Updates from: 02/17/2021 04:40:45
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/azure-monitor.md
@@ -21,7 +21,7 @@ Use Azure Monitor to route Azure Active Directory B2C (Azure AD B2C) sign-in and
You can route log events to: * An Azure [storage account](../storage/blobs/storage-blobs-introduction.md).
-* A [Log Analytics workspace](../azure-monitor/platform/resource-logs.md#send-to-log-analytics-workspace) (to analyze data, create dashboards, and alert on specific events).
+* A [Log Analytics workspace](../azure-monitor/essentials/resource-logs.md#send-to-log-analytics-workspace) (to analyze data, create dashboards, and alert on specific events).
* An Azure [event hub](../event-hubs/event-hubs-about.md) (and integrate with your Splunk and Sumo Logic instances). ![Azure Monitor](./media/azure-monitor/azure-monitor-flow.png)
@@ -34,7 +34,7 @@ In this article, you learn how to transfer the logs to an Azure Log Analytics wo
## Deployment overview
-Azure AD B2C leverages [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). To enable *Diagnostic settings* in Azure Active Directory within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/concepts/azure-delegated-resource-management.md) to [delegate a resource](../lighthouse/concepts/azure-delegated-resource-management.md), which allows your Azure AD B2C (the **Service Provider**) to manage an Azure AD (the **Customer**) resource. After you complete the steps in this article, you'll have access to the *azure-ad-b2c-monitor* resource group that contains the [Log Analytics workspace](../azure-monitor/learn/quick-create-workspace.md) in your **Azure AD B2C** portal. You'll also be able to transfer the logs from Azure AD B2C to your Log Analytics workspace.
+Azure AD B2C leverages [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). To enable *Diagnostic settings* in Azure Active Directory within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/concepts/azure-delegated-resource-management.md) to [delegate a resource](../lighthouse/concepts/azure-delegated-resource-management.md), which allows your Azure AD B2C (the **Service Provider**) to manage an Azure AD (the **Customer**) resource. After you complete the steps in this article, you'll have access to the *azure-ad-b2c-monitor* resource group that contains the [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) in your **Azure AD B2C** portal. You'll also be able to transfer the logs from Azure AD B2C to your Log Analytics workspace.
During this deployment, you'll authorize a user or group in your Azure AD B2C directory to configure the Log Analytics workspace instance within the tenant that contains your Azure subscription. To create the authorization, you deploy an [Azure Resource Manager](../azure-resource-manager/index.yml) template to your Azure AD tenant containing the subscription.
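Review bot: In the rewritten Deployment overview paragraph, "Azure Lighthouse" and "delegate a resource" both link to ../lighthouse/concepts/azure-delegated-resource-management.md, so the second link adds nothing. Since this line is already being touched, point the first link at a Lighthouse overview page or drop one of the two. The paragraph and the context line after it say a user or group in the Azure AD B2C directory is authorized to manage a resource in the other tenant, but do not name the role that is delegated. A short pointer to where the role is chosen would help readers scope that authorization.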
@@ -58,7 +58,7 @@ A **Log Analytics workspace** is a unique environment for Azure Monitor log data
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your **Azure AD tenant**.
-1. [Create a Log Analytics workspace](../azure-monitor/learn/quick-create-workspace.md). This example uses a Log Analytics workspace named *AzureAdB2C*, in a resource group named *azure-ad-b2c-monitor*.
+1. [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md). This example uses a Log Analytics workspace named *AzureAdB2C*, in a resource group named *azure-ad-b2c-monitor*.
## 3. Delegate resource management
@@ -140,9 +140,9 @@ After you've deployed the template and waited a few minutes for the resource pro
Diagnostic settings define where logs and metrics for a resource should be sent. Possible destinations are: -- [Azure storage account](../azure-monitor/platform/resource-logs.md#send-to-azure-storage)-- [Event hubs](../azure-monitor/platform/resource-logs.md#send-to-azure-event-hubs) solutions-- [Log Analytics workspace](../azure-monitor/platform/resource-logs.md#send-to-log-analytics-workspace)
+- [Azure storage account](../azure-monitor/essentials/resource-logs.md#send-to-azure-storage)
+- [Event hubs](../azure-monitor/essentials/resource-logs.md#send-to-azure-event-hubs) solutions
+- [Log Analytics workspace](../azure-monitor/essentials/resource-logs.md#send-to-log-analytics-workspace)
In this example, we use the Log Analytics workspace to create a dashboard.
@@ -167,7 +167,7 @@ To configure monitoring settings for Azure AD B2C activity logs:
1. Select **Save**. > [!NOTE]
-> It can take up to 15 minutes after an event is emitted for it to [appear in a Log Analytics workspace](../azure-monitor/platform/data-ingestion-time.md). Also, learn more about [Active Directory reporting latencies](../active-directory/reports-monitoring/reference-reports-latencies.md), which can impact the staleness of data and play an important role in reporting.
+> It can take up to 15 minutes after an event is emitted for it to [appear in a Log Analytics workspace](../azure-monitor/logs/data-ingestion-time.md). Also, learn more about [Active Directory reporting latencies](../active-directory/reports-monitoring/reference-reports-latencies.md), which can impact the staleness of data and play an important role in reporting.
If you see the error message "To setup Diagnostic settings to use Azure Monitor for your Azure AD B2C directory, you need to set up delegated resource management," make sure you sign-in with a user who is a member of the [security group](#32-select-a-security-group) and [select your subscription](#4-select-your-subscription).
@@ -177,7 +177,7 @@ Now you can configure your Log Analytics workspace to visualize your data and co
### 6.1 Create a Query
-Log queries help you to fully leverage the value of the data collected in Azure Monitor Logs. A powerful query language allows you to join data from multiple tables, aggregate large sets of data, and perform complex operations with minimal code. Virtually any question can be answered and analysis performed as long as the supporting data has been collected, and you understand how to construct the right query. For more information, see [Get started with log queries in Azure Monitor](../azure-monitor/log-query/get-started-queries.md).
+Log queries help you to fully leverage the value of the data collected in Azure Monitor Logs. A powerful query language allows you to join data from multiple tables, aggregate large sets of data, and perform complex operations with minimal code. Virtually any question can be answered and analysis performed as long as the supporting data has been collected, and you understand how to construct the right query. For more information, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md).
1. From **Log Analytics workspace**, select **Logs** 1. In the query editor, paste the following [Kusto Query Language](/azure/data-explorer/kusto/query/) query. This query shows policy usage by operation over the past x days. The default duration is set to 90 days (90d). Notice that the query is focused only on the operation where a token/code is issued by policy.
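Review bot: The step under 6.1 says the sample query's default duration is 90 days (90d), while the "Change the data retention period" section of this same article says logs are retained for 30 days by default. A reader who keeps the default retention will see at most 30 days of results from a 90-day query and may read the gap as missing sign-in activity. Either note the dependency on retention here or lower the default duration in the sample to match.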
@@ -224,7 +224,7 @@ For more samples, see the Azure AD B2C [SIEM GitHub repo](https://aka.ms/b2csiem
### 6.2 Create a Workbook
-Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences. For more information, see [Azure Monitor Workbooks](../azure-monitor/platform/workbooks-overview.md).
+Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences. For more information, see [Azure Monitor Workbooks](../azure-monitor/visualize/workbooks-overview.md).
Follow the instructions below to create a new workbook using a JSON Gallery Template. This workbook provides a **User Insights** and **Authentication** dashboard for Azure AD B2C tenant.
@@ -255,10 +255,10 @@ The workbook will display reports in the form of a dashboard.
## Create alerts
-Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events are created, absence of an event, or a number of events are created within a particular time window. For example, alerts can be used to notify you when average number of sign-in exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/learn/tutorial-response.md).
+Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events are created, absence of an event, or a number of events are created within a particular time window. For example, alerts can be used to notify you when average number of sign-in exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/tutorial-response.md).
-Use the following instructions to create a new Azure Alert, which will send an [email notification](../azure-monitor/platform/action-groups.md#configure-notifications) whenever there is a 25% drop in the **Total Requests** compare to previous period. Alert will run every 5 minutes and look for the drop within last 24 hours windows. The alerts are created using Kusto query language.
+Use the following instructions to create a new Azure Alert, which will send an [email notification](../azure-monitor/alerts/action-groups.md#configure-notifications) whenever there is a 25% drop in the **Total Requests** compare to previous period. Alert will run every 5 minutes and look for the drop within last 24 hours windows. The alerts are created using Kusto query language.
1. From **Log Analytics workspace**, select **Logs**.
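Review bot: The second changed paragraph under "Create alerts" still reads "compare to previous period" and "within last 24 hours windows", and the first has "when average number of sign-in exceeds". These lines are being edited anyway, so fix them: "compared to the previous period", "within the last 24-hour window", "when the average number of sign-ins exceeds". The alert is described as running every 5 minutes, while the note in section 5 says events can take up to 15 minutes to appear in the workspace. State whether the query allows for that delay, because a run that sees an incomplete current period can report a drop that is only ingestion lag.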
@@ -292,7 +292,7 @@ After the alert is created, go to **Log Analytics workspace** and select **Alert
### Configure action groups
-Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered. You can include sending a voice call, SMS, email; or triggering various types of automated actions. Follow the guidance [Create and manage action groups in the Azure portal](../azure-monitor/platform/action-groups.md)
+Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered. You can include sending a voice call, SMS, email; or triggering various types of automated actions. Follow the guidance [Create and manage action groups in the Azure portal](../azure-monitor/alerts/action-groups.md)
Here is an example of an alert notification email.
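Review bot: The changed line under "Configure action groups" ends at the link with no closing period, and "You can include sending a voice call, SMS, email; or triggering various types of automated actions" uses a semicolon where a comma belongs. Suggest "Follow the guidance in [Create and manage action groups in the Azure portal](../azure-monitor/alerts/action-groups.md)." and "a voice call, SMS, or email, or trigger various types of automated actions".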
@@ -302,7 +302,7 @@ Here is an example of an alert notification email.
To onboard multiple Azure AD B2C tenant logs to the same Log Analytics Workspace (or Azure storage account, or event hub), you'll need separate deployments with different **Msp Offer Name** values. Make sure your Log Analytics workspace is in the same resource group as the one you configured in [Create or choose resource group](#1-create-or-choose-resource-group).
-When working with multiple Log Analytics workspaces, use [Cross Workspace Query](../azure-monitor/log-query/cross-workspace-query.md) to create queries that work across multiple workspaces. For example, the following query performs a join of two Audit logs from different tenants based on the same Category (for example, Authentication):
+When working with multiple Log Analytics workspaces, use [Cross Workspace Query](../azure-monitor/logs/cross-workspace-query.md) to create queries that work across multiple workspaces. For example, the following query performs a join of two Audit logs from different tenants based on the same Category (for example, Authentication):
```kusto workspace("AD-B2C-TENANT1").AuditLogs
@@ -312,12 +312,12 @@ workspace("AD-B2C-TENANT1").AuditLogs
## Change the data retention period
-Azure Monitor Logs are designed to scale and support collecting, indexing, and storing massive amounts of data per day from any source in your enterprise or deployed in Azure. By default, logs are retained for 30 days, but retention duration can be increased to up to two years. Learn how to [manage usage and costs with Azure Monitor Logs](../azure-monitor/platform/manage-cost-storage.md). After you select the pricing tier, you can [Change the data retention period](../azure-monitor/platform/manage-cost-storage.md#change-the-data-retention-period).
+Azure Monitor Logs are designed to scale and support collecting, indexing, and storing massive amounts of data per day from any source in your enterprise or deployed in Azure. By default, logs are retained for 30 days, but retention duration can be increased to up to two years. Learn how to [manage usage and costs with Azure Monitor Logs](../azure-monitor/logs/manage-cost-storage.md). After you select the pricing tier, you can [Change the data retention period](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period).
## Next steps * Find more samples in the Azure AD B2C [SIEM gallery](https://aka.ms/b2csiem).
-* For more information about adding and configuring diagnostic settings in Azure Monitor, see [Tutorial: Collect and analyze resource logs from an Azure resource](../azure-monitor/insights/monitor-azure-resource.md).
+* For more information about adding and configuring diagnostic settings in Azure Monitor, see [Tutorial: Collect and analyze resource logs from an Azure resource](../azure-monitor/essentials/monitor-azure-resource.md).
* For information about streaming Azure AD logs to an event hub, see [Tutorial: Stream Azure Active Directory logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md).
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/create-user-flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/create-user-flow.md
@@ -23,7 +23,7 @@ You can create [user flows](user-flow-overview.md) of different types in your Az
## Before you begin - **Register the application** you want to use to test the new user flow. For an example, see the [Tutorial: Register a web application in Azure AD B2C](tutorial-register-applications.md).-- **Add external identity providers** if you want to enable user sign-in with providers like Azure AD, Amazon, Facebook, GitHub, LinkedIn, Microsoft, or Twitter. For an example, see [Tutorial: Add identity providers to your applications in Azure AD B2C](tutorial-add-identity-providers.md).
+- **Add external identity providers** if you want to enable user sign-in with providers like Azure AD, Amazon, Facebook, GitHub, LinkedIn, Microsoft, or Twitter. See [Add identity providers to your applications in Azure AD B2C](add-identity-provider.md).
- **Configure the local account identity provider** to specify the identity types (email, username, phone number) you want to support for local accounts in your tenant. Then you can choose from these supported identity types when you create individual user flows. When a user completes the user flow, a local account is created in your Azure AD B2C directory, and your **Local account** identity provider authenticates the user's information. Configure your tenant's local account identity provider with these steps: 1. Sign in to the [Azure portal](https://portal.azure.com/).
@@ -62,7 +62,7 @@ You can create [user flows](user-flow-overview.md) of different types in your Az
- **Local account**. If you want to allow users to create local accounts in your Azure AD B2C tenant, select the type of identifier you want them to use (for example, email, user ID, or phone). Only those identity types that are configured in your [local account identity provider](#before-you-begin) settings are listed.
- - **Social identity providers**. If you want to allow user sign-in with [social identity providers you've added](tutorial-add-identity-providers.md), like Azure AD, Amazon, Facebook, GitHub, LinkedIn, Microsoft, or Twitter, select the providers from the list.
+ - **Social identity providers**. If you want to allow user sign-in with [social identity providers you've added](add-identity-provider.md), like Azure AD, Amazon, Facebook, GitHub, LinkedIn, Microsoft, or Twitter, select the providers from the list.
9. For **User attributes and claims**, choose the claims and attributes that you want to collect and send from the user during sign-up. Select **Show more**. Select the attributes and claims, and then select **OK**.
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-local https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-local.md
@@ -145,5 +145,5 @@ After you download the starter pack.
## Next steps -- [Add external identity providers](tutorial-add-identity-providers.md)
+- [Add external identity providers](add-identity-provider.md)
- [Create a user flow](tutorial-create-user-flows.md)
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-weibo https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-weibo.md
@@ -28,19 +28,19 @@ zone_pivot_groups: b2c-policy-type
## Create a Weibo application
-To enable sign-in for users with a Weibo account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [Weibo developer portal](https://open.weibo.com/). If you don't already have a Weibo account, you can sign up at [https://weibo.com](https://weibo.com/signup/signup.php?lang=en-us).
+To enable sign-in for users with a Weibo account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in Weibo developer portal. If you don't already have a Weibo account, you can sign up at [https://weibo.com](https://weibo.com/signup/signup.php?lang=en-us).
-1. Sign in to the [Weibo developer portal](https://open.weibo.com/) with your Weibo account credentials.
+1. Sign in to the Weibo developer portal with your Weibo account credentials.
1. After signing in, select your display name in the top-right corner. 1. In the dropdown, select **编辑开发者信息** (edit developer information). 1. Enter the required information and select **提交** (submit). 1. Complete the email verification process.
-1. Go to the [identity verification page](https://open.weibo.com/developers/identity/edit).
+1. Go to the identity verification page.
1. Enter the required information and select **提交** (submit). ### Register a Weibo application
-1. Go to the [new Weibo app registration page](https://open.weibo.com/apps/new).
+1. Go to the new Weibo app registration page.
1. Enter the necessary application information. 1. Select **创建** (create). 1. Copy the values of **App Key** and **App Secret**. You need both of these to add the identity provider to your tenant.
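Review bot: After this change the steps "Go to the identity verification page." and "Go to the new Weibo app registration page." give the reader no way to find those pages, because the links were removed and no navigation path was added in their place. If the URLs were dropped on purpose, replace them with the menu path inside the portal. Otherwise keep the addresses as plain text. The intro also now reads "create an application in Weibo developer portal" and needs "the". The weibo.com sign-up link is kept while the three open.weibo.com links are dropped, so the commit message should say why they are treated differently.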
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-strata https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-strata.md
@@ -80,7 +80,7 @@ To get the software you'll use to integrate your legacy on-premises app with Azu
2. **Create a user flow**: Create a [sign-up and sign-in user flow](./tutorial-create-user-flows.md).
-3. **Add an IdP**: Choose to sign in your user with either a local account or a social or enterprise [IdP](./tutorial-add-identity-providers.md).
+3. **Add an IdP**: Choose to sign in your user with either a local account or a social or enterprise [IdP](./add-identity-provider.md).
4. **Define user attributes**: Define the attributes to be collected during sign-up.
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/phone-authentication-user-flows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/phone-authentication-user-flows.md
@@ -138,5 +138,5 @@ After you've enabled phone sign-up and sign-in and the recovery email prompt in
## Next steps -- [Add external identity providers](tutorial-add-identity-providers.md)
+- [Add external identity providers](add-identity-provider.md)
- [Create a user flow](tutorial-create-user-flows.md)
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/technical-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/technical-overview.md
@@ -75,7 +75,7 @@ On the sign-up or sign-in page, Azure AD B2C presents a list of external identit
![Mobile sign-in example with a social account (Facebook)](media/technical-overview/external-idp.png)
-To see how to add identity providers in Azure AD B2C, see [Tutorial: Add identity providers to your applications in Azure Active Directory B2C](tutorial-add-identity-providers.md).
+To see how to add identity providers in Azure AD B2C, see [Add identity providers to your applications in Azure Active Directory B2C](add-identity-provider.md).
## Identity experiences: user flows or custom policies
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-with-application-insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/troubleshoot-with-application-insights.md
@@ -97,7 +97,7 @@ Here is a list of queries you can use to see the logs:
The entries may be long. Export to CSV for a closer look.
-For more information about querying, see [Overview of log queries in Azure Monitor](../azure-monitor/log-query/log-query-overview.md).
+For more information about querying, see [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md).
## Configure Application Insights in Production
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-add-identity-providers.md
@@ -1,182 +0,0 @@
- Title: "Tutorial: Add identity providers to your apps"-
-description: Follow this tutorial to learn how to add identity providers to your applications in Azure Active Directory B2C using the Azure portal.
------- Previously updated : 07/30/2020-----
-# Tutorial: Add identity providers to your applications in Azure Active Directory B2C
-
-In your applications, you may want to enable users to sign in with different identity providers. An *identity provider* creates, maintains, and manages identity information while providing authentication services to applications. You can add identity providers that are supported by Azure Active Directory B2C (Azure AD B2C) to your [user flows](user-flow-overview.md) using the Azure portal.
-
-In this article, you learn how to:
-
-> [!div class="checklist"]
-> * Create the identity provider applications
-> * Add the identity providers to your tenant - both in Facebook and in Azure Active Directory
-> * Add the identity providers to your user flow
-
-You typically use only one identity provider in your applications, but you have the option to add more. This tutorial shows you how to add an Azure AD identity provider and a Facebook identity provider to your application. Adding both of these identity providers to your application is optional. You can also add other identity providers, such as [Amazon](identity-provider-amazon.md), [GitHub](identity-provider-github.md), [Google](identity-provider-google.md), [LinkedIn](identity-provider-linkedin.md), [Microsoft](identity-provider-microsoft-account.md), or [Twitter](identity-provider-twitter.md).
-
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
-
-## Prerequisites
-
-[Create a user flow](tutorial-create-user-flows.md) to enable users to sign up and sign in to your application.
-
-## Create applications
-
-Identity provider applications provide the identifier and key to enable communication with your Azure AD B2C tenant. In this section of the tutorial, you create an Azure AD application and a Facebook application from which you get identifiers and keys to add the identity providers to your tenant. If you're adding just one of the identity providers, you only need to create the application for that provider.
-
-### Create an Azure Active Directory application
-
-To enable sign-in for users from Azure AD, you need to register an application within the Azure AD tenant. The Azure AD tenant is not the same as your Azure AD B2C tenant.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Make sure you're using the directory that contains your Azure AD tenant by selecting the **Directory + subscription** filter in the top menu and choosing the directory that contains your Azure AD tenant.
-1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
-1. Select **New registration**.
-1. Enter a name for your application. For example, `Azure AD B2C App`.
-1. Accept the selection of **Accounts in this organizational directory only** for this application.
-1. For the **Redirect URI**, accept the value of **Web** and enter the following URL in all lowercase letters, replacing `your-B2C-tenant-name` with the name of your Azure AD B2C tenant.
-
- ```
- https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
- ```
-
- For example, `https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp`.
-
- All URLs should now be using [b2clogin.com](b2clogin.md).
-
-1. Select **Register**, then record the **Application (client) ID** which you use in a later step.
-1. Under **Manage** in the application menu, select **Certificates & secrets**, then select **New client secret**.
-1. Enter a **Description** for the client secret. For example, `Azure AD B2C App Secret`.
-1. Select the expiration period. For this application, accept the selection of **In 1 year**.
-1. Select **Add**, then record the value of the new client secret which you use in a later step.
-
-### Create a Facebook application
-
-To use a Facebook account as an identity provider in Azure AD B2C, you need to create an application at Facebook. If you donΓÇÖt already have a Facebook account, you can get it at [https://www.facebook.com/](https://www.facebook.com/).
-
-1. Sign in to [Facebook for developers](https://developers.facebook.com/) with your Facebook account credentials.
-1. If you haven't already done so, you need to register as a Facebook developer. To do this, select **Get Started** on the upper-right corner of the page, accept Facebook's policies, and complete the registration steps.
-1. Select **My Apps** and then **Create App**.
-1. Enter a **Display Name** and a valid **Contact Email**.
-1. Click **Create App ID**. This may require you to accept Facebook platform policies and complete an online security check.
-1. Select **Settings** > **Basic**.
-1. Choose a **Category**, for example `Business and Pages`. This value is required by Facebook, but isn't used by Azure AD B2C.
-1. At the bottom of the page, select **Add Platform**, and then select **Website**.
-1. In **Site URL**, enter `https://your-tenant-name.b2clogin.com/` replacing `your-tenant-name` with the name of your tenant.
-1. Enter a URL for the **Privacy Policy URL**, for example `http://www.contoso.com/`. The privacy policy URL is a page you maintain to provide privacy information for your application.
-1. Select **Save Changes**.
-1. At the top of the page, record the value of **App ID**.
-1. Next to **App Secret**, select **Show** and record its value. You use both the App ID and App Secret to configure Facebook as an identity provider in your tenant. **App Secret** is an important security credential which you should store securely.
-1. Select the plus sign next to **PRODUCTS**, then under **Facebook Login**, select **Set up**.
-1. Under **Facebook Login** in the left-hand menu, select **Settings**.
-1. In **Valid OAuth redirect URIs**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant. Select **Save Changes** at the bottom of the page.
-1. To make your Facebook application available to Azure AD B2C, click the **Status** selector at the top right of the page and turn it **On** to make the Application public, and then click **Confirm**. At this point, the Status should change from **Development** to **Live**.
-
-## Add the identity providers
-
-After you create the application for the identity provider that you want to add, you add the identity provider to your tenant.
-
-### Add the Azure Active Directory identity provider
-
-1. Make sure you're using the directory that contains Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your Azure AD B2C tenant.
-1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
-1. Select **Identity providers**, and then select **New OpenID Connect provider**.
-1. Enter a **Name**. For example, enter *Contoso Azure AD*.
-1. For **Metadata url**, enter the following URL replacing `{tenant}` with the domain name of your Azure AD tenant:
-
- ```
- https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
- ```
-
- For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration`.
- For example, `https://login.microsoftonline.com/contoso.com/v2.0/.well-known/openid-configuration`.
-
-1. For **Client ID**, enter the application ID that you previously recorded.
-1. For **Client secret**, enter the client secret that you previously recorded.
-1. For the **Scope**, enter the `openid profile`.
-1. Leave the default values for **Response type**, and **Response mode**.
-1. (Optional) For the **Domain hint**, enter `contoso.com`. For more information, see [Set up direct sign-in using Azure Active Directory B2C](direct-signin.md#redirect-sign-in-to-a-social-provider).
-1. Under **Identity provider claims mapping**, select the following claims:
-
- * **User ID**: *oid*
- * **Display name**: *name*
- * **Given name**: *given_name*
- * **Surname**: *family_name*
- * **Email**: *unique_name*
-
-1. Select **Save**.
-
-### Add the Facebook identity provider
-
-1. Select **Identity providers**, then select **Facebook**.
-1. Enter a **Name**. For example, *Facebook*.
-1. For the **Client ID**, enter the App ID of the Facebook application that you created earlier.
-1. For the **Client secret**, enter the App Secret that you recorded.
-1. Select **Save**.
-
-## Update the user flow
-
-In the tutorial that you completed as part of the prerequisites, you created a user flow for sign-up and sign-in named *B2C_1_signupsignin1*. In this section, you add the identity providers to the *B2C_1_signupsignin1* user flow.
-
-1. Select **User flows**, and then select the *B2C_1_signupsignin1* user flow.
-2. Select **Identity providers**, select the **Facebook** and **Contoso Azure AD** identity providers that you added.
-3. Select **Save**.
-
-## Test the user flow
-
-1. On the Overview page of the user flow that you created, select **Run user flow**.
-1. For **Application**, select the web application named *webapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
-1. Select **Run user flow**, and then sign in with an identity provider that you previously added.
-1. Repeat steps 1 through 3 for the other identity providers that you added.
-
-If the sign in operation is successful, you're redirected to `https://jwt.ms` which displays the Decoded Token, similar to:
-
-```json
-{
- "typ": "JWT",
- "alg": "RS256",
- "kid": "<key-ID>"
-}.{
- "exp": 1562346892,
- "nbf": 1562343292,
- "ver": "1.0",
- "iss": "https://your-b2c-tenant.b2clogin.com/10000000-0000-0000-0000-000000000000/v2.0/",
- "sub": "20000000-0000-0000-0000-000000000000",
- "aud": "30000000-0000-0000-0000-000000000000",
- "nonce": "defaultNonce",
- "iat": 1562343292,
- "auth_time": 1562343292,
- "name": "User Name",
- "idp": "facebook.com",
- "postalCode": "12345",
- "tfp": "B2C_1_signupsignin1"
-}.[Signature]
-```
-
-## Next steps
-
-In this article, you learned how to:
-
-> [!div class="checklist"]
-> * Create the identity provider applications
-> * Add the identity providers to your tenant
-> * Add the identity providers to your user flow
-
-Next, learn how to customize the UI of the pages shown to users as part of their identity experience in your applications:
-
-> [!div class="nextstepaction"]
-> [Customize the user interface of your applications in Azure Active Directory B2C](tutorial-customize-ui.md)
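Review bot: The removed "Test the user flow" section was where readers checked the `idp` and `tfp` claims of the issued token at `https://jwt.ms`; confirm that `add-identity-provider.md`, which other articles in this change now link to instead, keeps an equivalent verification step. Please also confirm that a redirect exists for the deleted `tutorial-add-identity-providers.md` URL, since none is visible in this change.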
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-create-user-flows.md
@@ -129,7 +129,7 @@ In this article, you learned how to:
> * Create a profile editing user flow > * Create a password reset user flow
-Next, learn about adding identity providers to your applications to enable user sign-in with providers like Azure AD, Amazon, Facebook, GitHub, LinkedIn, Microsoft, or Twitter.
+Next, learn how to use Azure AD B2C to sign in and sign up users in an application. Follow the ASP.NET web application linked below, or navigate to another application in the table of contents under **Authenticate users**.
> [!div class="nextstepaction"]
-> [Add identity providers to your applications >](tutorial-add-identity-providers.md)
+> [Tutorial: Enable authentication in a web application using Azure AD B2C >](tutorial-web-app-dotnet.md)
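Review bot: The added sentence "Follow the ASP.NET web application linked below" is missing its noun. Suggest "Follow the ASP.NET web application tutorial linked below", which also matches the new link text "Tutorial: Enable authentication in a web application using Azure AD B2C".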
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-customize-ui https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-customize-ui.md
@@ -1,165 +0,0 @@
- Title: "Tutorial: Customize the user interface"-
-description: Follow this tutorial to learn how to customize the user interface (UI) of your applications in Azure Active Directory B2C by using the Azure portal.
------- Previously updated : 07/30/2020----
-# Tutorial: Customize the interface of user experiences in Azure Active Directory B2C
-
-For more common user experiences, such as sign-up, sign-in, and profile editing, you can use [user flows](user-flow-overview.md) in Azure Active Directory B2C (Azure AD B2C). The information in this tutorial helps you to learn how to [customize the user interface (UI)](customize-ui-with-html.md) of these experiences using your own HTML and CSS files.
-
-In this article, you learn how to:
-
-> [!div class="checklist"]
-> * Create UI customization files
-> * Update the user flow to use the files
-> * Test the customized UI
-
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
-
-## Prerequisites
-
-[Create a user flow](tutorial-create-user-flows.md) to enable users to sign up and sign in to your application.
-
-## Create customization files
-
-You create an Azure storage account and container and then place basic HTML and CSS files in the container.
-
-### Create a storage account
-
-Although you can store your files in many ways, for this tutorial, you store them in [Azure Blob storage](../storage/blobs/storage-blobs-introduction.md).
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Make sure you're using the directory that contains your Azure subscription. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your subscription. This directory is different than the one that contains your Azure B2C tenant.
-3. Choose All services in the top-left corner of the Azure portal, search for and select **Storage accounts**.
-4. Select **Add**.
-5. Under **Resource group**, select **Create new**, enter a name for the new resource group, and then click **OK**.
-6. Enter a name for the storage account. The name you choose must be unique across Azure, must be between 3 and 24 characters in length, and may contain numbers and lowercase letters only.
-7. Select the location of the storage account or accept the default location.
-8. Accept all other default values, select **Review + create**, and then click **Create**.
-9. After the storage account is created, select **Go to resource**.
-
-### Create a container
-
-1. On the overview page of the storage account, select **Blobs**.
-2. Select **Container**, enter a name for the container, choose **Blob (anonymous read access for blobs only)**, and then click **OK**.
-
-### Enable CORS
-
- Azure AD B2C code in a browser uses a modern and standard approach to load custom content from a URL that you specify in a user flow. Cross-origin resource sharing (CORS) allows restricted resources on a web page to be requested from other domains.
-
-1. In the menu, select **CORS**.
-2. For **Allowed origins**, enter `https://your-tenant-name.b2clogin.com`. Replace `your-tenant-name` with the name of your Azure AD B2C tenant. For example, `https://fabrikam.b2clogin.com`. You need to use all lowercase letters when entering your tenant name.
-3. For **Allowed Methods**, select `GET`,`PUT`, and `OPTIONS`.
-4. For **Allowed Headers**, enter an asterisk (*).
-5. For **Exposed Headers**, enter an asterisk (*).
-6. For **Max age**, enter 200.
-
- ![CORS configuration page in Azure Blob storage in Azure portal](./media/tutorial-customize-ui/enable-cors.png)
-
-5. Click **Save**.
-
-### Create the customization files
-
-To customize the UI of the sign-up experience, you start by creating a simple HTML and CSS file. You can configure your HTML any way you want, but it must have a **div** element with an identifier of `api`. For example, `<div id="api"></div>`. Azure AD B2C injects elements into the `api` container when the page is displayed.
-
-1. In a local folder, create the following file and make sure that you change `your-storage-account` to the name of the storage account and `your-container` to the name of the container that you created. For example, `https://store1.blob.core.windows.net/b2c/style.css`.
-
- ```html
- <!DOCTYPE html>
- <html>
- <head>
- <title>My B2C Application</title>
- <link rel="stylesheet" href="https://your-storage-account.blob.core.windows.net/your-container/style.css">
- </head>
- <body>
- <h1>My B2C Application</h1>
- <div id="api"></div>
- </body>
- </html>
- ```
-
- The page can be designed any way that you want, but the **api** div element is required for any HTML customization file that you create.
-
-3. Save the file as *custom-ui.html*.
-4. Create the following simple CSS that centers all elements on the sign-up or sign-in page including the elements that Azure AD B2C injects.
-
- ```css
- h1 {
- color: blue;
- text-align: center;
- }
- .intro h2 {
- text-align: center;
- }
- .entry {
- width: 300px ;
- margin-left: auto ;
- margin-right: auto ;
- }
- .divider h2 {
- text-align: center;
- }
- .create {
- width: 300px ;
- margin-left: auto ;
- margin-right: auto ;
- }
- ```
-
-5. Save the file as *style.css*.
-
-### Upload the customization files
-
-In this tutorial, you store the files that you created in the storage account so that Azure AD B2C can access them.
-
-1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Storage accounts**.
-2. Select the storage account you created, select **Blobs**, and then select the container that you created.
-3. Select **Upload**, navigate to and select the *custom-ui.html* file, and then click **Upload**.
-
- ![Upload blob page in portal with Upload button and Files highlighted](./media/tutorial-customize-ui/upload-blob.png)
-
-4. Copy the URL for the file that you uploaded to use later in the tutorial.
-5. Repeat step 3 and 4 for the *style.css* file.
-
-## Update the user flow
-
-1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
-2. Select **User flows**, and then select the *B2C_1_signupsignin1* user flow.
-3. Select **Page layouts**, and then under **Unified sign-up or sign-in page**, click **Yes** for **Use custom page content**.
-4. In **Custom page URI**, enter the URI for the *custom-ui.html* file that you recorded earlier.
-5. At the top of the page, select **Save**.
-
-## Test the user flow
-
-1. In your Azure AD B2C tenant, select **User flows** and select the *B2C_1_signupsignin1* user flow.
-2. At the top of the page, click **Run user flow**.
-3. Click the **Run user flow** button.
-
- ![Run user flow page for the sign-up or sign-in user flow](./media/tutorial-customize-ui/run-user-flow.png)
-
- You should see a page similar to the following example with the elements centered based on the CSS file that you created:
-
- ![Web browser showing sign up or sign in page with custom UI elements](./media/tutorial-customize-ui/run-now.png)
-
-## Next steps
-
-In this article, you learned how to:
-
-> [!div class="checklist"]
-> * Create UI customization files
-> * Update the user flow to use the files
-> * Test the customized UI
-
-> [!div class="nextstepaction"]
-> [Customize the UI in Azure Active Directory B2C](customize-ui-with-html.md)
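Review bot: Confirm that `customize-ui-with-html.md`, the target of the removed next-step link, still covers the storage setup deleted here, in particular the "Enable CORS" steps that limit **Allowed origins** to `https://your-tenant-name.b2clogin.com` and the container's **Blob (anonymous read access for blobs only)** setting. If those steps are carried over, check whether `PUT` is needed under **Allowed Methods**, since the text only describes the browser loading content from the URL, and fix the numbering, which restarts at 5 after step 6.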
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-desktop-app-webapi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-desktop-app-webapi.md
@@ -160,4 +160,4 @@ In this tutorial, you learned how to:
> * Update the sample to use the application > [!div class="nextstepaction"]
-> [Tutorial: Add identity providers to your applications in Azure Active Directory B2C](tutorial-add-identity-providers.md)
+> [Add identity providers to your applications in Azure Active Directory B2C](add-identity-provider.md)
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-web-api-dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-web-api-dotnet.md
@@ -162,4 +162,4 @@ In this tutorial, you learned how to:
> * Configure the sample to use the application > [!div class="nextstepaction"]
-> [Tutorial: Add identity providers to your applications in Azure Active Directory B2C](tutorial-add-identity-providers.md)
+> [Add identity providers to your applications in Azure Active Directory B2C](add-identity-provider.md)
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-web-app-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-web-app-python.md
@@ -181,4 +181,4 @@ In this tutorial, you configured a Python Flask web application to work with a u
Next, learn how to customize the UI of the user flow pages displayed to your users by Azure AD B2C: > [!div class="nextstepaction"]
-> [Tutorial: Customize the interface of user experiences in Azure AD B2C >](tutorial-customize-ui.md)
+> [Customize the interface of user experiences in Azure AD B2C >](customize-ui.md)
active-directory-domain-services https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/security-audit-events.md
@@ -36,7 +36,7 @@ The following table outlines scenarios for each destination resource type.
|:|:| |Azure Storage| This target should be used when your primary need is to store security audit events for archival purposes. Other targets can be used for archival purposes, however those targets provide capabilities beyond the primary need of archiving. <br /><br />Before you enable Azure AD DS security audit events, first [Create an Azure Storage account](../storage/common/storage-account-create.md).| |Azure Event Hubs| This target should be used when your primary need is to share security audit events with additional software such as data analysis software or security information & event management (SIEM) software.<br /><br />Before you enable Azure AD DS security audit events, [Create an event hub using Azure portal](../event-hubs/event-hubs-create.md)|
-|Azure Log Analytics Workspace| This target should be used when your primary need is to analyze and review secure audits from the Azure portal directly.<br /><br />Before you enable Azure AD DS security audit events, [Create a Log Analytics workspace in the Azure portal.](../azure-monitor/learn/quick-create-workspace.md)|
+|Azure Log Analytics Workspace| This target should be used when your primary need is to analyze and review secure audits from the Azure portal directly.<br /><br />Before you enable Azure AD DS security audit events, [Create a Log Analytics workspace in the Azure portal.](../azure-monitor/logs/quick-create-workspace.md)|
## Enable security audit events using the Azure portal
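Review bot: Since the Log Analytics row is being touched, "analyze and review secure audits" should read "security audit events", the term the rest of the row uses. The sentence-ending period also sits inside the link text in "[Create a Log Analytics workspace in the Azure portal.]" and should move outside the brackets.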
@@ -96,7 +96,7 @@ To enable Azure AD DS security audit events using Azure PowerShell, complete the
> [!IMPORTANT] > Ensure you set the authorization rule on the event hub namespace and not the event hub itself.
- * **Azure Log Analytic workspaces** - [Create a Log Analytics workspace with Azure PowerShell](../azure-monitor/platform/powershell-workspace-configuration.md).
+ * **Azure Log Analytic workspaces** - [Create a Log Analytics workspace with Azure PowerShell](../azure-monitor/logs/powershell-workspace-configuration.md).
1. Get the resource ID for your Azure AD DS managed domain using the [Get-AzResource](/powershell/module/Az.Resources/Get-AzResource) cmdlet. Create a variable named *$aadds.ResourceId* to hold the value:
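Review bot: The bold label on the changed bullet reads "Azure Log Analytic workspaces" while the link text on the same line says "Log Analytics workspace". Correct the label to "Azure Log Analytics workspaces" while this line is being edited.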
@@ -137,9 +137,9 @@ To enable Azure AD DS security audit events using Azure PowerShell, complete the
Log Analytic workspaces let you view and analyze the security audit events using Azure Monitor and the Kusto query language. This query language is designed for read-only use that boasts power analytic capabilities with an easy-to-read syntax. For more information to get started with Kusto query languages, see the following articles: * [Azure Monitor documentation](../azure-monitor/index.yml)
-* [Get started with Log Analytics in Azure Monitor](../azure-monitor/log-query/log-analytics-tutorial.md)
-* [Get started with log queries in Azure Monitor](../azure-monitor/log-query/get-started-queries.md)
-* [Create and share dashboards of Log Analytics data](../azure-monitor/learn/tutorial-logs-dashboards.md)
+* [Get started with Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-tutorial.md)
+* [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md)
+* [Create and share dashboards of Log Analytics data](../azure-monitor/visualize/tutorial-logs-dashboards.md)
The following sample queries can be used to start analyzing security audit events from Azure AD DS.
active-directory-domain-services https://docs.microsoft.com/en-us/azure/active-directory-domain-services/use-azure-monitor-workbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/use-azure-monitor-workbooks.md
@@ -42,7 +42,7 @@ Azure AD DS includes the following two workbook templates:
* Security overview report * Account activity report
-For more information about how to edit and manage workbooks, see [Azure Monitor Workbooks overview](../azure-monitor/platform/workbooks-overview.md).
+For more information about how to edit and manage workbooks, see [Azure Monitor Workbooks overview](../azure-monitor/visualize/workbooks-overview.md).
## Use the security overview report workbook
active-directory https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-log-analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-log-analytics.md
@@ -19,7 +19,7 @@ Provisioning integrates with Azure Monitor logs and Log Analytics. With Azure mo
## Enabling provisioning logs
-You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/log-query/log-query-overview.md).
+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md).
Once you've configured Azure monitoring, you can enable logs for application provisioning. The option is located on the **Diagnostics settings** page.
@@ -42,7 +42,7 @@ The underlying data stream that Provisioning sends log viewers is almost identic
## Azure Monitor workbooks
-Azure Monitor workbooks provide a flexible canvas for data analysis. They also provide for the creation of rich visual reports within the Azure portal. To learn more, see [Azure Monitor Workbooks overview](../../azure-monitor/platform/workbooks-overview.md).
+Azure Monitor workbooks provide a flexible canvas for data analysis. They also provide for the creation of rich visual reports within the Azure portal. To learn more, see [Azure Monitor Workbooks overview](../../azure-monitor/visualize/workbooks-overview.md).
Application provisioning comes with a set of pre-built workbooks. You can find them on the Workbooks page. To view the data, you'll need to ensure that all the filters (timeRange, jobID, appName) are populated. You'll also need to make sure you've provisioned an app, otherwise there won't be any data in the logs.
@@ -52,7 +52,7 @@ Application provisioning comes with a set of pre-built workbooks. You can find t
## Custom queries
-You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../azure-monitor/log-query/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../azure-monitor/log-query/log-query-overview.md).
+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../azure-monitor/logs/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md).
Here are some samples to get started with application provisioning.
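Review bot: The link labelled "Create and share dashboards of Log Analytics data" still points to `logs/get-started-queries.md`, so the label and target disagree. The same label in `security-audit-events.md` in this change resolves to `../azure-monitor/visualize/tutorial-logs-dashboards.md`; either retarget this link to that article or rename the label to match the queries article.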
@@ -91,7 +91,7 @@ AADProvisioningLogs
Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
-To learn more about alerts, see [Respond to events with Azure Monitor Alerts](../../azure-monitor/learn/tutorial-response.md).
+To learn more about alerts, see [Respond to events with Azure Monitor Alerts](../../azure-monitor/alerts/tutorial-response.md).
Alert when there's a spike in failures. Replace the jobID with the jobID for your application.
@@ -113,7 +113,7 @@ We're taking an open source and community-based approach to application provisio
## Next steps - [Log analytics](../reports-monitoring/howto-analyze-activity-logs-log-analytics.md)-- [Get started with queries in Azure Monitor logs](../../azure-monitor/log-query/get-started-queries.md)-- [Create and manage alert groups in the Azure portal](../../azure-monitor/platform/action-groups.md)
+- [Get started with queries in Azure Monitor logs](../../azure-monitor/logs/get-started-queries.md)
+- [Create and manage alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md)
- [Install and use the log analytics views for Azure Active Directory](../reports-monitoring/howto-install-use-log-analytics-views.md) - [Provisioning logs API](/graph/api/resources/provisioningobjectsummary?preserve-view=true&view=graph-rest-beta.md)
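Review bot: The retargeted link text "Create and manage alert groups in the Azure portal" does not match its target `alerts/action-groups.md`; the label should say "action groups". The neighbouring "Provisioning logs API" link also ends in `view=graph-rest-beta.md`, where the `.md` suffix after the query string looks unintended and is worth checking in the same pass.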
active-directory https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md
@@ -40,7 +40,7 @@ Users also need one of the following Log Analytics workspace roles:
If you have not integrated Azure AD logs with Azure Monitor logs, you will need to take the following steps before the workbook will load:
-1. [Create a Log Analytics workspace in Azure Monitor](../../azure-monitor/learn/quick-create-workspace.md).
+1. [Create a Log Analytics workspace in Azure Monitor](../../azure-monitor/logs/quick-create-workspace.md).
1. [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). ## How it works
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/app-objects-and-service-principals.md
@@ -10,7 +10,7 @@
Previously updated : 07/22/2020 Last updated : 02/15/2021
@@ -23,9 +23,9 @@ This article describes application registration, application objects, and servic
## Application registration In order to delegate Identity and Access Management functions to Azure AD, an application must be registered with an Azure AD [tenant](developer-glossary.md#tenant). When you register your application with Azure AD, you are creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the [Azure portal][AZURE-Portal], you choose whether it's a single tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants) and can optionally set a redirect URI (where the access token is sent to).
+For step-by-step instructions on registering an app, see the [app registration quickstart](quickstart-register-app.md).
-When you've completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.
+When you've completed the app registration, you have a globally unique instance of the app (the [application object](#application-object)) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.
If you register an application in the portal, an application object as well as a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.
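Review bot: While this paragraph is being edited, the parenthetical on the unchanged line that describes the redirect URI as "where the access token is sent to" is worth tightening, because what arrives at the redirect URI depends on the flow; "where the authentication response is sent" would be accurate for all of them. The new quickstart sentence would also read better after the description of what registration creates than in the middle of it.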
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/authentication-flows-app-scenarios.md
@@ -106,7 +106,7 @@ To help protect a web app that signs in a user:
- If you develop in .NET, you use ASP.NET or ASP.NET Core with the ASP.NET OpenID Connect middleware. Protecting a resource involves validating the security token, which is done by the [IdentityModel extensions for .NET](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki) and not MSAL libraries. -- If you develop in Node.js, you use [Passport.js](https://github.com/AzureAD/passport-azure-ad).
+- If you develop in Node.js, you use [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) or [Passport.js](https://github.com/AzureAD/passport-azure-ad).
For more information, see [Web app that signs in users](scenario-web-app-sign-user-overview.md).
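Review bot: The new MSAL Node link targets a branch path, `tree/dev/lib/msal-node`, which will break if the branch is renamed or the repository layout changes; prefer a stable landing page for the library. The bullet also gives no guidance on when to choose MSAL Node over Passport.js, unlike the .NET bullet above it, which says which component does what.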
@@ -276,17 +276,18 @@ Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flo
Microsoft authentication libraries support multiple platforms: -- JavaScript-- .NET Framework - .NET Core-- Windows 10/UWP-- Xamarin.iOS-- Xamarin.Android-- Native iOS
+- .NET Framework
+- Java
+- JavaScript
- macOS - Native Android-- Java
+- Native iOS
+- Node.js
- Python
+- Windows 10/UWP
+- Xamarin.iOS
+- Xamarin.Android
You can also use various languages to build your applications.
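Review bot: The platform list is now alphabetical except for its last two entries: `Xamarin.iOS` is placed before `Xamarin.Android`. Swap them so the ordering is consistent.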
@@ -299,12 +300,12 @@ In the Windows column of the following table, each time .NET Core is mentioned,
|--|--|--|--|--|--|--| | [Single-page app](scenario-spa-overview.md) <br/>[![Single-Page App Auth](medi) | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png) MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js | [Single-page app](scenario-spa-overview.md) <br/>[![Single-Page App Implicit](medi) | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png) MSAL.js | ![MSAL.js](media/sample-v2-code/small_logo_js.png)<br/>MSAL.js
-| [Web app that signs in users](scenario-web-app-sign-user-overview.md) <br/>[![Web app that signs-in users](medi) | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core
-| [Web app that calls web APIs](scenario-web-app-call-api-overview.md) <br/> <br/>[![Web app that calls web APIs](medi) | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png) <br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>Flask + MSAL Python| ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>Flask + MSAL Python| ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/> ![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>Flask + MSAL Python
-| [Desktop app that calls web APIs](scenario-desktop-overview.md) <br/> <br/>[![Desktop app that calls web APIs](medi) ![Device code flow](media/scenarios/device-code-flow-app.svg) | ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/> ![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python <br/> ![iOS / Objective C or swift](media/sample-v2-code/small_logo_iOS.png) MSAL.objc |
+| [Web app that signs in users](scenario-web-app-sign-user-overview.md) <br/>[![Web app that signs-in users](medi) | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>
+| [Web app that calls web APIs](scenario-web-app-call-api-overview.md) <br/> <br/>[![Web app that calls web APIs](medi) | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png) <br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>Flask + MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>Flask + MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/> ![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>Flask + MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>
+| [Desktop app that calls web APIs](scenario-desktop-overview.md) <br/> <br/>[![Desktop app that calls web APIs](medi) ![Device code flow](media/scenarios/device-code-flow-app.svg) | ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/> ![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python <br/> ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/> ![iOS / Objective C or swift](media/sample-v2-code/small_logo_iOS.png) MSAL.objc |
| [Mobile app that calls web APIs](scenario-mobile-overview.md) <br/> [![Mobile app that calls web APIs](medi) | ![UWP](media/sample-v2-code/small_logo_windows.png) MSAL.NET ![Xamarin](media/sample-v2-code/small_logo_xamarin.png) MSAL.NET | | | ![iOS / Objective C or swift](media/sample-v2-code/small_logo_iOS.png) MSAL.objc | ![Android](media/sample-v2-code/small_logo_Android.png) MSAL.Android
-| [Daemon app](scenario-daemon-overview.md) <br/> [![Daemon app](medi) | ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png) MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python
-| [Web API that calls web APIs](scenario-web-api-call-api-overview.md) <br/><br/> [![Web API that calls web APIs](medi) | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python
+| [Daemon app](scenario-daemon-overview.md) <br/> [![Daemon app](medi) | ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png) MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>
+| [Web API that calls web APIs](scenario-web-api-call-api-overview.md) <br/><br/> [![Web API that calls web APIs](medi) | ![ASP.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>| ![.NET Core](media/sample-v2-code/small_logo_NETcore.png)<br/>ASP.NET Core + MSAL.NET ![MSAL Java](media/sample-v2-code/small_logo_java.png)<br/>MSAL Java<br/>![MSAL Python](media/sample-v2-code/small_logo_python.png)<br/>MSAL Python ![MSAL Node](media/sample-v2-code/small-logo-nodejs.png) <br/>MSAL Node<br/>
For more information, see [Microsoft identity platform authentication libraries](reference-v2-libraries.md).
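Review bot: The added MSAL Node entries in these rows reference `media/sample-v2-code/small-logo-nodejs.png`, with hyphens, while every other logo in the table follows the `small_logo_*.png` underscore pattern; confirm the file exists under that exact name or rename it to match, since a wrong name renders as a broken image in every cell that uses it. The new cells are also inconsistent about `<br/>` before the Node logo (for example `Flask + MSAL Python ![MSAL Node]` has none, while other cells put `<br/>` there), so the layout will differ from cell to cell.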
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-migration.md
@@ -57,7 +57,7 @@ It's also possible in MSAL.NET to access v1.0 resources. See details in [Scopes
- ADAL.NET uses [AuthenticationContext](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AuthenticationContext:-the-connection-to-Azure-AD) as the representation of your connection to the Security Token Service (STS) or authorization server, through an Authority. On the contrary, MSAL.NET is designed around [client applications](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Applications). It provides two separate classes: `PublicClientApplication` and `ConfidentialClientApplication` -- Acquiring Tokens: ADAL.NET and MSAL.NET have the same authentication calls (`AcquireTokenAsync` and `AcquireTokenSilentAsync` for ADAL.NET, and `AcquireTokenInteractive` and `AcquireTokenSilent` in MSAL.NET) but with different parameters required. One difference is the fact that, in MSAL.NET, you no longer have to pass in the `ClientID` of your application in every AcquireTokenXX call. Indeed, the `ClientID` is set only once when building the (`IPublicClientApplication` or `IConfidentialClientApplication`).
+- Acquiring Tokens: ADAL.NET and MSAL.NET have the same authentication calls (`AcquireTokenAsync` and `AcquireTokenSilentAsync` for ADAL.NET, and `AcquireTokenInteractive` and `AcquireTokenSilent` in MSAL.NET) but with different parameters required. One difference is the fact that, in MSAL.NET, you no longer have to pass in the `ClientID` of your application in every AcquireTokenXX call. Indeed, the `ClientID` is set only once when building the (`IPublicClientApplication` or `IConfidentialClientApplication`).
### IAccount not IUser
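Review bot: In the "Acquiring Tokens" bullet, the last sentence ends "when building the (`IPublicClientApplication` or `IConfidentialClientApplication`)", which is missing its noun; since the line is being touched anyway, write "when building the application object (`IPublicClientApplication` or `IConfidentialClientApplication`)". The bullet also says the two libraries "have the same authentication calls" and then lists different method names, so "equivalent" would be more accurate, and `AcquireTokenXX` should be in code formatting like the other method names.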
@@ -168,7 +168,7 @@ If you want to acquire tokens for an application accepting v1.0 tokens (for inst
For instance, to access in the name of the user a v1.0 web API which App ID URI is `ResourceId`, you'd want to use: ```csharp
-var scopes = new [] { ResourceId+"/user_impersonation"};
+var scopes = new [] { ResourceId+"/user_impersonation" };
``` If you want to read and write with MSAL.NET Azure Active Directory using the Microsoft Graph API (https://graph.microsoft.com/), you would create a list of scopes like in the following snippet:
@@ -203,7 +203,7 @@ For instance, if you want to acquire a token for all the static scopes of a v1.0
```csharp ResourceId = "someAppIDURI";
-var scopes = new [] { ResourceId+"/.default"};
+var scopes = new [] { ResourceId+"/.default" };
``` ### Scopes to request in the case of client credential flow / daemon app
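Review bot: The snippet's first line, `ResourceId = "someAppIDURI";`, assigns an identifier that is never declared in the block, so the example does not compile as shown unless `ResourceId` is a field defined elsewhere; while the `scopes` line is being reformatted, declare it in place (`string ResourceId = "someAppIDURI";`). The spacing fix also stops short of `ResourceId+"/.default"`, which still has no spaces around `+`.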
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-overview.md
@@ -47,12 +47,15 @@ MSAL can be used in many application scenarios, including the following:
| Library | Supported platforms and frameworks| | | |
-| [MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet)| .NET Framework, .NET Core, Xamarin Android, Xamarin iOS, Universal Windows Platform|
-| [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js)| JavaScript/TypeScript frameworks such as AngularJS, Ember.js, or Durandal.js|
| [MSAL for Android](https://github.com/AzureAD/microsoft-authentication-library-for-android)|Android|
+| [MSAL Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular)| Single-page apps with Angular and Angular.js frameworks|
| [MSAL for iOS and macOS](https://github.com/AzureAD/microsoft-authentication-library-for-objc)|iOS and macOS| | [MSAL Java](https://github.com/AzureAD/microsoft-authentication-library-for-java)|Windows, macOS, Linux|
+| [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser)| JavaScript/TypeScript frameworks such as Vue.js, Ember.js, or Durandal.js|
+| [MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet)| .NET Framework, .NET Core, Xamarin Android, Xamarin iOS, Universal Windows Platform|
+| [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node)|Web apps with Express, desktop apps with Electron, Cross-platform console apps|
| [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python)|Windows, macOS, Linux|
+| [MSAL React](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react)| Single-page apps with React and React-based libraries (Next.js, Gatsby.js)|
## Differences between ADAL and MSAL
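Review bot: The new MSAL Angular row describes "Angular and Angular.js frameworks", but the MSAL.js row this change removes spelled the framework "AngularJS", and the row links only to `lib/msal-angular`; use "AngularJS" consistently and confirm that AngularJS support belongs on this row and not on a separate library entry. The MSAL Node row also capitalizes "Cross-platform" mid-list, unlike the other items in that cell.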
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-create-new-tenant.md
@@ -10,7 +10,7 @@
Previously updated : 03/12/2020 Last updated : 02/15/2021
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-nodejs-console https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-nodejs-console.md
@@ -0,0 +1,209 @@
+
+ Title: "Quickstart: Call Microsoft Graph from a Node.js console app | Azure"
+
+description: In this quickstart, you learn how a Node.js console application can get an access token and call an API protected by a Microsoft identity platform endpoint, using the app's own identity
+++++++ Last updated : 02/11/2021+
+#Customer intent: As an application developer, I want to learn how my Node.js app can get an access token and call an API that is protected by an Microsoft identity platform endpoint using client credentials flow.
++
+# Quickstart: Acquire a token and call Microsoft Graph API from a Node.js console app using app's identity
+
+In this quickstart, you download and run a code sample that demonstrates how a Node.js console application can get an access token using the app's identity to call the Microsoft Graph API and display a [list of users](/graph/api/user-list) in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.
+
+This quickstart uses the [Microsoft Authentication Library for Node.js (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) with the [client credentials grant](v2-oauth2-client-creds-grant-flow.md).
+
+## Prerequisites
+
+* [Node.js](https://nodejs.org/en/download/)
+* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+
+> [!div renderon="docs"]
+> ## Register and download your quickstart application
+>
+> Follow the steps below to get started.
+>
+> [!div renderon="docs"]
+> #### Step 1: Register your application
+> To register your application and add the app's registration information to your solution manually, follow these steps:
+>
+> 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+> 1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
+> 1. Search for and select **Azure Active Directory**.
+> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Enter a **Name** for your application, for example `msal-node-cli`. Users of your app might see this name, and you can change it later.
+> 1. Select **Register**.
+> 1. Under **Manage**, select **Certificates & secrets**.
+> 1. Under **Client secrets**, select **New client secret**, enter a name, and then select **Add**. Record the secret value in a safe location for use in a later step.
+> 1. Under **Manage**, select **API Permissions** > **Add a permission**. Select **Microsoft Graph**.
+> 1. Select **Application permissions**.
+> 1. Under **User** node, select **User.Read.All**, then select **Add permissions**.
+
+> [!div class="sxs-lookup" renderon="portal"]
+> ### Download and configure your quickstart app
+>
+> #### Step 1: Configure your application in Azure portal
+> For the code sample for this quickstart to work, you need to create a client secret, and add Graph API's **User.Read.All** application permission.
+> > [!div renderon="portal" id="makechanges" class="nextstepaction"]
+> > [Make these changes for me]()
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-netcore-daemon/green-check.png) Your application is configured with these attributes.
+
+#### Step 2: Download your Node.js project
+
+> [!div renderon="docs"]
+> [Download the code sample](https://github.com/azure-samples/ms-identity-javascript-nodejs-console/archive/main.zip)
+
+> [!div renderon="portal" id="autoupdate" class="sxs-lookup nextstepaction"]
+> [Download the code sample](https://github.com/azure-samples/ms-identity-javascript-nodejs-console/archive/main.zip)
+
+> [!div class="sxs-lookup" renderon="portal"]
+> > [!NOTE]
+> > `Enter_the_Supported_Account_Info_Here`
+
+> [!div renderon="docs"]
+> #### Step 3: Configure your Node.js project
+>
+> 1. Extract the zip file to a local folder close to the root of the disk, for example, *C:/Azure-Samples*.
+> 1. Edit *.env* and replace the values of the fields `TENANT_ID`, `CLIENT_ID`, and `CLIENT_SECRET` with the following snippet:
+>
+> ```
+> "TENANT_ID": "Enter_the_Tenant_Id_Here",
+> "CLIENT_ID": "Enter_the_Application_Id_Here",
+> "CLIENT_SECRET": "Enter_the_Client_Secret_Here"
+> ```
+> Where:
+> - `Enter_the_Application_Id_Here` - is the **Application (client) ID** of the application you registered earlier. Find this ID on the app registration's **Overview** pane in the Azure portal.
+> - `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant ID** or **Tenant name** (for example, contoso.microsoft.com). Find these values on the app registration's **Overview** pane in the Azure portal.
+> - `Enter_the_Client_Secret_Here` - replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings in the Azure portal.
+>
+> > [!WARNING]
+> > Any plaintext secret in source code poses an increased security risk. This article uses a plaintext client secret for simplicity only. Use [certificate credentials](active-directory-certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.
+
+> [!div class="sxs-lookup" renderon="portal"]
+> #### Step 3: Admin consent
+
+> [!div renderon="docs"]
+> #### Step 4: Admin consent
+
+If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires **admin consent**: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:
+
+##### Global tenant administrator
+
+> [!div renderon="docs"]
+> If you are a global tenant administrator, go to **API Permissions** page in the Azure portal's Application Registration and select **Grant admin consent for {Tenant Name}** (where {Tenant Name} is the name of your directory).
+
+> [!div renderon="portal" class="sxs-lookup"]
+> If you are a global administrator, go to **API Permissions** page select **Grant admin consent for Enter_the_Tenant_Name_Here**
+> > [!div id="apipermissionspage"]
+> > [Go to the API Permissions page]()
+
+##### Standard user
+
+If you're a standard user of your tenant, then you need to ask a global administrator to grant **admin consent** for your application. To do this, give the following URL to your administrator:
+
+```url
+https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here
+```
+
+> [!div renderon="docs"]
+>> Where:
+>> * `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com)
+>> * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
+
+> [!div class="sxs-lookup" renderon="portal"]
+> #### Step 4: Run the application
+
+> [!div renderon="docs"]
+> #### Step 5: Run the application
+
+Locate the sample's root folder (where `package.json` resides) in a command prompt or console. You'll need to install the dependencies of this sample once:
+
+```console
+npm install
+```
+
+Then, run the application via command prompt or console:
+
+```console
+node . --op getUsers
+```
+
+You should see on the console output some JSON fragment representing a list of users in your Azure AD directory.
+
+## About the code
+
+Below, some of the important aspects of the sample application are discussed.
+
+### MSAL Node
+
+[MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by application permissions (using the application's own identity) instead of delegated permissions. The authentication flow used in this case is known as [OAuth 2.0 client credentials flow](v2-oauth2-client-creds-grant-flow.md). For more information on how to use MSAL Node with daemon apps, see [Scenario: Daemon application](scenario-daemon-overview.md).
+
+ You can install MSAL Node by running the following npm command.
+
+```console
+npm install @azure/msal-node --save
+```
+
+### MSAL initialization
+
+You can add the reference for MSAL by adding the following code:
+
+```javascript
+const msal = require('@azure/msal-node');
+```
+
+Then, initialize MSAL using the following code:
+
+```javascript
+const msalConfig = {
+ auth: {
+ clientId: "Enter_the_Application_Id_Here",
+ authority: "https://login.microsoftonline.com/Enter_the_Tenant_Id_Here",
+ clientSecret: "Enter_the_Client_Secret_Here",
+ }
+};
+const cca = new msal.ConfidentialClientApplication(msalConfig);
+```
+
+> | Where: |Description |
+> |||
+> | `clientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |
+> | `authority` | The STS endpoint for user to authenticate. Usually `https://login.microsoftonline.com/{tenant}` for public cloud, where {tenant} is the name of your tenant or your tenant Id.|
+> | `clientSecret` | Is the client secret created for the application in Azure Portal. |
+
+For more information, please see the [reference documentation for `ConfidentialClientApplication`](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md)
+
+### Requesting tokens
+
+To request a token using app's identity, use `acquireTokenByClientCredential` method:
+
+```javascript
+const tokenRequest = {
+ scopes: [ 'https://graph.microsoft.com/.default' ],
+};
+
+const tokenResponse = await cca.acquireTokenByClientCredential(tokenRequest);
+```
+
+> |Where:| Description |
+> |||
+> | `tokenRequest` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure Portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under **Expose an API** section in Azure Portal's Application Registration. |
+> | `tokenResponse` | The response contains an access token for the scopes requested. |
++
+## Next steps
+
+To learn more about daemon/console app development with MSAL Node, see the tutorial:
+
+> [!div class="nextstepaction"]
+> [Daemon application that calls web APIs](tutorial-v2-nodejs-console.md)
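Review bot: In "MSAL initialization", `msalConfig` hard-codes `clientSecret: "Enter_the_Client_Secret_Here"` although Step 3 has the reader store `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` in *.env*, so the page never shows how the stored values reach MSAL, and the snippet models the pattern the WARNING tells readers to avoid. Show the config reading from the environment (for example `clientSecret: process.env.CLIENT_SECRET`, assuming the sample loads *.env* into `process.env`). The Step 3 snippet for *.env* is written as quoted JSON-style pairs with trailing commas (`"TENANT_ID": "Enter_the_Tenant_Id_Here",`), which should be checked against the sample's actual *.env* format. Smaller points: the "MSAL Node" section says the library is used "to sign in users" although this quickstart has no user sign-in, the customer-intent line reads "an Microsoft identity platform", and `await cca.acquireTokenByClientCredential(tokenRequest)` is shown outside an async function and without error handling, which will not run in a CommonJS module that uses `require`.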
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-nodejs-desktop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-nodejs-desktop.md
@@ -0,0 +1,241 @@
+
+ Title: "Quickstart: Call Microsoft Graph from a Node.js desktop app | Azure"
+
+description: In this quickstart, you learn how a Node.js Electron desktop application can sign-in users and get an access token to call an API protected by a Microsoft identity platform endpoint
+++++++ Last updated : 02/11/2021+
+#Customer intent: As an application developer, I want to learn how my Node.js Electron desktop application can get an access token and call an API that's protected by a Microsoft identity platform endpoint.
++
+# Quickstart: Acquire an access token and call the Microsoft Graph API from an Electron desktop app
+
+In this quickstart, you download and run a code sample that demonstrates how an Electron desktop application can sign in users and acquire access tokens to call the Microsoft Graph API.
+
+This quickstart uses the [Microsoft Authentication Library for Node.js (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) with the [authorization code flow with PKCE](v2-oauth2-auth-code-flow.md).
+
+## Prerequisites
+
+* [Node.js](https://nodejs.org/en/download/)
+* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+
+> [!div renderon="docs"]
+> ## Register and download your quickstart application
+>
+> Follow the steps below to get started.
+>
+> #### Step 1: Register your application
+> To register your application and add the app's registration information to your solution manually, follow these steps:
+>
+> 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+> 1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
+> 1. Search for and select **Azure Active Directory**.
+> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Enter a **Name** for your application, for example `msal-node-desktop`. Users of your app might see this name, and you can change it later.
+> 1. Select **Register** to create the application.
+> 1. Under **Manage**, select **Authentication**.
+> 1. Select **Add a platform** > **Mobile and desktop applications**.
+> 1. In the **Redirect URIs** section, enter `msal://redirect`.
+> 1. Select **Configure**.
+
+> [!div class="sxs-lookup" renderon="portal"]
+> #### Step 1: Configure your application in Azure portal
+> For the code sample for this quickstart to work, you need to add a reply URL as **msal://redirect**.
+> > [!div renderon="portal" id="makechanges" class="nextstepaction"]
+> > [Make this change for me]()
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-windows-desktop/green-check.png) Your application is configured with these attributes.
+
+#### Step 2: Download your Electron project
+
+> [!div renderon="docs"]
+> [Download the code sample](https://github.com/azure-samples/ms-identity-javascript-nodejs-desktop/archive/main.zip)
+
+> [!div renderon="portal" id="autoupdate" class="sxs-lookup nextstepaction"]
+> [Download the code sample](https://github.com/azure-samples/ms-identity-javascript-nodejs-desktop/archive/main.zip)
+
+> [!div class="sxs-lookup" renderon="portal"]
+> > [!NOTE]
+> > `Enter_the_Supported_Account_Info_Here`
+
+> [!div renderon="docs"]
+> #### Step 3: Configure your Electron project
+>
+> 1. Extract the zip file to a local folder close to the root of the disk, for example, *C:/Azure-Samples*.
+> 1. Edit *.env* and replace the values of the fields `TENANT_ID` and `CLIENT_ID` with the following snippet:
+>
+> ```
+> "TENANT_ID": "Enter_the_Tenant_Id_Here",
+> "CLIENT_ID": "Enter_the_Application_Id_Here"
+> ```
+> Where:
+> - `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
+> - `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com)
+>
+> > [!TIP]
+> > To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal.
+
+> [!div class="sxs-lookup" renderon="portal"]
+> #### Step 4: Run the application
+
+> [!div renderon="docs"]
+> #### Step 4: Run the application
+
+You'll need to install the dependencies of this sample once:
+
+```console
+npm install
+```
+
+Then, run the application via command prompt or console:
+
+```console
+npm start
+```
+
+You should see application's UI with a **Sign in** button.
+
+## About the code
+
+Below, some of the important aspects of the sample application are discussed.
+
+### MSAL Node
+
+[MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. For more information on how to use MSAL Node with desktop apps, see [this article](scenario-desktop-overview.md).
+
+You can install MSAL Node by running the following npm command.
+
+```console
+npm install @azure/msal-node --save
+```
+
+### MSAL initialization
+
+You can add the reference for MSAL Node by adding the following code:
+
+```javascript
+const { PublicClientApplication } = require('@azure/msal-node');
+```
+
+Then, initialize MSAL using the following code:
+
+```javascript
+const MSAL_CONFIG = {
+ auth: {
+ clientId: "Enter_the_Application_Id_Here",
+ authority: "https://login.microsoftonline.com/Enter_the_Tenant_Id_Here",
+ },
+};
+
+const pca = new PublicClientApplication(MSAL_CONFIG);
+```
+
+> | Where: |Description |
+> |||
+> | `clientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |
+> | `authority` | The STS endpoint for user to authenticate. Usually `https://login.microsoftonline.com/{tenant}` for public cloud, where {tenant} is the name of your tenant or your tenant Id.|
+
+### Requesting tokens
+
+In the first leg of authorization code flow with PKCE, prepare and send an authorization code request with the appropriate parameters. Then, in the second leg of the flow, listen for the authorization code response. Once the code is obtained, exchange it to obtain a token.
+
+```javascript
+// The redirect URI you setup during app registration with a custom file protocol "msal"
+const redirectUri = "msal://redirect";
+
+const cryptoProvider = new CryptoProvider();
+
+const pkceCodes = {
+ challengeMethod: "S256", // Use SHA256 Algorithm
+ verifier: "", // Generate a code verifier for the Auth Code Request first
+ challenge: "" // Generate a code challenge from the previously generated code verifier
+};
+
+/**
+ * Starts an interactive token request
+ * @param {object} authWindow: Electron window object
+ * @param {object} tokenRequest: token request object with scopes
+ */
+async function getTokenInteractive(authWindow, tokenRequest) {
+
+ /**
+ * Proof Key for Code Exchange (PKCE) Setup
+ *
+ * MSAL enables PKCE in the Authorization Code Grant Flow by including the codeChallenge and codeChallengeMethod
+ * parameters in the request passed into getAuthCodeUrl() API, as well as the codeVerifier parameter in the
+ * second leg (acquireTokenByCode() API).
+ */
+
+ const {verifier, challenge} = await cryptoProvider.generatePkceCodes();
+
+ pkceCodes.verifier = verifier;
+ pkceCodes.challenge = challenge;
+
+ const authCodeUrlParams = {
+ redirectUri: redirectUri
+ scopes: tokenRequest.scopes,
+ codeChallenge: pkceCodes.challenge, // PKCE Code Challenge
+ codeChallengeMethod: pkceCodes.challengeMethod // PKCE Code Challenge Method
+ };
+
+ const authCodeUrl = await pca.getAuthCodeUrl(authCodeUrlParams);
+
+ // register the custom file protocol in redirect URI
+ protocol.registerFileProtocol(redirectUri.split(":")[0], (req, callback) => {
+ const requestUrl = url.parse(req.url, true);
+ callback(path.normalize(`${__dirname}/${requestUrl.path}`));
+ });
+
+ const authCode = await listenForAuthCode(authCodeUrl, authWindow); // see below
+
+ const authResponse = await pca.acquireTokenByCode({
+ redirectUri: redirectUri,
+ scopes: tokenRequest.scopes,
+ code: authCode,
+ codeVerifier: pkceCodes.verifier // PKCE Code Verifier
+ });
+
+ return authResponse;
+}
+
+/**
+ * Listens for auth code response from Azure AD
+ * @param {string} navigateUrl: URL where auth code response is parsed
+ * @param {object} authWindow: Electron window object
+ */
+async function listenForAuthCode(navigateUrl, authWindow) {
+
+ authWindow.loadURL(navigateUrl);
+
+ return new Promise((resolve, reject) => {
+ authWindow.webContents.on('will-redirect', (event, responseUrl) => {
+ try {
+ const parsedUrl = new URL(responseUrl);
+ const authCode = parsedUrl.searchParams.get('code');
+ resolve(authCode);
+ } catch (err) {
+ reject(err);
+ }
+ });
+ });
+}
+```
+
+> |Where:| Description |
+> |||
+> | `authWindow` | Current Electron window in process. |
+> | `tokenRequest` | Contains the scopes being requested, such as `"User.Read"` for Microsoft Graph or `"api://<Application ID>/access_as_user"` for custom web APIs. |
+
+## Next steps
+
+To learn more about Electron desktop app development with MSAL Node, see the tutorial:
+
+> [!div class="nextstepaction"]
+> [Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app](tutorial-v2-nodejs-desktop.md)
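Review bot: `listenForAuthCode` resolves on the first `will-redirect` event with whatever `parsedUrl.searchParams.get('code')` returns: it does not check that `responseUrl` is the registered `msal://redirect` URI, it resolves `null` when the response carries no `code` (for example an error response), and no `state` value is sent or compared, so an intermediate redirect or a failed sign-in flows straight into `acquireTokenByCode`. Check the redirect target before parsing, and reject when `code` is absent. Separately, `authCodeUrlParams` in `getTokenInteractive` is missing the comma after `redirectUri: redirectUri`, which makes the snippet a syntax error as written, and the code uses `CryptoProvider`, `protocol`, `url` and `path` without showing where they come from; only `PublicClientApplication` is imported in the section above.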
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/reference-v2-libraries.md
@@ -19,7 +19,7 @@
# Microsoft identity platform authentication libraries
-The following tables show Microsoft authentication library support for several application types. They include links to library source code, where to get the package for your app's project, and whether the library supports user sign-in (authentication), access to protected web APIs (authorization), or both.
+The following tables show Microsoft Authentication Library support for several application types. They include links to library source code, where to get the package for your app's project, and whether the library supports user sign-in (authentication), access to protected web APIs (authorization), or both.
The Microsoft identity platform has been certified by the OpenID Foundation as a [certified OpenID provider](https://openid.net/certification/). If you prefer to use a library other than the Microsoft Authentication Library (MSAL) or another Microsoft-supported library, choose one with a [certified OpenID Connect implementation](https://openid.net/developers/certified/).
@@ -37,6 +37,7 @@ Because a SPA's code runs entirely in the browser, it's considered a *public cli
| Angular | [MSAL Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-angular-v1/lib/msal-angular) | [@azure/msal-angular](https://www.npmjs.com/package/@azure/msal-angular) | [Tutorial](tutorial-v2-angular.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA | | AngularJS | [MSAL AngularJS](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angularjs) | [@azure/msal-angularjs](https://www.npmjs.com/package/@azure/msal-angularjs) | ΓÇö | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | Public preview | | JavaScript | [MSAL.js 2.0](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser) | [@azure/msal-browser](https://www.npmjs.com/package/@azure/msal-browser) | [Tutorial](tutorial-v2-javascript-auth-code.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA |
+| JavaScript | [MSAL.js 1.0](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core) | [@azure/msal-core](https://www.npmjs.com/package/@azure/msal-core) | [Tutorial](tutorial-v2-javascript-spa.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA |
| React | [MSAL React](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react) | [@azure/msal-react](https://www.npmjs.com/package/@azure/msal-react) | ΓÇö | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | Public preview | <!-- | Vue | [Vue MSAL]( https://github.com/mvertopoulos/vue-msal) | [vue-msal]( https://www.npmjs.com/package/vue-msal) | ![X indicating no.][n] | ![Green check mark.][y] | ![Green check mark.][y] | -- |
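Review bot: the added MSAL.js 1.0 row cannot be told apart from the MSAL.js 2.0 row above it except by library name and tutorial link, since both read "JavaScript" in the first column and "GA" in the last. Because this table covers SPAs, which the section treats as public clients, suggest a footnote or a qualifier in the first column stating which of the two a new project should pick, so readers do not choose msal-core only because it appears in the list.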
@@ -56,8 +57,8 @@ Because a web application's code runs on the web server, it's considered a *conf
| ASP.NET Core | [ASP.NET Security](/aspnet/core/security/) | [Microsoft.AspNetCore.Authentication](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication/) | ΓÇö | ![Library can request ID tokens for user sign-in.][y] | ![Library cannot request access tokens for protected web APIs.][n] | GA | | ASP.NET Core | [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) | [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) | ΓÇö | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA | | Java | [MSAL4J](https://github.com/AzureAD/microsoft-authentication-library-for-java) | [msal4j](https://search.maven.org/artifact/com.microsoft.azure/msal4j) | [Quickstart](quickstart-v2-java-webapp.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA |
-| Node.js | [MSAL Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) | [msal-node](https://www.npmjs.com/package/@azure/msal-node) | [Quickstart](quickstart-v2-nodejs-webapp-msal.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | Public preview |
-| Node.js | [Azure AD Passport](https://github.com/AzureAD/passport-azure-ad) | [passport-azure-ad](https://www.npmjs.com/package/passport-azure-ad) | [Quickstart](quickstart-v2-nodejs-webapp.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library cannot request access tokens for protected web APIs.][n] | GA |
+| Node.js | [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) | [msal-node](https://www.npmjs.com/package/@azure/msal-node) | [Quickstart](quickstart-v2-nodejs-webapp-msal.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA |
+| Node.js | [Azure AD Passport](https://github.com/AzureAD/passport-azure-ad) | [passport-azure-ad](https://www.npmjs.com/package/passport-azure-ad) | [Quickstart](quickstart-v2-nodejs-webapp.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA |
| Python | [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | [msal](https://pypi.org/project/msal) | [Quickstart](quickstart-v2-python-webapp.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA | <!-- | Java | [ScribeJava](https://github.com/scribejava/scribejava) | [ScribeJava 3.2.0](https://github.com/scribejava/scribejava/releases/tag/scribejava-3.2.0) | ![X indicating no.][n] | ![X indicating no.][n] | ![Green check mark.][y] | -- |
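Review bot: the passport-azure-ad row flips the "Access web APIs" cell from [n] to [y], and the alt text of [y] says the library can request access tokens for protected web APIs; please confirm this is intended and not carried over from the MSAL Node row edited just above it. If the point is that the library is used inside a web API to validate incoming tokens, that is not what this column records, and the cell should stay [n] or get a footnote explaining the difference.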
@@ -77,7 +78,7 @@ Because a desktop application runs on the user's desktop, it's considered a *pub
| Language / framework | Project on<br/>GitHub | Package | Getting<br/>started | Sign in users | Access web APIs | Generally available (GA) *or*<br/>Public preview<sup>1</sup> | |-|--||::|:--:|::|::|
-| Electron | [MSAL Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) | [@azure/msal-node](https://www.npmjs.com/package/@azure/msal-node) | ΓÇö | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | Public preview |
+| Electron | [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) | [@azure/msal-node](https://www.npmjs.com/package/@azure/msal-node) | [Tutorial](tutorial-v2-nodejs-desktop.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA |
| Java | [MSAL4J](https://github.com/AzureAD/microsoft-authentication-library-for-java) | [msal4j](https://mvnrepository.com/artifact/com.microsoft.azure/msal4j) | ΓÇö | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA | | macOS (Swift/Obj-C) | [MSAL for iOS and macOS](https://github.com/AzureAD/microsoft-authentication-library-for-objc) | [MSAL](https://cocoapods.org/pods/MSAL) | [Tutorial](tutorial-v2-ios.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA | | UWP | [MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) | [Tutorial](tutorial-v2-windows-uwp.md) | ![Library can request ID tokens for user sign-in.][y] | ![Library can request access tokens for protected web APIs.][y] | GA |
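Review bot: the Package cell in the Electron row reads [@azure/msal-node], while the Node.js rows this commit touches in the web application and daemon tables use [msal-node] as link text for the same npm URL. Suggest using the scoped name @azure/msal-node in all three rows so the text matches what a reader has to type into npm install.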
@@ -93,7 +94,7 @@ Because a desktop application runs on the user's desktop, it's considered a *pub
A mobile application is typically binary (compiled) code that surfaces a user interface and is intended to run on a user's mobile device.
-Because a mobile application runs on the the user's mobile device, it's considered a *public client* that's unable to store secrets securely.
+Because a mobile application runs on the user's mobile device, it's considered a *public client* that's unable to store secrets securely.
| Platform | Project on<br/>GitHub | Package | Getting<br/>started | Sign in users | Access web APIs | Generally available (GA) *or*<br/>Public preview<sup>1</sup> | |-|||:--:|:--:|::|::|
@@ -117,7 +118,8 @@ A service or daemon that runs on a server is considered a *confidential client*
|-||-|::|:--:|::|::| | .NET | [MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client/) | [Quickstart](quickstart-v2-netcore-daemon.md) | ![Library cannot request ID tokens for user sign-in.][n] | ![Library can request access tokens for protected web APIs.][y] | GA | | Java | [MSAL4J](https://github.com/AzureAD/microsoft-authentication-library-for-java) | [msal4j](https://javadoc.io/doc/com.microsoft.azure/msal4j/latest/https://docsupdatetracker.net/index.html) | ΓÇö | ![Library cannot request ID tokens for user sign-in.][n] | ![Library can request access tokens for protected web APIs.][y] | GA |
-| Python | [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | [msal-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | [Quickstart](quickstart-v2-python-daemon.md) | ![Library cannot request ID tokens for user sign-in.][n] | ![Library can request access tokens for protected web APIs.][y] | GA |
+| Node | [MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) | [msal-node](https://www.npmjs.com/package/@azure/msal-node) | [Quickstart](quickstart-v2-nodejs-console.md) | ![Library cannot request ID tokens for user sign-in.][n] | ![Library can request access tokens for protected web APIs.][y] | GA |
+| Python | [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | [msal-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | ΓÇö | ![Library cannot request ID tokens for user sign-in.][n] | ![Library can request access tokens for protected web APIs.][y] | GA |
<!-- |PHP| [The PHP League oauth2-client](https://oauth2-client.thephpleague.com/usage/) | [League\OAuth2](https://oauth2-client.thephpleague.com/) | ![Green check mark.][n] | ![X indicating no.][n] | ![Green check mark.][y] | -- | -->
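Review bot: the Python row loses its [Quickstart](quickstart-v2-python-daemon.md) link and gets a dash instead, which looks like a side effect of inserting the Node row and not a deliberate removal. Unless that quickstart is being retired, restore the link. Also, the new row uses "Node" in the first column where the web application table uses "Node.js"; suggest "Node.js" here too.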
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md
@@ -35,16 +35,18 @@ These samples show how to write a single-page application secured with Microsoft
| Platform | Description | Link | | -- | | -- | | ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core) | SPA calls Microsoft Graph |[javascript-graphapi-v2](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2) |
-| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls Microsoft Graph using Auth Code Flow w/ PKCE |[javascript-v2](https://github.com/Azure-Samples/ms-identity-javascript-v2) |
+| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls Microsoft Graph using Auth Code Flow w/ PKCE |[javascript-v2](https://github.com/Azure-Samples/ms-identity-javascript-v2) |
| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core) | SPA calls B2C |[b2c-javascript-msal-singlepageapp](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp) |
-| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls B2C using Auth Code Flow w/PKCE |[b2c-javascript-spa](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) |
-| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL-Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls Microsoft Graph | [active-directory-javascript-singlepageapp-angular](https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-angular) |
-| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL-Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls custom Web API | [ms-identity-javascript-angular-spa-aspnetcore-webapi](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi) |
-| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL-Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | SPA calls B2C |[active-directory-b2c-javascript-angular-spa](https://github.com/Azure-Samples/active-directory-b2c-javascript-angular-spa) |
-| ![This image shows the React logo](media/sample-v2-code/logo_react.png) [React (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core)| SPA calls custom Web API which in turn calls Microsoft Graph | [ms-identity-javascript-react-spa-dotnetcore-webapi-obo](https://github.com/Azure-Samples/ms-identity-javascript-react-spa-dotnetcore-webapi-obo) |
-| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls custom web API which in turn calls Microsoft Graph | [ms-identity-javascript-tutorial-chapter4-obo](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph) |
-| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL-Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | SPA calls custom Web API with App Roles and Security Groups |[ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups) |
-| ![This image shows the Blazor logo](media/sample-v2-code/logo-blazor.png) [Blazor WebAssembly (MSAL-JS)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | Blazor WebAssembly Tutorial to sign-in users and call APIs with Azure Active Directory |[ms-identity-blazor-wasm](https://github.com/Azure-Samples/ms-identity-blazor-wasm) |
+| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls B2C using Auth Code Flow w/PKCE |[b2c-javascript-spa](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls Microsoft Graph | [active-directory-javascript-singlepageapp-angular](https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-angular) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls Microsoft Graph using Auth Code Flow w/ PKCE | [ms-identity-javascript-angular-spa](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls custom Web API | [ms-identity-javascript-angular-spa-aspnetcore-webapi](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | SPA calls B2C |[active-directory-b2c-javascript-angular-spa](https://github.com/Azure-Samples/active-directory-b2c-javascript-angular-spa) |
+| ![This image shows the React logo](media/sample-v2-code/logo_react.png) [React (MSAL React)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react)| SPA calls Microsoft Graph using Auth Code Flow w/ PKCE | [ms-identity-javascript-react-spa](https://github.com/Azure-Samples/ms-identity-javascript-react-spa) |
+| ![This image shows the React logo](media/sample-v2-code/logo_react.png) [React (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core)| SPA calls custom Web API which in turn calls Microsoft Graph | [ms-identity-javascript-react-spa-dotnetcore-webapi-obo](https://github.com/Azure-Samples/ms-identity-javascript-react-spa-dotnetcore-webapi-obo) |
+| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls custom web API which in turn calls Microsoft Graph | [ms-identity-javascript-tutorial-chapter4-obo](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | SPA calls custom Web API with App Roles and Security Groups |[ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups) |
+| ![This image shows the Blazor logo](media/sample-v2-code/logo-blazor.png) [Blazor WebAssembly (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | Blazor WebAssembly Tutorial to sign-in users and call APIs with Azure Active Directory |[ms-identity-blazor-wasm](https://github.com/Azure-Samples/ms-identity-blazor-wasm) |
## Web applications
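Review bot: the React OBO row is relabelled "React (MSAL.js 2.0)" but its link still points to lib/msal-core, which the library support table in this same commit lists as MSAL.js 1.0 (2.0 is lib/msal-browser there). Either the label or the link is wrong; check which library the ms-identity-javascript-react-spa-dotnetcore-webapi-obo sample uses and make the two agree. The same check applies to the Angular rows: "MSAL Angular" and "MSAL Angular 2.0" both link to blob/dev/lib/msal-angular, so the version in the label is not reflected in the target.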
@@ -57,6 +59,7 @@ The following samples illustrate web applications that sign in users. Some sampl
| ![This image shows the ASP.NET Framework logo](media/sample-v2-code/logo_NETframework.png)</p> ASP.NET | [ASP.NET Quickstart](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) </p> [dotnet-webapp-openidconnect-v2](https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2) | [dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) </p> |[msgraph-training-aspnetmvcapp](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) | ![This image shows the Java logo](media/sample-v2-code/logo_java.png) | | [ms-identity-java-webapp](https://github.com/Azure-Samples/ms-identity-java-webapp) | | ![This image shows the Java logo](media/sample-v2-code/logo_java.png) | [ms-identity-b2c-java-servlet-webapp-authentication](https://github.com/Azure-Samples/ms-identity-b2c-java-servlet-webapp-authentication)| |
+| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png)</p>Node.js (MSAL Node) | [Express web app signs-in users tutorial](https://github.com/Azure-Samples/ms-identity-node) | |
| ![This image shows the Python logo](media/sample-v2-code/logo_python.png) | [ms-identity-python-flask-webapp-authentication](https://github.com/Azure-Samples/ms-identity-python-flask-webapp-authentication) | [ms-identity-python-webapp](https://github.com/Azure-Samples/ms-identity-python-webapp) | | ![This image shows the Python logo](medi) signs-in users and calls Graph tutorial | | ![This image shows the Python logo](medi) signs-in users with B2C | |
@@ -77,6 +80,7 @@ The following samples show public client applications (desktop or mobile applica
| Desktop (Console) with WAM | ![This is the logo for .NET/C# (Desktop)](media/sample-v2-code/logo_NETcore.png) | Interactive with [Web Account Manager](/windows/uwp/security/web-account-manager) (WAM) |[dotnet-native-uwp-wam](https://github.com/azure-samples/active-directory-dotnet-native-uwp-wam) | | | Desktop (Console) | ![This image shows the Java logo](medi#usernamepassword) |[ms-identity-java-desktop](https://github.com/Azure-Samples/ms-identity-java-desktop/) | | | Desktop (Console) | ![This image shows the Python logo](medi#usernamepassword) |[ms-identity-python-desktop](https://github.com/Azure-Samples/ms-identity-python-desktop) | |
+| Desktop (Electron) | ![This image shows the Node.js logo](medi#authorization-code) |[ms-identity-javascript-nodejs-desktop](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-desktop) | |
| Mobile (Android, iOS, UWP) | ![This image shows the .NET/C# (Xamarin) logo](medi#authorization-code) |[xamarin-native-v2](https://github.com/azure-samples/active-directory-xamarin-native-v2) | | | Mobile (iOS) | ![This image shows iOS/Objective-C or Swift](medi#authorization-code) |[ios-swift-objc-native-v2](https://github.com/azure-samples/active-directory-ios-swift-native-v2) </p> [ios-native-nxoauth2-v2](https://github.com/azure-samples/active-directory-ios-native-nxoauth2-v2) | | | Desktop (macOS) | macOS | [Authorization code](msal-authentication-flows.md#authorization-code) |[macOS-swift-objc-native-v2](https://github.com/Azure-Samples/ms-identity-macOS-swift-objc) | |
@@ -92,6 +96,7 @@ The following samples show an application that accesses the Microsoft Graph API
| Console | ![This image shows the .NET Core logo](medi#client-credentials) | [dotnetcore-daemon-v2](https://github.com/azure-samples/active-directory-dotnetcore-daemon-v2) | | Web app | ![Screenshot that shows the ASP.NET logo.](medi#client-credentials) | [dotnet-daemon-v2](https://github.com/azure-samples/active-directory-dotnet-daemon-v2) | | Console | ![This image shows the Java logo](medi#client-credentials) | [ms-identity-java-daemon](https://github.com/Azure-Samples/ms-identity-java-daemon) |
+| Console | ![This image shows the Node.js logo](medi#client-credentials) | [ms-identity-javascript-nodejs-console](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) |
| Console | ![This image shows the Python logo](medi#client-credentials) | [ms-identity-python-daemon](https://github.com/Azure-Samples/ms-identity-python-daemon) | ## Headless applications
@@ -106,12 +111,12 @@ The following sample shows a public client application running on a device witho
## Multi-tenant SaaS applications
-The following samples show how to configure your application to accept sign-ins from any Azure Active Directory (Azure AD) tenant. Configuring your application to be *multi-tenant* means that you can offer a **Software as a Service** (SaaS) application to many organizations, allowing their users to be able to sign-in to your application after consenting to use their account.
+The following samples show how to configure your application to accept sign-ins from any Azure Active Directory (Azure AD) tenant. Configuring your application to be *multi-tenant* means that you can offer a **Software as a Service** (SaaS) application to many organizations, allowing their users to be able to sign-in to your application after providing consent.
| Platform | Description | Link | | -- | | -- |
-| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | Multi-tenant SPA calls Graph API |[ms-identity-javascript-angular-spa-aspnet-webapi-multitenant](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnet-webapi-multitenant/tree/master/Chapter1) |
-| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL-Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | Multi-tenant SPA calls multi-tenant custom Web API |[ms-identity-javascript-angular-spa-aspnet-webapi-multitenant](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnet-webapi-multitenant/tree/master/Chapter2) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | Multi-tenant SPA calls Graph API |[ms-identity-javascript-angular-spa-aspnet-webapi-multitenant](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnet-webapi-multitenant/tree/master/Chapter1) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | Multi-tenant SPA calls multi-tenant custom Web API |[ms-identity-javascript-angular-spa-aspnet-webapi-multitenant](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnet-webapi-multitenant/tree/master/Chapter2) |
| ![This image shows the ASP.NET Core logo](media/sample-v2-code/logo_NETcore.png) [.NET Core (MSAL.NET)](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | ASP.NET Core MVC web application calls Graph API |[active-directory-aspnetcore-webapp-openidconnect-v2](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-3-Multi-Tenant) | | ![This image shows the ASP.NET Core logo](media/sample-v2-code/logo_NETcore.png) [.NET Core (MSAL.NET)](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | ASP.NET Core MVC web application calls ASP.NET Core Web API |[active-directory-aspnetcore-webapp-openidconnect-v2](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-3-AnyOrg) |
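Review bot: the edited sentence still reads "allowing their users to be able to sign-in to your application", with "sign-in" hyphenated as a verb and a redundant "to be able to". Since the line is already being changed, suggest "allowing their users to sign in to your application after providing consent".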
@@ -124,8 +129,8 @@ The following samples show how to protect a web API with the Microsoft identity
| ![This image shows the ASP.NET Core logo](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core | ASP.NET Core web API (service) of [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi-calls-msgraph) | | ![This image shows the ASP.NET logo](media/sample-v2-code/logo_NET.png)</p>ASP.NET MVC | Web API (service) of [ms-identity-aspnet-webapi-onbehalfof](https://github.com/Azure-Samples/ms-identity-aspnet-webapi-onbehalfof) | | ![This image shows the Java logo](media/sample-v2-code/logo_java.png) | Web API (service) of [ms-identity-java-webapi](https://github.com/Azure-Samples/ms-identity-java-webapi) |
-| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png) | Web API (service) of [active-directory-javascript-nodejs-webapi-v2](https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2) |
-| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png) | B2C Web API (service) of [active-directory-b2c-javascript-nodejs-webapi](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi) |
+| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png)</p>Node.js (Passport.js)| Web API (service) of [active-directory-javascript-nodejs-webapi-v2](https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2) |
+| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png)</p>Node.js (Passport.js)| B2C Web API (service) of [active-directory-b2c-javascript-nodejs-webapi](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi) |
## Azure Functions as web APIs
@@ -135,8 +140,8 @@ The following samples show how to protect an Azure Function using HttpTrigger an
| -- | - | | ![This image shows the ASP.NET Core logo](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core | ASP.NET Core web API (service) Azure Function of [dotnet-native-aspnetcore-v2](https://github.com/Azure-Samples/ms-identity-dotnet-webapi-azurefunctions) | | ![This image shows the Python logo](media/sample-v2-code/logo_python.png)</p>Python | Web API (service) of [Python](https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions) |
-| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png)</p>Node.js | Web API (service) of [Node.js and passport-azure-ad](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-azurefunctions) |
-| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png)</p>Node.js | Web API (service) of [Node.js and passport-azure-ad using on behalf of](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-onbehalfof-azurefunctions) |
+| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png)</p>Node.js (Passport.js)| Web API (service) of [Node.js and passport-azure-ad](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-azurefunctions) |
+| ![This image shows the Node.js logo](media/sample-v2-code/logo_nodejs.png)</p>Node.js (Passport.js)| Web API (service) of [Node.js and passport-azure-ad using on behalf of](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-onbehalfof-azurefunctions) |
## Other Microsoft Graph samples
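Review bot: the new "Node.js (Passport.js)" label names the generic framework, while the link text in these same rows says "Node.js and passport-azure-ad" and the library support table calls it "Azure AD Passport". Suggest "Node.js (passport-azure-ad)" here and in the web API table, so the label identifies the package a reader has to install and audit.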
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-console https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-nodejs-console.md
@@ -0,0 +1,286 @@
+
+ Title: "Tutorial: Call Microsoft Graph in a Node.js console app | Azure"
+
+description: In this tutorial, you build a console app for calling Microsoft Graph to a Node.js console app.
+++++++ Last updated : 01/12/2021+++
+# Tutorial: Call the Microsoft Graph API in a Node.js console app
+
+In this tutorial, you build a console app that calls Microsoft Graph API using its own identity. The console app you build uses the [Microsoft Authentication Library (MSAL) for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
+
+Follow the steps in this tutorial to:
+
+> [!div class="checklist"]
+> - Register the application in the Azure portal
+> - Create a Node.js console app project
+> - Add authentication logic to your app
+> - Add app registration details
+> - Add a method to call a web API
+> - Test the app
+
+## Prerequisites
+
+- [Node.js](https://nodejs.org/en/download/)
+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+
+## Register the application
+
+First, complete the steps in [Register an application with the Microsoft identity platform](quickstart-register-app.md) to register your app.
+
+Use the following settings for your app registration:
+
+- Name: `NodeConsoleApp` (suggested)
+- Supported account types: **Accounts in this organizational directory only**
+- API permissions: **Microsoft APIs** > **Microsoft Graph** > **Application Permissions** > `User.Read.All`
+- Client secret: `*********` (record this value for use in a later step - it's shown only once)
+
+## Create the project
+
+Create a folder to host your application, for example *NodeConsoleApp*.
+
+1. First, change to your project directory in your terminal and then run the following NPM commands:
+
+```console
+ npm init -y
+ npm install --save dotenv yargs axios @azure/msal-node
+```
+
+2. Next, create a folder named *bin*. Then, inside this folder, create file named *index.js* and add the following code:
+
+```JavaScript
+#!/usr/bin/env node
+
+// read in env settings
+require('dotenv').config();
+
+const yargs = require('yargs');
+
+const fetch = require('./fetch');
+const auth = require('./auth');
+
+const options = yargs
+ .usage('Usage: --op <operation_name>')
+ .option('op', { alias: 'operation', describe: 'operation name', type: 'string', demandOption: true })
+ .argv;
+
+async function main() {
+ console.log(`You have selected: ${options.op}`);
+
+ switch (yargs.argv['op']) {
+ case 'getUsers':
+
+ try {
+ // here we get an access token
+ const authResponse = await auth.getToken(auth.tokenRequest);
+
+ // call the web API with the access token
+ const users = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken);
+
+ // display result
+ console.log(users);
+ } catch (error) {
+ console.log(error);
+ }
+
+ break;
+ default:
+ console.log('Select a Graph operation first');
+ break;
+ }
+};
+
+main();
+```
+
+This file references two other node modules: *auth.js* which contains an implementation of MSAL Node for acquiring access tokens, and *fetch.js* which contains a method for making an HTTP request to Microsoft Graph API with an access token. After completing the rest of the tutorial, the file and folder structure of your project should look similar to the following:
+
+```
+NodeConsoleApp/
+Γö£ΓöÇΓöÇ bin
+│   ├── auth.js
+│   ├── fetch.js
+│   ├── index.js
+Γö£ΓöÇΓöÇ package.json
+ΓööΓöÇΓöÇ .env
+```
+
+## Add authentication logic
+
+Inside the *bin* folder, create another file named *auth.js* and add the following code for acquiring an access token to present when calling the Microsoft Graph API.
+
+```JavaScript
+const msal = require('@azure/msal-node');
+
+/**
+ * Configuration object to be passed to MSAL instance on creation.
+ * For a full list of MSAL Node configuration parameters, visit:
+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/configuration.md
+ */
+const msalConfig = {
+ auth: {
+ clientId: process.env.CLIENT_ID,
+ authority: process.env.AAD_ENDPOINT + process.env.TENANT_ID,
+ clientSecret: process.env.CLIENT_SECRET,
+ }
+};
+
+/**
+ * With client credentials flows permissions need to be granted in the portal by a tenant administrator.
+ * The scope is always in the format '<resource>/.default'. For more, visit:
+ * https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
+ */
+const tokenRequest = {
+ scopes: [process.env.GRAPH_ENDPOINT + '.default'],
+};
+
+const apiConfig = {
+ uri: process.env.GRAPH_ENDPOINT + 'v1.0/users',
+};
+
+/**
+ * Initialize a confidential client application. For more info, visit:
+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md
+ */
+const cca = new msal.ConfidentialClientApplication(msalConfig);
+
+/**
+ * Acquires token with client credentials.
+ * @param {object} tokenRequest
+ */
+async function getToken(tokenRequest) {
+ return await cca.acquireTokenByClientCredential(tokenRequest);
+}
+
+module.exports = {
+ apiConfig: apiConfig,
+ tokenRequest: tokenRequest,
+ getToken: getToken
+};
+```
+
+In the code snippet above, we first create a configuration object (*msalConfig*) and pass it to initialize an MSAL [ConfidentialClientApplication](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md). Then we create a method for acquiring tokens via **client credentials** and finally expose this module to be accessed by *main.js*. The configuration parameters in this module are drawn from an environment file, which we will create in the next step.
+
+## Add app registration details
+
+Create an environment file to store the app registration details that will be used when acquiring tokens. To do so, create a file named *.env* inside the root folder of the sample (*NodeConsoleApp*), and add the following code:
+
+```
+# Credentials
+TENANT_ID=Enter_the_Tenant_Id_Here
+CLIENT_ID=Enter_the_Application_Id_Here
+CLIENT_SECRET=Enter_the_Client_Secret_Here
+
+# Endpoints
+AAD_ENDPOINT=Enter_the_Cloud_Instance_Id_Here
+GRAPH_ENDPOINT=Enter_the_Graph_Endpoint_Here
+```
+
+Fill in these details with the values you obtain from Azure app registration portal:
+
+- `Enter_the_Tenant_Id_here` should be one of the following:
+ - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.
+ - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.
+ - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`.
+ - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.
+- `Enter_the_Application_Id_Here`: The **Application (client) ID** of the application you registered.
+- `Enter_the_Cloud_Instance_Id_Here`: The Azure cloud instance in which your application is registered.
+ - For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com`.
+ - For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).
+- `Enter_the_Graph_Endpoint_Here` is the instance of the Microsoft Graph API the application should communicate with.
+ - For the **global** Microsoft Graph API endpoint, replace both instances of this string with `https://graph.microsoft.com`.
+ - For endpoints in **national** cloud deployments, see [National cloud deployments](/graph/deployments) in the Microsoft Graph documentation.
+
+## Add a method to call a web API
+
+Inside the *bin* folder, create another file named *fetch.js* and add the following code for making REST calls to the Microsoft Graph API:
+
+```javascript
+const axios = require('axios');
+
+/**
+ * Calls the endpoint with authorization bearer token.
+ * @param {string} endpoint
+ * @param {string} accessToken
+ */
+async function callApi(endpoint, accessToken) {
+
+ const options = {
+ headers: {
+ Authorization: `Bearer ${accessToken}`
+ }
+ };
+
+ console.log('request made to web API at: ' + new Date().toString());
+
+ try {
+ const response = await axios.default.get(endpoint, options);
+ return response.data;
+ } catch (error) {
+ console.log(error)
+ return error;
+ }
+};
+
+module.exports = {
+ callApi: callApi
+};
+```
+
+Here, the `callApi` method is used to make an HTTP `GET` request against a protected resource that requires an access token. The request then returns the content to the caller. This method adds the acquired token in the *HTTP Authorization header*. The protected resource here is the Microsoft Graph API [users endpoint](https://docs.microsoft.com/graph/api/user-list) which displays the users in the tenant where this app is registered.
+
+## Test the app
+
+You've completed creation of the application and are now ready to test the app's functionality.
+
+Start the Node.js console app by running the following command from within the root of your project folder:
+
+```console
+node . --op getUsers
+```
+
+This should result in some JSON response from Microsoft Graph API and you should see an array of user objects in the console:
+
+```console
+You have selected: getUsers
+request made to web API at: Fri Jan 22 2021 09:31:52 GMT-0800 (Pacific Standard Time)
+{
+ '@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#users',
+ value: [
+ {
+ displayName: 'Adele Vance'
+ givenName: 'Adele',
+ jobTitle: 'Retail Manager',
+ mail: 'AdeleV@msaltestingjs.onmicrosoft.com',
+ mobilePhone: null,
+ officeLocation: '18/2111',
+ preferredLanguage: 'en-US',
+ surname: 'Vance',
+ userPrincipalName: 'AdeleV@msaltestingjs.onmicrosoft.com',
+ id: 'a6a218a5-f5ae-462a-acd3-581af4bcca00'
+ }
+ ]
+}
+```
+
+## How the application works
+
+This application uses [OAuth 2.0 client credentials grant](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow). This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. The credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. The type of applications supported with this authentication model are usually **daemons** or **service accounts**.
+
+The scope to request for a client credential flow is the name of the resource followed by `/.default`. This notation tells Azure Active Directory (Azure AD) to use the application-level permissions declared statically during application registration. Also, these API permissions must be granted by a **tenant administrator**.
+
+## Next steps
+
+If you'd like to dive deeper into Node.js console application development on the Microsoft identity platform, see our multi-part scenario series:
+
+> [!div class="nextstepaction"]
+> [Scenario: Daemon application](scenario-daemon-overview.md)
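Review bot: In *auth.js* the endpoints are joined by plain concatenation (`process.env.AAD_ENDPOINT + process.env.TENANT_ID`, `process.env.GRAPH_ENDPOINT + '.default'`, `process.env.GRAPH_ENDPOINT + 'v1.0/users'`), but the *.env* instructions tell the reader to enter `https://login.microsoftonline.com` and `https://graph.microsoft.com` with no trailing slash, so the authority, the scope and the users URI all come out malformed. Either document both values with a trailing slash or insert the `/` in code. Separately, `callApi` in *fetch.js* does `console.log(error)` and then `return error`. An Axios error object carries the request config, including the `Authorization` header that holds the bearer token, so the access token can end up in console output, and *index.js* then prints the returned error as if it were the user list. Log only the status and message, and rethrow so the existing `catch` in `main()` handles the failure. Two smaller points: the paragraph after *auth.js* says the module is accessed by *main.js* while the file created is *index.js*, and the *.env* section stores `CLIENT_SECRET` without telling the reader to keep that file out of source control.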
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-desktop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-nodejs-desktop.md
@@ -0,0 +1,728 @@
+
+ Title: "Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app | Azure"
+
+description: In this tutorial, you build an Electron desktop app that can sign in users and use the auth code flow to obtain an access token from the Microsoft identity platform and call the Microsoft Graph API.
+++++++ Last updated : 01/12/2021+++
+# Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app
+
+In this tutorial, you build an Electron desktop application that signs in users and calls Microsoft Graph by using the authorization code flow with PKCE. The desktop app you build uses the [Microsoft Authentication Library (MSAL) for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
+
+Follow the steps in this tutorial to:
+
+> [!div class="checklist"]
+> - Register the application in the Azure portal
+> - Create an Electron desktop app project
+> - Add authentication logic to your app
+> - Add a method to call a web API
+> - Add app registration details
+> - Test the app
+
+## Prerequisites
+
+- [Node.js](https://nodejs.org/en/download/)
+- [Electron](https://www.electronjs.org/)
+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+
+## Register the application
+
+First, complete the steps in [Register an application with the Microsoft identity platform](quickstart-register-app.md) to register your app.
+
+Use the following settings for your app registration:
+
+- Name: `ElectronDesktopApp` (suggested)
+- Supported account types: **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**
+- Platform type: **Mobile and desktop applications**
+- Redirect URI: `msal://redirect`
+
+## Create the project
+
+Create a folder to host your application, for example *ElectronDesktopApp*.
+
+1. First, change to your project directory in your terminal and then run the following `npm` commands:
+
+ ```console
+ npm init -y
+ npm install --save @azure/msal-node axios bootstrap dotenv jquery popper.js
+ npm install --save-dev babel electron@10.1.6 webpack
+ ```
+
+2. Then, create a folder named *App*. Inside this folder, create a file named *https://docsupdatetracker.net/index.html* that will serve as UI. Add the following code there:
+
+ ```html
+ <!DOCTYPE html>
+ <html lang="en">
+
+ <head>
+ <meta charset="UTF-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';" />
+ <title>MSAL Node Electron Sample App</title>
+
+ <!-- adding Bootstrap 4 for UI components -->
+ <link rel="stylesheet" href="../node_modules/bootstrap/dist/css/bootstrap.min.css">
+
+ <link rel="SHORTCUT ICON" href="https://c.s-microsoft.com/favicon.ico?v2" type="image/x-icon">
+ </head>
+
+ <body>
+ <nav class="navbar navbar-expand-lg navbar-dark bg-primary">
+ <a class="navbar-brand">Microsoft identity platform</a>
+ <div class="btn-group ml-auto dropleft">
+ <button type="button" id="signIn" class="btn btn-secondary" aria-expanded="false">
+ Sign in
+ </button>
+ <button type="button" id="signOut" class="btn btn-success" hidden aria-expanded="false">
+ Sign out
+ </button>
+ </div>
+ </nav>
+ <br>
+ <h5 class="card-header text-center">Electron sample app calling MS Graph API using MSAL Node</h5>
+ <br>
+ <div class="row" style="margin:auto">
+ <div id="cardDiv" class="col-md-3" style="display:none">
+ <div class="card text-center">
+ <div class="card-body">
+ <h5 class="card-title" id="WelcomeMessage">Please sign-in to see your profile and read your mails
+ </h5>
+ <div id="profileDiv"></div>
+ <br>
+ <br>
+ <button class="btn btn-primary" id="seeProfile">See Profile</button>
+ <br>
+ <br>
+ <button class="btn btn-primary" id="readMail">Read Mails</button>
+ </div>
+ </div>
+ </div>
+ <br>
+ <br>
+ <div class="col-md-4">
+ <div class="list-group" id="list-tab" role="tablist">
+ </div>
+ </div>
+ <div class="col-md-5">
+ <div class="tab-content" id="nav-tabContent">
+ </div>
+ </div>
+ </div>
+ <br>
+ <br>
+
+ <script>
+ window.jQuery = window.$ = require('jquery');
+ require("./renderer.js");
+ </script>
+
+ <!-- importing bootstrap.js and supporting js libraries -->
+ <script src="../node_modules/jquery/dist/jquery.js"></script>
+ <script src="../node_modules/popper.js/dist/umd/popper.js"></script>
+ <script src="../node_modules/bootstrap/dist/js/bootstrap.js"></script>
+ </body>
+
+ </html>
+ ```
+
+3. Next, create file named *main.js* and add the following code:
+
+ ```JavaScript
+ require('dotenv').config()
+
+ const path = require('path');
+ const { app, ipcMain, BrowserWindow } = require('electron');
+ const { IPC_MESSAGES } = require('./constants');
+
+ const { callEndpointWithToken } = require('./fetch');
+ const AuthProvider = require('./AuthProvider');
+
+ const authProvider = new AuthProvider();
+ let mainWindow;
+
+ function createWindow () {
+ mainWindow = new BrowserWindow({
+ width: 800,
+ height: 600,
+ webPreferences: {
+ nodeIntegration: true
+ }
+ });
+
+ mainWindow.loadFile(path.join(__dirname, './https://docsupdatetracker.net/index.html'));
+ };
+
+ app.on('ready', () => {
+ createWindow();
+ });
+
+ app.on('window-all-closed', () => {
+ app.quit();
+ });
++
+ // Event handlers
+ ipcMain.on(IPC_MESSAGES.LOGIN, async() => {
+ const account = await authProvider.login(mainWindow);
+
+ await mainWindow.loadFile(path.join(__dirname, './https://docsupdatetracker.net/index.html'));
+
+ mainWindow.webContents.send(IPC_MESSAGES.SHOW_WELCOME_MESSAGE, account);
+ });
+
+ ipcMain.on(IPC_MESSAGES.LOGOUT, async() => {
+ await authProvider.logout();
+ await mainWindow.loadFile(path.join(__dirname, './https://docsupdatetracker.net/index.html'));
+ });
+
+ ipcMain.on(IPC_MESSAGES.GET_PROFILE, async() => {
+
+ const tokenRequest = {
+ scopes: ['User.Read'],
+ };
+
+ const token = await authProvider.getToken(mainWindow, tokenRequest);
+ const account = authProvider.account
+
+ await mainWindow.loadFile(path.join(__dirname, './https://docsupdatetracker.net/index.html'));
+
+ const graphResponse = await callEndpointWithToken(`${process.env.GRAPH_ENDPOINT_HOST}${process.env.GRAPH_ME_ENDPOINT}`, token);
+
+ mainWindow.webContents.send(IPC_MESSAGES.SHOW_WELCOME_MESSAGE, account);
+ mainWindow.webContents.send(IPC_MESSAGES.SET_PROFILE, graphResponse);
+ });
+
+ ipcMain.on(IPC_MESSAGES.GET_MAIL, async() => {
+
+ const tokenRequest = {
+ scopes: ['Mail.Read'],
+ };
+
+ const token = await authProvider.getToken(mainWindow, tokenRequest);
+ const account = authProvider.account;
+
+ await mainWindow.loadFile(path.join(__dirname, './https://docsupdatetracker.net/index.html'));
+
+ const graphResponse = await callEndpointWithToken(`${process.env.GRAPH_ENDPOINT_HOST}${process.env.GRAPH_MAIL_ENDPOINT}`, token);
+
+ mainWindow.webContents.send(IPC_MESSAGES.SHOW_WELCOME_MESSAGE, account);
+ mainWindow.webContents.send(IPC_MESSAGES.SET_MAIL, graphResponse);
+ });
+ ```
+
+In the code snippet above, we initialize an Electron main window object and create some event handlers for interactions with the Electron window. We also import configuration parameters, instantiate *authProvider* class for handling sign-in, sign-out and token acquisition, and call the Microsoft Graph API.
+
+4. In the same folder (*App*), create another file named *renderer.js* and add the following code:
+
+ ```JavaScript
+ const { ipcRenderer } = require('electron');
+ const { IPC_MESSAGES } = require('./constants');
+
+ // UI event handlers
+ document.querySelector('#signIn').addEventListener('click', () => {
+ ipcRenderer.send(IPC_MESSAGES.LOGIN);
+ });
+
+ document.querySelector('#signOut').addEventListener('click', () => {
+ ipcRenderer.send(IPC_MESSAGES.LOGOUT);
+ });
+
+ document.querySelector('#seeProfile').addEventListener('click', () => {
+ ipcRenderer.send(IPC_MESSAGES.GET_PROFILE);
+ });
+
+ document.querySelector('#readMail').addEventListener('click', () => {
+ ipcRenderer.send(IPC_MESSAGES.GET_MAIL);
+ });
+
+ // Main process message subscribers
+ ipcRenderer.on(IPC_MESSAGES.SHOW_WELCOME_MESSAGE, (event, account) => {
+ showWelcomeMessage(account);
+ });
+
+ ipcRenderer.on(IPC_MESSAGES.SET_PROFILE, (event, graphResponse) => {
+ updateUI(graphResponse, `${process.env.GRAPH_ENDPOINT_HOST}${process.env.GRAPH_ME_ENDPOINT}`);
+ });
+
+ ipcRenderer.on(IPC_MESSAGES.SET_MAIL, (event, graphResponse) => {
+ updateUI(graphResponse, `${process.env.GRAPH_ENDPOINT_HOST}${process.env.GRAPH_MAIL_ENDPOINT}`);
+ });
+
+ // DOM elements to work with
+ const welcomeDiv = document.getElementById("WelcomeMessage");
+ const signInButton = document.getElementById("signIn");
+ const signOutButton = document.getElementById("signOut");
+ const cardDiv = document.getElementById("cardDiv");
+ const profileDiv = document.getElementById("profileDiv");
+ const tabList = document.getElementById("list-tab");
+ const tabContent = document.getElementById("nav-tabContent");
+
+ function showWelcomeMessage(account) {
+ cardDiv.style.display = "initial";
+ welcomeDiv.innerHTML = `Welcome ${account.name}`;
+ signInButton.hidden = true;
+ signOutButton.hidden = false;
+ }
+
+ function clearTabs() {
+ tabList.innerHTML = "";
+ tabContent.innerHTML = "";
+ }
+
+ function updateUI(data, endpoint) {
+
+ console.log(`Graph API responded at: ${new Date().toString()}`);
+
+ if (endpoint === `${process.env.GRAPH_ENDPOINT_HOST}${process.env.GRAPH_ME_ENDPOINT}`) {
+ setProfile(data);
+ } else if (endpoint === `${process.env.GRAPH_ENDPOINT_HOST}${process.env.GRAPH_MAIL_ENDPOINT}`) {
+ setMail(data);
+ }
+ }
+
+ function setProfile(data) {
+ profileDiv.innerHTML = ''
+
+ const title = document.createElement('p');
+ const email = document.createElement('p');
+ const phone = document.createElement('p');
+ const address = document.createElement('p');
+
+ title.innerHTML = "<strong>Title: </strong>" + data.jobTitle;
+ email.innerHTML = "<strong>Mail: </strong>" + data.mail;
+ phone.innerHTML = "<strong>Phone: </strong>" + data.businessPhones[0];
+ address.innerHTML = "<strong>Location: </strong>" + data.officeLocation;
+
+ profileDiv.appendChild(title);
+ profileDiv.appendChild(email);
+ profileDiv.appendChild(phone);
+ profileDiv.appendChild(address);
+ }
+
+ function setMail(data) {
+ const mailInfo = data;
+ if (mailInfo.value.length < 1) {
+ alert("Your mailbox is empty!")
+ } else {
+ clearTabs();
+ mailInfo.value.slice(0, 10).forEach((d, i) => {
+ createAndAppendListItem(d, i);
+ createAndAppendContentItem(d, i);
+ });
+ }
+ }
+
+ function createAndAppendListItem(d, i) {
+ const listItem = document.createElement("a");
+ listItem.setAttribute("class", "list-group-item list-group-item-action")
+ listItem.setAttribute("id", "list" + i + "list")
+ listItem.setAttribute("data-toggle", "list")
+ listItem.setAttribute("href", "#list" + i)
+ listItem.setAttribute("role", "tab")
+ listItem.setAttribute("aria-controls", i)
+ listItem.innerHTML = d.subject;
+ tabList.appendChild(listItem);
+ }
+
+ function createAndAppendContentItem(d, i) {
+ const contentItem = document.createElement("div");
+ contentItem.setAttribute("class", "tab-pane fade")
+ contentItem.setAttribute("id", "list" + i)
+ contentItem.setAttribute("role", "tabpanel")
+ contentItem.setAttribute("aria-labelledby", "list" + i + "list")
+
+ if (d.from) {
+ contentItem.innerHTML = "<strong> from: " + d.from.emailAddress.address + "</strong><br><br>" + d.bodyPreview + "...";
+ tabContent.appendChild(contentItem);
+ }
+ }
+ ```
+
+5. Finally, create a file named *constants.js* that will store the strings constants for describing the application **events**:
+
+ ```JavaScript
+ const IPC_MESSAGES = {
+ SHOW_WELCOME_MESSAGE: 'SHOW_WELCOME_MESSAGE',
+ LOGIN: 'LOGIN',
+ LOGOUT: 'LOGOUT',
+ GET_PROFILE: 'GET_PROFILE',
+ SET_PROFILE: 'SET_PROFILE',
+ GET_MAIL: 'GET_MAIL',
+ SET_MAIL: 'SET_MAIL'
+ }
+
+ module.exports = {
+ IPC_MESSAGES: IPC_MESSAGES,
+ }
+ ```
+
+You now have a simple GUI and interactions for your Electron app. After completing the rest of the tutorial, the file and folder structure of your project should look similar to the following:
+
+```
+ElectronDesktopApp/
+Γö£ΓöÇΓöÇ App
+│   ├── authProvider.js
+│   ├── constants.js
+│   ├── fetch.js
+│   ├── main.js
+│   ├── renderer.js
+│   ├── https://docsupdatetracker.net/index.html
+Γö£ΓöÇΓöÇ package.json
+ΓööΓöÇΓöÇ .env
+```
+
+## Add authentication logic to your app
+
+In *App* folder, create a file named *AuthProvider.js*. This will contain an authentication provider class that will handle login, logout, token acquisition, account selection and related authentication tasks using MSAL Node. Add the following code there:
+
+```JavaScript
+const { PublicClientApplication, LogLevel, CryptoProvider } = require('@azure/msal-node');
+const { protocol } = require('electron');
+const path = require('path');
+const url = require('url');
+
+/**
+ * To demonstrate best security practices, this Electron sample application makes use of
+ * a custom file protocol instead of a regular web (https://) redirect URI in order to
+ * handle the redirection step of the authorization flow, as suggested in the OAuth2.0 specification for Native Apps.
+ */
+const CUSTOM_FILE_PROTOCOL_NAME = process.env.REDIRECT_URI.split(':')[0]; // e.g. msal://redirect
+
+/**
+ * Configuration object to be passed to MSAL instance on creation.
+ * For a full list of MSAL Node configuration parameters, visit:
+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/configuration.md
+ */
+const MSAL_CONFIG = {
+ auth: {
+ clientId: process.env.CLIENT_ID,
+ authority: `${process.env.AAD_ENDPOINT_HOST}${process.env.TENANT_ID}`,
+ redirectUri: process.env.REDIRECT_URI,
+ },
+ system: {
+ loggerOptions: {
+ loggerCallback(loglevel, message, containsPii) {
+     console.log(message);
+ },
+         piiLoggingEnabled: false,
+ logLevel: LogLevel.Verbose,
+ }
+ }
+};
+
+class AuthProvider {
+
+ clientApplication;
+ cryptoProvider;
+ authCodeUrlParams;
+ authCodeRequest;
+ pkceCodes;
+ account;
+
+ constructor() {
+ /**
+ * Initialize a public client application. For more information, visit:
+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-public-client-application.md
+ */
+ this.clientApplication = new PublicClientApplication(MSAL_CONFIG);
+ this.account = null;
+
+ // Initialize CryptoProvider instance
+ this.cryptoProvider = new CryptoProvider();
+
+ this.setRequestObjects();
+ }
+
+ /**
+ * Initialize request objects used by this AuthModule.
+ */
+ setRequestObjects() {
+ const requestScopes = ['openid', 'profile', 'User.Read'];
+ const redirectUri = process.env.REDIRECT_URI;
+
+ this.authCodeUrlParams = {
+ scopes: requestScopes,
+ redirectUri: redirectUri
+ };
+
+ this.authCodeRequest = {
+ scopes: requestScopes,
+ redirectUri: redirectUri,
+ code: null
+ }
+
+ this.pkceCodes = {
+ challengeMethod: "S256", // Use SHA256 Algorithm
+ verifier: "", // Generate a code verifier for the Auth Code Request first
+ challenge: "" // Generate a code challenge from the previously generated code verifier
+ };
+ }
+
+ async login(authWindow) {
+ const authResult = await this.getTokenInteractive(authWindow, this.authCodeUrlParams);
+ return this.handleResponse(authResult);
+ }
+
+ async logout() {
+ if (this.account) {
+ await this.clientApplication.getTokenCache().removeAccount(this.account);
+ this.account = null;
+ }
+ }
+
+ async getToken(authWindow, tokenRequest) {
+ let authResponse;
+
+ authResponse = await this.getTokenInteractive(authWindow, tokenRequest);
+
+ return authResponse.accessToken || null;
+ }
+
+ // This method contains an implementation of access token acquisition in authorization code flow
+ async getTokenInteractive(authWindow, tokenRequest) {
+
+ /**
+ * Proof Key for Code Exchange (PKCE) Setup
+ *
+ * MSAL enables PKCE in the Authorization Code Grant Flow by including the codeChallenge and codeChallengeMethod parameters
+ * in the request passed into getAuthCodeUrl() API, as well as the codeVerifier parameter in the
+ * second leg (acquireTokenByCode() API).
+ *
+ * MSAL Node provides PKCE Generation tools through the CryptoProvider class, which exposes
+ * the generatePkceCodes() asynchronous API. As illustrated in the example below, the verifier
+ * and challenge values should be generated previous to the authorization flow initiation.
+ *
+ * For details on PKCE code generation logic, consult the
+ * PKCE specification https://tools.ietf.org/html/rfc7636#section-4
+ */
+
+ const {verifier, challenge} = await this.cryptoProvider.generatePkceCodes();
+
+ this.pkceCodes.verifier = verifier;
+ this.pkceCodes.challenge = challenge;
+
+ const authCodeUrlParams = {
+ ...this.authCodeUrlParams,
+ scopes: tokenRequest.scopes,
+ codeChallenge: this.pkceCodes.challenge, // PKCE Code Challenge
+ codeChallengeMethod: this.pkceCodes.challengeMethod // PKCE Code Challenge Method
+ };
+
+ const authCodeUrl = await this.clientApplication.getAuthCodeUrl(authCodeUrlParams);
+
+ protocol.registerFileProtocol(CUSTOM_FILE_PROTOCOL_NAME, (req, callback) => {
+ const requestUrl = url.parse(req.url, true);
+ callback(path.normalize(`${__dirname}/${requestUrl.path}`));
+ });
+
+ const authCode = await this.listenForAuthCode(authCodeUrl, authWindow);
+
+ const authResponse = await this.clientApplication.acquireTokenByCode({
+ ...this.authCodeRequest,
+ scopes: tokenRequest.scopes,
+ code: authCode,
+ codeVerifier: this.pkceCodes.verifier // PKCE Code Verifier
+ });
+
+ return authResponse;
+ }
+
+ // Listen for authorization code response from Azure AD
+ async listenForAuthCode(navigateUrl, authWindow) {
+
+ authWindow.loadURL(navigateUrl);
+
+ return new Promise((resolve, reject) => {
+ authWindow.webContents.on('will-redirect', (event, responseUrl) => {
+ try {
+ const parsedUrl = new URL(responseUrl);
+ const authCode = parsedUrl.searchParams.get('code');
+ resolve(authCode);
+ } catch (err) {
+ reject(err);
+ }
+ });
+ });
+ }
+
+ /**
+ * Handles the response from a popup or redirect. If response is null, will check if we have any accounts and attempt to sign in.
+ * @param response
+ */
+ async handleResponse(response) {
+ if (response !== null) {
+ this.account = response.account;
+ } else {
+ this.account = await this.getAccount();
+ }
+
+ return this.account;
+ }
+
+ /**
+ * Calls getAllAccounts and determines the correct account to sign into, currently defaults to first account found in cache.
+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md
+ */
+ async getAccount() {
+ // need to call getAccount here?
+ const cache = this.clientApplication.getTokenCache();
+ const currentAccounts = await cache.getAllAccounts();
+
+ if (currentAccounts === null) {
+ console.log('No accounts detected');
+ return null;
+ }
+
+ if (currentAccounts.length > 1) {
+ // Add choose account code here
+ console.log('Multiple accounts detected, need to add choose account code.');
+ return currentAccounts[0];
+ } else if (currentAccounts.length === 1) {
+ return currentAccounts[0];
+ } else {
+ return null;
+ }
+ }
+}
+
+module.exports = AuthProvider;
+```
+
+In the code snippet above, we first initialized MSAL Node `PublicClientApplication` by passing a configuration object (`msalConfig`). We then exposed `login`, `logout` and `getToken` methods to be called by main module (*main.js*). In `login` and `getToken`, we acquire ID and access tokens, respectively, by first requesting an authorization code and then exchanging this with a token using MSAL Node `acquireTokenByCode` public API.
+
+## Add a method to call a web API
+
+Create another file named *fetch.js*. This file will contain an Axios HTTP client for making REST calls to the Microsoft Graph API.
+
+```JavaScript
+const axios = require('axios');
+
+/**
+ * Makes an Authorization 'Bearer' request with the given accessToken to the given endpoint.
+ * @param endpoint
+ * @param accessToken
+ */
+async function callEndpointWithToken(endpoint, accessToken) {
+ const options = {
+ headers: {
+ Authorization: `Bearer ${accessToken}`
+ }
+ };
+
+ console.log('Request made at: ' + new Date().toString());
+
+ const response = await axios.default.get(endpoint, options);
+
+ return response.data;
+}
+
+module.exports = {
+ callEndpointWithToken: callEndpointWithToken,
+};
+```
+
+## Add app registration details
+
+Finally, create an environment file to store the app registration details that will be used when acquiring tokens. To do so, create a file named *.env* inside the root folder of the sample (*ElectronDesktopApp*), and add the following code:
+
+```
+# Credentials
+CLIENT_ID=Enter_the_Application_Id_Here
+TENANT_ID=Enter_the_Tenant_Id_Here
+
+# Configuration
+REDIRECT_URI=msal://redirect
+
+# Endpoints
+AAD_ENDPOINT_HOST=Enter_the_Cloud_Instance_Id_Here
+GRAPH_ENDPOINT_HOST=Enter_the_Graph_Endpoint_Here
+
+# RESOURCES
+GRAPH_ME_ENDPOINT=v1.0/me
+GRAPH_MAIL_ENDPOINT=v1.0/me/messages
+
+# SCOPES
+GRAPH_SCOPES=User.Read Mail.Read
+```
+
+Fill in these details with the values you obtain from Azure app registration portal:
+
+- `Enter_the_Tenant_Id_here` should be one of the following:
+ - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.
+ - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.
+ - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`.
+ - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.
+- `Enter_the_Application_Id_Here`: The **Application (client) ID** of the application you registered.
+- `Enter_the_Cloud_Instance_Id_Here`: The Azure cloud instance in which your application is registered.
+ - For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com/`.
+ - For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).
+- `Enter_the_Graph_Endpoint_Here` is the instance of the Microsoft Graph API the application should communicate with.
+ - For the **global** Microsoft Graph API endpoint, replace both instances of this string with `https://graph.microsoft.com/`.
+ - For endpoints in **national** cloud deployments, see [National cloud deployments](/graph/deployments) in the Microsoft Graph documentation.
+
+## Test the app
+
+You've completed creation of the application and are now ready to launch the Electron desktop app and test the app's functionality.
+
+1. Start the app by running the following command from within the root of your project folder:
+
+```console
+electron App/main.js
+```
+
+2. In application main window, you should see the contents of your *https://docsupdatetracker.net/index.html* file and the **Sign In** button.
+
+## Test sign in and sign out
+
+After the *https://docsupdatetracker.net/index.html* file loads, select **Sign In**. You're prompted to sign in with the Microsoft identity platform:
++
+If you consent to the requested permissions, the web applications displays your user name, signifying a successful login:
++
+## Test web API call
+
+After you sign in, select **See Profile** to view the user profile information returned in the response from the call to the Microsoft Graph API:
++
+Select **Read Mails** to view the messages in user's account. You'll be presented with a consent screen:
++
+After consent, you will view the messages returned in the response from the call to the Microsoft Graph API:
++
+## How the application works
+
+When a user selects the **Sign In** button for the first time, get `getTokenInteractive` method of *AuthProvider.js* is called. This method redirects the user to sign-in with the *Microsoft identity platform endpoint* and validate the user's credentials, and then obtains an **authorization code**. This code is then exchanged for an access token using `acquireTokenByCode` public API of MSAL Node.
+
+At this point, a PKCE-protected authorization code is sent to the CORS-protected token endpoint and is exchanged for tokens. An ID token, access token, and refresh token are received by your application and processed by MSAL Node, and the information contained in the tokens is cached.
+
+The ID token contains basic information about the user, like their display name. The access token has a limited lifetime and expires after 24 hours. If you plan to use these tokens for accessing protected resource, your back-end server *must* validate it to guarantee the token was issued to a valid user for your application.
+
+The desktop app you've created in this tutorial makes a REST call to the Microsoft Graph API using an access token as bearer token in request header ([RFC 6750](https://tools.ietf.org/html/rfc6750)).
+
+The Microsoft Graph API requires the *user.read* scope to read a user's profile. By default, this scope is automatically added in every application that's registered in the Azure portal. Other APIs for Microsoft Graph, as well as custom APIs for your back-end server, might require additional scopes. For example, the Microsoft Graph API requires the *Mail.Read* scope in order to list the user's email.
+
+As you add scopes, your users might be prompted to provide additional consent for the added scopes.
++
+## Next steps
+
+If you'd like to dive deeper into Node.js and Electron desktop application development on the Microsoft identity platform, see our multi-part scenario series:
+
+> [!div class="nextstepaction"]
+> [Scenario: Desktop app that calls web APIs](scenario-desktop-overview.md)
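Review bot: In "How the application works", the token paragraph says "your back-end server *must* validate it" right after listing three tokens, so it is unclear which token "it" is and what validation covers; name the access token explicitly and link to the token validation guidance. The same paragraph states the access token "expires after 24 hours", which should be confirmed against the documented access token lifetime before publishing. Several phrases read as carried over from a browser tutorial: "sent to the CORS-protected token endpoint" and "the web applications displays your user name" both describe a web app, while this article builds an Electron desktop app. There is also a stray "get" before `getTokenInteractive` in the first sentence of that section.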
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-webapp-msal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-nodejs-webapp-msal.md
@@ -0,0 +1,194 @@
+
+ Title: "Tutorial: Sign-in users in a Node.js & Express web app | Azure"
+
+description: In this tutorial, you add support for signing-in users in a web app.
++++++++ Last updated : 01/12/2021+++
+# Tutorial: Sign-in users in a Node.js & Express web app
+
+In this tutorial, you build a web app that signs-in users. The web app you build uses the [Microsoft Authentication Library (MSAL) for Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
+
+Follow the steps in this tutorial to:
+
+> [!div class="checklist"]
+> - Register the application in the Azure portal
+> - Create an Express web app project
+> - Install the authentication library packages
+> - Add app registration details
+> - Add code for user login
+> - Test the app
+
+## Prerequisites
+
+- [Node.js](https://nodejs.org/en/download/)
+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
+
+## Register the application
+
+First, complete the steps in [Register an application with the Microsoft identity platform](quickstart-register-app.md) to register your app.
+
+Use the following settings for your app registration:
+
+- Name: `ExpressWebApp` (suggested)
+- Supported account types: **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**
+- Platform type: **Web**
+- Redirect URI: `http://localhost:3000/redirect`
+- Client secret: `*********` (record this value for use in a later step - it's shown only once)
+
+## Create the project
+
+Create a folder to host your application, for example *ExpressWebApp*.
+
+1. First, change to your project directory in your terminal and then run the following `npm` commands:
+
+```console
+ npm init -y
+ npm install --save express
+```
+
+2. Next, create file named *index.js* and add the following code:
+
+```JavaScript
+ const express = require("express");
+ const msal = require('@azure/msal-node');
+
+ const SERVER_PORT = process.env.PORT || 3000;
+
+ // Create Express App and Routes
+ const app = express();
+
+ app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`))
+```
+
+You now have a simple web server running on port 3000. The file and folder structure of your project should look similar to the following:
+
+```
+ExpressWebApp/
+Γö£ΓöÇΓöÇ index.js
+ΓööΓöÇΓöÇ package.json
+```
+
+## Install the auth library
+
+Locate the root of your project directory in a terminal and install the MSAL Node package via NPM.
+
+```console
+ npm install --save @azure/msal-node
+```
+
+## Add app registration details
+
+In the *index.js* file you've created earlier, add the following code:
+
+```JavaScript
+ // Before running the sample, you will need to replace the values in the config,
+ // including the clientSecret
+ const config = {
+ auth: {
+ clientId: "Enter_the_Application_Id",
+ authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Id_here",
+ clientSecret: "Enter_the_Client_secret"
+ },
+     system: {
+         loggerOptions: {
+             loggerCallback(loglevel, message, containsPii) {
+                 console.log(message);
+             },
+          piiLoggingEnabled: false,
+          logLevel: msal.LogLevel.Verbose,
+         }
+     }
+ };
+```
+
+Fill in these details with the values you obtain from Azure app registration portal:
+
+- `Enter_the_Tenant_Id_here` should be one of the following:
+ - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.
+ - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.
+ - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`.
+ - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.
+- `Enter_the_Application_Id_Here`: The **Application (client) ID** of the application you registered.
+- `Enter_the_Cloud_Instance_Id_Here`: The Azure cloud instance in which your application is registered.
+ - For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com`.
+ - For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).
+- `Enter_the_Client_secret`: Replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings in the Azure portal.
+
+> [!WARNING]
+> Any plaintext secret in source code poses an increased security risk. This article uses a plaintext client secret for simplicity only. Use [certificate credentials](active-directory-certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.
+
+## Add code for user login
+
+In the *index.js* file you've created earlier, add the following code:
+
+```JavaScript
+ // Create msal application object
+ const cca = new msal.ConfidentialClientApplication(config);
+
+ app.get('/', (req, res) => {
+ const authCodeUrlParameters = {
+ scopes: ["user.read"],
+ redirectUri: "http://localhost:3000/redirect",
+ };
+
+ // get url to sign user in and consent to scopes needed for application
+ cca.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
+ res.redirect(response);
+ }).catch((error) => console.log(JSON.stringify(error)));
+ });
+
+ app.get('/redirect', (req, res) => {
+ const tokenRequest = {
+ code: req.query.code,
+ scopes: ["user.read"],
+ redirectUri: "http://localhost:3000/redirect",
+ };
+
+ cca.acquireTokenByCode(tokenRequest).then((response) => {
+ console.log("\nResponse: \n:", response);
+ res.sendStatus(200);
+ }).catch((error) => {
+ console.log(error);
+ res.status(500).send(error);
+ });
+ });
+```
+
+## Test sign in
+
+You've completed creation of the application and are now ready to test the app's functionality.
+
+1. Start the Node.js console app by running the following command from within the root of your project folder:
+
+```console
+ node index.js
+```
+
+2. Open a browser window and navigate to `http://localhost:3000`. You should see a sign-in screen:
++
+3. Once you enter your credentials, you should see a consent screen asking you to approve the permissions for the app.
++
+## How the application works
+
+In this tutorial, you initialized an MSAL Node [ConfidentialClientApplication](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md) object by passing it a configuration object (*msalConfig*) that contains parameters obtained from your Azure AD app registration on Azure portal. The web app you created uses the [OAuth 2.0 Authorization code grant flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) to sign-in users and obtain ID and access tokens.
+
+## Next steps
+
+If you'd like to dive deeper into Node.js & Express web application development on the Microsoft identity platform, see our multi-part scenario series:
+
+> [!div class="nextstepaction"]
+> [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md)
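Review bot: In the `/redirect` handler, `console.log("\nResponse: \n:", response)` writes the whole `acquireTokenByCode` result to the console, and the article itself says this flow obtains ID and access tokens, so the sample teaches readers to log tokens; `res.status(500).send(error)` likewise returns the raw error object to the browser. Log only non-sensitive fields and send a generic error body. In the `/` handler the `catch` only logs, so a failed `getAuthCodeUrl` leaves the request without a response. Three consistency points: the config block uses `clientId: "Enter_the_Application_Id"` while the replacement list documents `Enter_the_Application_Id_Here`; "How the application works" calls the configuration object *msalConfig* although the code names it `config`; and the first *index.js* listing already has `require('@azure/msal-node')` before the "Install the auth library" section, so the claim "You now have a simple web server running on port 3000" does not hold until that package is installed.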
active-directory https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
@@ -5,7 +5,7 @@ description: Identifier map to manage Azure Active Directory licensing in the Az
keywords: Azure Active Directory licensing service plans documentationcenter: ''-+ editor: ''
@@ -14,7 +14,7 @@
Last updated 12/02/2020-+
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-access-package-first.md
@@ -1,6 +1,6 @@
Title: Tutorial - Create access package - Azure AD entitlement management
-description: Step-by-step tutorial for how to create your first access package in Azure Active Directory entitlement management.
+ Title: Tutorial - Manage access to resources in Azure AD entitlement management
+description: Step-by-step tutorial for how to create your first access package using the Azure portal in Azure Active Directory entitlement management.
documentationCenter: ''
@@ -21,7 +21,7 @@
#Customer intent: As a IT admin, I want step-by-step instructions of the entire workflow for how to use entitlement management so that I can start to use in my organization.
-# Tutorial: Create your first access package in Azure AD entitlement management
+# Tutorial: Manage access to resources in Azure AD entitlement management
Managing access to all the resources employees need, such as groups, applications, and sites, is an important function for organizations. You want to grant employees the right level of access they need to be productive and remove their access when it is no longer needed.
@@ -40,8 +40,6 @@ For a step-by-step demonstration of the process of deploying Azure Active Direct
>[!VIDEO https://www.youtube.com/embed/zaaKvaaYwI4]
-You can also create an access package programmatically using Microsoft Graph. For a tutorial that shows how to create an access package programmatically, see [entitlement management API](/graph/tutorial-access-package-api?view=graph-rest-beta).
- ## Prerequisites To use Azure AD entitlement management, you must have one of the following licenses:
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-logs-and-reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
@@ -58,7 +58,7 @@ to send the Azure AD audit log to the Azure Monitor workspace.
## View events for an access package
-To view events for an access package, you must have access to the underlying Azure monitor workspace (see [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/platform/manage-access.md#manage-access-using-azure-permissions) for information) and in one of the following roles:
+To view events for an access package, you must have access to the underlying Azure monitor workspace (see [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/logs/manage-access.md#manage-access-using-azure-permissions) for information) and in one of the following roles:
- Global administrator - Security administrator
@@ -188,4 +188,4 @@ $bResponse.Results |ft
``` ## Next steps:-- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/platform/workbooks-overview.md)
+- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-overview.md
@@ -172,5 +172,6 @@ Here are some example license scenarios to help you determine the number of lice
## Next steps -- [Tutorial: Create your first access package](entitlement-management-access-package-first.md)
+- If you are interested in using the Azure portal to manage access to resources, see [Tutorial: Manage access to resources - Azure portal](entitlement-management-access-package-first.md).
+- if you are interested in using Microsoft Graph to manage access to resources, see [Tutorial: manage access to resources - Microsoft Graph](/graph/tutorial-access-package-api?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json)
- [Common scenarios](entitlement-management-scenarios.md)
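Review bot: The second added bullet starts with a lowercase "if" and has no closing period, and its link text reads "Tutorial: manage access to resources" while the bullet above it uses "Tutorial: Manage access to resources". Match the first bullet's capitalization and punctuation so the two entries read as a pair.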
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-deployment-plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-proxy-deployment-plan.md
@@ -298,7 +298,7 @@ The connectors and the service take care of all the high availability tasks. You
#### Windows event logs and performance counters
-Connectors have both admin and session logs. The admin logs include key events and their errors. The session logs include all the transactions and their processing details. Logs and counters are located in Windows Event Logs for more information see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#under-the-hood). Follow this [tutorial to configure event log data sources in Azure Monitor](../../azure-monitor/platform/data-sources-windows-events.md).
+Connectors have both admin and session logs. The admin logs include key events and their errors. The session logs include all the transactions and their processing details. Logs and counters are located in Windows Event Logs for more information see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#under-the-hood). Follow this [tutorial to configure event log data sources in Azure Monitor](../../azure-monitor/agents/data-sources-windows-events.md).
### Troubleshooting guide and steps
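Review bot: The changed paragraph still carries the run-on "Logs and counters are located in Windows Event Logs for more information see [Understand Azure AD Application Proxy Connectors]". Since this line is being touched for the link update, split it into two sentences: one stating where the logs and counters live, and one pointing to the connectors article.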
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md
@@ -123,7 +123,7 @@ The following table contains estimated costs per month for a basic event hub in
-To review costs related to managing the Azure Monitor logs, see [Manage cost by controlling data volume and retention in Azure Monitor logs](../../azure-monitor/platform/manage-cost-storage.md).
+To review costs related to managing the Azure Monitor logs, see [Manage cost by controlling data volume and retention in Azure Monitor logs](../../azure-monitor/logs/manage-cost-storage.md).
## Frequently asked questions
@@ -177,7 +177,7 @@ This section answers frequently asked questions and discusses known issues with
**Q: What SIEM tools are currently supported?**
-**A**: **A**: Currently, Azure Monitor is supported by [Splunk](./howto-integrate-activity-logs-with-splunk.md), IBM QRadar, [Sumo Logic](https://help.sumologic.com/Send-Dat).
+**A**: **A**: Currently, Azure Monitor is supported by [Splunk](./howto-integrate-activity-logs-with-splunk.md), IBM QRadar, [Sumo Logic](https://help.sumologic.com/Send-Dat).
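Review bot: The added line keeps the doubled answer marker "**A**: **A**:"; drop one of them while this line is being edited. As shown, the removed and added lines read the same, so if the change is whitespace only, note that in the commit message. Also confirm that the Sumo Logic URL ending in `Send-Dat` is complete and resolves.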
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md
@@ -33,9 +33,9 @@ In this article, you learn how to analyze the Azure AD activity logs in your Log
To follow along, you need:
-* A Log Analytics workspace in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/learn/quick-create-workspace.md).
+* A Log Analytics workspace in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).
* First, complete the steps to [route the Azure AD activity logs to your Log Analytics workspace](howto-integrate-activity-logs-with-log-analytics.md).
-* [Access](../../azure-monitor/platform/manage-access.md#manage-access-using-workspace-permissions) to the log analytics workspace
+* [Access](../../azure-monitor/logs/manage-access.md#manage-access-using-workspace-permissions) to the log analytics workspace
* The following roles in Azure Active Directory (if you are accessing Log Analytics through Azure Active Directory portal) - Security Admin - Security Reader
@@ -94,7 +94,7 @@ You can also set up alerts on your query. For example, to configure an alert whe
3. Enter a name and description for the alert, and choose the severity level. For our example, we could set it to **Informational**.
-4. Select the **Action Group** that will be alerted when the signal occurs. You can choose to notify your team via email or text message, or you could automate the action using webhooks, Azure functions or logic apps. Learn more about [creating and managing alert groups in the Azure portal](../../azure-monitor/platform/action-groups.md).
+4. Select the **Action Group** that will be alerted when the signal occurs. You can choose to notify your team via email or text message, or you could automate the action using webhooks, Azure functions or logic apps. Learn more about [creating and managing alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md).
5. Once you have configured the alert, select **Create alert** to enable it.
@@ -108,6 +108,6 @@ The workbooks provide several reports related to common scenarios involving audi
## Next steps
-* [Get started with queries in Azure Monitor logs](../../azure-monitor/log-query/get-started-queries.md)
-* [Create and manage alert groups in the Azure portal](../../azure-monitor/platform/action-groups.md)
+* [Get started with queries in Azure Monitor logs](../../azure-monitor/logs/get-started-queries.md)
+* [Create and manage alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md)
* [Install and use the log analytics views for Azure Active Directory](howto-install-use-log-analytics-views.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-install-use-log-analytics-views https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-install-use-log-analytics-views.md
@@ -32,7 +32,7 @@ The Azure Active Directory log analytics views helps you analyze and search the
To use the log analytics views, you need:
-* A Log Analytics workspace in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/learn/quick-create-workspace.md).
+* A Log Analytics workspace in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).
* First, complete the steps to [route the Azure AD activity logs to your Log Analytics workspace](howto-integrate-activity-logs-with-log-analytics.md). * Download the views from the [GitHub repository](https://aka.ms/AADLogAnalyticsviews) to your local computer.
@@ -64,11 +64,11 @@ To use the log analytics views, you need:
![Create rule](./media/howto-install-use-log-analytics-views/create-rule.png)
-6. Select the action group to alert. In general, this can be either a team you want to notify via email or text message, or it can be an automated task using webhooks, runbooks, functions, logic apps or external ITSM solutions. Learn how to [create and manage action groups in the Azure portal](../../azure-monitor/platform/action-groups.md).
+6. Select the action group to alert. In general, this can be either a team you want to notify via email or text message, or it can be an automated task using webhooks, runbooks, functions, logic apps or external ITSM solutions. Learn how to [create and manage action groups in the Azure portal](../../azure-monitor/alerts/action-groups.md).
7. Select **Create alert rule** to create the alert. Now you will be alerted every time there's a sign-in error. ## Next steps * [How to analyze activity logs with Azure Monitor logs](howto-analyze-activity-logs-log-analytics.md)
-* [Get started with Azure Monitor logs in the Azure portal](../../azure-monitor/log-query/log-analytics-tutorial.md)
+* [Get started with Azure Monitor logs in the Azure portal](../../azure-monitor/logs/log-analytics-tutorial.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md
@@ -56,7 +56,7 @@ To use this feature, you need:
* An Azure subscription. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/). * An Azure AD tenant. * A user who's a *global administrator* or *security administrator* for the Azure AD tenant.
-* A Log Analytics workspace in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/learn/quick-create-workspace.md).
+* A Log Analytics workspace in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).
## Licensing requirements
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md
@@ -43,13 +43,13 @@ including device platform, device state, client app, sign-in risk, location, and
reports how many users were granted or denied access, as well as how many users bypassed Conditional Access policies when accessing resources. -- To help you to address these questions, Azure Active Directory provides workbooks for monitoring. [Azure Monitor workbooks](../../azure-monitor/platform/workbooks-overview.md) combine text, analytics queries, metrics, and parameters into rich interactive reports.
+- To help you to address these questions, Azure Active Directory provides workbooks for monitoring. [Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md) combine text, analytics queries, metrics, and parameters into rich interactive reports.
This article: -- Assumes you're familiar with how to [Create interactive reports by using Monitor workbooks](../../azure-monitor/platform/workbooks-overview.md).
+- Assumes you're familiar with how to [Create interactive reports by using Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md).
- Explains how to use Monitor workbooks to understand the effect of your Conditional Access policies, to troubleshoot sign-in failures, and to identify legacy authentications.
@@ -61,9 +61,9 @@ To use Monitor workbooks, you need:
- An Azure Active Directory tenant with a premium (P1 or P2) license. Learn how to [get a premium license](../fundamentals/active-directory-get-started-premium.md). -- A [Log Analytics workspace](../../azure-monitor/learn/quick-create-workspace.md).
+- A [Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).
-- [Access](../../azure-monitor/platform/manage-access.md#manage-access-using-workspace-permissions) to the log analytics workspace
+- [Access](../../azure-monitor/logs/manage-access.md#manage-access-using-workspace-permissions) to the log analytics workspace
- Following roles in Azure Active Directory (if you are accessing Log Analytics through Azure Active Directory portal) - Security administrator - Security reader
@@ -71,7 +71,7 @@ To use Monitor workbooks, you need:
- Global administrator ## Roles
-You must be in one of the following roles as well as have [access to underlying Log Analytics](../../azure-monitor/platform/manage-access.md#manage-access-using-azure-permissions) workspace to manage the workbooks:
+You must be in one of the following roles as well as have [access to underlying Log Analytics](../../azure-monitor/logs/manage-access.md#manage-access-using-azure-permissions) workspace to manage the workbooks:
- Global administrator - Security administrator - Security reader
@@ -300,4 +300,4 @@ To help you troubleshoot sign-ins, Azure Monitor gives you a breakdown by the fo
## Next steps
-[Create interactive reports by using Monitor workbooks](../../azure-monitor/platform/workbooks-overview.md).
+[Create interactive reports by using Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/overview-monitoring.md
@@ -78,7 +78,7 @@ Routing logs to an Azure event hub allows you to integrate with third-party SIEM
## Send logs to Azure Monitor logs
-[Azure Monitor logs](../../azure-monitor/log-query/log-query-overview.md) is a solution that consolidates monitoring data from different sources and provides a query language and analytics engine that gives you insights into the operation of your applications and resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor and alert on collected data. Learn how to [send data to Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md).
+[Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) is a solution that consolidates monitoring data from different sources and provides a query language and analytics engine that gives you insights into the operation of your applications and resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor and alert on collected data. Learn how to [send data to Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md).
You can also install the pre-built views for Azure AD activity logs to monitor common scenarios involving sign-ins and audit events. Learn how to [install and use log analytics views for Azure AD activity logs](howto-install-use-log-analytics-views.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/plan-monitoring-and-reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md
@@ -45,7 +45,7 @@ With Azure AD monitoring, you can route logs to:
* an Azure event hub where you can integrate with your existing SIEM tools such as Splunk, Sumologic, or QRadar. > [!NOTE]
-We recently started using the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of [logs in Azure Monitor](../../azure-monitor/platform/data-platform.md). See [Azure Monitor terminology changes](../../azure-monitor/terminology.md) for details.
+We recently started using the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of [logs in Azure Monitor](../../azure-monitor/data-platform.md). See [Azure Monitor terminology changes](../../azure-monitor/terminology.md) for details.
[Learn more about report retention policies](./reference-reports-data-retention.md).
@@ -119,7 +119,7 @@ Learn how to [route data to your storage account](./quickstart-azure-monitor-rou
#### Send logs to Azure Monitor logs
-[Azure Monitor logs](../../azure-monitor/log-query/log-query-overview.md) consolidate monitoring data from different sources. It also provides a query language and analytics engine that gives you insights into the operation of your applications and use of resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor, and alert on collected data. Use this method when you don't have an existing SIEM solution that you want to send your data to directly but do want queries and analysis. Once your data is in Azure Monitor logs, you can then send it to event hub and from there to a SIEM if you want to.
+[Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) consolidate monitoring data from different sources. It also provides a query language and analytics engine that gives you insights into the operation of your applications and use of resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor, and alert on collected data. Use this method when you don't have an existing SIEM solution that you want to send your data to directly but do want queries and analysis. Once your data is in Azure Monitor logs, you can then send it to event hub and from there to a SIEM if you want to.
Learn how to [send data to Azure Monitor logs](./howto-integrate-activity-logs-with-log-analytics.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-audit-log-schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/reference-azure-monitor-audit-log-schema.md
@@ -176,5 +176,5 @@ This article describes the Azure Active Directory (Azure AD) audit log schema in
## Next steps * [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)
-* [Azure diagnostics logs](../../azure-monitor/platform/platform-logs-overview.md)
+* [Azure diagnostics logs](../../azure-monitor/essentials/platform-logs-overview.md)
* [Frequently asked questions and known issues](concept-activity-logs-azure-monitor.md#frequently-asked-questions)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md
@@ -167,4 +167,4 @@ This article describes the Azure Active Directory (Azure AD) sign-in log schema
## Next steps * [Interpret audit logs schema in Azure Monitor](reference-azure-monitor-audit-log-schema.md)
-* [Read more about Azure platform logs](../../azure-monitor/platform/platform-logs-overview.md)
+* [Read more about Azure platform logs](../../azure-monitor/essentials/platform-logs-overview.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-log-analytics-wizard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/tutorial-log-analytics-wizard.md
@@ -40,7 +40,7 @@ In this tutorial, you learn how to:
Familiarize yourself with these articles: -- [Tutorial: Collect and analyze resource logs from an Azure resource](../../azure-monitor/learn/tutorial-resource-logs.md)
+- [Tutorial: Collect and analyze resource logs from an Azure resource](../../azure-monitor/essentials/tutorial-resource-logs.md)
- [How to integrate activity logs with Log Analytics](./howto-integrate-activity-logs-with-log-analytics.md)
@@ -48,7 +48,7 @@ Familiarize yourself with these articles:
- [KQL quick reference](/azure/data-explorer/kql-quick-reference) -- [Azure Monitor Workbooks](../../azure-monitor/platform/workbooks-overview.md)
+- [Azure Monitor Workbooks](../../azure-monitor/visualize/workbooks-overview.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/security-planning.md
@@ -208,7 +208,7 @@ Microsoft accounts from other programs, such as Xbox, Live, and Outlook, shouldn
#### Monitor Azure activity
-The Azure Activity Log provides a history of subscription-level events in Azure. It offers information about who created, updated, and deleted what resources, and when these events occurred. For more information, see [Audit and receive notifications about important actions in your Azure subscription](../../azure-monitor/platform/alerts-activity-log.md).
+The Azure Activity Log provides a history of subscription-level events in Azure. It offers information about who created, updated, and deleted what resources, and when these events occurred. For more information, see [Audit and receive notifications about important actions in your Azure subscription](../../azure-monitor/alerts/alerts-activity-log.md).
### Additional steps for organizations managing access to other cloud apps via Azure AD
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/arcgisenterprise-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/arcgisenterprise-tutorial.md
@@ -9,27 +9,23 @@
Previously updated : 12/28/2018 Last updated : 02/11/2021 # Tutorial: Azure Active Directory integration with ArcGIS Enterprise
-In this tutorial, you learn how to integrate ArcGIS Enterprise with Azure Active Directory (Azure AD).
-Integrating ArcGIS Enterprise with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate ArcGIS Enterprise with Azure Active Directory (Azure AD). When you integrate ArcGIS Enterprise with Azure AD, you can:
-* You can control in Azure AD who has access to ArcGIS Enterprise.
-* You can enable your users to be automatically signed-in to ArcGIS Enterprise (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to ArcGIS Enterprise.
+* Enable your users to be automatically signed-in to ArcGIS Enterprise with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with ArcGIS Enterprise, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* ArcGIS Enterprise single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ArcGIS Enterprise single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
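Review bot: In the rewritten bullet "Enable your users to be automatically signed-in to ArcGIS Enterprise", "signed-in" is used as a verb phrase and should not be hyphenated; use "signed in". The same hunk writes "one central location - the Azure portal" with a spaced hyphen, which could be a colon or a plain "in the Azure portal".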
@@ -38,68 +34,45 @@ To configure Azure AD integration with ArcGIS Enterprise, you need the following
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* ArcGIS Enterprise supports **SP and IDP** initiated SSO
-* ArcGIS Enterprise supports **Just In Time** user provisioning
-
+* ArcGIS Enterprise supports **SP and IDP** initiated SSO.
+* ArcGIS Enterprise supports **Just In Time** user provisioning.
-## Adding ArcGIS Enterprise from the gallery
+## Add ArcGIS Enterprise from the gallery
To configure the integration of ArcGIS Enterprise into Azure AD, you need to add ArcGIS Enterprise from the gallery to your list of managed SaaS apps.
-**To add ArcGIS Enterprise from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **ArcGIS Enterprise**, select **ArcGIS Enterprise** from result panel then click **Add** button to add the application.
-
- ![ArcGIS Enterprise in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with [Application name] based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in [Application name] needs to be established.
-
-To configure and test Azure AD single sign-on with [Application name], you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure ArcGIS Enterprise Single Sign-On](#configure-arcgis-enterprise-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create ArcGIS Enterprise test user](#create-arcgis-enterprise-test-user)** - to have a counterpart of Britta Simon in ArcGIS Enterprise that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ArcGIS Enterprise** in the search box.
+1. Select **ArcGIS Enterprise** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for ArcGIS Enterprise
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with ArcGIS Enterprise using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ArcGIS Enterprise.
-To configure Azure AD single sign-on with [Application name], perform the following steps:
+To configure and test Azure AD SSO with ArcGIS Enterprise, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **ArcGIS Enterprise** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ArcGIS Enterprise SSO](#configure-arcgis-enterprise-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ArcGIS Enterprise test user](#create-arcgis-enterprise-test-user)** - to have a counterpart of B.Simon in ArcGIS Enterprise that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **ArcGIS Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps, if you wish to configure the application in **IDP** Initiated mode:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `<EXTERNAL_DNS_NAME>.portal`
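Review bot: The numbering under "Configure Azure AD SSO" is now mixed: the three new steps are all written as `1.` while the unchanged step that follows still reads `4. On the **Basic SAML Configuration** section`. Pick one convention for the whole list, either `1.` on every item or explicit numbers, so a later insertion does not leave the source numbering out of step. The new first step also lowercases the UI label as **single sign-on**, while the page titles in the next two steps are capitalised as shown in the portal; check which casing the portal uses.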
@@ -108,8 +81,6 @@ To configure Azure AD single sign-on with [Application name], perform the follow
c. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://<EXTERNAL_DNS_NAME>/portal/sharing/rest/oauth2/saml/signin`
@@ -120,7 +91,31 @@ To configure Azure AD single sign-on with [Application name], perform the follow
![The Certificate download link](common/copy-metadataurl.png)
-### Configure ArcGIS Enterprise Single Sign-On
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ArcGIS Enterprise.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ArcGIS Enterprise**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure ArcGIS Enterprise SSO
1. To automate the configuration within ArcGIS Enterprise, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
@@ -135,19 +130,19 @@ To configure Azure AD single sign-on with [Application name], perform the follow
1. Select **Organization >EDIT SETTINGS**.
- ![Screenshot shows the ArcGIS Enterprise Organization tab with Edit settings called out.](./media/arcgisenterprise-tutorial/configure1.png)
+ ![Screenshot shows the ArcGIS Enterprise Organization tab with Edit settings called out.](./media/arcgisenterprise-tutorial/configure-1.png)
1. Select **Security** tab.
- ![Screenshot shows the Security tab selected.](./media/arcgisenterprise-tutorial/configure2.png)
+ ![Screenshot shows the Security tab selected.](./media/arcgisenterprise-tutorial/configure-2.png)
1. Scroll down to the **Enterprise Logins via SAML** section and select **SET ENTERPRISE LOGIN**.
- ![Screenshot shows Enterprise Logins via SAML where you can select Set Enterprise Login.](./media/arcgisenterprise-tutorial/configure3.png)
+ ![Screenshot shows Enterprise Logins via SAML where you can select Set Enterprise Login.](./media/arcgisenterprise-tutorial/configure-3.png)
1. On the **Set Identity Provider** section, perform the following steps:
- ![Screenshot shows Set Identity Provider where you perform the steps described here.](./media/arcgisenterprise-tutorial/configure4.png)
+ ![Screenshot shows Set Identity Provider where you perform the steps described here.](./media/arcgisenterprise-tutorial/configure-4.png)
a. Please provide a name like **Azure Active Directory Test** in the **Name** textbox.
@@ -155,61 +150,10 @@ To configure Azure AD single sign-on with [Application name], perform the follow
c. Click **Show advanced settings** and copy the **Entity ID** value and paste it into the **Identifier** textbox in the **ArcGIS Enterprise Domain and URLs** section in Azure portal.
- ![Screenshot shows where to get the Entity I D and update identify provider.](./media/arcgisenterprise-tutorial/configure5.png)
+ ![Screenshot shows where to get the Entity I D and update identify provider.](./media/arcgisenterprise-tutorial/configure-5.png)
d. Click **UPDATE IDENTITY PROVIDER**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to ArcGIS Enterprise.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ArcGIS Enterprise**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **ArcGIS Enterprise**.
-
- ![The ArcGIS Enterprise link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create ArcGIS Enterprise test user In this section, a user called Britta Simon is created in ArcGIS Enterprise. ArcGIS Enterprise supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in ArcGIS Enterprise, a new one is created after authentication.
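Review bot: The unchanged text under "Create ArcGIS Enterprise test user" still says "a user called Britta Simon is created in ArcGIS Enterprise", but the rest of this commit renames the test user to B.Simon, so the tutorial now refers to two different names. Update that sentence to B.Simon in the same change. The image line being edited here also keeps the alt text "update identify provider", which should read "identity provider", and step c still points at the "ArcGIS Enterprise Domain and URLs" section while the new Azure-side steps call that section "Basic SAML Configuration".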
@@ -217,16 +161,22 @@ In this section, a user called Britta Simon is created in ArcGIS Enterprise. Arc
> [!Note] > If you need to create a user manually, contact [ArcGIS Enterprise support team](mailto:support@esri.com).
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to ArcGIS Enterprise Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to ArcGIS Enterprise Sign-on URL directly and initiate the login flow from there.
-When you click the ArcGIS Enterprise tile in the Access Panel, you should be automatically signed in to the ArcGIS Enterprise for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ArcGIS Enterprise for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the ArcGIS Enterprise tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ArcGIS Enterprise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure ArcGIS Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
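Review bot: The new "Next steps" sentence says session control "protects exfiltration and infiltration of your organization's sensitive data", which reads as protecting the exfiltration itself; it should be "protects against exfiltration and infiltration". The apostrophe in "organization's" on that line is a non-ASCII character that shows up garbled, so replace it with a plain `'`. Two further points in this hunk: the `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a level and ending in a colon, and the My Apps and Cloud App Security links use absolute `https://docs.microsoft.com/...` URLs where the removed lines used relative paths.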
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-umbrella-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cisco-umbrella-tutorial.md
@@ -9,97 +9,71 @@
Previously updated : 01/17/2019 Last updated : 02/09/2021 # Tutorial: Azure Active Directory integration with Cisco Umbrella
-In this tutorial, you learn how to integrate Cisco Umbrella with Azure Active Directory (Azure AD).
-Integrating Cisco Umbrella with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Cisco Umbrella with Azure Active Directory (Azure AD). When you integrate Cisco Umbrella with Azure AD, you can:
-* You can control in Azure AD who has access to Cisco Umbrella.
-* You can enable your users to be automatically signed-in to Cisco Umbrella (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Cisco Umbrella.
+* Enable your users to be automatically signed-in to Cisco Umbrella with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Cisco Umbrella, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Cisco Umbrella single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Cisco Umbrella single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Cisco Umbrella supports **SP and IDP** initiated SSO
+* Cisco Umbrella supports **SP and IDP** initiated SSO.
-## Adding Cisco Umbrella from the gallery
+## Add Cisco Umbrella from the gallery
To configure the integration of Cisco Umbrella into Azure AD, you need to add Cisco Umbrella from the gallery to your list of managed SaaS apps.
-**To add Cisco Umbrella from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Cisco Umbrella**, select **Cisco Umbrella** from result panel then click **Add** button to add the application.
-
- ![Cisco Umbrella in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with [Application name] based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in [Application name] needs to be established.
-
-To configure and test Azure AD single sign-on with [Application name], you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Cisco Umbrella Single Sign-On](#configure-cisco-umbrella-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Cisco Umbrella test user](#create-cisco-umbrella-test-user)** - to have a counterpart of Britta Simon in Cisco Umbrella that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Cisco Umbrella** in the search box.
+1. Select **Cisco Umbrella** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Cisco Umbrella
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Cisco Umbrella using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cisco Umbrella.
-To configure Azure AD single sign-on with [Application name], perform the following steps:
+To configure and test Azure AD SSO with Cisco Umbrella, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Cisco Umbrella** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Cisco Umbrella SSO](#configure-cisco-umbrella-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Cisco Umbrella test user](#create-cisco-umbrella-test-user)** - to have a counterpart of B.Simon in Cisco Umbrella that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Cisco Umbrella** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
- ![Cisco Umbrella Domain and URLs single sign-on information](common/both-preintegrated-signon.png)
-
- a. If you wish to configure the application in **SP** intiated mode, perform the following steps:
+ a. If you wish to configure the application in **SP** initiated mode, perform the following steps:
b. Click **Set additional URLs**.
- c. In the **Sign-on URL** textbox, type a URL: `https://login.umbrella.com/sso`
+ c. In the **Sign-on URL** textbox, type the URL: `https://login.umbrella.com/sso`
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Metadata XML** from the given options as per your requirement and save it on your computer.
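Review bot: In step 4 the sub-list is structurally off: item `a.` ("If you wish to configure the application in **SP** initiated mode, perform the following steps:") is an introduction, not a step, yet the actual steps are lettered `b.` and `c.` after it. Since this hunk already edits `a.` and `c.`, make the introduction a plain sentence under step 4 and letter the two actions `a.` and `b.`. Step 4 itself is still numbered `4.` after three new items written as `1.`, and "the user does not have to perform any step" switches from second person to third; "you don't need to perform any steps" matches the rest of the page.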
@@ -109,93 +83,60 @@ To configure Azure AD single sign-on with [Application name], perform the follow
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
- b. Azure Ad Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Cisco Umbrella.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Cisco Umbrella**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Cisco Umbrella Single Sign-On
+## Configure Cisco Umbrella SSO
1. In a different browser window, sign-on to your Cisco Umbrella company site as administrator. 2. From the left side of menu, click **Admin** and navigate to **Authentication** and then click on **SAML**.
- ![The Admin](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_admin.png)
+ ![The Admin](./media/cisco-umbrella-tutorial/admin.png)
3. Choose **Other** and click on **NEXT**.
- ![The Other](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_other.png)
+ ![The Other](./media/cisco-umbrella-tutorial/other.png)
4. On the **Cisco Umbrella Metadata**, page, click **NEXT**.
- ![The metadata](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_metadata.png)
+ ![The metadata](./media/cisco-umbrella-tutorial/metadata.png)
5. On the **Upload Metadata** tab, if you had pre-configured SAML, select **Click here to change them** option and follow the below steps.
- ![The Next](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_next.png)
+ ![The Next](./media/cisco-umbrella-tutorial/next.png)
6. In the **Option A: Upload XML file**, upload the **Federation Metadata XML** file that you downloaded from the Azure portal and after uploading metadata the below values get auto populated automatically then click **NEXT**.
- ![The choosefile](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_choosefile.png)
+ ![The choosefile](./media/cisco-umbrella-tutorial/choose-file.png)
7. Under **Validate SAML Configuration** section, click **TEST YOUR SAML CONFIGURATION**.
- ![The Test](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_test.png)
+ ![The Test](./media/cisco-umbrella-tutorial/test.png)
8. Click **SAVE**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Cisco Umbrella.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Cisco Umbrella**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **Cisco Umbrella**.
-
- ![The Cisco Umbrella link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Cisco Umbrella test user To enable Azure AD users to log in to Cisco Umbrella, they must be provisioned into Cisco Umbrella.
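Review bot: The renamed image references in the Configure Cisco Umbrella SSO steps keep alt text such as "The choosefile", "The Next" and "The Other", which tells a screen-reader user nothing about the screenshot. Every image line in this hunk is already being touched for the file rename, so give each one alt text that says which page or control the screenshot shows. Step 6 also still reads "get auto populated automatically", and step 4 has a stray comma in "On the **Cisco Umbrella Metadata**, page"; both could be cleaned up in the same pass.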
@@ -207,11 +148,11 @@ In the case of Cisco Umbrella, provisioning is a manual task.
2. From the left side of menu, click **Admin** and navigate to **Accounts**.
- ![The Account](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_account.png)
+ ![The Account](./media/cisco-umbrella-tutorial/account.png)
3. On the **Accounts** page, click on **Add** on the top right side of the page and perform the following steps.
- ![The User](./media/cisco-umbrella-tutorial/tutorial_cisco-umbrella_createuser.png)
+ ![The User](./media/cisco-umbrella-tutorial/create-user.png)
a. In the **First Name** field, enter the firstname like **Britta**.
@@ -227,16 +168,22 @@ In the case of Cisco Umbrella, provisioning is a manual task.
g. Click **CREATE**.
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Cisco Umbrella Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Cisco Umbrella Sign-on URL directly and initiate the login flow from there.
-When you click the Cisco Umbrella tile in the Access Panel, you should be automatically signed in to the Cisco Umbrella for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Cisco Umbrella for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Cisco Umbrella tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Cisco Umbrella for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Cisco Umbrella you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
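Review bot: The new Test SSO section jumps from a `##` heading straight to `#### SP initiated:` and `#### IDP initiated:`, skipping a level and putting a colon inside the heading text. Use `###` without the colon so the outline stays regular. The My Apps link is also now an absolute https://docs.microsoft.com URL, where the removed Access Panel link was repository-relative (`../user-help/my-apps-portal-end-user-access.md`); a relative link would match the relative paths used elsewhere in this file.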
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/costpoint-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/costpoint-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 08/06/2019 Last updated : 02/11/2021
@@ -21,71 +21,56 @@ In this tutorial, you'll learn how to integrate Costpoint with Azure Active Dire
* Enable your users to be automatically signed-in to Costpoint with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* A Costpoint single sign-on (SSO) enabled subscription.
+* Costpoint single sign-on (SSO) enabled subscription.
## Scenario description
-In this tutorial, you will configure and test Azure AD SSO in a test environment. Costpoint supports **SP and IDP** initiated SSO.
+In this tutorial, you will configure and test Azure AD SSO in a test environment.
+
+* Costpoint supports **SP and IDP** initiated SSO.
## Generate Costpoint metadata Costpoint SAML SSO configuration is explained in the **DeltekCostpoint711Security.pdf** guide. Download this guide from the Deltek Costpoint support site and refer to the **SAML Single Sign-on Setup** > **Configure SAML Single Sign-on between Costpoint and Microsoft Azure** section. Follow the instructions and generate a **Costpoint SP Federation Metadata XML** file.
-![Screenshot that shows the "Product Configuration Utility" with the "Weblogic - Security" tab selected.](./media/costpoint-tutorial/config-utility.png)
+![Screenshot that shows the "Product Configuration Utility" with the "Weblogic - Security" tab selected.](./media/costpoint-tutorial/configuration-utility.png)
## Add Costpoint from the gallery
-To integrate Costpoint with Azure AD, first add Costpoint to your list of managed SaaS apps from the gallery in the Azure portal:
-
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
-
-1. In the left navigation pane, select the **Azure Active Directory** service.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-1. Select **Enterprise Applications** > **All Applications**.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-1. To add a new application, select **New application**.
-
- ![The New application button](common/add-new-app.png)
+To configure the integration of Costpoint into Azure AD, you need to add Costpoint from the gallery to your list of managed SaaS apps.
-1. In the **Add from the gallery** section, enter **Costpoint** in the search box.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Costpoint** in the search box.
+1. Select **Costpoint** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Costpoint in the results list](common/search-new-app.png)
+## Configure and test Azure AD SSO for Costpoint
-1. In the results list, select **Costpoint**, and then add the app. Wait a few seconds while the app is added to your tenant.
+Configure and test Azure AD SSO with Costpoint using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Costpoint.
-## Configure and test Azure AD single sgn-on
+To configure and test Azure AD SSO with Costpoint, perform the following steps:
-Configure and test Azure AD SSO with Costpoint by using a test user named **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Costpoint.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Costpoint SSO](#configure-costpoint-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Costpoint test user](#create-costpoint-test-user)** - to have a counterpart of B.Simon in Costpoint that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure and test Azure AD SSO with Costpoint, complete the following building blocks:
-
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-1. **[Configure Costpoint](#configure-costpoint)** to configure the SAML SSO settings on application side.
-1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
-1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
-1. **[Create a Costpoint test user](#create-a-costpoint-test-user)** to have a counterpart of B.Simon in Costpoint that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** to verify whether the configuration works.
-
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal: 1. On the **Costpoint** application integration page, select **Single sign-on**.
- ![Configure the single sign-on link](common/select-sso.png)
-
-1. In the **Basic SAML Configuration** section, if you have the *Service Provider metadata file*, complete these steps:
+1. In the **Basic SAML Configuration** section, if you have the **Service Provider metadata file**, complete these steps:
> [!NOTE] > You get the Service Provider metadata file in [Generate Costpoint metadata](#generate-costpoint-metadata). How to use the file is explained later in the tutorial.
@@ -105,61 +90,39 @@ Follow these steps to enable Azure AD SSO in the Azure portal:
![SAML Signing Certificate](common/copy-metadataurl.png)
-### Configure Costpoint
-
-1. Return to Costpoint Configuration Utility. In the **IdP Federation Metadata XML** text box, paste the contents of the *App Federation Metadata Url* file.
-
- ![Costpoint Configuration Utility](./media/costpoint-tutorial/config-utility-idp.png)
-
-1. Continue the instructions from the **DeltekCostpoint711Security.pdf** guide to finish the Costpoint SAML setup.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal named B.Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory** > **Users** > **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-1. Select **New user**.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the **User** properties, complete these steps:
-
- ![The User dialog box](common/user-properties.png)
-
- 1. In the **Name** field, enter **B.Simon**.
-
- 1. In the **User name** field, enter `b.simon\@yourcompanydomain.extension` (for example, B.Simon@contoso.com).
-
- 1. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** field.
-
- 1. Select **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable B.Simon to use Azure single sign-on by granting B.Simon access to Costpoint.
-
-1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Costpoint.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
1. In the applications list, select **Costpoint**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-1. In the **Manage** section of the app's overview page, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure Costpoint SSO
-1. Select **Add user**. In the **Add Assignment** dialog box, select **Users and groups**.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog box, In the **Users** list, select **B.Simon**. Then, choose **Select**.
+1. Return to Costpoint Configuration Utility. In the **IdP Federation Metadata XML** text box, paste the contents of the *App Federation Metadata Url* file.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list, and then choose **Select**.
+ ![Costpoint Configuration Utility](./media/costpoint-tutorial/configuration-utility-metadata.png)
-1. In the **Add Assignment** dialog box, select **Assign**.
+1. Continue the instructions from the **DeltekCostpoint711Security.pdf** guide to finish the Costpoint SAML setup.
-### Create a Costpoint test user
+### Create Costpoint test user
In this section, you create a user in Costpoint. Assume the user ID is **B.SIMON** and the user's name is **B.Simon**. Work with the [Costpoint Client support team](https://www.deltek.com/about/contact-us) to add the user in the Costpoint platform. The user must be created and activated before they can use single sign-on.
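Review bot: The relocated Configure Costpoint SSO step tells the admin to paste "the contents of the *App Federation Metadata Url* file" into the **IdP Federation Metadata XML** text box, but a URL is not a file and the text box is labelled as taking XML. State explicitly that the admin opens the App Federation Metadata Url copied in the previous section and pastes the XML document it returns. As written, a reader can reasonably paste the URL string itself and end up with a trust configuration that does not match the Azure AD application.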
@@ -167,14 +130,22 @@ After the user is created, the user's **Authentication Method** selection must b
![Costpoint user](./media/costpoint-tutorial/costpoint-user.png)
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Costpoint Sign on URL where you can initiate the login flow.
+
+* Go to Costpoint Sign-on URL directly and initiate the login flow from there.
-When you select the Costpoint tile in the Access Panel, you should be automatically signed in to the Costpoint application because you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Costpoint for which you set up the SSO.
-- [List of tutorials to integrate SaaS apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Costpoint tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Costpoint for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Costpoint you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
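Review bot: Under both "SP initiated" and "IDP initiated" the first bullet is the same action, "Click on **Test this application** in Azure portal", with two different outcomes (redirect to the Costpoint Sign on URL versus automatic sign-in), and nothing tells the reader which one to expect. Add a sentence tying the outcome to how the app was set up in Basic SAML Configuration, as the My Apps paragraph already does with "if configured in SP mode ... if configured in IDP mode". The intro line "with following options" also needs "the".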
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cyberark-saml-authentication-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cyberark-saml-authentication-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 10/03/2019 Last updated : 02/09/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate CyberArk SAML Authentication wit
* Enable your users to be automatically signed-in to CyberArk SAML Authentication with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,24 +32,24 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* CyberArk SAML Authentication supports **SP and IDP** initiated SSO
+* CyberArk SAML Authentication supports **SP and IDP** initiated SSO.
-## Adding CyberArk SAML Authentication from the gallery
+## Add CyberArk SAML Authentication from the gallery
To configure the integration of CyberArk SAML Authentication into Azure AD, you need to add CyberArk SAML Authentication from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **CyberArk SAML Authentication** in the search box. 1. Select **CyberArk SAML Authentication** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for CyberArk SAML Authentication
+## Configure and test Azure AD SSO for CyberArk SAML Authentication
Configure and test Azure AD SSO with CyberArk SAML Authentication using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in CyberArk SAML Authentication.
-To configure and test Azure AD SSO with CyberArk SAML Authentication, complete the following building blocks:
+To configure and test Azure AD SSO with CyberArk SAML Authentication, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -64,9 +62,9 @@ To configure and test Azure AD SSO with CyberArk SAML Authentication, complete t
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **CyberArk SAML Authentication** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **CyberArk SAML Authentication** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -110,15 +108,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **CyberArk SAML Authentication**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure CyberArk SAML Authentication SSO
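Review bot: The rewritten role step drops the reference to the SAML assertion: "If you're expecting any role value in the SAML assertion" becomes "If you are expecting a role to be assigned to the users". The old wording tied the selected role to what the application receives in the assertion, and that connection is worth keeping. For example, "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown", followed by the existing sentence about "Default Access".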
@@ -131,16 +123,20 @@ In this section, you create a user called B.Simon in CyberArk SAML Authenticatio
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to CyberArk SAML Authentication Sign on URL where you can initiate the login flow.
-When you click the CyberArk SAML Authentication tile in the Access Panel, you should be automatically signed in to the CyberArk SAML Authentication for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to CyberArk SAML Authentication Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the CyberArk SAML Authentication for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the CyberArk SAML Authentication tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the CyberArk SAML Authentication for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try CyberArk SAML Authentication with Azure AD](https://aad.portal.azure.com/)
+Once you configure CyberArk SAML Authentication you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
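Review bot: In the added Next steps paragraph, "organizationΓÇÖs" contains a mis-encoded apostrophe and should read "organization's"; check that the file is saved as UTF-8 before merge. "protects exfiltration and infiltration of your organization's sensitive data" also reads as the opposite of what is meant and should be "protects against exfiltration and infiltration". This hunk also removes the whole Additional resources list, including the Conditional Access overview link, while the new paragraph says session control "extends from Conditional Access"; linking that phrase to the overview would keep the reference.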
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/datadog-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/datadog-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 08/13/2020 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Datadog with Azure Active Direct
* Enable your users to be automatically signed-in to Datadog with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,27 +32,24 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Datadog supports **SP and IDP** initiated SSO
-* Once you configure Datadog you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
-
+* Datadog supports **SP and IDP** initiated SSO.
-## Adding Datadog from the gallery
+## Add Datadog from the gallery
To configure the integration of Datadog into Azure AD, you need to add Datadog from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Datadog** in the search box. 1. Select **Datadog** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Datadog Configure and test Azure AD SSO with Datadog using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Datadog.
-To configure and test Azure AD SSO with Datadog, complete the following building blocks:
+To configure and test Azure AD SSO with Datadog, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -67,9 +62,9 @@ To configure and test Azure AD SSO with Datadog, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Datadog** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Datadog** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -112,18 +107,11 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Datadog**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. - ## Configure Datadog SSO To configure single sign-on on **Datadog** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Datadog support team](mailto:support@datadoghq.com). They set this setting to have the SAML SSO connection set properly on both sides.
@@ -134,9 +122,19 @@ In this section, you create a user called B.Simon in Datadog. Work with [Datadog
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the Datadog tile in the Access Panel, you should be automatically signed in to the Datadog for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Datadog Sign on URL where you can initiate the login flow.
+
+* Go to Datadog Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Datadog for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Datadog tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Datadog for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
### Enable all users from your tenant to authenticate with the app
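Review bot: the new "SP initiated:" and "IDP initiated:" headings sit directly under `## Test SSO` but are written as `####` with a trailing colon; use `###` without the colon so the outline does not skip a level. In the same hunk, "with following options" needs "the", and the My Apps link replaces the removed relative path with an absolute `https://docs.microsoft.com/...` URL, where a relative or site-relative link like the one it replaces would be consistent.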
@@ -154,14 +152,6 @@ In this section, you enable everyone within your tenant to access Datadog if one
1. Select **Save**.
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)--- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Datadog with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Datadog you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
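Review bot: in the added Next steps sentence, "protects exfiltration and infiltration of your organization's sensitive data" says the reverse of what is meant; it should read "protects against exfiltration and infiltration". The apostrophe in "organizationΓÇÖs" also looks mis-encoded and should be a plain `'`. Removing the whole Additional resources list also drops the only link to the Conditional Access overview, although the new sentence relies on that term.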
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/digicert-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/digicert-tutorial.md
@@ -9,93 +9,67 @@
Previously updated : 01/30/2019 Last updated : 02/11/2021 # Tutorial: Azure Active Directory integration with DigiCert
-In this tutorial, you learn how to integrate DigiCert with Azure Active Directory (Azure AD).
-Integrating DigiCert with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate DigiCert with Azure Active Directory (Azure AD). When you integrate DigiCert with Azure AD, you can:
-* You can control in Azure AD who has access to DigiCert.
-* You can enable your users to be automatically signed-in to DigiCert (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to DigiCert.
+* Enable your users to be automatically signed-in to DigiCert with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with DigiCert, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* DigiCert single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* DigiCert single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* DigiCert supports **IDP** initiated SSO
+* DigiCert supports **IDP** initiated SSO.
-## Adding DigiCert from the gallery
+## Add DigiCert from the gallery
To configure the integration of DigiCert into Azure AD, you need to add DigiCert from the gallery to your list of managed SaaS apps.
-**To add DigiCert from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **DigiCert**, select **DigiCert** from result panel then click **Add** button to add the application.
-
- ![DigiCert in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **DigiCert** in the search box.
+1. Select **DigiCert** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with DigiCert based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in DigiCert needs to be established.
+## Configure and test Azure AD SSO for DigiCert
-To configure and test Azure AD single sign-on with DigiCert, you need to complete the following building blocks:
+Configure and test Azure AD SSO with DigiCert using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in DigiCert.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure DigiCert Single Sign-On](#configure-digicert-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create DigiCert test user](#create-digicert-test-user)** - to have a counterpart of Britta Simon in DigiCert that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with DigiCert, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure DigiCert SSO](#configure-digicert-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create DigiCert test user](#create-digicert-test-user)** - to have a counterpart of B.Simon in DigiCert that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with DigiCert, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **DigiCert** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **DigiCert** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![DigiCert Domain and URLs single sign-on information](common/idp-identifier.png)
-
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://www.digicert.com/sso` 5. DigiCert application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.
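Review bot: steps 1 to 3 of Configure Azure AD SSO become auto-numbered `1.` items, but the unchanged steps that follow still carry literal `4.` and `5.`, so the list mixes two numbering styles; convert the remaining steps to `1.` as well. Casing is also inconsistent: the new step 3 says **Set up single sign-on with SAML** while the unchanged step 5 still says **Set up Single Sign-On with SAML**.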
@@ -139,81 +113,46 @@ To configure Azure AD single sign-on with DigiCert, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure DigiCert Single Sign-On
-
-To configure single sign-on on **DigiCert** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [DigiCert support team](mailto:support@digicert.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to DigiCert.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **DigiCert**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to DigiCert.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **DigiCert**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **DigiCert**.
+## Configure DigiCert SSO
- ![The DigiCert link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **DigiCert** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [DigiCert support team](mailto:support@digicert.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create DigiCert test user In this section, you create a user called Britta Simon in DigiCert. Work with [DigiCert support team](mailto:support@digicert.com) to add the users in the DigiCert platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the DigiCert tile in the Access Panel, you should be automatically signed in to the DigiCert for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the DigiCert for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the DigiCert tile in the My Apps, you should be automatically signed in to the DigiCert for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure DigiCert you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
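Review bot: the test user is renamed to B.Simon throughout this hunk, but the unchanged text under `### Create DigiCert test user` still says "you create a user called Britta Simon in DigiCert"; update it so the Azure AD and DigiCert sides name the same user. The hunk also deletes the list naming the values to copy (Login URL, Azure Ad Identifier, Logout URL), while the moved Configure DigiCert SSO paragraph still asks for the "appropriate copied URLs", so consider naming them there.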
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jfrog-artifactory-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jfrog-artifactory-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 07/16/2019 Last updated : 02/09/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate JFrog Artifactory with Azure Act
* Enable your users to be automatically signed-in to JFrog Artifactory with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,41 +32,40 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* JFrog Artifactory supports **SP and IDP** initiated SSO
-* JFrog Artifactory supports **Just In Time** user provisioning
+* JFrog Artifactory supports **SP and IDP** initiated SSO.
+* JFrog Artifactory supports **Just In Time** user provisioning.
-## Adding JFrog Artifactory from the gallery
+## Add JFrog Artifactory from the gallery
To configure the integration of JFrog Artifactory into Azure AD, you need to add JFrog Artifactory from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **JFrog Artifactory** in the search box. 1. Select **JFrog Artifactory** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for JFrog Artifactory
Configure and test Azure AD SSO with JFrog Artifactory using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in JFrog Artifactory.
-To configure and test Azure AD SSO with JFrog Artifactory, complete the following building blocks:
+To configure and test Azure AD SSO with JFrog Artifactory, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure JFrog Artifactory SSO](#configure-jfrog-artifactory-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-5. **[Create JFrog Artifactory test user](#create-jfrog-artifactory-test-user)** - to have a counterpart of B.Simon in JFrog Artifactory that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure JFrog Artifactory SSO](#configure-jfrog-artifactory-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create JFrog Artifactory test user](#create-jfrog-artifactory-test-user)** - to have a counterpart of B.Simon in JFrog Artifactory that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **JFrog Artifactory** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **JFrog Artifactory** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -99,9 +96,9 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
a. Click the **pen** next to **Groups returned in claim**.
- ![Screenshot shows User Attributes & Claims with the Edit icon selected.](./media/jfrog-artifactory-tutorial/config04.png)
+ ![Screenshot shows User Attributes & Claims with the Edit icon selected.](./media/jfrog-artifactory-tutorial/configuration-4.png)
- ![Screenshot shows the Group Claims section with All groups selected.](./media/jfrog-artifactory-tutorial/config05.png)
+ ![Screenshot shows the Group Claims section with All groups selected.](./media/jfrog-artifactory-tutorial/configuration-5.png)
b. Select **All Groups** from the radio list.
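Review bot: confirm that the files under `./media/jfrog-artifactory-tutorial/` are renamed in the same commit as these two path changes (`config04.png` to `configuration-4.png`, `config05.png` to `configuration-5.png`); the visible diff shows only the Markdown references, and a mismatch would leave both screenshots broken.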
@@ -118,10 +115,6 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure JFrog Artifactory SSO
-
-Everything you need to configure single sign-on on the **JFrog Artifactory** side is configurable by the Artifactory admin in the SAML configugration screen.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
@@ -141,31 +134,35 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **JFrog Artifactory**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
+## Configure JFrog Artifactory SSO
+
+To configure single sign-on on **JFrog Artifactory** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [JFrog Artifactory support team](https://support.jfrog.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create JFrog Artifactory test user In this section, a user called B.Simon is created in JFrog Artifactory. JFrog Artifactory supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in JFrog Artifactory, a new one is created after authentication.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to JFrog Artifactory Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to JFrog Artifactory Sign-on URL directly and initiate the login flow from there.
-When you click the JFrog Artifactory tile in the Access Panel, you should be automatically signed in to the JFrog Artifactory for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the JFrog Artifactory for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the JFrog Artifactory tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the JFrog Artifactory for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure JFrog Artifactory you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
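Review bot: the re-added Configure JFrog Artifactory SSO section contradicts the text this commit removes. The old section said everything needed on the JFrog Artifactory side "is configurable by the Artifactory admin" in the SAML configuration screen, while the new one tells the reader to send the **Certificate (Raw)** and copied URLs to the JFrog Artifactory support team. Confirm which process is correct before replacing product-specific guidance with the template paragraph; if self-service configuration still applies, keep that wording.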
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/kendis-scaling-agile-platform-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kendis-scaling-agile-platform-tutorial.md
@@ -1,6 +1,6 @@
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Kendis-Scaling Agile Platform | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Kendis-Scaling Agile Platform.
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Kendis - Azure AD Integration | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Kendis - Azure AD Integration.
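Review bot: substituting "Kendis - Azure AD Integration" for the product name makes the title read "integration with Kendis - Azure AD Integration" and the description "between Azure Active Directory and Kendis - Azure AD Integration", which is redundant and reads like a gallery listing name rather than the application. Consider using the new name only where the reader has to match the gallery entry, and a plain product name in the title and description.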
@@ -9,17 +9,17 @@
Previously updated : 01/28/2021 Last updated : 02/12/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Kendis-Scaling Agile Platform
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Kendis - Azure AD Integration
-In this tutorial, you'll learn how to integrate Kendis-Scaling Agile Platform with Azure Active Directory (Azure AD). When you integrate Kendis-Scaling Agile Platform with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Kendis - Azure AD Integration with Azure Active Directory (Azure AD). When you integrate Kendis - Azure AD Integration with Azure AD, you can:
-* Control in Azure AD who has access to Kendis-Scaling Agile Platform.
-* Enable your users to be automatically signed-in to Kendis-Scaling Agile Platform with their Azure AD accounts.
+* Control in Azure AD who has access to Kendis - Azure AD Integration.
+* Enable your users to be automatically signed-in to Kendis - Azure AD Integration with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
@@ -27,46 +27,46 @@ In this tutorial, you'll learn how to integrate Kendis-Scaling Agile Platform wi
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Kendis-Scaling Agile Platform single sign-on (SSO) enabled subscription.
+* Kendis - Azure AD Integration single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Kendis-Scaling Agile Platform supports **SP and IDP** initiated SSO
-* Kendis-Scaling Agile Platform supports **Just In Time** user provisioning
+* Kendis - Azure AD Integration supports **SP and IDP** initiated SSO
+* Kendis - Azure AD Integration supports **Just In Time** user provisioning
-## Adding Kendis-Scaling Agile Platform from the gallery
+## Adding Kendis - Azure AD Integration from the gallery
-To configure the integration of Kendis-Scaling Agile Platform into Azure AD, you need to add Kendis-Scaling Agile Platform from the gallery to your list of managed SaaS apps.
+To configure the integration of Kendis - Azure AD Integration into Azure AD, you need to add Kendis - Azure AD Integration from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Kendis-Scaling Agile Platform** in the search box.
-1. Select **Kendis-Scaling Agile Platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **Kendis - Azure AD Integration** in the search box.
+1. Select **Kendis - Azure AD Integration** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Kendis-Scaling Agile Platform
+## Configure and test Azure AD SSO for Kendis - Azure AD Integration
-Configure and test Azure AD SSO with Kendis-Scaling Agile Platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kendis-Scaling Agile Platform.
+Configure and test Azure AD SSO with Kendis - Azure AD Integration using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kendis - Azure AD Integration.
-To configure and test Azure AD SSO with Kendis-Scaling Agile Platform, perform the following steps:
+To configure and test Azure AD SSO with Kendis - Azure AD Integration, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Kendis-Scaling Agile Platform SSO](#configure-kendis-scaling-agile-platform-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Kendis-Scaling Agile Platform test user](#create-kendis-scaling-agile-platform-test-user)** - to have a counterpart of B.Simon in Kendis-Scaling Agile Platform that is linked to the Azure AD representation of user.
+1. **[Configure Kendis-Azure AD Integration SSO](#configure-kendis-azure-ad-integration-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Kendis-Azure AD Integration test user](#create-kendis-azure-ad-integration-test-user)** - to have a counterpart of B.Simon in Kendis - Azure AD Integration that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Kendis-Scaling Agile Platform** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Kendis - Azure AD Integration** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
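Review bot: the two step-list links are now labelled "Kendis-Azure AD Integration" with no spaces around the hyphen, unlike "Kendis - Azure AD Integration" everywhere else in this hunk, and they point at `#configure-kendis-azure-ad-integration-sso` and `#create-kendis-azure-ad-integration-test-user`. Check that the target headings are spelled so they generate exactly those anchors, since a heading written with " - " may produce a different slug. The section heading also stays "Adding ... from the gallery" and the two Scenario description bullets still lack trailing periods, unlike the DigiCert and JFrog Artifactory edits in this batch.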
@@ -86,13 +86,13 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<SUBDOMAIN>.kendis.io/login` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Kendis-Scaling Agile Platform Client support team](mailto:support@kendis.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Kendis - Azure AD Integration Client support team](mailto:support@kendis.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ![The Certificate download link](common/certificatebase64.png)
-1. On the **Set up Kendis-Scaling Agile Platform** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Kendis - Azure AD Integration** section, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
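Review bot: In the NOTE, the support contact now reads "Kendis - Azure AD Integration Client support team", which is the gallery listing name substituted into a vendor contact; the address is still support@kendis.io, so "Kendis Client support team" is the accurate label. The same search-and-replace produced "On the **Set up Kendis - Azure AD Integration** section", where "In the ... section" would read correctly.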
@@ -110,19 +110,19 @@ In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kendis-Scaling Agile Platform.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kendis - Azure AD Integration.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Kendis-Scaling Agile Platform**.
+1. In the applications list, select **Kendis - Azure AD Integration**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Kendis-Scaling Agile Platform SSO
+## Configure Kendis-Azure AD Integration SSO
-1. In a different web browser window, sign in to your Kendis-Scaling Agile Platform company site as an administrator.
+1. In a different web browser window, sign in to your Kendis - Azure AD Integration company site as an administrator.
1. Go to the **Settings > SAML Configurations**.
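Review bot: The added sign-in step says "sign in to your Kendis - Azure AD Integration company site as an administrator", but what the administrator signs in to is the Kendis site itself (the tutorial's own sign-on pattern is `https://<SUBDOMAIN>.kendis.io/login`), not something named after the gallery entry. Suggest "sign in to your Kendis company site as an administrator" so it is unambiguous which console holds the SAML configuration.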
@@ -144,9 +144,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
f. Click **Save**.
-### Create Kendis-Scaling Agile Platform test user
+### Create Kendis-Azure AD Integration test user
-In this section, a user called Britta Simon is created in Kendis-Scaling Agile Platform. Kendis-Scaling Agile Platform supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Kendis-Scaling Agile Platform, a new one is created after authentication.
+In this section, a user called Britta Simon is created in Kendis - Azure AD Integration. Kendis - Azure AD Integration supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Kendis - Azure AD Integration, a new one is created after authentication.
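Review bot: The added paragraph under the test-user heading still calls the user "Britta Simon", while the step list and the "Assign the Azure AD test user" section in this same file use B.Simon. Use B.Simon here as well. Since the paragraph states that just-in-time provisioning is enabled by default and a new user is created after authentication, it would also help to say that the Azure AD assignment step is therefore what controls who gets an account.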
## Test SSO
@@ -154,19 +154,19 @@ In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Kendis-Scaling Agile Platform Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Kendis - Azure AD Integration Sign on URL where you can initiate the login flow.
-* Go to Kendis-Scaling Agile Platform Sign-on URL directly and initiate the login flow from there.
+* Go to Kendis - Azure AD Integration Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Kendis-Scaling Agile Platform for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Kendis - Azure AD Integration for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Kendis-Scaling Agile Platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Kendis-Scaling Agile Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Kendis - Azure AD Integration tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Kendis - Azure AD Integration for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
## Next steps
-Once you configure Kendis-Scaling Agile Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Kendis - Azure AD Integration you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
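Review bot: The added Next steps sentence says session control "protects exfiltration and infiltration", which reads as the opposite of what is meant; it should be "protects against exfiltration and infiltration". The same added line carries a mis-encoded apostrophe in "organization's" (it shows as `ΓÇÖ`), and the added IDP-initiated bullet ends without a period after "set up the SSO", unlike the bullets above it.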
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/knowledgeowl-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/knowledgeowl-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 10/14/2019 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate KnowledgeOwl with Azure Active D
* Enable your users to be automatically signed-in to KnowledgeOwl with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,54 +32,53 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* KnowledgeOwl supports **SP and IDP** initiated SSO
-* KnowledgeOwl supports **Just In Time** user provisioning
+* KnowledgeOwl supports **SP and IDP** initiated SSO.
+* KnowledgeOwl supports **Just In Time** user provisioning.
-## Adding KnowledgeOwl from the gallery
+## Add KnowledgeOwl from the gallery
To configure the integration of KnowledgeOwl into Azure AD, you need to add KnowledgeOwl from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **KnowledgeOwl** in the search box. 1. Select **KnowledgeOwl** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for KnowledgeOwl
+## Configure and test Azure AD SSO for KnowledgeOwl
Configure and test Azure AD SSO with KnowledgeOwl using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in KnowledgeOwl.
-To configure and test Azure AD SSO with KnowledgeOwl, complete the following building blocks:
+To configure and test Azure AD SSO with KnowledgeOwl, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure KnowledgeOwl SSO](#configure-knowledgeowl-sso)** - to configure the single sign-on settings on application side.
- * **[Create KnowledgeOwl test user](#create-knowledgeowl-test-user)** - to have a counterpart of B.Simon in KnowledgeOwl that is linked to the Azure AD representation of user.
+ 1. **[Create KnowledgeOwl test user](#create-knowledgeowl-test-user)** - to have a counterpart of B.Simon in KnowledgeOwl that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **KnowledgeOwl** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **KnowledgeOwl** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type the URL using one of the following patterns:
```http https://app.knowledgeowl.com/sp https://app.knowledgeowl.com/sp/id/<unique ID> ```
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type the URL using one of the following patterns:
```http https://subdomain.knowledgeowl.com/help/saml-login
@@ -94,7 +91,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type the URL using one of the following patterns:
```http https://subdomain.knowledgeowl.com/help/saml-login
@@ -145,15 +142,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **KnowledgeOwl**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure KnowledgeOwl SSO
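Review bot: The replacement role step drops the link to the SAML assertion that the removed line had ("If you're expecting any role value in the SAML assertion"). The new wording, "If you are expecting a role to be assigned to the users", no longer tells the reader that the selection matters because the application receives it at sign-in. Suggest keeping that clause, for example "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown", and keeping the "Default Access" sentence as is.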
@@ -162,11 +153,11 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Settings** and then select **Security**.
- ![Screenshot shows Security selected from the Settings menu.](./media/knowledgeowl-tutorial/configure1.png)
+ ![Screenshot shows Security selected from the Settings menu.](./media/knowledgeowl-tutorial/configure-1.png)
1. Scroll to **SAML SSO Integration** and perform the following steps:
- ![Screenshot shows SAML S S O Integration where you can make the changes described here.](./media/knowledgeowl-tutorial/configure2.png)
+ ![Screenshot shows SAML S S O Integration where you can make the changes described here.](./media/knowledgeowl-tutorial/configure-2.png)
a. Select **Enable SAML SSO**.
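Review bot: The image paths change from `configure1.png` and `configure2.png` to `configure-1.png` and `configure-2.png`, but no rename of the files under `./media/knowledgeowl-tutorial/` is visible in this diff. Confirm the media files are renamed in the same commit, otherwise both screenshots break. While touching these lines, the alt text "SAML S S O Integration" can be written "SAML SSO Integration".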
@@ -178,23 +169,23 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
e. In the **IdP Login URL** textbox, paste the **Login URL** value, which you have copied from the Azure portal.
- f. In the **IdP Logout URL** textbox, paste the **Logout URL** value, which you have copied from the Azure portal
+ f. In the **IdP Logout URL** textbox, paste the **Logout URL** value, which you have copied from the Azure portal.
g. Upload the downloaded certificate form the Azure portal by clicking the **Upload IdP Certificate**. h. Click on **Map SAML Attributes** to map attributes and perform the following steps:
- ![Screenshot shows Map SAML Attributes where you can make the changes described here.](./media/knowledgeowl-tutorial/configure3.png)
+ ![Screenshot shows Map SAML Attributes where you can make the changes described here.](./media/knowledgeowl-tutorial/configure-3.png)
* Enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ssoid` into the **SSO ID** textbox * Enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` into the **Username/Email** textbox. * Enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` into the **First Name** textbox. * Enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` into the **Last Name** textbox.
- * Click **Save**
+ * Click **Save**.
i. Click **Save** at the bottom of the page.
- ![Screenshot shows the Save button.](./media/knowledgeowl-tutorial/configure4.png)
+ ![Screenshot shows the Save button.](./media/knowledgeowl-tutorial/configure-4.png)
### Create KnowledgeOwl test user
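Review bot: Step g, left as context in this hunk, still reads "Upload the downloaded certificate form the Azure portal"; "form" should be "from". Since the hunk is already fixing trailing punctuation on steps f and the **Save** bullet, the first mapping bullet ("into the **SSO ID** textbox") needs its period too, so the four attribute bullets end consistently.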
@@ -205,16 +196,20 @@ In this section, a user called B.Simon is created in KnowledgeOwl. KnowledgeOwl
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to KnowledgeOwl Sign on URL where you can initiate the login flow.
-When you click the KnowledgeOwl tile in the Access Panel, you should be automatically signed in to the KnowledgeOwl for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to KnowledgeOwl Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the KnowledgeOwl for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the KnowledgeOwl tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the KnowledgeOwl for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try KnowledgeOwl with Azure AD](https://aad.portal.azure.com/)
+Once you configure KnowledgeOwl you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
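Review bot: The added `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping the `###` level, and carry a trailing colon that ends up in the heading text. Use `###` without the colon. The added intro line also needs an article: "with the following options".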
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/miro-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/miro-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 06/24/2019 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Miro with Azure Active Directory
* Enable your users to be automatically signed-in to Miro with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -32,50 +30,51 @@ To get started, you need the following items:
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Miro supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+* Miro supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning.
-## Adding Miro from the gallery
+## Add Miro from the gallery
To configure the integration of Miro into Azure AD, you need to add Miro from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Miro** in the search box. 1. Select **Miro** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Miro
Configure and test Azure AD SSO with Miro using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Miro.
-To configure and test Azure AD SSO with Miro, complete the following building blocks:
+To configure and test Azure AD SSO with Miro, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure Miro](#configure-miro)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
-5. **[Create Miro test user](#create-miro-test-user)** to have a counterpart of B.Simon in Miro that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Miro SSO](#configure-miro-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Miro test user](#create-miro-test-user)** - to have a counterpart of B.Simon in Miro that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Miro** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Miro** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://miro.com` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://miro.com/sso/saml` 1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
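Review bot: The added scenario bullet packs two statements into one item ("Miro supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning"), where the other tutorials in this batch use one bullet per capability. Split it in two. In the context at the end of the hunk, the step tells the reader to find **Federation Metadata XML** and "download the certificate"; the artifact being downloaded is the metadata file, so the wording should say so.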
@@ -86,10 +85,6 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure Miro
-
-To configure single sign-on on **Miro** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to Miro support team. They set this setting to have the SAML SSO connection set properly on both sides
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
@@ -109,29 +104,35 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Miro**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
+## Configure Miro SSO
+
+To configure single sign-on on **Miro** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to Miro support team. They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create Miro test user In this section, a user called B.Simon is created in Miro. Miro supports just-in-time provisioning, which can be enabled as per requirement. There is no action item for you in this section. If a user doesn't already exist in Miro, a new one is created when you attempt to access Miro.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Miro Sign on URL where you can initiate the login flow.
+
+* Go to Miro Sign-on URL directly and initiate the login flow from there.
-When you select the Miro tile in the Access Panel, you should be automatically signed in to the Miro for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Miro for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Miro tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Miro for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Miro you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
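Review bot: Under "Create Miro test user" the text says just-in-time provisioning "can be enabled as per requirement" and then "There is no action item for you in this section"; if provisioning is optional, the reader does have something to decide, so state either that it is on by default or how it is requested. The moved "Configure Miro SSO" paragraph would also read better as "They apply this configuration so that the SAML SSO connection is set properly on both sides" instead of "They set this setting".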
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/opentext-directory-services-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/opentext-directory-services-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 07/21/2020 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate OpenText Directory Services with
* Enable your users to be automatically signed-in to OpenText Directory Services with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -36,25 +34,23 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* OpenText Directory Services supports **SP and IDP** initiated SSO. * OpenText Directory Services supports **Just In Time** user provisioning.
-* Once you configure OpenText Directory Services you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding OpenText Directory Services from the gallery
+## Add OpenText Directory Services from the gallery
To configure the integration of OpenText Directory Services into Azure AD, you need to add OpenText Directory Services from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **OpenText Directory Services** in the search box. 1. Select **OpenText Directory Services** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for OpenText Directory Services Configure and test Azure AD SSO with OpenText Directory Services using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in OpenText Directory Services.
-To configure and test Azure AD SSO with OpenText Directory Services, complete the following building blocks:
+To configure and test Azure AD SSO with OpenText Directory Services, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
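Review bot: The session-control bullet removed from the scenario list used the site-relative link `/cloud-app-security/proxy-deployment-any-app`, while the Next steps paragraphs added to the Kendis, KnowledgeOwl and Miro tutorials in this batch use the absolute `https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app`. If the sentence is being moved to a Next steps section in this file too, keep the relative form for consistency with the rest of the article's links, and fix the mis-encoded apostrophe in "organization's" when it is re-added.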
@@ -67,9 +63,9 @@ To configure and test Azure AD SSO with OpenText Directory Services, complete th
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **OpenText Directory Services** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **OpenText Directory Services** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -112,15 +108,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **OpenText Directory Services**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure OpenText Directory Services SSO
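Review bot: The rewritten role step ("If you are expecting a role to be assigned to the users...") drops the old wording's reference to a role value in the SAML assertion, which was the only cue that this choice affects what the application receives at sign-in. Consider keeping that clause, for example "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown", followed by the new sentence about "Default Access". The hunk also removes both screenshots for the Users and groups steps; confirm that is intended.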
@@ -133,20 +123,20 @@ In this section, a user called B.Simon is created in OpenText Directory Services
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the OpenText Directory Services tile in the Access Panel, you should be automatically signed in to the OpenText Directory Services for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to OpenText Directory Services Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to OpenText Directory Services Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the OpenText Directory Services for which you set up the SSO.
-- [Try OpenText Directory Services with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the OpenText Directory Services tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the OpenText Directory Services for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect OpenText Directory Services with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure OpenText Directory Services you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
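Review bot: In the new Next steps paragraph, "protects exfiltration and infiltration" reads as if session control protects the exfiltration itself; "protects against exfiltration and infiltration" says what is meant. The paragraph also names Conditional Access, but this hunk deletes the only link to the Conditional Access overview (`../conditional-access/overview.md`), so consider linking the term here. The intro line "with following options" needs an article: "with the following options".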
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/purecloud-by-genesys-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/purecloud-by-genesys-tutorial.md
@@ -9,19 +9,17 @@
Previously updated : 10/03/2019 Last updated : 02/11/2021 # Tutorial: Azure Active Directory single sign-on (SSO) integration with PureCloud by Genesys
-In this tutorial, you'll learn how to integrate PureCloud by Genesys with Azure Active Directory (Azure AD). After you do that, you can:
+In this tutorial, you'll learn how to integrate PureCloud by Genesys with Azure Active Directory (Azure AD). When you integrate PureCloud by Genesys with Azure AD, you can:
-* Use Azure AD to control which users can access PureCloud by Genesys.
+* Control in Azure AD who has access to PureCloud by Genesys.
* Enable your users to be automatically signed-in to PureCloud by Genesys with their Azure AD accounts.
-* Manage your accounts in one central location: the Azure portal.
-
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
@@ -37,45 +35,45 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* PureCloud by Genesys supports **SP and IDP**ΓÇôinitiated SSO. > [!NOTE]
-> Because the ID for this application is a fixed-string value, only one instance can be configured in one tenant.
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding PureCloud by Genesys from the gallery
+## Add PureCloud by Genesys from the gallery
To configure integration of PureCloud by Genesys into Azure AD, you must add PureCloud by Genesys from the gallery to your list of managed SaaS apps. To do this, follow these steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) by using a work or school account or by using a personal Microsoft account.
+1. Sign in to the Azure portal by using a work or school account or by using a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Go to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **PureCloud by Genesys** in the search box. 1. Select **PureCloud by Genesys** from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for PureCloud by Genesys
+## Configure and test Azure AD SSO for PureCloud by Genesys
Configure and test Azure AD SSO with PureCloud by Genesys using a test user named **B.Simon**. For SSO to work, you must establish a link relationship between an Azure AD user and the related user in PureCloud by Genesys.
-To configure and test Azure AD SSO with PureCloud by Genesys, complete the following building blocks:
+To configure and test Azure AD SSO with PureCloud by Genesys, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on. 1. **[Configure PureCloud by Genesys SSO](#configure-purecloud-by-genesys-sso)** to configure the single sign-on settings on application side.
- 1. **[Create a PureCloud by Genesys test user](#create-purecloud-by-genesys-test-user)** to have a counterpart of B.Simon in PureCloud by Genesys that's linked to the Azure AD representation of user.
+ 1. **[Create PureCloud by Genesys test user](#create-purecloud-by-genesys-test-user)** to have a counterpart of B.Simon in PureCloud by Genesys that's linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** to verify whether the configuration works. ## Configure Azure AD SSO To enable Azure AD SSO in the Azure portal, follow these steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **PureCloud by Genesys** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **PureCloud by Genesys** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a Single Sign-On method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, select the pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. In the **Basic SAML Configuration** section, if you want to configure the application in **IDP**-initiated mode, enter the values for the following fields:
- a. In the **Identifier** box, enter a URL that corresponds to your region:
+ a. In the **Identifier** box, enter the URLs that corresponds to your region:
```http https://login.mypurecloud.com/saml
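Review bot: The Identifier step now reads "enter the URLs that corresponds to your region", which is ungrammatical and suggests entering more than one value, although the step lists per-region URLs of which one applies. The removed wording, "enter a URL that corresponds to your region", was correct; suggest reverting it here and in the Reply URL and Sign-on URL steps in the following hunks, which carry the same change.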
@@ -85,7 +83,7 @@ To enable Azure AD SSO in the Azure portal, follow these steps:
https://login.mypurecloud.au/saml ```
- b. In the **Reply URL** box, enter a URL that corresponds to your region:
+ b. In the **Reply URL** box, enter the URLs that corresponds to your region:
```http https://login.mypurecloud.com/saml
@@ -97,7 +95,7 @@ To enable Azure AD SSO in the Azure portal, follow these steps:
1. Select **Set additional URLs** and take the following step if you want to configure the application in **SP** initiated mode:
- In the **Sign-on URL** box, enter a URL that corresponds to your region:
+ In the **Sign-on URL** box, enter the URLs that corresponds to your region:
```http https://login.mypurecloud.com
@@ -140,21 +138,15 @@ In this section, you'll create a test user named B.Simon in the Azure portal:
### Assign the Azure AD test user
-In this section, you'll set up B.Simon to use Azure single sign-on by granting access to PureCloud by Genesys.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to PureCloud by Genesys.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **PureCloud by Genesys**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, and then select **Users and groups** in the **Add Assignment** dialog box.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog box, select **B.Simon** from the Users list, and then choose the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list, and then choose the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog box, select the **Assign** button.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Configure PureCloud by Genesys SSO
@@ -162,11 +154,11 @@ In this section, you'll set up B.Simon to use Azure single sign-on by granting
1. Select **Admin** at the top and then go to **Single Sign-on** under **Integrations**.
- ![Screenshot shows the PureCloud Admin window where you can select Single Sign-on.](./media/purecloud-by-genesys-tutorial/configure01.png)
+ ![Screenshot shows the PureCloud Admin window where you can select Single Sign-on.](./media/purecloud-by-genesys-tutorial/configure-1.png)
1. Switch to the **ADFS/Azure AD(Premium)** tab, and then follow these steps:
- ![Screenshot shows the Integrations page where you can enter the values described.](./media/purecloud-by-genesys-tutorial/configure02.png)
+ ![Screenshot shows the Integrations page where you can enter the values described.](./media/purecloud-by-genesys-tutorial/configure-2.png)
a. Select **Browse** to upload the base-64 encoded certificate that you downloaded from the Azure portal into the **ADFS Certificate**.
@@ -176,7 +168,7 @@ In this section, you'll set up B.Simon to use Azure single sign-on by granting
d. For the **Relying Party Identifier** value, go to the Azure portal, and then on the **PureCloud by Genesys** application integration page, select the **Properties** tab and copy the **Application ID** value. Paste it into the **Relying Party Identifier** box.
- ![Screenshot shows the Properties pane where you can find the Application I D value.](./media/purecloud-by-genesys-tutorial/configure06.png)
+ ![Screenshot shows the Properties pane where you can find the Application I D value.](./media/purecloud-by-genesys-tutorial/configure-6.png)
e. Select **Save**.
@@ -190,15 +182,15 @@ To enable Azure AD users to sign in to PureCloud by Genesys, they must be provis
1. Select **Admin** at the top and go to **People** under **People & Permissions**.
- ![Screenshot shows the PureCloud Admin window where you can select People.](./media/purecloud-by-genesys-tutorial/configure03.png)
+ ![Screenshot shows the PureCloud Admin window where you can select People.](./media/purecloud-by-genesys-tutorial/configure-3.png)
1. On the **People** page, select **Add Person**.
- ![Screenshot shows the People page where you can add a person.](./media/purecloud-by-genesys-tutorial/configure04.png)
+ ![Screenshot shows the People page where you can add a person.](./media/purecloud-by-genesys-tutorial/configure-4.png)
1. In the **Add People to the Organization** dialog box, follow these steps:
- ![Screenshot shows the page where you can enter the values described.](./media/purecloud-by-genesys-tutorial/configure05.png)
+ ![Screenshot shows the page where you can enter the values described.](./media/purecloud-by-genesys-tutorial/configure-5.png)
a. In the **Full Name** box, enter the name of a user. For example: **B.simon**.
@@ -208,16 +200,20 @@ To enable Azure AD users to sign in to PureCloud by Genesys, they must be provis
## Test SSO
-In this section, you test your Azure AD single sign-on configuration by using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to PureCloud by Genesys Sign on URL where you can initiate the login flow.
-When you select the **PureCloud by Genesys** tile in the Access Panel, you should be automatically signed in to the PureCloud by Genesys account that you set up SSO for. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to PureCloud by Genesys Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of tutorials about how to integrate SaaS apps with Azure AD ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the PureCloud by Genesys for which you set up the SSO.
-- [What is application access and single sign-on with Azure AD?](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the PureCloud by Genesys tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the PureCloud by Genesys for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure AD?](../conditional-access/overview.md)
+## Next steps
-- [Try PureCloud by Genesys with Azure AD](https://aad.portal.azure.com/)
+Once you configure PureCloud by Genesys you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
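Review bot: The new Test SSO section puts `#### SP initiated:` and `#### IDP initiated:` directly under the `## Test SSO` heading, skipping a level and ending each heading with a colon; `### SP initiated` and `### IDP initiated` would match the `###` subsections used elsewhere in the article. The My Apps link also changes from the relative `../user-help/my-apps-portal-end-user-access.md` to an absolute `https://docs.microsoft.com/...` URL, and the Cloud App Security link is absolute too, whereas the Resource Central change in this same batch uses the site-relative `/cloud-app-security/proxy-deployment-any-app`; pick one form.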
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/resource-central-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/resource-central-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 11/06/2020 Last updated : 01/13/2021
@@ -37,18 +37,17 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* Resource Central supports **Just In Time** user provisioning
-## Adding Resource Central from the gallery
+## Add Resource Central from the gallery
To configure the integration of Resource Central into Azure AD, you need to add Resource Central from the gallery to your list of managed SaaS apps. 1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**.
-1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Resource Central** in the search box.
+1. To add a new application, select **New application**.
+1. In the **Add from the gallery** section, in the search box, enter **Resource Central**.
1. Select **Resource Central** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Resource Central Configure and test Azure AD SSO with Resource Central using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Resource Central.
@@ -58,8 +57,8 @@ To configure and test Azure AD SSO with Resource Central, perform the following
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Resource Central SSO](#configure-resource-central-sso)** - to configure the single sign-on settings on application side.
1. **[Create Resource Central test user](#create-resource-central-test-user)** - to have a counterpart of B.Simon in Resource Central that is linked to the Azure AD representation of user.
+1. **[Configure Resource Central SSO](#configure-resource-central-sso)** - to configure the single sign-on settings on application side.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
@@ -72,36 +71,34 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. In **Basic SAML Configuration**, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<DOMAIN_NAME>/ResourceCentral`
+ 1. In the **Sign on URL** text box, type a URL using the following pattern: `https://<DOMAIN_NAME>/ResourceCentral`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<DOMAIN_NAME>/ResourceCentral`
+ 1. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: `https://<DOMAIN_NAME>/ResourceCentral`
- c. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<DOMAIN_NAME>/ResourceCentral/ExAuth/Saml2Authentication/Acs`
+ 1. In the **Reply URL** text box, type a URL using the following pattern: `https://<DOMAIN_NAME>/ResourceCentral/ExAuth/Saml2Authentication/Acs`
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact [Resource Central Client support team](mailto:st@aod.vn) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not literal values. Update these values with the actual Sign-on URL, Identifier, and Reply URL values. Contact [Resource Central Client support team](mailto:st@aod.vn) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in **SAML Signing Certificate**, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
![The Certificate download link](common/certificatebase64.png)
-1. On the **Set up Resource Central** section, copy the appropriate URL(s) based on your requirement.
+1. In **Set up Resource Central**, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user
-In this section, you'll create a test user in the Azure portal called B.Simon.
+In this section, you'll create a test user called B.Simon in the Azure portal.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps: 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. In the **User name** field, enter the `username@companydomain.extension`. For example, `B.Simon@contoso.com`.
1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
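Review bot: The note in this hunk keeps the instruction to contact the Resource Central Client support team at `st@aod.vn` for the Sign-on URL, Identifier and Reply URL values, while the Configure Resource Central SSO text that this commit removes pointed to `rc@aod.vn`. Confirm which address is current and use it consistently.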
@@ -112,30 +109,72 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Resource Central**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** pane.
+1. In the **Users and groups** pane, select **B.Simon** from the **Users** list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it in **Select a role**. If no role has been set up for this app, you see **Default Access** role selected.
+1. In the **Add Assignment** pane, click the **Assign** button.
+
+### Create Resource Central test user
+
+In this section, a user called **B.Simon** is created in **Resource Central**.
+
+1. In Resource Central, select **Security** > **Persons** > **New**.
+
+ :::image type="content" source="./media/resource-central/new-person.png" alt-text="Screenshot that shows the Persons pane in Resource Central, with the New button highlighted.":::
+
+1. In **Person Details**, for **Display name**, enter the user **B.Simon**. For **SMTP Address**, enter the user's Azure AD user name. For example, `B.Simon@contoso.com`.
+
+ :::image type="content" source="./media/resource-central/person.png" alt-text="Screenshot that shows the Person Details pane in Resource Central.":::
## Configure Resource Central SSO
-To configure single sign-on on **Resource Central** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Resource Central support team](mailto:rc@aod.vn). They set this setting to have the SAML SSO connection set properly on both sides.
+In this section, you'll configure single sign-on in **Resource Central System Administrator**.
-### Create Resource Central test user
+1. In Resource Central System Administrator, select **External Authentication**.
+1. For **Enable Configuration**, select **Yes**.
+
+ ![Screenshot that shows the Enable Configuration option selected in the External Authentication pane in Resource Central.](./media/resource-central/enable.png)
+
+1. In **Authentication Protocol**, select **SAML2**.
+
+ :::image type="content" source="./media/resource-central/protocol.png" alt-text="Screenshot that shows SAML2 selected for Authentication Protocol in Resource Central.":::
+
+1. Under **SAML2 Configuration**, enter the values for the following fields:
+
+ 1. For **Identifier (Entity ID)**, **Login URL**, **Logout URL**, and **Azure AD Identifier**, enter the relevant URLs:
+
+ :::image type="content" source="./media/resource-central/auth.png" alt-text="Screenshot of the SAML2 Configuration pane in Resource Central.":::
+
+ Copy the URLs from the **Set up Resource Central** pane:
+
+ :::image type="content" source="./media/resource-central/setup.png" alt-text="Screenshot of the Set up Resource Central pane in Resource Central.":::
+
+ 1. For **Return URL**, enter `https://<DOMAIN_NAME>/ResourceCentral/ExAuth/Saml2Authentication/CallbackHandler`.
+
+1. For **Certificate**, upload your certificate and enter your password.
+
+ ![Screenshot of the certificate section in Resource Central.](./media/resource-central/cert.png)
+
+1. Select **Save**.
+
+1. Return to the **Azure portal**. In **SAML Signing Certificate**, upload your certificate and enter your password.
+
+ ![Screenshot of the Import Certificate pane in the Azure portal.](./media/resource-central/cert2.png).
-In this section, a user called Britta Simon is created in Resource Central. Resource Central supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Resource Central, a new one is created after authentication.
+1. Select **Add**.
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration. To test single sign-on, you have three options:
-* Click on **Test this application** in Azure portal. This will redirect to Resource Central Sign-on URL where you can initiate the login flow.
+* In the Azure portal, select **Test this application**. The link redirects to the Resource Central sign-on URL, where you can initiate login.
-* Go to Resource Central Sign-on URL directly and initiate the login flow from there.
+* Go to the Resource Central sign-on URL directly and initiate login.
-* You can use Microsoft Access Panel. When you click the Resource Central tile in the Access Panel, this will redirect to Resource Central Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+ :::image type="content" source="./media/resource-central/test.png" alt-text="Screenshot of the Resource Central single sign-on test webpage.":::
+* Use the My Apps portal from Microsoft. In the My Apps portal, select the **Resource Central** tile to redirect to the Resource Central sign-on URL. For more information, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Resource Central you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+After you set up Resource Central for single sign-on with Azure AD, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
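Review bot: The new steps "For **Certificate**, upload your certificate and enter your password" and "In **SAML Signing Certificate**, upload your certificate and enter your password" do not say which certificate is meant, what file format is expected, or which password is being asked for (presumably the one protecting the certificate file, not an account password). The earlier step in this article has the reader download **Certificate (Base64)** from the Azure portal, a public certificate with no password, so the relationship between that download and these uploads needs a sentence. Separately, this hunk replaces the just-in-time provisioning paragraph with manual creation of B.Simon, but the article still lists "Resource Central supports **Just In Time** user provisioning" near the top; reconcile the two. There is also a stray period after the `cert2.png` image reference.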
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sapboc-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sapboc-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 07/17/2019 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate SAP Analytics Cloud with Azure A
* Enable your users to be automatically signed-in to SAP Analytics Cloud with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,51 +32,50 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* SAP Analytics Cloud supports **SP** initiated SSO
+* SAP Analytics Cloud supports **SP** initiated SSO.
-## Adding SAP Analytics Cloud from the gallery
+## Add SAP Analytics Cloud from the gallery
To configure the integration of SAP Analytics Cloud into Azure AD, you need to add SAP Analytics Cloud from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **SAP Analytics Cloud** in the search box. 1. Select **SAP Analytics Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for SAP Analytics Cloud
Configure and test Azure AD SSO with SAP Analytics Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SAP Analytics Cloud.
-To configure and test Azure AD SSO with SAP Analytics Cloud, complete the following building blocks:
+To configure and test Azure AD SSO with SAP Analytics Cloud, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure SAP Analytics Cloud SSO](#configure-sap-analytics-cloud-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-5. **[Create SAP Analytics Cloud test user](#create-sap-analytics-cloud-test-user)** - to have a counterpart of B.Simon in SAP Analytics Cloud that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SAP Analytics Cloud SSO](#configure-sap-analytics-cloud-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SAP Analytics Cloud test user](#create-sap-analytics-cloud-test-user)** - to have a counterpart of B.Simon in SAP Analytics Cloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **SAP Analytics Cloud** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **SAP Analytics Cloud** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Sign on URL** text box, type a URL using one of the following patterns:
- `https://<sub-domain>.sapanalytics.cloud/` - `https://<sub-domain>.sapbusinessobjects.cloud/`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Identifier (Entity ID)** text box, type a URL using one of the following patterns:
- `<sub-domain>.sapbusinessobjects.cloud` - `<sub-domain>.sapanalytics.cloud`
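Review bot: The Identifier (Entity ID) step still says "type a URL", but both patterns listed under it (`<sub-domain>.sapbusinessobjects.cloud`, `<sub-domain>.sapanalytics.cloud`) have no scheme, unlike the Sign on URL patterns directly above. The identifier has to match the service provider's entityID exactly, so say "type a value" here. Alternatively, point to the later step that copies the entityID from the downloaded service provider metadata into this box.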
@@ -94,72 +91,66 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure SAP Analytics Cloud SSO
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SAP Analytics Cloud.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SAP Analytics Cloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure SAP Analytics Cloud SSO
1. In a different web browser window, sign in to your SAP Analytics Cloud company site as an administrator. 2. Select **Menu** > **System** > **Administration**.
- ![Select Menu, then System, and then Administration](./media/sapboc-tutorial/config1.png)
+ ![Select Menu, then System, and then Administration](./media/sapboc-tutorial/configure-1.png)
3. On the **Security** tab, select the **Edit** (pen) icon.
- ![On the Security tab, select the Edit icon](./media/sapboc-tutorial/config2.png)
+ ![On the Security tab, select the Edit icon](./media/sapboc-tutorial/configure-2.png)
4. For **Authentication Method**, select **SAML Single Sign-On (SSO)**.
- ![Select SAML Single Sign-On for the authentication method](./media/sapboc-tutorial/config3.png)
+ ![Select SAML Single Sign-On for the authentication method](./media/sapboc-tutorial/configure-3.png)
5. To download the service provider metadata (Step 1), select **Download**. In the metadata file, find and copy the **entityID** value. In the Azure portal, on the **Basic SAML Configuration** dialog, paste the value in the **Identifier** box.
- ![Copy and paste the entityID value](./media/sapboc-tutorial/config4.png)
+ ![Copy and paste the entityID value](./media/sapboc-tutorial/configure-4.png)
6. To upload the service provider metadata (Step 2) in the file that you downloaded from the Azure portal, under **Upload Identity Provider metadata**, select **Upload**.
- ![Under Upload Identity Provider metadata, select Upload](./media/sapboc-tutorial/config5.png)
+ ![Under Upload Identity Provider metadata, select Upload](./media/sapboc-tutorial/configure-5.png)
7. In the **User Attribute** list, select the user attribute (Step 3) that you want to use for your implementation. This user attribute maps to the identity provider. To enter a custom attribute on the user's page, use the **Custom SAML Mapping** option. Or, you can select either **Email** or **USER ID** as the user attribute. In our example, we selected **Email** because we mapped the user identifier claim with the **userprincipalname** attribute in the **User Attributes & Claims** section in the Azure portal. This provides a unique user email, which is sent to the SAP Analytics Cloud application in every successful SAML response.
- ![Select User Attribute](./media/sapboc-tutorial/config6.png)
+ ![Select User Attribute](./media/sapboc-tutorial/configure-6.png)
8. To verify the account with the identity provider (Step 4), in the **Login Credential (Email)** box, enter the user's email address. Then, select **Verify Account**. The system adds sign-in credentials to the user account.
- ![Enter email, and select Verify Account](./media/sapboc-tutorial/config7.png)
+ ![Enter email, and select Verify Account](./media/sapboc-tutorial/configure-7.png)
9. Select the **Save** icon. ![Save icon](./media/sapboc-tutorial/save.png)
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SAP Analytics Cloud.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **SAP Analytics Cloud**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create SAP Analytics Cloud test user Azure AD users must be provisioned in SAP Analytics Cloud before they can sign in to SAP Analytics Cloud. In SAP Analytics Cloud, provisioning is a manual task.
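Review bot: Step 6 of the SAP Analytics Cloud configuration is touched only for its screenshot path, but its text still reads "To upload the service provider metadata (Step 2) in the file that you downloaded from the Azure portal" while the control it names is **Upload Identity Provider metadata**. The file downloaded from the Azure portal is the identity provider's metadata, so the sentence should say "identity provider metadata". As written, it can be read as an instruction to upload the service provider file from step 5.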
@@ -170,11 +161,11 @@ To provision a user account:
2. Select **Menu** > **Security** > **Users**.
- ![Add Employee](./media/sapboc-tutorial/user1.png)
+ ![Add Employee](./media/sapboc-tutorial/user-1.png)
3. On the **Users** page, to add new user details, select **+**.
- ![Add Users page](./media/sapboc-tutorial/user4.png)
+ ![Add Users page](./media/sapboc-tutorial/user-4.png)
Then, complete the following steps:
@@ -190,20 +181,20 @@ To provision a user account:
1. On the **Select Roles** page, select the appropriate role for the user, and then select **OK**.
- ![Select role](./media/sapboc-tutorial/user3.png)
+ ![Select role](./media/sapboc-tutorial/user-3.png)
1. Select the **Save** icon.
-### Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SAP Analytics Cloud tile in the Access Panel, you should be automatically signed in to the SAP Analytics Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to SAP Analytics Cloud Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to SAP Analytics Cloud Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SAP Analytics Cloud tile in the My Apps, this will redirect to SAP Analytics Cloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SAP Analytics Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
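Review bot: The added Next steps paragraph says session control "protects exfiltration and infiltration" of sensitive data, which reads as protecting the exfiltration itself; it should be "protects against". The same line has a mis-encoded apostrophe in the word "organization's", which should be a plain ASCII apostrophe. Both new links in this hunk are absolute `https://docs.microsoft.com/...` URLs, whereas the removed Access Panel link was relative (`../user-help/my-apps-portal-end-user-access.md`). In the Test SSO intro, "with following options" is missing "the".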
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/shopify-plus-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/shopify-plus-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 06/18/2020 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Shopify Plus with Azure Active D
* Enable your users to be automatically signed-in to Shopify Plus with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,27 +32,24 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Shopify Plus supports **SP and IDP** initiated SSO
-
-* Once you configure Shopify Plus you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Shopify Plus supports **SP and IDP** initiated SSO.
-## Adding Shopify Plus from the gallery
+## Add Shopify Plus from the gallery
To configure the integration of Shopify Plus into Azure AD, you need to add Shopify Plus from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Shopify Plus** in the search box. 1. Select **Shopify Plus** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Shopify Plus
+## Configure and test Azure AD SSO for Shopify Plus
Configure and test Azure AD SSO with Shopify Plus using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Shopify Plus.
-To configure and test Azure AD SSO with Shopify Plus, complete the following building blocks:
+To configure and test Azure AD SSO with Shopify Plus, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -67,9 +62,9 @@ To configure and test Azure AD SSO with Shopify Plus, complete the following bui
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Shopify Plus** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Shopify Plus** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -120,15 +115,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Shopify Plus**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Shopify Plus SSO
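Review bot: The reworded role step drops the reason the step exists. The removed line tied the selection to "any role value in the SAML assertion", while the new line only says "a role to be assigned to the users", so the reader can no longer tell that the choice determines the role value carried in the assertion. Keep the SAML assertion wording, and change `you see "Default Access" role selected` to `the "Default Access" role is selected`.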
@@ -161,20 +150,20 @@ For all users under an email domain:
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Shopify Plus tile in the Access Panel, you should be automatically signed in to the Shopify Plus for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Shopify Plus Sign on URL where you can initiate the login flow.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* Go to Shopify Plus Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Shopify Plus for which you set up the SSO.
-- [Try Shopify Plus with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Shopify Plus tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Shopify Plus for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Shopify Plus with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Shopify Plus you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
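Review bot: "Click on **Test this application** in Azure portal" now appears under both "SP initiated" and "IDP initiated" with two different outcomes (redirect to the Sign on URL versus automatic sign-in), and neither bullet says the result depends on the mode the app is configured in. The My Apps paragraph below states that condition, and the bullets should too. The `####` headings sit directly under `## Test SSO`, skipping a level, and end in a colon. The two SP bullets also spell the field "Sign on URL" and "Sign-on URL"; pick one.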
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ssogen-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ssogen-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 01/16/2020 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate SSOGEN - Azure AD SSO Gateway fo
* Enable your users to be automatically signed-in to SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -35,42 +33,41 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE supports **SP and IDP** initiated SSO.
-* Once you configure the SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE from the gallery
+## Add SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE from the gallery
To configure the integration of SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE into Azure AD, you need to add SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE** in the search box. 1. Select **SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE
+## Configure and test Azure AD SSO for SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE
Configure and test Azure AD SSO with SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE.
-To configure and test Azure AD SSO with SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE, complete the following building blocks:
+To configure and test Azure AD SSO with SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure SSOGEN Azure AD SSO Gateway for Oracle E Business Suite EBS, PeopleSoft, and JDE SSO](#configure-ssogen-azure-ad-sso-gateway-for-oracle-e-business-suite-ebs-peoplesoft-and-jde-sso)** - to configure the single sign-on settings on application side.
- * **[Create SSOGEN Azure AD SSO Gateway for Oracle E Business Suite EBS, PeopleSoft, and JDE test user](#create-ssogen-azure-ad-sso-gateway-for-oracle-e-business-suite-ebs-peoplesoft-and-jde-test-user)** - to have a counterpart of B.Simon in SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE that is linked to the Azure AD representation of user.
+1. **[Configure SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE SSO](#configure-ssogenazure-ad-sso-gateway-for-oracle-e-business-suiteebs-peoplesoft-and-jde-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE test user](#create-ssogenazure-ad-sso-gateway-for-oracle-e-business-suiteebs-peoplesoft-and-jde-test-user)** - to have a counterpart of B.Simon in SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
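Review bot: The rewritten in-page links in the step list use fragments such as `#configure-ssogenazure-ad-sso-gateway-for-oracle-e-business-suiteebs-peoplesoft-and-jde-sso`, in which the " - " separators of the heading text are dropped entirely ("ssogenazure", "suiteebs"). Please confirm that these fragments match the anchors generated for the renamed headings, because a mismatch leaves both step-list links dead.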
@@ -114,18 +111,12 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure SSOGEN Azure AD SSO Gateway for Oracle E Business Suite EBS, PeopleSoft, and JDE SSO
+## Configure SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE SSO
To configure single sign-on on **SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE** side, Please find application-specific SSO registration documentation below:
@@ -134,7 +125,7 @@ To configure single sign-on on **SSOGEN - Azure AD SSO Gateway for Oracle E-Busi
* JD Edwards - Azure AD SSO Integration: [https://www.ssogen.com/oracle-jde-sso/](https://www.ssogen.com/oracle-jde-sso/) * Apache - Azure AD SSO Integration: [https://www.ssogen.com/apache-sso-authentication/](https://www.ssogen.com/apache-sso-authentication/)
-### Create SSOGEN Azure AD SSO Gateway for Oracle E Business Suite EBS, PeopleSoft, and JDE test user
+### Create SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE test user
Azure AD sends Unique User Identifier (Name ID) to the user application, after the authentication is successful. Please make sure that Unique User Identifier (Name ID) matches user record in your application, FND_USER.USER_NAME in Oracle EBS for example.
@@ -142,20 +133,20 @@ Please contact [info@ssogen.com](mailto:info@ssogen.com) and [support@ssogen.com
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE tile in the Access Panel, you should be automatically signed in to the SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE for which you set up the SSO.
-- [Try SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
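Review bot: The Next steps link targets `proxy-deployment-any-app`, but the session-control bullet removed earlier in this file linked to `/cloud-app-security/proxy-deployment-aad`. Please confirm that the change of target is intended and not a side effect of moving the paragraph. The moved text also keeps "protects exfiltration and infiltration", which should read "protects against", and it has a mis-encoded apostrophe in "organization's".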
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/surveymonkey-enterprise-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/surveymonkey-enterprise-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 10/17/2019 Last updated : 02/11/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate SurveyMonkey Enterprise with Azu
* Enable your users to be automatically signed-in to SurveyMonkey Enterprise with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,27 +32,27 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* SurveyMonkey Enterprise supports **IDP** initiated SSO
+* SurveyMonkey Enterprise supports **IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding SurveyMonkey Enterprise from the gallery
+## Add SurveyMonkey Enterprise from the gallery
To configure the integration of SurveyMonkey Enterprise into Azure AD, you need to add SurveyMonkey Enterprise from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **SurveyMonkey Enterprise** in the search box. 1. Select **SurveyMonkey Enterprise** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for SurveyMonkey Enterprise
+## Configure and test Azure AD SSO for SurveyMonkey Enterprise
Configure and test Azure AD SSO with SurveyMonkey Enterprise using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SurveyMonkey Enterprise.
-To configure and test Azure AD SSO with SurveyMonkey Enterprise, complete the following building blocks:
+To configure and test Azure AD SSO with SurveyMonkey Enterprise, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
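Review bot: Renaming the headings to "Add SurveyMonkey Enterprise from the gallery" and "Configure and test Azure AD SSO for SurveyMonkey Enterprise" changes the anchors generated from them, so check for inbound links to the old heading fragments before merging. The in-page list in this hunk already targets `#configure-azure-ad-sso`, so only links from other articles need checking.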
@@ -67,9 +65,9 @@ To configure and test Azure AD SSO with SurveyMonkey Enterprise, complete the fo
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **SurveyMonkey Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **SurveyMonkey Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -114,15 +112,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **SurveyMonkey Enterprise**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure SurveyMonkey Enterprise SSO
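Review bot: The rewritten role step drops the removed line's tie to the SAML assertion ("If you're expecting any role value in the SAML assertion"), so it no longer says why the role choice matters to the application. Keep that clause in the new wording, and fix the last sentence to read 'the "Default Access" role is selected'.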
@@ -135,16 +127,12 @@ It is not necessary to create a test user in SurveyMonkey Enterprise. User accou
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the SurveyMonkey Enterprise tile in the Access Panel, you should be automatically signed in to the SurveyMonkey Enterprise for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the SurveyMonkey Enterprise for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the SurveyMonkey Enterprise tile in the My Apps, you should be automatically signed in to the SurveyMonkey Enterprise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try SurveyMonkey Enterprise with Azure AD](https://aad.portal.azure.com/)
+Once you configure SurveyMonkey Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
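Review bot: The new Next steps paragraph says session control "extends from Conditional Access" while this hunk deletes the only link to the Conditional Access overview (`../conditional-access/overview.md`); keep that link next to the Cloud App Security one. In the Test SSO bullets, the My Apps link swaps the relative `../user-help/my-apps-portal-end-user-access.md` for an absolute docs.microsoft.com URL, "Test this application" is left unformatted where other UI labels are bold, and "with following options" is missing "the".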
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/unifi-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/unifi-tutorial.md
@@ -9,102 +9,74 @@
Previously updated : 01/02/2019 Last updated : 02/09/2021 # Tutorial: Azure Active Directory integration with UNIFI
-In this tutorial, you learn how to integrate UNIFI with Azure Active Directory (Azure AD).
-Integrating UNIFI with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate UNIFI with Azure Active Directory (Azure AD). When you integrate UNIFI with Azure AD, you can:
-* You can control in Azure AD who has access to UNIFI.
-* You can enable your users to be automatically signed-in to UNIFI (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to UNIFI.
+* Enable your users to be automatically signed-in to UNIFI with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with UNIFI, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* UNIFI single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* UNIFI single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* UNIFI supports **SP and IDP** initiated SSO
-* UNIFI supports **Automated** user provisioning
+* UNIFI supports **SP and IDP** initiated SSO.
+* UNIFI supports **Automated** user provisioning.
-## Adding UNIFI from the gallery
+## Add UNIFI from the gallery
To configure the integration of UNIFI into Azure AD, you need to add UNIFI from the gallery to your list of managed SaaS apps.
-**To add UNIFI from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **UNIFI**, select **UNIFI** from result panel then click **Add** button to add the application.
-
- ![UNIFI in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with UNIFI based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in UNIFI needs to be established.
-
-To configure and test Azure AD single sign-on with UNIFI, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **UNIFI** in the search box.
+1. Select **UNIFI** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure UNIFI Single Sign-On](#configure-unifi-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create UNIFI test user](#create-unifi-test-user)** - to have a counterpart of Britta Simon in UNIFI that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for UNIFI
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with UNIFI using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UNIFI.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with UNIFI, perform the following steps:
-To configure Azure AD single sign-on with UNIFI, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure UNIFI SSO](#configure-unifi-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create UNIFI test user](#create-unifi-test-user)** - to have a counterpart of B.Simon in UNIFI that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **UNIFI** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **UNIFI** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![UNIFI Domain and URLs single sign-on information](common/idp-identifier.png)
- In the **Identifier** text box, type the URL: `INVIEWlabs` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.discoverunifi.com/login`
- ![image](common/both-preintegrated-signon.png)
- 6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. ![The Certificate download link](common/certificatebase64.png)
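Review bot: The Identifier step kept as context still says "type the URL" for `INVIEWlabs`, which is a fixed string rather than a URL, even though this hunk rewords the neighbouring Sign-on URL step; change it to "type the value" so admins do not add a scheme or host. The first three steps under "Configure Azure AD SSO" now use auto-numbered `1.` items while the retained steps keep explicit `4.`, `5.`, `6.` and the older "Set up Single Sign-On with SAML" capitalization; bring the retained steps in line with the new ones.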
@@ -113,27 +85,45 @@ To configure Azure AD single sign-on with UNIFI, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure Ad Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UNIFI.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **UNIFI**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure UNIFI Single Sign-On
+## Configure UNIFI SSO
1. In a different web browser window, sign on to your **UNIFI** company site as administrator. 2. Click on the **Users**.
- ![Screenshot shows Users selected from the UNIFI site.](./media/unifi-tutorial/app1.png)
+ ![Screenshot shows Users selected from the UNIFI site.](./media/unifi-tutorial/app-1.png)
3. Click on the **Add New Identity Provider**.
- ![Screenshot shows Ad New Identity Provider selected.](./media/unifi-tutorial/app2.png)
+ ![Screenshot shows Ad New Identity Provider selected.](./media/unifi-tutorial/app-2.png)
4. In the **Add Identity Provider** section, perform the following steps:
- ![Screenshot shows the Add Identity Provider where you can enter the values described.](./media/unifi-tutorial/app3.png)
+ ![Screenshot shows the Add Identity Provider where you can enter the values described.](./media/unifi-tutorial/app-3.png)
a. In the **Provider Name** textbox, type the name of the Identity Provider..
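Review bot: Removing the `a. Login URL`, `b. Azure Ad Identifier` and `c. Logout URL` sub-items leaves the "Copy configuration URLs" image with no list of which values to carry over to the UNIFI Add Identity Provider form; restore the list, with "Azure AD Identifier" capitalized. While the UNIFI section is being touched, the image alt text "Ad New Identity Provider" and the doubled period after "the name of the Identity Provider.." could be corrected as well.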
@@ -143,71 +133,26 @@ To configure Azure AD single sign-on with UNIFI, perform the following steps:
d. Select the **is Default Provider** checkbox.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to UNIFI.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **UNIFI**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **UNIFI**.
-
- ![The UNIFI link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create UNIFI test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon. **UNIFI** supports automatic user provisioning so no manual steps are required. Users are created automatically after successful authentication from the Azure AD.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create UNIFI test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon. **UNIFI** supports automatic user provisioning so no manual steps are required. Users are created automatically after successful authentication from the Azure AD.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to UNIFI Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to UNIFI Sign-on URL directly and initiate the login flow from there.
-When you click the UNIFI tile in the Access Panel, you should be automatically signed in to the UNIFI for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the UNIFI for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the UNIFI tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the UNIFI for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure UNIFI you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
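Review bot: The re-added "Create UNIFI test user" paragraph still says "you create a user called Britta Simon" while every other section in this revision uses **B.Simon**; rename it so the test user is consistent. The `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a level, and carry a trailing colon; `###` without the colon would match the rest of the page. The Next steps sentence also needs "protects against exfiltration and infiltration".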
active-directory https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/user-help-auth-app-faq.md
@@ -90,6 +90,7 @@ The Microsoft Authenticator app replaced the Azure Authenticator app, and it's t
### Device registration **Q**: What is device registration?+ **A**: Your org might require you to register the device to track access to secured resources, such as files and apps. They also might turn on Conditional Access to reduce the risk of unwanted access to those resources. You can unregister your device in **Settings**, but you may lose access to emails in Outlook, files in OneDrive, and you'll lose the ability to use phone sign-in. ### Verification codes when connected
advisor https://docs.microsoft.com/en-us/azure/advisor/advisor-alerts-arm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-alerts-arm.md
@@ -12,7 +12,7 @@ This article shows you how to set up an alert for new recommendations from Azure
[!INCLUDE [About Azure Resource Manager](../../includes/resource-manager-quickstart-introduction.md)]
-Whenever Azure Advisor detects a new recommendation for one of your resources, an event is stored in [Azure Activity log](../azure-monitor/platform/platform-logs-overview.md). You can set up alerts for these events from Azure Advisor using a recommendation-specific alerts creation experience. You can select a subscription and optionally a resource group to specify the resources that you want to receive alerts on.
+Whenever Azure Advisor detects a new recommendation for one of your resources, an event is stored in [Azure Activity log](../azure-monitor/essentials/platform-logs-overview.md). You can set up alerts for these events from Azure Advisor using a recommendation-specific alerts creation experience. You can select a subscription and optionally a resource group to specify the resources that you want to receive alerts on.
You can also determine the types of recommendations by using these properties:
@@ -25,7 +25,7 @@ You can also configure the action that will take place when an alert is triggere
- Selecting an existing action group - Creating a new action group
-To learn more about action groups, see [Create and manage action groups](../azure-monitor/platform/action-groups.md).
+To learn more about action groups, see [Create and manage action groups](../azure-monitor/alerts/action-groups.md).
> [!NOTE] > Advisor alerts are currently only available for High Availability, Performance, and Cost recommendations. Security recommendations are not supported.
@@ -198,5 +198,5 @@ Remove-AzResourceGroup -Name my-resource-group
## Next steps -- Get an [overview of activity log alerts](../azure-monitor/platform/alerts-overview.md), and learn how to receive alerts.-- Learn more about [action groups](../azure-monitor/platform/action-groups.md).
+- Get an [overview of activity log alerts](../azure-monitor/alerts/alerts-overview.md), and learn how to receive alerts.
+- Learn more about [action groups](../azure-monitor/alerts/action-groups.md).
advisor https://docs.microsoft.com/en-us/azure/advisor/advisor-alerts-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-alerts-portal.md
@@ -9,7 +9,7 @@ Last updated 09/09/2019
This article shows you how to set up an alert for new recommendations from Azure Advisor using the Azure portal.
-Whenever Azure Advisor detects a new recommendation for one of your resources, an event is stored in [Azure Activity log](../azure-monitor/platform/platform-logs-overview.md). You can set up alerts for these events from Azure Advisor using a recommendation-specific alerts creation experience. You can select a subscription and optionally a resource group to specify the resources that you want to receive alerts on.
+Whenever Azure Advisor detects a new recommendation for one of your resources, an event is stored in [Azure Activity log](../azure-monitor/essentials/platform-logs-overview.md). You can set up alerts for these events from Azure Advisor using a recommendation-specific alerts creation experience. You can select a subscription and optionally a resource group to specify the resources that you want to receive alerts on.
You can also determine the types of recommendations by using these properties:
@@ -22,7 +22,7 @@ You can also configure the action that will take place when an alert is triggere
* Selecting an existing action group * Creating a new action group
-To learn more about action groups, see [Create and manage action groups](../azure-monitor/platform/action-groups.md).
+To learn more about action groups, see [Create and manage action groups](../azure-monitor/alerts/action-groups.md).
> [!NOTE] > Advisor alerts are currently only available for High Availability, Performance, and Cost recommendations. Security recommendations are not supported.
@@ -52,7 +52,7 @@ To learn more about action groups, see [Create and manage action groups](../azur
![Advisor alert action group](./media/advisor-alerts/create6.png)
-7. In the **action groups** section, select **Add existing** to use an action group you already created or select **Create new** to set up a new [action group](../azure-monitor/platform/action-groups.md).
+7. In the **action groups** section, select **Add existing** to use an action group you already created or select **Create new** to set up a new [action group](../azure-monitor/alerts/action-groups.md).
![Advisor alert add existing](./media/advisor-alerts/create7.png)
@@ -194,5 +194,5 @@ From Azure Advisor, you can edit, delete, or disable and enable your recommendat
## Next steps-- Get an [overview of activity log alerts](../azure-monitor/platform/alerts-overview.md), and learn how to receive alerts.-- Learn more about [action groups](../azure-monitor/platform/action-groups.md).
+- Get an [overview of activity log alerts](../azure-monitor/alerts/alerts-overview.md), and learn how to receive alerts.
+- Learn more about [action groups](../azure-monitor/alerts/action-groups.md).
advisor https://docs.microsoft.com/en-us/azure/advisor/advisor-high-availability-recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-high-availability-recommendations.md
@@ -73,7 +73,7 @@ Virtual machines that are in an availability set with disks that share either st
## Repair invalid log alert rules Azure Advisor detects log alert rules that have invalid queries specified in their condition section.
-Azure Monitor log alert rules run queries at specified frequency and fire alerts based on the results. Queries can become invalid over time because of changes in the referenced resources, tables, or commands. Advisor recommends corrections for alert queries to prevent the rules from being automatically disabled and to ensure monitoring coverage. For more information, see [Troubleshooting alert rules](../azure-monitor/platform/alerts-troubleshoot-log.md#query-used-in-a-log-alert-isnt-valid)
+Azure Monitor log alert rules run queries at specified frequency and fire alerts based on the results. Queries can become invalid over time because of changes in the referenced resources, tables, or commands. Advisor recommends corrections for alert queries to prevent the rules from being automatically disabled and to ensure monitoring coverage. For more information, see [Troubleshooting alert rules](../azure-monitor/alerts/alerts-troubleshoot-log.md#query-used-in-a-log-alert-isnt-valid)
## Configure Consistent indexing mode on your Azure Cosmos DB collection
advisor https://docs.microsoft.com/en-us/azure/advisor/advisor-operational-excellence-recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-operational-excellence-recommendations.md
@@ -34,7 +34,7 @@ If your pool is using a deprecated internal component, delete and re-create the
## Repair invalid log alert rules Azure Advisor detects alert rules that have invalid queries specified in their condition section.
-You can create log alert rules in Azure Monitor and use them to run analytics queries at specified intervals. The results of the query determine if an alert needs to be triggered. Analytics queries can become invalid over time because of changes in referenced resources, tables, or commands. Advisor recommends that you correct the query in the alert rule to prevent it from being automatically disabled and ensure monitoring coverage of your resources in Azure. [Learn more about troubleshooting alert rules.](../azure-monitor/platform/alerts-troubleshoot-log.md)
+You can create log alert rules in Azure Monitor and use them to run analytics queries at specified intervals. The results of the query determine if an alert needs to be triggered. Analytics queries can become invalid over time because of changes in referenced resources, tables, or commands. Advisor recommends that you correct the query in the alert rule to prevent it from being automatically disabled and ensure monitoring coverage of your resources in Azure. [Learn more about troubleshooting alert rules.](../azure-monitor/alerts/alerts-troubleshoot-log.md)
## Use Azure Policy recommendations
advisor https://docs.microsoft.com/en-us/azure/advisor/advisor-performance-recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-performance-recommendations.md
@@ -83,7 +83,7 @@ Migrate your storage account deployment model to Azure Resource Manager to take
Advisor identifies any stand-alone storage accounts that are using the classic deployment model and recommends migrating to the Resource Manager deployment model. > [!NOTE]
-> Classic alerts in Azure Monitor were retired in August 2019. We recommended that you upgrade your classic storage account to use Resource Manager to retain alerting functionality with the new platform. For more information, see [classic alerts retirement](../azure-monitor/platform/monitoring-classic-retirement.md#retirement-of-classic-monitoring-and-alerting-platform).
+> Classic alerts in Azure Monitor were retired in August 2019. We recommended that you upgrade your classic storage account to use Resource Manager to retain alerting functionality with the new platform. For more information, see [classic alerts retirement](../azure-monitor/alerts/monitoring-classic-retirement.md#retirement-of-classic-monitoring-and-alerting-platform).
## Design your storage accounts to prevent reaching the maximum subscription limit
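Review bot: The changed note line still reads "We recommended that you upgrade your classic storage account", in the past tense, although it is current guidance. Since the line is being edited for the link anyway, change it to "We recommend that you upgrade" in the same commit.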
advisor https://docs.microsoft.com/en-us/azure/advisor/advisor-recommendations-digest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-recommendations-digest.md
@@ -19,7 +19,7 @@ This article shows you how to set-up a **recommendation digests** for your Advis
The **recommendation digest** creation experience helps you configure the summary. You can select below parameters for configurations: 1. Category: We have recommendation categories like cost, high availability, performance and operational excellence. The capability is not available for security recommendations yet. 2. Frequency of digest: Frequency for the summary notifications can be weekly, bi-weekly and monthly.
-3. Action group: You can either select an existing action group or create a new action group. To learn more about action groups, see [create and manage action groups](../azure-monitor/platform/action-groups.md).
+3. Action group: You can either select an existing action group or create a new action group. To learn more about action groups, see [create and manage action groups](../azure-monitor/alerts/action-groups.md).
4. Language for the digest 5. Recommendation digest name: You can use a user-friendly string to better track and monitor the digests.
@@ -42,7 +42,7 @@ Here are the steps to create **recommendation digest:**
![Provide recommendation digest input conditions](./media/digest-2.png)
-* **Step 5:** In the **action group** section, select the **action group** for the digest. You can learn more here - [Create and manage action groups](../azure-monitor/platform/action-groups.md)
+* **Step 5:** In the **action group** section, select the **action group** for the digest. You can learn more here - [Create and manage action groups](../azure-monitor/alerts/action-groups.md)
![Provide recommendation digest input action group](./media/digest-3.png)
advisor https://docs.microsoft.com/en-us/azure/advisor/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/security-baseline.md
@@ -226,9 +226,9 @@ Use Azure Conditional Access to limit a user's ability to interact with Azure Re
Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource. -- [Understand logging and different log types in Azure](../azure-monitor/platform/platform-logs-overview.md)
+- [Understand logging and different log types in Azure](../azure-monitor/essentials/platform-logs-overview.md)
-- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/platform/diagnostic-settings.md)
+- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
**Azure Security Center monitoring**: Not applicable
@@ -242,7 +242,7 @@ Ensure you are integrating Azure activity logs into your central logging. Ingest
In addition, enable and onboard data to Azure Sentinel or a third-party SIEM. Many organizations choose to use Azure Sentinel for ΓÇ£hotΓÇ¥ data that is used frequently and Azure Storage for ΓÇ£coldΓÇ¥ data that is used less frequently. -- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/platform/diagnostic-settings.md)
+- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md)
@@ -255,9 +255,9 @@ In addition, enable and onboard data to Azure Sentinel or a third-party SIEM. Ma
**Guidance**: Ensure that any storage accounts or Log Analytics workspaces used for storing Azure Advisor logs has the log retention period set according to your organization's compliance regulations. In Azure Monitor, you can set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage, Data Lake or Log Analytics workspace accounts for long-term and archival storage. -- [How to configure Log Analytics Workspace Retention Period](../azure-monitor/platform/manage-cost-storage.md)
+- [How to configure Log Analytics Workspace Retention Period](../azure-monitor/logs/manage-cost-storage.md)
-- [Storing resource logs in an Azure Storage Account](../azure-monitor/platform/resource-logs.md#send-to-azure-storage)
+- [Storing resource logs in an Azure Storage Account](../azure-monitor/essentials/resource-logs.md#send-to-azure-storage)
**Azure Security Center monitoring**: Not applicable
aks https://docs.microsoft.com/en-us/azure/aks/availability-zones https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/availability-zones.md
@@ -36,6 +36,7 @@ AKS clusters can currently be created using availability zones in the following
* Southeast Asia * South Central US * UK South
+* US Gov Virginia
* West Europe * West US 2
aks https://docs.microsoft.com/en-us/azure/aks/cluster-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/cluster-configuration.md
@@ -95,9 +95,9 @@ By using `containerd` for AKS nodes, pod startup latency improves and node resou
* For `containerd`, we recommend using [`crictl`](https://kubernetes.io/docs/tasks/debug-application-cluster/crictl) as a replacement CLI instead of the Docker CLI for **troubleshooting** pods, containers, and container images on Kubernetes nodes (for example, `crictl ps`). * It doesn't provide the complete functionality of the docker CLI. It's intended for troubleshooting only. * `crictl` offers a more kubernetes-friendly view of containers, with concepts like pods, etc. being present.
-* `Containerd` sets up logging using the standardized `cri` logging format (which is different from what you currently get from dockerΓÇÖs json driver). Your logging solution needs to support the `cri` logging format (like [Azure Monitor for Containers](../azure-monitor/insights/container-insights-enable-new-cluster.md))
+* `Containerd` sets up logging using the standardized `cri` logging format (which is different from what you currently get from dockerΓÇÖs json driver). Your logging solution needs to support the `cri` logging format (like [Azure Monitor for Containers](../azure-monitor/containers/container-insights-enable-new-cluster.md))
* You can no longer access the docker engine, `/var/run/docker.sock`, or use Docker-in-Docker (DinD).
- * If you currently extract application logs or monitoring data from Docker Engine, please use something like [Azure Monitor for Containers](../azure-monitor/insights/container-insights-enable-new-cluster.md) instead. Additionally AKS doesn't support running any out of band commands on the agent nodes that could cause instability.
+ * If you currently extract application logs or monitoring data from Docker Engine, please use something like [Azure Monitor for Containers](../azure-monitor/containers/container-insights-enable-new-cluster.md) instead. Additionally AKS doesn't support running any out of band commands on the agent nodes that could cause instability.
* Even when using Moby/docker, building images and directly leveraging the docker engine via the methods above is strongly discouraged. Kubernetes isn't fully aware of those consumed resources, and those approaches present numerous issues detailed [here](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) and [here](https://securityboulevard.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1/), for example. * Building images - You can continue to use your current docker build workflow as normal, unless you are building images inside your AKS cluster. In this case, please consider switching to the recommended approach for building images using [ACR Tasks](../container-registry/container-registry-quickstart-task-cli.md), or a more secure in-cluster option like [docker buildx](https://github.com/docker/buildx).
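Review bot: Both updated bullets link "Azure Monitor for Containers" to `container-insights-enable-new-cluster.md`, but the second bullet addresses readers who "currently extract application logs or monitoring data from Docker Engine", which means they already have a cluster. Consider pointing that bullet at `../azure-monitor/containers/container-insights-enable-existing-clusters.md` (the target used by `[enable-monitor]` in kubernetes-portal.md) or at the overview article, so a reader migrating off `/var/run/docker.sock` lands on steps that apply to them.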
aks https://docs.microsoft.com/en-us/azure/aks/concepts-identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/concepts-identity.md
@@ -232,4 +232,4 @@ For more information on core Kubernetes and AKS concepts, see the following arti
[aks-concepts-storage]: concepts-storage.md [aks-concepts-network]: concepts-network.md [operator-best-practices-identity]: operator-best-practices-identity.md
-[upgrade-per-cluster]: ../azure-monitor/insights/container-insights-update-metrics.md#upgrade-per-cluster-using-azure-cli
+[upgrade-per-cluster]: ../azure-monitor/containers/container-insights-update-metrics.md#upgrade-per-cluster-using-azure-cli
aks https://docs.microsoft.com/en-us/azure/aks/concepts-sustainable-software-engineering https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/concepts-sustainable-software-engineering.md
@@ -56,7 +56,7 @@ Learn more about the features of AKS mentioned in this article:
* [Availability Zones][availability-zones] [availability-zones]: availability-zones.md
-[azure-monitor]: ../azure-monitor/insights/container-insights-overview.md
+[azure-monitor]: ../azure-monitor/containers/container-insights-overview.md
[azure-traffic-manager]: ../traffic-manager/traffic-manager-overview.md [proiximity-placement-groups]: reduce-latency-ppg.md [regions]: faq.md#which-azure-regions-currently-provide-aks
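Review bot: The reference label `[proiximity-placement-groups]` in the context just below the changed line is misspelled ("proiximity"). If the article body refers to `[proximity-placement-groups]`, that link will not resolve. Check which spelling the body uses and make the label match while this link block is being touched.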
aks https://docs.microsoft.com/en-us/azure/aks/intro-kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/intro-kubernetes.md
@@ -153,7 +153,7 @@ Learn more about deploying and managing AKS with the Azure CLI Quickstart.
[azure-devops]: ../devops-project/overview.md [azure-disk]: ./azure-disks-dynamic-pv.md [azure-files]: ./azure-files-dynamic-pv.md
-[container-health]: ../azure-monitor/insights/container-insights-overview.md
+[container-health]: ../azure-monitor/containers/container-insights-overview.md
[aks-master-logs]: view-master-logs.md [aks-supported versions]: supported-kubernetes-versions.md [concepts-clusters-workloads]: concepts-clusters-workloads.md
aks https://docs.microsoft.com/en-us/azure/aks/kubelet-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubelet-logs.md
@@ -73,4 +73,4 @@ If you need additional troubleshooting information from the Kubernetes master, s
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [aks-master-logs]: view-master-logs.md
-[azure-container-logs]: ../azure-monitor/insights/container-insights-overview.md
+[azure-container-logs]: ../azure-monitor/containers/container-insights-overview.md
aks https://docs.microsoft.com/en-us/azure/aks/kubernetes-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-portal.md
@@ -94,5 +94,5 @@ This article showed you how to access Kubernetes resources for your AKS cluster.
[deployments]: concepts-clusters-workloads.md#deployments-and-yaml-manifests [aks-managed-aad]: managed-aad.md [cli-aad-upgrade]: managed-aad.md#upgrading-to-aks-managed-azure-ad-integration
-[enable-monitor]: ../azure-monitor/insights/container-insights-enable-existing-clusters.md
+[enable-monitor]: ../azure-monitor/containers/container-insights-enable-existing-clusters.md
[portal-cluster]: kubernetes-walkthrough-portal.md
aks https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough-portal.md
@@ -281,7 +281,7 @@ To learn more about AKS, and walk through a complete code to deployment example,
[kubernetes-concepts]: concepts-clusters-workloads.md [az-aks-get-credentials]: /cli/azure/aks?view=azure-cli-latest&preserve-view=true#az-aks-get-credentials [az-aks-delete]: /cli/azure/aks#az-aks-delete
-[aks-monitor]: ../azure-monitor/insights/container-insights-overview.md
+[aks-monitor]: ../azure-monitor/containers/container-insights-overview.md
[aks-network]: ./concepts-network.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md [http-routing]: ./http-application-routing.md
aks https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough-powershell.md
@@ -272,7 +272,7 @@ To see the Azure Vote app in action, open a web browser to the external IP addre
![Voting app deployed in Azure Kubernetes Service](./media/kubernetes-walkthrough-powershell/voting-app-deployed-in-azure-kubernetes-service.png) When the AKS cluster was created,
-[Azure Monitor for containers](../azure-monitor/insights/container-insights-overview.md) was enabled
+[Azure Monitor for containers](../azure-monitor/containers/container-insights-overview.md) was enabled
to capture health metrics for both the cluster nodes and pods. These health metrics are available in the Azure portal.
aks https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-rm-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough-rm-template.md
@@ -306,7 +306,7 @@ To learn more about AKS, and walk through a complete code to deployment example,
<!-- LINKS - internal --> [kubernetes-concepts]: concepts-clusters-workloads.md
-[aks-monitor]: ../azure-monitor/insights/container-insights-onboard.md
+[aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md
[aks-tutorial]: ./tutorial-kubernetes-prepare-app.md [az-aks-browse]: /cli/azure/aks?view=azure-cli-latest&preserve-view=true#az-aks-browse [az-aks-create]: /cli/azure/aks?view=azure-cli-latest&preserve-view=true#az-aks-create
aks https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough.md
@@ -285,7 +285,7 @@ To learn more about AKS, and walk through a complete code to deployment example,
<!-- LINKS - internal --> [kubernetes-concepts]: concepts-clusters-workloads.md
-[aks-monitor]: ../azure-monitor/insights/container-insights-onboard.md
+[aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md
[aks-tutorial]: ./tutorial-kubernetes-prepare-app.md [az-aks-browse]: /cli/azure/aks?view=azure-cli-latest&preserve-view=true#az-aks-browse [az-aks-create]: /cli/azure/aks?view=azure-cli-latest&preserve-view=true#az-aks-create
@@ -294,7 +294,7 @@ To learn more about AKS, and walk through a complete code to deployment example,
[az-group-create]: /cli/azure/group#az-group-create [az-group-delete]: /cli/azure/group#az-group-delete [azure-cli-install]: /cli/azure/install-azure-cli
-[azure-monitor-containers]: ../azure-monitor/insights/container-insights-overview.md
+[azure-monitor-containers]: ../azure-monitor/containers/container-insights-overview.md
[sp-delete]: kubernetes-service-principal.md#additional-considerations [azure-portal]: https://portal.azure.com [kubernetes-deployment]: concepts-clusters-workloads.md#deployments-and-yaml-manifests
aks https://docs.microsoft.com/en-us/azure/aks/rdp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/rdp.md
@@ -160,7 +160,7 @@ If you need additional troubleshooting data, you can [view the Kubernetes master
[az-aks-install-cli]: /cli/azure/aks?view=azure-cli-latest#az-aks-install-cli [az-aks-get-credentials]: /cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials [az-vm-delete]: /cli/azure/vm#az-vm-delete
-[azure-monitor-containers]: ../azure-monitor/insights/container-insights-overview.md
+[azure-monitor-containers]: ../azure-monitor/containers/container-insights-overview.md
[install-azure-cli]: /cli/azure/install-azure-cli [ssh-steps]: ssh.md [view-master-logs]: view-master-logs.md
aks https://docs.microsoft.com/en-us/azure/aks/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-baseline.md
@@ -197,9 +197,9 @@ Create alerts within Azure Monitor that will trigger when changes to critical ne
Use Azure Monitor logs to enable and query the logs from AKS the master components, kube-apiserver and kube-controller-manager. Create and manage the nodes that run the kubelet with container runtime and deploy their applications through the managed Kubernetes API server. -- [How to view and retrieve Azure Activity Log events](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
-- [How to create alerts in Azure Monitor](../azure-monitor/platform/alerts-activity-log.md)
+- [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
- [Enable and review Kubernetes master node logs in Azure Kubernetes Service (AKS)](view-master-logs.md)
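Review bot: The guidance sentence directly above the changed links reads "query the logs from AKS the master components, kube-apiserver and kube-controller-manager", with the words out of order. Suggest "query the logs from the AKS master components (kube-apiserver and kube-controller-manager)", which matches the wording in the header of the hunk at line 315 of the same file. This is the control that tells operators which control-plane logs to collect, so it should read unambiguously.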
@@ -241,9 +241,9 @@ Enable and on-board this data to Azure Sentinel or a third-party SIEM based on y
- [Review the Log schema including log roles here](view-master-logs.md) -- [Understand Azure Monitor for Containers](../azure-monitor/insights/container-insights-overview.md)
+- [Understand Azure Monitor for Containers](../azure-monitor/containers/container-insights-overview.md)
-- [How to enable Azure Monitor for Containers](../azure-monitor/insights/container-insights-onboard.md)
+- [How to enable Azure Monitor for Containers](../azure-monitor/containers/container-insights-onboard.md)
- [Enable and review Kubernetes master node logs in Azure Kubernetes Service (AKS)](view-master-logs.md)
@@ -297,7 +297,7 @@ Data collection is required to provide visibility into missing updates, misconfi
**Guidance**: Onboard your Azure Kubernetes Service (AKS) instances to Azure Monitor and set the corresponding Azure Log Analytics workspace retention period according to your organization's compliance requirements. -- [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/platform/manage-cost-storage.md#change-the-data-retention-period)
+- [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
**Azure Security Center monitoring**: Not applicable
@@ -315,7 +315,7 @@ View the logs generated by AKS master components (kube-apiserver and kube-contro
- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md) -- [How to perform custom queries in Azure Monitor](../azure-monitor/log-query/get-started-queries.md)
+- [How to perform custom queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md)
**Azure Security Center monitoring**: Yes
@@ -426,7 +426,7 @@ Create policies and procedures around the use of dedicated administrative accoun
**Guidance**: Use single sign-on for Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integrated authentication for an AKS cluster. -- [How to view Kubernetes logs, events, and pod metrics in real-time](../azure-monitor/insights/container-insights-livedata-overview.md)
+- [How to view Kubernetes logs, events, and pod metrics in real-time](../azure-monitor/containers/container-insights-livedata-overview.md)
**Azure Security Center monitoring**: Not applicable
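Review bot: The only reference under this guidance does not match it. The guidance is about single sign-on with Azure AD integrated authentication, while the updated link goes to "How to view Kubernetes logs, events, and pod metrics in real-time" (`container-insights-livedata-overview.md`). The path fix is correct, but the control gives the reader nothing on configuring Azure AD integration. Consider adding or substituting a link to the AKS Azure AD integration article, for example `managed-aad.md`, which kubernetes-portal.md already references.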
@@ -522,7 +522,7 @@ Be aware of roles used for support or troubleshooting purposes. For example, any
**Guidance**: Integrate user authentication for Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD). Create Diagnostic Settings for Azure AD, sending the audit and sign-in logs to an Azure Log Analytics workspace. Configure desired Alerts (such as when a deactivated account attempts to log in) within an Azure Log Analytics workspace. - [How to integrate Azure Activity Logs into Azure Monitor](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) -- [How to create, view, and manage log alerts using Azure Monitor](../azure-monitor/platform/alerts-log.md)
+- [How to create, view, and manage log alerts using Azure Monitor](../azure-monitor/alerts/alerts-log.md)
**Azure Security Center monitoring**: Not applicable
@@ -677,11 +677,11 @@ Configure alerts for proactive notification or log creation when CPU and memory
Use Azure Activity Log to monitor your AKS clusters and related resources at a high level. Integrate with Prometheus to view application and workload metrics it collects from nodes and Kubernetes using queries to create custom alerts, dashboards, and detailed perform detailed analysis. -- [Understand Azure Monitor for Containers](../azure-monitor/insights/container-insights-overview.md)
+- [Understand Azure Monitor for Containers](../azure-monitor/containers/container-insights-overview.md)
-- [How to enable Azure Monitor for containers](../azure-monitor/insights/container-insights-onboard.md)
+- [How to enable Azure Monitor for containers](../azure-monitor/containers/container-insights-onboard.md)
-- [How to view and retrieve Azure Activity Log events](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
**Azure Security Center monitoring**: Yes
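Review bot: The context sentence above the changed links ends with "custom alerts, dashboards, and detailed perform detailed analysis", which is garbled. Suggest "to create custom alerts and dashboards, and to perform detailed analysis". Also note that the link text is capitalized differently on adjacent lines ("Azure Monitor for Containers" and "Azure Monitor for containers"); pick one form.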
aks https://docs.microsoft.com/en-us/azure/aks/windows-container-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-container-cli.md
@@ -266,7 +266,7 @@ To learn more about AKS, and walk through a complete code to deployment example,
<!-- LINKS - internal --> [kubernetes-concepts]: concepts-clusters-workloads.md
-[aks-monitor]: ../azure-monitor/insights/container-insights-onboard.md
+[aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md
[aks-tutorial]: ./tutorial-kubernetes-prepare-app.md [az-aks-browse]: /cli/azure/aks?view=azure-cli-latest#az-aks-browse [az-aks-create]: /cli/azure/aks?view=azure-cli-latest#az-aks-create
aks https://docs.microsoft.com/en-us/azure/aks/windows-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-faq.md
@@ -186,7 +186,7 @@ To get started with Windows Server containers in AKS, [create a node pool that r
[nodepool-limitations]: use-multiple-node-pools.md#limitations [windows-container-compat]: /virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-2019%2Cwindows-10-1909 [maximum-number-of-pods]: configure-azure-cni.md#maximum-pods-per-node
-[azure-monitor]: ../azure-monitor/insights/container-insights-overview.md#what-does-azure-monitor-for-containers-provide
+[azure-monitor]: ../azure-monitor/containers/container-insights-overview.md#what-does-azure-monitor-for-containers-provide
[client-source-ip]: concepts-network.md#ingress-controllers [kubernetes-dashboard]: kubernetes-dashboard.md [windows-rdp]: rdp.md
analysis-services https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-logging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-logging.md
@@ -11,7 +11,7 @@
# Setup diagnostic logging
-An important part of any Analysis Services solution is monitoring how your servers are performing. Azure Analysis services is integrated with Azure Monitor. With [Azure Monitor resource logs](../azure-monitor/platform/platform-logs-overview.md), you can monitor and send logs to [Azure Storage](https://azure.microsoft.com/services/storage/), stream them to [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/), and export them to [Azure Monitor logs](../azure-monitor/overview.md).
+An important part of any Analysis Services solution is monitoring how your servers are performing. Azure Analysis services is integrated with Azure Monitor. With [Azure Monitor resource logs](../azure-monitor/essentials/platform-logs-overview.md), you can monitor and send logs to [Azure Storage](https://azure.microsoft.com/services/storage/), stream them to [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/), and export them to [Azure Monitor logs](../azure-monitor/overview.md).
![Resource logging to Storage, Event Hubs, or Azure Monitor logs](./media/analysis-services-logging/aas-logging-overview.png)
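Review bot: The changed paragraph writes the product name as "Azure Analysis services", with a lowercase "s", while the rest of the doc set uses "Azure Analysis Services" (see analysis-services-overview.md). Fix the capitalization in this line while the link is being updated.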
@@ -77,7 +77,7 @@ The Metrics category logs the same [Server metrics](analysis-services-monitor.md
* **Archive to a storage account**. To use this option, you need an existing storage account to connect to. See [Create a storage account](../storage/common/storage-account-create.md). Follow the instructions to create a Resource Manager, general-purpose account, then select your storage account by returning to this page in the portal. It may take a few minutes for newly created storage accounts to appear in the drop-down menu. * **Stream to an event hub**. To use this option, you need an existing Event Hub namespace and event hub to connect to. To learn more, see [Create an Event Hubs namespace and an event hub using the Azure portal](../event-hubs/event-hubs-create.md). Then return to this page in the portal to select the Event Hub namespace and policy name.
- * **Send to Azure Monitor (Log Analytics workspace)**. To use this option, either use an existing workspace or [create a new workspace](../azure-monitor/learn/quick-create-workspace.md) resource in the portal. For more information on viewing your logs, see [View logs in Log Analytics workspace](#view-logs-in-log-analytics-workspace) in this article.
+ * **Send to Azure Monitor (Log Analytics workspace)**. To use this option, either use an existing workspace or [create a new workspace](../azure-monitor/logs/quick-create-workspace.md) resource in the portal. For more information on viewing your logs, see [View logs in Log Analytics workspace](#view-logs-in-log-analytics-workspace) in this article.
* **Engine**. Select this option to log xEvents. If you're archiving to a storage account, you can select the retention period for the resource logs. Logs are autodeleted after the retention period expires. * **Service**. Select this option to log service level events. If you are archiving to a storage account, you can select the retention period for the resource logs. Logs are autodeleted after the retention period expires.
@@ -85,7 +85,7 @@ The Metrics category logs the same [Server metrics](analysis-services-monitor.md
3. Click **Save**.
- If you receive an error that says "Failed to update diagnostics for \<workspace name>. The subscription \<subscription id> is not registered to use microsoft.insights." follow the [Troubleshoot Azure Diagnostics](../azure-monitor/platform/resource-logs.md) instructions to register the account, then retry this procedure.
+ If you receive an error that says "Failed to update diagnostics for \<workspace name>. The subscription \<subscription id> is not registered to use microsoft.insights." follow the [Troubleshoot Azure Diagnostics](../azure-monitor/essentials/resource-logs.md) instructions to register the account, then retry this procedure.
If you want to change how your resource logs are saved at any point in the future, you can return to this page to modify settings.
@@ -135,7 +135,7 @@ Learn how to [change diagnostics settings by using the Azure Monitor REST API](/
### Resource Manager template
-Learn how to [enable diagnostics settings at resource creation by using a Resource Manager template](../azure-monitor/samples/resource-manager-diagnostic-settings.md).
+Learn how to [enable diagnostics settings at resource creation by using a Resource Manager template](../azure-monitor/essentials/resource-manager-diagnostic-settings.md).
## Manage your logs
@@ -203,7 +203,7 @@ window
| order by TimeGenerated asc ```
-There are hundreds of queries you can use. To learn more about queries, see [Get started with Azure Monitor log queries](../azure-monitor/log-query/get-started-queries.md).
+There are hundreds of queries you can use. To learn more about queries, see [Get started with Azure Monitor log queries](../azure-monitor/logs/get-started-queries.md).
## Turn on logging by using PowerShell
@@ -321,6 +321,6 @@ Set-AzDiagnosticSetting -ResourceId $account.ResourceId`
## Next steps
-Learn more about [Azure Monitor resource logging](../azure-monitor/platform/platform-logs-overview.md).
+Learn more about [Azure Monitor resource logging](../azure-monitor/essentials/platform-logs-overview.md).
See [Set-AzDiagnosticSetting](/powershell/module/az.monitor/set-azdiagnosticsetting) in PowerShell help.
analysis-services https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-monitor.md
@@ -11,7 +11,7 @@
# Monitor server metrics
-Analysis Services provides metrics in Azure Metrics Explorer, a free tool in the portal, to help you monitor the performance and health of your servers. For example, monitor memory and CPU usage, number of client connections, and query resource consumption. Analysis Services uses the same monitoring framework as most other Azure services. To learn more, see [Getting started with Azure Metrics Explorer](../azure-monitor/platform/metrics-getting-started.md).
+Analysis Services provides metrics in Azure Metrics Explorer, a free tool in the portal, to help you monitor the performance and health of your servers. For example, monitor memory and CPU usage, number of client connections, and query resource consumption. Analysis Services uses the same monitoring framework as most other Azure services. To learn more, see [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md).
To perform more in-depth diagnostics, track performance, and identify trends across multiple service resources in a resource group or subscription, use [Azure Monitor](../azure-monitor/overview.md). Azure Monitor (service) may result in a billable service.
@@ -84,5 +84,5 @@ Use this table to determine which metrics are best for your monitoring scenario.
## Next steps [Azure Monitor overview](../azure-monitor/overview.md)
-[Getting started with Azure Metrics Explorer](../azure-monitor/platform/metrics-getting-started.md)
+[Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md)
[Metrics in Azure Monitor REST API](/rest/api/monitor/metrics)
analysis-services https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-overview.md
@@ -234,7 +234,7 @@ Modern data exploration and visualization tools like Power BI, Excel, Reporting
## Monitoring and diagnostics
-Azure Analysis Services is integrated with Azure Monitor metrics, providing an extensive number of resource-specific metrics to help you monitor the performance and health of your servers. To learn more, see [Monitor server metrics](analysis-services-monitor.md). Record metrics with [resource platform logs](../azure-monitor/platform/platform-logs-overview.md). Monitor and send logs to [Azure Storage](https://azure.microsoft.com/services/storage/), stream them to [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/), and export them to [Azure Monitor logs](https://azure.microsoft.com/services/log-analytics/), a service of [Azure](https://www.microsoft.com/cloud-platform/operations-management-suite). To learn more, see [Setup diagnostic logging](analysis-services-logging.md).
+Azure Analysis Services is integrated with Azure Monitor metrics, providing an extensive number of resource-specific metrics to help you monitor the performance and health of your servers. To learn more, see [Monitor server metrics](analysis-services-monitor.md). Record metrics with [resource platform logs](../azure-monitor/essentials/platform-logs-overview.md). Monitor and send logs to [Azure Storage](https://azure.microsoft.com/services/storage/), stream them to [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/), and export them to [Azure Monitor logs](https://azure.microsoft.com/services/log-analytics/), a service of [Azure](https://www.microsoft.com/cloud-platform/operations-management-suite). To learn more, see [Setup diagnostic logging](analysis-services-logging.md).
Azure Analysis Services also supports using [Dynamic Management Views (DMVs)](/analysis-services/instances/use-dynamic-management-views-dmvs-to-monitor-analysis-services). Based on SQL syntax, DMVs interface schema rowsets that return metadata and monitoring information about server instance.
api-management https://docs.microsoft.com/en-us/azure/api-management/api-management-get-started-publish-versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-get-started-publish-versions.md
@@ -6,7 +6,7 @@
Previously updated : 10/30/2020 Last updated : 02/10/2021
@@ -84,6 +84,32 @@ For example, to add the version to the **Unlimited** product:
:::image type="content" source="media/api-management-getstarted-publish-versions/08-add-multiple-versions-03-add-version-product.png" alt-text="Add version to product":::
+## Use version sets
+
+When you create multiple versions, the Azure portal creates a *version set*, which represents a set of versions for a single logical API. Select the name of an API that has multiple versions. The Azure portal displays its **Version set**. You can customize the **Name** and **Description** of a virtual set.
+
+You can interact directly with version sets by using the Azure CLI:
++
+To see all your version sets, run the [az apim api versionset list](/cli/azure/apim/api/versionset#az_apim_api_versionset_list) command:
+
+```azurecli
+az apim api versionset list --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --output table
+```
+
+When the Azure portal creates a version set for you, it assigns an alphanumeric name, which appears in the **Name** column of the list. Use this name in other Azure CLI commands.
+
+To see details about a version set, run the [az apim api versionset show](/api/versionset#az_apim_api_versionset_show) command:
+
+```azurecli
+az apim api versionset show --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --version-set-id 00000000000000000000000
+```
+
+For more information about version sets, see [Versions in Azure API Management](api-management-versions.md#how-versions-are-represented).
+ ## Browse the developer portal to see the version If you've tried the [developer portal](api-management-howto-developer-portal-customize.md), you can see API versions there.
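Review bot: In the "Use version sets" paragraph, "You can customize the **Name** and **Description** of a virtual set" should read "version set"; "virtual set" is not a term used anywhere else in the hunk. The link for `az apim api versionset show` points at `/api/versionset#az_apim_api_versionset_show`, while the list command above it uses `/cli/azure/apim/api/versionset#az_apim_api_versionset_list`; the show link appears to have lost its `/cli/azure/apim` prefix and should be corrected to match. The resource group is also spelled `apim-hello-word-resource-group` next to the service name `apim-hello-world`; if "word" is a typo, fix it here and in the sibling articles in the same change.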
api-management https://docs.microsoft.com/en-us/azure/api-management/api-management-get-started-revise-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-get-started-revise-api.md
@@ -8,7 +8,7 @@
Previously updated : 10/30/2020 Last updated : 02/09/2021
@@ -74,6 +74,8 @@ In this tutorial, you learn how to:
## Make your revision current and add a change log entry
+### [Portal](#tab/azure-portal)
+ 1. Select the **Revisions** tab from the menu near the top of the page. 1. Open the context menu (**...**) for **Revision 2**. 1. Select **Make current**.
@@ -82,6 +84,61 @@ In this tutorial, you learn how to:
:::image type="content" source="media/api-management-getstarted-revise-api/revisions-menu.png" alt-text="Revision menu in Revisions window":::
+### [Azure CLI](#tab/azure-cli)
+
+To begin using Azure CLI:
++
+Use this procedure to create and update a release.
+
+1. Run the [az apim api list](/cli/azure/apim/api#az_apim_api_list) command to see your API IDs:
+
+ ```azurecli
+ az apim api list --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --output table
+ ```
+
+ The API ID to use in the next command is the `Name` value. The API revision is in the `ApiRevision` column.
+
+1. To create the release, with a release note, run the [az apim api release create](/cli/azure/apim/api/release#az_apim_api_release_create) command:
+
+ ```azurecli
+ az apim api release create --resource-group apim-hello-word-resource-group \
+ --api-id demo-conference-api --api-revision 2 --service-name apim-hello-world \
+ --notes 'Testing revisions. Added new "test" operation.'
+ ```
+
+ The revision that you release becomes the current revision.
+
+1. To see your releases, use the [az apim api release list](/cli/azure/apim/api/release#az_apim_api_release_list) command:
+
+ ```azurecli
+ az apim api release list --resource-group apim-hello-word-resource-group \
+ --api-id echo-api --service-name apim-hello-world --output table
+ ```
+
+ The notes you specify appear in the changelog. You can see them in the output of the previous command.
+
+1. When you create a release, the `--notes` parameter is optional. You can add or change the notes later by using the [az apim api release update](/cli/azure/apim/api/release#az_apim_api_release_update) command:
+
+ ```azurecli
+ az apim api release update --resource-group apim-hello-word-resource-group \
+ --api-id demo-conference-api --release-id 00000000000000000000000000000000 \
+ --service-name apim-hello-world --notes "Revised notes."
+ ```
+
+ Use the value in the `Name` column for the release ID.
+
+You can remove any release by running the [az apim api release delete ](/cli/azure/apim/api/release#az_apim_api_release_delete) command:
+
+```azurecli
+az apim api release delete --resource-group apim-hello-word-resource-group \
+ --api-id demo-conference-api --release-id 00000000000000000000000000000000
+ --service-name apim-hello-world
+```
++ ## Browse the developer portal to see changes and change log
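Review bot: The `az apim api release delete` example at the end of the hunk is missing the line-continuation backslash after `--release-id 00000000000000000000000000000000`, so a shell runs the command without `--service-name` and then tries to execute `--service-name apim-hello-world` as a separate command. Add ` \` to the end of that line. In step 3, `az apim api release list` uses `--api-id echo-api`, but the release in step 2 was created on `demo-conference-api`, so "the output of the previous command" will not show the notes the reader just added; use the same API ID in both steps. The link text `[az apim api release delete ]` also has a stray space before the closing bracket.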
api-management https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-add-products https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-add-products.md
@@ -5,7 +5,7 @@ description: In this tutorial, you create and publish a product in Azure API Man
Previously updated : 09/30/2020 Last updated : 02/09/2021
@@ -30,6 +30,8 @@ In this tutorial, you learn how to:
## Create and publish a product
+### [Portal](#tab/azure-portal)
+ 1. Sign in to the Azure portal, and navigate to your API Management instance. 1. In the left navigation, select **Products** > **+ Add**. 1. In the **Add product** window, enter values described in the following table to create your product.
@@ -43,17 +45,60 @@ In this tutorial, you learn how to:
| State | Select **Published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the **Administrators** group. | | Requires subscription | Select if a user is required to subscribe to use the product. | | Requires approval | Select if you want an administrator to review and accept or reject subscription attempts to this product. If not selected, subscription attempts are auto-approved. |
- | Subscription count limit | Optionally limit the count of multiple simultaneous subscriptions,. |
+ | Subscription count limit | Optionally limit the count of multiple simultaneous subscriptions. |
| Legal terms | You can include the terms of use for the product which subscribers must accept in order to use the product. | | APIs | Select one or more APIs. You can also add APIs after creating the product. For more information, see [Add APIs to a product](#add-apis-to-a-product) later in this article. | 3. Select **Create** to create the new product.
+### [Azure CLI](#tab/azure-cli)
+
+To begin using Azure CLI:
++
+To create a product, run the [az apim product create](/cli/azure/apim/product#az_apim_product_create) command:
+
+```azurecli
+az apim product create --resource-group apim-hello-word-resource-group \
+ --product-name "Contoso product" --product-id contoso-product \
+ --service-name apim-hello-world --subscription-required true \
+ --state published --description "This is a test."
+```
+
+You can specify various values for your product:
+
+ | Parameter | Description |
+ |--|-|
+ | `--product-name` | The name as you want it to be shown in the [developer portal](api-management-howto-developer-portal.md). |
+ | `--description` | Provide information about the product such as its purpose, the APIs it provides access to, and other details. |
+ | `--state` | Select **published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the **Administrators** group. |
+ | `--subscription-required` | Select if a user is required to subscribe to use the product. |
+ | `--approval-required` | Select if you want an administrator to review and accept or reject subscription attempts to this product. If not selected, subscription attempts are auto-approved. |
+ | `--subscriptions-limit` | Optionally limit the count of multiple simultaneous subscriptions.|
+ | `--legal-terms` | You can include the terms of use for the product which subscribers must accept in order to use the product. |
+
+To see your current products, use the [az apim product list](/cli/azure/apim/product#az_apim_product_list) command:
+
+```azurecli
+az apim product list --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --output table
+```
+
+You can delete a product by using the [az apim product delete](/cli/azure/apim/product#az_apim_product_delete) command:
+
+```azurecli
+az apim product delete --product-id contoso-product \
+ --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --delete-subscriptions true
+```
+++ ### Add more configurations Continue configuring the product after saving it. In your API Management instance, select the product from the **Products** window. Add or update: - |Item |Description | ||| |Settings | Product metadata and state |
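Review bot: The parameter table in the Azure CLI tab reuses the portal wording ("Select **published** if you want...", "Select if a user is required...") for `--state`, `--subscription-required` and `--approval-required`, which does not tell a CLI user what value to pass. State the accepted values instead, as the create example does with `--subscription-required true` and `--state published`. The delete example passes `--delete-subscriptions true` with no explanation; add a sentence saying that this also deletes the subscriptions associated with the product, because existing subscribers are affected and that is not obvious from the command alone.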
@@ -70,6 +115,7 @@ Developers must first subscribe to a product to get access to the API. When they
### Add an API to an existing product
+### [Portal](#tab/azure-portal)
1. In the left navigation of your API Management instance, select **Products**. 1. Select a product, then select **APIs**.
@@ -78,6 +124,40 @@ Developers must first subscribe to a product to get access to the API. When they
:::image type="content" source="media/api-management-howto-add-products/02-create-publish-product-02.png" alt-text="Add API to existing product":::
+### [Azure CLI](#tab/azure-cli)
+
+1. To see your managed APIs, use the [az apim api list](/cli/azure/apim/api#az_apim_api_list) command:
+
+ ```azurecli
+ az apim api list --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --output table
+ ```
+
+1. To add an API to your product, run the [az apim product api add](/cli/azure/apim/product/api#az_apim_product_api_add) command:
+
+ ```azurecli
+ az apim product api add --resource-group apim-hello-word-resource-group \
+ --api-id demo-conference-api --product-id contoso-product \
+ --service-name apim-hello-world
+ ```
+
+1. Verify the addition by using the [az apim product api list](/cli/azure/apim/product/api#az_apim_product_api_list) command:
+
+ ```azurecli
+ az apim product api list --resource-group apim-hello-word-resource-group \
+ --product-id contoso-product --service-name apim-hello-world --output table
+ ```
+
+You can remove an API from a product by using the [az apim product api delete](/cli/azure/apim/product/api#az_apim_product_api_delete) command:
+
+```azurecli
+az apim product api delete --resource-group apim-hello-word-resource-group \
+ --api-id demo-conference-api --product-id contoso-product \
+ --service-name apim-hello-world
+```
+++ > [!TIP] > You can create or update a user's subscription to a product with custom subscription keys through a [REST API](/rest/api/apimanagement/2019-12-01/subscription/createorupdate) or PowerShell command.
api-management https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-properties.md
@@ -7,7 +7,7 @@
Previously updated : 12/14/2020 Last updated : 02/09/2021
@@ -82,6 +82,8 @@ See [Prerequisites for key vault integration](#prerequisites-for-key-vault-integ
### Add a plain or secret value
+### [Portal](#tab/azure-portal)
+ 1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance. 1. Under **APIs**, select **Named values** > **+Add**. 1. Enter a **Name** identifier, and enter a **Display name** used to reference the property in policies.
@@ -92,6 +94,50 @@ See [Prerequisites for key vault integration](#prerequisites-for-key-vault-integ
Once the named value is created, you can edit it by selecting the name. If you change the display name, any policies that reference that named value are automatically updated to use the new display name.
+### [Azure CLI](#tab/azure-cli)
+
+To begin using Azure CLI:
++
+To add a named value, use the [az apim nv create](/cli/azure/apim/nv#az_apim_nv_create) command:
+
+```azurecli
+az apim nv create --resource-group apim-hello-word-resource-group \
+ --display-name "named_value_01" --named-value-id named_value_01 \
+ --secret true --service-name apim-hello-world --value test
+```
+
+After you create a named value, you can update it by using the [az apim nv update](/cli/azure/apim/nv#az_apim_nv_update) command. To see all your named values, run the [az apim nv list](/cli/azure/apim/nv#az_apim_nv_list) command:
+
+```azurecli
+az apim nv list --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --output table
+```
+
+To see the details of the named value you created for this example, run the [az apim nv show](/cli/azure/apim/nv#az_apim_nv_show) command:
+
+```azurecli
+az apim nv show --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --named-value-id named_value_01
+```
+
+This example is a secret value. The previous command does not return the value. To see the value, run the [az apim nv show-secret](/cli/azure/apim/nv#az_apim_nv_show_secret) command:
+
+```azurecli
+az apim nv show-secret --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --named-value-id named_value_01
+```
+
+To delete a named value, use the [az apim nv delete](/cli/azure/apim/nv#az_apim_nv_delete) command:
+
+```azurecli
+az apim nv delete --resource-group apim-hello-word-resource-group \
+ --service-name apim-hello-world --named-value-id named_value_01
+```
+++ ## Use a named value The examples in this section use the named values shown in the following table.
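Review bot: The create example passes the secret inline (`--secret true` with `--value test`), which leaves the value in the shell history of whoever runs it, and the text gives no caution about that. For a named value marked as secret, suggest telling readers not to type real secrets directly on the command line and pointing them to the key vault integration section this article already has. The `az apim nv show-secret` paragraph should also say that the command prints the secret in clear text to the terminal, so readers do not copy its output into logs or tickets.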
api-management https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-use-azure-monitor.md
@@ -34,7 +34,7 @@ You can also use API Management's built-in [analytics](howto-use-analytics.md) t
## View metrics of your APIs
-API Management emits [metrics](../azure-monitor/platform/data-platform-metrics.md) every minute, giving you near real-time visibility into the state and health of your APIs. The following are the two most frequently used metrics. For a list of all available metrics, see [supported metrics](../azure-monitor/platform/metrics-supported.md#microsoftapimanagementservice).
+API Management emits [metrics](../azure-monitor/essentials/data-platform-metrics.md) every minute, giving you near real-time visibility into the state and health of your APIs. The following are the two most frequently used metrics. For a list of all available metrics, see [supported metrics](../azure-monitor/essentials/metrics-supported.md#microsoftapimanagementservice).
* **Capacity** - helps you make decisions about upgrading/downgrading your APIM services. The metric is emitted per minute and reflects the gateway capacity at the time of reporting. The metric ranges from 0-100 calculated based on gateway resources such as CPU and memory utilization. * **Requests** - helps you analyze API traffic going through your API Management services. The metric is emitted per minute and reports the number of gateway requests with dimensions including response codes, location, hostname, and errors.
@@ -57,7 +57,7 @@ To access metrics:
## Set up an alert rule
-You can receive [alerts](../azure-monitor/platform/alerts-metric-overview.md) based on metrics and activity logs. Azure Monitor allows you to [configure an alert](../azure-monitor/platform/alerts-metric.md) to do the following when it triggers:
+You can receive [alerts](../azure-monitor/alerts/alerts-metric-overview.md) based on metrics and activity logs. Azure Monitor allows you to [configure an alert](../azure-monitor/alerts/alerts-metric.md) to do the following when it triggers:
* Send an email notification * Call a webhook
@@ -135,7 +135,7 @@ To configure resource logs:
You can archive resource logs along with metrics to a storage account, stream them to an Event Hub, or send them to a Log Analytics workspace.
-For more information, see [Create diagnostic settings to send platform logs and metrics to different destinations](../azure-monitor/platform/diagnostic-settings.md).
+For more information, see [Create diagnostic settings to send platform logs and metrics to different destinations](../azure-monitor/essentials/diagnostic-settings.md).
## View diagnostic data in Azure Monitor
@@ -146,7 +146,7 @@ If you enable collection of GatewayLogs or metrics in a Log Analytics workspace,
:::image type="content" source="media/api-management-howto-use-azure-monitor/logs-menu-item.png" alt-text="Screenshot of Logs item in Monitoring menu":::
-Run queries to view the data. Several [sample queries](../azure-monitor/log-query/example-queries.md) are provided, or run your own. For example, the following query retrieves the most recent 24 hours of data from the GatewayLogs table:
+Run queries to view the data. Several [sample queries](../azure-monitor/logs/example-queries.md) are provided, or run your own. For example, the following query retrieves the most recent 24 hours of data from the GatewayLogs table:
```kusto ApiManagementGatewayLogs
@@ -155,9 +155,9 @@ ApiManagementGatewayLogs
For more information about using resource logs for API Management, see:
-* [Get started with Azure Monitor Log Analytics](../azure-monitor/log-query/log-analytics-tutorial.md), or try the [Log Analytics Demo environment](https://portal.loganalytics.io/demo).
+* [Get started with Azure Monitor Log Analytics](../azure-monitor/logs/log-analytics-tutorial.md), or try the [Log Analytics Demo environment](https://portal.loganalytics.io/demo).
-* [Overview of log queries in Azure Monitor](../azure-monitor/log-query/log-query-overview.md).
+* [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md).
The following JSON indicates a sample entry in GatewayLogs for a successful API request. For details, see the [schema reference](gateway-log-schema-reference.md).
api-management https://docs.microsoft.com/en-us/azure/api-management/api-management-versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-versions.md
@@ -7,7 +7,7 @@
Previously updated : 06/12/2020 Last updated : 02/10/2021
@@ -59,9 +59,13 @@ If you add a version to a non-versioned API, an `Original` version will be autom
## How versions are represented
-Azure API Management maintains a resource called a *version set*, which represents a set of versions for a single logical API. When you use the Azure portal to manage versions you don't see the version set, but if you interact with your API Management service using PowerShell, Resource Manager templates, or the Azure Resource Manager API, you can directly view and manage version sets. A version set contains the display name of the versioned API, as well as the [versioning scheme used](#versioning-schemes) to direct requests to specified versions.
+Azure API Management maintains a resource called a *version set*, which represents a set of versions for a single logical API. A version set contains the display name of the versioned API and the [versioning scheme used](#versioning-schemes) to direct requests to specified versions.
-Each version of an API is maintained as its own API resource, which is then associated with a version set. A version set might contain APIs with very different operations or policies, which reflects the fact that you might make significant changes between versions of your API.
+Each version of an API is maintained as its own API resource, which is then associated with a version set. A version set might contain APIs with different operations or policies. You might make significant changes between versions in a set.
+
+The Azure portal creates version sets for you. You can modify the name and description for a version set in the Azure portal.
+
+You can view and manage version sets directly by using [Azure CLI](/cli/azure/apim/api/versionset), [Azure PowerShell](/powershell/module/az.apimanagement/#api-management), [Resource Manager templates](/azure/templates/microsoft.apimanagement/service/apiversionsets), or the [Azure Resource Manager API](/rest/api/apimanagement/2020-06-01-preview/apiversionset).
### Migrating a non-versioned API to a versioned API
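Review bot: The new last paragraph links the Azure Resource Manager API reference at `/rest/api/apimanagement/2020-06-01-preview/apiversionset`, which pins readers to a preview API version; link to a stable version or an unversioned reference page if one is available. The added sentence "The Azure portal creates version sets for you" also does not say when this happens; the tutorial text added in the same batch ("When you create multiple versions, the Azure portal creates a *version set*") is more precise and could be reused here.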
api-management https://docs.microsoft.com/en-us/azure/api-management/gateway-log-schema-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/gateway-log-schema-reference.md
@@ -12,7 +12,7 @@
# Reference: API Management resource log schema
-This article provides a schema reference for the Azure API Management GatewayLogs resource log. Log entries also include fields in the [top-level common schema](../azure-monitor/platform/resource-logs-schema.md#top-level-common-schema).
+This article provides a schema reference for the Azure API Management GatewayLogs resource log. Log entries also include fields in the [top-level common schema](../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema).
To enable collection of the resource log in API Management, see [Monitor published APIs](api-management-howto-use-azure-monitor.md#resource-logs).
@@ -44,5 +44,5 @@ The following properties are logged for each API request.
## Next steps * For information about monitoring APIs in API Management, see [Monitor published APIs](api-management-howto-use-azure-monitor.md)
-* Learn more about [Common and service-specific schema for Azure Resource Logs](../azure-monitor/platform/resource-logs-schema.md)
+* Learn more about [Common and service-specific schema for Azure Resource Logs](../azure-monitor/essentials/resource-logs-schema.md)
api-management https://docs.microsoft.com/en-us/azure/api-management/how-to-configure-cloud-metrics-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-configure-cloud-metrics-logs.md
@@ -56,7 +56,7 @@ The self-hosted gateway currently emits the following metrics through Azure Moni
The self-hosted gateway currently does not send [diagnostic logs](./api-management-howto-use-azure-monitor.md#activity-logs) to the cloud. However, it is possible to [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.
-If a gateway is deployed in [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/), you can enable [Azure Monitor for containers](../azure-monitor/insights/container-insights-overview.md) to collect logs from your containers and view them in Log Analytics.
+If a gateway is deployed in [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/), you can enable [Azure Monitor for containers](../azure-monitor/containers/container-insights-overview.md) to collect logs from your containers and view them in Log Analytics.
## Next steps
api-management https://docs.microsoft.com/en-us/azure/api-management/how-to-configure-local-metrics-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-configure-local-metrics-logs.md
@@ -201,7 +201,7 @@ The self-hosted gateway outputs logs to `stdout` and `stderr` by default. You ca
kubectl logs <pod-name> ```
-If your self-hosted gateway is deployed in Azure Kubernetes Service, you can enable [Azure Monitor for containers](../azure-monitor/insights/container-insights-overview.md) to collect `stdout` and `stderr` from your workloads and view the logs in Log Analytics.
+If your self-hosted gateway is deployed in Azure Kubernetes Service, you can enable [Azure Monitor for containers](../azure-monitor/containers/container-insights-overview.md) to collect `stdout` and `stderr` from your workloads and view the logs in Log Analytics.
The self-hosted gateway also supports a number of protocols including `localsyslog`, `rfc5424`, and `journal`. The below table summarizes all the options supported.
api-management https://docs.microsoft.com/en-us/azure/api-management/mock-api-responses https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/mock-api-responses.md
@@ -6,7 +6,7 @@
Previously updated : 09/30/2020 Last updated : 02/09/2021
@@ -55,6 +55,8 @@ The steps in this section show how to create a blank API with no backend.
An API exposes one or more operations. In this section, add an operation to the blank API you created. Calling the operation after completing steps in this section produces an error. You will get no errors after you complete steps later in the [Enable response mocking](#enable-response-mocking) section.
+### [Portal](#tab/azure-portal)
+ 1. Select the API you created in the previous step. 1. Select **+ Add Operation**. 1. In the **Frontend** window, enter the following values.
@@ -83,6 +85,39 @@ Although not required for this example, additional settings for an API operation
|**Query** | Add query parameters. Besides providing a name and description, you can provide values that are assigned to a query parameter. One of the values can be marked as default (optional). | |**Request** | Define request content types, examples, and schemas. |
+### [Azure CLI](#tab/azure-cli)
+
+To begin using Azure CLI:
++
+To add an operation to your test API, run the [az apim api operation create](/cli/azure/apim/api/operation#az_apim_api_operation_create) command:
+
+```azurecli
+az apim api operation create --resource-group apim-hello-word-resource-group \
+ --display-name "Test call" --api-id test-api --method GET \
+ --url-template /test --service-name apim-hello-world
+```
+
+Run the [az apim api operation list](/cli/azure/apim/api/operation#az_apim_api_operation_list) command to see all your operations for an API:
+
+```azurecli
+az apim api operation list --resource-group apim-hello-word-resource-group \
+ --api-id test-api --service-name apim-hello-world --output table
+```
+
+To remove an operation, use the [az apim api operation delete](/cli/azure/apim/api/operation#az_apim_api_operation_delete) command. Get the operation ID from the previous command.
+
+```azurecli
+az apim api operation delete --resource-group apim-hello-word-resource-group \
+ --api-id test-api --operation-id 00000000000000000000000000000000 \
+ --service-name apim-hello-world
+```
+
+Keep this operation for use in the rest of this article.
+++ ## Enable response mocking 1. Select the API you created in [Create a test API](#create-a-test-api).
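Review bot: The Azure CLI tab shows `az apim api operation delete` and only afterwards says "Keep this operation for use in the rest of this article", so a reader who runs each block in order deletes the operation that the "Enable response mocking" section depends on. Move the "keep this operation" sentence ahead of the delete example, or state in the delete paragraph that the command is shown for reference and should not be run at this point in the tutorial.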
api-management https://docs.microsoft.com/en-us/azure/api-management/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/security-baseline.md
@@ -206,9 +206,9 @@ You may also use Azure Blueprints to simplify large-scale Azure deployments by p
**Guidance**: Use Azure Activity Log to monitor network resource configurations and detect changes to network resources associated with your Azure API Management deployments. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.
-* [How to view and retrieve Azure Activity Log events](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+* [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
-* [How to create alerts in Azure Monitor](../azure-monitor/platform/alerts-activity-log.md)
+* [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
**Azure Security Center monitoring**: Not applicable
@@ -234,7 +234,7 @@ In addition to Azure Monitor, Azure API Management can be integrated with one or
Optionally, enable, and on-board data to Azure Sentinel or a third-party Security Incident and Event Management (SIEM).
-* [How to configure diagnostic settings](../azure-monitor/platform/diagnostic-settings.md#create-in-azure-portal)
+* [How to configure diagnostic settings](../azure-monitor/essentials/diagnostic-settings.md#create-in-azure-portal)
* [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md)
@@ -254,7 +254,7 @@ Optionally, enable, and on-board data to Azure Sentinel or a third-party Securit
For data plane audit logging, diagnostic logs provide rich information about operations and errors that are important for auditing as well as troubleshooting purposes. Diagnostics logs differ from activity logs. Activity logs provide insights into the operations that were performed on your Azure resources. Diagnostics logs provide insight into operations that your resource performed.
-* [How to enable Diagnostic Settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+* [How to enable Diagnostic Settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
* [How to enable Diagnostic Settings for Azure API Management](./api-management-howto-use-azure-monitor.md#activity-logs)
@@ -274,9 +274,9 @@ For data plane audit logging, diagnostic logs provide rich information about ope
**Guidance**: Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term/archival storage.
-* [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/platform/manage-cost-storage.md#change-the-data-retention-period)
+* [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
-* [How to archive logs to an Azure Storage account](../azure-monitor/platform/resource-logs.md#send-to-azure-storage)
+* [How to archive logs to an Azure Storage account](../azure-monitor/essentials/resource-logs.md#send-to-azure-storage)
**Azure Security Center monitoring**: Not applicable
@@ -290,9 +290,9 @@ Optionally, integrate API Management with Azure Application Insights and use it
* [How to monitor and review logs for Azure API Management](./api-management-howto-use-azure-monitor.md)
-* [How to perform custom queries in Azure Monitor](../azure-monitor/log-query/get-started-queries.md)
+* [How to perform custom queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md)
-* [Understand Log Analytics Workspace](../azure-monitor/log-query/log-analytics-tutorial.md)
+* [Understand Log Analytics Workspace](../azure-monitor/logs/log-analytics-tutorial.md)
* [How to integrate with Azure Application Insights](./api-management-howto-app-insights.md)
@@ -310,7 +310,7 @@ Optionally, integrate API Management with Azure Application Insights and use it
Optionally, you may enable and on-board data to Azure Sentinel or a third-party SIEM.
-* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
* [How to enable diagnostic settings for Azure API Management](./api-management-howto-use-azure-monitor.md#activity-logs)
@@ -665,7 +665,7 @@ Microsoft manages the underlying infrastructure for Azure API Management and has
**Guidance**: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production Azure Functions apps as well as other critical or related resources.
-* [How to create alerts for Azure Activity Log events](../azure-monitor/platform/alerts-activity-log.md)
+* [How to create alerts for Azure Activity Log events](../azure-monitor/alerts/alerts-activity-log.md)
* [How to use Azure Monitor and Azure Activity Log in Azure API Management](./api-management-howto-use-azure-monitor.md)
api-management https://docs.microsoft.com/en-us/azure/api-management/troubleshoot-response-timeout-and-errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/troubleshoot-response-timeout-and-errors.md
@@ -19,7 +19,7 @@ Client applications calling APIs through your API Management (APIM) service may
* Intermittent HTTP 500 errors * Timeout error messages
-These symptoms manifest as instances of `BackendConnectionFailure` in your [Azure Monitor resource logs](../azure-monitor/platform/resource-logs.md).
+These symptoms manifest as instances of `BackendConnectionFailure` in your [Azure Monitor resource logs](../azure-monitor/essentials/resource-logs.md).
## Cause
app-service https://docs.microsoft.com/en-us/azure/app-service/app-service-configure-premium-tier https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-configure-premium-tier.md
@@ -120,4 +120,4 @@ New-AzAppServicePlan -ResourceGroupName <resource_group_name> `
## More resources [Scale up an app in Azure](manage-scale-up.md)
-[Scale instance count manually or automatically](../azure-monitor/platform/autoscale-get-started.md)
+[Scale instance count manually or automatically](../azure-monitor/autoscale/autoscale-get-started.md)
app-service https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-plan-manage.md
@@ -77,7 +77,7 @@ You can find **Clone App** in the **Development Tools** section of the menu.
To scale up an App Service plan's pricing tier, see [Scale up an app in Azure](manage-scale-up.md).
-To scale out an app's instance count, see [Scale instance count manually or automatically](../azure-monitor/platform/autoscale-get-started.md).
+To scale out an app's instance count, see [Scale instance count manually or automatically](../azure-monitor/autoscale/autoscale-get-started.md).
<a name="delete"></a>
app-service https://docs.microsoft.com/en-us/azure/app-service/app-service-web-nodejs-best-practices-and-troubleshoot-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-nodejs-best-practices-and-troubleshoot-guide.md
@@ -135,7 +135,7 @@ let keepaliveAgent = new Agent({
#### My node application is consuming too much CPU
-You may receive a recommendation from Azure App Service on your portal about high cpu consumption. You can also set up monitors to watch for certain [metrics](web-sites-monitor.md). When checking the CPU usage on the [Azure portal Dashboard](../azure-monitor/platform/metrics-charts.md), check the MAX values for CPU so you donΓÇÖt miss the peak values.
+You may receive a recommendation from Azure App Service on your portal about high cpu consumption. You can also set up monitors to watch for certain [metrics](web-sites-monitor.md). When checking the CPU usage on the [Azure portal Dashboard](../azure-monitor/essentials/metrics-charts.md), check the MAX values for CPU so you donΓÇÖt miss the peak values.
If you believe your application is consuming too much CPU and you cannot explain why, you can profile your node application to find out. #### Profiling your node application on Azure App Service with V8-Profiler
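Review bot: the changed sentence still reads "high cpu consumption" while the same line later writes "CPU usage" and "MAX values for CPU"; since the line is being touched for the link path anyway, capitalize it consistently. As rendered here, the apostrophe in "don't" is also mis-encoded on both the removed and the added line, so check that the source file holds a plain apostrophe.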
@@ -208,7 +208,7 @@ You can see that 95% of the time was consumed by the WriteConsoleLog function. T
### My node application is consuming too much memory
-If your application is consuming too much memory, you see a notice from Azure App Service on your portal about high memory consumption. You can set up monitors to watch for certain [metrics](web-sites-monitor.md). When checking the memory usage on the [Azure portal Dashboard](../azure-monitor/platform/metrics-charts.md), be sure to check the MAX values for memory so you donΓÇÖt miss the peak values.
+If your application is consuming too much memory, you see a notice from Azure App Service on your portal about high memory consumption. You can set up monitors to watch for certain [metrics](web-sites-monitor.md). When checking the memory usage on the [Azure portal Dashboard](../azure-monitor/essentials/metrics-charts.md), be sure to check the MAX values for memory so you donΓÇÖt miss the peak values.
#### Leak detection and Heap Diff for node.js
app-service https://docs.microsoft.com/en-us/azure/app-service/deploy-configure-credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-configure-credentials.md
@@ -3,25 +3,23 @@ Title: Configure deployment credentials
description: Learn what types of deployment credentials are in Azure App Service and how to configure and use them. Previously updated : 08/14/2019 Last updated : 02/11/2021 # Configure deployment credentials for Azure App Service
-[Azure App Service](./overview.md) supports two types of credentials for [local Git deployment](deploy-local-git.md)
+To secure app deployment from a local computer, [Azure App Service](./overview.md) supports two types of credentials for [local Git deployment](deploy-local-git.md)
and [FTP/S deployment](deploy-ftp.md). These credentials are not the same as your Azure subscription credentials. [!INCLUDE [app-service-deploy-credentials](../../includes/app-service-deploy-credentials.md)]
-## <a name="userscope"></a>Configure user-level credentials
+## <a name="userscope"></a>Configure user-scope credentials
-You can configure your user-level credentials in any app's [resource page](../azure-resource-manager/management/manage-resources-portal.md#manage-resources). Regardless in which app you configure these credentials, it applies to all apps and for all subscriptions in your Azure account.
+# [Azure CLI](#tab/cli)
-### In the Cloud Shell
-
-To configure the deployment user in the [Cloud Shell](https://shell.azure.com), run the [az webapp deployment user set](/cli/azure/webapp/deployment/user#az-webapp-deployment-user-set) command. Replace \<username> and \<password> with a deployment user username and password.
+Run the [az webapp deployment user set](/cli/azure/webapp/deployment/user#az-webapp-deployment-user-set) command. Replace \<username> and \<password> with a deployment user username and password.
- The username must be unique within Azure, and for local Git pushes, must not contain the ΓÇÿ@ΓÇÖ symbol. - The password must be at least eight characters long, with two of the following three elements: letters, numbers, and symbols.
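Review bot: the paragraph removed from under the "Configure user-scope credentials" heading was where the section said these credentials apply to all apps and all subscriptions in the account, and the added Azure CLI tab opens straight on the command without it. Someone setting a password from the CLI should still be told how far it reaches, so put that sentence above the tab group rather than inside a single tab. The added text also has the reader supply \<password> as a command argument; a short reminder that command lines may be kept in shell history would fit here.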
@@ -30,21 +28,23 @@ To configure the deployment user in the [Cloud Shell](https://shell.azure.com),
az webapp deployment user set --user-name <username> --password <password> ```
-The JSON output shows the password as `null`. If you get a `'Conflict'. Details: 409` error, change the username. If you get a `'Bad Request'. Details: 400` error, use a stronger password.
+The JSON output shows the password as `null`.
-### In the portal
+# [Azure PowerShell](#tab/powershell)
-In the Azure portal, you must have at least one app before you can access the deployment credentials page. To configure your user-level credentials:
+You can't configure the user-scope credentials with Azure PowerShell. Use a different method, or consider [using application-scope credentials](#appscope).
-1. In the [Azure portal](https://portal.azure.com), from the left menu, select **App Services** > **\<any_app>** > **Deployment center** > **FTP** > **Dashboard**.
+# [Azure portal](#tab/portal)
- ![Shows how you can select the FTP dashboard from the Deployment center in Azure App Services.](./media/app-service-deployment-credentials/access-no-git.png)
+You can configure your user-scope credentials in any app's [resource page](../azure-resource-manager/management/manage-resources-portal.md#manage-resources). Regardless in which app you configure these credentials, it applies to all apps for all subscriptions in your Azure account.
- Or, if you've already configured Git deployment, select **App Services** > **&lt;any_app>** > **Deployment center** > **FTP/Credentials**.
+In the [Azure portal](https://portal.azure.com), you must have at least one app before you can access the deployment credentials page. To configure your user-scope credentials:
- ![Shows how you can select the FTP dashboard from the Deployment center in Azure App Services for your configured Git deployment.](./media/app-service-deployment-credentials/access-with-git.png)
+1. From the left menu of your app, select > **Deployment center** > **FTPS credentials** or **Local Git/FTPS credentials**.
-2. Select **User Credentials**, configure the user name and password, and then select **Save Credentials**.
+ ![Shows how you can select the FTP dashboard from the Deployment center in Azure App Services.](./media/app-service-deployment-credentials/access-no-git.png)
+
+2. Scroll down to **User scope**, configure the **Username** and **Password**, and then select **Save**.
Once you have set your deployment credentials, you can find the *Git* deployment username in your app's **Overview** page,
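Review bot: the added line "The JSON output shows the password as `null`." drops the guidance for the `'Conflict'. Details: 409` and `'Bad Request'. Details: 400` errors, which told the reader to change the username or use a stronger password; keep those two sentences in the CLI tab. In the portal step, "select > **Deployment center**" has a stray ">" after "select", and the image alt text still says "FTP dashboard" although the step now names **FTPS credentials**.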
@@ -53,25 +53,80 @@ Once you have set your deployment credentials, you can find the *Git* deployment
If Git deployment is configured, the page shows a **Git/deployment username**; otherwise, an **FTP/deployment username**. > [!NOTE]
-> Azure does not show your user-level deployment password. If you forget the password, you can reset your credentials by following the steps in this section.
+> Azure does not show your user-scope deployment password. If you forget the password, you can reset your credentials by following the steps in this section.
> >
-## Use user-level credentials with FTP/FTPS
+--
+
+## Use user-scope credentials with FTP/FTPS
-Authenticating to an FTP/FTPS endpoint using user-level credentials requirers a username in the following format:
+Authenticating to an FTP/FTPS endpoint using user-scope credentials requires a username in the following format:
`<app-name>\<user-name>`
-Since user-level credentials are linked to the user and not a specific resource, the username must be in this format to direct the sign-in action to the right app endpoint.
+Since user-scope credentials are linked to the user and not a specific resource, the username must be in this format to direct the sign-in action to the right app endpoint.
+
+## <a name="appscope"></a>Get application-scope credentials
+
+# [Azure CLI](#tab/cli)
+
+Get the application-scope credentials using the [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_profiles) command. For example:
+
+```azurecli-interactive
+az webapp deployment list-publishing-profiles --resource-group <group-name> --name <app-name>
+```
+
+For [local Git deployment](deploy-local-git.md), you can also use the [az webapp deployment list-publishing-credentials](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_credentials) command to get a Git remote URI for your app, with the application-scope credentials already embedded. For example:
+
+```azurecli-interactive
+az webapp deployment list-publishing-credentials --resource-group <group-name> --name <app-name> --query scmUri
+```
+
+# [Azure PowerShell](#tab/powershell)
+
+Get the application-scope credentials using the [Get-AzWebAppPublishingProfile](/powershell/module/az.websites/get-azwebapppublishingprofile) command. For example:
-## <a name="appscope"></a>Get and reset app-level credentials
-To get the app-level credentials:
+```azurepowershell-interactive
+Get-AzWebAppPublishingProfile -ResourceGroupName <group-name> -Name <app-name>
+```
-1. In the [Azure portal](https://portal.azure.com), from the left menu, select **App Services** > **&lt;any_app>** > **Deployment center** > **FTP/Credentials**.
+# [Azure portal](#tab/portal)
-2. Select **App Credentials**, and select the **Copy** link to copy the username or password.
+1. From the left menu of your app, select **Deployment center** > **FTPS credentials** or **Local Git/FTPS credentials**.
+
+ ![Shows how you can select the FTP dashboard from the Deployment center in Azure App Services.](./media/app-service-deployment-credentials/access-no-git.png)
-To reset the app-level credentials, select **Reset Credentials** in the same dialog.
+2. In the **Application scope** section, select the **Copy** link to copy the username or password.
+
+--
+
+## Reset application-scope credentials
+
+# [Azure CLI](#tab/cli)
+
+Reset the application-scope credentials using the [az resource invoke-action](/cli/azure/resource#az_resource_invoke_action) command:
+
+```azurecli-interactive
+az resource invoke-action --action newpassword --resource-group <group-name> --name <app-name> --resource-type Microsoft.Web/sites
+```
+
+# [Azure PowerShell](#tab/powershell)
+
+Reset the application-scope credentials using the [Invoke-AzResourceAction](/powershell/module/az.resources/invoke-azresourceaction) command:
+
+```azurepowershell-interactive
+Invoke-AzResourceAction -ResourceGroupName <group-name> -ResourceType Microsoft.Web/sites -ResourceName <app-name> -Action newpassword
+```
+
+# [Azure portal](#tab/portal)
+
+1. From the left menu of your app, select **Deployment center** > **FTPS credentials** or **Local Git/FTPS credentials**.
+
+ ![Shows how you can select the FTP dashboard from the Deployment center in Azure App Services.](./media/app-service-deployment-credentials/access-no-git.png)
+
+2. In the **Application scope** section, select **Reset**.
+
+--
## Disable basic authentication
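Review bot: the `list-publishing-credentials ... --query scmUri` example returns, by the text's own description, a Git remote URI "with the application-scope credentials already embedded", but nothing tells the reader to treat that output as a secret. Add a note that the URI should not be pasted into logs, tickets or shared terminals, and point to the new "Reset application-scope credentials" section for what to do if it is exposed. The reset tabs would also benefit from one sentence on what the reader must update afterwards, such as Git remotes or publish profiles that still hold the old password.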
@@ -81,7 +136,7 @@ Some organizations need to meet security requirements and would rather disable a
To disable FTP access to the site, run the following CLI command. Replace the placeholders with your resource group and site name.
-```bash
+```azurecli-interactive
az resource update --resource-group <resource-group> --name ftp --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<site-name> --set properties.allow=false ```
@@ -91,7 +146,7 @@ To confirm that FTP access is blocked, you can try to authenticate using an FTP
To disable basic auth access to the WebDeploy port and SCM site, run the following CLI command. Replace the placeholders with your resource group and site name.
-```bash
+```azurecli-interactive
az resource update --resource-group <resource-group> --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<site-name> --set properties.allow=false ```
app-service https://docs.microsoft.com/en-us/azure/app-service/deploy-local-git https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-local-git.md
@@ -3,7 +3,7 @@ Title: Deploy from local Git repo
description: Learn how to enable local Git deployment to Azure App Service. One of the simplest ways to deploy code from your local machine. ms.assetid: ac50a623-c4b8-4dfd-96b2-a09420770063 Previously updated : 06/18/2019 Last updated : 02/16/2021
@@ -19,123 +19,113 @@ To follow the steps in this how-to guide:
- [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] - [Install Git](https://www.git-scm.com/downloads).
-
+ - Have a local Git repository with code you want to deploy. To download a sample repository, run the following command in your local terminal window: ```bash git clone https://github.com/Azure-Samples/nodejs-docs-hello-world.git ``` - [!INCLUDE [Prepare repository](../../includes/app-service-deploy-prepare-repo.md)]
-## Deploy with Kudu build server
+## Configure a deployment user
-The easiest way to enable local Git deployment for your app with the Kudu App Service build server is to use Azure Cloud Shell.
+See [Configure deployment credentials for Azure App Service](deploy-configure-credentials.md). You can use either user-scope credentials or application-scope credentials.
-### Configure a deployment user
+## Create a Git enabled app
+If you already have an App Service app and want to configure local Git deployment for it, see [Configure an existing app](#configure-an-existing-app) instead.
-### Get the deployment URL
+# [Azure CLI](#tab/cli)
-To get the URL to enable local Git deployment for an existing app, run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-local-git) in the Cloud Shell. Replace \<app-name> and \<group-name> with the names of your app and its Azure resource group.
+Run [`az webapp create`](/cli/azure/webapp#az_webapp_create) with the `--deployment-local-git` option. For example:
```azurecli-interactive
-az webapp deployment source config-local-git --name <app-name> --resource-group <group-name>
+az webapp create --resource-group <group-name> --plan <plan-name> --name <app-name> --runtime "<runtime-flag>" --deployment-local-git
```
-> [!NOTE]
-> If you are using a linux app-service-plan, you need to add this parameter: --runtime python|3.7
+The output contains a URL like: `https://<deployment-username>@<app-name>.scm.azurewebsites.net/<app-name>.git`. Use this URL to deploy your app in the next step.
-Or, to create a new Git-enabled app, run [`az webapp create`](/cli/azure/webapp#az-webapp-create) in the Cloud Shell with the `--deployment-local-git` parameter. Replace \<app-name>, \<group-name>, and \<plan-name> with the names for your new Git app, its Azure resource group, and its Azure App Service plan.
+# [Azure PowerShell](#tab/powershell)
-```azurecli-interactive
-az webapp create --name <app-name> --resource-group <group-name> --plan <plan-name> --deployment-local-git
+Run [New-AzWebApp](/powershell/module/az.websites/new-azwebapp) from the root of your Git repository. For example:
+
+```azurepowershell-interactive
+New-AzWebApp -Name <app-name>
```
-Either command returns a URL like: `https://<deployment-username>@<app-name>.scm.azurewebsites.net/<app-name>.git`. Use this URL to deploy your app in the next step.
+When your run this cmdlet from a directory that's a Git repository, it automatically creates a Git remote to your App Service app for you, named `azure`.
+
+# [Azure portal](#tab/portal)
+
+In the portal, you need to create an app first, then configure deployment for it. See [Configure an existing app](#configure-an-existing-app).
+
+--
+
+## Configure an existing app
-Instead of using this account-level URL, you can also enable local Git by using app-level credentials. Azure App Service automatically generates these credentials for every app.
+If you haven't created an app yet, see [Create a Git enabled app](#create-a-git-enabled-app) instead.
-Get the app credentials by running the following command in the Cloud Shell. Replace \<app-name> and \<group-name> with your app's name and Azure resource group name.
+# [Azure CLI](#tab/cli)
+
+Run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-local-git). For example:
```azurecli-interactive
-az webapp deployment list-publishing-credentials --name <app-name> --resource-group <group-name> --query scmUri --output tsv
+az webapp deployment source config-local-git --name <app-name> --resource-group <group-name>
```
-Use the URL that returns to deploy your app in the next step.
+The output contains a URL like: `https://<deployment-username>@<app-name>.scm.azurewebsites.net/<app-name>.git`. Use this URL to deploy your app in the next step.
-### Deploy the web app
+> [!TIP]
+> This URL contains the user-scope deployment username. If you like, you can [use the application-scope credentials](deploy-configure-credentials.md#appscope) instead.
-1. Open a local terminal window to your local Git repository, and add an Azure remote. In the following command, replace \<url> with the deployment user-specific URL or app-specific URL you got from the previous step.
-
- ```bash
- git remote add azure <url>
- ```
-
-1. Push to the Azure remote with `git push azure main`.
-
-1. In the **Git Credential Manager** window, enter your [deployment user password](#configure-a-deployment-user), not your Azure sign-in password.
-
-1. Review the output. You may see runtime-specific automation, such as MSBuild for ASP.NET, `npm install` for Node.js, and `pip install` for Python.
-
-1. Browse to your app in the Azure portal to verify that the content is deployed.
+# [Azure PowerShell](#tab/powershell)
-## Deploy with Azure Pipelines builds
+Set the `scmType` of your app by running the [Set-AzResource](/powershell/module/az.resources/set-azresource) cmdlet.
-If your account has the necessary permissions, you can set up Azure Pipelines (Preview) to enable local Git deployment for your app.
+```powershell-interactive
+$PropertiesObject = @{
+ scmType = "LocalGit";
+}
-- Your Azure account must have permissions to write to Azure Active Directory and create a service.
-
-- Your Azure account must have the **Owner** role in your Azure subscription.
+Set-AzResource -PropertyObject $PropertiesObject -ResourceGroupName <group-name> `
+-ResourceType Microsoft.Web/sites/config -ResourceName <app-name>/web `
+-ApiVersion 2015-08-01 -Force
+```
-- You must be an administrator in the Azure DevOps project you want to use.
+# [Azure portal](#tab/portal)
-To enable local Git deployment for your app with Azure Pipelines (Preview):
+1. In the [Azure portal](https://portal.azure.com), navigate to your app's management page.
-1. In the [Azure portal](https://portal.azure.com), search for and select **App Services**.
+1. From the left menu, select **Deployment Center** > **Settings**. Select **Local Git** in **Source**, then click **Save**.
-1. Select your Azure App Service app and select **Deployment Center** in the left menu.
-
-1. On the **Deployment Center** page, select **Local Git**, and then select **Continue**.
-
- ![Select Local Git, and then select Continue](media/app-service-deploy-local-git/portal-enable.png)
-
-1. On the **Build provider** page, select **Azure Pipelines (Preview)**, and then select **Continue**.
-
- ![Select Azure Pipelines (Preview), and then select Continue.](media/app-service-deploy-local-git/pipeline-builds.png)
+ ![Shows how to enable local Git deployment for App Service in the Azure portal](./media/deploy-local-git/enable-portal.png)
-1. On the **Configure** page, configure a new Azure DevOps organization, or specify an existing organization, and then select **Continue**.
-
- > [!NOTE]
- > If your existing Azure DevOps organization isn't listed, you may need to link it to your Azure subscription. For more information, see [Define your CD release pipeline](/azure/devops/pipelines/apps/cd/deploy-webdeploy-webapps#cd).
-
-1. Depending on your App Service plan [pricing tier](https://azure.microsoft.com/pricing/details/app-service/plans/), you may see a **Deploy to staging** page. Choose whether to [enable deployment slots](deploy-staging-slots.md), and then select **Continue**.
-
-1. On the **Summary** page, review the settings, and then select **Finish**.
-
-1. When the Azure Pipeline is ready, copy the Git repository URL from the **Deployment Center** page to use in the next step.
-
- ![Copy the Git repository URL](media/app-service-deploy-local-git/vsts-repo-ready.png)
+1. In the Local Git section, copy the **Git Clone Uri** for later. This Uri doesn't contain any credentials.
+
+--
+
+## Deploy the web app
-1. In your local terminal window, add an Azure remote to your local Git repository. In the command, replace \<url> with the URL of the Git repository that you got from the previous step.
+1. In a local terminal window, change the directory to the root of your Git repository, and add a Git remote using the URL you got from your app. If your chosen method doesn't give you a URL, use `https://<app-name>.scm.azurewebsites.net/<app-name>.git` with your app name in `<app-name>`.
```bash git remote add azure <url> ```+
+ > [!NOTE]
+ > If you [created a Git-enabled app in PowerShell using New-AzWebApp](#create-a-git-enabled-app), the remote is already created for you.
-1. Push to the Azure remote with `git push azure main`.
+1. Push to the Azure remote with `git push azure master`.
-1. On the **Git Credential Manager** page, sign in with your visualstudio.com username. For other authentication methods, see [Azure DevOps Services authentication overview](/vsts/git/auth-overview?view=vsts).
+1. In the **Git Credential Manager** window, enter your [user-scope or application-scope credentials](#configure-a-deployment-user), not your Azure sign-in credentials.
+
+ If your Git remote URL already contains the username and password, you won't be prompted.
-1. Once deployment is finished, view the build progress at `https://<azure_devops_account>.visualstudio.com/<project_name>/_build`, and the deployment progress at `https://<azure_devops_account>.visualstudio.com/<project_name>/_release`.
+1. Review the output. You may see runtime-specific automation, such as MSBuild for ASP.NET, `npm install` for Node.js, and `pip install` for Python.
1. Browse to your app in the Azure portal to verify that the content is deployed. - ## Troubleshoot deployment You may see the following common error messages when you use Git to publish to an App Service app in Azure:
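Review bot: step 2 changes `git push azure main` to `git push azure master` without explaining why, and a repository whose default branch is `main` has no `master` to push. State which branch the app deploys from, or tell the reader to push their own branch name. The added sentence "If your Git remote URL already contains the username and password, you won't be prompted" should mention that such a URL is stored in the repository's Git configuration in clear text. Smaller points: "When your run this cmdlet" should be "When you run this cmdlet", and the `Set-AzResource` block is tagged `powershell-interactive` while the `New-AzWebApp` block in the same hunk uses `azurepowershell-interactive`.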
@@ -151,7 +141,7 @@ You may see the following common error messages when you use Git to publish to a
## Additional resources -- [Project Kudu documentation](https://github.com/projectkudu/kudu/wiki)
+- [App Service build server (Project Kudu documentation)](https://github.com/projectkudu/kudu/wiki)
- [Continuous deployment to Azure App Service](deploy-continuous-deployment.md) - [Sample: Create a web app and deploy code from a local Git repository (Azure CLI)](./scripts/cli-deploy-local-git.md?toc=%2fcli%2fazure%2ftoc.json) - [Sample: Create a web app and deploy code from a local Git repository (PowerShell)](./scripts/powershell-deploy-local-git.md?toc=%2fpowershell%2fmodule%2ftoc.json)
app-service https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-staging-slots.md
@@ -218,7 +218,7 @@ If you have any problems, see [Troubleshoot swaps](#troubleshoot-swaps).
## Monitor a swap
-If the [swap operation](#AboutConfiguration) takes a long time to complete, you can get information on the swap operation in the [activity log](../azure-monitor/platform/platform-logs-overview.md).
+If the [swap operation](#AboutConfiguration) takes a long time to complete, you can get information on the swap operation in the [activity log](../azure-monitor/essentials/platform-logs-overview.md).
On your app's resource page in the portal, in the left pane, select **Activity log**.
app-service https://docs.microsoft.com/en-us/azure/app-service/environment/creation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/creation.md
@@ -81,4 +81,4 @@ The ASE is normally deployed on VMs that are provisioned on a multi-tenant hyper
[AppDeploy]: ../deploy-local-git.md [ASEWAF]: app-service-app-service-environment-web-application-firewall.md [AppGW]: ../../web-application-firewall/ag/ag-overview.md
-[logalerts]: ../../azure-monitor/platform/alerts-log.md
+[logalerts]: ../../azure-monitor/alerts/alerts-log.md
app-service https://docs.microsoft.com/en-us/azure/app-service/environment/firewall-integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/firewall-integration.md
@@ -96,7 +96,7 @@ Azure Firewall can send logs to Azure Storage, Event Hub, or Azure Monitor logs.
AzureDiagnostics | where msg_s contains "Deny" | where TimeGenerated >= ago(1h) ```
-Integrating your Azure Firewall with Azure Monitor logs is useful when first getting an application working when you are not aware of all of the application dependencies. You can learn more about Azure Monitor logs from [Analyze log data in Azure Monitor](../../azure-monitor/log-query/log-query-overview.md).
+Integrating your Azure Firewall with Azure Monitor logs is useful when first getting an application working when you are not aware of all of the application dependencies. You can learn more about Azure Monitor logs from [Analyze log data in Azure Monitor](../../azure-monitor/logs/log-query-overview.md).
## Dependencies
app-service https://docs.microsoft.com/en-us/azure/app-service/environment/using-an-ase https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/using-an-ase.md
@@ -5,7 +5,7 @@
ms.assetid: a22450c4-9b8b-41d4-9568-c4646f4cf66b Previously updated : 5/10/2020 Last updated : 9/22/2020
@@ -191,7 +191,7 @@ If you integrate with Log Analytics, you can see the logs by selecting **Logs**
**Creating an alert**
-To create an alert against your logs, follow the instructions in [Create, view, and manage log alerts using Azure Monitor](../../azure-monitor/platform/alerts-log.md). In brief:
+To create an alert against your logs, follow the instructions in [Create, view, and manage log alerts using Azure Monitor](../../azure-monitor/alerts/alerts-log.md). In brief:
* Open the Alerts page in your ASE portal * Select **New alert rule**
@@ -298,4 +298,4 @@ For more specific examples, use: az find "az appservice ase"
[AppDeploy]: ../deploy-local-git.md [ASEWAF]: app-service-app-service-environment-web-application-firewall.md [AppGW]: ../../web-application-firewall/ag/ag-overview.md
-[logalerts]: ../../azure-monitor/platform/alerts-log.md
+[logalerts]: ../../azure-monitor/alerts/alerts-log.md
app-service https://docs.microsoft.com/en-us/azure/app-service/environment/using https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/using.md
@@ -138,7 +138,7 @@ If you integrate with Log Analytics, you can see the logs by selecting **Logs**
**Creating an alert**
-To create an alert against your logs, follow the instructions in [Create, view, and manage log alerts using Azure Monitor](../../azure-monitor/platform/alerts-log.md). In brief:
+To create an alert against your logs, follow the instructions in [Create, view, and manage log alerts using Azure Monitor](../../azure-monitor/alerts/alerts-log.md). In brief:
* Open the Alerts page in your ASE portal * Select **New alert rule**
@@ -201,4 +201,4 @@ To delete an ASE:
[AppDeploy]: ../deploy-local-git.md [ASEWAF]: app-service-app-service-environment-web-application-firewall.md [AppGW]: ../../web-application-firewall/ag/ag-overview.md
-[logalerts]: ../../azure-monitor/platform/alerts-log.md
+[logalerts]: ../../azure-monitor/alerts/alerts-log.md
app-service https://docs.microsoft.com/en-us/azure/app-service/faq-configuration-and-management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/faq-configuration-and-management.md
@@ -288,7 +288,7 @@ The quickest way to find the version of Microsoft .NET that's installed in App S
## Why isn't Autoscale working as expected?
-If Azure Autoscale hasn't scaled in or scaled out the web app instance as you expected, you might be running into a scenario in which we intentionally choose not to scale to avoid an infinite loop due to "flapping." This usually happens when there isn't an adequate margin between the scale-out and scale-in thresholds. To learn how to avoid "flapping" and to read about other Autoscale best practices, see [Autoscale best practices](../azure-monitor/platform/autoscale-best-practices.md#autoscale-best-practices).
+If Azure Autoscale hasn't scaled in or scaled out the web app instance as you expected, you might be running into a scenario in which we intentionally choose not to scale to avoid an infinite loop due to "flapping." This usually happens when there isn't an adequate margin between the scale-out and scale-in thresholds. To learn how to avoid "flapping" and to read about other Autoscale best practices, see [Autoscale best practices](../azure-monitor/autoscale/autoscale-best-practices.md#autoscale-best-practices).
## Why does Autoscale sometimes scale only partially?
app-service https://docs.microsoft.com/en-us/azure/app-service/get-resource-events https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/get-resource-events.md
@@ -8,7 +8,7 @@
# Get resource events in Azure App Service
-Azure App Service provides built-in tools to monitor the status and health of your resources. Resource events help you understand any changes that were made to your underlying web app resources and take action as necessary. Event examples include: scaling of instances, updates to application settings, restarting of the web app, and many more. In this article, you'll learn how to view [Azure Activity Logs](../azure-monitor/platform/activity-log.md#view-the-activity-log) and enable [Event Grid](../event-grid/index.yml) to monitor resource events related to your App Service web app.
+Azure App Service provides built-in tools to monitor the status and health of your resources. Resource events help you understand any changes that were made to your underlying web app resources and take action as necessary. Event examples include: scaling of instances, updates to application settings, restarting of the web app, and many more. In this article, you'll learn how to view [Azure Activity Logs](../azure-monitor/essentials/activity-log.md#view-the-activity-log) and enable [Event Grid](../event-grid/index.yml) to monitor resource events related to your App Service web app.
> [!NOTE] > App Service integration with Event Grid is in **preview**. [View the announcement for more details.](https://aka.ms/app-service-event-grid-announcement)
@@ -28,7 +28,7 @@ Azure Activity Logs for App Service details such as:
Azure Activity Logs can be queried using the Azure portal, PowerShell, REST API, or CLI. You can send the logs to a storage account, Event Hub, and Log Analytics. You can also analyze them in Power BI or create alerts to stay updated on resource events.
-[View and retrieve Azure Activity log events.](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+[View and retrieve Azure Activity log events.](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
## Ship Activity Logs to Event Grid
@@ -39,7 +39,7 @@ Alternatively, you can use Event Grid with Logic Apps to process data anywhere,
[View the properties and schema for Azure App Service Events.](../event-grid/event-schema-app-service.md) ## <a name="nextsteps"></a> Next steps
-* [Query logs with Azure Monitor](../azure-monitor/log-query/log-query-overview.md)
+* [Query logs with Azure Monitor](../azure-monitor/logs/log-query-overview.md)
* [How to Monitor Azure App Service](web-sites-monitor.md) * [Troubleshooting Azure App Service in Visual Studio](troubleshoot-dotnet-visual-studio.md) * [Analyze app Logs in HDInsight](https://gallery.technet.microsoft.com/scriptcenter/Analyses-Windows-Azure-web-0b27d413)
app-service https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/manage-scale-up.md
@@ -17,7 +17,7 @@ This article shows you how to scale your app in Azure App Service. There are two
* [Scale out](https://en.wikipedia.org/wiki/Scalability#Horizontal_and_vertical_scaling): Increase the number of VM instances that run your app. You can scale out to as many as 30 instances, depending on your pricing tier. [App Service Environments](environment/intro.md) in **Isolated** tier further increases your scale-out count to 100 instances. For more information about scaling out, see
- [Scale instance count manually or automatically](../azure-monitor/platform/autoscale-get-started.md). There, you find out how
+ [Scale instance count manually or automatically](../azure-monitor/autoscale/autoscale-get-started.md). There, you find out how
to use autoscaling, which is to scale instance count automatically based on predefined rules and schedules. The scale settings take only seconds to apply and affect all apps in your [App Service plan](../app-service/overview-hosting-plans.md).
@@ -78,7 +78,7 @@ For a table of service limits, quotas, and constraints, and supported features i
## More resources
-[Scale instance count manually or automatically](../azure-monitor/platform/autoscale-get-started.md)
+[Scale instance count manually or automatically](../azure-monitor/autoscale/autoscale-get-started.md)
[Configure PremiumV3 tier for App Service](app-service-configure-premium-tier.md) <!-- LINKS -->
app-service https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-hosting-plans.md
@@ -52,7 +52,7 @@ When you create an app in App Service, it is put into an App Service plan. When
In this way, the App Service plan is the scale unit of the App Service apps. If the plan is configured to run five VM instances, then all apps in the plan run on all five instances. If the plan is configured for autoscaling, then all apps in the plan are scaled out together based on the autoscale settings.
-For information on scaling out an app, see [Scale instance count manually or automatically](../azure-monitor/platform/autoscale-get-started.md).
+For information on scaling out an app, see [Scale instance count manually or automatically](../azure-monitor/autoscale/autoscale-get-started.md).
<a name="cost"></a>
app-service https://docs.microsoft.com/en-us/azure/app-service/overview-manage-costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-manage-costs.md
@@ -34,7 +34,7 @@ Depending on which feature you use in App Service, the following cost-accruing r
- **App Service plan** Required to host an App Service app. - **Isolated tier** A [Virtual Network](../virtual-network/index.yml) is required for an App Service environment. - **Backup** A [Storage account](../storage/index.yml) is required to make backups.-- **Diagnostic logs** You can select [Storage account](../storage/index.yml) as the logging option, or integrate with [Azure Log Analytics](../azure-monitor/log-query/log-analytics-tutorial.md).
+- **Diagnostic logs** You can select [Storage account](../storage/index.yml) as the logging option, or integrate with [Azure Log Analytics](../azure-monitor/logs/log-analytics-tutorial.md).
- **App Service certificates** Certificates you purchase in Azure must be maintained in [Azure Key Vault](../key-vault/index.yml). Other cost resources for App Service are (see [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/) for details):
@@ -110,7 +110,7 @@ Production workloads come with the recommendation of the dedicated **Standard**
> [!NOTE] > **Premium V3** supports both Windows containers and Linux containers.
-Once you choose the pricing tier you want, you should minimize the idle instances. In a scale-out deployment, you can waste money on underutilized compute instances. You should [configure autoscaling](../azure-monitor/platform/autoscale-get-started.md), available in **Standard** tier and above. By creating scale-out schedules, as well as metric-based scale-out rules, you only pay for the instances you really need at any given time.
+Once you choose the pricing tier you want, you should minimize the idle instances. In a scale-out deployment, you can waste money on underutilized compute instances. You should [configure autoscaling](../azure-monitor/autoscale/autoscale-get-started.md), available in **Standard** tier and above. By creating scale-out schedules, as well as metric-based scale-out rules, you only pay for the instances you really need at any given time.
### Azure Reservations
app-service https://docs.microsoft.com/en-us/azure/app-service/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview.md
@@ -24,7 +24,7 @@ Here are some key features of App Service:
* **Managed production environment** - App Service automatically [patches and maintains the OS and language frameworks](overview-patch-os-runtime.md) for you. Spend time writing great apps and let Azure worry about the platform. * **Containerization and Docker** - Dockerize your app and host a custom Windows or Linux container in App Service. Run multi-container apps with Docker Compose. Migrate your Docker skills directly to App Service. * **DevOps optimization** - Set up [continuous integration and deployment](deploy-continuous-deployment.md) with Azure DevOps, GitHub, BitBucket, Docker Hub, or Azure Container Registry. Promote updates through [test and staging environments](deploy-staging-slots.md). Manage your apps in App Service by using [Azure PowerShell](/powershell/azure/) or the [cross-platform command-line interface (CLI)](/cli/azure/install-azure-cli).
-* **Global scale with high availability** - Scale [up](manage-scale-up.md) or [out](../azure-monitor/platform/autoscale-get-started.md) manually or automatically. Host your apps anywhere in Microsoft's global datacenter infrastructure, and the App Service [SLA](https://azure.microsoft.com/support/legal/sla/app-service/) promises high availability.
+* **Global scale with high availability** - Scale [up](manage-scale-up.md) or [out](../azure-monitor/autoscale/autoscale-get-started.md) manually or automatically. Host your apps anywhere in Microsoft's global datacenter infrastructure, and the App Service [SLA](https://azure.microsoft.com/support/legal/sla/app-service/) promises high availability.
* **Connections to SaaS platforms and on-premises data** - Choose from more than 50 [connectors](../connectors/apis-list.md) for enterprise systems (such as SAP), SaaS services (such as Salesforce), and internet services (such as Facebook). Access on-premises data using [Hybrid Connections](app-service-hybrid-connections.md) and [Azure Virtual Networks](web-sites-integrate-with-vnet.md). * **Security and compliance** - App Service is [ISO, SOC, and PCI compliant](https://www.microsoft.com/en-us/trustcenter). Authenticate users with [Azure Active Directory](configure-authentication-provider-aad.md), [Google](configure-authentication-provider-google.md), [Facebook](configure-authentication-provider-facebook.md), [Twitter](configure-authentication-provider-twitter.md), or [Microsoft account](configure-authentication-provider-microsoft.md). Create [IP address restrictions](app-service-ip-restrictions.md) and [manage service identities](overview-managed-identity.md). * **Application templates** - Choose from an extensive list of application templates in the [Azure Marketplace](https://azure.microsoft.com/marketplace/), such as WordPress, Joomla, and Drupal.
app-service https://docs.microsoft.com/en-us/azure/app-service/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-baseline.md
@@ -240,9 +240,9 @@ Review detailed security alerts and recommendations in Security Center, at the p
It is recommended that you create a process with automated tools to monitor network resource configurations and quickly detect changes. -- [How to view and retrieve Azure Activity Log events](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
-- [How to create alerts in Azure Monitor](../azure-monitor/platform/alerts-activity-log.md)
+- [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
- [Export security alerts and recommendations](../security-center/continuous-export.md)
@@ -280,7 +280,7 @@ The "what, who, and when" for any write operations (PUT, POST, DELETE) performed
Additionally, Azure Key Vault provides centralized secret management with access policies and audit history. -- [How to enable Diagnostic Settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+- [How to enable Diagnostic Settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
- [How to enable Diagnostic Settings for Azure App Service](troubleshoot-diagnostic-logs.md)
@@ -293,7 +293,7 @@ Additionally, Azure Key Vault provides centralized secret management with access
### 2.5: Configure security log storage retention **Guidance**: In Azure Monitor, set the log retention period for the Log Analytics workspaces associated with your App Service resources according to your organization's compliance regulations.-- [How to set log retention parameters](../azure-monitor/platform/manage-cost-storage.md#change-the-data-retention-period)
+- [How to set log retention parameters](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
**Azure Security Center monitoring**: Not applicable
@@ -309,7 +309,7 @@ If you have deployed a Web Application Firewall (WAF), you can monitor attacks a
Use Azure Sentinel, a scalable and cloud-native security information event management (SIEM), to integrate with various data sources and connectors, as per requirements. Optionally, enable and on-board data to a third-party security information event management solution in the Azure Marketplace. -- [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+- [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
- [How to enable Application Insights](../azure-monitor/app/app-insights-overview.md)
@@ -640,7 +640,7 @@ Note that while locally attached disks can be used optionally by websites as tem
**Guidance**: Use Azure Monitor with Azure Activity log to create alerts upon any changes to production App Service apps and other critical or related resources. -- [How to create alerts for Azure Activity Log events](../azure-monitor/platform/alerts-activity-log.md)
+- [How to create alerts for Azure Activity Log events](../azure-monitor/alerts/alerts-activity-log.md)
**Azure Security Center monitoring**: Currently not available
app-service https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/troubleshoot-diagnostic-logs.md
@@ -195,7 +195,7 @@ The following table shows the supported log types and descriptions:
<sup>1</sup> For Java SE apps, add "$WEBSITE_AZMON_PREVIEW_ENABLED" to the app settings and set it to 1 or to true. ## <a name="nextsteps"></a> Next steps
-* [Query logs with Azure Monitor](../azure-monitor/log-query/log-query-overview.md)
+* [Query logs with Azure Monitor](../azure-monitor/logs/log-query-overview.md)
* [How to Monitor Azure App Service](web-sites-monitor.md) * [Troubleshooting Azure App Service in Visual Studio](troubleshoot-dotnet-visual-studio.md) * [Analyze app Logs in HDInsight](https://gallery.technet.microsoft.com/scriptcenter/Analyses-Windows-Azure-web-0b27d413)
app-service https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-http-502-http-503 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/troubleshoot-http-502-http-503.md
@@ -56,7 +56,7 @@ Some of the metrics that you might want to monitor for your app are
For more information, see: * [Monitor apps in Azure App Service](web-sites-monitor.md)
-* [Receive alert notifications](../azure-monitor/platform/alerts-overview.md)
+* [Receive alert notifications](../azure-monitor/alerts/alerts-overview.md)
<a name="collect"></a>
app-service https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-performance-degradation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/troubleshoot-performance-degradation.md
@@ -57,7 +57,7 @@ Some of the metrics that you might want to monitor for your app are
For more information, see: * [Monitor apps in Azure App Service](web-sites-monitor.md)
-* [Receive alert notifications](../azure-monitor/platform/alerts-overview.md)
+* [Receive alert notifications](../azure-monitor/alerts/alerts-overview.md)
#### Monitor web endpoint status If you are running your app in the **Standard** pricing tier, App Service lets you monitor two endpoints from three geographic locations.
app-service https://docs.microsoft.com/en-us/azure/app-service/tutorial-troubleshoot-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-troubleshoot-monitor.md
@@ -73,7 +73,7 @@ Diagnostic settings can be used to collect metrics for certain Azure services in
You run the following commands to create diagnostic settings for AppServiceConsoleLogs (standard output/error) and AppServiceHTTPLogs (web server logs). Replace _\<app-name>_ and _\<workspace-name>_ with your values. > [!NOTE]
-> The first two commands, `resourceID` and `workspaceID`, are variables to be used in the `az monitor diagnostic-settings create` command. See [Create diagnostic settings using Azure CLI](../azure-monitor/platform/diagnostic-settings.md#create-using-azure-cli) for more information on this command.
+> The first two commands, `resourceID` and `workspaceID`, are variables to be used in the `az monitor diagnostic-settings create` command. See [Create diagnostic settings using Azure CLI](../azure-monitor/essentials/diagnostic-settings.md#create-using-azure-cli) for more information on this command.
> ```bash
@@ -124,7 +124,7 @@ In the Azure portal, select your Log Analytics workspace.
### Log queries
-Log queries help you to fully leverage the value of the data collected in Azure Monitor Logs. You use log queries to identify the logs in both AppServiceHTTPLogs and AppServiceConsoleLogs. See the [log query overview](../azure-monitor/log-query/log-query-overview.md) for more information on log queries.
+Log queries help you to fully leverage the value of the data collected in Azure Monitor Logs. You use log queries to identify the logs in both AppServiceHTTPLogs and AppServiceConsoleLogs. See the [log query overview](../azure-monitor/logs/log-query-overview.md) for more information on log queries.
### View AppServiceHTTPLogs with log query
@@ -264,6 +264,6 @@ What you learned:
> * Used log queries to identify and troubleshoot web app errors ## <a name="nextsteps"></a> Next steps
-* [Query logs with Azure Monitor](../azure-monitor/log-query/log-query-overview.md)
+* [Query logs with Azure Monitor](../azure-monitor/logs/log-query-overview.md)
* [Troubleshooting Azure App Service in Visual Studio](troubleshoot-dotnet-visual-studio.md) * [Analyze app Logs in HDInsight](https://gallery.technet.microsoft.com/scriptcenter/Analyses-Windows-Azure-web-0b27d413)
app-service https://docs.microsoft.com/en-us/azure/app-service/web-sites-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/web-sites-monitor.md
@@ -135,7 +135,7 @@ There are two metrics that reflect CPU usage:
**CPU percentage**: Useful for apps hosted in Basic, Standard, and Premium plans, because they can be scaled out. CPU percentage is a good indication of the overall usage across all instances. ## Metrics granularity and retention policy
-Metrics for an app and app service plan are logged and aggregated by the service and [retained according to these rules](../azure-monitor/platform/data-platform-metrics.md#retention-of-metrics).
+Metrics for an app and app service plan are logged and aggregated by the service and [retained according to these rules](../azure-monitor/essentials/data-platform-metrics.md#retention-of-metrics).
## Monitoring quotas and metrics in the Azure portal To review the status of the various quotas and metrics that affect an app, go to the [Azure portal](https://portal.azure.com).
@@ -153,14 +153,14 @@ You can access metrics directly from the resource **Overview** page. Here you'll
Clicking on any of those charts will take you to the metrics view where you can create custom charts, query different metrics and much more.
-To learn more about metrics, see [Monitor service metrics](../azure-monitor/platform/data-platform.md).
+To learn more about metrics, see [Monitor service metrics](../azure-monitor/data-platform.md).
## Alerts and autoscale
-Metrics for an app or an App Service plan can be hooked up to alerts. For more information, see [Receive alert notifications](../azure-monitor/platform/alerts-classic-portal.md).
+Metrics for an app or an App Service plan can be hooked up to alerts. For more information, see [Receive alert notifications](../azure-monitor/alerts/alerts-classic-portal.md).
App Service apps hosted in Basic or higher App Service plans support autoscale. With autoscale, you can configure rules that monitor the App Service plan metrics. Rules can increase or decrease the instance count, which can provide additional resources as needed. Rules can also help you save money when the app is over-provisioned.
-For more information about autoscale, see [How to scale](../azure-monitor/platform/autoscale-get-started.md) and [Best practices for Azure Monitor autoscaling](../azure-monitor/platform/autoscale-best-practices.md).
+For more information about autoscale, see [How to scale](../azure-monitor/autoscale/autoscale-get-started.md) and [Best practices for Azure Monitor autoscaling](../azure-monitor/autoscale/autoscale-best-practices.md).
[fzilla]:https://go.microsoft.com/fwlink/?LinkId=247914 [vmsizes]:https://go.microsoft.com/fwlink/?LinkID=309169
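Review bot: On the `+` line for "Monitor service metrics", the target becomes `../azure-monitor/data-platform.md` at the top of the azure-monitor folder, while every other link in this file moves into a subfolder (`essentials/`, `alerts/`, `autoscale/`); confirm the file exists at that path before merging. Separately, "Receive alert notifications" still targets `alerts-classic-portal.md`, whereas the same link text in troubleshoot-http-502-http-503.md and troubleshoot-performance-degradation.md targets `alerts-overview.md`; consider aligning it while this line is being touched.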
application-gateway https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq-md https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-faq-md.md
@@ -452,7 +452,7 @@ In the portal, on the menu blade of an application gateway, select **Activity Lo
### Can I set alerts with Application Gateway?
-Yes. In Application Gateway, alerts are configured on metrics. For more information, see [Application Gateway metrics](./application-gateway-metrics.md) and [Receive alert notifications](../azure-monitor/platform/alerts-overview.md).
+Yes. In Application Gateway, alerts are configured on metrics. For more information, see [Application Gateway metrics](./application-gateway-metrics.md) and [Receive alert notifications](../azure-monitor/alerts/alerts-overview.md).
### How do I analyze traffic statistics for Application Gateway?
application-gateway https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-metrics.md
@@ -11,7 +11,7 @@
# Metrics for Application Gateway
-Application Gateway publishes data points, called metrics, to [Azure Monitor](../azure-monitor/overview.md) for the performance of your Application Gateway and backend instances. These metrics are numerical values in an ordered set of time-series data that describe some aspect of your application gateway at a particular time. If there are requests flowing through the Application Gateway, it measures and sends its metrics in 60-second intervals. If there are no requests flowing through the Application Gateway or no data for a metric, the metric is not reported. For more information, see [Azure Monitor metrics](../azure-monitor/platform/data-platform-metrics.md).
+Application Gateway publishes data points, called metrics, to [Azure Monitor](../azure-monitor/overview.md) for the performance of your Application Gateway and backend instances. These metrics are numerical values in an ordered set of time-series data that describe some aspect of your application gateway at a particular time. If there are requests flowing through the Application Gateway, it measures and sends its metrics in 60-second intervals. If there are no requests flowing through the Application Gateway or no data for a metric, the metric is not reported. For more information, see [Azure Monitor metrics](../azure-monitor/essentials/data-platform-metrics.md).
## Metrics supported by Application Gateway V2 SKU
@@ -196,7 +196,7 @@ In the following image, you see an example with three metrics displayed for the
:::image type="content" source="media/application-gateway-diagnostics/figure5.png" alt-text="Metric view." lightbox="media/application-gateway-diagnostics/figure5-lb.png":::
-To see a current list of metrics, see [Supported metrics with Azure Monitor](../azure-monitor/platform/metrics-supported.md).
+To see a current list of metrics, see [Supported metrics with Azure Monitor](../azure-monitor/essentials/metrics-supported.md).
### Alert rules on metrics
@@ -226,9 +226,9 @@ A list of alerts appears after you create a metric alert. It provides an overvie
![List of alerts and rules][9]
-To learn more about alert notifications, see [Receive alert notifications](../azure-monitor/platform/alerts-overview.md).
+To learn more about alert notifications, see [Receive alert notifications](../azure-monitor/alerts/alerts-overview.md).
-To understand more about webhooks and how you can use them with alerts, visit [Configure a webhook on an Azure metric alert](../azure-monitor/platform/alerts-webhooks.md).
+To understand more about webhooks and how you can use them with alerts, visit [Configure a webhook on an Azure metric alert](../azure-monitor/alerts/alerts-webhooks.md).
## Next steps
application-gateway https://docs.microsoft.com/en-us/azure/application-gateway/high-traffic-support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/high-traffic-support.md
@@ -18,7 +18,7 @@ You can use Application Gateway with Web Application Firewall (WAF) for a scalab
It is important that you scale your Application Gateway according to your traffic and with a bit of a buffer so that you are prepared for any traffic surges or spikes and minimizing the impact that it may have in your QoS. The following suggestions help you set up Application Gateway with WAF to handle extra traffic.
-Please check the [metrics documentation](./application-gateway-metrics.md) for the complete list of metrics offered by Application Gateway. See [visualize metrics](./application-gateway-metrics.md#metrics-visualization) in the Azure portal and the [Azure monitor documentation](../azure-monitor/platform/alerts-metric.md) on how to set alerts for metrics.
+Please check the [metrics documentation](./application-gateway-metrics.md) for the complete list of metrics offered by Application Gateway. See [visualize metrics](./application-gateway-metrics.md#metrics-visualization) in the Azure portal and the [Azure monitor documentation](../azure-monitor/alerts/alerts-metric.md) on how to set alerts for metrics.
## Scaling for Application Gateway v1 SKU (Standard/WAF SKU)
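Review bot: The link text "Azure monitor documentation" on the `+` line lower-cases the product name, while the same article path and the surrounding docs use "Azure Monitor". Since the line is being rewritten anyway, change the text to "Azure Monitor documentation"; the identical sentence in the "Monitoring and alerting" section of this file needs the same fix.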
@@ -60,7 +60,7 @@ Check your Compute Unit metric for the past one month. Compute unit metric is a
## Monitoring and alerting
-To get notified of any traffic or utilization anomalies, you can set up alerts on certain metrics. See [metrics documentation](./application-gateway-metrics.md) for the complete list of metrics offered by Application Gateway. See [visualize metrics](./application-gateway-metrics.md#metrics-visualization) in the Azure portal and the [Azure monitor documentation](../azure-monitor/platform/alerts-metric.md) on how to set alerts for metrics.
+To get notified of any traffic or utilization anomalies, you can set up alerts on certain metrics. See [metrics documentation](./application-gateway-metrics.md) for the complete list of metrics offered by Application Gateway. See [visualize metrics](./application-gateway-metrics.md#metrics-visualization) in the Azure portal and the [Azure monitor documentation](../azure-monitor/alerts/alerts-metric.md) on how to set alerts for metrics.
## Alerts for Application Gateway v1 SKU (Standard/WAF)
application-gateway https://docs.microsoft.com/en-us/azure/application-gateway/log-analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/log-analytics.md
@@ -12,7 +12,7 @@
# Use Log Analytics to examine Application Gateway Web Application Firewall (WAF) Logs
-Once your Application Gateway WAF is operational, you can enable logs to inspect what is happening with each request. Firewall logs give insight to what the WAF is evaluating, matching, and blocking. With Log Analytics, you can examine the data inside the firewall logs to give even more insights. For more information about creating a Log Analytics workspace, see [Create a Log Analytics workspace in the Azure portal](../azure-monitor/learn/quick-create-workspace.md). For more information about log queries, see [Overview of log queries in Azure Monitor](../azure-monitor/log-query/log-query-overview.md).
+Once your Application Gateway WAF is operational, you can enable logs to inspect what is happening with each request. Firewall logs give insight to what the WAF is evaluating, matching, and blocking. With Log Analytics, you can examine the data inside the firewall logs to give even more insights. For more information about creating a Log Analytics workspace, see [Create a Log Analytics workspace in the Azure portal](../azure-monitor/logs/quick-create-workspace.md). For more information about log queries, see [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md).
## Import WAF logs
application-gateway https://docs.microsoft.com/en-us/azure/application-gateway/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/security-baseline.md
@@ -186,9 +186,9 @@ You may use Azure PowerShell or Azure CLI to look-up or perform actions on resou
**Guidance**: Use Azure Activity Log to monitor network resource configurations and detect changes for network settings and resources related to your Azure Application Gateway deployments. Create alerts within Azure Monitor that will trigger when changes to critical network settings or resources takes place.
-* [How to view and retrieve Azure Activity Log events](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+* [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
-* [How to create alerts in Azure Monitor](../azure-monitor/platform/alerts-activity-log.md)
+* [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
**Azure Security Center monitoring**: Currently not available
@@ -214,7 +214,7 @@ In addition to Activity Logs, you can configure diagnostic settings for your Azu
Azure Application Gateway also offers built-in integration with Azure Application Insights. Application Insights collects log, performance, and error data. Application Insights automatically detects performance anomalies and includes powerful analytics tools to help you diagnose issues and to understand how your web apps are being used. You may enable continuous export to export telemetry from Application Insights into a centralized location to keep the data for longer than the standard retention period.
-* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
* [How to enable diagnostic settings for Azure Application Gateway](./application-gateway-diagnostics.md)
@@ -234,7 +234,7 @@ In addition to Activity Logs, you can configure diagnostic settings for your Azu
Azure Application Gateway also offers built-in integration with Azure Application Insights. Application Insights collects log, performance, and error data. Application Insights automatically detects performance anomalies and includes powerful analytics tools to help you diagnose issues and to understand how your web apps are being used. You may enable continuous export to export telemetry from Application Insights into a centralized location to keep the data for longer than the standard retention period.
-* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
* [How to enable diagnostic settings for Azure Application Gateway](./application-gateway-diagnostics.md)
@@ -258,7 +258,7 @@ Azure Application Gateway also offers built-in integration with Azure Applicatio
**Guidance**: Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.
-* [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/platform/manage-cost-storage.md#change-the-data-retention-period)
+* [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
**Azure Security Center monitoring**: Currently not available
@@ -272,7 +272,7 @@ Use Azure Monitor for Networks for a comprehensive view of health and metrics fo
Optionally, you may enable and on-board data to Azure Sentinel or a third-party SIEM.
-* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
* [How to enable diagnostic settings for Azure Application Gateway](./application-gateway-diagnostics.md)
@@ -292,13 +292,13 @@ Use Azure Monitor for Networks for a comprehensive view of health and metrics fo
* [How to deploy Azure WAF](../web-application-firewall/ag/create-waf-policy-ag.md)
-* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/platform/activity-log.md)
+* [How to enable diagnostic settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
* [How to enable diagnostic settings for Azure Application Gateway](./application-gateway-diagnostics.md) * [How to use Azure Monitor for Networks](../azure-monitor/insights/network-insights-overview.md)
-* [How to create alerts within Azure](../azure-monitor/learn/tutorial-response.md)
+* [How to create alerts within Azure](../azure-monitor/alerts/tutorial-response.md)
**Azure Security Center monitoring**: Yes
@@ -589,7 +589,7 @@ Microsoft manages the underlying infrastructure for Azure Application Gateway an
**Guidance**: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production Azure Application Gateway instances as well as other critical or related resources.
-* [How to create alerts for Azure Activity Log events](../azure-monitor/platform/alerts-activity-log.md)
+* [How to create alerts for Azure Activity Log events](../azure-monitor/alerts/alerts-activity-log.md)
**Azure Security Center monitoring**: Yes
automanage https://docs.microsoft.com/en-us/azure/automanage/virtual-machines-best-practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/virtual-machines-best-practices.md
@@ -23,7 +23,7 @@ For all of these services, we will auto-onboard, auto-configure, monitor for dri
|Service |Description |Profiles Supported<sup>1</sup> |Preferences supported<sup>1</sup> | |--||-|-|
-|VM Insights Monitoring |Azure Monitor for VMs monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/insights/vminsights-overview.md). |Azure VM Best Practices ΓÇô Production |No |
+|VM Insights Monitoring |Azure Monitor for VMs monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/vm/vminsights-overview.md). |Azure VM Best Practices ΓÇô Production |No |
|Backup |Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Learn [more](../backup/backup-azure-vms-introduction.md). Charges are based on the number and size of VMs being protected. Learn [more](https://azure.microsoft.com/pricing/details/backup/). |Azure VM Best Practices ΓÇô Production |Yes | |Azure Security Center |Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud. Learn [more](../security-center/security-center-introduction.md). Automanage will configure the subscription where your VM resides to the free-tier offering of Azure Security Center. If your subscription is already onboarded to Azure Security Center, then automanaged will not reconfigure it. |Azure VM Best Practices ΓÇô Production, Azure VM Best Practices ΓÇô Dev/Test |No | |Microsoft Antimalware |Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. Learn [more](../security/fundamentals/antimalware.md). |Azure VM Best Practices ΓÇô Production, Azure VM Best Practices ΓÇô Dev/Test |Yes |
@@ -31,7 +31,7 @@ For all of these services, we will auto-onboard, auto-configure, monitor for dri
|Change Tracking & Inventory |Change Tracking and Inventory combines change tracking and inventory functions to allow you to track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items. Learn [more](../automation/change-tracking/overview.md). |Azure VM Best Practices ΓÇô Production, Azure VM Best Practices ΓÇô Dev/Test |No | |Azure Guest Configuration | Guest Configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the [Windows security baselines](/windows/security/threat-protection/windows-security-baselines) using the Guest Configuration extension. Learn [more](../governance/policy/concepts/guest-configuration.md). |Azure VM Best Practices ΓÇô Production, Azure VM Best Practices ΓÇô Dev/Test |No | |Azure Automation Account |Azure Automation supports management throughout the lifecycle of your infrastructure and applications. Learn [more](../automation/automation-intro.md). |Azure VM Best Practices ΓÇô Production, Azure VM Best Practices ΓÇô Dev/Test |No |
-|Log Analytics Workspace |Azure Monitor stores log data in a Log Analytics workspace, which is an Azure resource and a container where data is collected, aggregated, and serves as an administrative boundary. Learn [more](../azure-monitor/platform/design-logs-deployment.md). |Azure VM Best Practices ΓÇô Production, Azure VM Best Practices ΓÇô Dev/Test |No |
+|Log Analytics Workspace |Azure Monitor stores log data in a Log Analytics workspace, which is an Azure resource and a container where data is collected, aggregated, and serves as an administrative boundary. Learn [more](../azure-monitor/logs/design-logs-deployment.md). |Azure VM Best Practices ΓÇô Production, Azure VM Best Practices ΓÇô Dev/Test |No |
<sup>1</sup> Configuration profiles are available when you are enabling Automanage. Learn [more](automanage-virtual-machines.md#configuration-profiles). You can also adjust the default settings of the configuration profile and set your own preferences within the best practices constraints.
automation https://docs.microsoft.com/en-us/azure/automation/automation-alert-metric https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-alert-metric.md
@@ -7,7 +7,7 @@
# Monitor runbooks with metric alerts
-In this article, you learn how to create a [metric alert](../azure-monitor/platform/alerts-metric-overview.md) based on runbook completion status.
+In this article, you learn how to create a [metric alert](../azure-monitor/alerts/alerts-metric-overview.md) based on runbook completion status.
## Sign in to Azure
@@ -46,7 +46,7 @@ Alerts allow you to define a condition to monitor for and an action to take when
### Define the action to take
-1. Under **Action group**, select **Specify action group**. An action group is a group of actions that you can use across more than one alert. These can include but aren't limited to, email notifications, runbooks, webhooks, and many more. To learn more about action groups and steps to create one that sends an email notification, see [Create and manage action groups](../azure-monitor/platform/action-groups.md).
+1. Under **Action group**, select **Specify action group**. An action group is a group of actions that you can use across more than one alert. These can include but aren't limited to, email notifications, runbooks, webhooks, and many more. To learn more about action groups and steps to create one that sends an email notification, see [Create and manage action groups](../azure-monitor/alerts/action-groups.md).
### Define alert details
automation https://docs.microsoft.com/en-us/azure/automation/automation-create-alert-triggered-runbook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-create-alert-triggered-runbook.md
@@ -9,7 +9,7 @@
# Use an alert to trigger an Azure Automation runbook
-You can use [Azure Monitor](../azure-monitor/overview.md) to monitor base-level metrics and logs for most services in Azure. You can call Azure Automation runbooks by using [action groups](../azure-monitor/platform/action-groups.md) or by using classic alerts to automate tasks based on alerts. This article shows you how to configure and run a runbook by using alerts.
+You can use [Azure Monitor](../azure-monitor/overview.md) to monitor base-level metrics and logs for most services in Azure. You can call Azure Automation runbooks by using [action groups](../azure-monitor/alerts/action-groups.md) or by using classic alerts to automate tasks based on alerts. This article shows you how to configure and run a runbook by using alerts.
## Alert types
@@ -20,15 +20,15 @@ You can use automation runbooks with three alert types:
* Near-real-time metric alerts > [!NOTE]
-> The common alert schema standardizes the consumption experience for alert notifications in Azure today. Historically, the three alert types in Azure today (metric, log, and activity log) have had their own email templates, webhook schemas, etc. To learn more, see [Common alert schema](../azure-monitor/platform/alerts-common-schema.md)
+> The common alert schema standardizes the consumption experience for alert notifications in Azure today. Historically, the three alert types in Azure today (metric, log, and activity log) have had their own email templates, webhook schemas, etc. To learn more, see [Common alert schema](../azure-monitor/alerts/alerts-common-schema.md)
When an alert calls a runbook, the actual call is an HTTP POST request to the webhook. The body of the POST request contains a JSON-formated object that has useful properties that are related to the alert. The following table lists links to the payload schema for each alert type: |Alert |Description|Payload schema | ||||
-|[Common alert](../azure-monitor/platform/alerts-common-schema.md)|The common alert schema that standardizes the consumption experience for alert notifications in Azure today.|Common alert payload schema|
-|[Activity log alert](../azure-monitor/platform/activity-log-alerts.md) |Sends a notification when any new event in the Azure activity log matches specific conditions. For example, when a `Delete VM` operation occurs in **myProductionResourceGroup** or when a new Azure Service Health event with an Active status appears.| [Activity log alert payload schema](../azure-monitor/platform/activity-log-alerts-webhook.md) |
-|[Near real-time metric alert](../azure-monitor/platform/alerts-metric-near-real-time.md) |Sends a notification faster than metric alerts when one or more platform-level metrics meet specified conditions. For example, when the value for **CPU %** on a VM is greater than 90, and the value for **Network In** is greater than 500 MB for the past 5 minutes.| [Near real-time metric alert payload schema](../azure-monitor/platform/alerts-webhooks.md#payload-schema) |
+|[Common alert](../azure-monitor/alerts/alerts-common-schema.md)|The common alert schema that standardizes the consumption experience for alert notifications in Azure today.|Common alert payload schema|
+|[Activity log alert](../azure-monitor/alerts/activity-log-alerts.md) |Sends a notification when any new event in the Azure activity log matches specific conditions. For example, when a `Delete VM` operation occurs in **myProductionResourceGroup** or when a new Azure Service Health event with an Active status appears.| [Activity log alert payload schema](../azure-monitor/alerts/activity-log-alerts-webhook.md) |
+|[Near real-time metric alert](../azure-monitor/alerts/alerts-metric-near-real-time.md) |Sends a notification faster than metric alerts when one or more platform-level metrics meet specified conditions. For example, when the value for **CPU %** on a VM is greater than 90, and the value for **Network In** is greater than 500 MB for the past 5 minutes.| [Near real-time metric alert payload schema](../azure-monitor/alerts/alerts-webhooks.md#payload-schema) |
Because the data that's provided by each type of alert is different, each alert type is handled differently. In the next section, you learn how to create a runbook to handle different types of alerts.
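Review bot: In the first table row of this hunk, the "Payload schema" cell for the common alert is the plain text "Common alert payload schema", while the activity log and near real-time rows both link to their schema pages. Since the row is already being edited to point at `../azure-monitor/alerts/alerts-common-schema.md`, link that cell to the same target so all three rows are consistent. Two smaller points in the same hunk: the unchanged paragraph above the table reads "JSON-formated" (should be "JSON-formatted"), and the updated note line ends at the link with no closing period.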
@@ -180,7 +180,7 @@ Alerts use action groups, which are collections of actions that are triggered by
![Add action group page](./media/automation-create-alert-triggered-runbook/add-action-group.png)
- You can use this action group in the [activity log alerts](../azure-monitor/platform/activity-log-alerts.md) and [near real-time alerts](../azure-monitor/platform/alerts-overview.md) that you create.
+ You can use this action group in the [activity log alerts](../azure-monitor/alerts/activity-log-alerts.md) and [near real-time alerts](../azure-monitor/alerts/alerts-overview.md) that you create.
1. Under **Alert Details**, add an alert rule name and description and click **Create alert rule**.
@@ -188,6 +188,6 @@ Alerts use action groups, which are collections of actions that are triggered by
* To start a runbook using a webhook, see [Start a runbook from a webhook](automation-webhooks.md). * To discover different ways to start a runbook, see [Start a runbook](./start-runbooks.md).
-* To create an activity log alert, see [Create activity log alerts](../azure-monitor/platform/activity-log-alerts.md).
-* To learn how to create a near real-time alert, see [Create an alert rule in the Azure portal](../azure-monitor/platform/alerts-metric.md?toc=/azure/azure-monitor/toc.json).
+* To create an activity log alert, see [Create activity log alerts](../azure-monitor/alerts/activity-log-alerts.md).
+* To learn how to create a near real-time alert, see [Create an alert rule in the Azure portal](../azure-monitor/alerts/alerts-metric.md?toc=/azure/azure-monitor/toc.json).
* For a PowerShell cmdlet reference, see [Az.Automation](/powershell/module/az.automation).
automation https://docs.microsoft.com/en-us/azure/automation/automation-dsc-diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-dsc-diagnostics.md
@@ -30,7 +30,7 @@ To start sending your Automation State Configuration reports to Azure Monitor lo
- The November 2016 or later release of [Azure PowerShell](/powershell/azure/) (v2.3.0). - An Azure Automation account. For more information, see [An introduction to Azure Automation](automation-intro.md).-- A Log Analytics workspace with an Automation & Control service offering. For more information, see [Get started with Log Analytics in Azure Monitor](../azure-monitor/log-query/log-analytics-tutorial.md).
+- A Log Analytics workspace with an Automation & Control service offering. For more information, see [Get started with Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-tutorial.md).
- At least one Azure Automation State Configuration node. For more information, see [Onboarding machines for management by Azure Automation State Configuration](automation-dsc-onboarding.md). - The [xDscDiagnostics](https://www.powershellgallery.com/packages/xDscDiagnostics/2.7.0.0) module, version 2.7.0.0 or greater. For installation steps, see [Troubleshoot Azure Automation Desired State Configuration](./troubleshoot/desired-state-configuration.md).
@@ -85,7 +85,7 @@ Filtering details:
* Filter on `DscResourceStatusData` to return operations for each DSC resource called in the node configuration applied to that resource. * Filter on `DscResourceStatusData` to return error information for any DSC resources that fail.
-To learn more about constructing log queries to find data, see [Overview of log queries in Azure Monitor](../azure-monitor/log-query/log-query-overview.md).
+To learn more about constructing log queries to find data, see [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md).
### Send an email when a State Configuration compliance check fails
@@ -100,7 +100,7 @@ the alert rule.
If you have set up logs from more than one Automation account or subscription to your workspace, you can group your alerts by subscription and Automation account. Derive the Automation account name from the `Resource` field in the search of the `DscNodeStatusData` records. 1. To open the **Create rule** screen, click **New Alert Rule** at the top of the page.
-For more information on the options to configure the alert, see [Create an alert rule](../azure-monitor/platform/alerts-metric.md).
+For more information on the options to configure the alert, see [Create an alert rule](../azure-monitor/alerts/alerts-metric.md).
### Find failed DSC resources across all nodes
@@ -194,5 +194,5 @@ Azure Automation diagnostics create two categories of records in Azure Monitor l
- For a PowerShell cmdlet reference, see [Az.Automation](/powershell/module/az.automation). - For pricing information, see [Azure Automation State Configuration pricing](https://azure.microsoft.com/pricing/details/automation/). - To see an example of using Azure Automation State Configuration in a continuous deployment pipeline, see [Set up continuous deployment with Chocolatey](automation-dsc-cd-chocolatey.md).-- To learn more about how to construct different search queries and review the Automation State Configuration logs with Azure Monitor logs, see [Log searches in Azure Monitor logs](../azure-monitor/log-query/log-query-overview.md).-- To learn more about Azure Monitor logs and data collection sources, see [Collecting Azure storage data in Azure Monitor logs overview](../azure-monitor/platform/resource-logs.md#send-to-log-analytics-workspace).
+- To learn more about how to construct different search queries and review the Automation State Configuration logs with Azure Monitor logs, see [Log searches in Azure Monitor logs](../azure-monitor/logs/log-query-overview.md).
+- To learn more about Azure Monitor logs and data collection sources, see [Collecting Azure storage data in Azure Monitor logs overview](../azure-monitor/essentials/resource-logs.md#send-to-log-analytics-workspace).
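Review bot: The link text on the last added line, "Collecting Azure storage data in Azure Monitor logs overview", does not describe its target, `../azure-monitor/essentials/resource-logs.md#send-to-log-analytics-workspace`, which by its path and anchor is about sending resource logs to a Log Analytics workspace. The line is being rewritten anyway, so update the link text to match the target rather than carrying the old wording over to the new path.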
automation https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-hybrid-runbook-worker.md
@@ -19,7 +19,7 @@ There are two types of Runbook Workers - system and user. The following table de
|**System** |Supports a set of hidden runbooks used by the Update Management feature that are designed to install user-specified updates on Windows and Linux machines.<br> This type of Hybrid Runbook Worker is not a member of a Hybrid Runbook Worker group, and therefore doesn't run runbooks that target a Runbook Worker group. | |**User** |Supports user-defined runbooks intended to run directly on the Windows and Linux machine that are members of one or more Runbook Worker groups. |
-A Hybrid Runbook Worker can run on either the Windows or the Linux operating system, and this role relies on the [Log Analytics agent](../azure-monitor/platform/log-analytics-agent.md) reporting to an Azure Monitor [Log Analytics workspace](../azure-monitor/platform/design-logs-deployment.md). The workspace is not only to monitor the machine for the supported operating system, but also to download the components required to install the Hybrid Runbook Worker.
+A Hybrid Runbook Worker can run on either the Windows or the Linux operating system, and this role relies on the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) reporting to an Azure Monitor [Log Analytics workspace](../azure-monitor/logs/design-logs-deployment.md). The workspace is not only to monitor the machine for the supported operating system, but also to download the components required to install the Hybrid Runbook Worker.
When Azure Automation [Update Management](./update-management/overview.md) is enabled, any machine connected to your Log Analytics workspace is automatically configured as a system Hybrid Runbook Worker. To configure it as a user Windows Hybrid Runbook Worker, see [Deploy a Windows Hybrid Runbook Worker](automation-windows-hrw-install.md) and for Linux, see [Deploy a Linux Hybrid Runbook Worker](automation-linux-hrw-install.md).
@@ -56,7 +56,7 @@ If you use a proxy server for communication between Azure Automation and machine
### Firewall use
-If you use a firewall to restrict access to the Internet, you must configure the firewall to permit access. If using the Log Analytics gateway as a proxy, ensure that it is configured for Hybrid Runbook Workers. See [Configure the Log Analytics gateway for Automation Hybrid Runbook Workers](../azure-monitor/platform/gateway.md).
+If you use a firewall to restrict access to the Internet, you must configure the firewall to permit access. If using the Log Analytics gateway as a proxy, ensure that it is configured for Hybrid Runbook Workers. See [Configure the Log Analytics gateway for Automation Hybrid Runbook Workers](../azure-monitor/agents/gateway.md).
### Service tags
automation https://docs.microsoft.com/en-us/azure/automation/automation-linux-hrw-install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-linux-hrw-install.md
@@ -21,13 +21,13 @@ Before you start, make sure that you have the following.
### A Log Analytics workspace
-The Hybrid Runbook Worker role depends on an Azure Monitor Log Analytics workspace to install and configure the role. You can create it through [Azure Resource Manager](../azure-monitor/samples/resource-manager-workspace.md#create-a-log-analytics-workspace), through [PowerShell](../azure-monitor/scripts/powershell-sample-create-workspace.md?toc=/powershell/module/toc.json), or in the [Azure portal](../azure-monitor/learn/quick-create-workspace.md).
+The Hybrid Runbook Worker role depends on an Azure Monitor Log Analytics workspace to install and configure the role. You can create it through [Azure Resource Manager](../azure-monitor/logs/resource-manager-workspace.md#create-a-log-analytics-workspace), through [PowerShell](../azure-monitor/logs/powershell-sample-create-workspace.md?toc=/powershell/module/toc.json), or in the [Azure portal](../azure-monitor/logs/quick-create-workspace.md).
-If you don't have an Azure Monitor Log Analytics workspace, review the [Azure Monitor Log design guidance](../azure-monitor/platform/design-logs-deployment.md) before you create the workspace.
+If you don't have an Azure Monitor Log Analytics workspace, review the [Azure Monitor Log design guidance](../azure-monitor/logs/design-logs-deployment.md) before you create the workspace.
### Log Analytics agent
-The Hybrid Runbook Worker role requires the [Log Analytics agent](../azure-monitor/platform/log-analytics-agent.md) for the supported Linux operating system. For servers or machines hosted outside of Azure, you can install the Log Analytics agent using [Azure Arc enabled servers](../azure-arc/servers/overview.md).
+The Hybrid Runbook Worker role requires the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) for the supported Linux operating system. For servers or machines hosted outside of Azure, you can install the Log Analytics agent using [Azure Arc enabled servers](../azure-arc/servers/overview.md).
>[!NOTE] >After installing the Log Analytics agent for Linux, you should not change the permissions of the `sudoers.d` folder or its ownership. Sudo permission is required for the **nxautomation** account, which is the user context the Hybrid Runbook Worker runs under. The permissions should not be removed. Restricting this to certain folders or commands may result in a breaking change.
automation https://docs.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-manage-send-joblogs-log-analytics.md
@@ -67,7 +67,7 @@ Automation diagnostic settings supports forwarding the following platform logs a
* DSCNodeStatus * Metrics - Total Jobs, Total Update Deployment Machine Runs, Total Update Deployment Runs
-To start sending your Automation logs to Azure Monitor logs, review [create diagnostic settings](../azure-monitor/platform/diagnostic-settings.md) to understand the feature and methods available to configure diagnostic settings to send platform logs.
+To start sending your Automation logs to Azure Monitor logs, review [create diagnostic settings](../azure-monitor/essentials/diagnostic-settings.md) to understand the feature and methods available to configure diagnostic settings to send platform logs.
## Azure Monitor log records
@@ -136,7 +136,7 @@ To create an alert rule, start by creating a log search for the runbook job reco
If you set up logs from more than one Automation account or subscription to your workspace, you can group your alerts by subscription and Automation account. Automation account name can be found in the `Resource` field in the search of `JobLogs`.
-3. To open the **Create rule** screen, click **New Alert Rule** at the top of the page. For more information on the options to configure the alert, see [Log alerts in Azure](../azure-monitor/platform/alerts-unified-log.md).
+3. To open the **Create rule** screen, click **New Alert Rule** at the top of the page. For more information on the options to configure the alert, see [Log alerts in Azure](../azure-monitor/alerts/alerts-unified-log.md).
### Find all jobs that have completed with errors
@@ -188,8 +188,8 @@ AzureDiagnostics
## Next steps
-* To learn how to construct search queries and review the Automation job logs with Azure Monitor logs, see [Log searches in Azure Monitor logs](../azure-monitor/log-query/log-query-overview.md).
+* To learn how to construct search queries and review the Automation job logs with Azure Monitor logs, see [Log searches in Azure Monitor logs](../azure-monitor/logs/log-query-overview.md).
* To understand creation and retrieval of output and error messages from runbooks, see [Monitor runbook output](automation-runbook-output-and-messages.md). * To learn more about runbook execution, how to monitor runbook jobs, and other technical details, see [Runbook execution in Azure Automation](automation-runbook-execution.md).
-* To learn more about Azure Monitor logs and data collection sources, see [Collecting Azure storage data in Azure Monitor logs overview](../azure-monitor/platform/resource-logs.md#send-to-log-analytics-workspace).
-* For help troubleshooting Log Analytics, see [Troubleshooting why Log Analytics is no longer collecting data](../azure-monitor/platform/manage-cost-storage.md#troubleshooting-why-log-analytics-is-no-longer-collecting-data).
+* To learn more about Azure Monitor logs and data collection sources, see [Collecting Azure storage data in Azure Monitor logs overview](../azure-monitor/essentials/resource-logs.md#send-to-log-analytics-workspace).
+* For help troubleshooting Log Analytics, see [Troubleshooting why Log Analytics is no longer collecting data](../azure-monitor/logs/manage-cost-storage.md#troubleshooting-why-log-analytics-is-no-longer-collecting-data).
automation https://docs.microsoft.com/en-us/azure/automation/automation-managing-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-managing-data.md
@@ -22,7 +22,7 @@ To insure the security of data in transit to Azure Automation, we strongly encou
Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are **not recommended**. We do not recommend explicitly setting your agent to only use TLS 1.2 unless absolutely necessary, as it can break platform level security features that allow you to automatically detect and take advantage of newer more secure protocols as they become available, such as TLS 1.3.
-For information about TLS 1.2 support with the Log Analytics agent for Windows and Linux, which is a dependency for the Hybrid Runbook Worker role, see [Log Analytics agent overview - TLS 1.2](..//azure-monitor/platform/log-analytics-agent.md#tls-12-protocol).
+For information about TLS 1.2 support with the Log Analytics agent for Windows and Linux, which is a dependency for the Hybrid Runbook Worker role, see [Log Analytics agent overview - TLS 1.2](..//azure-monitor/agents/log-analytics-agent.md#tls-12-protocol).
### Platform-specific guidance
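Review bot: The added line keeps the doubled slash from the removed line, `..//azure-monitor/agents/log-analytics-agent.md#tls-12-protocol`. Every other updated link in this change set uses `../azure-monitor/...`, so normalize this one to `../azure-monitor/agents/log-analytics-agent.md#tls-12-protocol` while the path is being changed, and confirm the `#tls-12-protocol` anchor still resolves in the relocated file, since this is the reference readers follow for the agent's TLS 1.2 guidance.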
automation https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-runbook-execution.md
@@ -81,18 +81,18 @@ A runbook requires appropriate [credentials](shared-resources/credentials.md) to
## Azure Monitor
-Azure Automation makes use of [Azure Monitor](../azure-monitor/overview.md) for monitoring its machine operations. The operations require a Log Analytics workspace and a [Log Analytics agent](../azure-monitor/platform/log-analytics-agent.md).
+Azure Automation makes use of [Azure Monitor](../azure-monitor/overview.md) for monitoring its machine operations. The operations require a Log Analytics workspace and a [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md).
### Log Analytics agent for Windows
-The [Log Analytics agent for Windows](../azure-monitor/platform/agent-windows.md) works with Azure Monitor to manage Windows VMs and physical computers. The machines can be running either in Azure or in a non-Azure environment, such as a local datacenter.
+The [Log Analytics agent for Windows](../azure-monitor/agents/agent-windows.md) works with Azure Monitor to manage Windows VMs and physical computers. The machines can be running either in Azure or in a non-Azure environment, such as a local datacenter.
>[!NOTE] >The Log Analytics agent for Windows was previously known as the Microsoft Monitoring Agent (MMA). ### Log Analytics agent for Linux
-The [Log Analytics agent for Linux](../azure-monitor/platform/agent-linux.md) works similarly to the agent for Windows, but connects Linux computers to Azure Monitor. The agent is installed with a **nxautomation** user account that allows execution of commands requiring root permissions, for example, on a Hybrid Runbook Worker. The **nxautomation** account is a system account that doesn't require a password.
+The [Log Analytics agent for Linux](../azure-monitor/agents/agent-linux.md) works similarly to the agent for Windows, but connects Linux computers to Azure Monitor. The agent is installed with a **nxautomation** user account that allows execution of commands requiring root permissions, for example, on a Hybrid Runbook Worker. The **nxautomation** account is a system account that doesn't require a password.
The **nxautomation** account with the corresponding sudo permissions must be present during [installation of a Linux Hybrid Runbook worker](automation-linux-hrw-install.md). If you try to install the worker and the account is not present or doesnΓÇÖt have the appropriate permissions, the installation fails.
automation https://docs.microsoft.com/en-us/azure/automation/automation-solution-vm-management-config https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-solution-vm-management-config.md
@@ -140,7 +140,7 @@ To change email notifications after Start/Stop VMs during off-hours is deployed,
:::image type="content" source="media/automation-solution-vm-management/change-email.png" alt-text="Screenshot of the Email/SMS/Push/Voice page showing an example email address updated.":::
- Alternatively you can add additional actions to the action group, to learn more about action groups, see [action groups](../azure-monitor/platform/action-groups.md)
+ Alternatively you can add additional actions to the action group, to learn more about action groups, see [action groups](../azure-monitor/alerts/action-groups.md)
The following is an example email that is sent when the feature shuts down virtual machines.
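Review bot: The added line in this hunk is a comma splice with no terminal period: "Alternatively you can add additional actions to the action group, to learn more about action groups, see [action groups](...)". Since the line is already being touched for the link move, split it into two sentences ("Alternatively, you can add additional actions to the action group. To learn more, see [action groups](...).") so it matches the punctuation of the surrounding steps.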
automation https://docs.microsoft.com/en-us/azure/automation/automation-solution-vm-management-enable https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-solution-vm-management-enable.md
@@ -77,7 +77,7 @@ After you click **OK**, the configuration options are validated and the Automati
4. Use the **Schedule** field to select a schedule for VM management by the feature. Select a start date and time for your schedule, to create a recurring daily schedule starting at the chosen time. Selecting a different region is not available. To configure the schedule to your specific time zone after configuring the feature, see [Modify the startup and shutdown schedules](automation-solution-vm-management-config.md#modify-the-startup-and-shutdown-schedules).
-5. To receive email notifications from an [action group](../azure-monitor/platform/action-groups.md), accept the default value of **Yes** in the **Email notifications** field, and provide a valid email address. If you select **No** but decide at a later date that you want to receive email notifications, you can update the action group that is created with valid email addresses separated by commas.
+5. To receive email notifications from an [action group](../azure-monitor/alerts/action-groups.md), accept the default value of **Yes** in the **Email notifications** field, and provide a valid email address. If you select **No** but decide at a later date that you want to receive email notifications, you can update the action group that is created with valid email addresses separated by commas.
6. Enable the following alert rules:
@@ -87,7 +87,7 @@ After you click **OK**, the configuration options are validated and the Automati
## Create alerts
-Start/Stop VMs during off-hours doesn't include a predefined set of alerts. Review [Create log alerts with Azure Monitor](../azure-monitor/platform/alerts-log.md) to learn how to create job failed alerts to support your DevOps or operational processes and procedures.
+Start/Stop VMs during off-hours doesn't include a predefined set of alerts. Review [Create log alerts with Azure Monitor](../azure-monitor/alerts/alerts-log.md) to learn how to create job failed alerts to support your DevOps or operational processes and procedures.
## Deploy the feature
automation https://docs.microsoft.com/en-us/azure/automation/automation-solution-vm-management-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-solution-vm-management-logs.md
@@ -9,7 +9,7 @@
# Query logs from Start/Stop VMs during off-hours
-Azure Automation forwards two types of records to the linked Log Analytics workspace: job logs and job streams. This article reviews the data available for [query](../azure-monitor/log-query/log-query-overview.md) in Azure Monitor.
+Azure Automation forwards two types of records to the linked Log Analytics workspace: job logs and job streams. This article reviews the data available for [query](../azure-monitor/logs/log-query-overview.md) in Azure Monitor.
## Job logs
@@ -67,5 +67,5 @@ The following table provides sample log searches for job records collected by St
## Next steps * To set up the feature, see [Configure Stop/Start VMs during off-hours](automation-solution-vm-management-config.md).
-* For information on log alerts during feature deployment, see [Create log alerts with Azure Monitor](../azure-monitor/platform/alerts-log.md).
+* For information on log alerts during feature deployment, see [Create log alerts with Azure Monitor](../azure-monitor/alerts/alerts-log.md).
* To resolve feature errors, see [Troubleshoot Start/Stop VMs during off-hours issues](troubleshoot/start-stop-vm.md).
automation https://docs.microsoft.com/en-us/azure/automation/automation-solution-vm-management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-solution-vm-management.md
@@ -9,7 +9,7 @@
# Start/Stop VMs during off-hours overview
-The Start/Stop VMs during off-hours feature start or stops enabled Azure VMs. It starts or stops machines on user-defined schedules, provides insights through Azure Monitor logs, and sends optional emails by using [action groups](../azure-monitor/platform/action-groups.md). The feature can be enabled on both Azure Resource Manager and classic VMs for most scenarios.
+The Start/Stop VMs during off-hours feature start or stops enabled Azure VMs. It starts or stops machines on user-defined schedules, provides insights through Azure Monitor logs, and sends optional emails by using [action groups](../azure-monitor/alerts/action-groups.md). The feature can be enabled on both Azure Resource Manager and classic VMs for most scenarios.
This feature uses [Start-AzVm](/powershell/module/az.compute/start-azvm) cmdlet to start VMs. It uses [Stop-AzVM](/powershell/module/az.compute/stop-azvm) for stopping VMs.
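Review bot: The opening sentence on the changed line has a subject-verb mismatch: "feature start or stops enabled Azure VMs" should read "feature starts or stops enabled Azure VMs". The link update rewrites this line anyway, so fix it in the same commit. The context line below also spells the cmdlets with different casing (`Start-AzVm` and `Stop-AzVM`); use one form for both.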
automation https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-installed-software https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-tutorial-installed-software.md
@@ -42,7 +42,7 @@ First you need to enable Change tracking and Inventory for this tutorial. If you
1. Navigate to your Automation account and select **Inventory** or **Change tracking** under **Configuration Management**.
-2. Choose the [Log Analytics](../azure-monitor/log-query/log-query-overview.md) workspace. This workspace collects data that is generated by features such as Change Tracking and Inventory. The workspace provides a single location to review and analyze data from multiple sources.
+2. Choose the [Log Analytics](../azure-monitor/logs/log-query-overview.md) workspace. This workspace collects data that is generated by features such as Change Tracking and Inventory. The workspace provides a single location to review and analyze data from multiple sources.
[!INCLUDE [azure-monitor-log-analytics-rebrand](../../includes/azure-monitor-log-analytics-rebrand.md)]
@@ -74,7 +74,7 @@ After the feature is enabled, information about installed software and changes o
To enable non-Azure machines for the feature:
-1. Install the [Log Analytics agent for Windows](../azure-monitor/platform/agent-windows.md) or [Log Analytics agent for Linux](automation-linux-hrw-install.md), depending on your operating system.
+1. Install the [Log Analytics agent for Windows](../azure-monitor/agents/agent-windows.md) or [Log Analytics agent for Linux](automation-linux-hrw-install.md), depending on your operating system.
2. Navigate to your Automation account and go to **Inventory** or **Change tracking** under **Configuration Management**.
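Review bot: In step 1, only the Windows agent link was moved to `../azure-monitor/agents/agent-windows.md`. The Linux link in the same sentence still has the text "Log Analytics agent for Linux" but targets `automation-linux-hrw-install.md`, which is the Hybrid Runbook Worker install article. If the intent is agent installation on both platforms, point the Linux link at `../azure-monitor/agents/agent-linux.md` (the path other hunks in this batch already use) so the two links are parallel.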
@@ -116,7 +116,7 @@ ConfigurationData
| summarize arg_max(TimeGenerated, *) by SoftwareName, Computer ```
-To learn more about running and searching log files in Azure Monitor logs, see [Azure Monitor logs](../azure-monitor/log-query/log-query-overview.md).
+To learn more about running and searching log files in Azure Monitor logs, see [Azure Monitor logs](../azure-monitor/logs/log-query-overview.md).
## See the software inventory for a single machine
automation https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-troubleshoot-changes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-tutorial-troubleshoot-changes.md
@@ -49,7 +49,7 @@ First you need to enable Change Tracking and Inventory for this tutorial. If you
![Enable change](./media/automation-tutorial-troubleshoot-changes/enableinventory.png)
-3. Choose the [Log Analytics](../azure-monitor/log-query/log-query-overview.md) workspace. This workspace collects data that is generated by features such as Change Tracking and Inventory. The workspace provides a single location to review and analyze data from multiple sources.
+3. Choose the [Log Analytics](../azure-monitor/logs/log-query-overview.md) workspace. This workspace collects data that is generated by features such as Change Tracking and Inventory. The workspace provides a single location to review and analyze data from multiple sources.
[!INCLUDE [azure-monitor-log-analytics-rebrand](../../includes/azure-monitor-log-analytics-rebrand.md)]
@@ -75,7 +75,7 @@ ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped" ```
-To learn more about running and searching log files in Azure Monitor logs, see [Azure Monitor logs](../azure-monitor/log-query/log-query-overview.md).
+To learn more about running and searching log files in Azure Monitor logs, see [Azure Monitor logs](../azure-monitor/logs/log-query-overview.md).
## Configure change tracking
@@ -193,7 +193,7 @@ Viewing changes in the Azure portal can be helpful, but being able to be alerted
![Configure signal logic](./media/automation-tutorial-troubleshoot-changes/configure-signal-logic.png)
-10. Select **Create New** under **Action Groups**. An action group is a group of actions that you can use across multiple alerts. The actions can include but are not limited to email notifications, runbooks, webhooks, and many more. To learn more about action groups, see [Create and manage action groups](../azure-monitor/platform/action-groups.md).
+10. Select **Create New** under **Action Groups**. An action group is a group of actions that you can use across multiple alerts. The actions can include but are not limited to email notifications, runbooks, webhooks, and many more. To learn more about action groups, see [Create and manage action groups](../azure-monitor/alerts/action-groups.md).
11. Under **Alert details**, enter a name and description for the alert.
automation https://docs.microsoft.com/en-us/azure/automation/automation-windows-hrw-install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-windows-hrw-install.md
@@ -20,13 +20,13 @@ Before you start, make sure that you have the following.
### A Log Analytics workspace
-The Hybrid Runbook Worker role depends on an Azure Monitor Log Analytics workspace to install and configure the role. You can create it through [Azure Resource Manager](../azure-monitor/samples/resource-manager-workspace.md#create-a-log-analytics-workspace), through [PowerShell](../azure-monitor/scripts/powershell-sample-create-workspace.md?toc=/powershell/module/toc.json), or in the [Azure portal](../azure-monitor/learn/quick-create-workspace.md).
+The Hybrid Runbook Worker role depends on an Azure Monitor Log Analytics workspace to install and configure the role. You can create it through [Azure Resource Manager](../azure-monitor/logs/resource-manager-workspace.md#create-a-log-analytics-workspace), through [PowerShell](../azure-monitor/logs/powershell-sample-create-workspace.md?toc=/powershell/module/toc.json), or in the [Azure portal](../azure-monitor/logs/quick-create-workspace.md).
-If you don't have an Azure Monitor Log Analytics workspace, review the [Azure Monitor Log design guidance](../azure-monitor/platform/design-logs-deployment.md) before you create the workspace.
+If you don't have an Azure Monitor Log Analytics workspace, review the [Azure Monitor Log design guidance](../azure-monitor/logs/design-logs-deployment.md) before you create the workspace.
### Log Analytics agent
-The Hybrid Runbook Worker role requires the [Log Analytics agent](../azure-monitor/platform/log-analytics-agent.md) for the supported Windows operating system. For servers or machines hosted outside of Azure, you can install the Log Analytics agent using [Azure Arc enabled servers](../azure-arc/servers/overview.md).
+The Hybrid Runbook Worker role requires the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) for the supported Windows operating system. For servers or machines hosted outside of Azure, you can install the Log Analytics agent using [Azure Arc enabled servers](../azure-arc/servers/overview.md).
### Supported Windows operating system
automation https://docs.microsoft.com/en-us/azure/automation/change-tracking/configure-alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/configure-alerts.md
@@ -11,7 +11,7 @@
Alerts in Azure proactively notify you of results from runbook jobs, service health issues, or other scenarios related to your Automation account. Azure Automation does not include pre-configured alert rules, but you can create your own based on data that it generates. This article provides guidance on creating alert rules based on changes identified by Change Tracking and Inventory.
-If you're not familiar with Azure Monitor alerts, see [Overview of alerts in Microsoft Azure](../../azure-monitor/platform/alerts-overview.md) before you start. To learn more about alerts that use log queries, see [Log alerts in Azure Monitor](../../azure-monitor/platform/alerts-unified-log.md).
+If you're not familiar with Azure Monitor alerts, see [Overview of alerts in Microsoft Azure](../../azure-monitor/alerts/alerts-overview.md) before you start. To learn more about alerts that use log queries, see [Log alerts in Azure Monitor](../../azure-monitor/alerts/alerts-unified-log.md).
## Create alert
@@ -33,11 +33,11 @@ Let's use this example to discuss the steps for creating alerts on a change.
5. After the alert logic is set, assign action groups to perform actions in response to triggering of the alert. In this case, we're setting up emails to be sent and an IT Service Management (ITSM) ticket to be created.
-Follow the steps below to set up alerts to let you know the status of an update deployment. If you are new to Azure alerts, see [Azure Alerts overview](../../azure-monitor/platform/alerts-overview.md).
+Follow the steps below to set up alerts to let you know the status of an update deployment. If you are new to Azure alerts, see [Azure Alerts overview](../../azure-monitor/alerts/alerts-overview.md).
## Configure action groups for your alerts
-Once you have your alerts configured, you can set up an action group, which is a group of actions to use across multiple alerts. The actions can include email notifications, runbooks, webhooks, and much more. To learn more about action groups, see [Create and manage action groups](../../azure-monitor/platform/action-groups.md).
+Once you have your alerts configured, you can set up an action group, which is a group of actions to use across multiple alerts. The actions can include email notifications, runbooks, webhooks, and much more. To learn more about action groups, see [Create and manage action groups](../../azure-monitor/alerts/action-groups.md).
1. Select an alert and then select **Create New** under **Action Groups**.
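Review bot: The changed sentence "Follow the steps below to set up alerts to let you know the status of an update deployment" does not match this article, which the introduction describes as guidance on alert rules based on changes identified by Change Tracking and Inventory. It reads like text carried over from an Update Management article; reword it to refer to change alerts. The same sentence also repeats the alerts overview link that the introduction already gives, so the second pointer can be dropped.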
@@ -61,8 +61,8 @@ Once you have your alerts configured, you can set up an action group, which is a
## Next steps
-* Learn more about [alerts in Azure Monitor](../../azure-monitor/platform/alerts-overview.md).
+* Learn more about [alerts in Azure Monitor](../../azure-monitor/alerts/alerts-overview.md).
-* Learn about [log queries](../../azure-monitor/log-query/log-query-overview.md) to retrieve and analyze data from a Log Analytics workspace.
+* Learn about [log queries](../../azure-monitor/logs/log-query-overview.md) to retrieve and analyze data from a Log Analytics workspace.
-* Manage [usage and costs with Azure Monitor Logs](../../azure-monitor/platform/manage-cost-storage.md) describes how to control your costs by changing your data retention period, and how to analyze and alert on your data usage.
+* Manage [usage and costs with Azure Monitor Logs](../../azure-monitor/logs/manage-cost-storage.md) describes how to control your costs by changing your data retention period, and how to analyze and alert on your data usage.
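Review bot: The last bullet does not parse: "Manage [usage and costs with Azure Monitor Logs](...) describes how to control your costs" has the verb "Manage" outside the link and then a second verb, "describes". Put the whole title inside the link text ("[Manage usage and costs with Azure Monitor Logs](...) describes how to ...") or rewrite it in the "Learn about ..." pattern the other two bullets use.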
automation https://docs.microsoft.com/en-us/azure/automation/change-tracking/enable-from-automation-account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/enable-from-automation-account.md
@@ -48,7 +48,7 @@ Machines not in Azure need to be added manually. We recommend installing the Log
1. From your Automation account select **Inventory** or **Change tracking** under **Configuration Management**.
-2. Click **Add non-Azure machine**. This action opens up a new browser window with [instructions to install and configure the Log Analytics agent for Windows](../../azure-monitor/platform/log-analytics-agent.md) so that the machine can begin reporting Change Tracking and Inventory operations. If you're enabling a machine that's currently managed by Operations Manager, a new agent isn't required and the workspace information is entered into the existing agent.
+2. Click **Add non-Azure machine**. This action opens up a new browser window with [instructions to install and configure the Log Analytics agent for Windows](../../azure-monitor/agents/log-analytics-agent.md) so that the machine can begin reporting Change Tracking and Inventory operations. If you're enabling a machine that's currently managed by Operations Manager, a new agent isn't required and the workspace information is entered into the existing agent.
## Enable machines in the workspace
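Review bot: In step 2 the link text says "instructions to install and configure the Log Analytics agent for Windows", but the target is the general `log-analytics-agent.md` article and the step applies to any non-Azure machine. Either change the link text to "the Log Analytics agent" or link to the Windows-specific article, and say where a Linux machine should go, so the text and the target agree.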
automation https://docs.microsoft.com/en-us/azure/automation/change-tracking/enable-from-runbook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/enable-from-runbook.md
@@ -23,7 +23,7 @@ This method uses two runbooks:
* Azure subscription. If you don't have one yet, you can [activate your MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/) or sign up for a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * [Automation account](../automation-security-overview.md) to manage machines.
-* [Log Analytics workspace](../../azure-monitor/platform/design-logs-deployment.md)
+* [Log Analytics workspace](../../azure-monitor/logs/design-logs-deployment.md)
* A [virtual machine](../../virtual-machines/windows/quick-create-portal.md). * Two Automation assets, which are used by the **Enable-AutomationSolution** runbook. This runbook, if it doesn't already exist in your Automation account, is automatically imported by the **Enable-MultipleSolution** runbook during its first run. * *LASolutionSubscriptionId*: Subscription ID of where the Log Analytics workspace is located.
automation https://docs.microsoft.com/en-us/azure/automation/change-tracking/manage-change-tracking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/manage-change-tracking.md
@@ -162,7 +162,7 @@ You can do various searches against the Azure Monitor logs for change records. W
## Next steps * For information about scope configurations, see [Limit Change Tracking and Inventory deployment scope](manage-scope-configurations.md).
-* If you need to search logs stored in Azure Monitor Logs, see [Log searches in Azure Monitor Logs](../../azure-monitor/log-query/log-query-overview.md).
+* If you need to search logs stored in Azure Monitor Logs, see [Log searches in Azure Monitor Logs](../../azure-monitor/logs/log-query-overview.md).
* If finished with deployments, see [Remove Change Tracking and Inventory](remove-feature.md). * To delete your VMs from Change Tracking and Inventory, see [Remove VMs from Change Tracking and Inventory](remove-vms-from-change-tracking.md). * To troubleshoot feature errors, see [Troubleshoot Change Tracking and Inventory issues](../troubleshoot/change-tracking.md).
automation https://docs.microsoft.com/en-us/azure/automation/change-tracking/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/overview.md
@@ -29,9 +29,9 @@ Change Tracking and Inventory makes use of [Azure Security Center File Integrity
Enabling all features included in Change Tracking and Inventory might cause additional charges. Before proceeding, review [Automation Pricing](https://azure.microsoft.com/pricing/details/automation/) and [Azure Monitor Pricing](https://azure.microsoft.com/pricing/details/monitor/).
-Change Tracking and Inventory forwards data to Azure Monitor Logs, and this collected data is stored in a Log Analytics workspace. The File Integrity Monitoring (FIM) feature is available only when **Azure Defender for servers** is enabled. See Azure Security Center [Pricing](../../security-center/security-center-pricing.md) to learn more. FIM uploads data to the same Log Analytics workspace as the one created to store data from Change Tracking and Inventory. We recommend that you monitor your linked Log Analytics workspace to keep track of your exact usage. For more information about analyzing Azure Monitor Logs data usage, see [Manage usage and cost](../../azure-monitor/platform/manage-cost-storage.md).
+Change Tracking and Inventory forwards data to Azure Monitor Logs, and this collected data is stored in a Log Analytics workspace. The File Integrity Monitoring (FIM) feature is available only when **Azure Defender for servers** is enabled. See Azure Security Center [Pricing](../../security-center/security-center-pricing.md) to learn more. FIM uploads data to the same Log Analytics workspace as the one created to store data from Change Tracking and Inventory. We recommend that you monitor your linked Log Analytics workspace to keep track of your exact usage. For more information about analyzing Azure Monitor Logs data usage, see [Manage usage and cost](../../azure-monitor/logs/manage-cost-storage.md).
-Machines connected to the Log Analytics workspace use the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md) to collect data about changes to installed software, Microsoft services, Windows registry and files, and Linux daemons on monitored servers. When data is available, the agent sends it to Azure Monitor Logs for processing. Azure Monitor Logs applies logic to the received data, records it, and makes it available for analysis.
+Machines connected to the Log Analytics workspace use the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) to collect data about changes to installed software, Microsoft services, Windows registry and files, and Linux daemons on monitored servers. When data is available, the agent sends it to Azure Monitor Logs for processing. Azure Monitor Logs applies logic to the received data, records it, and makes it available for analysis.
> [!NOTE] > Change Tracking and Inventory requires linking a Log Analytics workspace to your Automation account. For a definitive list of supported regions, see [Azure Workspace mappings](../how-to/region-mappings.md). The region mappings don't affect the ability to manage VMs in a separate region from your Automation account.
@@ -53,7 +53,7 @@ Change Tracking and Inventory doesn't support or has the following limitations:
## Supported operating systems
-Change Tracking and Inventory is supported on all operating systems that meet Log Analytics agent requirements. See [supported operating systems](../../azure-monitor/platform/agents-overview.md#supported-operating-systems) for a list of the Windows and Linux operating system versions that are currently supported by the Log Analytics agent.
+Change Tracking and Inventory is supported on all operating systems that meet Log Analytics agent requirements. See [supported operating systems](../../azure-monitor/agents/agents-overview.md#supported-operating-systems) for a list of the Windows and Linux operating system versions that are currently supported by the Log Analytics agent.
To understand client requirements for TLS 1.2, see [TLS 1.2 enforcement for Azure Automation](../automation-managing-data.md#tls-12-enforcement-for-azure-automation).
@@ -154,7 +154,7 @@ The following table shows the tracked item limits per machine for Change Trackin
|Services|250| |Daemons|250|
-The average Log Analytics data usage for a machine using Change Tracking and Inventory is approximately 40 MB per month, depending on your environment. With the Usage and Estimated Costs feature of the Log Analytics workspace, you can view the data ingested by Change Tracking and Inventory in a usage chart. Use this data view to evaluate your data usage and determine how it affects your bill. See [Understand your usage and estimate costs](../../azure-monitor/platform/manage-cost-storage.md#understand-your-usage-and-estimate-costs).
+The average Log Analytics data usage for a machine using Change Tracking and Inventory is approximately 40 MB per month, depending on your environment. With the Usage and Estimated Costs feature of the Log Analytics workspace, you can view the data ingested by Change Tracking and Inventory in a usage chart. Use this data view to evaluate your data usage and determine how it affects your bill. See [Understand your usage and estimate costs](../../azure-monitor/logs/manage-cost-storage.md#understand-your-usage-and-estimate-costs).
### Microsoft service data
automation https://docs.microsoft.com/en-us/azure/automation/how-to/automation-region-dns-records https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/how-to/automation-region-dns-records.md
@@ -16,7 +16,7 @@ The [Azure Automation](../automation-intro.md) service uses a number of DNS reco
* Webhooks >[!NOTE]
->Linux Hybrid Runbook Worker registration will fail with the new records unless it is version 1.6.10.2 or higher. You must upgrade to a newer version of the [Log Analytics agent for Linux](../../azure-monitor/platform/agent-linux.md) in order for the machine to receive an updated version of the worker role and use these new records. Existing machines will continue working without any issues.
+>Linux Hybrid Runbook Worker registration will fail with the new records unless it is version 1.6.10.2 or higher. You must upgrade to a newer version of the [Log Analytics agent for Linux](../../azure-monitor/agents/agent-linux.md) in order for the machine to receive an updated version of the worker role and use these new records. Existing machines will continue working without any issues.
## DNS records per region
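Review bot: In the note, "registration will fail with the new records unless it is version 1.6.10.2 or higher" leaves "it" without a clear referent. The next sentence says the machine receives an updated worker role by upgrading the Log Analytics agent for Linux, so a reader cannot tell whether 1.6.10.2 is the worker version or the agent version. Name the component explicitly, for example "unless the worker is version 1.6.10.2 or higher", if that is what is meant.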
automation https://docs.microsoft.com/en-us/azure/automation/how-to/private-link-security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/how-to/private-link-security.md
@@ -29,7 +29,7 @@ With Private Link you can:
- Connect privately to Azure Monitor Log Analytics workspace without opening any public network access. >[!NOTE]
- >A separate private endpoint for your Log Analytics workspace is required if your Automation account is linked to a Log Analytics workspace to forward job data, and when you have enabled features such as Update Management, Change Tracking and Inventory, State Configuration, or Start/Stop VMs during off-hours. For more information about Private Link for Azure Monitor, see [Use Azure Private Link to securely connect networks to Azure Monitor](../../azure-monitor/platform/private-link-security.md).
+ >A separate private endpoint for your Log Analytics workspace is required if your Automation account is linked to a Log Analytics workspace to forward job data, and when you have enabled features such as Update Management, Change Tracking and Inventory, State Configuration, or Start/Stop VMs during off-hours. For more information about Private Link for Azure Monitor, see [Use Azure Private Link to securely connect networks to Azure Monitor](../../azure-monitor/logs/private-link-security.md).
- Ensure your Automation data is only accessed through authorized private networks. - Prevent data exfiltration from your private networks by defining your Azure Automation resource that connects through your private endpoint.
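Review bot: The note's condition is ambiguous: "is required if your Automation account is linked to a Log Analytics workspace to forward job data, and when you have enabled features such as Update Management ...". It is unclear whether the separate private endpoint is needed only when both conditions hold or when either one does. Because this decides whether workspace traffic stays on the private network, state it explicitly, for example "if ... to forward job data, or if you have enabled features such as ...", whichever is correct.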
@@ -41,8 +41,8 @@ For more information, see [Key Benefits of Private Link](../../private-link/pri
## Limitations - In the current implementation of Private Link, Automation account cloud jobs cannot access Azure resources that are secured using private endpoint. For example, Azure Key Vault, Azure SQL, Azure Storage account, etc. To workaround this, use a [Hybrid Runbook Worker](../automation-hybrid-runbook-worker.md) instead.-- You need to use the latest version of the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md) for Windows or Linux.-- The [Log Analytics Gateway](../../azure-monitor/platform/gateway.md) does not support Private Link.
+- You need to use the latest version of the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) for Windows or Linux.
+- The [Log Analytics Gateway](../../azure-monitor/agents/gateway.md) does not support Private Link.
## How it works
@@ -71,7 +71,7 @@ To understand & configure Update Management review [About Update Management](../
If you want your machines configured for Update management to connect to Automation & Log Analytics workspace in a secure manner over Private Link channel, you have to enable Private Link for the Log Analytics workspace linked to the Automation Account configured with Private Link.
-You can control how a Log Analytics workspace can be reached from outside of the Private Link scopes by following the steps described in [Configure Log Analytics](../../azure-monitor/platform/private-link-security.md#configure-log-analytics). If you set **Allow public network access for ingestion** to **No**, then machines outside of the connected scopes cannot upload data to this workspace. If you set **Allow public network access for queries** to **No**, then machines outside of the scopes cannot access data in this workspace.
+You can control how a Log Analytics workspace can be reached from outside of the Private Link scopes by following the steps described in [Configure Log Analytics](../../azure-monitor/logs/private-link-security.md#configure-log-analytics). If you set **Allow public network access for ingestion** to **No**, then machines outside of the connected scopes cannot upload data to this workspace. If you set **Allow public network access for queries** to **No**, then machines outside of the scopes cannot access data in this workspace.
Use **DSCAndHybridWorker** target sub-resource to enable Private Link for user & system hybrid workers.
automation https://docs.microsoft.com/en-us/azure/automation/learn/automation-tutorial-runbook-textual-python-3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/learn/automation-tutorial-runbook-textual-python-3.md
@@ -3,7 +3,7 @@ Title: Create a Python 3 runbook (preview) in Azure Automation
description: This article teaches you to create, test, and publish a simple Python 3 runbook (preview). Previously updated : 12/22/2020 Last updated : 02/16/2021
@@ -34,7 +34,7 @@ To complete this tutorial, you need the following:
* If you have both Python 2 and Python 3 installed and you want to run both types of runbooks, then you need to configure the following environmental variables: * Python 2 - Create a new environmental variable called `PYTHON_2_PATH` and specify the installation folder. For example, if the installation folder is `C:\Python27`, then this path needs to be added to the variable.
-
+ * Python 3 - Create a new environmental variable called `PYTHON_3_PATH` and specify the installation folder. For example, if the installation folder is `C:\Python3`, then this path needs to be added to the variable. ## Create a new runbook
@@ -124,23 +124,17 @@ To do this, the script has to authenticate using the credentials from your Autom
2. Add the following code to authenticate to Azure:
- ```python
- import os
- from azure.mgmt.compute import ComputeManagementClient
- import azure.mgmt.resource
- import automationassets
-
- def get_automation_runas_credential(runas_connection):
+ ```python
from OpenSSL import crypto import binascii from msrestazure import azure_active_directory import adal
-
+ # Get the Azure Automation RunAs service principal certificate cert = automationassets.get_automation_certificate("AzureRunAsCertificate") pks12_cert = crypto.load_pkcs12(cert) pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM,pks12_cert.get_privatekey()) -
+
# Get run as connection information for the Azure Automation service principal application_id = runas_connection["ApplicationId"] thumbprint = runas_connection["CertificateThumbprint"]
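Review bot: The removed lines drop `import automationassets` and the `def get_automation_runas_credential(runas_connection):` header, but the body kept in this hunk still calls `automationassets.get_automation_certificate("AzureRunAsCertificate")` and reads `runas_connection["ApplicationId"]`, so the published snippet uses two names it never defines. Keep the import and the function definition, or add the import and fetch the connection with `automationassets.get_automation_connection("AzureRunAsConnection")` before the certificate is loaded. This block extracts the Run As private key, and readers will paste it unchanged, so it needs to run as shown.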
@@ -151,17 +145,13 @@ To do this, the script has to authenticate using the credentials from your Autom
authority_url = ("https://login.microsoftonline.com/"+tenant_id) context = adal.AuthenticationContext(authority_url) return azure_active_directory.AdalAuthentication(
- lambda: context.acquire_token_with_client_certificate(
- resource,
- application_id,
- pem_pkey,
- thumbprint)
+ lambda: context.acquire_token_with_client_certificate(
+ resource,
+ application_id,
+ pem_pkey,
+ thumbprint)
)
-
- # Authenticate to Azure using the Azure Automation RunAs service principal
- runas_connection = automationassets.get_automation_connection("AzureRunAsConnection")
- azure_credential = get_automation_runas_credential(runas_connection)
- ```
+ ```
## Add code to create Python Compute client and start the VM
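Review bot: The context line `return azure_active_directory.AdalAuthentication(` stays in the sample while the enclosing `def get_automation_runas_credential(runas_connection):` is deleted in the preceding hunk, which leaves a `return` at module level, a Python syntax error. The three lines removed at the end of this hunk were also the only place where `runas_connection` was fetched and `azure_credential` was assigned. Restore the function wrapper and its call, or assign the `AdalAuthentication` result to `azure_credential` directly and fetch the connection before it is first read.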
automation https://docs.microsoft.com/en-us/azure/automation/migrate-oms-update-deployments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/migrate-oms-update-deployments.md
@@ -8,7 +8,7 @@
# Migrate Azure Monitor logs update deployments to Azure portal
-The Operations Management Suite (OMS) portal is being [deprecated](../azure-monitor/platform/oms-portal-transition.md). All functionality that was available in the OMS portal for Update Management is available in the Azure portal, through Azure Monitor logs. This article provides the information you need to migrate to the Azure portal.
+The Operations Management Suite (OMS) portal is being [deprecated](../azure-monitor/logs/oms-portal-transition.md). All functionality that was available in the OMS portal for Update Management is available in the Azure portal, through Azure Monitor logs. This article provides the information you need to migrate to the Azure portal.
## Key information
@@ -35,7 +35,7 @@ The Operations Management Suite (OMS) portal is being [deprecated](../azure-moni
## Recreate existing deployments
-All update deployments created in the OMS portal have a [saved search](../azure-monitor/platform/computer-groups.md) also known as a computer group, with the same name as the update deployment that exists. The saved search contains the list of machines that were scheduled in the update deployment.
+All update deployments created in the OMS portal have a [saved search](../azure-monitor/logs/computer-groups.md) also known as a computer group, with the same name as the update deployment that exists. The saved search contains the list of machines that were scheduled in the update deployment.
:::image type="content" source="media/migrate-oms-update-deployments/oms-deployment.png" alt-text="Screenshot of the Update Deployments page with the Name and Servers fields highlighted.":::
@@ -53,7 +53,7 @@ To use this existing saved search, follow these steps:
| | | |Name |Unique name to identify the update deployment. | |Operating System| Select **Linux** or **Windows**.|
- |Machines to update |Select a Saved search, Imported group, or pick Machine from the dropdown and select individual machines. If you choose **Machines**, the readiness of the machine is shown in the **UPDATE AGENT READINESS** column.</br> To learn about the different methods of creating computer groups in Azure Monitor logs, see [Computer groups in Azure Monitor logs](../azure-monitor/platform/computer-groups.md) |
+ |Machines to update |Select a Saved search, Imported group, or pick Machine from the dropdown and select individual machines. If you choose **Machines**, the readiness of the machine is shown in the **UPDATE AGENT READINESS** column.</br> To learn about the different methods of creating computer groups in Azure Monitor logs, see [Computer groups in Azure Monitor logs](../azure-monitor/logs/computer-groups.md) |
|Update classifications|Select all the update classifications that you need. CentOS does not support this out of the box.| |Updates to exclude|Enter the updates to exclude. For Windows, enter the KB article without the **KB** prefix. For Linux, enter the package name or use a wildcard character. | |Schedule settings|Select the time to start, and then select either **Once** or **Recurring** for the recurrence. |
automation https://docs.microsoft.com/en-us/azure/automation/quickstart-create-automation-account-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/quickstart-create-automation-account-template.md
@@ -75,11 +75,11 @@ The JSON template specifies a default value for the other parameters that would
If you're new to Azure Automation and Azure Monitor, it's important that you understand the following configuration details. They can help you avoid errors when you try to create, configure, and use a Log Analytics workspace linked to your new Automation account.
-* Review [additional details](../azure-monitor/samples/resource-manager-workspace.md#create-a-log-analytics-workspace) to fully understand workspace configuration options, such as access control mode, pricing tier, retention, and capacity reservation level.
+* Review [additional details](../azure-monitor/logs/resource-manager-workspace.md#create-a-log-analytics-workspace) to fully understand workspace configuration options, such as access control mode, pricing tier, retention, and capacity reservation level.
* Review [workspace mappings](how-to/region-mappings.md) to specify the supported regions inline or in a parameter file. Only certain regions are supported for linking a Log Analytics workspace and an Automation account in your subscription.
-* If you're new to Azure Monitor logs and have not deployed a workspace already, you should review the [workspace design guidance](../azure-monitor/platform/design-logs-deployment.md). It will help you to learn about access control, and understand the design implementation strategies we recommend for your organization.
+* If you're new to Azure Monitor logs and have not deployed a workspace already, you should review the [workspace design guidance](../azure-monitor/logs/design-logs-deployment.md). It will help you to learn about access control, and understand the design implementation strategies we recommend for your organization.
## Deploy the template
automation https://docs.microsoft.com/en-us/azure/automation/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/security-baseline.md
@@ -178,9 +178,9 @@ You may use Azure PowerShell or Azure CLI to look-up or perform actions on resou
**Guidance**: Use Azure Activity Log to monitor resource configurations and detect changes to your network resources. Create alerts within Azure Monitor that will trigger when changes to critical resources take place.
-* [How to view and retrieve Azure Activity Log events](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+* [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
-* [How to create alerts in Azure Monitor](../azure-monitor/platform/alerts-activity-log.md)
+* [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
**Azure Security Center monitoring**: Currently not available
@@ -208,7 +208,7 @@ Alternatively, you may enable and on-board data to Azure Sentinel or a third-par
* [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md)
-* [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/platform/diagnostic-settings.md)
+* [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
* [How to get started with Azure Monitor and third-party SIEM integration](https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/)
@@ -228,9 +228,9 @@ Alternatively, you may enable and on-board data to Azure Sentinel or a third-par
**Guidance**: Enable Azure Monitor for access to your audit and activity logs which includes event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
-* [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/platform/diagnostic-settings.md)
+* [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
-* [View and retrieve Azure Activity log events](../azure-monitor/platform/activity-log.md#view-the-activity-log)
+* [View and retrieve Azure Activity log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
**Azure Security Center monitoring**: Yes
@@ -252,7 +252,7 @@ When using the Hybrid Runbook Worker feature, Azure Security Center provides Sec
**Guidance**: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.
-* [Change the data retention period in Log Analytics](../azure-monitor/platform/manage-cost-storage.md#change-the-data-retention-period)
+* [Change the data retention period in Log Analytics](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
* [Data retention details for Automation Accounts](./automation-managing-data.md#data-retention)
@@ -268,9 +268,9 @@ Alternatively, you may enable and on-board data to Azure Sentinel or a third-par
* [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md)
-* [Understand log queries in Azure Monitor](../azure-monitor/log-query/log-analytics-tutorial.md)
+* [Understand log queries in Azure Monitor](../azure-monitor/logs/log-analytics-tutorial.md)
-* [How to perform custom queries in Azure Monitor](../azure-monitor/log-query/get-started-queries.md)
+* [How to perform custom queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md)
**Azure Security Center monitoring**: Not applicable
@@ -286,7 +286,7 @@ Alternatively, you may enable and on-board data to Azure Sentinel.
* [How to manage alerts in Azure Security Center](../security-center/security-center-managing-and-responding-alerts.md)
-* [How to alert on Azure Monitor log data](../azure-monitor/learn/tutorial-response.md)
+* [How to alert on Azure Monitor log data](../azure-monitor/alerts/tutorial-response.md)
**Azure Security Center monitoring**: Currently not available
@@ -416,7 +416,7 @@ You can also enable a Just-In-Time / Just-Enough-Access by using Azure AD Privil
* [How to integrate Azure Activity Logs into Azure Monitor](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
-* [How to configure action groups for custom alerting and notification](../azure-monitor/platform/action-groups.md)
+* [How to configure action groups for custom alerting and notification](../azure-monitor/alerts/action-groups.md)
**Azure Security Center monitoring**: Yes
@@ -616,7 +616,7 @@ When using Hybrid Runbook Workers, the virtual disks on the virtual machines are
* [Diagnostic logging for a network security group](../private-link/private-link-overview.md#logging-and-monitoring)
-* [How to create alerts for Azure Activity Log events](../azure-monitor/platform/alerts-activity-log.md)
+* [How to create alerts for Azure Activity Log events](../azure-monitor/alerts/alerts-activity-log.md)
**Azure Security Center monitoring**: Currently not available
automation https://docs.microsoft.com/en-us/azure/automation/start-runbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/start-runbooks.md
@@ -16,7 +16,7 @@ The following table helps you determine the method to start a runbook in Azure A
| [Windows PowerShell](/powershell/module/azurerm.automation/start-azurermautomationrunbook) |<li>Call from command line with Windows PowerShell cmdlets.<br> <li>Can be included in automated feature with multiple steps.<br> <li>Request is authenticated with certificate or OAuth user principal / service principal.<br> <li>Provide simple and complex parameter values.<br> <li>Track job state.<br> <li>Client required to support PowerShell cmdlets. | | [Azure Automation API](/rest/api/automation/) |<li>Most flexible method but also most complex.<br> <li>Call from any custom code that can make HTTP requests.<br> <li>Request authenticated with certificate, or Oauth user principal / service principal.<br> <li>Provide simple and complex parameter values. *If you're calling a Python runbook using the API, the JSON payload must be serialized.*<br> <li>Track job state. | | [Webhooks](automation-webhooks.md) |<li>Start runbook from single HTTP request.<br> <li>Authenticated with security token in URL.<br> <li>Client can't override parameter values specified when webhook created. Runbook can define single parameter that is populated with the HTTP request details.<br> <li>No ability to track job state through webhook URL. |
-| [Respond to Azure Alert](../azure-monitor/platform/alerts-overview.md) |<li>Start a runbook in response to Azure alert.<br> <li>Configure webhook for runbook and link to alert.<br> <li>Authenticated with security token in URL. |
+| [Respond to Azure Alert](../azure-monitor/alerts/alerts-overview.md) |<li>Start a runbook in response to Azure alert.<br> <li>Configure webhook for runbook and link to alert.<br> <li>Authenticated with security token in URL. |
| [Schedule](./shared-resources/schedules.md) |<li>Automatically start runbook on hourly, daily, weekly, or monthly schedule.<br> <li>Manipulate schedule through Azure portal, PowerShell cmdlets, or Azure API.<br> <li>Provide parameter values to be used with schedule. | | [From Another Runbook](automation-child-runbooks.md) |<li>Use a runbook as an activity in another runbook.<br> <li>Useful for functionality used by multiple runbooks.<br> <li>Provide parameter values to child runbook and use output in parent runbook. |
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/change-tracking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/change-tracking.md
@@ -91,11 +91,11 @@ Heartbeat
| summarize by Computer, Solutions ```
-If you don't see your machine in query results, it hasn't recently checked in. There's probably a local configuration issue and you should reinstall the agent. For information about installation and configuration, see [Collect log data with the Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md).
+If you don't see your machine in query results, it hasn't recently checked in. There's probably a local configuration issue and you should reinstall the agent. For information about installation and configuration, see [Collect log data with the Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md).
If your machine shows up in the query results, verify the scope configuration. See [Targeting monitoring solutions in Azure Monitor](../../azure-monitor/insights/solution-targeting.md).
-For more troubleshooting of this issue, see [Issue: You are not seeing any Linux data](../../azure-monitor/platform/agent-linux-troubleshoot.md#issue-you-are-not-seeing-any-linux-data).
+For more troubleshooting of this issue, see [Issue: You are not seeing any Linux data](../../azure-monitor/agents/agent-linux-troubleshoot.md#issue-you-are-not-seeing-any-linux-data).
##### Log Analytics agent for Linux not configured correctly
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/hybrid-runbook-worker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/hybrid-runbook-worker.md
@@ -123,7 +123,7 @@ The following issues are possible causes:
#### Resolution ##### Mistyped workspace ID or key
-To verify if the agent's workspace ID or workspace key was mistyped, see [Adding or removing a workspace ΓÇô Windows agent](../../azure-monitor/platform/agent-manage.md#windows-agent) for the Windows agent or [Adding or removing a workspace ΓÇô Linux agent](../../azure-monitor/platform/agent-manage.md#linux-agent) for the Linux agent. Make sure to select the full string from the Azure portal, and copy and paste it carefully.
+To verify if the agent's workspace ID or workspace key was mistyped, see [Adding or removing a workspace ΓÇô Windows agent](../../azure-monitor/agents/agent-manage.md#windows-agent) for the Windows agent or [Adding or removing a workspace ΓÇô Linux agent](../../azure-monitor/agents/agent-manage.md#linux-agent) for the Linux agent. Make sure to select the full string from the Azure portal, and copy and paste it carefully.
##### Configuration not downloaded
@@ -164,7 +164,7 @@ Place this file in the same folder as the executable file `OrchestratorSandbox.e
## Linux
-The Linux Hybrid Runbook Worker depends on the [Log Analytics agent for Linux](../../azure-monitor/platform/log-analytics-agent.md) to communicate with your Automation account to register the worker, receive runbook jobs, and report status. If registration of the worker fails, here are some possible causes for the error.
+The Linux Hybrid Runbook Worker depends on the [Log Analytics agent for Linux](../../azure-monitor/agents/log-analytics-agent.md) to communicate with your Automation account to register the worker, receive runbook jobs, and report status. If registration of the worker fails, here are some possible causes for the error.
### <a name="prompt-for-password"></a>Scenario: Linux Hybrid Runbook Worker receives prompt for a password when signing a runbook
@@ -220,7 +220,7 @@ wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/inst
## Windows
-The Windows Hybrid Runbook Worker depends on the [Log Analytics agent for Windows](../../azure-monitor/platform/log-analytics-agent.md) to communicate with your Automation account to register the worker, receive runbook jobs, and report status. If registration of the worker fails, this section includes some possible reasons.
+The Windows Hybrid Runbook Worker depends on the [Log Analytics agent for Windows](../../azure-monitor/agents/log-analytics-agent.md) to communicate with your Automation account to register the worker, receive runbook jobs, and report status. If registration of the worker fails, this section includes some possible reasons.
### <a name="mma-not-running"></a>Scenario: The Log Analytics agent for Windows isn't running
@@ -248,7 +248,7 @@ This issue can be caused by your proxy or network firewall blocking communicatio
#### Resolution
-Logs are stored locally on each hybrid worker at C:\ProgramData\Microsoft\System Center\Orchestrator\7.2\SMA\Sandboxes. You can verify if there are any warning or error events in the **Application and Services Logs\Microsoft-SMA\Operations** and **Application and Services Logs\Operations Manager** event logs. These logs indicate a connectivity or other type of issue that affects the enabling of the role to Azure Automation, or an issue encountered under normal operations. For additional help troubleshooting issues with the Log Analytics agent, see [Troubleshoot issues with the Log Analytics Windows agent](../../azure-monitor/platform/agent-windows-troubleshoot.md).
+Logs are stored locally on each hybrid worker at C:\ProgramData\Microsoft\System Center\Orchestrator\7.2\SMA\Sandboxes. You can verify if there are any warning or error events in the **Application and Services Logs\Microsoft-SMA\Operations** and **Application and Services Logs\Operations Manager** event logs. These logs indicate a connectivity or other type of issue that affects the enabling of the role to Azure Automation, or an issue encountered under normal operations. For additional help troubleshooting issues with the Log Analytics agent, see [Troubleshoot issues with the Log Analytics Windows agent](../../azure-monitor/agents/agent-windows-troubleshoot.md).
Hybrid workers send [Runbook output and messages](../automation-runbook-output-and-messages.md) to Azure Automation in the same way that runbook jobs running in the cloud send output and messages. You can enable the Verbose and Progress streams just as you do for runbooks.
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/onboarding https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/onboarding.md
@@ -77,7 +77,7 @@ Failed to configure automation account for diagnostic logging
#### Cause
-This error can be caused if the pricing tier doesn't match the subscription's billing model. For more information, see [Monitoring usage and estimated costs in Azure Monitor](../../azure-monitor/platform/usage-estimated-costs.md).
+This error can be caused if the pricing tier doesn't match the subscription's billing model. For more information, see [Monitoring usage and estimated costs in Azure Monitor](../../azure-monitor//usage-estimated-costs.md).
#### Resolution
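Review bot: The new link target `../../azure-monitor//usage-estimated-costs.md` has an empty path segment where `platform/` used to be, so the folder name was dropped rather than replaced. Fill in the article's new folder under `azure-monitor`, or remove the extra slash if the article now sits at the top level, so the relative link resolves.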
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/update-agent-issues-linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/update-agent-issues-linux.md
@@ -57,7 +57,7 @@ The operating system check verifies if the Hybrid Runbook Worker is running one
### Log Analytics agent
-This check ensures that the Log Analytics agent for Linux is installed. For instructions on how to install it, see [Install the agent for Linux](../../azure-monitor/learn/quick-collect-linux-computer.md#install-the-agent-for-linux).
+This check ensures that the Log Analytics agent for Linux is installed. For instructions on how to install it, see [Install the agent for Linux](../../azure-monitor/vm/quick-collect-linux-computer.md#install-the-agent-for-linux).
### Log Analytics agent status
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/update-agent-issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/update-agent-issues.md
@@ -82,7 +82,7 @@ Proxy and firewall configurations must allow the Hybrid Runbook Worker agent to
This check determines if the Log Analytics agent for Windows (`healthservice`) is running on the machine. To learn more about troubleshooting the service, see [The Log Analytics agent for Windows isn't running](hybrid-runbook-worker.md#mma-not-running).
-To reinstall the Log Analytics agent for Windows, see [Install the agent for Windows](../../azure-monitor/learn/quick-collect-windows-computer.md#install-the-agent-for-windows).
+To reinstall the Log Analytics agent for Windows, see [Install the agent for Windows](../../azure-monitor/vm/quick-collect-windows-computer.md#install-the-agent-for-windows).
### Monitoring agent service events
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/update-management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/update-management.md
@@ -130,7 +130,7 @@ This issue can be caused by local configuration issues or by improperly configur
1. Run the troubleshooter for [Windows](update-agent-issues.md#troubleshoot-offline) or [Linux](update-agent-issues-linux.md#troubleshoot-offline), depending on the OS.
-2. Make sure that your machine is reporting to the correct workspace. For guidance on how to verify this aspect, see [Verify agent connectivity to Azure Monitor](../../azure-monitor/platform/agent-windows.md#verify-agent-connectivity-to-azure-monitor). Also make sure that this workspace is linked to your Azure Automation account. To confirm, go to your Automation account and select **Linked workspace** under **Related Resources**.
+2. Make sure that your machine is reporting to the correct workspace. For guidance on how to verify this aspect, see [Verify agent connectivity to Azure Monitor](../../azure-monitor/agents/agent-windows.md#verify-agent-connectivity-to-azure-monitor). Also make sure that this workspace is linked to your Azure Automation account. To confirm, go to your Automation account and select **Linked workspace** under **Related Resources**.
3. Make sure that the machines show up in the Log Analytics workspace linked to your Automation account. Run the following query in the Log Analytics workspace.
@@ -139,7 +139,7 @@ This issue can be caused by local configuration issues or by improperly configur
| summarize by Computer, Solutions ```
- If you don't see your machine in the query results, it hasn't recently checked in. There's probably a local configuration issue and you should [reinstall the agent](../../azure-monitor/learn/quick-collect-windows-computer.md#install-the-agent-for-windows).
+ If you don't see your machine in the query results, it hasn't recently checked in. There's probably a local configuration issue and you should [reinstall the agent](../../azure-monitor/vm/quick-collect-windows-computer.md#install-the-agent-for-windows).
If your machine is listed in the query results, verify under the **Solutions** property that **updates** is listed. This verifies it is registered with Update Management. If it is not, check for scope configuration problems. The [scope configuration](../update-management/scope-configuration.md) determines which machines are configured for Update Management. To configure the scope configuration for the target the machine, see [Enable machines in the workspace](../update-management/enable-from-automation-account.md#enable-machines-in-the-workspace).
automation https://docs.microsoft.com/en-us/azure/automation/update-management/configure-alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/configure-alerts.md
@@ -13,7 +13,7 @@ Alerts in Azure proactively notify you of results from runbook jobs, service hea
## Available metrics
-Azure Automation creates two distinct platform metrics related to Update Management that are collected and forwarded to Azure Monitor. These metric are available for analysis using [Metrics Explorer](../../azure-monitor/platform/metrics-charts.md) and for alerting using a [metrics alert rule](../../azure-monitor/platform/alerts-metric.md).
+Azure Automation creates two distinct platform metrics related to Update Management that are collected and forwarded to Azure Monitor. These metric are available for analysis using [Metrics Explorer](../../azure-monitor/essentials/metrics-charts.md) and for alerting using a [metrics alert rule](../../azure-monitor/alerts/alerts-metric.md).
The two metrics emitted are:
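Review bot: The rewritten sentence still reads "These metric are available for analysis"; since the line is being changed for the link retarget anyway, correct it to "These metrics are available".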
@@ -29,7 +29,7 @@ When used for alerts, both metrics support dimensions that carry additional info
## Create alert
-Follow the steps below to set up alerts to let you know the status of an update deployment. If you are new to Azure alerts, see [Azure Alerts overview](../../azure-monitor/platform/alerts-overview.md).
+Follow the steps below to set up alerts to let you know the status of an update deployment. If you are new to Azure alerts, see [Azure Alerts overview](../../azure-monitor/alerts/alerts-overview.md).
1. In your Automation account, select **Alerts** under **Monitoring**, and then select **New alert rule**.
@@ -57,7 +57,7 @@ Follow the steps below to set up alerts to let you know the status of an update
## Configure action groups for your alerts
-Once you have your alerts configured, you can set up an action group, which is a group of actions to use across multiple alerts. The actions can include email notifications, runbooks, webhooks, and much more. To learn more about action groups, see [Create and manage action groups](../../azure-monitor/platform/action-groups.md).
+Once you have your alerts configured, you can set up an action group, which is a group of actions to use across multiple alerts. The actions can include email notifications, runbooks, webhooks, and much more. To learn more about action groups, see [Create and manage action groups](../../azure-monitor/alerts/action-groups.md).
1. Select an alert and then select **Create New** under **Action Groups**.
@@ -81,8 +81,8 @@ Once you have your alerts configured, you can set up an action group, which is a
## Next steps
-* Learn more about [alerts in Azure Monitor](../../azure-monitor/platform/alerts-overview.md).
+* Learn more about [alerts in Azure Monitor](../../azure-monitor/alerts/alerts-overview.md).
-* Learn about [log queries](../../azure-monitor/log-query/log-query-overview.md) to retrieve and analyze data from a Log Analytics workspace.
+* Learn about [log queries](../../azure-monitor/logs/log-query-overview.md) to retrieve and analyze data from a Log Analytics workspace.
-* Manage [usage and costs with Azure Monitor Logs](../../azure-monitor/platform/manage-cost-storage.md) describes how to control your costs by changing your data retention period, and how to analyze and alert on your data usage.
+* Manage [usage and costs with Azure Monitor Logs](../../azure-monitor/logs/manage-cost-storage.md) describes how to control your costs by changing your data retention period, and how to analyze and alert on your data usage.
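Review bot: The last bullet, "Manage [usage and costs with Azure Monitor Logs] describes how to control your costs", starts as an imperative and continues as a description, so it does not parse. As the line is already being edited, reword it to match the two bullets above it, for example "Learn how to manage [usage and costs with Azure Monitor Logs]" followed by what the article covers.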
automation https://docs.microsoft.com/en-us/azure/automation/update-management/configure-groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/configure-groups.md
@@ -38,7 +38,7 @@ To preview the results of your dynamic group query, click **Preview**. The previ
## Define dynamic groups for non-Azure machines
-A dynamic group for non-Azure machines uses saved searches, also called computer groups. To learn how to create a saved search, see [Creating a computer group](../../azure-monitor/platform/computer-groups.md#creating-a-computer-group). Once your saved search is created, you can select it from the list of saved searches in **Update management** in the Azure portal. Click **Preview** to preview the computers in the saved search.
+A dynamic group for non-Azure machines uses saved searches, also called computer groups. To learn how to create a saved search, see [Creating a computer group](../../azure-monitor/logs/computer-groups.md#creating-a-computer-group). Once your saved search is created, you can select it from the list of saved searches in **Update management** in the Azure portal. Click **Preview** to preview the computers in the saved search.
![Screenshot shows the Select groups page for Non-Azure (Preview) and the Preview pane on the right side.](./media/configure-groups/select-groups-2.png)
automation https://docs.microsoft.com/en-us/azure/automation/update-management/deploy-updates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/deploy-updates.md
@@ -54,7 +54,7 @@ To schedule a new update deployment, perform the following steps. Depending on t
> [!NOTE] > This option is not available if you selected an Azure VM or Arc enabled server. The machine is automatically targeted for the scheduled deployment.
-6. In the **Machines to update** region, select a saved search, an imported group, or pick **Machines** from the dropdown menu and select individual machines. With this option, you can see the readiness of the Log Analytics agent for each machine. To learn about the different methods of creating computer groups in Azure Monitor logs, see [Computer groups in Azure Monitor logs](../../azure-monitor/platform/computer-groups.md). You can include up to a maximum of 1000 machines in a scheduled update deployment.
+6. In the **Machines to update** region, select a saved search, an imported group, or pick **Machines** from the dropdown menu and select individual machines. With this option, you can see the readiness of the Log Analytics agent for each machine. To learn about the different methods of creating computer groups in Azure Monitor logs, see [Computer groups in Azure Monitor logs](../../azure-monitor/logs/computer-groups.md). You can include up to a maximum of 1000 machines in a scheduled update deployment.
> [!NOTE] > This option is not available if you selected an Azure VM or Arc enabled server. The machine is automatically targeted for the scheduled deployment.
automation https://docs.microsoft.com/en-us/azure/automation/update-management/enable-from-automation-account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/enable-from-automation-account.md
@@ -19,7 +19,8 @@ This article describes how you can use your Automation account to enable the [Up
* Azure subscription. If you don't have one yet, you can [activate your MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/) or sign up for a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * [Automation account](../automation-security-overview.md) to manage machines.
-* An [Azure virtual machine](../../virtual-machines/windows/quick-create-portal.md), or VM or server registered with Arc enabled servers. Non-Azure VMs or servers need to have the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md) for Windows or Linux installed and reporting to the workspace linked to the Automation account Update Management is enabled in. We recommend installing the Log Analytics agent for Windows or Linux by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to *Linux* or *Windows* Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
+* An [Azure virtual machine](../../virtual-machines/windows/quick-create-portal.md), or VM or server registered with Arc enabled servers. Non-Azure VMs or servers need to have the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) for Windows or Linux installed and reporting to the workspace linked to the Automation account Update Management is enabled in. We recommend installing the Log Analytics agent for Windows or Linux by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to *Linux* or *Windows* Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
+ ## Sign in to Azure
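Review bot: The changed prerequisite bullet is hard to parse in two places and could be tidied while the link is being touched. "reporting to the workspace linked to the Automation account Update Management is enabled in" reads better as "reporting to the workspace linked to the Automation account in which Update Management is enabled", and "by first connecting your machine to ..., and then use Azure Policy" mixes verb forms (it should be "and then using Azure Policy"). The hunk also grows from 7 to 8 lines, which appears to be a blank line added before the "Sign in to Azure" heading; drop it if it is unintentional.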
@@ -49,7 +50,7 @@ For machines or servers hosted outside of Azure, including the ones registered w
1. From your Automation account, select **Update management** under **Update management**.
-2. Select **Add non-Azure machine**. This action opens a new browser window with [instructions to install and configure the Log Analytics agent for Windows](../../azure-monitor/platform/log-analytics-agent.md) so that the machine can begin reporting to Update Management. If you're enabling a machine that's currently managed by Operations Manager, a new agent isn't required. The workspace information is added to the agents configuration.
+2. Select **Add non-Azure machine**. This action opens a new browser window with [instructions to install and configure the Log Analytics agent for Windows](../../azure-monitor/agents/log-analytics-agent.md) so that the machine can begin reporting to Update Management. If you're enabling a machine that's currently managed by Operations Manager, a new agent isn't required. The workspace information is added to the agents configuration.
## Enable machines in the workspace
automation https://docs.microsoft.com/en-us/azure/automation/update-management/enable-from-runbook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/enable-from-runbook.md
@@ -24,7 +24,7 @@ This method uses two runbooks:
* Azure subscription. If you don't have one yet, you can [activate your MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/) or sign up for a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * [Automation account](../automation-security-overview.md) to manage machines.
-* [Log Analytics workspace](../../azure-monitor/platform/design-logs-deployment.md)
+* [Log Analytics workspace](../../azure-monitor/logs/design-logs-deployment.md)
* A [virtual machine](../../virtual-machines/windows/quick-create-portal.md). * Two Automation assets, which are used by the **Enable-AutomationSolution** runbook. This runbook, if it doesn't already exist in your Automation account, is automatically imported by the **Enable-MultipleSolution** runbook during its first run. * *LASolutionSubscriptionId*: Subscription ID of where the Log Analytics workspace is located.
automation https://docs.microsoft.com/en-us/azure/automation/update-management/enable-from-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/enable-from-template.md
@@ -59,11 +59,11 @@ The JSON template specifies a default value for the other parameters that would
If you're new to Azure Automation and Azure Monitor, it's important that you understand the following configuration details. They can help you avoid errors when you try to create, configure, and use a Log Analytics workspace linked to your new Automation account.
-* Review [additional details](../../azure-monitor/samples/resource-manager-workspace.md#create-a-log-analytics-workspace) to fully understand workspace configuration options, such as access control mode, pricing tier, retention, and capacity reservation level.
+* Review [additional details](../../azure-monitor/logs/resource-manager-workspace.md#create-a-log-analytics-workspace) to fully understand workspace configuration options, such as access control mode, pricing tier, retention, and capacity reservation level.
* Review [workspace mappings](../how-to/region-mappings.md) to specify the supported regions inline or in a parameter file. Only certain regions are supported for linking a Log Analytics workspace and an Automation account in your subscription.
-* If you're new to Azure Monitor logs and have not deployed a workspace already, you should review the [workspace design guidance](../../azure-monitor/platform/design-logs-deployment.md). It will help you to learn about access control, and understand the design implementation strategies we recommend for your organization.
+* If you're new to Azure Monitor logs and have not deployed a workspace already, you should review the [workspace design guidance](../../azure-monitor/logs/design-logs-deployment.md). It will help you to learn about access control, and understand the design implementation strategies we recommend for your organization.
## Deploy template
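Review bot: The link text "additional details" on the first changed bullet does not tell the reader what the target is, and the target has just moved from samples/ to logs/resource-manager-workspace.md. Name the destination in the link text, for example wording that matches the anchor #create-a-log-analytics-workspace, so the bullet still makes sense if the path moves again.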
automation https://docs.microsoft.com/en-us/azure/automation/update-management/mecmintegration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/mecmintegration.md
@@ -20,7 +20,7 @@ You can report and update managed Windows servers by creating and pre-staging so
* You must have [Azure Automation Update Management](overview.md) added to your Automation account. * Windows servers currently managed by your Microsoft Endpoint Configuration Manager environment also need to report to the Log Analytics workspace that also has Update Management enabled.
-* This feature is enabled in Microsoft Endpoint Configuration Manager current branch version 1606 and higher. To integrate your Microsoft Endpoint Configuration Manager central administration site or a standalone primary site with Azure Monitor logs and import collections, review [Connect Configuration Manager to Azure Monitor logs](../../azure-monitor/platform/collect-sccm.md).
+* This feature is enabled in Microsoft Endpoint Configuration Manager current branch version 1606 and higher. To integrate your Microsoft Endpoint Configuration Manager central administration site or a standalone primary site with Azure Monitor logs and import collections, review [Connect Configuration Manager to Azure Monitor logs](../../azure-monitor/logs/collect-sccm.md).
* Windows agents must either be configured to communicate with a Windows Server Update Services (WSUS) server or have access to Microsoft Update if they don't receive security updates from Microsoft Endpoint Configuration Manager. How you manage clients hosted in Azure IaaS with your existing Microsoft Endpoint Configuration Manager environment primarily depends on the connection you have between Azure datacenters and your infrastructure. This connection affects any design changes you may need to make to your Microsoft Endpoint Configuration Manager infrastructure and related cost to support those necessary changes. To understand what planning considerations you need to evaluate before proceeding, review [Configuration Manager on Azure - Frequently Asked Questions](/configmgr/core/understand/configuration-manager-on-azure#networking).
automation https://docs.microsoft.com/en-us/azure/automation/update-management/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/overview.md
@@ -24,7 +24,7 @@ Before deploying Update Management and enabling your machines for management, ma
Machines that are managed by Update Management rely on the following to perform assessment and to deploy updates:
-* [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md) for Windows or Linux
+* [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) for Windows or Linux
* PowerShell Desired State Configuration (DSC) for Linux * Automation Hybrid Runbook Worker (automatically installed when you enable Update Management on the machine) * Microsoft Update or [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) (WSUS) for Windows machines
@@ -47,7 +47,7 @@ Update Management reports how up to date the machine is based on what source you
You can deploy and install software updates on machines that require the updates by creating a scheduled deployment. Updates classified as optional aren't included in the deployment scope for Windows machines. Only required updates are included in the deployment scope.
-The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a [computer group](../../azure-monitor/platform/computer-groups.md) that's based on log searches of a specific set of machines (or on an [Azure query](query-logs.md) that dynamically selects Azure VMs based on specified criteria). These groups differ from [scope configuration](../../azure-monitor/insights/solution-targeting.md), which is used to control the targeting of machines that receive the configuration to enable Update Management. This prevents them from performing and reporting update compliance, and install approved required updates.
+The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a [computer group](../../azure-monitor/logs/computer-groups.md) that's based on log searches of a specific set of machines (or on an [Azure query](query-logs.md) that dynamically selects Azure VMs based on specified criteria). These groups differ from [scope configuration](../../azure-monitor/insights/solution-targeting.md), which is used to control the targeting of machines that receive the configuration to enable Update Management. This prevents them from performing and reporting update compliance, and install approved required updates.
While defining a deployment, you also specify a schedule to approve and set a time period during which updates can be installed. This period is called the maintenance window. A 20-minute span of the maintenance window is reserved for reboots, assuming one is needed and you selected the appropriate reboot option. If patching takes longer than expected and there's less than 20 minutes in the maintenance window, a reboot won't occur.
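Review bot: The last sentence of the changed paragraph, "This prevents them from performing and reporting update compliance, and install approved required updates.", has no clear antecedent for "This" or "them", and as written it suggests that scope configuration blocks compliance reporting. Since the line is being edited anyway, state which machines are meant and what they cannot do, and fix the verb form ("install" should be "installing").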
@@ -101,7 +101,7 @@ Software Requirements:
Windows agents must be configured to communicate with a WSUS server, or they require access to Microsoft Update. For hybrid machines, we recommend installing the Log Analytics agent for Windows by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to Windows Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
-You can use Update Management with Microsoft Endpoint Configuration Manager. To learn more about integration scenarios, see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md). The [Log Analytics agent for Windows](../../azure-monitor/platform/agent-windows.md) is required for Windows servers managed by sites in your Configuration Manager environment.
+You can use Update Management with Microsoft Endpoint Configuration Manager. To learn more about integration scenarios, see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md). The [Log Analytics agent for Windows](../../azure-monitor/agents/agent-windows.md) is required for Windows servers managed by sites in your Configuration Manager environment.
By default, Windows VMs that are deployed from Azure Marketplace are set to receive automatic updates from Windows Update Service. This behavior doesn't change when you add Windows VMs to your workspace. If you don't actively manage updates by using Update Management, the default behavior (to automatically apply updates) applies.
@@ -141,7 +141,7 @@ You can add the Windows machine to a user Hybrid Runbook Worker group in your Au
### Management packs
-If your Operations Manager management group is [connected to a Log Analytics workspace](../../azure-monitor/platform/om-agents.md), the following management packs are installed in Operations Manager. These management packs are also installed for Update Management on directly connected Windows machines. You don't need to configure or manage these management packs.
+If your Operations Manager management group is [connected to a Log Analytics workspace](../../azure-monitor/agents/om-agents.md), the following management packs are installed in Operations Manager. These management packs are also installed for Update Management on directly connected Windows machines. You don't need to configure or manage these management packs.
* Microsoft System Center Advisor Update Assessment Intelligence Pack (Microsoft.IntelligencePacks.UpdateAssessment) * Microsoft.IntelligencePack.UpdateAssessment.Configuration (Microsoft.IntelligencePack.UpdateAssessment.Configuration)
@@ -150,7 +150,7 @@ If your Operations Manager management group is [connected to a Log Analytics wor
> [!NOTE] > If you have an Operations Manager 1807 or 2019 management group connected to a Log Analytics workspace with agents configured in the management group to collect log data, you need to override the parameter `IsAutoRegistrationEnabled` and set it to True in the **Microsoft.IntelligencePacks.AzureAutomation.HybridAgent.Init** rule.
-For more information about updates to management packs, see [Connect Operations Manager to Azure Monitor logs](../../azure-monitor/platform/om-agents.md).
+For more information about updates to management packs, see [Connect Operations Manager to Azure Monitor logs](../../azure-monitor/agents/om-agents.md).
> [!NOTE] > For Update Management to fully manage machines with the Log Analytics agent, you must update to the Log Analytics agent for Windows or the Log Analytics agent for Linux. To learn how to update the agent, see [How to upgrade an Operations Manager agent](/system-center/scom/deploy-upgrade-agents). In environments that use Operations Manager, you must be running System Center Operations Manager 2012 R2 UR 14 or later.
@@ -175,7 +175,7 @@ Update Management scans managed machines for data using the following rules. It
* Each Linux machine - Update Management does a scan every hour.
-The average data usage by Azure Monitor logs for a machine using Update Management is approximately 25 MB per month. This value is only an approximation and is subject to change, depending on your environment. We recommend that you monitor your environment to keep track of your exact usage. For more information about analyzing Azure Monitor Logs data usage, see [Manage usage and cost](../../azure-monitor/platform/manage-cost-storage.md).
+The average data usage by Azure Monitor logs for a machine using Update Management is approximately 25 MB per month. This value is only an approximation and is subject to change, depending on your environment. We recommend that you monitor your environment to keep track of your exact usage. For more information about analyzing Azure Monitor Logs data usage, see [Manage usage and cost](../../azure-monitor/logs/manage-cost-storage.md).
## <a name="ports"></a>Network planning
@@ -187,7 +187,7 @@ For Red Hat Linux machines, see [IPs for the RHUI content delivery servers](../.
For more information about ports required for the Hybrid Runbook Worker, see [Update Management addresses for Hybrid Runbook Worker](../automation-hybrid-runbook-worker.md#update-management-addresses-for-hybrid-runbook-worker).
-If your IT security policies do not allow machines on the network to connect to the internet, you can set up a [Log Analytics gateway](../../azure-monitor/platform/gateway.md) and then configure the machine to connect through the gateway to Azure Automation and Azure Monitor.
+If your IT security policies do not allow machines on the network to connect to the internet, you can set up a [Log Analytics gateway](../../azure-monitor/agents/gateway.md) and then configure the machine to connect through the gateway to Azure Automation and Azure Monitor.
## Update classifications
automation https://docs.microsoft.com/en-us/azure/automation/update-management/query-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/query-logs.md
@@ -190,7 +190,7 @@ On a Windows computer, you can review the following information to verify agent
1. Open the Windows Event Log. Go to **Application and Services Logs\Operations Manager** and search for Event ID 3000 and Event ID 5002 from the source **Service Connector**. These events indicate that the computer has registered with the Log Analytics workspace and is receiving configuration.
-If the agent can't communicate with Azure Monitor logs and the agent is configured to communicate with the internet through a firewall or proxy server, confirm the firewall or proxy server is properly configured. To learn how to verify the firewall or proxy server is properly configured, see [Network configuration for Windows agent](../../azure-monitor/platform/agent-windows.md) or [Network configuration for Linux agent](../../azure-monitor/learn/quick-collect-linux-computer.md).
+If the agent can't communicate with Azure Monitor logs and the agent is configured to communicate with the internet through a firewall or proxy server, confirm the firewall or proxy server is properly configured. To learn how to verify the firewall or proxy server is properly configured, see [Network configuration for Windows agent](../../azure-monitor/agents/agent-windows.md) or [Network configuration for Linux agent](../../azure-monitor/vm/quick-collect-linux-computer.md).
> [!NOTE] > If your Linux systems are configured to communicate with a proxy or Log Analytics Gateway and you're enabling Update Management, update the `proxy.conf` permissions to grant the omiuser group read permission on the file by using the following commands:
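Review bot: On the changed line, both "Network configuration for ..." links point at whole articles with no section anchor (agents/agent-windows.md and vm/quick-collect-linux-computer.md, the second of which is named like a quickstart). Someone troubleshooting a firewall or proxy will land at the top of a general page; link to the section that lists the required endpoints and proxy settings, or change the link text so it matches what the targets actually are.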
@@ -200,7 +200,7 @@ If the agent can't communicate with Azure Monitor logs and the agent is configur
Newly added Linux agents show a status of **Updated** after an assessment has been performed. This process can take up to 6 hours.
-To confirm that an Operations Manager management group is communicating with Azure Monitor logs, see [Validate Operations Manager integration with Azure Monitor logs](../../azure-monitor/platform/om-agents.md#validate-operations-manager-integration-with-azure-monitor).
+To confirm that an Operations Manager management group is communicating with Azure Monitor logs, see [Validate Operations Manager integration with Azure Monitor logs](../../azure-monitor/agents/om-agents.md#validate-operations-manager-integration-with-azure-monitor).
### Single Azure VM Assessment queries (Windows)
@@ -405,5 +405,5 @@ Update
## Next steps
-* For details of Azure Monitor logs, see [Azure Monitor logs](../../azure-monitor/log-query/log-query-overview.md).
+* For details of Azure Monitor logs, see [Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md).
* For help with alerts, see [Configure alerts](configure-alerts.md).
availability-zones https://docs.microsoft.com/en-us/azure/availability-zones/az-region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
@@ -50,7 +50,7 @@ To achieve comprehensive business continuity on Azure, build your application ar
| East US | North Europe | | Australia East | | East US 2 | UK South | | | | South Central US | West Europe | | |
-| US Gov Virginia* | | | |
+| US Gov Virginia | | | |
| West US 2 | | | |
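Review bot: Removing the asterisk from "US Gov Virginia*" can leave the footnote it pointed to orphaned. The footnote is not visible in this hunk, so confirm it is deleted in the same change, or keep the marker if the caveat still applies to that region.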
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/security-baseline.md
@@ -601,9 +601,9 @@ For more information, see the following references:
**Guidance**: Activity logs, which are automatically available, contain all write operations (PUT, POST, DELETE) for your App Configuration resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource. For App Configuration, activity logs are only available on the control plane and are surfaced by the Azure Resource Manager (ARM). Customer facing data plane logging for App Configuration is currently not supported. Azure resource logs are also not available to be configured. -- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/platform/diagnostic-settings.md)
+- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
-- [Understand logging and different log types in Azure](../azure-monitor/platform/platform-logs-overview.md)
+- [Understand logging and different log types in Azure](../azure-monitor/essentials/platform-logs-overview.md)
**Azure Security Center monitoring**: Not applicable
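Review bot: The first reference, "How to collect platform logs and metrics with Azure Monitor" (now essentials/diagnostic-settings.md), sits directly under guidance that says resource logs are not available to be configured and that data plane logging is not supported for App Configuration. A reader auditing this control could take the link to mean diagnostic settings apply to the service; if the intent is routing the activity log, say so next to the link, otherwise drop it. The guidance sentence is also awkward: "all write operations (PUT, POST, DELETE) ... except read operations (GET)" would be clearer as a plain statement that read operations are not logged.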
@@ -617,7 +617,7 @@ Ensure you are integrating Azure activity logs into your central logging. Ingest
In addition, enable and onboard data to Azure Sentinel or a third-party SIEM. Many organizations choose to use Azure Sentinel for ΓÇ£hotΓÇ¥ data that is used frequently and Azure Storage for ΓÇ£coldΓÇ¥ data that is used less frequently. -- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/platform/diagnostic-settings.md)
+- [How to collect platform logs and metrics with Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md)
- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md)
@@ -631,9 +631,9 @@ In addition, enable and onboard data to Azure Sentinel or a third-party SIEM. Ma
In Azure Monitor, you can set your Log Analytics workspace retention period according to your organization's compliance regulations. -- [How to configure Log Analytics Workspace Retention Period](../azure-monitor/platform/manage-cost-storage.md)
+- [How to configure Log Analytics Workspace Retention Period](../azure-monitor/logs/manage-cost-storage.md)
-- [Storing resource logs in an Azure Storage Account](../azure-monitor/platform/resource-logs.md#send-to-azure-storage)
+- [Storing resource logs in an Azure Storage Account](../azure-monitor/essentials/resource-logs.md#send-to-azure-storage)
**Azure Security Center monitoring**: Not applicable
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/upload-metrics-and-logs-to-azure-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/upload-metrics-and-logs-to-azure-monitor.md
@@ -188,7 +188,7 @@ Create, read, update, and delete (CRUD) operations on Azure Arc enabled data ser
During preview, this process happens nightly. The general guidance is to upload the usage only once per day. When usage information is exported and uploaded multiple times within the same 24 hour period, only the resource inventory is updated in Azure portal but not the resource usage.
-For uploading metrics, Azure monitor only accepts the last 30 minutes of data ([Learn more](../../azure-monitor/platform/metrics-store-custom-rest-api.md#troubleshooting)). The guidance for uploading metrics is to upload the metrics immediately after creating the export file so you can view the entire data set in Azure portal. For instance, if you exported the metrics at 2:00 PM and ran the upload command at 2:50 PM. Since Azure Monitor only accepts data for the last 30 minutes, you may not see any data in the portal.
+For uploading metrics, Azure monitor only accepts the last 30 minutes of data ([Learn more](../../azure-monitor/essentials/metrics-store-custom-rest-api.md#troubleshooting)). The guidance for uploading metrics is to upload the metrics immediately after creating the export file so you can view the entire data set in Azure portal. For instance, if you exported the metrics at 2:00 PM and ran the upload command at 2:50 PM. Since Azure Monitor only accepts data for the last 30 minutes, you may not see any data in the portal.
## Next steps
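Review bot: On the changed line, "Azure monitor" should be capitalized as "Azure Monitor" (it is written that way later in the same paragraph), and "For instance, if you exported the metrics at 2:00 PM and ran the upload command at 2:50 PM." is a sentence fragment. Join it to the sentence that follows so the example states its own consequence, that data exported at 2:00 PM and uploaded at 2:50 PM falls outside the 30-minute window and may not appear in the portal.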
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/upload-metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/upload-metrics.md
@@ -121,7 +121,7 @@ To upload metrics for your Azure arc enabled SQL managed instances and Azure Arc
>[!NOTE] >Wait for at least 30 mins after the Azure Arc enabled data instances are created for the first upload. >
- >Make sure `upload` the metrics right away after `export` as Azure Monitor only accepts metrics for the last 30 minutes. [Learn more](../../azure-monitor/platform/metrics-store-custom-rest-api.md#troubleshooting).
+ >Make sure `upload` the metrics right away after `export` as Azure Monitor only accepts metrics for the last 30 minutes. [Learn more](../../azure-monitor/essentials/metrics-store-custom-rest-api.md#troubleshooting).
If you see any errors indicating "Failure to get metrics" during export, check if data collection is set to `true` by running the following command:
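Review bot: The changed note line is missing a verb form: "Make sure `upload` the metrics right away after `export`" should read "Make sure to `upload` the metrics right after `export`". It is worth fixing here because this is the line that tells operators about the 30-minute acceptance window.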
@@ -195,7 +195,7 @@ Create, read, update, and delete (CRUD) operations on Azure Arc enabled data ser
During preview, this process happens nightly. The general guidance is to upload the usage only once per day. When usage information is exported and uploaded multiple times within the same 24 hour period, only the resource inventory is updated in Azure portal but not the resource usage.
-For uploading metrics, Azure monitor only accepts the last 30 minutes of data ([Learn more](../../azure-monitor/platform/metrics-store-custom-rest-api.md#troubleshooting)). The guidance for uploading metrics is to upload the metrics immediately after creating the export file so you can view the entire data set in Azure portal. For instance, if you exported the metrics at 2:00 PM and ran the upload command at 2:50 PM. Since Azure Monitor only accepts data for the last 30 minutes, you may not see any data in the portal.
+For uploading metrics, Azure monitor only accepts the last 30 minutes of data ([Learn more](../../azure-monitor/essentials/metrics-store-custom-rest-api.md#troubleshooting)). The guidance for uploading metrics is to upload the metrics immediately after creating the export file so you can view the entire data set in Azure portal. For instance, if you exported the metrics at 2:00 PM and ran the upload command at 2:50 PM. Since Azure Monitor only accepts data for the last 30 minutes, you may not see any data in the portal.
## Next steps
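Review bot: The changed paragraph is word for word the same as the one updated in upload-metrics-and-logs-to-azure-monitor.md, including the lowercase "Azure monitor" and the fragment "For instance, if you exported the metrics at 2:00 PM and ran the upload command at 2:50 PM.". With two copies, every link move has to be made twice and the wording can drift; consider keeping the paragraph in one shared place and fixing the wording there.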
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/conceptual-agent-architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-agent-architecture.md
@@ -0,0 +1,92 @@
+
+ Title: "Azure Arc enabled Kubernetes Agent Architecture"
++ Last updated : 02/15/2021+++
+description: "This article provides an architectural overview of Azure Arc enabled Kubernetes agents"
+keywords: "Kubernetes, Arc, Azure, containers"
++
+# Azure Arc enabled Kubernetes Agent Architecture
+
+[Kubernetes](https://kubernetes.io/) can be used to deploy containerized workloads on hybrid and multi-cloud environments in a consistent way. Azure Arc enabled Kubernetes can be used as a centralized control plane to consistently manage policy, governance, and security across these heterogenous environments. This article provides:
+
+* An architectural overview of connecting a cluster to Azure Arc.
+* The connectivity pattern followed by agents.
+* A description of the data exchanged between cluster environment and Azure.
+
+## Deploy agents to your cluster
+
+Most on-prem datacenters enforce strict network rules that prevent inbound communication on the firewall used at the network boundary. Azure Arc enabled Kubernetes works with these restrictions by only enabling selective egress endpoints for outbound communication and not requiring any inbound ports on the firewall. Azure Arc enabled Kubernetes agents initiate the outbound connections.
+
+![Architectural overview](./media/architectural-overview.png)
+
+Connect a cluster to Azure Arc using the following steps:
+
+1. Create a Kubernetes cluster on your choice of infrastructure (VMware vSphere, Amazon Web Services, Google Cloud Platform, etc.).
+
+ > [!NOTE]
+ > Customers are required to create and manage the lifecycle of the Kubernetes cluster themselves as Azure Arc enabled Kubernetes currently only supports attaching existing Kubernetes clusters to Azure Arc.
+
+1. Initiate the Azure Arc registration for your cluster using Azure CLI.
+ * Azure CLI uses Helm to deploy the agent Helm chart on the cluster.
+ * The cluster nodes initiate an outbound communication to the [Microsoft Container Registry](https://github.com/microsoft/containerregistry) and pull the images needed to create the following agents in the `azure-arc` namespace:
+
+ | Agent | Description |
+ | -- | -- |
+ | `deployment.apps/clusteridentityoperator` | Azure Arc enabled Kubernetes currently supports only [system assigned identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview). clusteridentityoperator makes the first outbound communication needed to fetch the managed service identity (MSI) certificate used by other agents for communication with Azure. |
+ | `deployment.apps/config-agent` | Watches the connected cluster for source control configuration resources applied on the cluster and updates compliance state |
+ | `deployment.apps/controller-manager` | An operator of operators that orchestrates interactions between Azure Arc components |
+ | `deployment.apps/metrics-agent` | Collects metrics of other Arc agents to ensure that these agents are exhibiting optimal performance |
+ | `deployment.apps/cluster-metadata-operator` | Gathers cluster metadata - cluster version, node count, and Azure Arc agent version |
+ | `deployment.apps/resource-sync-agent` | Syncs the above mentioned cluster metadata to Azure |
+ | `deployment.apps/flux-logs-agent` | Collects logs from the flux operators deployed as a part of source control configuration |
+
+1. Once all the Azure Arc enabled Kubernetes agent pods in `Running` state, verify that your cluster connected to Azure Arc. You should see:
+ * An Azure Arc enabled Kubernetes resource in [Azure Resource Manager](../../azure-resource-manager/management/overview.md). This resource is tracked in Azure as a projection of the customer-managed Kubernetes cluster, not the actual Kubernetes cluster itself.
+ * Cluster metadata, like Kubernetes version, agent version, and number of nodes, appears on the Azure Arc enabled Kubernetes resource as metadata.
+
+## Data exchange between cluster environment and Azure
+
+| Data type | Scenario | Communication mode |
+| | -- | |
+| Kubernetes cluster version | Cluster metadata | Agent pushes to Azure |
+| Number of nodes in the cluster | Cluster metadata | Agent pushes to Azure |
+| Agent version | Cluster metadata | Agent pushes to Azure |
+| Kubernetes distribution type | Cluster metadata | Azure CLI pushes to Azure |
+| Infrastructure type (AWS/GCP/vSphere/...) | Cluster metadata | Azure CLI pushes to Azure |
+| vCPU count of nodes in the cluster | Billing | Azure CLI pushes to Azure |
+| Agent heartbeat | Resource Health | Agent pushes to Azure |
+| Resource consumption (memory/CPU) by agents | Diagnostics and supportability | Agent pushes to Azure |
+| Logs of all agent containers | Diagnostics and supportability | Agent pushes to Azure |
+| Agent upgrade availability | Agent upgrade | Agent pulls from Azure |
+| Desired state of Configuration - Git repo URL, flux operator parameters, private key, known hosts content, HTTPS username, token/password | Configuration | Agent pulls from Azure |
+| Status of flux operator installation | Configuration | Agent pushes to Azure |
+| Azure Policy assignments that need Gatekeeper enforcement within cluster | Azure Policy | Agent pulls from Azure |
+| Audit and compliance status of in-cluster policy enforcements | Azure Policy | Agent pushes to Azure |
+| Metrics and logs of customer workloads | Azure Monitor | Agent pushes to Log Analytics workspace resource in customer's tenant and subscription |
+
+## Connectivity status
+
+| Status | Description |
+| | -- |
+| Connecting | Azure Arc enabled Kubernetes resource created in Azure Resource Manager, but service hasn't received agent heartbeat yet. |
+| Connected | Azure Arc enabled Kubernetes service received an agent heartbeat sometime within the previous 15 minutes. |
+| Offline | Azure Arc enabled Kubernetes resource was previously connected, but the service hasn't received any agent heartbeat for 15 minutes. |
+| Expired | Managed service identity (MSI) certificate has an expiration window of 90 days after it is issued. Once this certificate expires, the resource is considered `Expired` and all features such as configuration, monitoring and policy stop working on this cluster. More information on how to address expired Azure Arc enabled Kubernetes resources can be found [here](./faq.md#how-to-address-expired-azure-arc-enabled-kubernetes-resources) |
+
+## Understand connectivity modes
+
+| Connectivity mode | Description |
+| -- | -- |
+| Fully connected | Agents are always able to reach out to Azure. Experience is ideal in this case as there is little delay in propagation of configurations (for GitOps), enforcement of policies (in Azure Policy and Gatekeeper) and collection of metrics and logs of workloads (in Azure Monitor) |
+| Semi-connected | MSI certificate pulled down by the `clusteridentityoperator` is valid for 90 days maximum before the certificate expires. Once the certificate expires, the Azure Arc enabled Kubernetes resource stops working. Delete and recreate the Azure Arc enabled Kubernetes resource and agents to get all the Arc features to work on the cluster. During the 90 days, users are recommended to connect the cluster at least once every 30 days. |
+| Disconnected | Kubernetes clusters in disconnected environments without any access to Azure are currently not supported by Azure Arc enabled Kubernetes. If this capability is of interest to you, submit or up-vote an idea on [Azure Arc's UserVoice forum](https://feedback.azure.com/forums/925690-azure-arc).
+
+## Next steps
+
+* [Connect a cluster to Azure Arc](./connect-cluster.md)
+* [Conceptual overview of configurations](./conceptual-configurations.md)
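Review bot: The "Semi-connected" row under "Understand connectivity modes" recommends connecting the cluster at least once every 30 days but does not say what that achieves against the 90-day MSI certificate lifetime, and the "Expired" row under "Connectivity status" only offers delete-and-recreate. State whether a connection inside that window renews the certificate, so operators can plan to stay out of the `Expired` state rather than recover from it. Smaller fixes in the same file: "heterogenous" should be "heterogeneous" in the opening paragraph, step 3 reads "agent pods in `Running` state" without "are", the "Disconnected" row is missing its closing `|`, and the "here" link in the "Expired" row should name the FAQ section it points to.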
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/conceptual-configurations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-configurations.md
@@ -0,0 +1,50 @@
+
+ Title: "Configurations and GitOps - Azure Arc enabled Kubernetes"
++ Last updated : 02/15/2021+++
+description: "This article provides a conceptual overview of GitOps and configurations capability of Azure Arc enabled Kubernetes."
+keywords: "Kubernetes, Arc, Azure, containers, configuration, GitOps"
++
+# Configurations and GitOps with Azure Arc enabled Kubernetes
+
+In relation to Kubernetes, GitOps is the practice of declaring the desired state of Kubernetes cluster configurations (deployments, namespaces, etc.) in a Git repository. This declaration is followed by a polling and pull-based deployment of these cluster configurations using an operator. The Git repository can contain:
+* YAML-format manifests describing any valid Kubernetes resources, including Namespaces, ConfigMaps, Deployments, DaemonSets, etc.
+* Helm charts for deploying applications.
+
+[Flux](https://docs.fluxcd.io/), a popular open-source tool in the GitOps space, can be deployed on the Kubernetes cluster to ease the flow of configurations from a Git repo to a Kubernetes cluster. Flux supports the deployment of its operator at both the cluster and namespace scopes. A flux operator deployed with namespace scope can only deploy Kubernetes objects within that specific namespace. The ability to choose between cluster or namespace scope helps you achieve multi-tenant deployment patterns on the same Kubernetes cluster.
+
+## Configurations
+
+[ ![Configurations architecture](./media/conceptual-configurations.png) ](./media/conceptual-configurations.png#lightbox)
+
+The connection between your cluster and a Git repository is created as a `Microsoft.KubernetesConfiguration/sourceControlConfigurations` extension resource on top of the Azure Arc enabled Kubernetes resource (represented by `Microsoft.Kubernetes/connectedClusters`) in Azure Resource Manager.
+
+The `sourceControlConfiguration` resource properties are used to deploy Flux operator on the cluster with the appropriate parameters, such as the Git repo from which to pull manifests and the polling interval at which to pull them. The `sourceControlConfiguration` data is stored encrypted, at rest in an Azure Cosmos DB database to ensure data confidentiality.
+
+The `config-agent` running in your cluster is responsible for:
+* Tracking new or updated `sourceControlConfiguration` extension resources on the Azure Arc enabled Kubernetes resource.
+* Deploying a Flux operator to watch the Git repository for each `sourceControlConfiguration`.`
+* Applying any updates made to any `sourceControlConfiguration`.
+
+You can create multiple namespace-scoped `sourceControlConfiguration` resources on the same Azure Arc enabled Kubernetes cluster to achieve multi-tenancy.
+
+> [!NOTE]
+> * Since the `config-agent` monitors for new or updated `sourceControlConfiguration` extension resources to be available on Azure Arc enabled Kubernetes resource, agents require connectivity for the desired state to be pulled down to the cluster. Whenever agents aren't able to connect to Azure, the desired state properties declared on the `sourceControlConfiguration` resource in Azure Resource Manager are not applied on the cluster.
+> * Sensitive customer inputs like private key, known hosts content, HTTPS username, and token/password are not stored for more than 48 hours in the Azure Arc enabled Kubernetes services. If you are using sensitive inputs for configurations, be advised to bring the clusters online as regularly as possible.
+
+## Apply configurations at scale
+
+Since Azure Resource Manager manages your configurations, you can use Azure Policy to automate the creation of the same configuration on all Azure Arc enabled Kubernetes resources within the scope of a subscription or a resource group.
+
+This at-scale enforcement ensures that a common baseline configuration (containing configurations like ClusterRoleBindings, RoleBindings, and NetworkPolicy) can be applied across the entire fleet or inventory of Azure Arc enabled Kubernetes clusters.
+
+## Next steps
+
+* [Connect a cluster to Azure Arc](./connect-cluster.md)
+* [Create configurations on your Arc enabled Kubernetes cluster](./use-gitops-connected-cluster.md)
+* [Use Azure Policy to apply configurations at scale](./use-azure-policy.md)
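Review bot: The second bullet of the NOTE under "Configurations" says sensitive inputs (private key, known hosts content, HTTPS username, token/password) are not stored for more than 48 hours, but it never says what happens to a cluster that stays offline longer than that, and "as regularly as possible" gives the reader no action to take. Spell out the consequence, for instance whether the configuration has to be created again with the secrets re-supplied, and give a concrete interval that fits the 48-hour limit. Also in this file: there is a stray backtick after the period in the second `config-agent` bullet, and "stored encrypted, at rest in an Azure Cosmos DB database" reads better as "stored encrypted at rest in an Azure Cosmos DB database".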
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/connect-cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/connect-cluster.md
@@ -3,7 +3,7 @@ Title: "Connect an Azure Arc enabled Kubernetes cluster (Preview)"
# Previously updated : 02/09/2021 Last updated : 02/15/2021
@@ -14,7 +14,7 @@
# Connect an Azure Arc enabled Kubernetes cluster (Preview)
-This article covers the process of connecting any Cloud Native Computing Foundation (CNCF) certified Kubernetes cluster, such as AKS-engine on Azure, AKS-engine on Azure Stack Hub, GKE, EKS, and VMware vSphere cluster to Azure Arc.
+This article provides a walk-through on connecting any existing Kubernetes cluster to Azure Arc. A conceptual overview of the same can be found [here](./conceptual-agent-architecture.md).
## Before you begin
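Review bot: The rewritten intro sentence drops the "Cloud Native Computing Foundation (CNCF) certified" qualifier and now says "any existing Kubernetes cluster", which reads as a wider support statement than the line it replaces. If certification is still a requirement, keep it in this sentence or add it to the prerequisites list. The link text "here" should name the target article instead.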
@@ -25,9 +25,9 @@ Verify you have prepared the following prerequisites:
* Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes). * A kubeconfig file to access the cluster and cluster-admin role on the cluster for deployment of Arc enabled Kubernetes agents. * The user or service principal used with `az login` and `az connectedk8s connect` commands must have the 'Read' and 'Write' permissions on the 'Microsoft.Kubernetes/connectedclusters' resource type. The "Kubernetes Cluster - Azure Arc Onboarding" role has these permissions and can be used for role assignments on the user or service principal.
-* Helm 3 for the onboarding the cluster using a connectedk8s extension. [Install the latest release of Helm 3](https://helm.sh/docs/intro/install) to meet this requirement.
+* Helm 3 for onboarding the cluster using a `connectedk8s` extension. [Install the latest release of Helm 3](https://helm.sh/docs/intro/install) to meet this requirement.
* Azure CLI version 2.15+ for installing the Azure Arc enabled Kubernetes CLI extensions. [Install Azure CLI](/cli/azure/install-azure-cli?view=azure-cli-latest&preserve-view=true) or update to the latest version.
-* Install the Arc enabled Kubernetes CLI extensions:
+* Install the Azure Arc enabled Kubernetes CLI extensions:
* Install the `connectedk8s` extension, which helps you connect Kubernetes clusters to Azure:
@@ -68,7 +68,7 @@ Azure Arc agents require the following protocols/ports/outbound URLs to function
| `https://mcr.microsoft.com` | Required to pull container images for Azure Arc agents. | | `https://eus.his.arc.azure.com`, `https://weu.his.arc.azure.com` | Required to pull system-assigned managed identity certificates. |
-## Register the two providers for Azure Arc enabled Kubernetes:
+## Register the two providers for Azure Arc enabled Kubernetes
```console az provider register --namespace Microsoft.Kubernetes
@@ -130,20 +130,28 @@ Helm release deployment succeeded
"serverAppId": "", "tenantId": "" },
- "agentPublicKeyCertificate": "...",
- "agentVersion": "0.1.0",
- "id": "/subscriptions/57ac26cf-a9f0-4908-b300-9a4e9a0fb205/resourceGroups/AzureArcTest/providers/Microsoft.Kubernetes/connectedClusters/AzureArcTest1",
+ "agentPublicKeyCertificate": "xxxxxxxxxxxxxxxxxxx",
+ "agentVersion": null,
+ "connectivityStatus": "Connecting",
+ "distribution": "gke",
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/AzureArcTest/providers/Microsoft.Kubernetes/connectedClusters/AzureArcTest1",
"identity": {
- "principalId": null,
- "tenantId": null,
- "type": "None"
+ "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "type": "SystemAssigned"
},
- "kubernetesVersion": "v1.15.0",
+ "infrastructure": "gcp",
+ "kubernetesVersion": null,
+ "lastConnectivityTime": null,
"location": "eastus",
+ "managedIdentityCertificateExpirationTime": null,
"name": "AzureArcTest1",
+ "offering": null,
+ "provisioningState": "Succeeded",
"resourceGroup": "AzureArcTest", "tags": {},
- "totalNodeCount": 1,
+ "totalCoreCount": null,
+ "totalNodeCount": null,
"type": "Microsoft.Kubernetes/connectedClusters" } ```
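Review bot: The new sample output shows `agentVersion`, `kubernetesVersion`, `lastConnectivityTime`, `managedIdentityCertificateExpirationTime`, `totalCoreCount` and `totalNodeCount` as `null` with `connectivityStatus` set to `Connecting`, and nothing in the hunk tells the reader that this is the expected state immediately after onboarding. Add a sentence after the output saying these fields are filled in once the agents push cluster metadata and a heartbeat to Azure, so a reader does not treat the nulls as a failed connection. Replacing the subscription GUID and certificate with `xxxxxxxx` placeholders is a good change.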
@@ -171,7 +179,7 @@ You can also view this resource on the [Azure portal](https://portal.azure.com/)
## Connect using an outbound proxy server
-If your cluster is behind an outbound proxy server, Azure CLI and the Arc enabled Kubernetes agents need to route their requests via the outbound proxy server:
+If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc enabled Kubernetes agents need to route their requests via the outbound proxy server:
1. Check the version of `connectedk8s` extension installed on your machine:
@@ -208,9 +216,9 @@ If your cluster is behind an outbound proxy server, Azure CLI and the Arc enable
> [!NOTE] > * Specifying `excludedCIDR` under `--proxy-skip-range` is important to ensure in-cluster communication is not broken for the agents. > * While `--proxy-http`, `--proxy-https`, and `--proxy-skip-range` are expected for most outbound proxy environments, `--proxy-cert` is only required if trusted certificates from proxy need to be injected into trusted certificate store of agent pods.
-> * The above proxy specification is currently applied only for Arc agents and not for the flux pods used in sourceControlConfiguration. The Arc enabled Kubernetes team is actively working on this feature and it will be available soon.
+> * The above proxy specification is currently applied only for Arc agents and not for the flux pods used in sourceControlConfiguration. The Azure Arc enabled Kubernetes team is actively working on this feature and it will be available soon.
-## Azure Arc agents for Kubernetes
+## Azure Arc Agents for Kubernetes
Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namespace. You can view these deployments and pods using:
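Review bot: The heading change to "Azure Arc Agents for Kubernetes" capitalises "Agents" while the other headings in this file stay in sentence case ("Connect using an outbound proxy server", "Delete a connected cluster"). Keep "Azure Arc agents for Kubernetes".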
@@ -240,17 +248,7 @@ pod/metrics-agent-58b765c8db-n5l7k 2/2 Running 0 16h
pod/resource-sync-agent-5cf85976c7-522p5 3/3 Running 0 16h ```
-Azure Arc enabled Kubernetes consists of a few agents (operators) that run in your cluster deployed to the `azure-arc` namespace.
-
-| Agents (Operators) | Description |
-| | |
-| `deployment.apps/config-agent` | Watches the connected cluster for source control configuration resources applied on the cluster and updates compliance state. |
-| `deployment.apps/controller-manager` | An operator of operators that orchestrates interactions between Azure Arc components. |
-| `deployment.apps/metrics-agent` | Collects performance metrics of other Arc agents. |
-| `deployment.apps/cluster-metadata-operator` | Gathers cluster metadata, such as cluster version, node count, and Azure Arc agent version. |
-| `deployment.apps/resource-sync-agent` | Syncs the above mentioned cluster metadata to Azure. |
-| `deployment.apps/clusteridentityoperator` | Azure Arc enabled Kubernetes currently supports system-assigned identity. `clusteridentityoperator` maintains the managed service identity (MSI) certificate used by other agents for communication with Azure. |
-| `deployment.apps/flux-logs-agent` | Collects logs from the flux operators deployed as a part of source control configuration. |
+Verify that all pods are in a `Running` state.
## Delete a connected cluster
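Review bot: Removing the agent table leaves only "Verify that all pods are in a `Running` state." with no pointer to what each deployment in the `azure-arc` namespace does. The table now lives in conceptual-agent-architecture.md, so link to it from this section; anyone auditing what the onboarding installed on the cluster should still be able to reach the descriptions from here.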
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/faq.md
@@ -0,0 +1,68 @@
+
+ Title: "Azure Arc enabled Kubernetes frequently asked questions"
++ Last updated : 02/15/2021+++
+description: "This article contains a list of frequently asked questions related to Azure Arc enabled Kubernetes"
+keywords: "Kubernetes, Arc, Azure, containers, configuration, GitOps, faq"
++
+# Frequently Asked Questions - Azure Arc enabled Kubernetes
+
+This article addresses frequently asked questions about Azure Arc enabled Kubernetes.
+
+## What is the difference between Azure Arc enabled Kubernetes and Azure Kubernetes Service (AKS)?
+
+AKS is the managed Kubernetes offering by Azure. AKS simplifies deploying a managed Kubernetes cluster in Azure by offloading much of the complexity and operational overhead to Azure. Since the Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes.
+
+Azure Arc enabled Kubernetes allows you to extend AzureΓÇÖs management capabilities (like Azure Monitor and Azure Policy) by connecting Kubernetes clusters to Azure. You maintain the underlying Kubernetes cluster itself.
+
+## Do I need to connect my AKS clusters running on Azure to Azure Arc?
+
+No. All Azure Arc enabled Kubernetes features, including Azure Monitor and Azure Policy (Gatekeeper), are available on AKS (a native resource in Azure Resource Manager).
+
+## Should I connect my AKS-HCI cluster and Kubernetes clusters on Azure Stack Hub and Azure Stack Edge to Azure Arc?
+
+Yes, connecting your AKS-HCI cluster or Kubernetes clusters on Azure Stack Edge or Azure Stack Hub to Azure Arc provides clusters with resource representation in Azure Resource Manager. This resource representation extends capabilities like Cluster Configuration, Azure Monitor, and Azure Policy (Gatekeeper) to the Kubernetes clusters you connect.
+
+## How to address expired Azure Arc enabled Kubernetes resources?
+
+The Managed service identity (MSI) certificate associated with your Azure Arc enabled Kuberenetes has an expiration window of 90 days. Once this certificate expires, the resource is considered `Expired` and all features such as configuration, monitoring and policy stop working on this cluster. Follow these steps to get your Kubernetes cluster working with Azure Arc again:
+
+1. Delete Azure Arc enabled Kubernetes resource and agents on the cluster
+
+ ```console
+ az connectedk8s delete -n <name> -g <resource-group>
+ ```
+
+1. Recreate the Azure Arc enabled Kubernetes resource by deploying agents on the cluster again.
+
+ ```console
+ az connectedk8s connect -n <name> -g <resource-group>
+ ```
+
+> [!NOTE]
+> `az connectedk8s delete` will also delete configurations on top of the cluster. After running `az connectedk8s connect`, create the configurations on the cluster again, either manually or using Azure Policy.
+
+## If I am already using CI/CD pipelines, can I still use Azure Arc enabled Kubernetes and configurations?
+
+Yes, you can still use configurations on a cluster receiving deployments via a CI/CD pipeline. Compared to traditional CI/CD pipelines, configurations feature two extra benefits:
+
+**Drift reconciliation**
+
+The CI/CD pipeline applies changes only once during pipeline run. However, the GitOps operator on the cluster continuously polls the Git repository to fetch the desired state of Kubernetes resources on the cluster. If the GitOps operator finds the desired state of resources to be different from the actual state of resources on the cluster, this drift is reconciled.
+
+**Apply GitOps at scale**
+
+CI/CD pipelines are good for event driven deployments to your Kubernetes cluster, where the event could be a push to a Git repository. However, deployment of the same configuration to all your Kubernetes clusters requires the CI/CD pipeline to be configured with credentials of each of these Kubernetes clusters manually. On the other hand, in the case of Azure Arc enabled Kubernetes, since Azure Resource Manager manages your configurations, you can use Azure Policy to automate the application of the desired configuration on all Kubernetes clusters under a subscription or resource group scope in one go. This capability is even applicable to Azure Arc enabled Kubernetes resources created after the policy assignment.
+
+The configurations feature is used to apply baseline configurations like network policies, role bindings, and pod security policies across the entire inventory of Kubernetes clusters for compliance and governance requirements.
+
+## Next steps
+
+* [Connect a cluster to Azure Arc](./connect-cluster.md)
+* [Create configurations on your Arc enabled Kubernetes cluster](./use-gitops-connected-cluster.md)
+* [Use Azure Policy to apply configurations at scale](./use-azure-policy.md)
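Review bot: In "How to address expired Azure Arc enabled Kubernetes resources?", the NOTE warning that `az connectedk8s delete` also deletes configurations sits after both steps, so a reader working down the list runs the destructive command before seeing it. Move the NOTE above step 1, or fold the warning into step 1 itself. Also fix "Kuberenetes" in the first sentence of that section and the mis-encoded apostrophe in "AzureΓÇÖs" in the first answer.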
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/overview.md
@@ -3,7 +3,7 @@ Title: "Overview of Azure Arc enabled Kubernetes"
# Previously updated : 05/19/2020 Last updated : 02/15/2021
@@ -57,22 +57,6 @@ Azure Arc enabled Kubernetes is currently supported in these regions:
* East US * West Europe
-## Frequently Asked Questions
-
-* What is the difference between Azure Arc enabled Kubernetes and Azure Kubernetes Service (AKS)?
-
- Azure Kubernetes Service (AKS) is the managed Kubernetes offering by Azure. AKS makes it simple to deploy a managed Kubernetes cluster in Azure. AKS reduces the complexity and operational overhead of managing Kubernetes by offloading much of that responsibility to Azure. The Kubernetes masters are managed by Azure. You only manage and maintain the agent nodes.
-
- Azure Arc enabled Kubernetes allows you to connect Kubernetes clusters to Azure for extending Azure's management capabilities like Azure Monitor and Azure Policy. The maintenance of the underlying Kubernetes cluster itself is done by you.
-
-* Do I need to connect my Azure Kubernetes Service clusters running on Azure to Azure Arc?
-
- No. All features of Azure Arc enabled Kubernetes like Azure Monitor, Azure Policy (Gatekeeper) are natively available with AKS, which already has a resource representation in Azure.
-
-* Should I connect my AKS cluster on Azure Stack HCI to Azure Arc? What about Kubernetes clusters running on Azure Stack Hub or Azure Stack Edge?
-
- Yes, connecting these clusters to Azure Arc does have benefits. It provides a resource representation for these Kubernetes clusters in Azure Resource Manager. Using this resource representation, capabilities like Cluster Configuration, Azure Monitor, Azure Policy (Gatekeeper) can be extended to these Kubernetes clusters
- ## Next steps * [Connect a cluster](./connect-cluster.md)
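Review bot: The "Frequently Asked Questions" section is removed here without any pointer to the new faq.md added in the same change, so readers of the overview lose the path to those answers. Add a link to faq.md under "Next steps".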
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/use-azure-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/use-azure-policy.md
@@ -3,7 +3,7 @@ Title: "Use Azure Policy to apply cluster configurations at scale (Preview)"
# Previously updated : 02/10/2021 Last updated : 02/15/2021
@@ -70,4 +70,4 @@ For existing clusters, you will need to manually run a remediation task. This ta
## Next steps
-* [Set up Azure Monitor for Containers with Arc enabled Kubernetes clusters](../../azure-monitor/insights/container-insights-enable-arc-enabled-clusters.md)
+* [Set up Azure Monitor for Containers with Arc enabled Kubernetes clusters](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md)
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/use-gitops-connected-cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/use-gitops-connected-cluster.md
@@ -3,7 +3,7 @@ Title: "Deploy configurations using GitOps on Arc enabled Kubernetes cluster (Pr
# Previously updated : 02/09/2021 Last updated : 02/15/2021
@@ -11,40 +11,20 @@ description: "Use GitOps to configure an Azure Arc enabled Kubernetes cluster (P
keywords: "GitOps, Kubernetes, K8s, Azure, Arc, Azure Kubernetes Service, AKS, containers"
-# Deploy configurations using GitOps on Arc enabled Kubernetes cluster (Preview)
+# Deploy configurations using GitOps on an Arc enabled Kubernetes cluster (Preview)
-In relation to Kubernetes, GitOps is the practice of declaring the desired state of Kubernetes cluster configurations (deployments, namespaces, etc.) in a Git repository. This declaration is followed by a polling and pull-based deployment of these cluster configurations using an operator.
-
-This article covers the setup of GitOps workflows on Azure Arc enabled Kubernetes clusters.
-
-The connection between your cluster and a Git repository is created as a `Microsoft.KubernetesConfiguration/sourceControlConfigurations` extension resource in Azure Resource Manager. The `sourceControlConfiguration` resource properties represent where and how Kubernetes resources should flow from Git to your cluster. The `sourceControlConfiguration` data is stored encrypted, at rest in an Azure Cosmos DB database to ensure data confidentiality.
-
-The `config-agent` running in your cluster is responsible for:
-* Tracking new or updated `sourceControlConfiguration` extension resources on the Azure Arc enabled Kubernetes resource.
-* Deploying a Flux operator to watch the Git repository for each `sourceControlConfiguration`.
-* Applying any updates made to any `sourceControlConfiguration`.
-
-You can create multiple `sourceControlConfiguration` resources on the same Azure Arc enabled Kubernetes cluster to achieve multi-tenancy. Limit deployments to within the respective namespaces by creating each `sourceControlConfiguration` with a different `namespace` scope.
-
-The Git repository can contain:
-* YAML-format manifests describing any valid Kubernetes resources, including Namespaces, ConfigMaps, Deployments, DaemonSets, etc.
-* Helm charts for deploying applications.
-
-A common set of scenarios includes defining a baseline configuration for your organization, such as common Azure roles and bindings, monitoring or logging agents, or cluster-wide services.
-
-The same pattern can be used to manage a larger collection of clusters, which may be deployed across heterogeneous environments. For example, you have one repository that defines the baseline configuration for your organization, which applies to multiple Kubernetes clusters at once. [Azure Policy can automate](use-azure-policy.md) the creation of a `sourceControlConfiguration` with a specific set of parameters on all Azure Arc enabled Kubernetes resources within a scope (subscription or resource group).
-
-Walk through the following steps to learn how to apply a set of configurations with `cluster-admin` scope.
+This article demonstrates applying configurations on an Azure Arc enabled Kubernetes cluster. A conceptual overview of the same can be found [here](./conceptual-configurations.md).
## Before you begin
-Verify you have an existing Azure Arc enabled Kubernetes connected cluster. If you need a connected cluster, see the [Connect an Azure Arc enabled Kubernetes cluster quickstart](./connect-cluster.md).
+* Verify you have an existing Azure Arc enabled Kubernetes connected cluster. If you need a connected cluster, see the [Connect an Azure Arc enabled Kubernetes cluster quickstart](./connect-cluster.md).
+
+* Review the [Configurations and GitOps with Arc for Kubernetes article](./conceptual-configurations.md) to understand the benefits and architecture of this feature.
## Create a configuration The [example repository](https://github.com/Azure/arc-k8s-demo) used in this article is structured around the persona of a cluster operator who would like to provision a few namespaces, deploy a common workload, and provide some team-specific configuration. Using this repository creates the following resources on your cluster: - * **Namespaces:** `cluster-config`, `team-a`, `team-b` * **Deployment:** `cluster-config/azure-vote` * **ConfigMap:** `team-a/endpoints`
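Review bot: The removed intro ended with "Walk through the following steps to learn how to apply a set of configurations with `cluster-admin` scope.", and the replacement sentence no longer tells the reader what scope the walkthrough's configuration runs with. Keep a one-line statement of the scope near "Create a configuration", since it determines what the Flux operator is allowed to change on the cluster. The new title also says "an Arc enabled Kubernetes cluster" while connect-cluster.md in this change moves to "Azure Arc enabled"; use one form. The link text "here" should name the target article.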
@@ -380,4 +360,4 @@ Command group 'k8sconfiguration' is in preview. It may be changed/removed in a f
## Next steps - [Use Helm with source control configuration](./use-gitops-with-helm.md)-- [Use Azure Policy to govern cluster configuration](./use-azure-policy.md)
+- [Use Azure Policy to govern cluster configuration](./use-azure-policy.md)
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/use-gitops-with-helm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/use-gitops-with-helm.md
@@ -3,7 +3,7 @@ Title: "Deploy Helm Charts using GitOps on Arc enabled Kubernetes cluster(Previe
# Previously updated : 02/09/2021 Last updated : 02/15/2021
@@ -77,7 +77,7 @@ You can learn more about the HelmRelease in the official [Helm Operator document
Using the Azure CLI extension for `k8sconfiguration`, link your connected cluster to the example Git repository. Give this configuration the name `azure-arc-sample` and deploy the Flux operator in the `arc-k8s-demo` namespace. ```console
-az k8sconfiguration create --name azure-arc-sample --cluster-name AzureArcTest1 --resource-group AzureArcTest --operator-instance-name flux --operator-namespace arc-k8s-demo --operator-params='--git-readonly --git-path=releases' --enable-helm-operator --helm-operator-version='0.6.0' --helm-operator-params='--set helm.versions=v3' --repository-url https://github.com/Azure/arc-helm-demo.git --scope namespace --cluster-type connectedClusters
+az k8sconfiguration create --name azure-arc-sample --cluster-name AzureArcTest1 --resource-group AzureArcTest --operator-instance-name flux --operator-namespace arc-k8s-demo --operator-params='--git-readonly --git-path=releases' --enable-helm-operator --helm-operator-version='1.2.0' --helm-operator-params='--set helm.versions=v3' --repository-url https://github.com/Azure/arc-helm-demo.git --scope namespace --cluster-type connectedClusters
``` ### Configuration Parameters
@@ -108,7 +108,7 @@ Command group 'k8sconfiguration' is in preview. It may be changed/removed in a f
"enableHelmOperator": "True", "helmOperatorProperties": { "chartValues": "--set helm.versions=v3",
- "chartVersion": "0.6.0"
+ "chartVersion": "1.2.0"
}, "id": "/subscriptions/57ac26cf-a9f0-4908-b300-9a4e9a0fb205/resourceGroups/AzureArcTest/providers/Microsoft.Kubernetes/connectedClusters/AzureArcTest1/providers/Microsoft.KubernetesConfiguration/sourceControlConfigurations/azure-arc-sample", "name": "azure-arc-sample",
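Review bot: The `id` context line in this sample output still carries a concrete subscription GUID (`/subscriptions/57ac26cf-...`), while connect-cluster.md in the same change replaces that value with an `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` placeholder. Apply the same redaction here while the `chartVersion` line is being touched.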
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/agent-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/agent-overview.md
@@ -1,7 +1,7 @@
Title: Overview of the Connected Machine Windows agent description: This article provides a detailed overview of the Azure Arc enabled servers agent available, which supports monitoring virtual machines hosted in hybrid environments. Previously updated : 02/03/2021 Last updated : 02/16/2021
@@ -28,6 +28,30 @@ The Azure Connected Machine agent package contains several logical components, w
* The Extension agent manages VM extensions, including install, uninstall, and upgrade. Extensions are downloaded from Azure and copied to the `%SystemDrive%\%ProgramFiles%\AzureConnectedMachineAgent\ExtensionService\downloads` folder on Windows, and for Linux to `/opt/GC_Ext/downloads`. On Windows, the extension is installed to the following path `%SystemDrive%\Packages\Plugins\<extension>`, and on Linux the extension is installed to `/var/lib/waagent/<extension>`.
+## Instance metadata
+
+Metadata information about the connected machine is collected after the Connected Machine agent registers with Arc enabled servers. Specifically:
+
+* Operating system name, type, and version
+* Computer name
+* Computer fully qualified domain name (FQDN)
+* Connected Machine agent version
+* Active Directory and DNS fully qualified domain name (FQDN)
+* UUID (BIOS ID)
+* Connected Machine agent heartbeat
+* Connected Machine agent version
+* Public key for managed identity
+* Policy compliance status and details (if using Azure Policy Guest Configuration policies)
+
+The following metadata information is requested by the agent from Azure:
+
+* Resource location (region)
+* Virtual machine ID
+* Tags
+* Azure Active Directory managed identity certificate
+* Guest configuration policy assignments
+* Extension requests - install, update, and delete.
+ ## Download agents You can download the Azure Connected Machine agent package for Windows and Linux from the locations listed below.
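Review bot: The first added list under "Instance metadata" names "Connected Machine agent version" twice (fourth and eighth bullets); drop the second one. The two FQDN bullets ("Computer fully qualified domain name (FQDN)" and "Active Directory and DNS fully qualified domain name (FQDN)") also read as overlapping, so state what distinguishes them or merge them. The item "Public key for managed identity" would benefit from one sentence on what it is used for, since readers will use this list to assess what leaves the machine.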
@@ -81,7 +105,7 @@ To ensure the security of data in transit to Azure, we strongly encourage you to
The Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. If the machine connects through a firewall or proxy server to communicate over the Internet, review the following to understand the network configuration requirements. > [!NOTE]
-> Arc enabled servers does not support using a [Log Analytics gateway](../../azure-monitor/platform/gateway.md) as a proxy for the Connected Machine agent.
+> Arc enabled servers does not support using a [Log Analytics gateway](../../azure-monitor/agents/gateway.md) as a proxy for the Connected Machine agent.
> If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked. When you only allow the IP ranges or domain names required for the agent to communicate with the service, you need to allow access to the following Service Tags and URLs.
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/data-residency https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/data-residency.md
@@ -2,7 +2,7 @@
Title: Data residency description: Data residency and information about Azure Arc enabled servers. Previously updated : 10/08/2020 Last updated : 02/16/2021
@@ -18,10 +18,16 @@ Azure Arc enabled servers store [Azure VM extension](manage-vm-extensions.md) co
Metadata information about the connected machine is also collected. Specifically:
-* Operating system name and version
+* Operating system name, type, and version
* Computer name * Computer fully qualified domain name (FQDN) * Connected Machine agent version
+* Active Directory and DNS fully qualified domain name (FQDN)
+* UUID (BIOS ID)
+* Connected Machine agent heartbeat
+* Connected Machine agent version
+* Public key for managed identity
+* Policy compliance status and details (if using Azure Policy Guest Configuration policies)
Arc enabled servers allow you to specify the region where your data will be stored. Microsoft may replicate to other regions for data resiliency, but Microsoft does not replicate or move data outside the geography. This data is stored in the region where the Azure Arc machine resource is configured. For example, if the machine is registered with Arc in the East US region, this data is stored in the US region.
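Review bot: The added bullet "+* Connected Machine agent version" duplicates the unchanged "Connected Machine agent version" bullet already in this list, so the item now appears twice; remove the added copy. This list is also a second copy of the one added to agent-overview.md under "Instance metadata", so consider keeping it in one place and linking to it, otherwise the two will drift on the next update.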
@@ -29,4 +35,4 @@ For more information about our regional resiliency and compliance support, see [
## Next steps
-Learn more about designing for [Azure resiliency](/azure/architecture/reliability/architect).
+Learn more about designing for [Azure resiliency](/azure/architecture/reliability/architect).
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/learn/tutorial-enable-vm-insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/learn/tutorial-enable-vm-insights.md
@@ -7,7 +7,7 @@ Last updated 09/23/2020
# Tutorial: Monitor a hybrid machine with Azure Monitor for VMs
-[Azure Monitor](../overview.md) can collect data directly from your hybrid machines into a Log Analytics workspace for detailed analysis and correlation. Typically this would entail installing the [Log Analytics agent](../../../azure-monitor/platform/agents-overview.md#log-analytics-agent) on the machine using a script, manually, or automated method following your configuration management standards. Arc enabled servers recently introduced support to install the Log Analytics and Dependency agent [VM extensions](../manage-vm-extensions.md) for Windows and Linux, enabling Azure Monitor to collect data from your non-Azure VMs.
+[Azure Monitor](../overview.md) can collect data directly from your hybrid machines into a Log Analytics workspace for detailed analysis and correlation. Typically this would entail installing the [Log Analytics agent](../../../azure-monitor/agents/agents-overview.md#log-analytics-agent) on the machine using a script, manually, or automated method following your configuration management standards. Arc enabled servers recently introduced support to install the Log Analytics and Dependency agent [VM extensions](../manage-vm-extensions.md) for Windows and Linux, enabling Azure Monitor to collect data from your non-Azure VMs.
This tutorial shows you how to configure and collect data from your Linux or Windows machines by enabling Azure Monitor for VMs following a simplified set of steps, which streamlines the experience and takes a shorter amount of time.
@@ -17,9 +17,9 @@ This tutorial shows you how to configure and collect data from your Linux or Win
* VM extension functionality is available only in the list of [supported regions](../overview.md#supported-regions).
-* See [Supported operating systems](../../../azure-monitor/insights/vminsights-enable-overview.md#supported-operating-systems) to ensure that the servers operating system you're enabling is supported by Azure Monitor for VMs.
+* See [Supported operating systems](../../../azure-monitor/vm/vminsights-enable-overview.md#supported-operating-systems) to ensure that the servers operating system you're enabling is supported by Azure Monitor for VMs.
-* Review firewall requirements for the Log Analytics agent provided in the [Log Analytics agent overview](../../../azure-monitor/platform/log-analytics-agent.md#network-requirements). The Azure Monitor for VMs Map Dependency agent doesn't transmit any data itself, and it doesn't require any changes to firewalls or ports.
+* Review firewall requirements for the Log Analytics agent provided in the [Log Analytics agent overview](../../../azure-monitor/agents/log-analytics-agent.md#network-requirements). The Azure Monitor for VMs Map Dependency agent doesn't transmit any data itself, and it doesn't require any changes to firewalls or ports.
## Sign in to Azure portal
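Review bot: On the changed "Supported operating systems" bullet, "the servers operating system you're enabling" is missing the possessive; since the line is already being touched for the link path, change it to "the server's operating system".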
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/manage-agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-agent.md
@@ -307,7 +307,7 @@ If you are planning to stop managing the machine with supporting services in Azu
To configure the agent to communicate to the service through a proxy server or remove this configuration after deployment, or use one of the following methods to complete this task. > [!NOTE]
-> Arc enabled servers does not support using a [Log Analytics gateway](../../azure-monitor/platform/gateway.md) as a proxy for the Connected Machine agent.
+> Arc enabled servers does not support using a [Log Analytics gateway](../../azure-monitor/agents/gateway.md) as a proxy for the Connected Machine agent.
> ### Windows
@@ -350,6 +350,6 @@ sudo azcmagent_proxy remove
* Troubleshooting information can be found in the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md).
-* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/insights/vminsights-enable-policy.md), and much more.
+* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
-* Learn more about the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
+* Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-portal.md
@@ -28,7 +28,7 @@ VM extensions can be applied your Arc for server managed machine through the Azu
![Install Log Analytics VM extension](./media/manage-vm-extensions/mma-extension-config.png)
- To complete the installation, you are required to provide the workspace ID and primary key. If you are not familiar with how to find this information, see [obtain workspace ID and key](../../azure-monitor/platform/log-analytics-agent.md#workspace-id-and-key).
+ To complete the installation, you are required to provide the workspace ID and primary key. If you are not familiar with how to find this information, see [obtain workspace ID and key](../../azure-monitor/agents/log-analytics-agent.md#workspace-id-and-key).
4. After confirming the required information provided, select **Create**. A summary of the deployment is displayed and you can review the status of the deployment.
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-template.md
@@ -1,7 +1,7 @@
Title: Enable VM extension using Azure Resource Manager template description: This article describes how to deploy virtual machine extensions to Azure Arc enabled servers running in hybrid cloud environments using an Azure Resource Manager template. Previously updated : 02/03/2021 Last updated : 02/10/2021
@@ -540,7 +540,7 @@ To use the PowerShell DSC extension, the following sample is provided to run on
## Deploy the Dependency agent extension
-To use the Azure Monitor Dependency agent extension, the following sample is provided to run on Windows and Linux. If you are unfamiliar with the Dependency agent, see [Overview of Azure Monitor agents](../../azure-monitor/platform/agents-overview.md#dependency-agent).
+To use the Azure Monitor Dependency agent extension, the following sample is provided to run on Windows and Linux. If you are unfamiliar with the Dependency agent, see [Overview of Azure Monitor agents](../../azure-monitor/agents/agents-overview.md#dependency-agent).
### Template file for Linux
@@ -626,13 +626,43 @@ The following JSON shows the schema for the Key Vault VM extension (preview). Th
```json {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "autoUpgradeMinorVersion":{
+ "type": "bool"
+ },
+ "pollingIntervalInS":{
+ "type": "int"
+ },
+ "certificateStoreName":{
+ "type": "string"
+ },
+ "certificateStoreLocation":{
+ "type": "string"
+ },
+ "observedCertificates":{
+ "type": "string"
+ },
+ "msiEndpoint":{
+ "type": "string"
+ },
+ "msiClientId":{
+ "type": "string"
+ }
+},
+"resources": [
+ {
"type": "Microsoft.HybridCompute/machines/extensions",
- "name": "KeyVaultForLinux",
- "apiVersion": "2019-07-01",
- "location": "<location>",
- "dependsOn": [
- "[concat('Microsoft.HybridCompute/machines/extensions/', <machineName>)]"
- ],
+ "name": "[concat(parameters('vmName'),'/KVVMExtensionForLinux')]",
+ "apiVersion": "2019-12-12",
+ "location": "[parameters('location')]",
"properties": { "publisher": "Microsoft.Azure.KeyVault", "type": "KeyVaultForLinux",
@@ -641,12 +671,18 @@ The following JSON shows the schema for the Key Vault VM extension (preview). Th
"settings": { "secretsManagementSettings": { "pollingIntervalInS": <polling interval in seconds, e.g. "3600">,
- "certificateStoreName": <ingnored on linux>,
+ "certificateStoreName": <ignored on linux>,
"certificateStoreLocation": <disk path where certificate is stored, default: "/var/lib/waagent/Microsoft.Azure.KeyVault">, "observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: "https://myvault.vault.azure.net/secrets/mycertificate"
- }
+ },
+ "authenticationSettings": {
+ "msiEndpoint": <MSI endpoint e.g.: "http://localhost:40342/metadata/identity">,
+ "msiClientId": <MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">
+ }
}
- }
+ }
+ }
+ ]
} ```
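Review bot: The Linux template now declares parameters (`pollingIntervalInS`, `certificateStoreName`, `certificateStoreLocation`, `observedCertificates`, `msiEndpoint`, `msiClientId`), but the `settings` body in this hunk still uses angle-bracket placeholders, so none of those parameters is referenced and the block is not valid JSON to pass to a deployment. Reference them instead, for example `"msiEndpoint": "[parameters('msiEndpoint')]"`, and move the explanatory text into a table or the surrounding prose. The declared types also disagree with the placeholders: `pollingIntervalInS` is declared `int` while the example value is the quoted string "3600", and `observedCertificates` is declared `string` while it is described as a list of Key Vault URIs. The unchanged `observedCertificates` placeholder is also missing its closing `>`. Finally, the closing `},` of `parameters` and the `"resources": [` line sit at column 0 and should be indented to match the rest of the template.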
@@ -654,13 +690,49 @@ The following JSON shows the schema for the Key Vault VM extension (preview). Th
```json {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "autoUpgradeMinorVersion":{
+ "type": "bool"
+ },
+ "pollingIntervalInS":{
+ "type": "int"
+ },
+ "certificateStoreName":{
+ "type": "string"
+ },
+ "linkOnRenewal":{
+ "type": "bool"
+ },
+ "certificateStoreLocation":{
+ "type": "string"
+ },
+ "requireInitialSync":{
+ "type": "bool"
+ },
+ "observedCertificates":{
+ "type": "string"
+ },
+ "msiEndpoint":{
+ "type": "string"
+ },
+ "msiClientId":{
+ "type": "string"
+ }
+},
+"resources": [
+ {
"type": "Microsoft.HybridCompute/machines/extensions",
- "name": "KVVMExtensionForWindows",
- "apiVersion": "2019-07-01",
- "location": "<location>",
- "dependsOn": [
- "[concat('Microsoft.HybridCompute/machines/extensions/', <machineName>)]"
- ],
+ "name": "[concat(parameters('vmName'),'/KVVMExtensionForWindows')]",
+ "apiVersion": "2019-12-12",
+ "location": "[parameters('location')]",
"properties": { "publisher": "Microsoft.Azure.KeyVault", "type": "KeyVaultForWindows",
@@ -668,28 +740,35 @@ The following JSON shows the schema for the Key Vault VM extension (preview). Th
"autoUpgradeMinorVersion": true, "settings": { "secretsManagementSettings": {
- "pollingIntervalInS": <polling interval in seconds, e.g: "3600">,
+ "pollingIntervalInS": "3600",
"certificateStoreName": <certificate store name, e.g.: "MY">, "linkOnRenewal": <Only Windows. This feature ensures s-channel binding when certificate renews, without necessitating a re-deployment. e.g.: false>, "certificateStoreLocation": <certificate store location, currently it works locally only e.g.: "LocalMachine">, "requireInitialSync": <initial synchronization of certificates e..g: true>,
- "observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: "https://myvault.vault.azure.net/secrets/mycertificate"
+ "observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: "https://myvault.vault.azure.net"
}, "authenticationSettings": {
- "msiEndpoint": <Optional MSI endpoint e.g.: "http://169.254.169.254/metadata/identity">,
- "msiClientId": <Optional MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">
+ "msiEndpoint": <MSI endpoint e.g.: "http://localhost:40342/metadata/identity">,
+ "msiClientId": <MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">
} }
- }
+ }
+ }
+ ]
} ``` > [!NOTE] > Your observed certificates URLs should be of the form `https://myVaultName.vault.azure.net/secrets/myCertName`.
->
+>
> This is because the `/secrets` path returns the full certificate, including the private key, while the `/certificates` path does not. More information about certificates can be found here: [Key Vault Certificates](../../key-vault/general/about-keys-secrets-certificates.md)
-Save the template file to disk. You can then install the extension on all the connected machines within a resource group with the following command.
+### Template deployment
+
+Save the template file to disk. You can then deploy the extension to the connected machine with the following command.
+
+> [!NOTE]
+> The VM extension would require a system-assigned identity to be assigned to authenticate to Key vault. See [How to authenticate to Key Vault using managed identity](managed-identity-authentication.md) for Windows and Linux Arc enabled servers.
```powershell New-AzResourceGroupDeployment -ResourceGroupName "ContosoEngineering" -TemplateFile "D:\Azure\Templates\KeyVaultExtension.json"
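Review bot: The changed `observedCertificates` example in the Windows template, "https://myvault.vault.azure.net", drops the `/secrets/mycertificate` path and so contradicts the note a few lines below in this same hunk, which requires the form `https://myVaultName.vault.azure.net/secrets/myCertName`; the Linux template keeps the full path. Restore the `/secrets/<name>` form here. Separately, `"pollingIntervalInS": "3600"` hard-codes a quoted string while the new parameter of that name is declared `int` and every other setting is still a placeholder; use `[parameters('pollingIntervalInS')]` or keep the placeholder style consistently. In the added note, "would require a system-assigned identity to be assigned to authenticate to Key vault" reads better as "requires a system-assigned identity to authenticate to Key Vault".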
@@ -773,7 +852,9 @@ To use the Azure Defender integrated scanner extension, the following sample is
} ```
-Save the template file to disk. You can then install the extension on all the connected machines within a resource group with the following command.
+### Template deployment
+
+Save the template file to disk. You can then deploy the extension to the connected machine with the following command.
```powershell New-AzResourceGroupDeployment -ResourceGroupName "ContosoEngineering" -TemplateFile "D:\Azure\Templates\AzureDefenderScanner.json"
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions.md
@@ -22,9 +22,9 @@ Azure Arc enabled servers VM extension support provides the following key benefi
- Use [Azure Automation State Configuration](../../automation/automation-dsc-overview.md) to centrally store configurations and maintain the desired state of hybrid connected machines enabled through the DSC VM extension. -- Collect log data for analysis with [Logs in Azure Monitor](../../azure-monitor/platform/data-platform-logs.md) enabled through the Log Analytics agent VM extension. This is useful for doing complex analysis across data from different kinds of sources.
+- Collect log data for analysis with [Logs in Azure Monitor](../../azure-monitor/logs/data-platform-logs.md) enabled through the Log Analytics agent VM extension. This is useful for doing complex analysis across data from different kinds of sources.
-- With [Azure Monitor for VMs](../../azure-monitor/insights/vminsights-overview.md), analyzes the performance of your Windows and Linux VMs, and monitor their processes and dependencies on other resources and external processes. This is achieved through enabling both the Log Analytics agent and Dependency agent VM extensions.
+- With [Azure Monitor for VMs](../../azure-monitor/vm/vminsights-overview.md), analyzes the performance of your Windows and Linux VMs, and monitor their processes and dependencies on other resources and external processes. This is achieved through enabling both the Log Analytics agent and Dependency agent VM extensions.
- Download and execute scripts on hybrid connected machines using the Custom Script Extension. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks.
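Review bot: The changed "Azure Monitor for VMs" bullet mixes verb forms ("analyzes the performance ... and monitor their processes"); while the link is being updated, make it parallel with the other bullets, for example "analyze the performance of your Windows and Linux VMs, and monitor their processes and dependencies".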
@@ -50,7 +50,7 @@ To learn about the Azure Connected Machine agent package and details about the E
|Log Analytics agent |Microsoft.EnterpriseCloud.Monitoring |MicrosoftMonitoringAgent |[Log Analytics VM extension for Windows](../../virtual-machines/extensions/oms-windows.md)| |Azure Monitor for VMs (insights) |Microsoft.Azure.Monitoring.DependencyAgent |DependencyAgentWindows | [Dependency agent virtual machine extension for Windows](../../virtual-machines/extensions/agent-dependency-windows.md)| |Azure Key Vault Certificate Sync | Microsoft.Azure.Key.Vault |KeyVaultForWindows | [Key Vault virtual machine extension for Windows](../../virtual-machines/extensions/key-vault-windows.md) |
-|Azure Monitor Agent |Microsoft.Azure.Monitor |AzureMonitorWindowsAgent |[Install the Azure Monitor agent (preview)](../../azure-monitor/platform/azure-monitor-agent-install.md) |
+|Azure Monitor Agent |Microsoft.Azure.Monitor |AzureMonitorWindowsAgent |[Install the Azure Monitor agent (preview)](../../azure-monitor/agents/azure-monitor-agent-install.md) |
### Linux extensions
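Review bot: The "Azure Key Vault Certificate Sync" row directly above the changed line lists the publisher as `Microsoft.Azure.Key.Vault`, while the Key Vault templates in manage-vm-extensions-template.md use `"publisher": "Microsoft.Azure.KeyVault"`. The Linux table in the next hunk carries the same value. Confirm which spelling is correct and align the tables and templates, since a reader copying the publisher from the table into a template would otherwise get a failed extension deployment.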
@@ -62,7 +62,7 @@ To learn about the Azure Connected Machine agent package and details about the E
|Log Analytics agent |Microsoft.EnterpriseCloud.Monitoring |OmsAgentForLinux |[Log Analytics VM extension for Linux](../../virtual-machines/extensions/oms-linux.md) | |Azure Monitor for VMs (insights) |Microsoft.Azure.Monitoring.DependencyAgent |DependencyAgentLinux |[Dependency agent virtual machine extension for Linux](../../virtual-machines/extensions/agent-dependency-linux.md) | |Azure Key Vault Certificate Sync | Microsoft.Azure.Key.Vault |KeyVaultForLinux | [Key Vault virtual machine extension for Linux](../../virtual-machines/extensions/key-vault-linux.md) |
-|Azure Monitor Agent |Microsoft.Azure.Monitor |AzureMonitorLinuxAgent |[Install the Azure Monitor agent (preview)](../../azure-monitor/platform/azure-monitor-agent-install.md) |
+|Azure Monitor Agent |Microsoft.Azure.Monitor |AzureMonitorLinuxAgent |[Install the Azure Monitor agent (preview)](../../azure-monitor/agents/azure-monitor-agent-install.md) |
## Prerequisites
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-dsc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/onboard-dsc.md
@@ -84,6 +84,6 @@ The [CompositeResource](https://www.powershellgallery.com/packages/compositereso
* Troubleshooting information can be found in the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md).
-* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/insights/vminsights-enable-policy.md), and much more.
+* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
-* Learn more about the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
+* Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/onboard-portal.md
@@ -161,6 +161,6 @@ After you install the agent and configure it to connect to Azure Arc enabled ser
* Troubleshooting information can be found in the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md).
-* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/insights/vminsights-enable-policy.md), and much more.
+* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
-* Learn more about the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
+* Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/onboard-powershell.md
@@ -98,6 +98,6 @@ After you install and configure the agent to register with Azure Arc enabled ser
* If necessary, see the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md).
-* Learn how to manage your machine by using [Azure Policy](../../governance/policy/overview.md). You can use VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verify that the machine is reporting to the expected Log Analytics workspace, and enable monitoring with [Azure Monitor with VMs](../../azure-monitor/insights/vminsights-enable-policy.md).
+* Learn how to manage your machine by using [Azure Policy](../../governance/policy/overview.md). You can use VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verify that the machine is reporting to the expected Log Analytics workspace, and enable monitoring with [Azure Monitor with VMs](../../azure-monitor/vm/vminsights-enable-policy.md).
-* Learn more about the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, or manage it by using Azure Automation runbooks or features like Update Management. This agent is also required to use other Azure services, such as [Azure Security Center](../../security-center/security-center-introduction.md).
+* Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, or manage it by using Azure Automation runbooks or features like Update Management. This agent is also required to use other Azure services, such as [Azure Security Center](../../security-center/security-center-introduction.md).
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/onboard-service-principal.md
@@ -136,6 +136,6 @@ After you install the agent and configure it to connect to Azure Arc enabled ser
* Troubleshooting information can be found in the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md). -- Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/insights/vminsights-enable-policy.md), and much more.
+- Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
-- Learn more about the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
+- Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-windows-admin-center https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/onboard-windows-admin-center.md
@@ -62,6 +62,6 @@ After you install the agent and configure it to connect to Azure Arc enabled ser
* Troubleshooting information can be found in the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md).
-* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/insights/vminsights-enable-policy.md), and much more.
+* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
-* Learn more about the [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
+* Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
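Review bot: The updated Azure Policy bullet labels the `vm/vminsights-enable-policy.md` link "Azure Monitor with VMs", while the overview.md change in this same update labels the sibling `vm/vminsights-overview.md` link "Azure Monitor for VMs". Since the line is being edited anyway, use one name for the feature in both places. The same bullet also mixes "verifying the machine is reporting" with "enable monitoring"; "enabling monitoring" would keep the list parallel.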
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/overview.md
@@ -10,7 +10,7 @@
Azure Arc enabled servers allows you to manage your Windows and Linux machines hosted outside of Azure, on your corporate network, or other cloud provider consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID, is included in a resource group, and benefits from standard Azure constructs such as Azure Policy and applying tags. Service providers who manage a customer's on-premises infrastructure can manage their hybrid machines, just like they do today with native Azure resources, across multiple customer environments, using [Azure Lighthouse](../../lighthouse/how-to/manage-hybrid-infrastructure-arc.md) with Azure Arc.
-To deliver this experience with your hybrid machines hosted outside of Azure, the Azure Connected Machine agent needs to be installed on each machine that you plan on connecting to Azure. This agent does not deliver any other functionality, and it doesn't replace the Azure [Log Analytics agent](../../azure-monitor/platform/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
+To deliver this experience with your hybrid machines hosted outside of Azure, the Azure Connected Machine agent needs to be installed on each machine that you plan on connecting to Azure. This agent does not deliver any other functionality, and it doesn't replace the Azure [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
## Supported scenarios
@@ -20,7 +20,7 @@ When you connect your machine to Azure Arc enabled servers, it enables the abili
- Report on configuration changes about installed software, Microsoft services, Windows registry and files, and Linux daemons on monitored servers using Azure Automation [Change Tracking and Inventory](../../automation/change-tracking/overview.md). -- Monitor your connected machine guest operating system performance, and discover application components to monitor their processes and dependencies with other resources the application communicates using [Azure Monitor for VMs](../../azure-monitor/insights/vminsights-overview.md).
+- Monitor your connected machine guest operating system performance, and discover application components to monitor their processes and dependencies with other resources the application communicates using [Azure Monitor for VMs](../../azure-monitor/vm/vminsights-overview.md).
- Simplify deployment with other Azure services like Azure Automation [State Configuration](../../automation/automation-dsc-overview.md) and Azure Monitor Log Analytics workspace using the supported [Azure VM extensions](manage-vm-extensions.md) for your non-Azure Windows or Linux machine. This includes performing post-deployment configuration or software installation using the Custom Script Extension.
@@ -31,7 +31,7 @@ When you connect your machine to Azure Arc enabled servers, it enables the abili
- Include your non-Azure servers for threat detection and proactively monitor for potential security threats using [Azure Security Center](../../security-center/security-center-introduction.md).
-Log data collected and stored in a Log Analytics workspace from the hybrid machine now contains properties specific to the machine, such as a Resource ID. This can be used to support [resource-context](../../azure-monitor/platform/design-logs-deployment.md#access-mode) log access.
+Log data collected and stored in a Log Analytics workspace from the hybrid machine now contains properties specific to the machine, such as a Resource ID. This can be used to support [resource-context](../../azure-monitor/logs/design-logs-deployment.md#access-mode) log access.
[!INCLUDE [azure-lighthouse-supported-service](../../../includes/azure-lighthouse-supported-service.md)]
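Review bot: The resource-context link on the changed line keeps its `#access-mode` fragment while the file moves from `platform/design-logs-deployment.md` to `logs/design-logs-deployment.md`. A path-only rewrite does not show that the heading anchor survived the move, so confirm `#access-mode` still resolves in the new file. If it does not, readers following the link for resource-context log access land at the top of the page instead of the relevant section.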
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/scenario-onboard-azure-sentinel https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/scenario-onboard-azure-sentinel.md
@@ -13,7 +13,7 @@ This article is intended to help you onboard your Azure Arc enabled server to [A
Before you start, make sure that you've met the following requirements: -- A [Log Analytics workspace](../../azure-monitor/platform/data-platform-logs.md). For more information about Log Analytics workspaces, see [Designing your Azure Monitor Logs deployment](../../azure-monitor/platform/design-logs-deployment.md).
+- A [Log Analytics workspace](../../azure-monitor/logs/data-platform-logs.md). For more information about Log Analytics workspaces, see [Designing your Azure Monitor Logs deployment](../../azure-monitor/logs/design-logs-deployment.md).
- Azure Sentinel [enabled in your subscription](../../sentinel/quickstart-onboard.md).
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/troubleshoot-vm-extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/troubleshoot-vm-extensions.md
@@ -33,7 +33,7 @@ The following troubleshooting steps apply to all VM extensions.
- The Log Analytics agent version 1.13.9 (corresponding extension version is 1.13.15) is not correctly marking uploaded data with the resource ID of the Azure Arc enabled server. Although logs are being sent to the service, when you try to view the data from the selected enabled server after selecting **Logs** or **Insights**, no data is returned. You can view its data by running queries from Azure Monitor Logs or from Azure Monitor for VMs, which are scoped to the workspace. -- Some distributions are not currently supported by the Log Analytics agent for Linux. The agent requires additional dependencies to be installed, including Python 2. Review the support matrix and prerequisites [here](../../azure-monitor/platform/agents-overview.md#supported-operating-systems).
+- Some distributions are not currently supported by the Log Analytics agent for Linux. The agent requires additional dependencies to be installed, including Python 2. Review the support matrix and prerequisites [here](../../azure-monitor/agents/agents-overview.md#supported-operating-systems).
- Error code 52 in the status message indicates a missing dependency. Check the output and logs for more information about which dependency is missing.
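Review bot: On the changed bullet the link text is still "here" (`[here](../../azure-monitor/agents/agents-overview.md#supported-operating-systems)`), which says nothing about the destination. While the line is being touched, name the target in the link text, for example "Review the supported operating systems and prerequisites", and check that the `#supported-operating-systems` fragment still resolves after the move from `platform/` to `agents/`.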
azure-australia https://docs.microsoft.com/en-us/azure/azure-australia/gateway-log-audit-visibility https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-australia/gateway-log-audit-visibility.md
@@ -109,7 +109,7 @@ When implementing the components listed in this article, the following general g
|Australian Regulatory and Policy Compliance Documents|[https://aka.ms/au-irap](https://aka.ms/au-irap)| |Azure products - Australian regions and non-regional|[https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast](https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast)| |Microsoft Azure Security and Audit Log Management Whitepaper|[https://download.microsoft.com/download/B/6/C/B6C0A98B-D34A-417C-826E-3EA28CDFC9DD/AzureSecurityandAuditLogManagement_11132014.pdf](https://download.microsoft.com/download/B/6/C/B6C0A98B-D34A-417C-826E-3EA28CDFC9DD/AzureSecurityandAuditLogManagement_11132014.pdf)|
-|Microsoft Monitoring Agent Configuration|[https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent](../azure-monitor/platform/log-analytics-agent.md)|
+|Microsoft Monitoring Agent Configuration|[https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent](../azure-monitor/agents/log-analytics-agent.md)|
| ## Component guidance
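Review bot: In the "Microsoft Monitoring Agent Configuration" row only the link target moves to `../azure-monitor/agents/log-analytics-agent.md`; the visible link text still reads `https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent`. The displayed URL and the actual destination now disagree, and anyone copying the displayed URL gets the old `platform/` path. Update the link text to the `agents/` path as well, or replace it with a descriptive title.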
@@ -184,8 +184,8 @@ Virtual Machines are end points that send and receive network communications, pr
|Resources|Link| ||| |Virtual Machines|[https://docs.microsoft.com/azure/virtual-machines](../virtual-machines/index.yml)|
-|Collect Data from