Updates from: 02/17/2022 02:07:34
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Boolean Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/boolean-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides examples for using the boolean claims transformations of t
## AndClaims
-Computes an `And` operation of two boolean input claims, and sets the output claim with result of the operation.
+Computes an `And` operation of two boolean input claims, and sets the output claim with result of the operation. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/boolean#andclaims) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | |-| | - | -- |
The following claims transformation demonstrates how to `And` two boolean claims
## AssertBooleanClaimIsEqualToValue
-Checks that boolean values of two claims are equal, and throws an exception if they are not.
+Checks that boolean values of two claims are equal, and throws an exception if they aren't. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/boolean#assertbooleanclaimisequaltovalue) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | | - | -- |
Checks that boolean values of two claims are equal, and throws an exception if t
The **AssertBooleanClaimIsEqualToValue** claims transformation is always executed from a [validation technical profile](validation-technical-profile.md) that is called by a [self-asserted technical profile](self-asserted-technical-profile.md). The **UserMessageIfClaimsTransformationBooleanValueIsNotEqual** self-asserted technical profile metadata controls the error message that the technical profile presents to the user. The error messages can be [localized](localization-string-ids.md#claims-transformations-error-messages).
-![AssertStringClaimsAreEqual execution](./media/boolean-transformations/assert-execution.png)
+![Diagram shows how to use the AssertStringClaimsAreEqual claims transformation.](./media/boolean-transformations/assert-execution.png)
### Example of AssertBooleanClaimIsEqualToValue
The self-asserted technical profile calls the validation `Example-AssertBoolean`
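Review bot: the new alt text names AssertStringClaimsAreEqual, but this section documents AssertBooleanClaimIsEqualToValue (the image lives under ./media/boolean-transformations/), so the wrong transformation is being described to screen-reader users; suggest "Diagram shows how to use the AssertBooleanClaimIsEqualToValue claims transformation." while the line is being touched.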
## CompareBooleanClaimToValue
-Checks that boolean value of a claim is equal to `true` or `false`, and return the result of the compression.
+Checks that boolean value of a claim is equal to `true` or `false`, and return the result of the compression. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/boolean#comparebooleanclaimtovalue) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | | - | -- |
The following claims transformation demonstrates how to check the value of a boo
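Review bot: the added line carries over two wording errors from the removed one: "compression" should be "comparison" and "return" should be "returns". Suggested text: "Checks that the boolean value of a claim is equal to `true` or `false`, and returns the result of the comparison."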
## NotClaims
-Computes a `Not` operation of the boolean input claim and sets the output claim with result of the operation.
+Computes a `Not` operation of the boolean input claim and sets the output claim with result of the operation. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/boolean#notclaims) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following claims transformation demonstrates how to perform logical negation
## OrClaims
-Computes an `Or` of two boolean claims and sets the output claim with result of the operation.
+Computes an `Or` of two boolean claims and sets the output claim with result of the operation. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/boolean#orclaims) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following claims transformation demonstrates how to `Or` two boolean claims.
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/boolean) on the Azure AD B2C community GitHub repo
active-directory-b2c Claim Resolver Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/claim-resolver-overview.md
Previously updated : 1/11/2022 Last updated : 02/16/2022
The following table lists the claim resolvers with information about the languag
| {Culture:RegionName} | The two letter ISO code for the region. | US | | {Culture:RFC5646} | The RFC5646 language code. | en-US |
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-resolver#culture) of the culture claim resolvers.
+ ## Policy The following table lists the claim resolvers with information about the policy used in the authorization request:
The following table lists the claim resolvers with information about the policy
| {Policy:TenantObjectId} | The tenant object ID of the relying party policy. | 00000000-0000-0000-0000-000000000000 | | {Policy:TrustFrameworkTenantId} | The tenant ID of the trust framework. | your-tenant.onmicrosoft.com |
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-resolver#policy) of the policy claim resolvers.
## Context
The following table lists the contextual claim resolvers of the authorization re
| {Context:IPAddress} | The user IP address. | 11.111.111.11 | | {Context:KMSI} | Indicates whether [Keep me signed in](session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) checkbox is selected. | true |
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-resolver#context) of the context claim resolvers.
+ ## Claims This section describes how to get a claim value as a claim resolver.
The following table lists the claim resolvers with information about the OpenID
| {OIDC:Scope} |The `scope` query string parameter. | openid | | {OIDC:Username}| The [resource owner password credentials flow](add-ropc-policy.md) user's username.| emily@contoso.com|
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-resolver#openid-connect-relying-party-application) of the OpenID Connect claim resolvers.
+ ## OAuth2 key-value parameters Any parameter name included as part of an OIDC or OAuth2 request can be mapped to a claim in the user journey. For example, the request from the application might include a query string parameter with a name of `app_session`, `loyalty_number`, or any custom query string.
The following table lists the claim resolvers with information about the SAML a
| {SAML:Subject} | The `Subject` from the NameId element of the SAML AuthN request.| | {SAML:Binding} | The `ProtocolBinding` attribute value, from the `AuthnRequest` element of the SAML request. | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-resolver#saml-service-provider) of the SAML claim resolvers.
+ ## OAuth2 identity provider The following table lists the [OAuth2 identity provider](oauth2-technical-profile.md) claim resolvers:
To use the OAuth2 identity provider claim resolvers, set the output claim's `Par
</ClaimsProvider> ``` - ## Using claim resolvers You can use claims resolvers with the following elements:
In a [Relying party](relyingparty.md) policy technical profile, you may want to
</TechnicalProfile> </RelyingParty> ```+
+## Next steps
+
+- Find more [claims resolvers samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-resolver) on the Azure AD B2C community GitHub repo
active-directory-b2c Claimsschema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/claimsschema.md
Previously updated : 03/05/2020 Last updated : 02/16/2022
The Identity Experience Framework renders the email address claim with email for
Azure AD B2C supports a variety of user input types, such as a textbox, password, and dropdown list that can be used when manually entering claim data for the claim type. You must specify the **UserInputType** when you collect information from the user by using a [self-asserted technical profile](self-asserted-technical-profile.md) and [display controls](display-controls.md).
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims#user-input-types) of the user input type.
+ The **UserInputType** element available user input types: | UserInputType | Supported ClaimType | Description |
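Review bot: the sentence introducing the table has no verb ("The **UserInputType** element available user input types:"); suggest "The **UserInputType** element supports the following user input types:" since the table header directly below lists UserInputType, Supported ClaimType and Description.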
active-directory-b2c Date Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/date-transformations.md
Previously updated : 1/17/2022 Last updated : 02/16/2022
This article provides examples for using the date claims transformations of the
## AssertDateTimeIsGreaterThan
-Asserts that one date is later than a second date. Determines whether the `rightOperand` is greater than the `leftOperand`. If yes, throws an exception.
+Asserts that one date is later than a second date. Determines whether the `rightOperand` is greater than the `leftOperand`. If yes, throws an exception. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/date#assertdatetimeisgreaterthan) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Asserts that one date is later than a second date. Determines whether the `right
The **AssertDateTimeIsGreaterThan** claims transformation is always executed from a [validation technical profile](validation-technical-profile.md) that is called by a [self-asserted technical profile](self-asserted-technical-profile.md). The **DateTimeGreaterThan** self-asserted technical profile metadata controls the error message that the technical profile presents to the user. The error messages can be [localized](localization-string-ids.md#claims-transformations-error-messages).
-![AssertStringClaimsAreEqual execution](./media/date-transformations/assert-execution.png)
+![Diagrams shows how to use the AssertStringClaimsAreEqual claims transformation.](./media/date-transformations/assert-execution.png)
### Example of AssertDateTimeIsGreaterThan
The self-asserted technical profile calls the validation `Example-AssertDates` t
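Review bot: the new alt text has two problems: "Diagrams shows" should be "Diagram shows", and it names AssertStringClaimsAreEqual although this section documents AssertDateTimeIsGreaterThan (image path ./media/date-transformations/assert-execution.png). Suggest "Diagram shows how to use the AssertDateTimeIsGreaterThan claims transformation."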
## ConvertDateTimeToDateClaim
-Converts a `DateTime` claim type to a `Date` claim type. The claims transformation removes the time format from the date.
+Converts a `DateTime` claim type to a `Date` claim type. The claims transformation removes the time format from the date. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/date#convertdatetimetodateclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example demonstrates the conversion of the claim `systemDateTime`
## ConvertDateToDateTimeClaim
-Converts a `Date` claim type to a `DateTime` claim type. The claims transformation converts the time format and adds 12:00:00 AM to the date.
+Converts a `Date` claim type to a `DateTime` claim type. The claims transformation converts the time format and adds 12:00:00 AM to the date. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/date#convertdatetodatetimeclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example demonstrates the conversion of the claim `dateOfBirth` (da
## DateTimeComparison
-Compares two dates and determines whether the first date is later, earlier, or equal to another. The result is a new Boolean claim with a value of `true` or `false`.
+Compares two dates and determines whether the first date is later, earlier, or equal to another. The result is a new Boolean claim with a value of `true` or `false`. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/date#datetimecomparison) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to determine if first date plus the `timeSpanInSe
- **operator**: later than - **timeSpanInSeconds**: 7776000 (90 days) - Output claims:
- - **result**: true
+ - **result**: true
## IsTermsOfUseConsentRequired
-Determine whether a `dateTime` claim type is earlier or greater than a specific date. The result is a new Boolean claim with a value of `true` or `false`.
+Determine whether a `dateTime` claim type is earlier or greater than a specific date. The result is a new Boolean claim with a value of `true` or `false`. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/date#istermsofuseconsentrequired) of this claims transformation.
| Item | TransformationClaimType | Data type | Notes | | - | -- | | -- |
-| InputClaim | termsOfUseConsentDateTime | dateTime | The `dateTime` claim type to check whether it is earlier or later than the `termsOfUseTextUpdateDateTime` input parameter. Undefined value returns `true` result. |
-| InputParameter | termsOfUseTextUpdateDateTime | dateTime | The `dateTime` claim type to check whether it is earlier or later than the `termsOfUseConsentDateTime` input claim. The time part of the date is optional. |
+| InputClaim | termsOfUseConsentDateTime | dateTime | The `dateTime` claim type to check whether it's earlier or later than the `termsOfUseTextUpdateDateTime` input parameter. Undefined value returns `true` result. |
+| InputParameter | termsOfUseTextUpdateDateTime | dateTime | The `dateTime` claim type to check whether it's earlier or later than the `termsOfUseConsentDateTime` input claim. The time part of the date is optional. |
| OutputClaim | result | boolean | The claim type that's produced after this claims transformation has been invoked. | Use this claims transformation to determine whether a `dateTime` claim type is earlier or greater than a specific date. For example, check whether a user has consented to the latest version of your terms of use (TOU) or terms of service. To check the last time a user consented, store the last time the user accepted the TOU in an [extension attribute](user-profile-attributes.md#extension-attributes). When your TOU wording changes, update the `termsOfUseTextUpdateDateTime` input parameter with the time of the change. Then, call this claims transformation to compare the dates. If the claims transformation returns `true`, the `termsOfUseConsentDateTime` value is earlier than the `termsOfUseTextUpdateDateTime` value, and you can ask the user to accept the updated TOU.
Use this claims transformation to determine whether a `dateTime` claim type is e
### IsTermsOfUseConsentRequired example - Input claims:
- - **termsOfUseConsentDateTime**: 2020-03-09T09:15:00
-- Input parameters:
- - **termsOfUseTextUpdateDateTime**: 2021-11-15
-- Output claims:
- - **result**: true
+ - **termsOfUseConsentDateTime**: 2020-03-09T09:15:00
+- Input parameters:
+ - **termsOfUseTextUpdateDateTime**: 2021-11-15
+- Output claims:
+ - **result**: true
## GetCurrentDateTime
-Get the current UTC date and time and add the value to a claim type.
+Get the current UTC date and time and add the value to a claim type. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/date#getcurrentdatetime) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example shows how to get the current data and time:
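Review bot: the trailing context line of this hunk reads "get the current data and time"; since the section is already being edited, fix it to "get the current date and time" in the same change.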
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/date) on the Azure AD B2C community GitHub repo
active-directory-b2c General Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/general-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides examples for using general claims transformations of the A
## CopyClaim
-Copy value of a claim to another. Both claims must be from the same type.
+Copy value of a claim to another. Both claims must be from the same type. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/general#copyclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to copy a value from a string or numeric claim, t
## DoesClaimExist
-Checks if the input claim exists, and sets output claim to `true` or `false` accordingly.
+Checks if the input claim exists, and sets output claim to `true` or `false` accordingly. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/general#doesclaimexist) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to check if a claim exists or contains any value.
## Hash
-Hash the provided plain text using the salt and a secret. The hashing algorithm used is SHA-256.
+Hash the provided plain text using the salt and a secret. The hashing algorithm used is SHA-256. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/general#hash) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example demonstrates how to hash an email address. The claims tran
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/general) on the Azure AD B2C community GitHub repo
active-directory-b2c Integer Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/integer-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides examples for using the integer claims transformations of t
## AdjustNumber
-Increases or decreases a numeric claim and return a new claim.
+Increases or decreases a numeric claim and return a new claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/integer#adjustnumber) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
If the input claim is null, the output claim will be one.
## AssertNumber
-Determines whether a numeric claim is greater, lesser, equal, or not equal to a number.
+Determines whether a numeric claim is greater, lesser, equal, or not equal to a number. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/integer#assertnumber) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
-| InputClaim | inputClaim | int | The first numeric claim to compare whether it is greater, lesser, equal, or not equal than the second number. Null value throws an exception. |
-| InputParameter | CompareToValue | int | The second number to compare whether it is greater, lesser, equal, or not equal than the first number. |
-| InputParameter | Operator | string | Possible values: `LESSTHAN`, `GREATERTHAN`, `GREATERTHANOREQUAL`, `LESSTHANOREQUAL`, `EQUAL`, `NOTEQUAL`. |
+| InputClaim | inputClaim | int | The first numeric claim to compare whether it's greater, lesser, equal, or not equal than the second number. Null value throws an exception. |
+| InputParameter | CompareToValue | int | The second number to compare whether it's greater, lesser, equal, or not equal than the first number. |
+| InputParameter | Operator | string | Possible values: `LessThan`, `GreaterThan`, `GreaterThanOrEqual`, `LessThanOrEqual`, `Equal`, `NotEqual`. |
| InputParameter | throwError | boolean | Specifies whether this assertion should throw an error if the comparison result is `true`. Possible values: `true` (default), or `false`. <br />&nbsp;<br />When set to `true` (Assertion mode), and the comparison result is `true`, an exception will be thrown. When set to `false` (Evaluation mode), the result is a new boolean claim type with a value of `true`, or `false`.| | OutputClaim | outputClaim | boolean | If `ThrowError` is set to `false`, this output claim contains `true`, or `false` according to the comparison result. |
The following example asserts the number of attempts is over five. The claims t
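Review bot: the Operator values move from all-caps (`GREATERTHAN`) to PascalCase (`GreaterThan`) in the table and in every example below, but the OutputClaim row on the same table still calls the parameter `ThrowError` while the InputParameter row and the XML examples use `throwError`; align that to `throwError` in this change. Since the all-caps spellings were the documented values until now, also confirm that the samples in the live demo linked above run with the new casing before merging, otherwise readers copying the table will get a failing policy.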
<InputClaim ClaimTypeReferenceId="attempts" TransformationClaimType="inputClaim" /> </InputClaims> <InputParameters>
- <InputParameter Id="Operator" DataType="string" Value="GREATERTHAN" />
+ <InputParameter Id="Operator" DataType="string" Value="GreaterThan" />
<InputParameter Id="CompareToValue" DataType="int" Value="5" /> <InputParameter Id="throwError" DataType="boolean" Value="true" /> </InputParameters>
The following example asserts the number of attempts is over five. The claims t
- Input claims: - **inputClaim**: 10 - Input parameters:
- - **Operator**: GREATERTHAN
+ - **Operator**: GreaterThan
- **CompareToValue**: 5 - **throwError**: true - Result: Error thrown ### Example of AssertNumber evaluation mode
-The following example evaluates whether the number of attempts is over five. The output claim contains a boolean value according to the comparison result. The claims transformation will not throw an error.
+The following example evaluates whether the number of attempts is over five. The output claim contains a boolean value according to the comparison result. The claims transformation won't throw an error.
```xml <ClaimsTransformation Id="isOverLimit" TransformationMethod="AssertNumber">
The following example evaluates whether the number of attempts is over five. The
<InputClaim ClaimTypeReferenceId="attempts" TransformationClaimType="inputClaim" /> </InputClaims> <InputParameters>
- <InputParameter Id="Operator" DataType="string" Value="GREATERTHAN" />
+ <InputParameter Id="Operator" DataType="string" Value="GreaterThan" />
<InputParameter Id="CompareToValue" DataType="int" Value="5" /> <InputParameter Id="throwError" DataType="boolean" Value="false" /> </InputParameters>
The following example evaluates whether the number of attempts is over five. The
- Input claims: - **inputClaim**: 10 - Input parameters:
- - **Operator**: GREATERTHAN
+ - **Operator**: GreaterThan
- **CompareToValue**: 5 - **throwError**: false - Output claims:
The following example evaluates whether the number of attempts is over five. The
## ConvertNumberToStringClaim
-Converts a long data type into a string data type.
+Converts a long data type into a string data type. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/integer#convertnumbertostringclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
In this example, the `numericUserId` claim with a value type of long is converte
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/integer) on the Azure AD B2C community GitHub repo
active-directory-b2c Json Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/json-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides examples for using the JSON claims transformations of the
## CreateJsonArray
-Create a JSON single element array from a claim value.
+Create a JSON single element array from a claim value. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#createjsonarray) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example creates a JSON single array.
Use either claim values or constants to generate a JSON string. The path string following dot notation is used to indicate where to insert the data into a JSON string. After splitting by dots, any integers are interpreted as the index of a JSON array and non-integers are interpreted as the index of a JSON object.
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#generatejson) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputClaim | Any string following dot notation | string | The JsonPath of the JSON where the claim value will be inserted into. |
The following claims transformation outputs a JSON string claim that will be the
## GetClaimFromJson
-Get a specified element from a JSON data.
+Get a specified element from a JSON data. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#getclaimfromjson) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The GetClaimFromJson claims transformation gets a single element from a JSON dat
## GetClaimsFromJsonArray
-Get a list of specified elements from Json data.
+Get a list of specified elements from Json data. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#getclaimsfromjsonarray) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
In the following example, the claims transformation extracts the following claim
## GetNumericClaimFromJson
-Gets a specified numeric (long) element from a JSON data.
+Gets a specified numeric (long) element from a JSON data. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#getnumericclaimfromjson) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
In the following example, the claims transformation extracts the `id` element fr
## GetSingleItemFromJson
-Gets the first element from a JSON data.
+Gets the first element from a JSON data. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#getsingleitemfromjson) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
In the following example, the claims transformation extracts the first element (
## GetSingleValueFromJsonArray
-Gets the first element from a JSON data array.
+Gets the first element from a JSON data array. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#getsinglevaluefromjsonarray) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
In the following example, the claims transformation extracts the first element (
## XmlStringToJsonString
-Convert XML data to JSON format.
+Convert XML data to JSON format. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#xmlstringtojsonstring) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Output claim:
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json) on the Azure AD B2C community GitHub repo
active-directory-b2c Phone Number Claims Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/phone-number-claims-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides reference and examples for using the phone number claims t
## ConvertPhoneNumberClaimToString
-Converts a `phoneNumber` data type into a `string` data type.
+Converts a `phoneNumber` data type into a `string` data type. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/phoneNumber#convertphonenumberclaimtostring) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
In this example, the cellPhoneNumber claim with a value type of `phoneNumber` is
## ConvertStringToPhoneNumberClaim
-Validates the format of a phone number. If valid, change it to a standard format used by Azure AD B2C. If the provided phone number is not in a valid format, an error message is returned.
+Validates the format of a phone number. If valid, change it to a standard format used by Azure AD B2C. If the provided phone number isn't in a valid format, an error message is returned. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/phoneNumber#convertstringtophonenumberclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example checks that the **phoneString** claim is indeed a valid ph
### Example of ConvertStringToPhoneNumberClaim without country code claim
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/phoneNumber#convertstringtophonenumberclaim-without-country-code-claim) of this mode of the claims transformation.
+ - Input claims: - **phoneNumberString**: +1 (123) 456-7890 - Output claims:
The following example checks that the **phoneString** claim is indeed a valid ph
The self-asserted technical profile that calls the validation technical profile that contains this claims transformation can define the error message. ```xml
-<TechnicalProfile Id="SelfAsserted-LocalAccountSignup-Phone">
+<TechnicalProfile Id="SelfAsserted-LocalAccountSignUp-Phone">
<Metadata> <Item Key="UserMessageIfClaimsTransformationInvalidPhoneNumber">Custom error message if the phone number is not valid.</Item> </Metadata>
The self-asserted technical profile that calls the validation technical profile
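Review bot: the technical profile Id changes from `SelfAsserted-LocalAccountSignup-Phone` to `SelfAsserted-LocalAccountSignUp-Phone`, but only this one occurrence is in the hunk; any other reference to this Id in the article (a user journey step or a ValidationTechnicalProfile ReferenceId) must receive the same rename, because a reference must match the Id string to resolve.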
## GetNationalNumberAndCountryCodeFromPhoneNumberString
-Extracts the country/region code and the national number from the input claim, and optionally throws an exception if the supplied phone number is not valid.
+Extracts the country/region code and the national number from the input claim, and optionally throws an exception if the supplied phone number isn't valid. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/phoneNumber#getnationalnumberandcountrycodefromphonenumberstring) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputClaim | phoneNumber | string | The string claim of the phone number. The phone number has to be in international format, complete with a leading "+" and country/region code. |
-| InputParameter | throwExceptionOnFailure | boolean | [Optional] A parameter indicating whether an exception is thrown when the phone number is not valid. Default value is false. |
+| InputParameter | throwExceptionOnFailure | boolean | [Optional] A parameter indicating whether an exception is thrown when the phone number isn't valid. Default value is false. |
| InputParameter | countryCodeType | string | [Optional] A parameter indicating the type of country/region code in the output claim. Available values are **CallingCode** (the international calling code for a country/region, for example +1) or **ISO3166** (the two-letter ISO-3166 country/region code). | | OutputClaim | nationalNumber | string | The string claim for the national number of the phone number. | | OutputClaim | countryCode | string | The string claim for the country/region code of the phone number. |
If the **GetNationalNumberAndCountryCodeFromPhoneNumberString** claims transform
![Diagram of error message execution path](./media/phone-authentication/assert-execution.png)
-You can use this claims transformation to split a full phone number into the country/region code and the national number. If the phone number provided is not valid, you can choose to throw an error message.
+You can use this claims transformation to split a full phone number into the country/region code and the national number. If the phone number provided isn't valid, you can choose to throw an error message.
### Example of GetNationalNumberAndCountryCodeFromPhoneNumberString
-The following example tries to split the phone number into national number and country/region code. If the phone number is valid, the phone number will be overridden by the national number. If the phone number is not valid, an exception will not be thrown and the phone number still has its original value.
+The following example tries to split the phone number into national number and country/region code. If the phone number is valid, the phone number will be overridden by the national number. If the phone number isn't valid, an exception won't be thrown and the phone number still has its original value.
```xml <ClaimsTransformation Id="GetNationalNumberAndCountryCodeFromPhoneNumberString" TransformationMethod="GetNationalNumberAndCountryCodeFromPhoneNumberString">
The self-asserted technical profile that calls the validation technical profile
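Review bot: the example paragraph says that with an invalid number no exception is thrown and the claim keeps its original value, but it stops short of the consequence: later steps then receive an unparsed string in `phoneNumber` with nothing signalling that the split failed. Worth adding one sentence that a policy which goes on to use the number for verification should set `throwExceptionOnFailure` to `true` rather than rely on the documented default of `false`.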
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/phoneNumber) on the Azure AD B2C community GitHub repo
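Review bot: the Next steps link target is narrowed from the claims-transformation root to the `phoneNumber` folder, but the link text still reads "claims transformation samples"; either keep the root link or change the text to "phone number claims transformation samples" so it describes where the link goes.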
active-directory-b2c Social Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/social-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides examples for using the social account claims transformatio
## AddItemToAlternativeSecurityIdCollection
-Adds an `AlternativeSecurityId` to an `alternativeSecurityIdCollection` claim.
+Adds an `AlternativeSecurityId` to an `alternativeSecurityIdCollection` claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/social#additemtoalternativesecurityidcollection) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Adds an `AlternativeSecurityId` to an `alternativeSecurityIdCollection` claim.
The following example links a new social identity with an existing account. To link a new social identity: 1. In the **AAD-UserReadUsingAlternativeSecurityId** and **AAD-UserReadUsingObjectId** technical profiles, output the user's **alternativeSecurityIds** claim.
-1. Ask the user to sign in with one of the identity providers that are not associated with this user.
+1. Ask the user to sign in with one of the identity providers that aren't associated with this user.
1. Using the **CreateAlternativeSecurityId** claims transformation, create a new **alternativeSecurityId** claim type with a name of `AlternativeSecurityId2` 1. Call the **AddItemToAlternativeSecurityIdCollection** claims transformation to add the **AlternativeSecurityId2** claim to the existing **AlternativeSecurityIds** claim. 1. Persist the **alternativeSecurityIds** claim to the user account
The following example links a new social identity with an existing account. To l
``` - Input claims:
- - **item**: { "issuer": "facebook.com", "issuerUserId": "MTIzNDU=" }
- - **collection**: [ { "issuer": "live.com", "issuerUserId": "MTA4MTQ2MDgyOTI3MDUyNTYzMjcw" } ]
+ - **item**:
+
+ ```json
+ {
+ "issuer": "facebook.com",
+ "issuerUserId": "MTIzNDU="
+ }
+ ```
+
+ - **collection**:
+
+ ```json
+ [
+ {
+ "issuer": "live.com",
+ "issuerUserId": "MTA4MTQ2MDgyOTI3MDUyNTYzMjcw"
+ }
+ ]
+ ```
+
- Output claims:
- - **collection**: [ { "issuer": "live.com", "issuerUserId": "MTA4MTQ2MDgyOTI3MDUyNTYzMjcw" }, { "issuer": "facebook.com", "issuerUserId": "MTIzNDU=" } ]
+ - **collection**:
+
+ ```json
+ [
+ {
+ "issuer": "live.com",
+ "issuerUserId": "MTA4MTQ2MDgyOTI3MDUyNTYzMjcw"
+ },
+ {
+ "issuer": "facebook.com",
+ "issuerUserId": "MTIzNDU="
+ }
+ ]
+ ```
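Review bot: the linking procedure above mixes casings for one identifier, `alternativeSecurityIds` in steps 1 and 5 and `AlternativeSecurityIds` in step 4; claim type names are identifiers, so pick one casing. Steps 3 and 5 also lack a terminating period ("with a name of `AlternativeSecurityId2`" and "to the user account"), which was not touched while the example JSON was reformatted.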
## CreateAlternativeSecurityId
-Creates a JSON representation of the userΓÇÖs alternativeSecurityId property that can be used in the calls to Azure Active Directory. For more information, see the [AlternativeSecurityId](/graph/api/resources/alternativesecurityid) schema.
+Creates a JSON representation of the userΓÇÖs alternativeSecurityId property that can be used in the calls to Azure Active Directory. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/social#createalternativesecurityid) of this claims transformation. For more information, see the [AlternativeSecurityId](/graph/api/resources/alternativesecurityid) schema.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to generate a `alternativeSecurityId` claim. It's
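Review bot: the new "Check out the Live demo" sentence is inserted between the description and "For more information, see the AlternativeSecurityId schema", which separates the schema reference from the sentence it supports; place the demo sentence last, as the other sections on this page do. Both the old and new line also render the apostrophe in "user's" as `ΓÇÖ` (a curly apostrophe read in the wrong code page); since the line is being touched, use a plain ASCII apostrophe.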
## GetIdentityProvidersFromAlternativeSecurityIdCollectionTransformation
-Returns list of issuers from the **alternativeSecurityIdCollection** claim into a new **stringCollection** claim.
+Returns list of issuers from the **alternativeSecurityIdCollection** claim into a new **stringCollection** claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/social#getidentityprovidersfromalternativesecurityidcollectiontransformation) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Returns list of issuers from the **alternativeSecurityIdCollection** claim into
### Example of GetIdentityProvidersFromAlternativeSecurityIdCollectionTransformation
-The following claims transformation reads the user **alternativeSecurityIds** claim and extracts the list of identity provider names associated with that account. Use output **identityProvidersCollection** to show the user the list of identity providers associated with the account. Or, on the identity provider selection page, filter the list of identity providers based on output **identityProvidersCollection** claim. So, user can select to link new social identity that is not already associated with the account.
+The following claims transformation reads the user **alternativeSecurityIds** claim and extracts the list of identity provider names associated with that account. Use output **identityProvidersCollection** to show the user the list of identity providers associated with the account. Or, on the identity provider selection page, filter the list of identity providers based on output **identityProvidersCollection** claim. So, user can select to link new social identity that isn't already associated with the account.
```xml <ClaimsTransformation Id="ExtractIdentityProviders" TransformationMethod="GetIdentityProvidersFromAlternativeSecurityIdCollectionTransformation">
The following claims transformation reads the user **alternativeSecurityIds** cl
``` - Input claims:
- - **alternativeSecurityIdCollection**: [ { "issuer": "google.com", "issuerUserId": "MTA4MTQ2MDgyOTI3MDUyNTYzMjcw" }, { "issuer": "facebook.com", "issuerUserId": "MTIzNDU=" } ]
+ - **alternativeSecurityIdCollection**:
+
+ ```json
+ [
+ {
+ "issuer": "google.com",
+ "issuerUserId": "MTA4MTQ2MDgyOTI3MDUyNTYzMjcw"
+ },
+ {
+ "issuer": "facebook.com",
+ "issuerUserId": "MTIzNDU="
+ }
+ ]
+ ```
+ - Output claims: - **identityProvidersCollection**: [ "facebook.com", "google.com" ] ## RemoveAlternativeSecurityIdByIdentityProvider
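Review bot: in the GetIdentityProvidersFromAlternativeSecurityIdCollectionTransformation example the input collection lists `google.com` before `facebook.com`, while the expected `identityProvidersCollection` output is `[ "facebook.com", "google.com" ]`; if the transformation preserves collection order the expected output should be `[ "google.com", "facebook.com" ]`, and if it does not, the example should say that the order of the issuers is not guaranteed.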
-Removes an **AlternativeSecurityId** from an **alternativeSecurityIdCollection** claim.
+Removes an **AlternativeSecurityId** from an **alternativeSecurityIdCollection** claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/social#removealternativesecurityidbyidentityprovider) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example unlinks one of the social identities with an existing acco
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/social) on the Azure AD B2C community GitHub repo
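Review bot: same issue as the phone-number article's Next steps: the link target is narrowed to the `social` folder while the text still reads "claims transformation samples"; keep the root link or change the text to "social account claims transformation samples".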
active-directory-b2c String Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/string-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides examples for using the string claims transformations of th
## AssertStringClaimsAreEqual
-Compares two claims, and throw an exception if they are not equal according to the specified comparison inputClaim1, inputClaim2 and stringComparison.
+Compares two claims, and throw an exception if they aren't equal according to the specified comparison inputClaim1, inputClaim2 and stringComparison.
+
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#assertstringclaimsareequal) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Compares two claims, and throw an exception if they are not equal according to t
The **AssertStringClaimsAreEqual** claims transformation is always executed from a [validation technical profile](validation-technical-profile.md) that is called by a [self-asserted technical profile](self-asserted-technical-profile.md), or a [DisplayControl](display-controls.md). The `UserMessageIfClaimsTransformationStringsAreNotEqual` metadata of a self-asserted technical profile controls the error message that is presented to the user. The error messages can be [localized](localization-string-ids.md#claims-transformations-error-messages).
-![AssertStringClaimsAreEqual execution](./media/string-transformations/assert-execution.png)
+![Diagram shows how to use the assert string claims are equal claims transformation.](./media/string-transformations/assert-execution.png)
### Example of AssertStringClaimsAreEqual
-You can use this claims transformation to make sure, two claims have the same value. If not, an error message is thrown. The following example checks that the **strongAuthenticationEmailAddress** claim is equal to **email** claim. Otherwise an error message is thrown.
+You can use this claims transformation to make sure, two claims have the same value. If not, an error message is thrown. The following example checks that the **strongAuthenticationEmailAddress** claim is equal to **email** claim. Otherwise an error message is thrown.
```xml <ClaimsTransformation Id="AssertEmailAndStrongAuthenticationEmailAddressAreEqual" TransformationMethod="AssertStringClaimsAreEqual">
The self-asserted technical profile calls the validation **login-NonInteractive*
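Review bot: the description sentence keeps the grammar error "Compares two claims, and throw an exception" in the new line; while it is being edited for the contraction, change "throw" to "throws". In the example paragraph the `+` line is identical to the `-` line except for whitespace, and the stray comma in "make sure, two claims have the same value" survives; drop the comma while the line is touched.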
## BuildUri
-Creates a time based on time password (TOTP) URI. The URI is a combination of the user's unique identifier, such as email address, and a secret key. The URI is later converted into a QR code that is presented to the user.
+Creates a time based on time password (TOTP) URI. The URI is a combination of the user's unique identifier, such as email address, and a secret key. The URI is later converted into a QR code that is presented to the user. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#builduri) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following claims transformation generates a TOTP URI that will be displayed
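Review bot: "Creates a time based on time password (TOTP) URI" is carried over unchanged into the new line; TOTP expands to time-based one-time password, so fix the wording to "Creates a time-based one-time password (TOTP) URI" while the sentence is being edited.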
## ChangeCase
-Changes the case of the provided claim to lower or upper case depending on the operator.
+Changes the case of the provided claim to lower or upper case depending on the operator. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#changecase) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following claim transformation changes the email claim to lower case.
## CompareClaims
-Determines whether one string claim is equal to another. The result is a new boolean claim with a value of `true` or `false`.
+Determines whether one string claim is equal to another. The result is a new boolean claim with a value of `true` or `false`. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#compareclaims) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to check if a claim is equal to another claim. T
## CompareClaimToValue
-Determines whether a claim value is equal to the input parameter value.
+Determines whether a claim value is equal to the input parameter value. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#compareclaimtovalue) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to check if a claim is equal to a value you speci
## CopyClaimIfPredicateMatch
-Copies value of a claim to another if the value of the input claim matches the output claim predicate.
+Copies value of a claim to another if the value of the input claim matches the output claim predicate. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#copyclaimifpredicatematch) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Copies value of a claim to another if the value of the input claim matches the o
### Example of CopyClaimIfPredicateMatch
-The following example tries to copy the signInName claim value to phoneNumber claim. In this example, the value will not be copied. The signInName claim is not in the expected format, phone number. For the complete sample, see [Phone number or email sign-in](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/scenarios/phone-number-passwordless/Phone_Email_Base.xml) starter pack policy.
+The following example tries to copy the signInName claim value to phoneNumber claim. In this example, the value won't be copied. The signInName claim isn't in the expected format, phone number. For the complete sample, see [Phone number or email sign-in](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/scenarios/phone-number-passwordless/Phone_Email_Base.xml) starter pack policy.
```xml <ClaimsTransformation Id="SetPhoneNumberIfPredicateMatch" TransformationMethod="CopyClaimIfPredicateMatch">
In this example, the claims transformation will copy the value. The signInName c
## CreateOtpSecret
-Creates a TOTP string claim. The output of this claims transformation is a TOTP secret that is later stored in the Azure AD B2C user's account and shared with the Microsoft Authenticator app. The authenticator app uses the key to generate TOTP codes when the user needs to go through MFA. Your policy uses the key to validate the TOTP code provided by the user.
+Creates a TOTP string claim. The output of this claims transformation is a TOTP secret that is later stored in the Azure AD B2C user's account and shared with the Microsoft Authenticator app. The authenticator app uses the key to generate TOTP codes when the user needs to go through MFA. Your policy uses the key to validate the TOTP code provided by the user.
+
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#createotpsecret) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | |-- | -- | | -- |
The following claims transformation creates a secret for the TOTP multi-factor a
Creates a random string using the random number generator. If the random number generator is of type `integer`, optionally a seed parameter and a maximum number may be provided. An optional string format parameter allows the output to be formatted using it, and an optional base64 parameter specifies whether the output is base64 encoded randomGeneratorType [guid, integer] outputClaim (String).
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#createrandomstring) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputParameter | randomGeneratorType | string | Specifies the random value to be generated, `GUID` (global unique ID) or `INTEGER` (a number). |
Following example generates an integer random value between 0 and 1000. The valu
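Review bot: the CreateRandomString description that precedes the new demo-link line ends with "base64 encoded randomGeneratorType [guid, integer] outputClaim (String).", which reads like parameter notes pasted into the sentence; since this paragraph is being edited, end the sentence at "base64 encoded." and let the table that follows carry the parameter details.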
## CreateStringClaim
-Creates a string claim from the provided input parameter in the transformation.
+Creates a string claim from the provided input parameter in the transformation. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#createstringclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | |-- | -- | | -- |
The following claims transformation creates a string value with terms of service
## FormatLocalizedString
-Formats multiple claims according to a provided localized format string. This transformation uses the C# `String.Format` method.
+Formats multiple claims according to a provided localized format string. This transformation uses the C# `String.Format` method. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#formatlocalizedstring) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The claims transformation creates a response message based on the localized stri
- Input parameters: - **stringFormat**: ResponseMessge_EmailExists - Output claims:
- - **outputClaim**: The email 'sarah@contoso.com' is already an account in this organization. Click Next to sign in with that account.
+ - **outputClaim**: The email 'sarah@contoso.com' is already an account in this organization. Select Next to sign in with that account.
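Review bot: the `stringFormat` input parameter in the unchanged context line is spelled `ResponseMessge_EmailExists`, which looks like a typo for `ResponseMessage_EmailExists`; a `StringId` has to match its `LocalizedString` definition exactly, so correct it in both the example XML and the input parameters list, or in neither, but not in one place only.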
## FormatStringClaim
-Formats a claim according to the provided format string. This transformation uses the C# `String.Format` method.
+Formats a claim according to the provided format string. This transformation uses the C# `String.Format` method. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#formatstringclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to format any string with one parameter {0}. The
## FormatStringMultipleClaims
-Formats two claims according to the provided format string. This transformation uses the C# `String.Format` method.
+Formats two claims according to the provided format string. This transformation uses the C# `String.Format` method. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#formatstringmultipleclaims) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to format any string with two parameters, {0} and
## GetLocalizedStringsTransformation
-Copies localized strings into claims.
+Copies localized strings into claims. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#getlocalizedstringstransformation) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Copies localized strings into claims.
To use the GetLocalizedStringsTransformation claims transformation:
-1. Define a [localization string](localization.md) and associate it with a [self-asserted-technical-profile](self-asserted-technical-profile.md).
-1. The `ElementType` of the `LocalizedString` element must be set to `GetLocalizedStringsTransformationClaimType`.
-1. The `StringId` is a unique identifier that you define, and use it later in your claims transformation.
-1. In the claims transformation, specify the list of claims to be set with the localized string. The `ClaimTypeReferenceId` is a reference to a claim already defined in the ClaimsSchema section in the policy. The `TransformationClaimType` is the name of the localized string as defined in the `StringId` of the `LocalizedString` element.
-1. In a [self-asserted technical profile](self-asserted-technical-profile.md), or a [display control](display-controls.md) input or output claims transformation, make a reference to your claims transformation.
+1. Define a [localization string](localization.md) for your [content definition](contentdefinitions.md), such as `api.selfasserted`.
+2. The `ElementType` of the `LocalizedString` element must be set to `GetLocalizedStringsTransformationClaimType`.
+3. The `StringId` is a unique identifier that you define, and use it later in your claims transformation.
+4. In the claims transformation, specify the list of claims to be set with the localized string. The `ClaimTypeReferenceId` is a reference to a claim already defined in the ClaimsSchema section in the policy. The `TransformationClaimType` is the name of the localized string as defined in the `StringId` of the `LocalizedString` element.
+5. In a [self-asserted](self-asserted-technical-profile.md), or [claims transformation](claims-transformation-technical-profile.md) technical profile's claims transformation, make a reference to your claims transformation.
+6. Associate the technical profile with the content definition, such as `api.selfasserted`. The following example shows how to associate a technical profile to the `api.selfasserted` content definition.
-![GetLocalizedStringsTransformation](./media/string-transformations/get-localized-strings-transformation.png)
+ ```xml
+ <Metadata>
+ <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
+ </Metadata>
+ ```
+
+The following diagram shows how to configure the claims transformation with the localization elements:
+
+![Diagram shows how to use the get localized strings claims transformation.](./media/string-transformations/get-localized-strings-transformation.png)
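Review bot: the rewritten step 5 drops the display-control input/output claims transformation that the previous step 5 listed as a valid place to reference this transformation, while the AssertStringClaimsAreEqual section of this article still names display controls; confirm the removal is intended or restore the display-control reference. As a style point, the list switches from the repeated "1." numbering used elsewhere in this article (and in the old version of these steps) to explicit "1." through "6."; keep one convention.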
### Example of GetLocalizedStringsTransformation
The claims transformation sets the value of the claim type *subject* with the va
## GetMappedValueFromLocalizedCollection
-Maps an element from the input claim's **Restriction** collection.
+Maps an element from the input claim's **Restriction** collection. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#getmappedvaluefromlocalizedcollection) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The claims transformation looks up the text of the item and returns its value. I
- Input claims: - **mapFromClaim**: B2C_V1_90001 - Output claims:
- - **restrictionValueClaim**: You cannot sign in because you are a minor.
+ - **restrictionValueClaim**: You canΓÇÖt sign in because you're a minor.
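Review bot: the expected `restrictionValueClaim` output changes from "You cannot sign in because you are a minor." to the contracted form, but this value is the text of the matching `LocalizedString` item in the example; if that element's text was not changed in the same way, the example output no longer matches its own input, so update both or neither. The new line also carries the apostrophe as `ΓÇÖ` (a curly apostrophe in the wrong code page); use a plain ASCII apostrophe.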
## LookupValue
-Looks up a claim value from a list of values based on the value of another claim.
+Looks up a claim value from a list of values based on the value of another claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#lookupvalue) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example looks up the domain name in one of the inputParameters col
When `errorOnFailedLookup` input parameter is set to `true`, the **LookupValue** claims transformation is always executed from a [validation technical profile](validation-technical-profile.md) that is called by a [self-asserted technical profile](self-asserted-technical-profile.md), or a [DisplayConrtol](display-controls.md). The `LookupNotFound` metadata of a self-asserted technical profile controls the error message that is presented to the user.
-![AssertStringClaimsAreEqual execution](./media/string-transformations/assert-execution.png)
+![Diagram shows how to use the lookup value claims transformation.](./media/string-transformations/assert-execution.png)
The following example looks up the domain name in one of the inputParameters collections. The claims transformation looks up the domain name in the identifier and returns its value (an application ID), or raises an error message.
The following example looks up the domain name in one of the inputParameters col
- **test.com**: c7026f88-4299-4cdb-965d-3f166464b8a9 - **errorOnFailedLookup**: true - Error:
- - No match found for the input claim value in the list of input parameter ids and errorOnFailedLookup is true.
+ - No match found for the input claim value in the list of input parameter IDs and errorOnFailedLookup is true.
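Review bot: the alt text now says "Diagram shows how to use the lookup value claims transformation", but the image file is still `./media/string-transformations/assert-execution.png`, the same file used for AssertStringClaimsAreEqual above; confirm that image actually shows LookupValue, or keep a generic alt text for the shared diagram. The context paragraph above also misspells "DisplayControl" as `DisplayConrtol` in a link, which could be fixed in the same commit.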
## NullClaim
-Cleans the value of a given claim.
+Cleans the value of a given claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#nullclaim) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claim transformation to remove unnecessary data from the claims propert
``` - Input claims:
- - **outputClaim**: Welcome to Contoso App. If you continue to browse and use this website, you are agreeing to comply with and be bound by the following terms and conditions...
+ - **outputClaim**: Welcome to Contoso App. If you continue to browse and use this website, you're agreeing to comply with and be bound by the following terms and conditions...
- Output claims: - **outputClaim**: NULL ## ParseDomain
-Gets the domain portion of an email address.
+Gets the domain portion of an email address. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#parsedomain) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Use this claims transformation to parse the domain name after the @ symbol of th
## SetClaimIfBooleansMatch
-Checks that a boolean claim is `true`, or `false`. If yes, sets the output claims with the value present in `outputClaimIfMatched` input parameter.
+Checks that a boolean claim is `true`, or `false`. If yes, sets the output claims with the value present in `outputClaimIfMatched` input parameter. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#setclaimifbooleansmatch) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
For example, the following claims transformation checks if the value of **hasPro
Checks that a string claim `claimToMatch` and `matchTo` input parameter are equal, and sets the output claims with the value present in `outputClaimIfMatched` input parameter, along with compare result output claim, which is to be set as `true` or `false` based on the result of comparison.
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#setclaimsifregexmatch) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | inputClaim | claimToMatch | string | The claim type, which is to be compared. |
Checks whether the provided phone number is valid, based on phone number regular
</InputClaims> <InputParameters> <InputParameter Id="matchTo" DataType="string" Value="^[0-9]{4,16}$" />
- <InputParameter Id="outputClaimIfMatched" DataType="string" Value="isPhone" />
+ <InputParameter Id="outputClaimIfMatched" DataType="string" Value="Phone" />
</InputParameters> <OutputClaims> <OutputClaim ClaimTypeReferenceId="validationResult" TransformationClaimType="outputClaim" />
Checks whether the provided phone number is valid, based on phone number regular
- **claimToMatch**: "64854114520" - Input parameters: - **matchTo**: "^[0-9]{4,16}$"
- - **outputClaimIfMatched**: "isPhone"
+ - **outputClaimIfMatched**: "Phone"
- Output claims:
- - **outputClaim**: "isPhone"
+ - **outputClaim**: "iPhone"
- **regexCompareResultClaim**: true ### Example of SetClaimsIfRegexMatch with extract groups
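Review bot: the expected output in the SetClaimsIfRegexMatch example no longer matches its input: `outputClaimIfMatched` is changed from "isPhone" to "Phone" in both the XML and the input parameters list, but the expected `outputClaim` is changed to "iPhone". Since the transformation sets the output claim to the `outputClaimIfMatched` value when the regex matches, the output line should read `- **outputClaim**: "Phone"`.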
-Checks whether the provided email address is valid, and return the email alias.
+Checks whether the provided email address is valid, and return the email alias. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#setclaimsifregexmatch-with-groups) of this claims transformation with extract groups.
```xml <ClaimsTransformation Id="GetAliasFromEmail" TransformationMethod="SetClaimsIfRegexMatch">
Checks whether the provided email address is valid, and return the email alias.
Checks that a string claim and `matchTo` input parameter are equal, and sets the output claims with the value present in `stringMatchMsg` and `stringMatchMsgCode` input parameters, along with compare result output claim, which is to be set as `true` or `false` based on the result of comparison.
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#setclaimsifstringsareequal) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputClaim | inputClaim | string | The claim type, which is to be compared. |
You can use this claims transformation to check if a claim is equal to value you
Checks that a string claim and `matchTo` input parameter are equal, and sets the output claims with the value present in `outputClaimIfMatched` input parameter, along with compare result output claim, which is to be set as `true` or `false` based on the result of comparison.
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#setclaimsifstringsmatch) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputClaim | claimToMatch | string | The claim type, which is to be compared. |
For example, the following claims transformation checks if the value of **ageGro
Determines whether a specified substring occurs within the input claim. The result is a new boolean claim with a value of `true` or `false`. `true` if the value parameter occurs within this string, otherwise, `false`.
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#stringcontains) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputClaim | inputClaim | string | The claim type, which is to be searched. |
Use this claims transformation to check if a string claim type contains a substr
## StringSubstring
-Extracts parts of a string claim type, beginning at the character at the specified position, and returns the specified number of characters.
+Extracts parts of a string claim type, beginning at the character at the specified position, and returns the specified number of characters. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#stringjoin) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
For example, get the phone number country/region prefix.
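Review bot: the Live demo link added under StringSubstring points at the `#stringjoin` section of the unit-tests README, not `#stringsubstring`; every other link in this change uses the README heading that matches the transformation name, so this one should end in `claims-transformation/string#stringsubstring`.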
Searches a claim type string for a specified value, and returns a new claim type string in which all occurrences of a specified string in the current string are replaced with another specified string.
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#stringreplace) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputClaim | inputClaim | string | The claim type, which contains the string. | | InputParameter | oldValue | string | The string to be searched. | | InputParameter | newValue | string | The string to replace all occurrences of `oldValue` |
-| OutputClaim | outputClaim | boolean | A string that is equivalent to the current string except that all instances of oldValue are replaced with newValue. If oldValue is not found in the current instance, the method returns the current instance unchanged. |
+| OutputClaim | outputClaim | boolean | A string that is equivalent to the current string except that all instances of oldValue are replaced with newValue. If oldValue isn't found in the current instance, the method returns the current instance unchanged. |
### Example of StringReplace
For example, normalize a phone number, by removing the `-` characters
</ClaimsTransformation> ``` - - Input claims: - **inputClaim**: "+164-411-452-054" - Input parameters:
For example, normalize a phone number, by removing the `-` characters
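Review bot: the StringReplace OutputClaim row still declares Data Type `boolean` while its Notes describe a string ("A string that is equivalent to the current string except that all instances of oldValue are replaced with newValue"), and the phone-number example that follows produces a string, so the row is self-contradictory; since the row is already being touched for the "isn't" wording, change the data type to `string` in the same edit.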
Concatenates the elements of a specified string collection claim type, using the specified separator between each element or member.
+Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#stringsplit) of this claims transformation.
+ | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | | InputClaim | inputClaim | stringCollection | A collection that contains the strings to concatenate. |
The following example takes a string collection of user roles, and converts it t
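Review bot: the Live demo link added under StringJoin points at `#stringsplit`; it should point at the `#stringjoin` section of the unit-tests README.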
## StringSplit
-Returns a string array that contains the substrings in this instance that are delimited by elements of a specified string.
+Returns a string array that contains the substrings in this instance that are delimited by elements of a specified string. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string#stringsubstring) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
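Review bot: the Live demo link added under StringSplit points at `#stringsubstring`; it should be `#stringsplit`. Taken together with the StringSubstring and StringJoin links, the three anchors look shifted by one section, so they are worth checking against the README headings before merge.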
Claim transformations expressions in Azure AD B2C custom policies provide contex
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/string) on the Azure AD B2C community GitHub repo
active-directory-b2c Stringcollection Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/stringcollection-transformations.md
Previously updated : 01/17/2022 Last updated : 02/16/2022
This article provides examples for using the string collection claims transforma
## AddItemToStringCollection
-Adds a string claim to a new unique values stringCollection claim.
+Adds a string claim to a new unique values stringCollection claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection#additemtostringcollection) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following claims transformation adds the **email** ClaimType to **otherMails
## AddParameterToStringCollection
-Adds a string parameter to a new unique values stringCollection claim.
+Adds a string parameter to a new unique values stringCollection claim. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection#addparametertostringcollection) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example adds a constant email address (admin@contoso.com) to the *
## GetSingleItemFromStringCollection
-Gets the first item from the provided string collection.
+Gets the first item from the provided string collection. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection#getsingleitemfromstringcollection) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
The following example reads the **otherMails** claim and returns the first item
## StringCollectionContains
-Checks if a StringCollection claim type contains an element.
+Checks if a StringCollection claim type contains an element. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection#stringcollectioncontains) of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Following example checks whether the `roles` stringCollection claim type contain
## StringCollectionContainsClaim
-Checks if a StringCollection claim type contains a claim value.
+Checks if a StringCollection claim type contains a claim value. Check out the [Live demo]() of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- |
Following example checks whether the `roles` stringCollection claim type contain
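Review bot: the Live demo link added under StringCollectionContainsClaim has an empty URL (`[Live demo]()`), which renders as a dead link. Every other section in this file links to `https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection#<section>`; either add the matching `#stringcollectioncontainsclaim` anchor (if that sample exists in the repo) or drop the sentence until it does.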
## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation) on the Azure AD B2C community GitHub repo
+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection) on the Azure AD B2C community GitHub repo
active-directory-domain-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/policy-reference.md
Title: Built-in policy definitions for Azure Active Directory Domain Services description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
active-directory Functions For Customizing Application Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md
Previously updated : 11/16/2021 Last updated : 02/16/2022
Replaces values within a string in a case-sensitive manner. The function behaves
* When **regexPattern** and **replacementValue** are provided: * The function applies the **regexPattern** to the **source** string and you can use the regex group names to construct the string for **replacementValue**
+> [!NOTE]
+> To learn more about regex grouping constructs and named sub-expressions, see [Grouping Constructs in Regular Expressions](/dotnet/standard/base-types/grouping-constructs-in-regular-expressions).
* When **regexPattern**, **regexGroupName**, **replacementValue** are provided: * The function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with **replacementValue** * When **regexPattern**, **regexGroupName**, **replacementAttributeName** are provided:
- * If **source** has no value, **source** is returned
- * If **source** has a value, the function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with the value associated with **replacementAttributeName**
+ * If **source** has a value, **source** is returned
+ * If **source** has no value, the function applies the **regexPattern** to the **replacementAttributeName** and returns the value matching **regexGroupName**
**Parameters:**
Replaces values within a string in a case-sensitive manner. The function behaves
| | | | | | **source** |Required |String |Usually name of the attribute from the **source** object. | | **oldValue** |Optional |String |Value to be replaced in **source** or **template**. |
-| **regexPattern** |Optional |String |Regex pattern for the value to be replaced in **source**. Or, when **replacementPropertyName** is used, pattern to extract value from **replacementPropertyName**. |
-| **regexGroupName** |Optional |String |Name of the group inside **regexPattern**. Only when **replacementPropertyName** is used, we will extract value of this group as **replacementValue** from **replacementPropertyName**. |
+| **regexPattern** |Optional |String |Regex pattern for the value to be replaced in **source**. When **replacementAttributeName** is used, the **regexPattern** is applied to extract a value from **replacementAttributeName**. |
+| **regexGroupName** |Optional |String |Name of the group inside **regexPattern**. When named **replacementAttributeName** is used, we will extract the value of the named regex group from the **replacementAttributeName** and return it as the replacement value. |
| **replacementValue** |Optional |String |New value to replace old one with. | | **replacementAttributeName** |Optional |String |Name of the attribute to be used for replacement value | | **template** |Optional |String |When **template** value is provided, we will look for **oldValue** inside the template and replace it with **source** value. | #### Replace characters using a regular expression
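Review bot: the parameters table no longer matches the behaviour this change documents. The bullet list now says that when **regexPattern**, **regexGroupName** and **replacementAttributeName** are supplied, **source** is returned if it has a value and otherwise the regex is applied to **replacementAttributeName**, but the **replacementAttributeName** row still reads "Name of the attribute to be used for replacement value", which describes the old semantics; reword it as the fallback attribute the pattern is applied to when **source** is empty. Two smaller points: "When named **replacementAttributeName** is used" in the **regexGroupName** row should drop "named", and the heading "Replace characters using a regular expression" now sits above Examples 1 and 2, which use no regular expression at all, so a neutral heading such as "Examples" would fit better.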
-Example: You need to find characters that match a regular expression value and remove them.
+**Example 1:** Using **oldValue** and **replacementValue** to replace the entire source string with another string.
-**Expression:**
+LetΓÇÖs say your HR system has an attribute `BusinessTitle`. As part of recent job title changes, your company wants to update anyone with the business title ΓÇ£Product DeveloperΓÇ¥ to ΓÇ£Software EngineerΓÇ¥.
+Then in this case, you can use the following expression in your attribute mapping.
-Replace([mailNickname], , "[a-zA-Z_]*", , "", , )
+`Replace([BusinessTitle],"Product Developer", , , "Software Engineer", , )`
-**Sample input/output:**
+* **source**: `[BusinessTitle]`
+* **oldValue**: ΓÇ£Product DeveloperΓÇ¥
+* **replacementValue**: ΓÇ£Software EngineerΓÇ¥
+* **Expression output**: Software Engineer
+
+**Example 2:** Using **oldValue** and **template** to insert the source string into another *templatized* string.
+
+The parameter **oldValue** is a misnomer in this scenario. It is actually the value that will get replaced.
+LetΓÇÖs say you want to always generate login id in the format `<username>@contoso.com`. There is a source attribute called **UserID** and you want that value to be used for the `<username>` portion of the login id.
+Then in this case, you can use the following expression in your attribute mapping.
+
+`Replace([UserID],"<username>", , , , , "<username>@contoso.com")`
+
+* **source:** `[UserID]` = ΓÇ£jsmithΓÇ¥
+* **oldValue:** ΓÇ£`<username>`ΓÇ¥
+* **template:** ΓÇ£`<username>@contoso.com`ΓÇ¥
+* **Expression output:** ΓÇ£jsmith@contoso.comΓÇ¥
+
+**Example 3:** Using **regexPattern** and **replacementValue** to extract a portion of the source string and replace it with an empty string or a custom value built using regex patterns or regex group names.
+
+LetΓÇÖs say you have a source attribute `telephoneNumber` that has components `country code` and `phone number` separated by a space character. E.g. `+91 9998887777`
+Then in this case, you can use the following expression in your attribute mapping to extract the 10 digit phone number.
+
+`Replace([telephoneNumber], , "\\+(?<isdCode>\\d* )(?<phoneNumber>\\d{10})", , "${phoneNumber}", , )`
+
+* **source:** `[telephoneNumber]` = ΓÇ£+91 9998887777ΓÇ¥
+* **regexPattern:** ΓÇ£`\\+(?<isdCode>\\d* )(?<phoneNumber>\\d{10})`ΓÇ¥
+* **replacementValue:** ΓÇ£`${phoneNumber}`ΓÇ¥
+* **Expression output:** 9998887777
+
+You can also use this pattern to remove characters and collapse a string.
+For example, the expression below removes parenthesis, dashes and space characters in the mobile number string and returns only digits.
+
+`Replace([mobile], , "[()\\s-]+", , "", , )`
+
+* **source:** `[mobile] = ΓÇ£+1 (999) 888-7777ΓÇ¥`
+* **regexPattern:** ΓÇ£`[()\\s-]+`ΓÇ¥
+* **replacementValue:** ΓÇ£ΓÇ¥ (empty string)
+* **Expression output:** 19998887777
+
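Review bot: the second expression in Example 3 cannot produce `19998887777` from `+1 (999) 888-7777`. The class `[()\\s-]+` matches parentheses, whitespace and hyphens but not `+`, so the leading plus sign survives and the actual output is `+19998887777`. Either add the plus sign to the class (`[()+\\s-]+`) so the text "returns only digits" holds, or correct the stated output.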
+**Example 4:** Using **regexPattern**, **regexGroupName** and **replacementValue** to extract a portion of the source string and replace it with another literal value or empty string.
+
+LetΓÇÖs say your source system has an attribute AddressLineData with two components street number and street name. As part of a recent move, letΓÇÖs say the street number of the address changed and you want to update only the street number portion of the address line.
+Then in this case, you can use the following expression in your attribute mapping to extract the 10 digit phone number.
+
+`Replace([AddressLineData], ,"(?<streetNumber>^\\d*)","streetNumber", "888", , )`
+
+* **source:** `[AddressLineData]` = ΓÇ£545 Tremont StreetΓÇ¥
+* **regexPattern:** ΓÇ£`(?<streetNumber>^\\d*)`ΓÇ¥
+* **regexGroupName:** ΓÇ£streetNumberΓÇ¥
+* **replacementValue:** ΓÇ£888ΓÇ¥
+* **Expression output:** 888 Tremont Street
+
+Here is another example where the domain suffix from a UPN is replaced with an empty string to generate login id without domain suffix.
+
+`Replace([userPrincipalName], , "(?<Suffix>@(.)*)", "Suffix", "", , )`
+
+* **source:** `[userPrincipalName]` = ΓÇ£jsmith@contoso.comΓÇ¥
+* **regexPattern:** ΓÇ£`(?<Suffix>@(.)*)`ΓÇ¥
+* **regexGroupName:** ΓÇ£SuffixΓÇ¥
+* **replacementValue:** ΓÇ£ΓÇ¥ (empty string)
+* **Expression output:** jsmith
+
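Review bot: the lead-in for Example 4 ends with "to extract the 10 digit phone number", copied from Example 3; the expression replaces the street number in `AddressLineData`, so it should read "to replace the street number". The street-number regex `(?<streetNumber>^\\d*)` is fine, but it will also match an empty string when the address does not start with digits, in which case `888` is prepended rather than substituted; a sentence noting that the pattern assumes a leading number would save readers a surprise.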
+**Example 5:** Using **regexPattern**, **regexGroupName** and **replacementAttributeName** to handle scenarios when the source attribute is empty or doesnΓÇÖt have a value.
+
+LetΓÇÖs say your source system has an attribute telephoneNumber. If telephoneNumber is empty, you want to extract the 10 digits of the mobile number attribute.
+Then in this case, you can use the following expression in your attribute mapping.
+
+`Replace([telephoneNumber], , "\\+(?<isdCode>\\d* )(?<phoneNumber>\\d{10})", "phoneNumber" , , [mobile], )`
+
+* **source:** `[telephoneNumber]` = ΓÇ£ΓÇ¥ (empty string)
+* **regexPattern:** ΓÇ£`\\+(?<isdCode>\\d* )(?<phoneNumber>\\d{10})`ΓÇ¥
+* **regexGroupName:** ΓÇ£phoneNumberΓÇ¥
+* **replacementAttributeName:** `[mobile]` = ΓÇ£+91 8887779999ΓÇ¥
+* **Expression output:** 8887779999
+
+**Example 6:** You need to find characters that match a regular expression value and remove them.
-* **INPUT** (mailNickname: "john_doe72"
-* **OUTPUT**: "72"
+`Replace([mailNickname], , "[a-zA-Z_]*", , "", , )`
+* **source** \[mailNickname\]
+* **oldValue**: "john_doe72"
+* **replaceValue**: ""
+* **Expression output**: 72
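Review bot: the parameter list under Example 6 mislabels its values. `"john_doe72"` is the value of **source** (`[mailNickname]`), not of **oldValue**, which is blank in the expression; **regexPattern** (`[a-zA-Z_]*`) is not listed at all even though it is the parameter doing the work; and `replaceValue` should be `replacementValue` to match the parameter table. Suggested list: source `[mailNickname]` = "john_doe72"; regexPattern "[a-zA-Z_]*"; replacementValue "" (empty string); expression output 72.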
### SelectUniqueValue
active-directory Active Directory Certificate Based Authentication Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/active-directory-certificate-based-authentication-android.md
Previously updated : 11/21/2019 Last updated : 02/16/2022
Android devices can use certificate-based authentication (CBA) to authenticate t
Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
-This topic provides you with the requirements and the supported scenarios for configuring CBA on an Android device for users of tenants in Office 365 Enterprise, Business, Education, US Government, China, and Germany plans.
-
-This feature is available in preview in Office 365 US Government Defense and Federal plans.
## Microsoft mobile applications support
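Review bot: deleting the whole scope paragraph removes the only statement of which tenant plans support CBA on Android (Office 365 Enterprise, Business, Education, US Government, China), not just the Germany reference. If the intent is only to retire Azure Germany, as in the other files in this set, keep the sentence with "and Germany" removed; if the preview note about US Government Defense and Federal plans is now obsolete, say what the current status is rather than leaving the section with no scope statement.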
active-directory Active Directory Certificate Based Authentication Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/active-directory-certificate-based-authentication-ios.md
Previously updated : 04/17/2020 Last updated : 02/16/2022
To improve security, iOS devices can use certificate-based authentication (CBA)
Using certificates eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
-This article details the requirements and the supported scenarios for configuring CBA on an iOS device. CBA for iOS is available across Azure public clouds, Microsoft Government Cloud, Microsoft Cloud Germany, and Microsoft Azure China 21Vianet.
## Microsoft mobile applications support
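Review bot: same concern as the Android article: the removed sentence was the only place this page listed the clouds where CBA for iOS is available (Azure public clouds, Microsoft Government Cloud, Microsoft Azure China 21Vianet). Keeping that sentence with only "Microsoft Cloud Germany" removed preserves the information readers need to decide whether the feature applies to their tenant.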
active-directory Concept Mfa Data Residency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-data-residency.md
Previously updated : 06/03/2021 Last updated : 02/16/2021
For Azure public clouds, excluding Azure AD B2C authentication, the NPS Extensio
| Voice call | Multifactor authentication logs<br/>Multifactor authentication activity report data store<br/>Blocked users (if fraud was reported) | | Microsoft Authenticator notification | Multifactor authentication logs<br/>Multifactor authentication activity report data store<br/>Blocked users (if fraud was reported)<br/>Change requests when the Microsoft Authenticator device token changes |
-For Microsoft Azure Government, Microsoft Azure Germany, Microsoft Azure operated by 21Vianet, Azure AD B2C authentication, the NPS extension, and the Windows Server 2016 or 2019 AD FS adapter, the following personal data is stored:
+For Microsoft Azure Government, Microsoft Azure operated by 21Vianet, Azure AD B2C authentication, the NPS extension, and the Windows Server 2016 or 2019 AD FS adapter, the following personal data is stored:
| Event type | Data store type | |--|--|
The following table shows the location for service logs for sovereign clouds.
| Sovereign cloud | Sign-in logs | Multifactor authentication activity report | Multifactor authentication service logs | |--|--|--|--|
-| Microsoft Azure Germany | Germany | United States | United States |
| Azure China 21Vianet | China | United States | United States | | Microsoft Government Cloud | United States | United States | United States |
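Review bot: the frontmatter for this file sets "Last updated: 02/16/2021", which is earlier than the "Previously updated: 06/03/2021" it replaces and a year behind the 02/16/2022 stamp used by the other files in this set; it should be 02/16/2022. The Germany removals in the sentence and the sovereign-cloud table are consistent with each other.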
active-directory Concept Registration Mfa Sspr Combined https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md
Previously updated : 07/29/2021 Last updated : 02/16/2022
This article outlines what combined security registration is. To get started wit
Before enabling the new experience, review this administrator-focused documentation and the user-focused documentation to ensure you understand the functionality and effect of this feature. Base your training on the [user documentation](https://support.microsoft.com/account-billing/set-up-your-security-info-from-a-sign-in-prompt-28180870-c256-4ebf-8bd7-5335571bf9a8) to prepare your users for the new experience and help to ensure a successful rollout.
-Azure AD combined security information registration is available for Azure US Government but not Azure Germany or Azure China 21Vianet.
+Azure AD combined security information registration is available for Azure US Government but not Azure China 21Vianet.
> [!IMPORTANT] > Users that are enabled for both the original preview and the enhanced combined registration experience see the new behavior. Users that are enabled for both experiences see only the My Account experience. The *My Account* aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Account by going to [https://myaccount.microsoft.com](https://myaccount.microsoft.com).
active-directory Manage Stale Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md
Using the same commands we can pipe the output to the set command to disable the
```powershell $dt = (Get-Date).AddDays(-90)
-Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | Set-AzureADDevice -AccountEnabled $false
+$Devices = Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt}
+foreach ($Device in $Devices) {
+Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false
+}
``` ### Delete devices
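Review bot: the `foreach` body is not indented, so `Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false` sits flush with the braces; indent it to match the rest of the PowerShell samples on the page. Since the `Where` filter runs client-side over every device returned by `-All:$true`, it is also worth telling the reader to inspect `$Devices.Count` (or the list itself) before running the loop, because the loop disables everything the filter returns, including devices whose `ApproximateLastLogonTimeStamp` is null.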
Building on the [disable devices example](#disable-devices) we look for disabled
```powershell $dt = (Get-Date).AddDays(-120)
-$state = $false
-Get-AzureADDevice -All:$true | Where {($_.ApproximateLastLogonTimeStamp -le $dt) -and ($_.AccountEnabled -le $state)} | Remove-AzureADDevice
+$Devices = Get-AzureADDevice -All:$true | Where {($_.ApproximateLastLogonTimeStamp -le $dt) -and ($_.AccountEnabled -eq $false)}
+foreach ($Device in $Devices) {
+Remove-AzureADDevice -ObjectId $Device.ObjectId
+}
``` ## What you should know
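Review bot: replacing `($_.AccountEnabled -le $state)` with `($_.AccountEnabled -eq $false)` fixes a real bug (a boolean was being compared with `-le`), and the explicit `-ObjectId` loop is the right shape. Two follow-ups: the loop body should be indented as in the disable example, and because `Remove-AzureADDevice` is permanent, suggest running the `Get-AzureADDevice ... | Where ...` line on its own and reviewing `$Devices` before executing the `foreach`.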
active-directory Plan Connect Topologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/plan-connect-topologies.md
It's possible to have more than one staging server when you want to have multipl
## Multiple Azure AD tenants We recommend having a single tenant in Azure AD for an organization. Before you plan to use multiple Azure AD tenants, see the article [Administrative units management in Azure AD](../roles/administrative-units.md). It covers common scenarios where you can use a single tenant.
-### (Public preview) Sync AD objects to multiple Azure AD tenants
+### Sync AD objects to multiple Azure AD tenants
![Diagram that shows a topology of multiple Azure A D tenants.](./media/plan-connect-topologies/multi-tenant-2.png)
-> [!NOTE]
-> This topology is currently in Public Preview. As the supported scenarios might still change, we recommend not deploying this topology in a production environment.
- This topology implements the following use cases: * AADConnect can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants. These tenants can be in different Azure environments, such as the Azure China environment or the Azure Government environment, but they could also be in the same Azure environment, such as two tenants that are both in Azure Commercial.
active-directory Managed Identity Best Practice Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md
In the example below, ΓÇ£Virtual Machine 4ΓÇ¥ has both a user-assigned identity,
## Limits
-View the limits for [managed identities](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits)
+View the limits for [managed identities](../../azure-resource-manager/management/azure-subscription-service-limits.md#managed-identity-limits)
and for [custom roles and role assignments](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits). ## Follow the principle of least privilege when granting access
In both cases, for non-human identities such as Azure AD Applications and Manage
Given that the identity's groups and roles are claims in the access token, any authorization changes do not take effect until the token is refreshed. For a human user that's typically not a problem, because a user can acquire a new access token by logging out and in again (or waiting for the token lifetime to expire, which is 1 hour by default). Managed identity tokens on the other hand are cached by the underlying Azure infrastructure for performance and resiliency purposes: the back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identityΓÇÖs group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access.
-If this delay is not acceptable for your requirements, consider alternatives to using groups or roles in the token. To ensure that changes to permissions for managed identities take effect quickly, we recommend that you group Azure resources using a [user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azcli) with permissions applied directly to the identity, instead of adding to or removing managed identities from an Azure AD group that has permissions. A user-assigned managed identity can be used like a group because it can be assigned to one or more Azure resources to use it. The assignment operation can be controlled using the [Managed identity contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) and [Managed identity operator role](../../role-based-access-control/built-in-roles.md#managed-identity-operator).
+If this delay is not acceptable for your requirements, consider alternatives to using groups or roles in the token. To ensure that changes to permissions for managed identities take effect quickly, we recommend that you group Azure resources using a [user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azcli) with permissions applied directly to the identity, instead of adding to or removing managed identities from an Azure AD group that has permissions. A user-assigned managed identity can be used like a group because it can be assigned to one or more Azure resources to use it. The assignment operation can be controlled using the [Managed identity contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) and [Managed identity operator role](../../role-based-access-control/built-in-roles.md#managed-identity-operator).
active-directory Manage Roles Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/manage-roles-portal.md
Previously updated : 02/04/2022 Last updated : 02/16/2022
To grant access to users in Azure Active Directory (Azure AD), you assign Azure
## Prerequisites -- Privileged Role Administrator or Global Administrator
+- Privileged Role Administrator or Global Administrator. To know who your Privileged Role Administrator or Global Administrator is, see [List Azure AD role assignments](view-assignments.md)
- Azure AD Premium P2 license when using Privileged Identity Management (PIM) - AzureADPreview module when using PowerShell - Admin consent when using Graph explorer for Microsoft Graph API
active-directory View Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/view-assignments.md
This procedure describes how to list role assignments with organization-wide sco
It's easy to list your own permissions as well. Select **Your Role** on the **Roles and administrators** page to see the roles that are currently assigned to you.
+ ![List my role assignments](./media/view-assignments/list-my-role-assignments.png)
+ ### Download role assignments To download all assignments for a specific role, on the **Roles and administrators** page, select a role, and then select **Download role assignments**. A CSV file that lists assignments at all scopes for that role is downloaded.
aks Azure Files Dynamic Pv https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-files-dynamic-pv.md
A storage class is used to define how an Azure file share is created. A storage
* *Premium_ZRS* - premium zone redundant storage (ZRS) > [!NOTE]
-> minimum premium file share is 100GB
+> Minimum premium file share is 100GB.
For more information on Kubernetes storage classes for Azure Files, see [Kubernetes Storage Classes][kubernetes-storage-classes].
aks Cluster Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-configuration.md
AKS supports Ubuntu 18.04 as the default node operating system (OS) in general a
## Container runtime configuration
-A container runtime is software that executes containers and manages container images on a node. The runtime helps abstract away sys-calls or operating system (OS) specific functionality to run containers on Linux or Windows. For Linux node pools, `containerd` is used for node pools using Kubernetes version 1.19 and greater. For Windows Server 2019 node pools, `containerd` is available in preview and can be used in node pools using Kubernetes 1.20 and greater, but Docker is still used by default.
+A container runtime is software that executes containers and manages container images on a node. The runtime helps abstract away sys-calls or operating system (OS) specific functionality to run containers on Linux or Windows. For Linux node pools, `containerd` is used for node pools using Kubernetes version 1.19 and greater. For Windows Server 2019 node pools, `containerd` is generally available and can be used in node pools using Kubernetes 1.20 and greater, but Docker is still used by default.
[`Containerd`](https://containerd.io/) is an [OCI](https://opencontainers.org/) (Open Container Initiative) compliant core container runtime that provides the minimum set of required functionality to execute containers and manage images on a node. It was [donated](https://www.cncf.io/announcement/2017/03/29/containerd-joins-cloud-native-computing-foundation/) to the Cloud Native Compute Foundation (CNCF) in March of 2017. The current Moby (upstream Docker) version that AKS uses already leverages and is built on top of `containerd`, as shown above.
By using `containerd` for AKS nodes, pod startup latency improves and node resou
> [!IMPORTANT] > Clusters with Linux node pools created on Kubernetes v1.19 or greater default to `containerd` for its container runtime. Clusters with node pools on a earlier supported Kubernetes versions receive Docker for their container runtime. Linux node pools will be updated to `containerd` once the node pool Kubernetes version is updated to a version that supports `containerd`. You can still use Docker node pools and clusters on older supported versions until those fall off support. >
-> Using `containerd` with Windows Server 2019 node pools is currently in preview. For more details, see [Add a Windows Server node pool with `containerd`][aks-add-np-containerd].
+> Using `containerd` with Windows Server 2019 node pools is generally available, although the default for node pools created on Kubernetes v1.22 and earlier is still Docker. For more details, see [Add a Windows Server node pool with `containerd`][aks-add-np-containerd].
> > It is highly recommended to test your workloads on AKS node pools with `containerd` prior to using clusters with a Kubernetes version that supports `containerd` for your node pools.
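Review bot: the two updated statements disagree on the Windows default. The paragraph under "Container runtime configuration" says `containerd` "can be used in node pools using Kubernetes 1.20 and greater, but Docker is still used by default" with no version qualifier, while the IMPORTANT note says Docker remains the default only for node pools created on Kubernetes v1.22 and earlier, which implies `containerd` becomes the default from 1.23. Qualify the first sentence the same way and state explicitly what the default is on 1.23 and later, so readers planning an upgrade know whether their Windows runtime will change.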
aks Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/policy-reference.md
Title: Built-in policy definitions for Azure Kubernetes Service description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
aks Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
aks Supported Kubernetes Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/supported-kubernetes-versions.md
For the past release history, see [Kubernetes](https://en.wikipedia.org/wiki/Kub
| K8s version | Upstream release | AKS preview | AKS GA | End of life | |--|-|--||-|
-| 1.19* | Aug-04-20 | Sep 2020 | Nov 2020 | 1.22 GA |
| 1.20 | Dec-08-20 | Jan 2021 | Mar 2021 | 1.23 GA | | 1.21 | Apr-08-21 | May 2021 | Jul 2021 | 1.24 GA | | 1.22 | Aug-04-21 | Sept 2021 | Dec 2021 | 1.25 GA |
-| 1.23 | Dec 2021 | Jan 2022 | Feb 2022 | 1.26 GA |
-
-> [!NOTE]
-> AKS and the Holiday Season: To ease the burden of upgrade and change during the holiday season, AKS is extending a limited scope of support for all clusters and node pools on 1.19 as a courtesy. Customers with clusters and node pools on 1.19 after the [announced deprecation date of 2021-11-30](#aks-kubernetes-release-calendar) will be granted an extension of capabilities outside the [usual scope of support for deprecated versions](#kubernetes-version-support-policy).
- The scope of this limited extension is effective from '2021-12-01 to 2022-01-31' and is limited to the following:
-> * Creation of new clusters and node pools on 1.19.
-> * CRUD operations on 1.19 clusters.
-> * Azure Support of non-Kubernetes related, platform issues. Platform issues include trouble with networking, storage, or compute running on Azure. Any support requests for K8s patching and troubleshooting will be requested to upgrade into a supported version.
+| 1.23 | Dec 2021 | Jan 2022 | Mar 2022 | 1.26 GA |
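Review bot: The delimiter row of the table, `|--|-|--||-|`, has an empty fourth cell (`||`); GFM needs at least one dash per delimiter cell, so if this is what is committed rather than an extraction artifact the table will not render. With the `1.19*` row removed, check that the footnote the asterisk pointed to is removed too, and since 1.23 GA slips from Feb 2022 to Mar 2022 the 1.20 row's "1.23 GA" end of life moves with it; a sentence near the table noting the slip would help readers planning upgrades.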
## FAQ
For information on how to upgrade your cluster, see [Upgrade an Azure Kubernetes
[az-extension-update]: /cli/azure/extension#az-extension-update [az-aks-get-versions]: /cli/azure/aks#az_aks_get_versions [preview-terms]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
-[get-azaksversion]: /powershell/module/az.aks/get-azaksversion
+[get-azaksversion]: /powershell/module/az.aks/get-azaksversion
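Review bot: The `-`/`+` pair for `[get-azaksversion]` is identical in content, so this hunk is a whitespace-only change (most likely a trailing newline or line-ending fix); if that was not intended, drop it to keep the diff focused.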
aks Use Azure Ad Pod Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-ad-pod-identity.md
Last updated 3/12/2021
Azure Active Directory (Azure AD) pod-managed identities use Kubernetes primitives to associate [managed identities for Azure resources][az-managed-identities] and identities in Azure AD with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on Azure AD as an identity provider. > [!NOTE]
-> The feature described in this document, pod-managed identities (preview), will be replaced with pod-managed identities V2 (preview).
+> The feature described in this document, pod-managed identities (preview), will be replaced with [Azure AD Workload Identity](https://github.com/Azure/AKS/issues/1480) .
[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
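Review bot: Stray space before the period in the added line: `...issues/1480) .` should be `...issues/1480).` Linking a GitHub issue as the only pointer to the replacement feature is fragile; once an Azure AD Workload Identity doc page exists, link there and keep the issue as a secondary reference.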
api-management Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-reference.md
Title: Built-in policy definitions for Azure API Management description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
api-management Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
app-service Using https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/using.md
To delete:
[Pricing]: https://azure.microsoft.com/pricing/details/app-service/ [ARMOverview]: ../../azure-resource-manager/management/overview.md [ConfigureSSL]: ../configure-ssl-certificate.md
-[Kudu]: https://azure.microsoft.com/resources/videos/super-secret-kudu-debug-console-for-azure-web-sites/
+[Kudu]: ../resources-kudu.md
[AppDeploy]: ../deploy-local-git.md [ASEWAF]: ./integrate-with-application-gateway.md [AppGW]: ../../web-application-firewall/ag/ag-overview.md
app-service Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/policy-reference.md
Title: Built-in policy definitions for Azure App Service description: Lists Azure Policy built-in policy definitions for Azure App Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
app-service Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
applied-ai-services Concept Read https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-read.md
The Form Recognizer v3.0 preview includes the new Read API. Read extracts text l
**Data extraction features**
-| **Read model** | **Text Extraction** | **Language detection** |
+| **Read model** | **Text Extraction** | **[Language detection](language-support.md#detected-languages-by-read)** |
| | | | | Read | Γ£ô |Γ£ô |
Read API extracts text from documents and images with multiple text angles and c
### Language detection (v3.0 preview)
-Read API in v3.0 preview 2 adds language detection as a new feature for text lines. Read will try to detect the languages at the text line level and output the language code with the highest confidence score for one or more text lines.
+Read API in v3.0 preview 2 adds [language detection](language-support.md#detected-languages-by-read) as a new feature for text lines. Read will perdict the language at the text line level along with the confidence score.
### Handwritten classification for text lines (Latin only)
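Review bot: Typo in the added line: "perdict" should be "predict". The rewrite also drops the detail from the removed line that Read returns the language code with the highest confidence score for each text line; "Read predicts the language at the text line level and returns the language code with its confidence score" keeps both facts. The checkmarks in the table row above render as `Γ£ô` (mojibake for a check mark); if the committed file shows the same bytes, re-save it as UTF-8.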
applied-ai-services Concept W2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-w2.md
Title: Form Recognizer Form W-2 prebuilt-tax model
+ Title: Form Recognizer W-2 form prebuilt model
description: Data extraction and analysis extraction using the prebuilt-tax Form W-2 model
recommendations: false
-# Form Recognizer Form W-2 prebuilt-tax model | Preview
+# Form Recognizer W-2 Form prebuilt model | Preview
The Form W-2, Wage and Tax Statement, is a US Internal Revenue Service (IRS) tax form completed by employers to report employees' salary, wages, compensation, and taxes withheld. Employers send a W-2 form to each employee on or before January 31 each year and employees use the form to prepare their tax returns.
Each W-2 Form consists of more than 14 boxes, both numbered and lettered, that d
## Development options
-The prebuilt-tax, Form W-2, model is supported by Form Recognizer v3.0 with the following tools:
+The prebuilt W-2 form, model is supported by Form Recognizer v3.0 with the following tools:
| Feature | Resources | Model ID | |-|-|--|
See how data, including employee, employer, wage, and tax information is extract
* Explore our REST API: > [!div class="nextstepaction"]
- > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)
+ > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)
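Review bot: Casing is inconsistent between the new metadata title ("W-2 form prebuilt model") and the new H1 ("W-2 Form prebuilt model"); pick one. The added `Title:` line also shows a leading space before the key, which would indent it inside the YAML front matter if that space is really in the file. In "The prebuilt W-2 form, model is supported", the comma is left over from the old "prebuilt-tax, Form W-2, model" phrasing and should go. The last `-`/`+` pair (the REST API link) is identical in content, so it is a whitespace-only change.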
applied-ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/language-support.md
Language| Locale code |
|:--|:-:| |English (United States)|en-us|
+## Detected languages by Read
+
+The [Read API](concept-read.md) supports language detection for the following languages:
+
+| Language | Code |
+|||
+| Afrikaans | `af` |
+| Albanian | `sq` |
+| Amharic | `am` |
+| Arabic | `ar` |
+| Armenian | `hy` |
+| Assamese | `as` |
+| Azerbaijani | `az` |
+| Basque | `eu` |
+| Belarusian | `be` |
+| Bengali | `bn` |
+| Bosnian | `bs` |
+| Bulgarian | `bg` |
+| Burmese | `my` |
+| Catalan | `ca` |
+| Central Khmer | `km` |
+| Chinese | `zh` |
+| Chinese Simplified | `zh_chs` |
+| Chinese Traditional | `zh_cht` |
+| Corsican | `co` |
+| Croatian | `hr` |
+| Czech | `cs` |
+| Danish | `da` |
+| Dari | `prs` |
+| Divehi | `dv` |
+| Dutch | `nl` |
+| English | `en` |
+| Esperanto | `eo` |
+| Estonian | `et` |
+| Fijian | `fj` |
+| Finnish | `fi` |
+| French | `fr` |
+| Galician | `gl` |
+| Georgian | `ka` |
+| German | `de` |
+| Greek | `el` |
+| Gujarati | `gu` |
+| Haitian | `ht` |
+| Hausa | `ha` |
+| Hebrew | `he` |
+| Hindi | `hi` |
+| Hmong Daw | `mww` |
+| Hungarian | `hu` |
+| Icelandic | `is` |
+| Igbo | `ig` |
+| Indonesian | `id` |
+| Inuktitut | `iu` |
+| Irish | `ga` |
+| Italian | `it` |
+| Japanese | `ja` |
+| Javanese | `jv` |
+| Kannada | `kn` |
+| Kazakh | `kk` |
+| Kinyarwanda | `rw` |
+| Kirghiz | `ky` |
+| Korean | `ko` |
+| Kurdish | `ku` |
+| Lao | `lo` |
+| Latin | `la` |
+| Latvian | `lv` |
+| Lithuanian | `lt` |
+| Luxembourgish | `lb` |
+| Macedonian | `mk` |
+| Malagasy | `mg` |
+| Malay | `ms` |
+| Malayalam | `ml` |
+| Maltese | `mt` |
+| Maori | `mi` |
+| Marathi | `mr` |
+| Mongolian | `mn` |
+| Nepali | `ne` |
+| Norwegian | `no` |
+| Norwegian Nynorsk | `nn` |
+| Oriya | `or` |
+| Pasht | `ps` |
+| Persian | `fa` |
+| Polish | `pl` |
+| Portuguese | `pt` |
+| Punjabi | `pa` |
+| Queretaro Otomi | `otq` |
+| Romanian | `ro` |
+| Russian | `ru` |
+| Samoan | `sm` |
+| Serbian | `sr` |
+| Shona | `sn` |
+| Sindhi | `sd` |
+| Sinhala | `si` |
+| Slovak | `sk` |
+| Slovenian | `sl` |
+| Somali | `so` |
+| Spanish | `es` |
+| Sundanese | `su` |
+| Swahili | `sw` |
+| Swedish | `sv` |
+| Tagalog | `tl` |
+| Tahitian | `ty` |
+| Tajik | `tg` |
+| Tamil | `ta` |
+| Tatar | `tt` |
+| Telugu | `te` |
+| Thai | `th` |
+| Tibetan | `bo` |
+| Tigrinya | `ti` |
+| Tongan | `to` |
+| Turkish | `tr` |
+| Turkmen | `tk` |
+| Ukrainian | `uk` |
+| Urdu | `ur` |
+| Uzbek | `uz` |
+| Vietnamese | `vi` |
+| Welsh | `cy` |
+| Xhosa | `xh` |
+| Yiddish | `yi` |
+| Yoruba | `yo` |
+| Yucatec Maya | `yua` |
+| Zulu | `zu` |
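Review bot: "Pasht" (code `ps`) should be "Pashto". The delimiter row shows as `|||`; if that is what is committed the table will not render, and it needs `|---|---|`. The new table mixes a bare code (`zh`) with underscore variants (`zh_chs`, `zh_cht`) while the locale table above uses hyphenated locales such as `en-us`; a sentence stating that these are the codes Read returns in its output, distinct from the locale codes accepted as input, would stop readers passing one where the other is expected.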
attestation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/policy-reference.md
Title: Built-in policy definitions for Azure Attestation description: Lists Azure Policy built-in policy definitions for Azure Attestation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
automation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/policy-reference.md
Title: Built-in policy definitions for Azure Automation description: Lists Azure Policy built-in policy definitions for Azure Automation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
automation Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-app-configuration Enable Dynamic Configuration Java Spring App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/enable-dynamic-configuration-java-spring-app.md
Then, open the *pom.xml* file in a text editor and add a `<dependency>` for `azu
| Key | Value | |||
- | Sentinel | 1 |
+ | sentinel | 1 |
Leave **Label** and **Content Type** empty for now.
Then, open the *pom.xml* file in a text editor and add a `<dependency>` for `azu
| Key | Value | |||
- | Sentinel | 2 |
+ | sentinel | 2 |
1. Refresh the browser page to see the new message displayed.
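Review bot: Both hunks change the key from `Sentinel` to `sentinel`; App Configuration keys are case-sensitive, so the refresh configuration elsewhere in the article (not in this diff) that watches this key must use the same casing, otherwise the "refresh the browser page" step at the end never shows the new message. Worth confirming both halves were updated together.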
azure-app-configuration Howto Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-best-practices.md
configBuilder.AddAzureAppConfiguration(options => {
App Configuration is designed to store any configuration data that you would normally save in configuration files or environment variables. However, some types of data may better suited to reside in other sources. For example, store secrets in Key Vault, files in Azure Storage, membership information in Azure AD groups, or customer lists in a database.
-You can still take advantage of App Configuration by saving a reference to external data in a key-value. You can [use content type](./concept-key-value.md#use-content-type) to differentiate each data source. When your application reads a reference, you load the data from the referenced source. In case that you change the location of your external data, you only need to update the reference in App Configuration instead of updating and redeploying your entire application.
+You can still take advantage of App Configuration by saving a reference to external data in a key-value. You can [use content type](./concept-key-value.md#use-content-type) to differentiate each data source. When your application reads a reference, it loads the actual data from the referenced source, assuming it has the necessary permission to the source. If you change the location of your external data, you only need to update the reference in App Configuration instead of updating and redeploying your entire application.
The App Configuration [Key Vault reference](use-key-vault-references-dotnet-core.md) feature is an example in this case. It allows the secrets required for an application to be updated as necessary while the underlying secrets themselves remain in Key Vault.
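Review bot: The added phrase "assuming it has the necessary permission to the source" carries the security point and deserves to be explicit: the reference stored in App Configuration grants nothing by itself, so the application's own identity must be authorized on the referenced source (Key Vault, Storage, the database), and reading the reference and reading the data are two separately authorized operations. One sentence saying so would prevent readers from treating access to the App Configuration store as access to the data it points at.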
azure-app-configuration Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/policy-reference.md
Title: Built-in policy definitions for Azure App Configuration description: Lists Azure Policy built-in policy definitions for Azure App Configuration. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-app-configuration Quickstart Aspnet Core App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-aspnet-core-app.md
dotnet new mvc --no-https --output TestAppConfig
```
-This code will connect to your App Configuration store using a connection string and load all keys that have the *TestApp* prefix from a previous step. For more information on the configuration provider APIs, reference the [configuration provider for App Configuration docs](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration).
+This code will connect to your App Configuration store using a connection string and load all key-values. For more information on the configuration provider APIs, reference the [configuration provider for App Configuration docs](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration).
## Read from the App Configuration store
azure-app-configuration Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Configuration description: Lists Azure Policy Regulatory Compliance controls available for Azure App Configuration. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-arc Reference Az Arcdata Dc Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-arcdata-dc-config.md
[az arcdata dc config patch](#az-arcdata-dc-config-patch) | Patch a config file based on a json patch file. ## az arcdata dc config init Initialize a data controller configuration profile that can be used with `az arcdata dc create`. The specific source of the configuration profile can be specified in the arguments.
-```bash
+```azurecli
az arcdata dc config init ``` ### Examples Guided data controller config init experience - you will receive prompts for needed values.
-```bash
+```azurecli
az arcdata dc config init ``` arcdata dc config init with arguments, creates a configuration profile of aks-dev-test in ./custom.
-```bash
+```azurecli
az arcdata dc config init --source azure-arc-kubeadm --path custom ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc config list List available configuration profile choices for use in `arcdata dc config init`
-```bash
+```azurecli
az arcdata dc config list ``` ### Examples Shows all available configuration profile names.
-```bash
+```azurecli
az arcdata dc config list ``` Shows json of a specific configuration profile.
-```bash
+```azurecli
az arcdata dc config list --config-profile aks-dev-test ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc config add Add the value at the json path in the config file. All examples below are given in Bash. If using another command line, you may need to escape quotations appropriately. Alternatively, you may use the patch file functionality.
-```bash
+```azurecli
az arcdata dc config add ``` ### Examples Add data controller storage.
-```bash
+```azurecli
az arcdata dc config add --path custom/control.json --json-values "spec.storage={"accessMode":"ReadWriteOnce","className":"managed-premium","size":"10Gi"}" ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc config remove Remove the value at the json path in the config file. All examples below are given in Bash. If using another command line, you may need to escape quotations appropriately. Alternatively, you may use the patch file functionality.
-```bash
+```azurecli
az arcdata dc config remove ``` ### Examples Ex 1 - Remove data controller storage.
-```bash
+```azurecli
az arcdata dc config remove --path custom/control.json --json-path ".spec.storage" ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc config replace Replace the value at the json path in the config file. All examples below are given in Bash. If using another command line, you may need to escape quotations appropriately. Alternatively, you may use the patch file functionality.
-```bash
+```azurecli
az arcdata dc config replace ``` ### Examples Ex 1 - Replace the port of a single endpoint (Data Controller Endpoint).
-```bash
+```azurecli
az arcdata dc config replace --path custom/control.json --json-values "$.spec.endpoints[?(@.name=="Controller")].port=30080" ``` Ex 2 - Replace data controller storage.
-```bash
+```azurecli
az arcdata dc config replace --path custom/control.json --json-values "spec.storage={"accessMode":"ReadWriteOnce","className":"managed-premium","size":"10Gi"}" ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc config patch Patch the config file according to the given patch file. Consult http://jsonpatch.com/ for a better understanding of how the paths should be composed. The replace operation can use conditionals in its path due to the jsonpath library https://jsonpath.com/. All patch json files must start with a key of "patch" that has an array of patches with their corresponding op (add, replace, remove), path, and value. The "remove" op does not require a value, just a path. See the examples below.
-```bash
+```azurecli
az arcdata dc config patch ``` ### Examples Ex 1 - Replace the port of a single endpoint (Data Controller Endpoint) with patch file.
-```bash
+```azurecli
az arcdata dc config patch --path custom/control.json --patch ./patch.json-
- Patch File Example (patch.json):
- {"patch":[{"op":"replace","path":"$.spec.endpoints[?(@.name=="Controller")].port","value":30080}]}
+```
+Patch File Example (patch.json):
+```json
+{"patch":[{"op":"replace","path":"$.spec.endpoints[?(@.name=="Controller")].port","value":30080}]}
``` Ex 2 - Replace data controller storage with patch file.
-```bash
+```azurecli
az arcdata dc config patch --path custom/control.json --patch ./patch.json-
- Patch File Example (patch.json):
- {"patch":[{"op":"replace","path":".spec.storage","value":{"accessMode":"ReadWriteMany","className":"managed-premium","size":"10Gi"}}]}
+```
+Patch File Example (patch.json):
+```json
+{"patch":[{"op":"replace","path":".spec.storage","value":{"accessMode":"ReadWriteMany","className":"managed-premium","size":"10Gi"}}]}
``` ### Global Arguments #### `--debug`
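Review bot: The added `json` blocks for patch.json are not valid JSON as written: `"path":"$.spec.endpoints[?(@.name=="Controller")].port"` has unescaped inner double quotes, so the string ends at `name==`. Use single quotes inside the JSONPath (`@.name=='Controller'`) or escape them (`\"Controller\"`). The same quoting problem affects the inline `--json-values "spec.storage={"accessMode":...}"` examples in the add and replace sections, which the text says are given in Bash: the inner quotes terminate the outer double-quoted argument, so wrapping the whole argument in single quotes is needed. The two `--patch ./patch.json-` command lines also carry a trailing `-` that looks like a leftover from the old layout.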
azure-arc Reference Az Arcdata Dc Debug https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-arcdata-dc-debug.md
[az arcdata dc debug dump](#az-arcdata-dc-debug-dump) | Trigger memory dump. ## az arcdata dc debug copy-logs Copy the debug logs from the data controller - Kubernetes configuration is required on your system.
-```bash
+```azurecli
az arcdata dc debug copy-logs ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc debug dump Trigger memory dump and copy it out from container - Kubernetes configuration is required on your system.
-```bash
+```azurecli
az arcdata dc debug dump ``` ### Global Arguments
azure-arc Reference Az Arcdata Dc Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-arcdata-dc-endpoint.md
[az arcdata dc endpoint list](#az-arcdata-dc-endpoint-list) | List the data controller endpoint. ## az arcdata dc endpoint list List the data controller endpoint.
-```bash
+```azurecli
az arcdata dc endpoint list ``` ### Examples Lists all available data controller endpoints.
-```bash
+```azurecli
az arcdata dc endpoint list --k8s-namespace namespace ``` ### Global Arguments
azure-arc Reference Az Arcdata Dc Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-arcdata-dc-status.md
[az arcdata dc status show](#az-arcdata-dc-status-show) | Show the status of the data controller. ## az arcdata dc status show Show the status of the data controller.
-```bash
+```azurecli
az arcdata dc status show ``` ### Examples Show the status of the data controller in a particular kubernetes namespace.
-```bash
+```azurecli
az arcdata dc status show --k8s-namespace namespace --use-k8s ``` Show the status of a directly connected data controller in a particular resource group.
-```bash
+```azurecli
az arcdata dc status show --resource-group resource-group ``` ### Global Arguments
azure-arc Reference Az Arcdata Dc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-arcdata-dc.md
[az arcdata dc upload](#az-arcdata-dc-upload) | Upload exported data file. ## az arcdata dc create Create data controller - kube config is required on your system along with credentials for the monitoring dashboards provided by the following environment variables - AZDATA_LOGSUI_USERNAME and AZDATA_LOGSUI_PASSWORD for Logs Dashboard, and AZDATA_METRICSUI_USERNAME and AZDATA_METRICSUI_PASSWORD for Metrics Dashboard. Alternatively AZDATA_USERNAME and AZDATA_PASSWORD will be used as a fallback if either sets of environment variables are missing.
-```bash
+```azurecli
az arcdata dc create ``` ### Examples Deploy an indirectly connected data controller.
-```bash
+```azurecli
az arcdata dc create --name name --k8s-namespace namespace --connectivity-mode indirect --resource-group group --location location --subscription subscription --use-k8s ``` Deploy a directly connected data controller.
-```bash
+```azurecli
az arcdata dc create --name name --connectivity-mode direct --resource-group group --location location --subscription subscription --custom-location custom-location ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc upgrade Upgrade data controller to the desired-version specified. If desired-version is not specified, an attempt to upgrade to the latest version will be made. If you are unsure of the desired version, you may use the list-upgrades command to view available versions, or use the --dry-run argument to show which version would be used
-```bash
+```azurecli
az arcdata dc upgrade ``` ### Examples Data controller upgrade.
-```bash
+```azurecli
az arcdata dc upgrade --k8s-namespace namespace --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc list-upgrades Attempts to list versions that are available in the docker image registry for upgrade. - kube config is required on your system along with the following environment variables ['AZDATA_USERNAME', 'AZDATA_PASSWORD'].
-```bash
+```azurecli
az arcdata dc list-upgrades ``` ### Examples Data controller upgrade.
-```bash
+```azurecli
az arcdata dc list-upgrades --k8s-namespace namespace --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc delete Delete data controller - kube config is required on your system.
-```bash
+```azurecli
az arcdata dc delete ``` ### Examples Delete an indirect connected data controller.
-```bash
+```azurecli
az arcdata dc delete --name name --k8s-namespace namespace --use-k8s ``` Delete a directly connected data controller.
-```bash
+```azurecli
az arcdata dc delete --name name --resource-group resource-group ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc export Export metrics, logs or usage to a file.
-```bash
+```azurecli
az arcdata dc export ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata dc upload Upload data file exported from a data controller to Azure.
-```bash
+```azurecli
az arcdata dc upload ``` ### Global Arguments
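Review bot: Grammar in the retained create description: "if either sets of environment variables are missing" should be "if either set of environment variables is missing", and "Delete an indirect connected data controller" should be "indirectly connected". Since this section documents that dashboard credentials are read from the AZDATA_* environment variables, a short note that they are meant to be set in the environment rather than passed on the command line (where they would land in shell history) would fit here.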
azure-arc Reference Az Arcdata Resource Kind https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-arcdata-resource-kind.md
[az arcdata resource-kind get](#az-arcdata-resource-kind-get) | Get the Arc resource-kind's template file. ## az arcdata resource-kind list List the available custom resource kinds for Arc that can be defined and created. After listing, you can proceed to getting the template file needed to define or create that custom resource.
-```bash
+```azurecli
az arcdata resource-kind list ``` ### Examples Example command for listing the available custom resource kinds for Arc.
-```bash
+```azurecli
az arcdata resource-kind list ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az arcdata resource-kind get Get the Arc resource-kind's template file.
-```bash
+```azurecli
az arcdata resource-kind get ``` ### Examples Example command for getting an Arc resource-kind's CRD template file.
-```bash
+```azurecli
az arcdata resource-kind get --kind SqlManagedInstance ``` ### Global Arguments
azure-arc Reference Az Postgres Arc Server Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-postgres-arc-server-endpoint.md
[az postgres arc-server endpoint list](#az-postgres-arc-server-endpoint-list) | List Azure Arc enabled PostgreSQL Hyperscale server group endpoints. ## az postgres arc-server endpoint list List Azure Arc enabled PostgreSQL Hyperscale server group endpoints.
-```bash
+```azurecli
az postgres arc-server endpoint list ``` ### Examples List Azure Arc enabled PostgreSQL Hyperscale server group endpoints.
-```bash
+```azurecli
az postgres arc-server endpoint list --name postgres01 --k8s-namespace namespace --use-k8s ``` ### Global Arguments
azure-arc Reference Az Postgres Arc Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-postgres-arc-server.md
[az postgres arc-server endpoint](reference-az-postgres-arc-server-endpoint.md) | Manage Azure Arc enabled PostgreSQL Hyperscale server group endpoints. ## az postgres arc-server create To set the password of the server group, please set the environment variable AZDATA_PASSWORD
-```bash
+```azurecli
az postgres arc-server create ``` ### Examples Create an Azure Arc enabled PostgreSQL Hyperscale server group.
-```bash
+```azurecli
az postgres arc-server create -n pg1 --k8s-namespace namespace --use-k8s ``` Create an Azure Arc enabled PostgreSQL Hyperscale server group with engine settings. Both below examples are valid.
-```bash
+```azurecli
az postgres arc-server create -n pg1 --engine-settings "key1=val1" --k8s-namespace namespace az postgres arc-server create -n pg1 --engine-settings "key2=val2" --k8s-namespace namespace --use-k8s ``` Create a PostgreSQL server group with volume claim mounts.
-```bash
+```azurecli
az postgres arc-server create -n pg1 --volume-claim-mounts backup-pvc:backup ``` Create a PostgreSQL server group with specific memory-limit for different node roles.
-```bash
+```azurecli
az postgres arc-server create -n pg1 --memory-limit "coordinator=2Gi,w=1Gi" --workers 1 --k8s-namespace namespace --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az postgres arc-server edit Edit the configuration of an Azure Arc enabled PostgreSQL Hyperscale server group.
-```bash
+```azurecli
az postgres arc-server edit ``` ### Examples Edit the configuration of an Azure Arc enabled PostgreSQL Hyperscale server group.
-```bash
+```azurecli
az postgres arc-server edit --path ./spec.json -n pg1 --k8s-namespace namespace --use-k8s ``` Edit an Azure Arc enabled PostgreSQL Hyperscale server group with engine settings for the coordinator node.
-```bash
+```azurecli
az postgres arc-server edit -n pg1 --coordinator-settings "key2=val2" --k8s-namespace namespace ``` Edits an Azure Arc enabled PostgreSQL Hyperscale server group and replaces existing engine settings with new setting key1=val1.
-```bash
+```azurecli
az postgres arc-server edit -n pg1 --engine-settings "key1=val1" --replace-settings --k8s-namespace namespace ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az postgres arc-server delete Delete an Azure Arc enabled PostgreSQL Hyperscale server group.
-```bash
+```azurecli
az postgres arc-server delete ``` ### Examples Delete an Azure Arc enabled PostgreSQL Hyperscale server group.
-```bash
+```azurecli
az postgres arc-server delete -n pg1 --k8s-namespace namespace --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az postgres arc-server show Show the details of an Azure Arc enabled PostgreSQL Hyperscale server group.
-```bash
+```azurecli
az postgres arc-server show ``` ### Examples Show the details of an Azure Arc enabled PostgreSQL Hyperscale server group.
-```bash
+```azurecli
az postgres arc-server show -n pg1 --k8s-namespace namespace --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az postgres arc-server list List Azure Arc enabled PostgreSQL Hyperscale server groups.
-```bash
+```azurecli
az postgres arc-server list ``` ### Examples List Azure Arc enabled PostgreSQL Hyperscale server groups.
-```bash
+```azurecli
az postgres arc-server list --k8s-namespace namespace --use-k8s ``` ### Global Arguments
azure-arc Reference Az Sql Mi Arc Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-sql-mi-arc-config.md
[az sql mi-arc config patch](#az-sql-mi-arc-config-patch) | Patch a config file based on a json patch file. ## az sql mi-arc config init Initialize the CRD and specification files for a SQL managed instance.
-```bash
+```azurecli
az sql mi-arc config init ``` ### Examples Initialize the CRD and specification files for a SQL managed instance.
-```bash
+```azurecli
az sql mi-arc config init --path ./template ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc config add Add the value at the json path in the config file. All examples below are given in Bash. If using another command line, you may need to escape quotations appropriately. Alternatively, you may use the patch file functionality.
-```bash
+```azurecli
az sql mi-arc config add ``` ### Examples Ex 1 - Add storage.
-```bash
+```azurecli
az sql mi-arc config add --path custom/spec.json --json-values "spec.storage={"accessMode":"ReadWriteOnce","className":"managed-premium","size":"10Gi"}" ``` ### Global Arguments
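Review bot: The `--json-values` argument in Ex 1 is not valid Bash even though the section says the examples are given in Bash: the inner double quotes in `"spec.storage={"accessMode":"ReadWriteOnce",...}"` terminate the outer string, so the shell splits the value at every quoted key and the tool receives mangled arguments. Wrap the whole value in single quotes instead, e.g. `--json-values 'spec.storage={"accessMode":"ReadWriteOnce","className":"managed-premium","size":"10Gi"}'`. Now that the fence is tagged `azurecli` rather than `bash`, keep the sentence about escaping quotations in other shells right next to the example, since the tag no longer signals which shell the quoting was written for.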
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc config remove Remove the value at the json path in the config file. All examples below are given in Bash. If using another command line, you may need to escape quotations appropriately. Alternatively, you may use the patch file functionality.
-```bash
+```azurecli
az sql mi-arc config remove ``` ### Examples Ex 1 - Remove storage.
-```bash
+```azurecli
az sql mi-arc config remove --path custom/spec.json --json-path ".spec.storage" ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc config replace Replace the value at the json path in the config file. All examples below are given in Bash. If using another command line, you may need to escape quotations appropriately. Alternatively, you may use the patch file functionality.
-```bash
+```azurecli
az sql mi-arc config replace ``` ### Examples Ex 1 - Replace the port of a single endpoint.
-```bash
+```azurecli
az sql mi-arc config replace --path custom/spec.json --json-values "$.spec.endpoints[?(@.name=="Controller")].port=30080" ``` Ex 2 - Replace storage.
-```bash
+```azurecli
az sql mi-arc config replace --path custom/spec.json --json-values "spec.storage={"accessMode":"ReadWriteOnce","className":"managed-premium","size":"10Gi"}" ``` ### Global Arguments
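Review bot: Both replace examples have the same quoting defect as the add example: `"$.spec.endpoints[?(@.name=="Controller")].port=30080"` and the `spec.storage={...}` value contain unescaped double quotes inside a double-quoted Bash string, so neither runs as written. Single-quote the whole value (which also keeps Bash from attempting to expand the `$`). The path notation is also inconsistent across the three commands in this file: `spec.storage` (add), `.spec.storage` (remove) and `$.spec.endpoints[...]` (replace Ex 1); pick one JSONPath form for the examples, or state which forms the tool accepts.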
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc config patch Patch the config file according to the given patch file. Consult http://jsonpatch.com/ for a better understanding of how the paths should be composed. The replace operation can use conditionals in its path due to the jsonpath library https://jsonpath.com/. All patch json files must start with a key of `patch` that has an array of patches with their corresponding op (add, replace, remove), path, and value. The `remove` op does not require a value, just a path. See the examples below.
-```bash
+```azurecli
az sql mi-arc config patch ``` ### Examples Ex 1 - Replace the port of a single endpoint with patch file.
-```bash
+```azurecli
az sql mi-arc config patch --path custom/spec.json --patch ./patch.json-
- Patch File Example (patch.json):
- {"patch":[{"op":"replace","path":"$.spec.endpoints[?(@.name=="Controller")].port","value":30080}]}
+```
+Patch File Example (patch.json):
+```json
+{"patch":[{"op":"replace","path":"$.spec.endpoints[?(@.name=="Controller")].port","value":30080}]}
``` Ex 2 - Replace storage with patch file.
-```bash
+```azurecli
az sql mi-arc config patch --path custom/spec.json --patch ./patch.json-
- Patch File Example (patch.json):
- {"patch":[{"op":"replace","path":".spec.storage","value":{"accessMode":"ReadWriteMany","className":"managed-premium","size":"10Gi"}}]}
+```
+Patch File Example (patch.json):
+```json
+{"patch":[{"op":"replace","path":".spec.storage","value":{"accessMode":"ReadWriteMany","className":"managed-premium","size":"10Gi"}}]}
``` ### Global Arguments #### `--debug`
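Review bot: Now that the patch file examples sit in their own fences tagged as json, the first one is invalid JSON: `"path":"$.spec.endpoints[?(@.name=="Controller")].port"` has unescaped double quotes around `Controller` inside a JSON string, so any JSON parser (and the docs highlighter) will reject the file. Use single quotes in the JSONPath filter (`[?(@.name=='Controller')]`) or escape them as `\"Controller\"`. The second patch file (`"path":".spec.storage"`) parses fine, but it sets `"accessMode":"ReadWriteMany"` where the add and replace examples used `ReadWriteOnce`; a word in the example text that this difference is intentional would stop readers treating it as a typo.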
azure-arc Reference Az Sql Mi Arc Dag https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-sql-mi-arc-dag.md
[az sql mi-arc dag show](#az-sql-mi-arc-dag-show) | show a distributed availability group custom resource. ## az sql mi-arc dag create Create a distributed availability group custom resource to create a distributed availability group
-```bash
+```azurecli
az sql mi-arc dag create ``` ### Examples Ex 1 - Create a distributed availability group custom resource dagCr1 to create distributed availability group dagName1 between local sqlmi instance sqlmi1 and remote sqlmi instance sqlmi2. It requires remote sqlmi primary mirror remotePrimary:5022 and remote sqlmi mirror endpoint certificate file ./sqlmi2.cer.
-```bash
+```azurecli
az sql mi-arc dag create --name dagCr1 --dag-name dagName1 --local-instance-name sqlmi1 --local-primary local --remote-instance-name sqlmi2 --remote-mirroring-url remotePrimary:5022 --remote-mirroring-cert-file ./sqlmi2.cer --use-k8s ``` ### Global Arguments
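Review bot: The example depends on a certificate file `./sqlmi2.cer` for `--remote-mirroring-cert-file` but never says where it comes from; `az sql mi-arc get-mirroring-cert -n <instance> --cert-file <file>`, documented later on this page, is the command that produces it, so link the two steps: fetch the mirroring endpoint certificate from the remote instance first, then pass the resulting file here. The command description "Create a distributed availability group custom resource to create a distributed availability group" is also circular; one clause is enough. Finally, this example omits `--k8s-namespace`, which the other indirect-mode examples on this page include alongside `--use-k8s`.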
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc dag delete Delete a distributed availability group custom resource on a sqlmi instance to delete a distributed availability group. It requires a custom resource name.
-```bash
+```azurecli
az sql mi-arc dag delete ``` ### Examples Ex 1 - delete distributed availability group resources named dagCr1.
-```bash
+```azurecli
az sql mi-arc dag delete --name dagCr1 --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc dag show show a distributed availability group custom resource. It requires a custom resource name
-```bash
+```azurecli
az sql mi-arc dag show ``` ### Examples Ex 1 - show distributed availability group resources named dagCr1.
-```bash
+```azurecli
az sql mi-arc dag show --name dagCr1 --use-k8s ``` ### Global Arguments
azure-arc Reference Az Sql Mi Arc Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-sql-mi-arc-endpoint.md
[az sql mi-arc endpoint list](#az-sql-mi-arc-endpoint-list) | List the SQL endpoints. ## az sql mi-arc endpoint list List the SQL endpoints.
-```bash
+```azurecli
az sql mi-arc endpoint list ``` ### Examples List the endpoints for a SQL managed instance.
-```bash
+```azurecli
az sql mi-arc endpoint list -n sqlmi1 ``` ### Global Arguments
azure-arc Reference Az Sql Mi Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-sql-mi-arc.md
[az sql mi-arc dag](reference-az-sql-mi-arc-dag.md) | Create or Delete a Distributed Availability Group. ## az sql mi-arc create To set the password of the SQL managed instance, set the environment variable AZDATA_PASSWORD
-```bash
+```azurecli
az sql mi-arc create ``` ### Examples Create an indirectly connected SQL managed instance.
-```bash
+```azurecli
az sql mi-arc create -n sqlmi1 --k8s-namespace namespace --use-k8s ``` Create an indirectly connected SQL managed instance with 3 replicas in HA scenario.
-```bash
+```azurecli
az sql mi-arc create -n sqlmi2 --replicas 3 --k8s-namespace namespace --use-k8s ``` Create a directly connected SQL managed instance.
-```bash
+```azurecli
az sql mi-arc create --name name --resource-group group --location location --subscription subscription --custom-location custom-location ``` ### Global Arguments
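Review bot: The `az sql mi-arc create` section opens with the AZDATA_PASSWORD sentence and no description of what the command does (every other section starts with a one-line description), and the sentence has no terminating period. Keep the password instruction, but place it after a description and say that the command reads the variable from the environment of the shell it runs in, so readers know to export it in the same session. The directly connected example also uses bare placeholders (`--name name --resource-group group --location location --subscription subscription --custom-location custom-location`) where the indirect examples use concrete sample values (`sqlmi1`, `namespace`); angle-bracket placeholders such as `<name>` would make clear these must be replaced.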
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc update Update the configuration of a SQL managed instance.
-```bash
+```azurecli
az sql mi-arc update ``` ### Examples Update the configuration of a SQL managed instance.
-```bash
+```azurecli
az sql mi-arc update --path ./spec.json -n sqlmi1 --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc delete Delete a SQL managed instance.
-```bash
+```azurecli
az sql mi-arc delete ``` ### Examples Delete a SQL managed instance using provided namespace.
-```bash
+```azurecli
az sql mi-arc delete --name sqlmi1 --k8s-namespace namespace --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc show Show the details of a SQL managed instance.
-```bash
+```azurecli
az sql mi-arc show ``` ### Examples Show the details of an indirect connected SQL managed instance.
-```bash
+```azurecli
az sql mi-arc show --name sqlmi1 --k8s-namespace namespace --use-k8s ``` Show the details of a directly connected SQL managed instance.
-```bash
+```azurecli
az sql mi-arc show --name sqlmi1 --resource-group resource-group ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc get-mirroring-cert Retrieve certificate of availability group mirroring endpoint from sql mi and store in a file.
-```bash
+```azurecli
az sql mi-arc get-mirroring-cert ``` ### Examples Retrieve certificate of availability group mirroring endpoint from sqlmi1 and store in file fileName1
-```bash
+```azurecli
az sql mi-arc get-mirroring-cert -n sqlmi1 --cert-file fileName1 ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc upgrade Upgrade SQL managed instance to the desired-version specified. If desired-version is not specified, the data controller version will be used.
-```bash
+```azurecli
az sql mi-arc upgrade ``` ### Examples Upgrade SQL managed instance.
-```bash
+```azurecli
az sql mi-arc upgrade -n sqlmi1 --k8s-namespace arc --desired-version v1.1.0 --use-k8s ``` ### Global Arguments
JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more
Increase logging verbosity. Use `--debug` for full debug logs. ## az sql mi-arc list List SQL managed instances.
-```bash
+```azurecli
az sql mi-arc list ``` ### Examples List SQL managed instances.
-```bash
+```azurecli
az sql mi-arc list --use-k8s ``` ### Global Arguments
azure-arc Reference Az Sql Midb Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/reference/reference-az-sql-midb-arc.md
[az sql midb-arc restore](#az-sql-midb-arc-restore) | Restore a database to an Azure Arc enabled SQL managed instance. ## az sql midb-arc restore Restore a database to an Azure Arc enabled SQL managed instance.
-```bash
+```azurecli
az sql midb-arc restore ``` ### Examples Ex 1 - Restore a database using Point in time restore.
-```bash
+```azurecli
az sql midb-arc restore --managed-instance sqlmi1 --name mysourcedb --dest-name mynewdb --time "2021-10-20T05:34:22Z" --k8s-namespace arc --use-k8s --dry-run
azure-arc Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/faq.md
Last updated 02/15/2022 -- description: "This article contains a list of frequently asked questions related to Azure Arc-enabled Kubernetes and Azure GitOps"
-keywords: "Kubernetes, Arc, Azure, containers, configuration, GitOps, Flux, faq"
+keywords: "Kubernetes, Arc, Azure, containers, configuration, GitOps, faq"
-# Frequently Asked Questions - Azure Arc-enabled Kubernetes
+# Frequently Asked Questions - Azure Arc-enabled Kubernetes and GitOps
-This article addresses frequently asked questions about Azure Arc-enabled Kubernetes.
+This article addresses frequently asked questions about Azure Arc-enabled Kubernetes and GitOps.
## What is the difference between Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS)?
This feature applies baseline configurations (like network policies, role bindin
The compliance state of each GitOps configuration is reported back to Azure. This lets you keep track of any failed deployments.
-## Error installing the microsoft.flux extension (Flux v2)
-
-The `microsoft.flux` extension installs the Flux controllers and Azure GitOps agents into your Azure Arc-enabled Kubernetes or AKS clusters. If you experience an error during installation below are some troubleshooting actions.
-
-* Error message
-
- ```console
- {'code':'DeploymentFailed','message':'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.','details':[{'code':'ExtensionCreationFailed','message':' Request failed to https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ContainerService/managedclusters/<CLUSTER_NAME>/extensionaddons/flux?api-version=2021-03-01. Error code: BadRequest. Reason: Bad Request'}]}
- ```
-
-* For AKS cluster, assure that the subscription has the following feature flag enabled: `Microsoft.ContainerService/AKS-ExtensionManager`.
-
- ```console
- az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager
- ```
-
-* Force delete the extension.
-
- ```console
- az k8s-extension delete --force -g <RESOURCE_GROUP> -c <CLUSTER_NAME> -n flux -t <managedClusters OR connectedClusters>
- ```
-
-* Assure that the cluster does not have any policies that restrict creation of the `flux-system` namespace or resources in that namespace.
-
-After you have verified the above, you can re-install the extension.
- ## Does Azure Arc-enabled Kubernetes store any customer data outside of the cluster's region? The feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. For all other regions, customer data is stored in Geo. For more information, see [Trust Center](https://azure.microsoft.com/global-infrastructure/data-residency/).
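Review bot: Dropping the whole "Error installing the microsoft.flux extension (Flux v2)" entry removes the only guidance on this page for the `ExtensionCreationFailed` / `BadRequest` error (the `Microsoft.ContainerService/AKS-ExtensionManager` feature flag registration, `az k8s-extension delete --force ...`, and the `flux-system` namespace policy check) without pointing to where that guidance now lives. If the content was moved to the troubleshooting article, add a one-line pointer under the FAQ so existing links and search hits still land on something useful. The keyword line also loses "Flux" in the same change, which will hurt discoverability of whatever replaced it.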
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled Kubernetes description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022 #
azure-arc Quickstart Connect Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/quickstart-connect-cluster.md
Title: 'Quickstart: Connect an existing Kubernetes cluster to Azure Arc'
-description: "In this quickstart, learn how to connect an Azure Arc-enabled Kubernetes cluster."
-
+ Title: "Quickstart: Connect an existing Kubernetes cluster to Azure Arc"
+description: In this quickstart, you learn how to connect an Azure Arc-enabled Kubernetes cluster.
Previously updated : 09/09/2021 Last updated : 02/16/2022 ms.devlang: azurecli
-keywords: "Kubernetes, Arc, Azure, cluster"
# Quickstart: Connect an existing Kubernetes cluster to Azure Arc
-In this quickstart, you'll learn the benefits of Azure Arc-enabled Kubernetes and how to connect an existing Kubernetes cluster to Azure Arc. For a conceptual look at connecting clusters to Azure Arc, see the [Azure Arc-enabled Kubernetes Agent Architecture article](./conceptual-agent-overview.md).
+Get started with Azure Arc-enabled Kubernetes by using Azure CLI or Azure PowerShell to connect an existing Kubernetes cluster to Azure Arc.
+For a conceptual look at connecting clusters to Azure Arc, see [Azure Arc-enabled Kubernetes agent overview](./conceptual-agent-overview.md).
## Prerequisites ### [Azure CLI](#tab/azure-cli)
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+* A basic understanding of [Kubernetes core concepts](/azure/aks/concepts-clusters-workloads).
+ * [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0 and <= 2.29.0 * Install the **connectedk8s** Azure CLI extension of version >= 1.2.0:
- ```console
+ ```
az extension add --name connectedk8s ``` * [Log in to Azure CLI](/cli/azure/authenticate-azure-cli) using the identity (user or service principal) that you want to use for connecting your cluster to Azure Arc.
- * The identity used needs to at least have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
- * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) is useful for at-scale onboarding as it has the granular permissions required to only connect clusters to Azure Arc. This role doesn't have the permissions to update, delete, or modify any other clusters or other Azure resources.
+ * The identity used needs to at least have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
+ * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) is useful for at-scale onboarding as it has the granular permissions required to only connect clusters to Azure Arc. This role doesn't have the permissions to update, delete, or modify any other clusters or other Azure resources.
* An up-and-running Kubernetes cluster. If you don't have one, you can create a cluster using one of these options:
- * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/)
- * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes)
- * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html)
- * If you want to connect a OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `az connectedk8s connect`:
+ * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/)
+ * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes)
+ * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html)
+ * If you want to connect a OpenShift cluster to Azure Arc, execute the following command one time on your cluster before running `az connectedk8s connect`:
- ```console
- oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa
- ```
+ ```
+ oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa
+ ```
>[!NOTE] > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported.
-* A `kubeconfig` file and context pointing to your cluster.
+* A [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) and context pointing to your cluster.
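Review bot: The fence around `az extension add --name connectedk8s` was changed from `console` to a bare fence, which loses highlighting and is the opposite of what the rest of this changeset does (`bash` to `azurecli`); tag it `azurecli`, and tag the `oc adm` block `console` or `bash`. Separately, the OpenShift prerequisite `oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa` grants the `privileged` SCC to a service account without saying why the kube-aad-proxy component needs it or what that SCC permits; a sentence, or a link to the agent overview already cited above, on why the grant is required would let cluster admins evaluate it rather than paste it blindly.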
### [Azure PowerShell](#tab/azure-powershell)
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+* A basic understanding of [Kubernetes core concepts](/azure/aks/concepts-clusters-workloads).
+ * [Azure PowerShell version 5.9.0 or later](/powershell/azure/install-az-ps) * Install the **Az.ConnectedKubernetes** PowerShell module:
In this quickstart, you'll learn the benefits of Azure Arc-enabled Kubernetes an
> the `Install-Module` cmdlet. * [Log in to Azure PowerShell](/powershell/azure/authenticate-azureps) using the identity (user or service principal) that you want to use for connecting your cluster to Azure Arc.
- * The identity used needs to at least have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
- * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) is useful for at-scale onboarding as it has the granular permissions required to only connect clusters to Azure Arc. This role doesn't have the permissions to update, delete, or modify any other clusters or other Azure resources.
+ * The identity used needs to at least have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
+ * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) is useful for at-scale onboarding as it has the granular permissions required to only connect clusters to Azure Arc. This role doesn't have the permissions to update, delete, or modify any other clusters or other Azure resources.
* An up-and-running Kubernetes cluster. If you don't have one, you can create a cluster using one of these options:
- * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/)
- * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes)
- * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html)
- * If you want to connect a OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `New-AzConnectedKubernetes`:
+ * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/)
+ * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes)
+ * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html)
+ * If you want to connect a OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `New-AzConnectedKubernetes`:
- ```console
- oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa
- ```
+ ```
+ oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa
+ ```
>[!NOTE] > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported.
-* A `kubeconfig` file and context pointing to your cluster.
+* A [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) and context pointing to your cluster.
* Install [Helm 3](https://helm.sh/docs/intro/install). Ensure that the Helm 3 version is &lt; 3.7.0.
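Review bot: The two tabs drifted in this change: the Azure CLI tab now reads "execute the following command one time on your cluster" while the Azure PowerShell tab still says "you need to execute the following command just once"; keep the two OpenShift bullets identical apart from the command name (`az connectedk8s connect` versus `New-AzConnectedKubernetes`). Both tabs also drop the `console` tag from the `oc adm` fence; keep a language tag on it, as the rest of this changeset does for `az` commands.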
In this quickstart, you'll learn the benefits of Azure Arc-enabled Kubernetes an
|`*.servicebus.windows.net`, `guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com`, `sts.windows.net` | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. | |`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
-## 1. Register providers for Azure Arc-enabled Kubernetes
+## Register providers for Azure Arc-enabled Kubernetes
### [Azure CLI](#tab/azure-cli) 1. Enter the following commands:+ ```azurecli az provider register --namespace Microsoft.Kubernetes az provider register --namespace Microsoft.KubernetesConfiguration az provider register --namespace Microsoft.ExtendedLocation ```
-2. Monitor the registration process. Registration may take up to 10 minutes.
+
+1. Monitor the registration process. Registration may take up to 10 minutes.
+ ```azurecli az provider show -n Microsoft.Kubernetes -o table az provider show -n Microsoft.KubernetesConfiguration -o table
In this quickstart, you'll learn the benefits of Azure Arc-enabled Kubernetes an
### [Azure PowerShell](#tab/azure-powershell) 1. Enter the following commands:+ ```azurepowershell Register-AzResourceProvider -ProviderNamespace Microsoft.Kubernetes Register-AzResourceProvider -ProviderNamespace Microsoft.KubernetesConfiguration Register-AzResourceProvider -ProviderNamespace Microsoft.ExtendedLocation ```+ 1. Monitor the registration process. Registration may take up to 10 minutes.+ ```azurepowershell Get-AzResourceProvider -ProviderNamespace Microsoft.Kubernetes Get-AzResourceProvider -ProviderNamespace Microsoft.KubernetesConfiguration
In this quickstart, you'll learn the benefits of Azure Arc-enabled Kubernetes an
``` Once registered, you should see the `RegistrationState` state for these namespaces change to `Registered`.+
-## 2. Create a resource group
+## Create a resource group
Run the following command:
az group create --name AzureArcTest --location EastUS --output table
``` Output:
-<pre>
+
+```
Location Name - eastus AzureArcTest
-</pre>
+```
### [Azure PowerShell](#tab/azure-powershell)
New-AzResourceGroup -Name AzureArcTest -Location EastUS
``` Output:
-<pre>
+
+```
ResourceGroupName : AzureArcTest Location : eastus ProvisioningState : Succeeded Tags : ResourceId : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureArcTest
-</pre>
+```
-## 3. Connect an existing Kubernetes cluster
+## Connect an existing Kubernetes cluster
Run the following command:
az connectedk8s connect --name AzureArcTest1 --resource-group AzureArcTest
``` > [!NOTE]
-> If you are logged into Azure CLI using a service principal, an [additional parameter](troubleshooting.md#enable-custom-locations-using-service-principal) needs to be set for enabling the custom location feature on the cluster.
+> If you are logged into Azure CLI using a service principal, an [additional parameter](troubleshooting.md#enable-custom-locations-using-service-principal) needs to be set to enable the custom location feature on the cluster.
Output:
-<pre>
+
+```
Helm release deployment succeeded {
Helm release deployment succeeded
"totalNodeCount": null, "type": "Microsoft.Kubernetes/connectedClusters" }
-</pre>
+```
> [!TIP] > The above command without the location parameter specified creates the Azure Arc-enabled Kubernetes resource in the same location as the resource group. To create the Azure Arc-enabled Kubernetes resource in a different location, specify either `--location <region>` or `-l <region>` when running the `az connectedk8s connect` command.
New-AzConnectedKubernetes -ClusterName AzureArcTest1 -ResourceGroupName AzureArc
``` Output:
-<pre>
+
+```
Location Name Type -- - - eastus AzureArcTest1 microsoft.kubernetes/connectedclusters
-</pre>
+```
-## 4a. Connect using an outbound proxy server
+## Connect using an outbound proxy server
-### [Azure CLI](#tab/azure-cli)
+If your cluster is behind an outbound proxy server, requests must be routed via the outbound proxy server.
-If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc-enabled Kubernetes agents need to route their requests via the outbound proxy server.
+### [Azure CLI](#tab/azure-cli)
1. Set the environment variables needed for Azure CLI to use the outbound proxy server:
If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc-
az connectedk8s connect --name <cluster-name> --resource-group <resource-group> --proxy-https https://<proxy-server-ip-address>:<port> --proxy-http http://<proxy-server-ip-address>:<port> --proxy-skip-range <excludedIP>,<excludedCIDR> --proxy-cert <path-to-cert-file> ```
- > [!NOTE]
- > * Some network requests such as the ones involving in-cluster service-to-service communication need to be separated from the traffic that is routed via the proxy server for outbound communication. The `--proxy-skip-range` parameter can be used to specify the CIDR range and endpoints in a comma-separated way so that any communication from the agents to these endpoints do not go via the outbound proxy. At a minimum, the CIDR range of the services in the cluster should be specified as value for this parameter. For example, let's say `kubectl get svc -A` returns a list of services where all the services have ClusterIP values in the range `10.0.0.0/16`. Then the value to specify for `--proxy-skip-range` is `10.0.0.0/16,kubernetes.default.svc,.svc.cluster.local,.svc`.
- > * `--proxy-http`, `--proxy-https`, and `--proxy-skip-range` are expected for most outbound proxy environments. `--proxy-cert` is *only* required if you need to inject trusted certificates expected by proxy into the trusted certificate store of agent pods.
- > * The outbound proxy has to be configured to allow websocket connections.
+> [!NOTE]
+>
+> * Some network requests such as the ones involving in-cluster service-to-service communication need to be separated from the traffic that is routed via the proxy server for outbound communication. The `--proxy-skip-range` parameter can be used to specify the CIDR range and endpoints in a comma-separated way so that any communication from the agents to these endpoints do not go via the outbound proxy. At a minimum, the CIDR range of the services in the cluster should be specified as value for this parameter. For example, let's say `kubectl get svc -A` returns a list of services where all the services have ClusterIP values in the range `10.0.0.0/16`. Then the value to specify for `--proxy-skip-range` is `10.0.0.0/16,kubernetes.default.svc,.svc.cluster.local,.svc`.
+> * `--proxy-http`, `--proxy-https`, and `--proxy-skip-range` are expected for most outbound proxy environments. `--proxy-cert` is *only* required if you need to inject trusted certificates expected by proxy into the trusted certificate store of agent pods.
+> * The outbound proxy has to be configured to allow websocket connections.
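Review bot: The `--proxy-skip-range` guidance in the first bullet derives the service CIDR from the ClusterIP values that `kubectl get svc -A` happens to list, which only reflects addresses currently allocated and can understate the configured range; suggest telling readers to take the service CIDR from the cluster configuration instead. It is also worth stating plainly that every CIDR or suffix placed in `--proxy-skip-range` bypasses the outbound proxy entirely, so the list should stay limited to in-cluster destinations rather than being widened for convenience.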
### [Azure PowerShell](#tab/azure-powershell)
-If your cluster is behind an outbound proxy server, Azure PowerShell and the Azure Arc-enabled Kubernetes agents need to route their requests via the outbound proxy server.
- 1. Set the environment variables needed for Azure PowerShell to use the outbound proxy server: ```powershell
If your cluster is behind an outbound proxy server, Azure PowerShell and the Azu
-## 5. Verify cluster connection
+## Verify cluster connection
Run the following command:
az connectedk8s list --resource-group AzureArcTest --output table
``` Output:
-<pre>
+
+```
Name Location ResourceGroup - - AzureArcTest1 eastus AzureArcTest
-</pre>
+```
### [Azure PowerShell](#tab/azure-powershell)
Get-AzConnectedKubernetes -ResourceGroupName AzureArcTest
``` Output:
-<pre>
+
+```
Location Name Type -- - - eastus AzureArcTest1 microsoft.kubernetes/connectedclusters
-</pre>
+```
> [!NOTE] > After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes, etc.) to surface on the overview page of the Azure Arc-enabled Kubernetes resource in Azure portal.
-## 6. View Azure Arc agents for Kubernetes
+## View Azure Arc agents for Kubernetes
-Azure Arc-enabled Kubernetes deploys a few operators into the `azure-arc` namespace.
+Azure Arc-enabled Kubernetes deploys a few agents into the `azure-arc` namespace.
1. View these deployments and pods using:
- ```console
- kubectl get deployments,pods -n azure-arc
- ```
+ ```
+ kubectl get deployments,pods -n azure-arc
+ ```
1. Verify all pods are in a `Running` state.
- Output:
- <pre>
+ Output:
+ ```
NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/cluster-metadata-operator 1/1 1 1 13d deployment.apps/clusterconnect-agent 1/1 1 1 13d
Azure Arc-enabled Kubernetes deploys a few operators into the `azure-arc` namesp
pod/kube-aad-proxy-67b87b9f55-bthqv 2/2 Running 0 13d pod/metrics-agent-575c565fd9-k5j2t 2/2 Running 0 13d pod/resource-sync-agent-6bbd8bcd86-x5bk5 2/2 Running 0 13d
- </pre>
+ ```
-A conceptual overview of these agents is available [here](conceptual-agent-overview.md).
+For more information about these agents, see [Azure Arc-enabled Kubernetes agent overview](conceptual-agent-overview.md).
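Review bot: The replacement fences around `kubectl get deployments,pods -n azure-arc` and the `Output:` block drop the `console` language tag that the removed lines carried, while other blocks in this change set keep ```console (for example the `az k8s-extension show` examples); suggest keeping the tag for consistent rendering. The `Verify all pods are in a Running state` step also gives no hint of what to do when a pod is not Running, although the following sections assume the agents are healthy; a pointer to the troubleshooting article would close that gap.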
-## 7. Clean up resources
+## Clean up resources
### [Azure CLI](#tab/azure-cli)
az connectedk8s delete --name AzureArcTest1 --resource-group AzureArcTest
``` >[!NOTE]
-> Deleting the Azure Arc-enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc-enabled Kubernetes resource using `az connectedk8s delete` instead of Azure portal.
+> Deleting the Azure Arc-enabled Kubernetes resource using the Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc-enabled Kubernetes resource using `az connectedk8s delete` rather than deleting the resource in the Azure portal.
### [Azure PowerShell](#tab/azure-powershell)
Remove-AzConnectedKubernetes -ClusterName AzureArcTest1 -ResourceGroupName Azure
``` >[!NOTE]
-> Deleting the Azure Arc-enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc-enabled Kubernetes resource using `Remove-AzConnectedKubernetes` instead of Azure portal.
+> Deleting the Azure Arc-enabled Kubernetes resource using the Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc-enabled Kubernetes resource using `Remove-AzConnectedKubernetes` rather than deleting the resource in the Azure portal.
azure-arc Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/troubleshooting.md
Title: "Troubleshoot common Azure Arc-enabled Kubernetes issues"
# Previously updated : 12/07/2021 Last updated : 02/16/2022
-description: "Troubleshooting common issues with Azure Arc-enabled Kubernetes clusters."
-keywords: "Kubernetes, Arc, Azure, containers"
+description: "Troubleshooting common issues with Azure Arc-enabled Kubernetes clusters and GitOps."
+keywords: "Kubernetes, Arc, Azure, containers, GitOps, Flux"
-# Azure Arc-enabled Kubernetes troubleshooting
+# Azure Arc-enabled Kubernetes and GitOps troubleshooting
-This document provides troubleshooting guides for issues with connectivity, permissions, and agents.
+This document provides troubleshooting guides for issues with Azure Arc-enabled Kubernetes connectivity, permissions, and agents. It also provides troubleshooting guides for Azure GitOps, which can be used in either Azure Arc-enabled Kubernetes or Azure Kubernetes Service (AKS) clusters.
## General troubleshooting
To recover from this issue, follow these steps:
## GitOps management
-### General
+### Flux v1 - General
To help troubleshoot issues with `sourceControlConfigurations` resource (Flux v1), run these az commands with `--debug` parameter specified:
az provider show -n Microsoft.KubernetesConfiguration --debug
az k8s-configuration flux create <parameters> --debug ```
-### Create configurations
+### Flux v1 - Create configurations
Write permissions on the Azure Arc-enabled Kubernetes resource (`Microsoft.Kubernetes/connectedClusters/Write`) are necessary and sufficient for creating configurations on that cluster.
metadata:
selfLink: "" ```
-### Installing the `microsoft.flux` extension (Flux v2)
+### Flux v2 - Error installing the `microsoft.flux` extension
-If the `microsoft.flux` extension is in a failed state, you can run a script to investigate. The cluster-type parameter can be set to `connectedClusters` for Arc cluster or `managedClusters` for AKS cluster. The name of the `microsoft.flux` extension will be "flux" if the extension was installed automatically during creation of a `fluxConfigurations` resource. Look in the "statuses" object for information.
+The `microsoft.flux` extension installs the Flux controllers and Azure GitOps agents into your Azure Arc-enabled Kubernetes or Azure Kubernetes Service (AKS) clusters. If the extension is not already installed in a cluster and you create a GitOps configuration resource for that cluster, the extension will be installed automatically.
+
+If you experience an error during installation or if the extension is in a failed state, you can first run a script to investigate. The cluster-type parameter can be set to `connectedClusters` for an Arc-enabled cluster or `managedClusters` for an AKS cluster. The name of the `microsoft.flux` extension will be "flux" if the extension was installed automatically during creation of a GitOps configuration. Look in the "statuses" object for information.
One example: ```console
-az k8s-extension show --resource-group RESOURCE_GROUP --cluster-name CLUSTER_NAME --cluster-type connectedClusters -n flux
+az k8s-extension show -g <RESOURCE_GROUP> -c <CLUSTER_NAME> -n flux -t <connectedClusters or managedClusters>
+flux
... "statuses": [
az k8s-extension show --resource-group RESOURCE_GROUP --cluster-name CLUSTER_NAM
Another example: ```console
-az k8s-extension show --resource-group RESOURCE_GROUP --cluster-name CLUSTER_NAME --cluster-type connectedClusters -n flux
+az k8s-extension show -g <RESOURCE_GROUP> -c <CLUSTER_NAME> -n flux -t <connectedClusters or managedClusters>
"statuses": [ {
az k8s-extension show --resource-group RESOURCE_GROUP --cluster-name CLUSTER_NAM
] ```
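Review bot: The added line containing only `flux` directly after the `az k8s-extension show -g <RESOURCE_GROUP> -c <CLUSTER_NAME> -n flux -t <connectedClusters or managedClusters>` command in the first example looks like a stray paste; it does not appear in the second example and should be removed. The `-t <connectedClusters or managedClusters>` placeholder would also read more clearly as `-t <CLUSTER_TYPE>` with the two allowed values explained in the sentence above, matching the `<RESOURCE_GROUP>` and `<CLUSTER_NAME>` placeholders.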
-In both of these cases, delete the `flux-system` namespace and uninstall the Helm release. This should resolve the extension installation issue.
+Another example from the portal:
+
+```console
+{'code':'DeploymentFailed','message':'At least one resource deployment operation failed. Please list
+deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
+','details':[{'code':'ExtensionCreationFailed', 'message':' Request failed to https://management.azure.com/
+subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ContainerService/
+managedclusters/<CLUSTER_NAME>/extensionaddons/flux?api-version=2021-03-01. Error code: BadRequest.
+Reason: Bad Request'}]}
+```
+
+For all these cases, possible remediation actions are to force delete the extension, uninstall the Helm release, and delete the `flux-system` namespace from the cluster.
+
+```console
+az k8s-extension delete --force -g <RESOURCE_GROUP> -c <CLUSTER_NAME> -n flux -t <managedClusters OR connectedClusters>
+helm uninstall flux -n flux-system
+kubectl delete namespaces flux-system
+```
+
+Some other aspects to consider:
+
+* For AKS cluster, assure that the subscription has the following feature flag enabled: `Microsoft.ContainerService/AKS-ExtensionManager`.
+
+ ```console
+ az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager
+ ```
+
+* Assure that the cluster does not have any policies that restrict creation of the `flux-system` namespace or resources in that namespace.
+
+With these actions accomplished you can either [re-create a flux configuration](./tutorial-use-gitops-flux2.md) which will install the flux extension automatically or you can re-install the flux extension manually.
+
+### Flux v2 - Installing the `microsoft.flux` extension in a cluster with AAD Pod Identity enabled
+
+If you attempt to install the Flux extension in a cluster that has AAD Pod Identity enabled, an error may occur in the extension-agent pod.
+
+```console
+{"Message":"2021/12/02 10:24:56 Error: in getting auth header : error {adal: Refresh request failed. Status Code = '404'. Response body: no azure identity found for request clientID <REDACTED>\n}","LogType":"ConfigAgentTrace","LogLevel":"Information","Environment":"prod","Role":"ClusterConfigAgent","Location":"westeurope","ArmId":"/subscriptions/<REDACTED>/resourceGroups/<REDACTED>/providers/Microsoft.Kubernetes/managedclusters/<REDACTED>","CorrelationId":"","AgentName":"FluxConfigAgent","AgentVersion":"0.4.2","AgentTimestamp":"2021/12/02 10:24:56"}
+```
+
+The extension status also returns as "Failed".
```console
-kubectl delete namespaces flux-system -A
-helm uninstall flux -n -flux-system
+"{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceOperationFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"ExtensionCreationFailed\",\"message\":\" error: Unable to get the status from the local CRD with the error : {Error : Retry for given duration didn't get any results with err {status not populated}}\"}]}}",
```
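Review bot: The remediation block hardcodes `flux` in `az k8s-extension delete --force ... -n flux` and `helm uninstall flux -n flux-system`, but the paragraph above states the extension is named `flux` only when it was installed automatically by a GitOps configuration; suggest an `<EXTENSION_NAME>` placeholder or a sentence telling readers to substitute the name they used when installing manually. The `az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager` step gives no way to confirm that registration has completed; suggest adding the corresponding `az feature show` check so readers do not retry the extension install before the flag is active. Minor: `assure that` in both bullets should read `ensure that`.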
-If that doesn't resolve the issue, you can delete the extension. After deleting the extension, you can either [re-create a flux configuration](./tutorial-use-gitops-flux2.md) which will install the flux extension automatically or you can re-install the flux extension manually.
+The issue is that the extension-agent pod is trying to get its token from IMDS on the cluster in order to talk to the extension service in Azure; however, this token request is being intercepted by pod identity ([details here](../../aks/use-azure-ad-pod-identity.md)).
+
+The workaround is to create an `AzurePodIdentityException` that will tell AAD Pod Identity to ignore the token requests from flux-extension pods.
```console
-az k8s-extension delete --resource-group RESOURCE_GROUP --cluster-name CLUSTER_NAME --cluster-type connectedClusters ΓÇôname flux
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzurePodIdentityException
+metadata:
+ name: flux-extension-exception
+ namespace: flux-system
+spec:
+ podLabels:
+ app.kubernetes.io/name: flux-extension
``` ## Monitoring
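Review bot: The `AzurePodIdentityException` manifest is fenced as ```console but is YAML; tag it ```yaml and add the `kubectl apply -f` step, since the text only says to create the exception without showing how. Because the exception makes AAD Pod Identity stop intercepting token requests from every pod in `flux-system` matching `app.kubernetes.io/name: flux-extension`, it is worth stating that the `podLabels` selector should match only the extension-agent pods and not anything else deployed into that namespace.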
azure-arc Tutorial Gitops Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-gitops-ci-cd.md
This tutorial assumes familiarity with Azure DevOps, Azure Repos and Pipelines,
* Complete the [previous tutorial](./tutorial-use-gitops-connected-cluster.md) to learn how to deploy GitOps for your CI/CD environment. * Understand the [benefits and architecture](./conceptual-configurations.md) of this feature. * Verify you have:
- * A [connected Azure Arc-enabled Kubernetes cluster](./quickstart-connect-cluster.md#3-connect-an-existing-kubernetes-cluster) named **arc-cicd-cluster**.
+ * A [connected Azure Arc-enabled Kubernetes cluster](./quickstart-connect-cluster.md#connect-an-existing-kubernetes-cluster) named **arc-cicd-cluster**.
* A connected Azure Container Registry (ACR) with either [AKS integration](../../aks/cluster-container-registry-integration.md) or [non-AKS cluster authentication](../../container-registry/container-registry-auth-kubernetes.md). * "Build Admin" and "Project Admin" permissions for [Azure Repos](/azure/devops/repos/get-started/what-is-repos) and [Azure Pipelines](/azure/devops/pipelines/get-started/pipelines-get-started). * Install the following Azure Arc-enabled Kubernetes CLI extensions of versions >= 1.0.0:
azure-arc Tutorial Gitops Flux2 Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-gitops-flux2-ci-cd.md
If you don't have an Azure subscription, create a [free account](https://azure.m
* Complete the [previous tutorial](./tutorial-use-gitops-flux2.md) to learn how to deploy GitOps for your CI/CD environment. * Understand the [benefits and architecture](./conceptual-gitops-flux2.md) of this feature. * Verify you have:
- * A [connected Azure Arc-enabled Kubernetes cluster](./quickstart-connect-cluster.md#3-connect-an-existing-kubernetes-cluster) named **arc-cicd-cluster**.
+ * A [connected Azure Arc-enabled Kubernetes cluster](./quickstart-connect-cluster.md#connect-an-existing-kubernetes-cluster) named **arc-cicd-cluster**.
* A connected Azure Container Registry with either [AKS integration](../../aks/cluster-container-registry-integration.md) or [non-AKS cluster authentication](../../container-registry/container-registry-auth-kubernetes.md). * Install the latest versions of these Azure Arc-enabled Kubernetes CLI extensions:
azure-arc Tutorial Use Gitops Connected Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md
Just like private keys, you can provide your known_hosts content directly or in
>[!NOTE] >* Helm operator chart version 1.2.0+ supports the HTTPS Helm release private auth. >* HTTPS Helm release is not supported for AKS managed clusters.
->* If you need Flux to access the Git repository through your proxy, you will need to update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md#4a-connect-using-an-outbound-proxy-server).
+>* If you need Flux to access the Git repository through your proxy, you will need to update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server).
## Additional Parameters
azure-arc Tutorial Use Gitops Flux2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-use-gitops-flux2.md
To manage GitOps through the Azure CLI or the Azure portal, you need the followi
* An Azure Arc-enabled Kubernetes connected cluster that's up and running.
- [Learn how to Azure Arc-enable a Kubernetes cluster](./quickstart-connect-cluster.md). If you need to connect through an outbound proxy, then assure you [install the Arc agents with proxy settings](./quickstart-connect-cluster.md?tabs=azure-cli#4a-connect-using-an-outbound-proxy-server).
+ [Learn how to Azure Arc-enable a Kubernetes cluster](./quickstart-connect-cluster.md). If you need to connect through an outbound proxy, then assure you [install the Arc agents with proxy settings](./quickstart-connect-cluster.md?tabs=azure-cli#connect-using-an-outbound-proxy-server).
* Read and write permissions on the `Microsoft.Kubernetes/connectedClusters` resource type. ### For Azure Kubernetes Service clusters
Learn more about using a local Kubernetes secret with these authentication metho
* [Bucket static authentication](https://fluxcd.io/docs/components/source/buckets/#static-authentication) >[!NOTE]
->If you need Flux to access the source through your proxy, you'll need to update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md?tabs=azure-cli#4a-connect-using-an-outbound-proxy-server).
+>If you need Flux to access the source through your proxy, you'll need to update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md?tabs=azure-cli#connect-using-an-outbound-proxy-server).
### Git implementation
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled servers description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-arc Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-cache-for-redis Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/policy-reference.md
Title: Built-in policy definitions for Azure Cache for Redis description: Lists Azure Policy built-in policy definitions for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-cache-for-redis Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-functions Functions Bindings Service Bus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-service-bus.md
The example host.json file below contains only the settings for version 5.0.0 an
"maxRetries": 3 }, "prefetchCount": 0,
+ "transportType": "amqpWebSockets",
+ "webProxy": "https://proxyserver:8080",
"autoCompleteMessages": true, "maxAutoLockRenewalDuration": "00:05:00", "maxConcurrentCalls": 16,
When using service bus extension version 5.x and higher, the following global co
|Property |Default | Description | |||| |prefetchCount|0|Gets or sets the number of messages that the message receiver can simultaneously request.|
+| transportType| amqpTcp | The protocol and transport that is used for communicating with Service Bus. Available options: `amqpTcp`, `amqpWebSockets`|
+| webProxy| n/a | The proxy to use for communicating with Service Bus over web sockets. A proxy cannot be used with the `amqpTcp` transport. |
|autoCompleteMessages|true|Determines whether or not to automatically complete messages after successful execution of the function and should be used in place of the `autoComplete` configuration setting.| |maxAutoLockRenewalDuration|00:05:00|The maximum duration within which the message lock will be renewed automatically. This setting only applies for functions that receive a single message at a time.| |maxConcurrentCalls|16|The maximum number of concurrent calls to the callback that the should be initiate per scaled instance. By default, the Functions runtime processes multiple messages concurrently. This setting only applies for functions that receive a single message at a time.|
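Review bot: The `webProxy` row says a proxy cannot be used with the `amqpTcp` transport but not what happens if `webProxy` is set while `transportType` is left at its default `amqpTcp` (rejected at startup or silently ignored); suggest stating the behaviour and phrasing the dependency explicitly, for example `webProxy` requires `transportType` to be set to `amqpWebSockets`, as the host.json example above already does.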
azure-government Documentation Government Overview Nerc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-overview-nerc.md
+
+ Title: NERC CIP standards and cloud computing
+description: This article discusses implications of NERC CIP standards on cloud computing. It explores compliance assurances that cloud service providers can furnish to registered entities subject to compliance with NERC CIP standards.
++++
+recommendations: false
Last updated : 02/16/2022++
+# NERC CIP standards and cloud computing
+
+This article is intended for electric power utilities and [registered entities](https://www.nerc.com/pa/comp/Pages/Registration.aspx) considering cloud adoption for data and workloads subject to compliance with the North American Electric Reliability Corporation (NERC) [Critical Infrastructure Protection (CIP) standards](https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx).
+
+Microsoft makes two different cloud environments available to electric utilities and other registered entities: Azure and Azure Government. Both provide a multi-tenant cloud services platform that registered entities can use to deploy various solutions. A multi-tenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure and Azure Government use logical isolation to segregate applications and data belonging to different customers. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously preventing customers from accessing one another's data or applications. This article addresses common security and isolation concerns pertinent to the electric power industry. It also discusses compliance considerations for data and workloads deployed on Azure or Azure Government that are subject to NERC CIP standards. For in-depth technical description of isolation approaches, see [Azure guidance for secure isolation](./azure-secure-isolation-guidance.md).
+
+Both Azure and Azure Government have the same comprehensive security controls in place. They also share the same Microsoft commitment on the safeguarding of customer data. Azure Government provides an extra layer of protection to registered entities through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. Moreover, Azure Government is only available in the United States to US-based registered entities.
+
+Both Azure and Azure Government are suitable for registered entities deploying certain workloads subject to compliance with NERC CIP standards.
+
+## NERC overview
+
+The [North American Electric Reliability Corporation (NERC)](https://www.nerc.com/AboutNERC/Pages/default.aspx) is a not-for-profit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC granted the Electric Reliability Organization (ERO) designation to NERC in accordance with the Energy Policy Act of 2005, as stated in the US Public Law 109-58. NERC has jurisdiction over users, owners, and operators of the bulk power system that serves nearly 400 million people in North America. For more information about NERC ERO Enterprise and NERC regional entities, see [NERC key players](https://www.nerc.com/AboutNERC/keyplayers/Pages/default.aspx).
+
+NERC develops and enforces reliability standards known as NERC [CIP standards](https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx). In the United States, FERC approved the first set of CIP standards in 2007 and has continued to do so with every new revision. In Canada, the Federal, Provincial, and Territorial Monitoring and Enforcement Subgroup (MESG) develops provincial summaries for making CIP standards enforceable in Canadian jurisdictions.
+
+## Azure and Azure Government
+
+Azure provides core infrastructure and virtualization technologies and services such as compute, storage, and networking that are designed with stringent controls to meet tenant separation requirements. These services also help enable secure connection to your on-premises environment. Most Azure services enable you to specify the [region](../availability-zones/az-overview.md) where your [customer data](https://www.microsoft.com/trust-center/privacy/customer-data-definitions) will be stored. Microsoft may [replicate](https://azure.microsoft.com/global-infrastructure/data-residency/) your customer data to other regions within the same [geography](https://azure.microsoft.com/global-infrastructure/geographies/) for data resiliency. However, Microsoft won't replicate your customer data outside the chosen geography, for example, United States.
+
+Microsoft provides two different cloud environments to registered entities to deploy their applications and data: Azure and Azure Government. Azure is generally available in more than 60 regions around the world; however, for registered entities subject to NERC CIP standards, the geographies of most interest are United States and Canada.
+
+- Azure is available to NERC registered entities in both the United States and Canada.
+- [Azure Government](./documentation-government-welcome.md) is only available in the United States to US-based NERC registered entities.
+
+For Azure regions available in the United States and Canada, and for Azure Government regions in the United States, see [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/#geographies). For Azure service availability in a given region, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,usgov-arizona,usgov-texas,usgov-virginia,us-central,us-east,us-east-2,us-north-central,us-south-central,us-west-central,us-west,us-west-2,us-west-3,canada-central,canada-east).
+
+Both Azure and Azure Government have the same strong security controls in place to provide you with robust assurances about the safeguarding of your customer data and applications. They offer various services in a multi-tenant cloud environment that uses virtualization technologies to provide scale and resource utilization. They also provide superior data separation and isolation in a shared environment. This design helps ensure that you can use Azure and Azure Government efficiently and keep your data and workloads isolated from other tenants. Both cloud environments provide the same data redundancy for Azure Storage by maintaining three copies of customer data across separate fault domains in the primary region. You can also enable [geo-redundant storage](../storage/common/storage-redundancy.md), which maintains three extra copies of customer data also across separate fault domains in the [paired region](../availability-zones/cross-region-replication-azure.md). At any given time, Azure Storage maintains six healthy replicas of your customer data kept in two paired regions that are located at least 400 miles apart.
+
+[Azure Government](./documentation-government-welcome.md) is a US government community cloud that is physically separated from the Azure cloud. It provides extra assurances regarding US government specific background screening requirements. For example, Azure Government mandates US persons verification for operations personnel with potential access to customer data. Azure Government can also support customers subject to certain [export controls laws and regulations](./documentation-government-overview-itar.md). **Both Azure and Azure Government are suitable for registered entities deploying certain workloads subject to compliance with NERC CIP standards.**
+
+Azure and Azure Government have the broadest [compliance coverage](../compliance/index.yml) in the industry, including key independent certifications and attestations. Azure Government adds extra [compliance coverage](./documentation-government-plan-compliance.md) that is specific to US government requirements.
+
+Nuclear electric utility customers may also be subject to the Department of Energy (DoE) / National Nuclear Security Administration (NNSA) 10 CFR Part 810 export control requirements. Among other things, **DoE 10 CFR Part 810** controls the export of unclassified nuclear technology and assistance. Paragraph 810.7 (b) states that specific DoE authorization is required for providing or transferring sensitive nuclear technology to any foreign entity.
+
+- Export is the transfer of protected technology or information to a foreign destination or foreign person irrespective of the destination.
+- Deemed export represents the transmission of protected technology and information to a foreign person inside the United States.
+
+Azure Government is designed to meet specific controls that restrict access to information and systems to US persons. This commitment isn't applied in Azure. Therefore, customers deploying on Azure should conduct proper risk assessment to determine if extra technical measures should be deployed to secure data that shouldn't be disclosed to foreign persons. For more information, see Azure [DoE 10 CFR Part 810 compliance offering](/azure/compliance/offerings/offering-doe-10-cfr-part-810).
+
+**Nuclear utility customers are wholly responsible for ensuring their own compliance with all applicable laws and regulations. The forgoing isn't legal advice, and you should consult your legal advisors for any questions regarding regulatory compliance.**
+
+## Categorizing NERC CIP data and workloads
+
+> [!NOTE]
+>
+> Customers operating the Bulk Electric System (BES) are wholly responsible for ensuring their own compliance with NERC CIP standards. Neither Azure nor Azure Government constitutes a Bulk Electric System (BES) or BES Cyber Asset.
+
+As stated by NERC, CIP standards apply to the Bulk Electric System (BES):
+
+- Generally, 100 kV and above, but with some exceptions, primarily for radial lines.
+- 20MVA and above generating units, 75MVA and above generating plants, with some exceptions for wholly behind-the-meter generation.
+- Includes Control Centers that monitor and control the BES.
+
+As stated by NERC, CIP standards don't apply to distribution, that is, non-BES, with several exceptions, primarily Under Frequency Load Shedding (UFLS), Under Voltage Load Shedding (UVLS), Blackstart Resources (generation), and Cranking Paths.
+
+**To assess the suitability of NERC CIP standards data and workloads for cloud deployment, registered entities should consult with their own compliance officers and NERC auditors.** What follows are some key BES-related definitions that are provided by NERC in the current set of [CIP standards](https://www.nerc.com/pa/Stand/Reliability%20Standards%20Complete%20Set/RSCompleteSet.pdf) and NERCΓÇÖs [Glossary of Terms](https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf):
+
+- **Cyber Asset:** Programmable electronic devices, including the hardware, software, and data in those devices.
+- **BES Cyber Asset (BCA):** A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.
+- **BES Cyber System (BCS):** One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
+ - Components of the BCS also include ΓÇ£glueΓÇ¥ infrastructure components (for example, networking infrastructure) necessary for the system to perform its reliability tasks, such as network switches).
+ - Tremendous flexibility is built into the definition ΓÇô BCS could be the entire control system, or a subset based on function (HMI, server, database, FEP, and so on).
+- **Electronic Security Perimeter (ESP):** The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
+- **Protected Cyber Asset (PCA):** One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that isn't part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP.
+- **Electronic Access Point (EAP):** A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.
+- **Electronic Access Control or Monitoring Systems (EACMS):** Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeters or BES Cyber Systems, including intermediate systems.
+- **Control Center:** One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real time to perform the reliability tasks, including their associated data centers, of: 1) a reliability coordinator, 2) a balancing authority, 3) a transmission operator for transmission facilities at two or more locations, or 4) a generator operator for generation facilities at two or more locations.
+ - Includes rooms and equipment where power system operators sit and rooms and equipment containing the ΓÇ£back officeΓÇ¥ servers, databases, telecommunications equipment, and so on.
+ - They may all be in the same room or be in different buildings or in different cities.
+
+As stated by NERC, BES Cyber Assets perform real-time functions of monitoring or controlling the BES. There's heavy emphasis in the current definition on physical assets within the Electronic Security Perimeter, for example, the specific term *ΓÇ£in those devicesΓÇ¥* referring to BES Cyber Assets. There are no provisions for key cloud concepts such as virtualization and multi-tenancy. To accommodate properly BES Cyber Assets and Protected Cyber Assets in a cloud environment, existing definitions in NERC CIP standards would [need to be revised](https://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx). However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule. More detailed discussion was provided by NERC in November 2016 at the [Emerging Technology Roundtable on Cloud Computing](https://www.nerc.com/pa/CI/Documents/roundtable%20-%20cloud%20computing%20slides%20%20(20161116).pdf).
+
+Depending on registered entityΓÇÖs implementation, some of the following workloads may not be considered a BES Cyber System (BCS) or placed within the Electronic Security Perimeter (ESP):
+
+- Transmission asset status, management, planning, predictive maintenance
+- Transmission network planning, demand forecasting, contingency analysis
+- Common Information Model (CIM) modeling and geo-spatial asset location information
+- Operational equipment data and Supervisory Control and Data Acquisition (SCADA) historical information system
+- Artificial intelligence and advanced analytics for forecasting, maintenance, outage management
+- Internet of Things (IoT) scenarios for transmission line monitoring and maintenance
+- NERC CIP audit evidence, reports, records
+
+These workloads require careful assessment that takes into consideration individual registered entity facts and circumstances.
+
+Another class of data not subject to the 15-minute rule is the BES Cyber System Information (BCSI) if proper security controls are in place to safeguard BCSI. The following [definition](https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf) is provided by NERC:
+
+**BES Cyber System Information (BCSI)** is information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information doesn't include individual pieces of information that by themselves don't pose a threat or couldn't be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but aren't limited to:
+
+- Security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that aren't publicly available and could be used to allow unauthorized access or unauthorized distribution
+- Collections of network addresses
+- Network topology of the BES Cyber System
+
+The NERC Electric Reliability Organization (ERO) Enterprise [released](https://www.nerc.com/pa/comp/guidance/Pages/default.aspx) a Compliance Monitoring and Enforcement Program (CMEP) [practice guide](https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/ERO%20Enterprise%20CMEP%20Practice%20Guide%20_%20BCSI%20-%20v0.2%20CLEAN.pdf) to provide guidance to ERO Enterprise CMEP staff when assessing a registered entityΓÇÖs process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented.
+
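Review bot: the apostrophes, quotation marks and dashes throughout this region are mojibake (`NERCΓÇÖs` in the paragraph introducing the BES-related definitions, `ΓÇ£glueΓÇ¥` and `ΓÇô` in the BES Cyber System sub-bullets, `ΓÇ£back officeΓÇ¥` under Control Center, `*ΓÇ£in those devicesΓÇ¥*` in the paragraph on real-time functions, `entityΓÇÖs` before the workload list): UTF-8 curly quotes and an en dash have been decoded through a single-byte code page. Re-save the file as UTF-8 and use plain `NERC's`, `"glue"`, `-`, `"back office"` and `"in those devices"`; the same corruption recurs in every later section of this change (`MicrosoftΓÇÖs`, `CSPΓÇÖs`, `organizationΓÇÖs`, `itΓÇÖs`). Two wording points in the same region: the first BES Cyber System sub-bullet has an unbalanced parenthesis in `(for example, networking infrastructure) necessary for the system to perform its reliability tasks, such as network switches)`, so either drop the trailing `)` or move `such as network switches` inside the parenthetical; and `To accommodate properly BES Cyber Assets` reads better as `To properly accommodate BES Cyber Assets`, which is the phrasing the Summary section of this same change already uses.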
+## Compliance considerations for NERC CIP standards
+
+The National Institute of Standards and Technology (NIST) [Special Publication (SP) 800-145](https://csrc.nist.gov/publications/detail/sp/800-145/final) defines the following cloud service models:
+
+- Infrastructure as a Service (IaaS)
+- Platform as a Service (PaaS)
+- Software as a Service (SaaS)
+
+The [shared responsibility model](../security/fundamentals/shared-responsibility.md) in the cloud allocates responsibility differently based on the cloud service model. With on-premises deployment in your own datacenter, you assume responsibility for all layers in the stack. As workloads get migrated to the cloud, Microsoft assumes progressively more responsibility depending on the cloud service model. For example, with the IaaS model, MicrosoftΓÇÖs responsibility ends at the virtualization (Hypervisor) layer. You're responsible for all layers above the virtualization layer, including maintaining the base operating system in guest virtual machines. With finished cloud services in the SaaS model such as Microsoft Office 365 or Dynamics 365, Microsoft assumes responsibility for extra layers in the stack. However, you're still responsible for administering the service, including granting proper access rights to end users. Irrespective of the cloud service model, you're always responsible for your customer data.
+
+The concept of shared responsibility extends also to certification dependencies and compliance obligations. If you're a registered entity deploying applications on Azure or Azure Government, you take certification dependencies on Microsoft. You're ultimately responsible for meeting your NERC CIP compliance obligations. However, you inherit security controls from the underlying cloud platform, and can count on Microsoft for compliance assurances that are applicable to cloud service providers (CSPs).
+
+Both Azure and Azure Government are audited extensively by independent third-party auditors. You can use some of these audits when assessing your NERC CIP compliance obligations. In discussions with NERC regulators, the following independent third-party audits were identified as relevant and potentially useful to registered entities:
+
+- Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) certification and attestation
+- American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 2 Type 2 attestation
+- United States Federal Risk and Authorization Management Program (FedRAMP) authorization
+
+Microsoft maintains all three of these compliance audits for both Azure and Azure Government and makes the respective audit documents available to registered entities.
+
+NERC CIP compliance requirements can be addressed during a NERC audit and in line with the [shared responsibility model](../security/fundamentals/shared-responsibility.md) for cloud computing. We believe that Azure and Azure Government cloud services can be used in a manner compliant with NERC CIP standards. Microsoft is prepared to assist you with NERC audits by furnishing Azure or Azure Government audit documentation and control implementation details in support of NERC audit requirements. Moreover, Microsoft has developed a **[Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide)**, which is a technical how-to guidance to help you address NERC CIP compliance requirements for your Azure assets. The document contains pre-filled [Reliability Standard Audit Worksheets](https://www.nerc.com/pa/comp/Pages/Reliability-Standard-Audit-Worksheets-(RSAWs).aspx) (RSAWs) narratives that help explain how Azure controls address NERC CIP requirements. It also contains guidance to help you use Azure services to implement controls that you own. The guide is available for download to existing Azure or Azure Government customers under a non-disclosure agreement (NDA) from the Service Trust Portal (STP). You must sign in to access this document on the STP. For more information, see [Get started with the Microsoft Service Trust Portal](https://aka.ms/stphelp).
+
+> [!NOTE]
+>
+> For more information regarding Azure support for NERC CIP standards, see **[Azure NERC compliance offering](/azure/compliance/offerings/offering-nerc)**.
+
+### CSA STAR
+
+The [Cloud Security Alliance (CSA)](https://cloudsecurityalliance.org/) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It's dedicated to defining best practices to help ensure a more secure cloud computing environment. CSA helps potential cloud customers make informed decisions when transitioning their IT operations to the cloud. CSA maintains the [Security, Trust, Assurance, and Risk (STAR)](https://cloudsecurityalliance.org/star/) Registry, a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.
+
+The CSA [Cloud Controls Matrix (CCM)](https://cloudsecurityalliance.org/research/cloud-controls-matrix/) is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP. The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, and others.
+
+CSA STAR provides [two levels of assurance](https://cloudsecurityalliance.org/star/#levels) based on the CCM. CSA STAR Self-Assessment is the introductory offering at Level 1, which is free and open to all CSPs. Going further up the assurance stack, Level 2 of the STAR program involves third-party assessment-based certifications (for example, CSA STAR Certification and CSA STAR Attestation). **Azure and Azure Government maintain CSA STAR Certification and CSA STAR Attestation submissions in the STAR Registry, in addition to CSA STAR Self-Assessment.** For more information, see:
+
+- [CSA STAR Level 1 Self-Assessment](/azure/compliance/offerings/offering-csa-star-self-assessment)
+- [CSA STAR Level 2 Certification](/azure/compliance/offerings/offering-csa-star-certification)
+- [CSA STAR Level 2 Attestation](/azure/compliance/offerings/offering-csa-star-attestation)
+
+To download the Azure and Azure Government CSA STAR Registry submissions, see the [CSA STAR Registry for Microsoft](https://cloudsecurityalliance.org/star/registry/microsoft/).
+
+### SOC 2 Type 2
+
+System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They're intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service.
+
+A SOC 2 Type 2 attestation is performed under:
+
+- SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, *Concepts Common to All Attestation Engagements*, and AT-C section 205, *Examination Engagements* (AICPA, Professional Standards).
+- SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
+- TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).
+
+At the conclusion of a SOC 2 Type 2 audit, the auditor renders an opinion in a SOC 2 Type 2 report. The attestation report describes the cloud service providerΓÇÖs (CSPΓÇÖs) system and assesses the fairness of the CSPΓÇÖs description of its controls. It also evaluates whether the CSPΓÇÖs controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
+
+**Azure and Azure Government undergo rigorous independent third-party SOC 2 Type 2 audits conducted by a reputable Certified Public Accountant (CPA) firm.** The resulting SOC 2 Type 2 reports are relevant to system Security, Availability, Processing Integrity, Confidentiality, and Privacy. In addition, these reports address the requirements in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and the German Federal Office for Information Security (BSI) Cloud Computing Compliance Criteria Catalogue (C5:2020). For more information, see [Azure SOC 2 Type 2 compliance offering](/azure/compliance/offerings/offering-soc-2).
+
+### FedRAMP
+
+The United States Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. Cloud service providers (CSPs) desiring to sell services to a US federal agency can take three paths to demonstrate FedRAMP compliance:
+
+- Earn a Provisional Authorization to Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB).
+- Receive an Authorization to Operate (ATO) from a federal agency.
+- Work independently to develop a CSP Supplied Package that meets program requirements.
+
+Each of these paths requires an assessment by an independent third-party assessment organization (3PAO) that is accredited by the program and a stringent technical review by the FedRAMP Program Management Office (PMO).
+
+FedRAMP is based on the National Institute of Standards and Technology (NIST) [Special Publication (SP) 800-53](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53) standard, augmented by FedRAMP controls and control enhancements. FedRAMP authorizations are granted at three impact levels based on the NIST [FIPS 199](https://csrc.nist.gov/publications/detail/fips/199/final) guidelines: Low, Moderate, and High. These levels rank the impact that the loss of confidentiality, integrity, or availability could have on an organization: Low (limited effect), Moderate (serious adverse effect), and High (severe or catastrophic effect). The number of controls in the corresponding baseline increases with the impact level, as shown in the following table:
+
+| FedRAMP control baseline | Low | Moderate | High |
+|--|--|-||
+| Total number of controls and control enhancements | 125 | 325 | 421 |
+
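Review bot: the delimiter row of the FedRAMP baseline table, `|--|--|-||`, contains an empty fourth cell, which the GFM table parser rejects, so the whole table falls back to plain text in the rendered page. Change it to `|--|--|--|--|` so it matches the four header cells in `| FedRAMP control baseline | Low | Moderate | High |`.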
+The FedRAMP High authorization represents the highest bar for FedRAMP compliance. FedRAMP isn't a point-in-time certification or accreditation but an assessment and authorization program. It comes with provisions for continuous monitoring to ensure that deployed security controls in a cloud service offering (CSO) remain effective in an evolving threat landscape and changes that occur in the system environment. A CSP is required to furnish various evidence to demonstrate continuous compliance, including system inventory reports, vulnerability scans, plan of actions and milestones, and so on. FedRAMP is one of the most rigorous and demanding audits that a CSP can undergo.
+
+**Both Azure and Azure Government maintain FedRAMP High P-ATOs issued by the JAB** in addition to more than 250 Moderate and High ATOs issued by individual federal agencies for the in-scope services. For more information, see [Azure FedRAMP compliance offering](/azure/compliance/offerings/offering-fedramp).
+
+A comparison between the FedRAMP Moderate control baseline and NERC CIP standards requirements reveals that FedRAMP Moderate control baseline encompasses all NERC CIP requirements. Microsoft has developed a **[Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide)** that includes control mappings between the current set of NERC CIP standards requirements and FedRAMP Moderate control baseline as documented in [NIST SP 800-53 Rev 4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53). The Cloud implementation guide for NERC audits contains pre-filled [Reliability Standard Audit Worksheets](https://www.nerc.com/pa/comp/Pages/Reliability-Standard-Audit-Worksheets-(RSAWs).aspx) (RSAWs) narratives that help explain how Azure controls address NERC CIP requirements. It also contains guidance to help you use Azure services to implement controls that you own. You can download the Cloud implementation guide for NERC audits under a non-disclosure agreement (NDA) from the Service Trust Portal (STP). You must sign in to access this document on the STP. For more information, see [Get started with the Microsoft Service Trust Portal](https://aka.ms/stphelp).
+
+There are many valid reasons why a registered entity subject to NERC CIP compliance obligations might want to use an existing FedRAMP P-ATO or ATO when assessing the security posture of a cloud services offering:
+
+- Reinventing the established NIST SP 800-53 standard and FedRAMP assessment and authorization program would be a significant undertaking.
+- FedRAMP is already in place, and it's an adopted framework for US federal government agencies when assessing cloud services.
+- In the United States, FERC approves NERC CIP standards. As a US federal agency, FERC relies on FedRAMP when assessing cloud services for their own cloud computing needs. The choice of FedRAMP as a compliance path for CSPs would be consistent with the approach adopted by FERC and other US government agencies.
+- In Canada, the Federal, Provincial, and Territorial Monitoring and Enforcement Subgroup develops provincial summaries for making CIP standards enforceable in Canadian jurisdictions. The Government of Canada has aligned their [security control profile for cloud-based services](https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html) to the FedRAMP Moderate security control profile to maximize both the interoperability of cloud services and reusability of the authorization evidence produced by CSPs.
+- FedRAMP relies on an in-depth audit with mandatory provisions for continuous monitoring. It provides strong assurances to registered entities that audited controls are operating effectively.
+- NERC is interested in enabling registered entities to adopt new technologies, including cloud computing. Given the number of registered entities that are subject to NERC CIP compliance obligations, it would be infeasible for a CSP to accommodate audits initiated by individual entities. Instead, relying on an existing FedRAMP authorization provides a scalable and efficient approach for addressing NERC audit requirements for CSPs.
+
+The preceding rationale pertains only to cloud services providers. It doesn't alter the relationship between NERC and [registered entities](https://www.nerc.com/pa/comp/pages/registration.aspx). Existing NERC CIP compliance obligations would remain unchanged, and they would still be the responsibility of registered entities.
+
+The NERC ERO Enterprise [released](https://www.nerc.com/pa/comp/guidance/Pages/default.aspx) a Compliance Monitoring and Enforcement Program (CMEP) [practice guide](https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/ERO%20Enterprise%20CMEP%20Practice%20Guide%20_%20BCSI%20-%20v0.2%20CLEAN.pdf) to provide guidance to ERO Enterprise CMEP staff when assessing a registered entityΓÇÖs process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI. Based on the ERO Enterprise issued CMEP practice guide and reviewed FedRAMP controls to ensure registered entities encrypt their data, no extra guidance or clarification is needed to deploy BCSI and associated workloads in the cloud. However, registered entities are ultimately responsible for compliance with NERC CIP standards according to their own facts and circumstances. Registered entities should review the [Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide) for help with documenting their processes and evidence used to authorize electronic access to BCSI storage locations, including encryption key management used for BCSI encryption in Azure and Azure Government.
+
+## Restrictions on insider access
+
+Microsoft takes strong measures to protect [customer data](https://www.microsoft.com/trust-center/privacy/customer-data-definitions) from inappropriate access or use by unauthorized persons. Access to customer data isn't needed to operate Azure and Azure Government, and Microsoft engineers don't have default access to customer data in the cloud. Instead, they're granted access, under management oversight, only when necessary. Customer data includes data subject to NERC CIP standards protection. For more information, see [Restrictions on insider access](./documentation-government-plan-security.md#restrictions-on-insider-access)
+
+## Background screening
+
+Background screening requirements are documented in NERC CIP-004-6 under:
+
+- R2: formal training
+- R3: personnel risk assessments
+- R4: access authorization
+
+Requirements are enforced on support and operations personnel with access to NERC CIP protected assets and data. Registered entities have written these requirements into their policies under the goals provided by NERC CIP standards.
+
+Some registered entities may have written requirements for restriction on data access to US citizens into their policies as well. Nuclear electric utility companies may additionally be subject to export control requirements mandated by the Department of Energy (DoE) under [10 CFR Part 810](/azure/compliance/offerings/offering-doe-10-cfr-part-810) and administered by the National Nuclear Security Administration (NNSA). Among other things, these requirements are in place to prevent the export of unclassified nuclear technology and assistance to foreign persons.
+
+All Azure and Azure Government employees in the United States are subject to Microsoft background checks. Personnel with the ability to access customer data for troubleshooting purposes in Azure Government are additionally subject to the verification of US persons and extra screening requirements where appropriate. For more information, see [Screening](./documentation-government-plan-security.md#screening).
+
+Information security training and awareness are provided to all Azure and Azure Government engineering personnel on an ongoing basis. The purpose of this training is to educate engineering personnel about applicable policies, standards, and information security practices. All engineering staff is required to complete a computer-based training module when they join the team. In addition, all staff participates in mandatory security, compliance, and privacy training administered annually. Training is also covered by controls in many compliance assurances applicable to Azure and Azure Government, including CSA STAR certification, SOC 2 Type 2 attestation, and FedRAMP authorization.
+
+## Logical isolation considerations
+
+A multi-tenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure and Azure Government use logical isolation to segregate applications and data belonging to different customers. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously enforcing controls designed to keep customers from accessing one another's data or applications. For more information, see [Azure guidance for secure isolation](./azure-secure-isolation-guidance.md). If you're migrating from traditional on-premises physically isolated infrastructure to the cloud, see [Logical isolation considerations](./azure-secure-isolation-guidance.md#logical-isolation-considerations).
+
+### Identity and access
+
+Azure Active Directory (Azure AD) is an identity repository and cloud service that provides authentication, authorization, and access control for an organizationΓÇÖs users, groups, and objects. Azure AD can be used as a standalone cloud directory or as an integrated solution with existing on-premises Active Directory to enable key enterprise features such as directory synchronization and single sign-on. The separation of the accounts used to administer cloud applications is critical to achieving logical isolation. Account isolation in Azure is achieved using Azure AD and its capabilities to support granular Azure role-based access control (RBAC). Azure AD implements extensive data protection features, including tenant isolation and access control, data operational considerations for insider access, and more.
+
+For more information, see [Identity-based isolation](./azure-secure-isolation-guidance.md#identity-based-isolation).
+
+### Data encryption key management
+
+Azure services rely on [FIPS 140](/azure/compliance/offerings/offering-fips-140-2) validated cryptographic modules in the underlying operating system. With Azure services, you have a [wide range of options for encrypting data](../security/fundamentals/encryption-overview.md) in transit and at rest. You can manage data encryption keys using [Azure Key Vault](../key-vault/general/overview.md), which can store encryption keys in FIPS 140 validated hardware security modules (HSMs). You can use [customer-managed keys](../security/fundamentals/encryption-models.md) (CMK) with Azure Key Vault to have sole control over encryption keys stored in HSMs. Keys generated inside the Azure Key Vault HSMs aren't exportable ΓÇô there can be no clear-text version of the key outside the HSMs. This binding is enforced by the underlying HSM. Moreover, Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents don't see or extract your cryptographic keys.
+
+You're responsible for choosing the Azure regions for deploying your applications and data. Moreover, you're responsible for designing your applications to use end-to-end data encryption that meets NERC CIP standards requirements. Microsoft doesn't inspect or approve your Azure applications.
+
+For more information, see [Data encryption key management](./azure-secure-isolation-guidance.md#data-encryption-key-management).
+
+### Compute isolation
+
+Microsoft Azure compute platform is based on machine virtualization. This approach means that your code ΓÇô whether itΓÇÖs deployed in a PaaS worker role or an IaaS virtual machine ΓÇô executes in a virtual machine hosted by a Windows Server Hyper-V hypervisor. Azure provides extensive support for tenant separation using logical isolation. In addition to robust logical compute isolation available by design to all Azure tenants, you can also use Azure Dedicated Host or Isolated Virtual Machines to achieve physical compute isolation. With this approach, your virtual machines are deployed on physical hardware dedicated to you.
+
+For more information, see [Compute isolation](./azure-secure-isolation-guidance.md#compute-isolation).
+
+### Networking isolation
+
+The logical isolation of tenant infrastructure in a public multi-tenant cloud is fundamental to maintaining security. The overarching principle for a virtualized solution is to allow only connections and communications that are necessary for that virtualized solution to operate, blocking all other ports and connections by default. Azure Virtual Network (VNet) helps ensure that your private network traffic is logically isolated from traffic belonging to other customers. Virtual Machines (VMs) in one VNet can't communicate directly with VMs in a different VNet even if both VNets are created by the same customer. Networking isolation ensures that communication between your VMs remains private within a VNet. You have multiple options to connect your VNets depending on your connectivity options, including bandwidth, latency, and encryption requirements.
+
+Azure provides many options for encrypting data in transit. Data encryption in transit isolates your network traffic from other traffic and helps protect data from interception.
+
+For more information, see [Networking isolation](./azure-secure-isolation-guidance.md#networking-isolation).
+
+### Storage isolation
+
+Microsoft Azure separates your VM-based computation resources from storage as part of its fundamental design. The separation allows computation and storage to scale independently, making it easier to provide multi-tenancy and isolation. Therefore, Azure Storage runs on separate hardware with no network connectivity to Azure Compute except logically.
+
+Azure provides extensive options for data encryption at rest to help you safeguard your data and meet your NERC CIP standards compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management.
+
+For more information, see [Storage isolation](./azure-secure-isolation-guidance.md#storage-isolation).
+
+## Summary
+
+Microsoft Azure and Azure Government are multi-tenant cloud services platforms available to electric power utilities and other registered entities. A multi-tenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure and Azure Government use logical isolation to segregate applications and data belonging to different customers. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously enforcing controls designed to keep customers from accessing one another's data or applications. The following table summarizes key considerations for cloud adoption. Both Azure and Azure Government are suitable for registered entities deploying certain workloads subject to compliance with NERC CIP standards.
+
+| Requirement | Azure | Azure Government |
+|-|-||
+| Data subject to compliance with NERC CIP standards | &#x2705; | &#x2705; |
+| Data must reside in continental United States | &#x2705; | &#x2705; |
+| CSA STAR Certification and CSA STAR Attestation | &#x2705; | &#x2705; |
+| AICPA SOC 2 Type 2 Attestation | &#x2705; | &#x2705; |
+| FedRAMP High authorization | &#x2705; | &#x2705; |
+| Microsoft cloud background check | &#x2705; | &#x2705; |
+| Require US persons for operations personnel | &#10060; | &#x2705; |
+
+Current NERC CIP definitions place heavy emphasis on physical assets within the Electronic Security Perimeter (for example, the specific term *ΓÇ£in those devicesΓÇ¥* referring to BES Cyber Assets), and make no provisions for key cloud concepts such as virtualization and multi-tenancy. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would [need to be revised](https://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx). However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule pertaining to BES Cyber Asset impact on the Bulk Electric System reliable operation. One such broad category of data includes BES Cyber System Information (BCSI) if proper security controls are in place to safeguard BCSI.
+
+The NERC ERO Enterprise [released](https://www.nerc.com/pa/comp/guidance/Pages/default.aspx) a Compliance Monitoring and Enforcement Program (CMEP) [practice guide](https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/ERO%20Enterprise%20CMEP%20Practice%20Guide%20_%20BCSI%20-%20v0.2%20CLEAN.pdf) to provide guidance to ERO Enterprise CMEP staff when assessing a registered entityΓÇÖs process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI. Based on the ERO Enterprise issued CMEP practice guide and reviewed FedRAMP controls to ensure registered entities encrypt their data, no extra guidance or clarification is needed to deploy BCSI and associated workloads in the cloud. However, registered entities are ultimately responsible for compliance with NERC CIP standards according to their own facts and circumstances. Registered entities should review the [Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide) for help with documenting their processes and evidence used to authorize electronic access to BCSI storage locations, including encryption key management used for BCSI encryption in Azure and Azure Government.
+
+Both Azure and Azure Government have comprehensive security controls and compliance coverage to provide you with robust assurances about the safeguarding of your customer data and applications. Azure Government is a US government community cloud that is physically separated from the Azure cloud. It provides an extra layer of protection to registered entities through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. Moreover, Azure Government is only available in the United States to US-based registered entities. Registered entities in the US are eligible for Azure Government onboarding by stating ΓÇ£NERC Compliance EntityΓÇ¥ in their submission.
+
+Nuclear electric utilities may also be subject to the DoE 10 CFR Part 810 export control requirements on unclassified nuclear technology and assistance. Azure Government is designed to meet specific controls regarding access to information and systems by US persons. This commitment isn't applied in Azure so customers deploying on Azure should conduct proper risk assessment to determine if extra technical measures should be deployed to secure data that shouldn't be disclosed to foreign persons.
+
+Registered entities subject to NERC CIP compliance obligations can use existing audits applicable to cloud services when assessing the security posture of a cloud services offering, including the Cloud Security Alliance STAR program, SOC 2 Type 2 attestation, and FedRAMP authorization. For example, FedRAMP relies on an in-depth audit with mandatory provisions for continuous monitoring. It provides strong assurances to registered entities that audited controls are operating effectively. A comparison between the FedRAMP Moderate control baseline and NERC CIP standards requirements reveals that FedRAMP Moderate control baseline encompasses all NERC CIP standards requirements. FedRAMP doesn't replace NERC CIP standards and it doesn't alter the responsibility that registered entities have for meeting their NERC CIP compliance obligations. Rather, a cloud service providerΓÇÖs existing FedRAMP authorization can deliver assurances that NIST-based control evidence mapped to NERC CIP standards requirements for which cloud service provider is responsible has already been examined by an accredited FedRAMP auditor.
+
+If you're a registered entity contemplating a NERC audit, you should review MicrosoftΓÇÖs **[Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide)**, which provides detailed technical how-to guidance to help you address NERC CIP compliance requirements for your Azure assets. It contains control mappings between the current set of NERC CIP standards and FedRAMP Moderate control baseline as documented in NIST SP 800-53 Rev 4. Moreover, a complete set of Reliability Standard Audit Worksheets (RSAWs) narratives with Azure control implementation details is provided to explain how Microsoft addresses NERC CIP standards requirements for controls that are part of cloud service providerΓÇÖs responsibility. Also provided is guidance to help you use Azure services to implement controls that you own. The guide is available for download to existing Azure or Azure Government customers under a non-disclosure agreement (NDA) from the Service Trust Portal (STP). You must sign in to access this document on the STP. For more information, see [Get started with the Microsoft Service Trust Portal](https://aka.ms/stphelp).
+
+If you're a registered entities subject to compliance with NERC CIP standards, you can also engage Microsoft for audit assistance, including furnishing Azure or Azure Government audit documentation and control implementation details in support of NERC audit requirements. Contact your Microsoft account team for assistance. You're ultimately responsible for meeting your NERC CIP compliance obligations.
+
+## Next steps
+
+- [Acquiring and accessing Azure Government](https://azure.microsoft.com/offers/azure-government/)
+- [Azure guidance for secure isolation](./azure-secure-isolation-guidance.md)
+- [Azure Government compliance](./documentation-government-plan-compliance.md)
+- [Azure Government security](./documentation-government-plan-security.md)
+- [Azure compliance](../compliance/index.yml)
+- [Azure CSA STAR Certification](/azure/compliance/offerings/offering-csa-star-certification)
+- [Azure CSA STAR Attestation](/azure/compliance/offerings/offering-csa-star-attestation)
+- [Azure SOC 2 Type 2 compliance offering](/azure/compliance/offerings/offering-soc-2)
+- [Azure FedRAMP compliance offering](/azure/compliance/offerings/offering-fedramp)
+- [NIST SP 800-53](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53) *Security and Privacy Controls for Information Systems and Organizations*
+- [North American Electric Reliability Corporation](https://www.nerc.com/) (NERC)
+- NERC [Critical Infrastructure Protection (CIP) standards](https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx)
+- NERC [compliance guidance](https://www.nerc.com/pa/comp/guidance/)
+- NERC [Glossary of Terms](https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf)
+- NERC [registered entities](https://www.nerc.com/pa/comp/Pages/Registration.aspx)
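Review bot: the summary table's delimiter row `|-|-||` has an empty cell for the third column, which is not a valid GFM delimiter row, so the *Azure Government* column may not render; use `|---|---|---|`. In the last paragraph before *Next steps*, "If you're a registered entities subject to compliance" should read "If you're a registered entity subject to compliance". Curly quotes and apostrophes throughout this hunk show as mojibake (`ΓÇ£in those devicesΓÇ¥`, `entityΓÇÖs`, `MicrosoftΓÇÖs`), which suggests the file was not handled as UTF-8 somewhere in the pipeline; confirm the saved encoding or replace them with plain ASCII quotes so the published page is unaffected.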
azure-monitor Azure Monitor Agent Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-migration.md
description: This article provides guidance for migrating from the existing lega
Previously updated : 7/12/2021 Last updated : 02/09/2022
-# Migrate from Log Analytics agents
-This article provides high-level guidance on when and how to migrate to the new Azure Monitor agent (AMA) and data collection rules (DCR). This article will be updated when new migration tooling is available.
+# Migrate to Azure Monitor agent from Log Analytics agent
+The [Azure Monitor agent (AMA)](azure-monitor-agent-overview.md) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor where it can be used by different features, insights, and other services such as [Microsoft Sentinel](../../sentintel/../sentinel/overview.md) and [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md). The Azure Monitor agent is meant to replace the Log Analytics agent (also known as MMA and OMS) for both Windows and Linux machines. This article provides high-level guidance on when and how to migrate to the new Azure Monitor agent (AMA) and the data collection rules (DCR) that define the data the agent should collect.
+The decision to migrate to AMA will be based on the different features and services that you use. Considerations for Azure Monitor and other supported features and services are provided in this article since they should be considered together in your migration strategy.
-## Review
-- To help you decide if you should migrate to the new Azure Monitor agent now or later, see the guidance in [Azure Monitor agent overview](./azure-monitor-agent-overview.md#should-i-switch-to-the-azure-monitor-agent).-- For the Azure Monitor agent, review the new capabilities; the availability of existing features, services, and solutions; and current limitations in [Overview of Azure Monitor agents](./agents-overview.md#azure-monitor-agent).
+> [!IMPORTANT]
+> The Log Analytics agent will be [retired on **31 August, 2024**](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). If you are currently using the Log Analytics agent with Azure Monitor or other supported features and services, you should start planning your migration to the Azure Monitor agent using the information in this article.
+
+## Current capabilities
+
+Azure Monitor agent currently supports the following core functionality:
+
+- **Collect guest logs and metrics** from any machine in Azure, in other clouds, or on-premises. [Azure Arc-enabled servers](/azure/azure-arc/servers/overview) are required for machines outside of Azure.
+- **Centrally manage data collection configuration** using [data collection rules](/azure/azure-monitor/agents/data-collection-rule-overview), and management configuration using Azure Resource Manager (ARM) templates or policies.
+- **Use Windows event filtering or multi-homing** for Windows or Linux logs.
+- **Improved extension management.** The Azure Monitor agent uses a new method of handling extensibility that's more transparent and controllable than management packs and Linux plug-ins in the current Log Analytics agents.
+
+> [!NOTE]
+> Windows and Linux machines that reside on cloud platforms other than Azure, or are on-premises machines, must be Azure Arc-enabled so that the AMA can send logs to the Log Analytics workspace. For more information, see:
+>
+> - [What are Azure ArcΓÇôenabled servers?](/azure/azure-arc/servers/overview)
+> - [Overview of Azure Arc ΓÇô enabled servers agent](/azure/azure-arc/servers/agent-overview)
+> - [Plan and deploy Azure Arc ΓÇô enabled servers at scale](/azure/azure-arc/servers/plan-at-scale-deployment)
+
+## Plan your migration
+
+You migration plan to the Azure Monitor agent should include the following considerations:
+
+|Consideration |Description |
+|||
+|**Environment requirements** | Verify that your environment is currently supported by the AMA. For more information, see [Supported operating systems](/azure/azure-monitor/agents/agents-overview#supported-operating-systems). |
+|**Current and new feature requirements** | While the AMA provides [several new features](#current-capabilities), such as filtering, scoping, and multi-homing, it is not yet at parity with the legacy Log Analytics agent.As you plan your migration, make sure that the features your organization requires are already supported by the AMA. You may decide to continue using the Log Analytics agent for now, and migrate at a later date. See [Supported services and features](/azure/azure-monitor/agents/azure-monitor-agent-overview#supported-services-and-features) for a current status of features that are supported and that may be in preview. |
++
+## Gap analysis between agents
+The following tables show gap analyses for the log types that are currently collected by each agent. This will be updated as support for AMA grows towards parity with the Log Analytics agent. For a general comparison of Azure Monitor agents, see [Overview of Azure Monitor agents](../agents/azure-monitor-agent-overview.md).
++
+> [!IMPORTANT]
+> If you use Microsoft Sentinel, see [Gap analysis for Microsoft Sentinel](../../sentinel/ama-migrate.md#gap-analysis-between-agents) for a comparison of the additional data collected by Microsoft Sentinel.
++
+### Windows logs
+
+|Log type / Support |Azure Monitor agent support |Log Analytics agent support |
+||||
+| **Security Events** | Yes | No |
+| **Performance counters** | Yes | Yes |
+| **Windows Event Logs** | Yes | Yes |
+| **Filtering by event ID** | Yes | No |
+| **Custom logs** | No | Yes |
+| **IIS logs** | No | Yes |
+| **Application and service logs** | Yes | Yes |
+| **DNS logs** | No | Yes |
+| **Multi-homing** | Yes | Yes |
+
+### Linux logs
+
+|Log type / Support |Azure Monitor agent support |Log Analytics agent support |
+||||
+| **Syslog** | Yes | Yes |
+| **Custom logs** | No | Yes |
+| **Multi-homing** | Yes | No |
## Test migration by using the Azure portal
-1. To ensure safe deployment during migration, begin testing with a few resources in your nonproduction environment that are running the existing Log Analytics agent. After you can validate the data collected on these test resources, roll out to production by following the same steps.
-1. Go to **Monitor** > **Settings** > **Data Collection Rules** and [create new data collection rules](./data-collection-rule-azure-monitor-agent.md#create-rule-and-association-in-azure-portal) to start collecting some of the existing data types. When you use the portal GUI, it performs the following steps on all the target resources for you:
- - Enables system-assigned managed identity
- - Installs the Azure Monitor agent extension
- - Creates and deploys data collection rule associations
-1. Validate data is flowing as expected via the Azure Monitor agent. Check the **Heartbeat** table for new agent version values. Ensure it matches data flowing through the existing Log Analytics agent.
--
-## At-scale migration by using policies
-1. Start by analyzing your current monitoring setup with MMA/OMS by using the following criteria:
- - Sources, such as virtual machines, virtual machine scale sets, and on-premises servers
- - Data sources, such as performance counters, Windows event logs, and Syslog
- - Destinations, such as Log Analytics workspaces
-1. [Create new data collection rules](/rest/api/monitor/datacollectionrules/create#examples) by using the preceding configuration. As a best practice, you might want to have a separate data collection rule for Windows versus Linux sources. Or you might want separate data collection rules for individual teams with different data collection needs.
-1. [Enable system-assigned managed identity](../../active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md#system-assigned-managed-identity) on target resources.
-2. Install the Azure Monitor agent extension. Deploy data collection rule associations on all target resources by using the [built-in policy initiative](azure-monitor-agent-manage.md#using-azure-policy). Provide the preceding data collection rule as an input parameter.
-1. Validate data is flowing as expected via the Azure Monitor agent. Check the **Heartbeat** table for new agent version values. Ensure it matches data flowing through the existing Log Analytics agent.
-2. Validate all downstream dependencies like dashboards, alerts, and runbook workers. Workbooks all continue to function now by using data from the new agent.
-3. [Uninstall the Log Analytics agent](./agent-manage.md#uninstall-agent) from the resources. Don't uninstall it if you need to use it for System Center Operations Manager scenarios or other solutions not yet available on the Azure Monitor agent.
-4. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent.
+To ensure safe deployment during migration, you should begin testing with a few resources in your nonproduction environment that are running the existing Log Analytics agent. After you can validate the data collected on these test resources, roll out to production by following the same steps.
+
+See [create new data collection rules](./data-collection-rule-azure-monitor-agent.md#create-rule-and-association-in-azure-portal) to start collecting some of the existing data types. Once you validate data is flowing as expected with the Azure Monitor agent, check the `Category` column in the [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat) table for the value *Azure Monitor Agent* for AMA collected data. Ensure it matches data flowing through the existing Log Analytics agent.
++
+## At-scale migration using Azure Policy
+[Azure Policy](../../governance/policy/overview.md) and [Resource Manager templates](../resource-manager-samples.md) provide scalability to migrate a large number of agents.
+Start by analyzing your current monitoring setup with the Log Analytics agent using the following criteria:
+
+ - Sources, such as virtual machines, virtual machine scale sets, and on-premises servers
+ - Data sources, such as performance counters, Windows event logs, and Syslog
+ - Destinations, such as Log Analytics workspaces
+
+> [!IMPORTANT]
+> Before you deploy to a large number of agents, you should consider [configuring the workspace](agent-data-sources.md) to disable data collection for the Log Analytics agent. If you leave it enabled, you may collect duplicate data resulting in increased cost until you remove the Log Analytics agents from your virtual machines. Alternatively, you may choose to have duplicate collection during the migration period until you can confirm that the AMA has been deployed and configured correctly.
+
+See [Using Azure Policy](azure-monitor-agent-manage.md#using-azure-policy) for details on deploying Azure Monitor agent across a set of virtual machines. Associate the agents to the data collection rules developed during your [testing](#test-migration-by-using-the-azure-portal).
+
+Validate that data is flowing as expected with the Azure Monitor agent and that all downstream dependencies like dashboards, alerts, and runbook workers. Workbooks should all continue to function using data from the new agent.
+
+When you confirm that data is being collected properly, [uninstall the Log Analytics agent](./agent-manage.md#uninstall-agent) from the resources. Don't uninstall it if you need to use it for System Center Operations Manager scenarios or others solutions not yet available on the Azure Monitor agent. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent.
+
+## Next steps
+For more information, see:
+- [Overview of the Azure Monitor agents](agents-overview.md)
+- [AMA migration for Microsoft Sentinel](../../sentinel/ama-migrate.md)
+- [Frequently asked questions for AMA migration](/azure/azure-monitor/faq#azure-monitor-agent)
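Review bot: the Microsoft Sentinel link in the opening paragraph is mistyped: `../../sentintel/../sentinel/overview.md` only resolves because the `..` backs out of the misspelled `sentintel` directory; it should be `../../sentinel/overview.md`. Under *Plan your migration*, "You migration plan to the Azure Monitor agent" should be "Your migration plan", and the *Current and new feature requirements* row is missing a space after "Log Analytics agent." before "As you plan". Under *At-scale migration using Azure Policy*, the validation sentence has no verb for its second clause ("...and that all downstream dependencies like dashboards, alerts, and runbook workers."); merge it with the next sentence, e.g. "...and that all downstream dependencies like dashboards, alerts, runbook workers, and workbooks continue to function using data from the new agent." The final paragraph has "others solutions" for "other solutions". Since that paragraph tells readers to clean up workspace keys and certificates left behind by the Log Analytics agent, it would help to also mention removing the workspace key from any deployment scripts or automation that installed the old agent, so the credential is not left behind in configuration outside the virtual machine.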
azure-monitor Migrate From Instrumentation Keys To Connection Strings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/migrate-from-instrumentation-keys-to-connection-strings.md
Last updated 02/14/2022
-# Migration process to connection strings for Application Insights resources
+# Migrate from instrumentation keys to connection strings
This guide walks through migrating from [instrumentation keys](separate-resources.md#about-resources-and-instrumentation-keys) to [connection strings](sdk-connection-string.md#overview).
This guide walks through migrating from [instrumentation keys](separate-resource
- A [supported SDK version](#supported-sdk-versions) - An existing [application insights resource](create-workspace-resource.md)
-## Migration process
+## Migration
-1. Find your connection string displayed on the Overview blade of your Application Insights resource.
- :::image type="content" source="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png" alt-text="Screenshot displaying Application Insights overview and connection string" lightbox="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png":::
+1. Go to the Overview blade of your Application Insights resource.
-2. Hover over the connection string and select the ΓÇ£Copy to clipboardΓÇ¥ icon.
+1. Find your connection string displayed on the right.
-3. Configure the Application Insights SDK by following [How to set connection strings](sdk-connection-string.md#how-to-set-a-connection-string).
+1. Hover over the connection string and select the ΓÇ£Copy to clipboardΓÇ¥ icon.
+
+1. Configure the Application Insights SDK by following [How to set connection strings](sdk-connection-string.md#how-to-set-a-connection-string).
> [!IMPORTANT] > Using both a connection string and instrumentation key isn't recommended. Whichever was set last takes precedence.
-## Migration at scale (for multiple subscriptions)
+## Migration at scale
+
+Use environment variables to pass a connection string to the Application Insights SDK or agent.
-You can use environment variables to easily pass a connection string to the Application Insights SDK or Agent. If you hardcode an instrumentation key in your application code, that programming may take precedence before environment variables.
+To set a connection string via environment variable, place the value of the connection string into an environment variable named ΓÇ£APPLICATIONINSIGHTS_CONNECTION_STRINGΓÇ¥.
-To set a connection string via environment variable, place the value of the connection string into an environment variable named ΓÇ£APPLICATIONINSIGHTS_CONNECTION_STRINGΓÇ¥. This process can be automated in your Azure deployments. For example, the following ARM template shows how you can automatically include the correct connection string with an App Services deployment (be sure to include any other App Settings your app requires):
+This process can be automated in your Azure deployments. For example, the following ARM template shows how you can automatically include the correct connection string with an App Services deployment (be sure to include any other App Settings your app requires):
```JSON {
To set a connection string via environment variable, place the value of the conn
} ```
-## Supported SDK Versions
--- .NET and .NET Core v2.12.0-- Java v2.5.1 and Java 3.0-- JavaScript v2.3.0-- NodeJS v1.5.0-- Python v1.0.0- ## New capabilities
-Just like instrumentation keys, connections strings identify a resource to associate your telemetry data with. Connection strings provide a single configuration setting and eliminate the need for multiple proxy settings. It's a reliable, secure, and useful technology for sending data to the monitoring service.
-
-Connection strings allow you to take advantage of the latest capabilities of Application Insights.
+Connection strings provide a single configuration setting and eliminate the need for multiple proxy settings.
- **Reliability:** Connection strings make telemetry ingestion more reliable by removing dependencies on global ingestion endpoints.
Connection strings allow you to take advantage of the latest capabilities of App
- **Privacy (regional endpoints)** ΓÇô Connection strings ease privacy concerns by sending data to regional endpoints, ensuring data doesn't leave a geographic region.
+## Supported SDK Versions
+
+- .NET and .NET Core v2.12.0+
+- Java v2.5.1 and Java 3.0+
+- JavaScript v2.3.0+
+- NodeJS v1.5.0+
+- Python v1.0.0+
## Troubleshooting
-Follow these steps if data isn't arriving after migration:
+### Missing data
+
+1. Confirm you're using a [supported SDK version](#supported-sdk-versions). If you use Application Insights integration in another Azure product offering, check its documentation on how to properly configure a connection string.
+
+1. Confirm you aren't setting both an instrumentation key and connection string at the same time. Instrumentation key settings should be removed from your configuration.
-1. Confirm you're using a supported SDK/agent that supports connection strings. If you use Application Insights integration in another Azure product offering, check its documentation on how to properly configure a connection string.
+1. Confirm your connection string is exactly as provided in the Azure portal.
-2. Confirm you aren't setting both an instrumentation key and connection string at the same time. Instrumentation key settings should be removed from your configuration.
+### Environment variables aren't working
-3. Confirm your connection string is exactly as provided in the Azure portal.
+ If you hardcode an instrumentation key in your application code, that programming may take precedence before environment variables.
## FAQ ### Where else can I find my connection string? The connection string is also included in the ARM resource properties for your Application Insights resource, under the field name ΓÇ£ConnectionStringΓÇ¥.
-### How does this impact auto instrumentation?
+### How does this affect auto instrumentation?
Auto instrumentation scenarios aren't impacted.
-### Is auto instrumentation affected?
+### Can I use Azure AD authentication with auto instrumentation?
You can't enable [Azure AD authentication](azure-ad-authentication.md) for [auto instrumentation](codeless-overview.md) scenarios. We have plans to address this limitation in the future.
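Review bot: the new *Environment variables aren't working* section and the IMPORTANT note under *Migration* describe precedence differently: the note says "Whichever was set last takes precedence", while the troubleshooting line says a hardcoded instrumentation key "may take precedence before environment variables". State one rule and reword the troubleshooting line, e.g. "If you hardcode an instrumentation key in your application code, that value takes precedence over the environment variable", and drop the leading space on that line so it is not rendered as an indented continuation. The prerequisites line appears to run two list items together ("- A [supported SDK version]... - An existing [application insights resource]..."), and the IMPORTANT note and the FAQ heading with its first question and answer are likewise collapsed onto single lines in this view; verify the source has the line breaks needed for the list, the callout and the headings to render.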
azure-monitor Autoscale Predictive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-predictive.md
+
+ Title: Use predictive autoscale to scale out before load demands in virtual machine scale sets (Preview)
+description: Details on the new predictive autoscale feature in Azure Monitor.
+ Last updated : 01/24/2022+++
+# Use predictive autoscale to scale out before load demands in virtual machine scale sets (Preview)
+
+**Predictive autoscale** uses machine learning to help manage and scale Azure Virtual Machine Scale Sets with cyclical workload patterns. It forecasts the overall CPU load to your virtual machine scale set, based on your historical CPU usage patterns. By observing and learning from historical usage, it predicts the overall CPU load ensuring scale-out occurs in time to meet the demand.
+
+Predictive autoscale needs a minimum of 7 days of history to provide predictions, though 15 days of historical data provides the most accurate results. It adheres to the scaling boundaries you have set for your virtual machine scale set. When the system predicts that the percentage CPU load of your virtual machine scale set will cross your scale-out boundary, new instances are added according to your specifications. You can also configure how far in advance you would like new instances to be provisioned, up to 1 hour before the predicted workload spike will occur.
+
+**Forecast only** allows you to view your predicted CPU forecast without actually triggering the scaling action based on the prediction. You can then compare the forecast with your actual workload patterns to build confidence in the prediction models before enabling the predictive autoscale feature.
+
+## Public preview support, availability and limitations
+
+>[!NOTE]
+> This is a public preview release. We are testing and gathering feedback for future releases. As such, we do not provide production level support for this feature. Support is best effort. Send feature suggestions or feedback on predicative autoscale to predautoscalesupport@microsoft.com.
+
+During public preview, predictive autoscale is only available in the following regions:
+
+- West Central US
+- West US2
+- UK South
+- UK West
+- Southeast Asia
+- East Asia
+- Australia East
+- Australia South east
+- Canada Central
+- Canada East
+
+The following limitations apply during public preview. Predictive autoscale:
+
+- Only works for workloads exhibiting cyclical CPU usage patterns.
+- Only can be enabled for Virtual Machine Scale Sets.
+- Only supports using the metric *Percentage CPU* with the aggregation type *Average*.
+- Only supports scale-out. You canΓÇÖt use predictive autoscale to scale-in.
+
+You have to enable standard (or reactive) autoscale to manage scale-in.
+Enabling predictive autoscale or forecast only with Azure portal
+
+1. Go to the virtual machine scale set screen and select on **Scaling**.
+
+ :::image type="content" source="media/autoscale-predictive/main-scaling-screen-1.png" alt-text="Screenshot showing selecting the scaling screen from the left hand menu in Azure portal":::
+
+2. Under **Custom autoscale** section, there's a new field called **Predictive autoscale**.
+
+ :::image type="content" source="media/autoscale-predictive/custom-autoscale-2.png" alt-text="Screenshot sowing selecting custom autoscale and then predictive autoscale option from Azure portal":::
+
+ Using the drop-down selection, you can:
+ - Disable predictive autoscale - Disable is the default selection when you first land on the page for predictive autoscale.
+ - Enable forecast only mode
+ - Enable predictive autoscale
+
+ > [!NOTE]
+ > Before you can enable predictive autoscale or forecast only mode, you must set up the standard reactive autoscale conditions.
+
+3. To enable forecast only, select it from the dropdown. Define a scale up trigger based on *Percentage CPU*. Then select **Save**. The same process applies to enable predictive autoscale. To disable predictive autoscale or forecast only mode, choose **Disable** from the drop-down.
+
+ :::image type="content" source="media/autoscale-predictive/enable-forecast-only-mode-3.png" alt-text="Screenshot of enable forecast only mode":::
+
+4. If desired, specify a pre-launch time so the instances are full running before they're needed. You can pre-launch instances between 5 and 60 minutes before the needed prediction time.
+
+ :::image type="content" source="media/autoscale-predictive/pre-launch-4.png" alt-text="Screenshot of predictive autoscale pre-launch setup":::
+
+5. Once you have enabled predictive autoscale or forecast only and saved it, select *Predictive charts*.
+
+ :::image type="content" source="media/autoscale-predictive/predictve-charts-option-5.png" alt-text="Screenshot of selecting predictive charts menu option":::
+
+6. You see three charts:
+
+ :::image type="content" source="media/autoscale-predictive/predictive-charts-6.png" alt-text="Screenshot of three charts for predictive autoscale" lightbox="media/autoscale-predictive/predictive-charts-6.png":::
+
+- The top chart shows an overlaid comparison of actual vs predicted total CPU percentage. The timespan of the graph shown is from the last 24 hours to the next 24 hours.
+- The second chart shows the number of instances running at specific times over the last 24 hours.
+- The third chart shows the current Average CPU utilization over the last 24 hours.
+
+## Enable using an Azure Resource Manager template
+
+1. Retrieve the virtual machine scale set resource ID and resource group of your virtual machine scale set. For example: /subscriptions/e954e48d-abcd-abcd-abcd-3e0353cb45ae/resourceGroups/patest2/providers/Microsoft.Compute/virtualMachineScaleSets/patest2
+
+2. Update *autoscale_only_parameters* file with the virtual machine scale set resource ID and any autoscale setting parameters.
+
+3. Use a PowerShell command to deploy the template containing the autoscale settings. For example,
+
+```cmd
+PS G:\works\kusto_onboard\test_arm_template> new-azurermresourcegroupdeployment -name binzAutoScaleDeploy -resourcegroupname cpatest2 -templatefile autoscale_only.json -templateparameterfile autoscale_only_parameters.json
+```
++
+**autoscale_only.json**
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "targetVmssResourceId": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "minimumCapacity": {
+ "type": "Int",
+ "defaultValue": 2,
+ "metadata": {
+ "description": "The minimum capacity. Autoscale engine will ensure the instance count is at least this value."
+ }
+ },
+ "maximumCapacity": {
+ "type": "Int",
+ "defaultValue": 5,
+ "metadata": {
+ "description": "The maximum capacity. Autoscale engine will ensure the instance count is not greater than this value."
+ }
+ },
+ "defaultCapacity": {
+ "type": "Int",
+ "defaultValue": 3,
+ "metadata": {
+ "description": "The default capacity. Autoscale engine will preventively set the instance count to be this value if it can not find any metric data."
+ }
+ },
+ "metricThresholdToScaleOut": {
+ "type": "Int",
+ "defaultValue": 30,
+ "metadata": {
+ "description": "The metric upper threshold. If the metric value is above this threshold then autoscale engine will initiate scale out action."
+ }
+ },
+ "metricTimeWindowForScaleOut": {
+ "type": "string",
+ "defaultValue": "PT5M",
+ "metadata": {
+ "description": "The metric look up time window."
+ }
+ },
+ "metricThresholdToScaleIn": {
+ "type": "Int",
+ "defaultValue": 20,
+ "metadata": {
+ "description": "The metric lower threshold. If the metric value is below this threshold then autoscale engine will initiate scale in action."
+ }
+ },
+ "metricTimeWindowForScaleIn": {
+ "type": "string",
+ "defaultValue": "PT5M",
+ "metadata": {
+ "description": "The metric look up time window."
+ }
+ },
+ "changeCountScaleOut": {
+ "type": "Int",
+ "defaultValue": 1,
+ "metadata": {
+ "description": "The instance count to increase when autoscale engine is initiating scale out action."
+ }
+ },
+ "changeCountScaleIn": {
+ "type": "Int",
+ "defaultValue": 1,
+ "metadata": {
+ "description": "The instance count to decrease the instance count when autoscale engine is initiating scale in action."
+ }
+ },
+ "predictiveAutoscaleMode": {
+ "type": "String",
+ "defaultValue": "ForecastOnly",
+ "metadata": {
+ "description": "The predictive Autoscale mode."
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [{
+ "type": "Microsoft.Insights/autoscalesettings",
+ "name": "cpuPredictiveAutoscale",
+ "apiVersion": "2015-04-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "profiles": [{
+ "name": "DefaultAutoscaleProfile",
+ "capacity": {
+ "minimum": "[parameters('minimumCapacity')]",
+ "maximum": "[parameters('maximumCapacity')]",
+ "default": "[parameters('defaultCapacity')]"
+ },
+ "rules": [{
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricNamespace": "",
+ "metricResourceUri": "[parameters('targetVmssResourceId')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "[parameters('metricTimeWindowForScaleOut')]",
+ "timeAggregation": "Average",
+ "operator": "GreaterThan",
+ "threshold": "[parameters('metricThresholdToScaleOut')]"
+ },
+ "scaleAction": {
+ "direction": "Increase",
+ "type": "ChangeCount",
+ "value": "[parameters('changeCountScaleOut')]",
+ "cooldown": "PT5M"
+ }
+ }, {
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricNamespace": "",
+ "metricResourceUri": "[parameters('targetVmssResourceId')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "[parameters('metricTimeWindowForScaleIn')]",
+ "timeAggregation": "Average",
+ "operator": "LessThan",
+ "threshold": "[parameters('metricThresholdToScaleIn')]"
+ },
+ "scaleAction": {
+ "direction": "Decrease",
+ "type": "ChangeCount",
+ "value": "[parameters('changeCountScaleOut')]",
+ "cooldown": "PT5M"
+ }
+ }
+ ]
+ }
+ ],
+ "enabled": true,
+ "targetResourceUri": "[parameters('targetVmssResourceId')]",
+ "predictiveAutoscalePolicy": {
+ "scaleMode": "[parameters('predictiveAutoscaleMode')]"
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "targetVmssResourceId" : {
+ "type" : "string",
+ "value" : "[parameters('targetVmssResourceId')]"
+ },
+ "settingLocation" : {
+ "type" : "string",
+ "value" : "[parameters('location')]"
+ },
+ "predictiveAutoscaleMode" : {
+ "type" : "string",
+ "value" : "[parameters('predictiveAutoscaleMode')]"
+ }
+ }
+}
+```
+
+**autoscale-only-parameters.json**
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "targetVmssResourceId": {
+ "value": "/subscriptions/e954e48d-b252-b252-b252-3e0353cb45ae/resourceGroups/patest2/providers/Microsoft.Compute/virtualMachineScaleSets/patest2"
+ },
+ "location": {
+ "value": "East US"
+ },
+ "minimumCapacity": {
+ "value": 1
+ },
+ "maximumCapacity": {
+ "value": 4
+ },
+ "defaultCapacity": {
+ "value": 4
+ },
+ "metricThresholdToScaleOut": {
+ "value": 50
+ },
+ "metricTimeWindowForScaleOut": {
+ "value": "PT5M"
+ },
+ "metricThresholdToScaleIn": {
+ "value": 30
+ },
+ "metricTimeWindowForScaleIn": {
+ "value": "PT5M"
+ },
+ "changeCountScaleOut": {
+ "value": 1
+ },
+ "changeCountScaleIn": {
+ "value": 1
+ },
+ "predictiveAutoscaleMode": {
+ "value": "Enabled"
+ }
+ }
+}
+```
+
+For more information on Azure Resource Manager templates, see [Resource Manager template overview](/azure/azure-resource-manager/templates/overview)
+
+## Common questions
+
+### What happens over time when you turn on predictive autoscale for a virtual machine scale set?
+
+Prediction autoscale uses the history of a running virtual machine scale set. If your scale set has been running less than 7 days, you'll receive a message that the model is being trained. See the [no predictive data message](#errors-and-warnings). Predictions improve as time goes by achieving its maximum accuracy 15 days after the virtual machine scale set is created.
+
+If changes to the workload pattern occur (but remain periodic), the model recognizes the change and begins to adjust the forecast accordingly. The forecast improves as time goes by. Maximum accuracy is reached 15 days after the change in the traffic pattern happens. Remember that your standard autoscale rules still apply. If a new unpredicted increase in traffic occurs, your virtual machine scale set will still scale out to meet the demand.
+
+### What if the model isn't working well for me?
+
+The modeling works best with workloads that exhibit periodicity. We recommended you first evaluate the predictions by enabling "forecast only" which will overlay the scale setΓÇÖs predicted CPU usage with the actual, observed usage. Once you compare and evaluate the results, you can then choose to enable scaling based on the predicted metrics if the model predictions are close enough for your scenario.
+
+### Why do I need to enable standard autoscale before enabling predictive autoscale?
+
+Standard autoscaling is a necessary fallback if the predictive model doesn't work well for your scenario. Standard autoscale will cover unexpected load spikes which aren't part of your typical CPU load pattern. It also provides a fallback should there be any error retrieving the predictive data.
+
+## Errors and Warnings
+
+### Didn't enable standard autoscale
+
+You receive the error message as seen below:
+
+ *Predictive autoscale is based on the metric percentage CPU of the current resource. Choose this metric in the scale up trigger rules*.
++
+This message means you attempted to enable predictive autoscale before you enabled standard autoscale and set it up to use the *Percentage CPU* metric with the *Average* aggregation type.
+
+### No predictive data
+
+You won't see data on the predictive charts under certain conditions. This isn't an error; it's the intended behavior.
+
+When predictive autoscale is disabled, you instead receive a message beginning with "No data to show..." and giving you instructions on what to enable so you can see a predictive chart.
+
+ :::image type="content" source="media/autoscale-predictive/message-no-data-to-show-11.png" alt-text="Screenshot of message No data to show":::
+
+When you first create a virtual machine scale set and enable forecast only mode, you receive a message telling you "Predictive data is being trained.." and a time to return to see the chart.
+
+ :::image type="content" source="media/autoscale-predictive/message-being-trained-12.png" alt-text="Screenshot of message Predictive data is being trained":::
+
+## Next steps
+
+Learn more about Autoscale by referring to the following:
+
+- [Overview of autoscale](./autoscale-overview.md)
+- [Azure Monitor autoscale common metrics](./autoscale-common-metrics.md)
+- [Best practices for Azure Monitor autoscale](./autoscale-best-practices.md)
+- [Use autoscale actions to send email and webhook alert notifications](./autoscale-webhook-email.md)
+- [Autoscale REST API](/rest/api/monitor/autoscalesettings)
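Review bot: the scale-in rule in autoscale_only.json reuses the scale-out parameter: its `scaleAction` reads `"value": "[parameters('changeCountScaleOut')]"` while `changeCountScaleIn` is declared (and set in the parameters file) but never referenced, so whatever a user puts in `changeCountScaleIn` has no effect; change that line to `"value": "[parameters('changeCountScaleIn')]"`. Secondary points in the same hunk: the deployment step uses the deprecated AzureRM cmdlet `new-azurermresourcegroupdeployment` inside a fence tagged `cmd`; the current module's equivalent is `New-AzResourceGroupDeployment` and the fence should be tagged `powershell`. The parameters file is introduced as `autoscale_only_parameters`, passed as `autoscale_only_parameters.json` in the command and labelled `autoscale-only-parameters.json` above the listing; the resource group is `patest2` in the example resource ID but `cpatest2` in the command; and the placeholder subscription IDs in step 1 and in the parameters file differ. Pick one value for each so the walkthrough can be followed literally. Typos: "Screenshot sowing" (showing), "full running" (fully running), and the mis-encoded apostrophe in "scale setΓÇÖs".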
azure-monitor Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/policy-reference.md
Title: Built-in policy definitions for Azure Monitor description: Lists Azure Policy built-in policy definitions for Azure Monitor. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-monitor Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-netapp-files Azure Netapp Files Solution Architectures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md
na Previously updated : 02/10/2022 Last updated : 02/16/2022 # Solution architectures using Azure NetApp Files
This section provides references to SAP on Azure solutions.
### Generic SAP and SAP Netweaver * [Run SAP NetWeaver in Windows on Azure - Azure Architecture Center](/azure/architecture/reference-architectures/sap/sap-netweaver)
-* [SAP applications on Microsoft Azure using Azure NetApp Files](https://www.netapp.com/us/media/tr-4746.pdf)
* [High availability for SAP NetWeaver on Azure VMs on SUSE Linux Enterprise Server with Azure NetApp Files for SAP applications](../virtual-machines/workloads/sap/high-availability-guide-suse-netapp-files.md) * [High availability for SAP NetWeaver on Azure VMs on Red Hat Enterprise Linux with Azure NetApp Files for SAP applications](../virtual-machines/workloads/sap/high-availability-guide-rhel-netapp-files.md) * [High availability for SAP NetWeaver on Azure VMs on Windows with Azure NetApp Files (SMB) for SAP applications](../virtual-machines/workloads/sap/high-availability-guide-windows-netapp-files-smb.md)
azure-portal Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/policy-reference.md
Title: Built-in policy definitions for Azure portal description: Lists Azure Policy built-in policy definitions for Azure portal. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/custom-providers/policy-reference.md
Title: Built-in policy definitions for Azure Custom Resource Providers description: Lists Azure Policy built-in policy definitions for Azure Custom Resource Providers. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/policy-reference.md
Title: Built-in policy definitions for Azure Managed Applications description: Lists Azure Policy built-in policy definitions for Azure Managed Applications. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/policy-reference.md
Title: Built-in policy definitions for Azure Resource Manager description: Lists Azure Policy built-in policy definitions for Azure Resource Manager. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-resource-manager Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-signalr Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/policy-reference.md
Title: Built-in policy definitions for Azure SignalR description: Lists Azure Policy built-in policy definitions for Azure SignalR. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-signalr Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SignalR description: Lists Azure Policy Regulatory Compliance controls available for Azure SignalR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-sql Data Discovery And Classification Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql/database/data-discovery-and-classification-overview.md
Previously updated : 08/24/2021 Last updated : 02/16/2022 tags: azure-synapse # Data Discovery & Classification
This is the required action to modify the data classification of a database are:
Learn more about role-based permissions in [Azure RBAC](../../role-based-access-control/overview.md).
+> [!NOTE]
+> The Azure SQL built-in roles in this section apply to a dedicated SQL pool (formerly SQL DW) but are not available for dedicated SQL pools and other SQL resources within Azure Synapse workspaces. For SQL resources in Azure Synapse workspaces, use the available actions for data classification to create custom Azure roles as needed for labelling. For more information on the `Microsoft.Synapse/workspaces/sqlPools` provider operations, see [Microsoft.Synapse](/azure/role-based-access-control/resource-provider-operations.md#microsoftsynapse).
+ ## Manage classifications You can use T-SQL, a REST API, or PowerShell to manage classifications.
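Review bot: the link target `/azure/role-based-access-control/resource-provider-operations.md#microsoftsynapse` mixes an absolute docs path with a `.md` extension, which does not resolve in either form; the line immediately above links the same area as `../../role-based-access-control/overview.md`, so use the matching relative form `../../role-based-access-control/resource-provider-operations.md#microsoftsynapse`, or drop the `.md` if the absolute `/azure/...` path is kept. Also "labelling" should be "labeling" to match the US spelling used elsewhere in the article.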
azure-sql Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql/database/policy-reference.md
Title: Built-in policy definitions for Azure SQL Database description: Lists Azure Policy built-in policy definitions for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
azure-sql Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql/database/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SQL Database description: Lists Azure Policy Regulatory Compliance controls available for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
azure-sql Connectivity Architecture Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql/managed-instance/connectivity-architecture-overview.md
Deploy SQL Managed Instance in a dedicated subnet inside the virtual network. Th
- **Locks on virtual network:** [Locks](../../azure-resource-manager/management/lock-resources.md) on the dedicated subnet's virtual network, its parent resource group, or subscription, may occasionally interfere with SQL Managed Instance's management and maintenance operations. Take special care when you use such locks. > [!IMPORTANT]
-> When you create a managed instance, a network intent policy is applied on the subnet to prevent noncompliant changes to networking setup. After the last instance is removed from the subnet, the network intent policy is also removed. Rules below are for the informational purposes only, and you should not deploy them using ARM template / PowerShell / CLI. If you want to use the latest official template you could always [retrieve it from the portal](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md).
+> When you create a managed instance, a network intent policy is applied on the subnet to prevent noncompliant changes to networking setup. This policy is a hidden resource located in the virtual network of the resource group. After the last instance is removed from the subnet, the network intent policy is also removed. Rules below are for the informational purposes only, and you should not deploy them using ARM template / PowerShell / CLI. If you want to use the latest official template you could always [retrieve it from the portal](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md). Replication traffic for auto-failover groups between two SQL Managed Instances should be direct, and not through a hub network.
### Mandatory inbound security rules with service-aided subnet configuration These rules are necessary to ensure inbound management traffic flow. See [paragraph above](#high-level-connectivity-architecture) for more information on connectivity architecture and management traffic.
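Review bot: the sentence appended to the IMPORTANT block, "Replication traffic for auto-failover groups between two SQL Managed Instances should be direct, and not through a hub network.", is unrelated to the network intent policy the block describes and reads as a stray requirement; move it to its own bullet in the list above (beside the locks bullet) or its own note, and say what fails when the traffic is routed through a hub so the reader can check their topology against it. Also "This policy is a hidden resource located in the virtual network of the resource group" is ambiguous about which resource group is meant; if the intent is the resource group that contains the virtual network, say "in the virtual network's resource group". "for the informational purposes only" should be "for informational purposes only".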
backup Backup Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-support-matrix.md
The following table describes the features of Recovery Services vaults:
**Move vaults** | You can [move vaults](./backup-azure-move-recovery-services-vault.md) across subscriptions or between resource groups in the same subscription. However, moving vaults across regions isn't supported. **Move data between vaults** | Moving backed-up data between vaults isn't supported. **Modify vault storage type** | You can modify the storage replication type (either geo-redundant storage or locally redundant storage) for a vault before backups are stored. After backups begin in the vault, the replication type can't be modified.
-**Zone-redundant storage (ZRS)** | Supported in preview in UK South, South East Asia, Australia East, North Europe, Central US, East US 2, Brazil South, South Central US, Korea Central, Norway East, France Central, West Europe, East Asia, Sweden Central, Canada Central, Japan East and West US 3.
+**Zone-redundant storage (ZRS)** | Supported in preview in UK South, South East Asia, Australia East, North Europe, Central US, East US 2, Brazil South, South Central US, Korea Central, Norway East, France Central, West Europe, East Asia, Sweden Central, Canada Central, India Central, South Africa North, West US 2, Japan East and West US 3.
**Private Endpoints** | See [this section](./private-endpoints.md#before-you-start) for requirements to create private endpoints for a recovery service vault. ## On-premises backup support
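Review bot: "India Central" is not an Azure region display name; the region is "Central India" (the other entries in the list use the official names, for example "Korea Central" and "South Africa North"). While here, "South East Asia" is "Southeast Asia". Consider ordering the list alphabetically so additions like "West US 2" land next to "West US 3" rather than being appended mid-list.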
backup Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/policy-reference.md
Title: Built-in policy definitions for Azure Backup description: Lists Azure Policy built-in policy definitions for Azure Backup. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
backup Private Endpoints Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/private-endpoints-overview.md
This article will help you understand how private endpoints for Azure Backup wor
- Private endpoints can be created for new Recovery Services vaults only (that don't have any items registered to the vault). So private endpoints must be created before you attempt to protect any items to the vault. - One virtual network can contain private endpoints for multiple Recovery Services vaults. Also, one Recovery Services vault can have private endpoints for it in multiple virtual networks. However, the maximum number of private endpoints that can be created for a vault is 12. - Once a private endpoint is created for a vault, the vault will be locked down. It won't be accessible (for backups and restores) from networks apart from ones that contain a private endpoint for the vault. If all private endpoints for the vault are removed, the vault will be accessible from all networks.-- A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher (up to 25) for certain Azure regions. So we suggest that you have enough private IPs available when you attempt to create private endpoints for Backup.
+- A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher for certain Azure regions. So we suggest that you have enough private IPs (/26) available when you attempt to create private endpoints for Backup.
- While a Recovery Services vault is used by (both) Azure Backup and Azure Site Recovery, this article discusses use of private endpoints for Azure Backup only. - Private endpoints for Backup donΓÇÖt include access to Azure Active Directory (Azure AD) and the same needs to be ensured separately. So, IPs and FQDNs required for Azure AD to work in a region will need outbound access to be allowed from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Azure AD, as applicable. - Virtual networks with Network Policies aren't supported for Private Endpoints. You'll need to [disable Network Polices](../private-link/disable-private-endpoint-network-policy.md) before continuing.
The following diagram shows how the name resolution works for storage accounts u
## Next steps -- [Create and use private endpoints](private-endpoints.md).
+- [Create and use private endpoints](private-endpoints.md).
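Review bot: the rewrite drops the upper bound ("up to 25") but then recommends "enough private IPs (/26)", so the reader has no way to connect the two figures. A /26 is 64 addresses, and Azure reserves 5 addresses in every subnet, leaving 59 usable; either keep a stated maximum number of IPs the private endpoint connection can consume in any region, or explain that /26 is the recommended minimum subnet size because the per-region count can exceed the 11 quoted. As written, "This number may be higher for certain Azure regions" gives no bound to plan against.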
backup Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
batch Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/policy-reference.md
Title: Built-in policy definitions for Azure Batch description: Lists Azure Policy built-in policy definitions for Azure Batch. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
batch Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-msrc-releases.md
na Previously updated : 2/11/2022 Last updated : 2/15/2022 # Azure Guest OS The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to the Guest OS you are using. Updates always carry forward for the particular [family][family-explain] they were introduced in.
+## February 2022 Guest OS
+
+>[!NOTE]
+
+>The February Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the February Guest OS. This list is subject to change.
+>
+
+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
+| | | | | |
+| Rel 22-02 | [5010351] | Latest Cumulative Update(LCU) | 6.41 | Feb 8, 2022 |
+| Rel 22-02 | [5006671] | IE Cumulative Updates | 2.120, 3.107, 4.100 | Oct 12, 2021 |
+| Rel 22-02 | [5010354] | Latest Cumulative Update(LCU) | 7.9 | Feb 8, 2022 |
+| Rel 22-02 | [5010359] | Latest Cumulative Update(LCU) | 5.65 | Feb 8, 2022 |
+| Rel 22-02 | [5008867] | .NET Framework 3.5 Security and Quality Rollup | 2.120 | Jan 11, 2022 |
+| Rel 22-02 | [5008860] | .NET Framework 4.5.2 Security and Quality Rollup | 2.120 | Jan 11, 2022 |
+| Rel 22-02 | [5008868] | .NET Framework 3.5 Security and Quality Rollup | 4.100 | Jan 11, 2022 |
+| Rel 22-02 | [5008870] | .NET Framework 4.5.2 Security and Quality Rollup | 4.100 | Jan 11, 2022 |
+| Rel 22-02 | [5008865] | .NET Framework 3.5 Security and Quality Rollup | 3.107 | Jan 11, 2022 |
+| Rel 22-02 | [5008869] | . NET Framework 4.5.2 Security and Quality Rollup | 3.107 | Jan 11, 2022 |
+| Rel 22-02 | [5008873] | . NET Framework 3.5 and 4.7.2 Cumulative Update | 6.41 | Jan 11, 2022 |
+| Rel 22-02 | [5008882] | .NET Framework 4.8 Security and Quality Rollup | 7.9 | Jan 11, 2022 |
+| Rel 22-02 | [5010404] | Monthly Rollup | 2.120 | Feb 8, 2022 |
+| Rel 22-02 | [5010392] | Monthly Rollup | 3.107 | Feb 8, 2022 |
+| Rel 22-02 | [5010419] | Monthly Rollup | 4.100 | Feb 8, 2022 |
+| Rel 22-02 | [5001401] | Servicing Stack update | 3.107 | Apr 13, 2021 |
+| Rel 22-02 | [5001403] | Servicing Stack update | 4.100 | Apr 13, 2021 |
+| Rel 22-02 | [4578013] | Standalone Security Update | 4.100 | Aug 19, 2020 |
+| Rel 22-02 | [5005698] | Servicing Stack update | 5.65 | Sep 14, 2021 |
+| Rel 22-02 | [5010451] | Servicing Stack update | 2.120 | Feb 8, 2022 |
+| Rel 22-02 | [4494175] | Microcode | 5.65 | Sep 1, 2020 |
+| Rel 22-02 | [4494174] | Microcode | 6.41 | Sep 1, 2020 |
+
+[5010351]: https://support.microsoft.com/kb/5010351
+[5006671]: https://support.microsoft.com/kb/5006671
+[5010354]: https://support.microsoft.com/kb/5010354
+[5010359]: https://support.microsoft.com/kb/5010359
+[5008867]: https://support.microsoft.com/kb/5008867
+[5008860]: https://support.microsoft.com/kb/5008860
+[5008868]: https://support.microsoft.com/kb/5008868
+[5008870]: https://support.microsoft.com/kb/5008870
+[5008865]: https://support.microsoft.com/kb/5008865
+[5008869]: https://support.microsoft.com/kb/5008869
+[5008873]: https://support.microsoft.com/kb/5008873
+[5008882]: https://support.microsoft.com/kb/5008882
+[5010404]: https://support.microsoft.com/kb/5010404
+[5010392]: https://support.microsoft.com/kb/5010392
+[5010419]: https://support.microsoft.com/kb/5010419
+[5001401]: https://support.microsoft.com/kb/5001401
+[5001403]: https://support.microsoft.com/kb/5001403
+[4578013]: https://support.microsoft.com/kb/4578013
+[5005698]: https://support.microsoft.com/kb/5005698
+[5010451]: https://support.microsoft.com/kb/5010451
+[4494175]: https://support.microsoft.com/kb/4494175
+[4494174]: https://support.microsoft.com/kb/4494174
## January 2022 Guest OS | Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
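Review bot: the alert block is broken: `>[!NOTE]` is on its own line, followed by an empty line, then the `>` text, and a trailing lone `>` line. Docs markdown requires the `>` lines to be contiguous for the block to render as a note, so the `[!NOTE]` marker will show as literal text and the paragraph will render as a plain blockquote; remove the empty line between them (and the dangling `>`). Also two rows have a stray space in the product name, `. NET Framework 4.5.2 Security and Quality Rollup` and `. NET Framework 3.5 and 4.7.2 Cumulative Update`; they should read `.NET Framework` as in the other rows.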
cognitive-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/policy-reference.md
Title: Built-in policy definitions for Azure Cognitive Services description: Lists Azure Policy built-in policy definitions for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
cognitive-services Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cognitive Services description: Lists Azure Policy Regulatory Compliance controls available for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
communication-services Teams User Calling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/teams-user-calling.md
The following list presents the set of Teams capabilities, which are currently a
| PSTN | Make an Emergency call | ❌ | | | Place a call honors location-based routing | ❌ | | | Support for survivable branch appliance | ❌ |
+| Phone system | Receive a call from Teams auto attendant | ✔️ |
+| | Transfer a call to Teams auto attendant | ✔️ |
+| | Receive a call from Teams call queue (only conference mode) | ✔️ |
+| | Transfer a call from Teams call queue (only conference mode) | ✔️ |
| Compliance | Place a call honors information barriers | ✔️ | | | Support for compliance recording | ✔️ |
communication-services Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/known-issues.md
This article provides information about limitations and known issues related to
The following sections provide information about known issues associated with the Communication Services JavaScript voice and video calling SDKs.
-### Some Android devices failing to join calls and meetings.
+### Chrome M98 - regression
+
+Chrome version 98 introduced a regression with anormal generation of video keyframes that impacts resolution of a sent video stream negatively for majority (70%+) of users.
+- This is a known regression introduced on [Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=1295815)
-A number of specific Android devices fail to join calls and meetings. The devices that run into this issue, wont recover and will fail on every attemp. These are mostly Samsung phones with biggest contributors A326U, A125U and A215U models.
+### Some Android devices failing to join calls and meetings.
+A number of specific Android devices fail to start, join or accept calls and meetings. The devices that run into this issue, won't recover and will fail on every attempt. These are mostly Samsung moodel A devices, particularly models A326U, A125U and A215U.
- This is a known regression introduced on [Chromium](https://bugs.chromium.org/p/webrtc/issues/detail?id=13223). ### iOS 15.1 users joining group calls or Microsoft Teams meetings.
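Review bot: two typos in the added text: "anormal generation of video keyframes" should be "abnormal generation of video keyframes", and "Samsung moodel A devices" should be "Samsung model A devices". Also check the section ordering after this change: the Chromium bug link for the Android issue (webrtc issue 13223) appears here only as a removed line, while the new bullet under "Chrome M98 - regression" points at chromium issue 1295815; make sure the rebuilt Android section still carries its own bug link and that the M98 section says whether a fix or workaround (for example pinning an earlier Chrome release) is expected, since the text currently states only the impact.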
container-apps Vnet Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/vnet-custom.md
Previously updated : 1/28/2021 Last updated : 2/3/2022 zone_pivot_groups: azure-cli-or-portal
As you create an Azure Container Apps [environment](environment.md), a virtual n
- You can restrict inbound requests to the environment exclusively to the VNET by deploying the environment as internal. > [!IMPORTANT]
-> In order to ensure the environment deployment within your custom VNET is successful, configure your VNET with an "allow-all" configuration by default. The full list of traffic dependencies required to configure the VNET as "deny-all" is not yet available. Refer to the [custom VNET security sample](https://aka.ms/azurecontainerapps/customvnet) for additional details.
+> In order to ensure the environment deployment within your custom VNET is successful, configure your VNET with an "allow-all" configuration by default. The full list of traffic dependencies required to configure the VNET as "deny-all" is not yet available. Refer to [Known issues for public preview](https://github.com/microsoft/azure-container-apps/wiki/Known-Issues-for-public-preview) for additional details.
:::image type="content" source="media/networking/azure-container-apps-virtual-network.png" alt-text="Azure Container Apps environments use an existing VNET, or you can provide your own.":::
To create an internal only environment, provide the `--internal-only` parameter
::: zone-end
+## Managed resources
+
+When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment as well as a load balancer. As the load balancer is created in your subscription, there are additional costs associated with deploying the service to a custom virtual network.
+ ## Example The following example shows you how to create a Container Apps environment in an existing virtual network.
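Review bot: the IMPORTANT note still tells readers to start with an "allow-all" VNET configuration but gives no guidance on when or how to tighten it, and the new "Managed resources" section should make the direction of the public IPs explicit. Suggest adding to the note that, until the dependency list is published, the allow-all rule is needed for outbound (egress) traffic even for an internal-only environment, and stating in the new section that the public IPs in the `MC_` resource group are used for outbound connectivity only and do not expose the environment to inbound traffic; that is what a reader doing a network review will ask first. The sentence "there are additional costs associated with deploying the service to a custom virtual network" would also benefit from a link to the load balancer pricing it refers to.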
container-instances Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/policy-reference.md
Title: Built-in policy definitions for Azure Container Instances description: Lists Azure Policy built-in policy definitions for Azure Container Instances. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
container-registry Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/policy-reference.md
Title: Built-in policy definitions for Azure Container Registry description: Lists Azure Policy built-in policy definitions for Azure Container Registry. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
container-registry Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Container Registry description: Lists Azure Policy Regulatory Compliance controls available for Azure Container Registry. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
cosmos-db Concepts Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/concepts-limits.md
Title: Azure Cosmos DB service quotas description: Azure Cosmos DB service quotas and default limits on different resource types.--++ Previously updated : 10/25/2021 Last updated : 02/16/2022 # Azure Cosmos DB service quotas
In summary, here are the minimum provisioned RU limits.
| Resource | Default limit | | | | | Minimum RUs per container ([dedicated throughput provisioned mode](./account-databases-containers-items.md#azure-cosmos-containers)) | 400 |
-| Minimum RUs per database ([shared throughput provisioned mode](./account-databases-containers-items.md#azure-cosmos-containers)) | 400 RU/s for first 25 containers. Additional 100 RU/s for each container afterward. |
+| Minimum RUs per database ([shared throughput provisioned mode](./account-databases-containers-items.md#azure-cosmos-containers)) | 400 RU/s for first 25 containers. |
Cosmos DB supports programmatic scaling of throughput (RU/s) per container or database via the SDKs or portal.
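Review bot: dropping "Additional 100 RU/s for each container afterward." leaves the case of more than 25 containers unstated; "400 RU/s for first 25 containers." now implies some other rule applies beyond 25 without saying what it is. If the per-container surcharge no longer applies, say so explicitly (for example "400 RU/s, regardless of the number of containers"); if it still applies, restore the removed clause.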
cosmos-db Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/policy-reference.md
Title: Built-in policy definitions for Azure Cosmos DB description: Lists Azure Policy built-in policy definitions for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
cosmos-db Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cosmos DB description: Lists Azure Policy Regulatory Compliance controls available for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
cosmos-db Bulk Executor Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/bulk-executor-java.md
This tutorial provides instructions on using the Azure Cosmos DB's bulk executor Java library to import, and update Azure Cosmos DB documents. To learn about bulk executor library and how it helps you use massive throughput and storage, see [bulk executor Library overview](../bulk-executor-overview.md) article. In this tutorial, you build a Java application that generates random documents and they are bulk imported into an Azure Cosmos container. After importing, you will bulk update some properties of a document.
-> [!NOTE]
-> The [Azure Cosmos DB Java V4 SDK](sql-api-sdk-java-v4.md) comes with the bulk executor library built-in to the SDK. If you are using an older version of Java SDK, it's recommended to [migrate to the latest version](migrate-java-v4-sdk.md).
-
-Currently, the bulk executor library is supported only by Azure Cosmos DB SQL API and Gremlin API accounts. This article describes how to use bulk executor Java library with SQL API accounts. To learn about using bulk executor .NET library with Gremlin API, see [perform bulk operations in Azure Cosmos DB Gremlin API](../graph/bulk-executor-graph-dotnet.md). The bulk executor library described is available is only available for the [Azure Cosmos DB Java sync SDK v2](sql-api-sdk-java.md) and it is the current recommended solution for Java bulk support. It is currently not available for the 3.x, 4.x or other higher SDK versions.
+> [!IMPORTANT]
+> The [Azure Cosmos DB Java V4 SDK](sql-api-sdk-java-v4.md) comes with the bulk executor library built-in to the SDK. If you are using an older version of Java SDK, it's recommended to [migrate to the latest version](migrate-java-v4-sdk.md). Azure Cosmos DB Java V4 SDK is the current recommended solution for Java bulk support. Currently, the bulk executor library is supported only by Azure Cosmos DB SQL API and Gremlin API accounts. To learn about using bulk executor .NET library with Gremlin API, see [perform bulk operations in Azure Cosmos DB Gremlin API](../graph/bulk-executor-graph-dotnet.md).
+>
## Prerequisites
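Review bot: the removed sentence "This article describes how to use bulk executor Java library with SQL API accounts" was the only line telling the reader which SDK version the steps below target; the new IMPORTANT box recommends the V4 SDK but the tutorial body still appears to use the standalone bulk executor library, so state plainly which one the sample code uses. The Gremlin link also loses its contrast once that sentence is gone, and there is a stray empty `>` line at the end of the callout that should be removed.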
cosmos-db Create Sql Api Spark https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/create-sql-api-spark.md
Title: Quickstart - Manage data with Azure Cosmos DB Spark 3 OLTP Connector for SQL API description: This quickstart presents a code sample for the Azure Cosmos DB Spark 3 OLTP Connector for SQL API that you can use to connect to and query data in your Azure Cosmos DB account-+ ms.devlang: java Previously updated : 11/23/2021- Last updated : 02/15/2022+
For more information related to schema inference, see the full [schema inference
## Configuration reference
-### Generic configuration
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.accountEndpoint` | None | Cosmos DB Account Endpoint Uri |
-| `spark.cosmos.accountKey` | None | Cosmos DB Account Key |
-| `spark.cosmos.database` | None | Cosmos DB database name |
-| `spark.cosmos.container` | None | Cosmos DB container name |
-
-### Extra tuning
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.useGatewayMode` | `false` | Use gateway mode for the client operations |
-| `spark.cosmos.read.forceEventualConsistency` | `true` | Makes the client use Eventual consistency for read operations instead of using the default account level consistency |
-| `spark.cosmos.applicationName` | None | Application name |
-| `spark.cosmos.preferredRegionsList` | None | Preferred regions list to be used for a multi region Cosmos DB account. This is a comma-separated value (for example, `[East US, West US]` or `East US, West US`) provided preferred regions will be used as hint. You should use a collocated spark cluster with your Cosmos DB account and pass the spark cluster region as preferred region. See list of Azure regions [here](/dotnet/api/microsoft.azure.documents.locationnames?view=azure-dotnet&preserve-view=true). You can also use `spark.cosmos.preferredRegions` as alias |
-| `spark.cosmos.diagnostics` | None | Can be used to enable more verbose diagnostics. Currently the only supported option is to set this property to `simple` - which will result in extra logs being emitted as `INFO` logs in the Driver and Executor logs.|
-
-### Write config
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.write.strategy` | `ItemOverwrite` | Cosmos DB Items write Strategy: `ItemOverwrite` (using upsert), `ItemAppend` (using create, ignore pre-existing items that are, Conflicts), `ItemDelete` (delete all documents), `ItemDeleteIfNotModified` (delete all documents for which the etag hasn't changed) |
-| `spark.cosmos.write.maxRetryCount` | `10` | Cosmos DB Write Max Retry Attempts on retryable failures (for example, connection error) |
-| `spark.cosmos.write.point.maxConcurrency` | None | Cosmos DB Item Write Max concurrency. If not specified it will be determined based on the Spark executor VM Size |
-| `spark.cosmos.write.bulk.maxPendingOperations` | None | Cosmos DB Item Write bulk mode maximum pending operations. Defines a limit of bulk operations being processed concurrently. If not specified it will be determined based on the Spark executor VM Size. If the volume of data is large for the provisioned throughput on the destination container, this setting can be adjusted by following the estimation of `1000 x Cores` |
-| `spark.cosmos.write.bulk.enabled` | `true` | Cosmos DB Item Write bulk enabled |
-
-### Query config
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.read.customQuery` | None | When provided the custom query will be processed against the Cosmos endpoint instead of dynamically generating the query via predicate push down. Usually it is recommended to rely on Spark's predicate push down because that will allow to generate the most efficient set of filters based on the query plan. But there are a couple of predicates like aggregates (count, group by, avg, sum etc.) that cannot be pushed down yet (at least in Spark 3.1) - so the custom query is a fallback to allow them to be pushed into the query sent to Cosmos. If specified, with schema inference enabled, the custom query will also be used to infer the schema. |
-| `spark.cosmos.read.maxItemCount` | `1000` | Overrides the maximum number of documents that can be returned for a single query- or change feed request. The default value is `1000` - consider increasing this only for average document sizes smaller than 1 KB or when projection reduces the number of properties selected in queries significantly (like when only selecting "ID" of documents etc.). |
-
-### Schema inference config
-When doing read operations, users can specify a custom schema or allow the connector to infer it. Schema inference is enabled by default.
-
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.read.inferSchema.enabled` | `true` | When schema inference is disabled and user is not providing a schema, raw json will be returned. |
-| `spark.cosmos.read.inferSchema.query` | `SELECT * FROM r` | When schema inference is enabled, used as custom query to infer it. For example, if you store multiple entities with different schemas within a container and you want to ensure inference only looks at certain document types or you want to project only particular columns. |
-| `spark.cosmos.read.inferSchema.samplingSize` | `1000` | Sampling size to use when inferring schema and not using a query. |
-| `spark.cosmos.read.inferSchema.includeSystemProperties` | `false` | When schema inference is enabled, whether the resulting schema will include all [Cosmos DB system properties](../account-databases-containers-items.md#properties-of-an-item). |
-| `spark.cosmos.read.inferSchema.includeTimestamp` | `false` | When schema inference is enabled, whether the resulting schema will include the document Timestamp (`_ts`). Not required if `spark.cosmos.read.inferSchema.includeSystemProperties` is enabled, as it will already include all system properties. |
-| `spark.cosmos.read.inferSchema.forceNullableProperties` | `true` | When schema inference is enabled, whether the resulting schema will make all columns nullable. By default, all columns (except cosmos system properties) will be treated as nullable even if all rows within the sample set have non-null values. When disabled, the inferred columns are treated as nullable or not depending on whether any record in the sample set has null-values within a column. |
-
-### Serialization config
-Used to influence the json serialization/deserialization behavior
-
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.serialization.inclusionMode` | `Always` | Determines whether null/default values will be serialized to json or whether properties with null/default value will be skipped. The behavior follows the same ideas as [Jackson's JsonInclude.Include](https://github.com/FasterXML/jackson-annotations/blob/d0820002721c76adad2cc87fcd88bf60f56b64de/src/main/java/com/fasterxml/jackson/annotation/JsonInclude.java#L98-L227). `Always` means json properties are created even for null and default values. `NonNull` means no json properties will be created for explicit null values. `NonEmpty` means json properties will not be created for empty string values or empty arrays/mpas. `NonDefault` means json properties will be skipped not just for null/empty but also when the value is identical to the default value `0` for numeric properties for example. |
-
-### Change feed (only for Spark-Streaming using `cosmos.oltp.changeFeed` data source, which is read-only) configuration
-| Config Property Name | Default | Description |
-| : | :- | : |
-| spark.cosmos.changeFeed.startFrom | `Beginning` | ChangeFeed Start from settings (`Now`, `Beginning` or a certain point in time (UTC) for example `2020-02-10T14:15:03`) - the default value is `Beginning`. If the write config contains a `checkpointLocation` and any checkpoints exist, the stream is always continued independent of the `spark.cosmos.changeFeed.startFrom` settings - you need to change `checkpointLocation` or delete checkpoints to restart the stream if that is the intention. |
-| spark.cosmos.changeFeed.mode | `Incremental` | ChangeFeed mode (`Incremental` or `FullFidelity`) - NOTE: `FullFidelity` is in experimental state right now. It requires that the subscription/account has been enabled for the private preview and there are known breaking changes that will happen for `FullFidelity` (schema of the returned documents). It is recommended to only use `FullFidelity` for non-production scenarios at this point. |
-| spark.cosmos.changeFeed.itemCountPerTriggerHint | None | Approximate maximum number of items read from change feed for each micro-batch/trigger |
-
-### Json conversion configuration
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.read.schemaConversionMode` | `Relaxed` | The schema conversion behavior (`Relaxed`, `Strict`). When reading json documents, if a document contains an attribute that does not map to the schema type, the user can decide whether to use a `null` value (Relaxed) or an exception (Strict). |
-
-### Partitioning strategy config
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.read.partitioning.strategy` | `Default` | The partitioning strategy used (Default, Custom, Restrictive or Aggressive) |
-| `spark.cosmos.partitioning.targetedCount` | None | The targeted Partition Count. This parameter is optional and ignored unless strategy==Custom is used. In this case, the Spark Connector won't dynamically calculate number of partitions but stick with this value. |
-
-### Throughput control config
-| Config Property Name | Default | Description |
-| : | :- | : |
-| `spark.cosmos.throughputControl.enabled` | `false` | Whether throughput control is enabled |
-| `spark.cosmos.throughputControl.name` | None | Throughput control group name |
-| `spark.cosmos.throughputControl.targetThroughput` | None | Throughput control group target throughput |
-| `spark.cosmos.throughputControl.targetThroughputThreshold` | None | Throughput control group target throughput threshold |
-| `spark.cosmos.throughputControl.globalControl.database` | None | Database, which will be used for throughput global control |
-| `spark.cosmos.throughputControl.globalControl.container` | None | Container, which will be used for throughput global control |
-| `spark.cosmos.throughputControl.globalControl.renewIntervalInMS` | `5s` | How often the client is going to update the throughput usage of itself |
-| `spark.cosmos.throughputControl.globalControl.expireIntervalInMS` | `11s` | How quickly an offline client will be detected |
+The Azure Cosmos DB Spark 3 OLTP Connector for SQL API has a complete configuration reference that provides additional and advanced settings writing and querying data, serialization, streaming using change feed, partitioning and throughput management and more. For a complete listing with details see our [Spark Connector Configuration Reference](https://aka.ms/azure-cosmos-spark-3-config) on GitHub.
## Next steps
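Review bot: grammar in the replacement paragraph: "provides additional and advanced settings writing and querying data" should read "provides additional and advanced settings for writing and querying data". Removing the tables also removes the only place this quickstart documented the four connection properties (`spark.cosmos.accountEndpoint`, `spark.cosmos.accountKey`, `spark.cosmos.database`, `spark.cosmos.container`); consider keeping a minimal table of those required settings inline and adding a sentence that `spark.cosmos.accountKey` is a primary account key and should be read from a secret store rather than pasted into notebook code, since the full reference now lives behind an aka.ms redirect.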
cosmos-db Migrate Dotnet V3 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/migrate-dotnet-v3.md
Previously updated : 01/13/2022 Last updated : 02/15/2022 ms.devlang: csharp
The following classes have been replaced on the 3.0 SDK:
The Microsoft.Azure.Documents.UriFactory class has been replaced by the fluent design. The fluent design builds URLs internally and allows a single `Container` object to be passed around instead of a `DocumentClient`, `DatabaseName`, and `DocumentCollection`.
+Because the .NET v3 SDK allows users to configure a custom serialization engine, there is no direct replacement for the `Document` type. When using Newtonsoft.Json (default serialization engine), `JObject` can be used to achieve the same functionality. When using a different serialization engine, you can use its base json document type (for example, `JsonDocument` for System.Text.Json). The recommendation is to use a C# type that reflects the schema of your items instead of relying on generic types.
+ ### Changes to item ID generation Item ID is no longer auto populated in the .NET v3 SDK. Therefore, the Item ID must specifically include a generated ID. View the following example:
cosmos-db Sql Api Sdk Java Spring V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/sql-api-sdk-java-spring-v2.md
Spring Data Azure Cosmos DB version 2 for Core (SQL) allows developers to use Azure Cosmos DB in Spring applications. Spring Data Azure Cosmos DB exposes the Spring Data interface for manipulating databases and collections, working with documents, and issuing queries. Both Sync and Async (Reactive) APIs are supported in the same Maven artifact.
-> [!IMPORTANT]
-> This is *not* the latest Azure Spring Data Cosmos SDK for Azure Cosmos DB and is outdated! Because of performance issues and instability in Azure Spring Data Cosmos SDK V2, we highly recommend to use [Azure Spring Data Cosmos v3](sql-api-sdk-java-spring-v3.md) for your project. To upgrade, follow the instructions in the [Migrate to Azure Cosmos DB Java SDK v4](migrate-java-v4-sdk.md) guide to understand the difference in the underlying Java SDK V4.
+> [!WARNING]
+> This version of Spring Data Cosmos SDK depends on a retired version of Cosmos DB Java SDK. This Spring Data Cosmos SDK will be announced as retiring in the near future! This is *not* the latest Azure Spring Data Cosmos SDK for Azure Cosmos DB and is outdated. Because of performance issues and instability in Azure Spring Data Cosmos SDK V2, we highly recommend to use [Azure Spring Data Cosmos v3](sql-api-sdk-java-spring-v3.md) for your project. To upgrade, follow the instructions in the [Migrate to Azure Cosmos DB Java SDK v4](migrate-java-v4-sdk.md) guide to understand the difference in the underlying Java SDK V4.
> The [Spring Framework](https://spring.io/projects/spring-framework) is a programming and configuration model that streamlines Java application development. Spring streamlines the "plumbing" of applications by using dependency injection. Many developers like Spring because it makes building and testing applications more straightforward. [Spring Boot](https://spring.io/projects/spring-boot) extends this handling of the plumbing with an eye toward web application and microservices development. [Spring Data](https://spring.io/projects/spring-data) is a programming model for accessing datastores like Azure Cosmos DB from the context of a Spring or Spring Boot application.
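Review bot: "This Spring Data Cosmos SDK will be announced as retiring in the near future!" is too vague for a WARNING callout; name the retired underlying Java SDK version it depends on and link the retirement notice (or give the planned date) so readers can plan the migration. Minor grammar: "we highly recommend to use" should be "we highly recommend using".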
cosmos-db Tutorial Setup Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/tutorial-setup-ci-cd.md
This step is optional and it's only required if you are setting up the CI/CD pip
Now, we'll configure our tests to use the emulator. The emulator build task exports an environment variable, `CosmosDbEmulator.Endpoint`, that any tasks further in the build pipeline can issue requests against.
-In this tutorial, we'll use the [Visual Studio Test task](https://github.com/Microsoft/azure-pipelines-tasks/blob/master/Tasks/VsTestV2/README.md) to run unit tests configured via a **.runsettings** file. To learn more about unit test setup, visit the [documentation](/visualstudio/test/configure-unit-tests-by-using-a-dot-runsettings-file?preserve-view=true&view=vs-2017). The complete Todo application code sample that you use in this document is available on [GitHub](https://github.com/Azure-Samples/documentdb-dotnet-todo-app)
+In this tutorial, we'll use the [Visual Studio Test task](https://github.com/Microsoft/azure-pipelines-tasks/blob/master/Tasks/VsTestV2/README.md) to run unit tests configured via a **.runsettings** file. To learn more about unit test setup, visit the [documentation](/visualstudio/test/configure-unit-tests-by-using-a-dot-runsettings-file?preserve-view=true&view=vs-2017). The complete Todo application code sample that you use in this document is available on [GitHub](https://github.com/Azure-Samples/cosmos-dotnet-core-todo-app)
Below is an example of a **.runsettings** file that defines parameters to be passed into an application's unit tests. Note the `authKey` variable used is the [well-known key](./local-emulator.md#authenticate-requests) for the emulator. This `authKey` is the key expected by the emulator build task and should be defined in your **.runsettings** file.
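Review bot: the sample repository link is updated correctly, but since the surrounding text now describes storing `authKey` in a **.runsettings** file, add one sentence making clear that this is acceptable only because the emulator key is public and well known; a real account key must never be committed in **.runsettings** and should come from a pipeline secret variable instead.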
data-factory Concepts Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/concepts-integration-runtime.md
Previously updated : 09/09/2021 Last updated : 02/15/2022 # Integration runtime in Azure Data Factory
For high availability and scalability, you can scale out the self-hosted IR by a
## Azure-SSIS integration runtime
-> [!NOTE]
-> Azure-SSIS integration runtimes are not currently supported in Synapse pipelines.
- To lift and shift existing SSIS workload, you can create an Azure-SSIS IR to natively execute SSIS packages. ### Azure-SSIS IR network environment
data-factory Create Azure Ssis Integration Runtime Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-portal.md
This article shows you how to create an Azure-SQL Server Integration Services (SSIS) integration runtime (IR) in Azure Data Factory (ADF) or Synapse Pipelines via Azure portal.
+> [!NOTE]
+> Azure-SSIS IR in Azure Synapse Analytics is in public preview, please check [limitations](https://aka.ms/AAfq9i3) for preview.
+ ## Provision an Azure-SSIS integration runtime # [Azure Data Factory](#tab/data-factory)
On the home page, select the **Configure SSIS** tile to open the **Integration r
1. On the home page of the Azure Synapse UI, select the Manage tab from the leftmost pane.
- :::image type="content" source="media/doc-common-process/get-started-page-manage-button-synapse.png" alt-text="The home page Manage button":::
+ :::image type="content" source="media/doc-common-process/get-started-page-manage-button-synapse.png" alt-text="Screenshot of the home page Manage button.":::
1. Select **Integration runtimes** on the left pane, and then select **+New**.
- :::image type="content" source="media/doc-common-process/manage-new-integration-runtime-synapse.png" alt-text="Create an integration runtime":::
+ :::image type="content" source="media/doc-common-process/manage-new-integration-runtime-synapse.png" alt-text="Screenshot of create an integration runtime.":::
1. On the following page, select **Azure-SSIS** to create an SSIS IR, and then select **Continue**.
- :::image type="content" source="media/tutorial-create-azure-ssis-runtime-portal/new-sssis-integration-runtime-synapse.png" alt-text="Create an SSIS IR":::
+ :::image type="content" source="media/tutorial-create-azure-ssis-runtime-portal/new-sssis-integration-runtime-synapse.png" alt-text="Screenshot of create an SSIS IR.":::
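Review bot: the new NOTE is a comma splice and uses a bare aka.ms redirect; suggest "Azure-SSIS IR in Azure Synapse Analytics is in public preview. See the preview [limitations](https://aka.ms/AAfq9i3) before you proceed." The alt-text changes to "Screenshot of …" are fine.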
data-factory Create Azure Ssis Integration Runtime Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-resource-manager-template.md
[!INCLUDE[appliesto-adf-asa-preview-md](includes/appliesto-adf-asa-preview-md.md)]
-In this section, you use an Azure Resource Manager template to create the Azure-SSIS integration runtime.
+In this section, you use an Azure Resource Manager template to create the Azure-SSIS integration runtime in Azure Data Factory.
## Sample Azure Resource Manager template
data-factory How To Invoke Ssis Package Ssis Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-ssis-activity.md
In this step, you use the Data Factory UI or app to create a pipeline. You add a
Navigate to the Integrate tab in Synapse Studio (represented by the pipeline icon), then create a new pipeline.
data-factory Join Azure Ssis Integration Runtime Virtual Network Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/join-azure-ssis-integration-runtime-virtual-network-powershell.md
[!INCLUDE[appliesto-adf-asa-preview-md](includes/appliesto-adf-asa-preview-md.md)]
-This article shows you how to join your existing Azure-SQL Server Integration Services (SSIS) integration runtime (IR) to a virtual network via Azure PowerShell.
+This article shows you how to join your existing Azure-SQL Server Integration Services (SSIS) integration runtime (IR) in Azure Data Factory to a virtual network via Azure PowerShell.
> [!NOTE] > For Azure-SSIS IR in Azure Synapse Analytics, replace with corresponding Azure Synapse Analytics PowerShell interfaces: [Set-AzSynapseIntegrationRuntime (Az.Synapse)](/powershell/module/az.synapse/set-azsynapseintegrationruntime), [Start-AzSynapseIntegrationRuntime](/powershell/module/az.synapse/start-azsynapseintegrationruntime) and [Stop-AzSynapseIntegrationRuntime](/powershell/module/az.synapse/stop-azsynapseintegrationruntime).
data-factory Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/policy-reference.md
Previously updated : 01/18/2022 Last updated : 02/15/2022 # Azure Policy built-in definitions for Data Factory (Preview)
data-factory Self Hosted Integration Runtime Proxy Ssis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/self-hosted-integration-runtime-proxy-ssis.md
Previously updated : 02/15/2022 Last updated : 02/16/2022 # Configure a self-hosted IR as a proxy for an Azure-SSIS IR
If you need to access data stores that have been configured to use only the stro
## Next steps
-After you've configured your self-hosted IR as a proxy for your Azure-SSIS IR, you can deploy and run your packages to access data on-premises as Execute SSIS Package activities in Data Factory pipelines. To learn how, see [Run SSIS packages as Execute SSIS Package activities in Data Factory pipelines](./how-to-invoke-ssis-package-ssis-activity.md).
+After you've configured your self-hosted IR as a proxy for your Azure-SSIS IR, you can deploy and run your packages to access data and or run any SQL statements/processes on premises as Execute SSIS Package activities in Data Factory pipelines. To learn how, see [Run SSIS packages as Execute SSIS Package activities in Data Factory pipelines](./how-to-invoke-ssis-package-ssis-activity.md). See also our blogs: [Run Any SQL Anywhere in 3 Easy Steps with SSIS in Azure Data Factory](https://techcommunity.microsoft.com/t5/sql-server-integration-services/run-any-sql-anywhere-in-3-easy-steps-with-ssis-in-azure-data/ba-p/2457244) and [Run Any Process Anywhere in 3 Easy Steps with SSIS in Azure Data Factory](https://techcommunity.microsoft.com/t5/sql-server-integration-services/run-any-process-anywhere-in-3-easy-steps-with-ssis-in-azure-data/ba-p/2962609).
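Review bot: "access data and or run any SQL statements/processes on premises" should be "access data and/or run SQL statements and processes on-premises". Since this sentence now advertises running arbitrary processes through the self-hosted IR proxy, it is worth adding that those processes execute with the privileges of the account the self-hosted IR runs under on that host, so that account should be granted only what the packages need.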
data-factory Solution Template Bulk Copy From Files To Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-bulk-copy-from-files-to-database.md
Last updated 12/09/2020
# Bulk copy from files to database This article describes a solution template that you can use to copy data in bulk from Azure Data Lake Storage Gen2 to Azure Synapse Analytics / Azure SQL Database.
The template defines the following two parameters:
## Next steps -- [Introduction to Azure Data Factory](introduction.md)
+- [Introduction to Azure Data Factory](introduction.md)
data-factory Solution Template Bulk Copy With Control Table https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-bulk-copy-with-control-table.md
Last updated 12/09/2020
# Bulk copy from a database with a control table To copy data from a data warehouse in Oracle Server, Netezza, Teradata, or SQL Server to Azure Synapse Analytics, you have to load huge amounts of data from multiple tables. Usually, the data has to be partitioned in each table so that you can load rows with multiple threads in parallel from a single table. This article describes a template to use in these scenarios.
data-factory Solution Template Copy Files Multiple Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-copy-files-multiple-containers.md
Last updated 01/31/2022
# Copy multiple folders with Azure Data Factory This article describes a solution template that uses multiple copy activities to copy containers or folders between file-based stores, where each copy activity copies a single container or folder.
data-factory Solution Template Copy New Files Lastmodifieddate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-copy-new-files-lastmodifieddate.md
Last updated 01/31/2022
# Copy new and changed files by LastModifiedDate with Azure Data Factory This article describes a solution template that you can use to copy new and changed files only by LastModifiedDate from a file-based store to a destination store.
data-factory Solution Template Databricks Notebook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-databricks-notebook.md
Last updated 01/31/2022
# Transformation with Azure Databricks In this tutorial, you create an end-to-end pipeline that contains the **Validation**, **Copy data**, and **Notebook** activities in Azure Data Factory.
data-factory Solution Template Delta Copy With Control Table https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-delta-copy-with-control-table.md
Last updated 12/09/2020
# Delta copy from a database with a control table This article describes a template that's available to incrementally load new or updated rows from a database table to Azure by using an external control table that stores a high-watermark value.
data-factory Solution Template Migration S3 Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-migration-s3-azure.md
Last updated 01/31/2022
# Migrate data from Amazon S3 to Azure Data Lake Storage Gen2 Use the templates to migrate petabytes of data consisting of hundreds of millions of files from Amazon S3 to Azure Data Lake Storage Gen2.
data-factory Solution Template Move Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-move-files.md
Last updated 01/26/2022
# Move files with Azure Data Factory ADF copy activity has built-in support for the "move" scenario when copying binary files between storage stores. To enable it, set "deleteFilesAfterCompletion" to true in the copy activity. The copy activity then deletes the files from the source store after the job completes.
The template defines four parameters:
- [Copy new and changed files by LastModifiedDate with Azure Data Factory](solution-template-copy-new-files-lastmodifieddate.md) -- [Copy files from multiple containers with Azure Data Factory](solution-template-copy-files-multiple-containers.md)
+- [Copy files from multiple containers with Azure Data Factory](solution-template-copy-files-multiple-containers.md)
data-factory Solution Templates Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-templates-introduction.md
Last updated 09/09/2021
# Templates Templates are predefined Azure Data Factory pipelines that allow you to get started quickly with Data Factory. Templates are useful when you're new to Data Factory and want to get started quickly. These templates reduce the development time for building data integration projects thereby improving developer productivity.
data-lake-analytics Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Analytics description: Lists Azure Policy built-in policy definitions for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
data-lake-analytics Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
data-lake-store Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Storage Gen1 description: Lists Azure Policy built-in policy definitions for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
data-lake-store Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen1 description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
databox-online Azure Stack Edge Gpu 2202 Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-2202-release-notes.md
+
+ Title: Azure Stack Edge 2202 release notes
+description: Describes critical open issues and resolutions for the Azure Stack Edge running 2202 release.
++
+
+++ Last updated : 02/14/2022+++
+# Azure Stack Edge 2202 release notes
++
+The following release notes identify the critical open issues and the resolved issues for the 2202 release for your Azure Stack Edge devices. These release notes are applicable for Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R devices. Features and issues that correspond to a specific model are called out wherever applicable.
+
+The release notes are continuously updated, and as critical issues requiring a workaround are discovered, they are added. Before you deploy your device, carefully review the information contained in the release notes.
+
+This article applies to the **Azure Stack Edge 2202** release, which maps to software version number **2.2.1868.4470**. This software can be applied to your device if you are running at least Azure Stack Edge 2106 (2.2.1636.3457) software.
+
+## What's new
+
+The 2202 release introduces clustering for Azure Stack Edge. You can now deploy a two-node device cluster in addition to a single node device. The clustering feature is in preview and is available only for the Azure Stack Edge Pro GPU devices.
+
+For more information, see [What is clustering on Azure Stack Edge?](azure-stack-edge-gpu-clustering-overview.md).
++
+<!--## Issues fixed in 2202 release
+
+The following table lists the issues that were release noted in previous releases and fixed in the current release.
+
+| No. | Feature | Issue |
+| | | |
+|**1.**|Multi-Access Edge Compute | In previous releases, the Azure Stack Edge device did not send VNF operation results back to the Azure Network Function Manager, owing to the MEC Operation Manager (a component of MEC agent) being reset. |-->
++
+## Known issues in 2202 release
+
+The following table provides a summary of known issues in this release.
+
+| No. | Feature | Issue | Workaround/comments |
+| | | | |
+|**1.**|Preview features |For this release, the following features are available in preview: <ul><li>Clustering and Multi-Access Edge Computing (MEC) for Azure Stack Edge Pro GPU devices only. </li><li>VPN for Azure Stack Edge Pro R and Azure Stack Edge Mini R only.</li><li>Local Azure Resource Manager, VMs, Cloud management of VMs, Kubernetes cloud management, and Multi-process service (MPS) for Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R.</li></ul> |These features will be generally available in later releases. |
+|**2.**|Update |For a two-node cluster, in rare instances the update may fail. | If the update fails and you see a message indicating that updates are available, retry updating your device. If the update fails and no updates are available, and your device continues to be in maintenance mode, contact Microsoft Support to determine next steps. |
+
+## Known issues from previous releases
+
+The following table provides a summary of known issues carried over from the previous releases.
+
+| No. | Feature | Issue | Workaround/comments |
+| | | | |
+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <ol><li>In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**</li><li>Download `sqlcmd` on your client machine from [SQL command utility](/sql/tools/sqlcmd-utility). </li><li>Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.</li><li>Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd".</li>After this, steps 3-4 from the current documentation should be identical. </li></ol> |
+| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, may result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<ol><li>Create blob in cloud. Or delete a previously uploaded blob from the device.</li><li>Refresh blob from the cloud into the appliance using the refresh functionality.</li><li>Update only a portion of the blob using Azure SDK REST APIs.</li></ol>These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.|
+|**3.**|Throttling|During throttling, if new writes to the device aren't allowed, writes by the NFS client fail with a "Permission Denied" error.| The error will show as below:<br>`hcsuser@ubuntu-vm:~/nfstest$ mkdir test`<br>mkdir: cannot create directory 'test': Permission deniedΓÇï|
+|**4.**|Blob Storage ingestion|When using AzCopy version 10 for Blob storage ingestion, run AzCopy with the following argument: `Azcopy <other arguments> --cap-mbps 2000`| If these limits aren't provided for AzCopy, it could potentially send a large number of requests to the device, resulting in issues with the service.|
+|**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<ul><li> Only block blobs are supported. Page blobs are not supported.</li><li>There is no snapshot or copy API support.</li><li> Hadoop workload ingestion through `distcp` is not supported as it uses the copy operation heavily.</li></ul>||
+|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you may see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.|
+|**7.**|Kubernetes cluster|When applying an update on your device that is running a Kubernetes cluster, the Kubernetes virtual machines will restart and reboot. In this instance, only pods that are deployed with replicas specified are automatically restored after an update. |If you have created individual pods outside a replication controller without specifying a replica set, these pods won't be restored automatically after the device update. You will need to restore these pods.<br>A replica set replaces pods that are deleted or terminated for any reason, such as node failure or disruptive node upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.|
+|**8.**|Kubernetes cluster|Kubernetes on Azure Stack Edge Pro is supported only with Helm v3 or later. For more information, go to [Frequently asked questions: Removal of Tiller](https://v3.helm.sh/docs/faq/).|
+|**9.**|Kubernetes |Port 31000 is reserved for Kubernetes Dashboard. Port 31001 is reserved for Edge container registry. Similarly, in the default configuration, the IP addresses 172.28.0.1 and 172.28.0.10, are reserved for Kubernetes service and Core DNS service respectively.|Do not use reserved IPs.|
+|**10.**|Kubernetes |Kubernetes does not currently allow multi-protocol LoadBalancer services. For example, a DNS service that would have to listen on both TCP and UDP. |To work around this limitation of Kubernetes with MetalLB, two services (one for TCP, one for UDP) can be created on the same pod selector. These services use the same sharing key and spec.loadBalancerIP to share the same IP address. IPs can also be shared if you have more services than available IP addresses. <br> For more information, see [IP address sharing](https://metallb.universe.tf/usage/#ip-address-sharing).|
+|**11.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules may require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see [Run existing IoT Edge modules from Azure Stack Edge Pro FPGA devices on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-modify-fpga-modules-gpu.md).|
+|**12.**|Kubernetes |File-based bind mounts aren't supported with Azure IoT Edge on Kubernetes on Azure Stack Edge device.|IoT Edge uses a translation layer to translate `ContainerCreate` options to Kubernetes constructs. Creating `Binds` maps to `hostpath` directory and thus file-based bind mounts cannot be bound to paths in IoT Edge containers. If possible, map the parent directory.|
+|**13.**|Kubernetes |If you bring your own certificates for IoT Edge and add those certificates on your Azure Stack Edge device after the compute is configured on the device, the new certificates are not picked up.|To work around this problem, you should upload the certificates before you configure compute on the device. If the compute is already configured, [Connect to the PowerShell interface of the device and run IoT Edge commands](azure-stack-edge-gpu-connect-powershell-interface.md#use-iotedge-commands). Restart `iotedged` and `edgehub` pods.|
+|**14.**|Certificates |In certain instances, certificate state in the local UI may take several seconds to update. |The following scenarios in the local UI may be affected.<ul><li>**Status** column in **Certificates** page.</li><li>**Security** tile in **Get started** page.</li><li>**Configuration** tile in **Overview** page.</li></ul> |
+|**15.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| |
+|**16.**|Web proxy |NTLM authentication-based web proxy is not supported. ||
+|**17.**|Internet Explorer|If enhanced security features are enabled, you may not be able to access local web UI pages. | Disable enhanced security, and restart your browser.|
+|**18.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|
+|**19.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources are not deleted from the Kubernetes cluster. |To allow the deletion of resources when they're deleted from the git repository, set `--sync-garbage-collection` in Arc OperatorParams. For more information, see [Delete a configuration](../azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md#additional-parameters). |
+|**20.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. That ensures the writes are written to the disk.| |
+|**21.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that do not exist on the network.| |
+|**22.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it is not possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create 1 VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available 1 GPU. |
+|**23.**|Custom script VM extension |There is a known issue in the Windows VMs that were created in an earlier release and the device was updated to 2103. <br> If you add a custom script extension on these VMs, the Windows VM Guest Agent (Version 2.7.41491.901 only) gets stuck in the update causing the extension deployment to time out. | To work around this issue: <ol><li> Connect to the Windows VM using remote desktop protocol (RDP). </li><li> Make sure that the `waappagent.exe` is running on the machine: `Get-Process WaAppAgent`. </li><li> If the `waappagent.exe` is not running, restart the `rdagent` service: `Get-Service RdAgent` \| `Restart-Service`. Wait for 5 minutes.</li><li> While the `waappagent.exe` is running, kill the `WindowsAzureGuest.exe` process. </li><li>After you kill the process, the process starts running again with the newer version.</li><li>Verify that the Windows VM Guest Agent version is 2.7.41491.971 using this command: `Get-Process WindowsAzureGuestAgent` \| `fl ProductVersion`.</li><li>[Set up custom script extension on Windows VM](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md). </li><ol> |
+|**24.**|GPU VMs |Prior to this release, GPU VM lifecycle was not managed in the update flow. Hence, when updating to 2103 release, GPU VMs are not stopped automatically during the update. You will need to manually stop the GPU VMs using a `stop-stayProvisioned` flag before you update your device. For more information, see [Suspend or shut down the VM](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#suspend-or-shut-down-the-vm).<br> All the GPU VMs that are kept running before the update, are started after the update. In these instances, the workloads running on the VMs aren't terminated gracefully. And the VMs could potentially end up in an undesirable state after the update. <br>All the GPU VMs that are stopped via the `stop-stayProvisioned` before the update, are automatically started after the update. <br>If you stop the GPU VMs via the Azure portal, you'll need to manually start the VM after the device update.| If running GPU VMs with Kubernetes, stop the GPU VMs right before the update. <br>When the GPU VMs are stopped, Kubernetes will take over the GPUs that were used originally by VMs. <br>The longer the GPU VMs are in stopped state, higher the chances that Kubernetes will take over the GPUs. |
+|**25.**|Multi-Process Service (MPS) |When the device software and the Kubernetes cluster are updated, the MPS setting is not retained for the workloads. |[Re-enable MPS](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface) and redeploy the workloads that were using MPS. |
++
+## Next steps
+
+- [Update your device](azure-stack-edge-gpu-install-update.md)
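Review bot: the workaround for known issue 6 (NFS share connection) says the `nolock` attribute must be passed to the mount command, but the example it gives, `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`, omits it; add `nolock` to the `-o` options so readers who copy the example do not hit the very error the row describes. Several other rows have markup and content problems: issue 23's workaround list closes with `<ol>` instead of `</ol>`, and issue 1's list has the text "After this, steps 3-4 from the current documentation should be identical." outside any `<li>` followed by a stray `</li>`, so both lists will render oddly; issue 8 has only three cells in a four-column table; issue 1 embeds a literal sample password in `sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd"` and should mark it as a placeholder to be replaced rather than pasted; issues 3 and 6 carry a mis-encoded zero-width space (`ΓÇï`) after "Permission denied" and "during the copy."; issue 18 has "For more information,see" without a space; and issue 24 still talks about "updating to 2103 release" in a 2202 release note. The "Issues fixed in 2202 release" section is entirely commented out; either populate it or drop it before publishing.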
databox-online Azure Stack Edge Gpu Cluster Failover Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-cluster-failover-scenarios.md
+
+ Title: Cluster failure scenarios on your Azure Stack Edge device
+description: Describes clustering-related failure scenarios on your Azure Stack Edge device.
++++++ Last updated : 02/15/2022+++
+# Cluster failover scenarios on your Azure Stack Edge Pro GPU device
+
+This article identifies the common failover scenarios, how the Azure Stack Edge device responds, and the overall impact on the workloads deployed on the cluster should a failover occur.
+
+## About failover
+
+Azure Stack Edge can be set up as a single standalone device or a two-node cluster. In a two-node cluster, the clustered nodes provide high availability for applications and services that are running on the cluster.
+
+If one of the clustered node fails, the other node begins to provide service - this process is known as failover. Failover may also occur if hardware components associated with one or both nodes of your device such as disk drives, power supply units (PSUs), or network fail or when you update your device nodes.
+
+## Failover scenarios
+
+Failover may occur as a result of hardware component failure, node failure or when updating the Azure Stack Edge cluster.
++
+## Hardware failures
+
+These tables summarize the failure scenarios for a physical hardware component associated with your device cluster such as one or more of disk drives, power supply, or network.
+
+### Disk drive failures
+
+| Node A | Node B | Cluster survives | Failover | Details |
+|-|-||-|-|
+| 1 disk drive fails | No failures | Yes | No | Cluster is degraded until the disk is replaced. |
+| 2 or more disk drives fail | No failures | Yes | No | Cluster is degraded until the disk is replaced. |
+| 1 or more disk drives fail | 1 or more disk drives fail | No | | Cluster goes offline. |
+
+### Power supply unit failures
+
+| Node A | Node B | Cluster survives | Failover | Details |
+|-|-||-||
+| I PSU fails | No failures | Yes | No | Another power supply failure on node A will result in failover to node B. |
+| 1 PSU fails | 1 PSU fails | Yes | No | Another power supply failure on either node will result in failover. |
+| 2 PSUs fail | No failures | Yes | Yes | VMs on node A fail over to node B. |
+| 2 PSUs fail (TBC) | 1 PSU fails | Yes | Yes | VMs on node A fail over to node B. |
+| 2 PSUs fail | 2 PSUs fail | No | | Cluster goes offline. |
+
+### Network failures
+
+| Node A | Node B | Cluster survives | Failover | Details |
+|--|-||-|-|
+| Port 1, Port 2, Port 5, or Port 6 fails | No failures | Yes | No | Failed port is unavailable. Apps listening on this port are impacted |
+| 1 or both of Port 3 and Port 4 fail | No failures | Yes | Yes | VMs on node A fail over to node B |
+++
+## Node failures and updates
+++
+### Node failure
+
+This table summarizes the failure scenarios when an entire node has failed on your cluster.
+
+| Node A | Node B | Cluster survives | Failover | Details |
+||||-|--|
+| Entire node fails | No failures | Yes | Yes | VMs from node A fail over to node B |
+| Entire node fails | Entire node fails | No | - | Cluster goes offline |
+| Reboot | No failures | Yes | Yes | VMs from node A fail over to node B |
+| Reboot | Reboot | No | - | Cluster is offline until the reboot completes |
+| Core component fails. For example, motherboard, DIMM, and OS disk. | No failures | Yes | Yes | VMs from node A fail over to node B |
+| Core component fails. For example, motherboard, DIMM, and OS disk. | Core component fails. For example, motherboard, DIMM, and OS disk. | No | - | Cluster goes offline |
+++
+### Node update
+
+| Node A | Node B | Cluster survives | Failover | Details |
+|-|--||-|-|
+| Node update | No failures | Yes | Yes | VMs from node A fail over to node B |
+| Node update | 2 PSUs fail | No | - | Cluster goes offline |
+| Node update | Entire node fails or goes offline | No | - | Cluster goes offline |
+| Node update | Reboot | No | - | Cluster goes offline |
+| Node update | Core component fails such as motherboard, DIMM, and OS disk. | No | - | Cluster goes offline |
+
+<!--## High availability requirements and procedures
+
+Review the following information carefully to ensure the high availability of your Azure Stack Edge two-node devices.
+
+### PSUs
+
+Azure Stack Edge devices include redundant, hot-swappable power supply units (PSUs). Each PSU has enough capacity to provide service for the entire chassis. To ensure high availability, both PSUs must be installed. Are these hot swappable?
+
+- Connect your PSUs to different power sources to provide availability if a power source fails.
+- If a PSU fails, request a replacement immediately.
+- Remove a failed PSU only when you have the replacement and are ready to install it.
+- Do not remove both PSUs concurrently. Removing both of the PSUs of one of the nodes will result in failover.
+
+### Nodes
+
+Azure Stack Edge devices include two nodes working together as a two-node cluster.
+
+- For a two-node cluster to work properly, make sure that both nodes are installed at all times.
+- If a node fails, request a replacement immediately.
+- Remove a failed node only when you have the replacement and are ready to install it.
+
+### Network interfaces
+
+Azure Stack Edge devices each have two 1 Gigabit and four 10 Gigabit Ethernet network interfaces.
+
+- When possible, deploy network connections across different switches to ensure service availability in the event of a network device failure.
+- Connect at least two data interfaces to the network from each node.
+- If you have enabled the two 10 GbE interfaces, deploy those across different switches.
++
+### SSDs
+
+Azure Stack Edge devices include NVMe solid state disks (SSDs) that are protected using mirrored spaces. Use of mirrored spaces ensures that the device is able to tolerate the failure of one or more SSDs.
+
+- Make sure that all SSDs modules are installed.
+- If an SSD fails, request a replacement immediately.
+- If an SSD fails or requires replacement, make sure that you remove only the SSD that requires replacement.
+- Do not remove more than one SSD from the system at any point in time. A failure of 2 or more disks on a node would result in failover to another node. -->
+
+## Next steps
+
+- Learn about [VM sizes and types for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-virtual-machine-sizes.md).
+++
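Review bot: in the power supply unit table, the first row reads "I PSU fails" with a capital letter I where "1 PSU fails" is meant, and the fourth row still carries a "(TBC)" marker in "2 PSUs fail (TBC)", which should be confirmed and removed before this is published. The Failover column is left blank when the cluster goes offline in the disk and PSU tables but shows "-" in the node tables; pick one. Minor wording: "one of the clustered node fails" should be "nodes", "one or more of disk drives" should be "one or more disk drives", and the "2 or more disk drives fail" row says "until the disk is replaced" for multiple disks. The commented-out "High availability requirements and procedures" block, including the author's note "Are these hot swappable?", should be resolved or deleted rather than shipped in the source.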
databox-online Azure Stack Edge Gpu Cluster Witness Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-cluster-witness-overview.md
+
+ Title: Overview of cluster witness on your Azure Stack Edge device
+description: Describes a high-level overview of a cluster witness on your Azure Stack Edge device.
++++++ Last updated : 02/15/2022+++
+# Cluster witness on your Azure Stack Edge Pro GPU device
+
+This article provides a brief overview of cluster witness on your Azure Stack Edge device including cluster witness requirements, setup, and management.
+
+## About cluster quorum and witness
+
+In Windows Server Failover Clustering, quorum needs to be maintained in order for the Windows Server cluster to remain online in the event of a failure. When nodes in a Windows Server cluster fail, surviving nodes need to verify that they constitute the majority of the cluster to remain online.
+
+However, the concept of majority only exists for clusters with an odd number of nodes. When the number of nodes in a cluster is even, the system requires a way to make the total number of votes odd. This is where the role of cluster witness is important. The cluster witness is given a vote, so that in the event of a failure, the total number of votes in the cluster (which originally had an even number of nodes) is odd.
+
+For more information on cluster quorum, see [Understand cluster quorum](/windows-server/storage/storage-spaces/understand-quorum).
++
+## Cluster quorum and witness on Azure Stack Edge
+
+Windows Server Failover Clustering is implemented on a two-node Azure Stack Edge device. A quorum is always maintained on your Azure Stack Edge cluster so that the device can remain online in the event of a failure. If one of the nodes fails, then the majority of the surviving nodes must verify that the cluster remains online. The concept of majority only exists for clusters with an odd number of nodes.
+
+For an Azure Stack Edge cluster with two nodes, if a node fails, then a cluster witness provides the third vote so that the cluster stays online (since the cluster is left with 2/3 votes - a majority).
+
+## Cluster witness on Azure Stack Edge
+
+A two-node Azure Stack Edge cluster requires a cluster witness, so that if one of the Azure Stack Edge nodes fails, the cluster witness accounts for the third vote, and the cluster stays online (since the cluster is left with 2/3 votes - a majority). On the other hand, if both the device nodes fail simultaneously, or a second Azure Stack Edge node fails after the first has failed, there is no majority vote, and the cluster goes offline.
+
+
+
+This system requires both Azure Stack Edge nodes to have connectivity to each other and the cluster witness. If the cluster witness were to go offline or lose connectivity with either of the device nodes, the total number of votes in the event of a single Azure Stack Edge node failure would be even. In this case, Windows Server Failover Clustering will try to remediate this by arbitrarily picking a device node that will not get to vote (in order to make the total number of votes odd). In this case, if the Azure Stack Edge node that failed happened to be the one that got the single vote in the Azure Stack Edge cluster, there will be no majority vote and the cluster will go offline. This is why, in order to prevent the Azure Stack Edge cluster from going offline in the event of a single device node failure, it is important for the cluster witness to be online and have connectivity to both the device nodes.
++
+### Witness requirements
+
+Cluster witness can be in the cloud or live locally. In each case, there are certain requirements that the witness must meet.
+
+- **Cloud witness requirements**
+
+ - Both the device nodes in the cluster should have a reliable internet connection.
+ - Make sure that the HTTPS default port 443 is open on your device as cloud witness uses this port to establish outbound communication with the Azure blob service.
+
+- **Local witness requirements**
+
+ - SMB 2.0 File share is created on-premises but not on the nodes of your device.
+ - A minimum of 5 MB of free space exists on the file share.
+ - Your device can access the file share over the network.
+
+### Cluster witness setup and configuration
+
+In order for the witness to have an independent vote, it must always be hosted outside of the Azure Stack Edge nodes in the device cluster. The witness can be deployed in either of the following ways.
+
+- **Cloud witness** - Use the cloud witness when both the nodes on your Azure Stack Edge cluster are connected to Azure. To set up a cloud witness, use an Azure Storage account in the cloud and configure the witness via the local UI of the device.
+
+ We recommend that you deploy the cloud witness with redundant connections so that the witness is highly available. For more information, see [Set up cloud witness via the local UI](azure-stack-edge-gpu-manage-cluster.md#configure-cloud-witness).
+
+- **Local witness** - Use the local witness when both the nodes are not connected to Azure or have sporadic connectivity. If you're in an IT environment with other machines and file shares, use a file share witness. To set up a local witness, you can use an SMB fileshare on a local server in the network where the device is deployed and configure the fileshare path to the server via the local UI.
+
+ We recommend that you deploy the witness in a way that it is highly available. For example, a switch running a file server could be used to host a file share. For more information, see [Set up local witness via the local UI](azure-stack-edge-gpu-manage-cluster.md#configure-local-witness).
++
+
+## Next steps
+
+- Learn how to [Configure cloud witness for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-manage-cluster.md#configure-cloud-witness).
+- Learn how to [Set up local witness for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-manage-cluster.md#configure-local-witness).
+++
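Review bot: In the local-witness requirements (the bullets from "SMB 2.0 File share is created on-premises but not on the nodes of your device" through "Your device can access the file share over the network"), the list says the device must reach the share but not what access the device needs on it; since the witness is what keeps the cluster online after a node failure, document the required share permissions so readers neither leave the share open to everyone nor lock the cluster out of its own witness. In the cloud-witness bullet, "Make sure that the HTTPS default port 443 is open" should say outbound (the sentence itself says the witness establishes outbound communication with the Azure blob service), so that nobody adds an inbound rule for it. The first paragraph repeats "In this case" in consecutive sentences; it can be compressed to: a witness that loses connectivity leaves an even vote count, failover clustering then removes one node's vote, and if that node turns out to be the survivor the cluster goes offline. "Use the local witness when both the nodes are not connected to Azure" is ambiguous about whether one or both nodes must be offline; "when the nodes aren't connected to Azure or have only sporadic connectivity" reads more clearly. "a switch running a file server could be used to host a file share" is an unusual example of a highly available host; a dedicated or clustered file server is the recommendation readers will expect. The stray "++" lines after the first paragraph and before "## Next steps" look like collapsed blank lines.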
databox-online Azure Stack Edge Gpu Clustering Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-clustering-overview.md
+
+ Title: Overview of clustering on your Azure Stack Edge Pro GPU device
+description: Describes an overview of clustering on your Azure Stack Edge Pro GPU device.
++++++ Last updated : 02/15/2022+++
+# Clustering on your Azure Stack Edge Pro GPU device
+
+This article provides a brief overview of clustering on your Azure Stack Edge device.
+
+## About failover clustering
+
+Azure Stack Edge can be set up as a single standalone device or a two-node cluster. A two-node cluster consists of two independent Azure Stack Edge devices that are connected by physical cables and by software. These nodes when clustered work together as in a Windows failover cluster, provide high availability for applications and services that are running on the cluster.
+
+If one of the clustered nodes fails, the other node begins to provide service (the process is known as failover). The clustered roles are also proactively monitored to make sure that theyΓÇÖre working properly. If they arenΓÇÖt working, theyΓÇÖre restarted or moved to the second node.
+
+Azure Stack Edge uses Windows Server Failover Clustering for its two-node cluster. For more information, see [Failover clustering in Windows Server](/windows-server/failover-clustering/failover-clustering-overview).
+
+## Cluster quorum and witness
+
+A quorum is always maintained on your Azure Stack Edge cluster to remain online in the event of a failure. If one of the nodes fails, then the majority of the surviving nodes must verify that the cluster remains online. The concept of majority only exists for clusters with an odd number of nodes. For more information on cluster quorum, see [Understand quorum](/windows-server/storage/storage-spaces/understand-quorum).
+
+For an Azure Stack Edge cluster with two nodes, if a node fails, then a cluster witness provides the third vote so that the cluster stays online (since the cluster is left with two out of three votes - a majority). A cluster witness is required on your Azure Stack Edge cluster. You can set up the witness in the cloud or in a local fileshare using the local UI of your device.
+
+For more information on cluster witness, see [Cluster witness on Azure Stack Edge](azure-stack-edge-gpu-cluster-witness-overview.md).
++
+## Infrastructure cluster
+
+The infrastructure cluster on your device provides persistent storage and is shown in the following diagram:
+
+![Infrastructure cluster of Azure Stack Edge](media/azure-stack-edge-gpu-clustering-overview/azure-stack-edge-infrastructure-cluster.png)
+
+- The infrastructure cluster consists of the two independent nodes running Windows Server operating system with a Hyper-V layer. The nodes contain physical disks for storage and network interfaces that are connected back-to-back or with switches.
+- The disks across the two nodes are used to create a logical storage pool. The storage spaces direct on this pool provides mirroring and parity for the cluster.
+- You can deploy your application workloads on top of the infrastructure cluster.
+
+ - Non-containerized workloads such as VMs can be directly deployed on top of the infrastructure cluster.
+
+ ![VMs workloads deployed on infrastructure cluster of Azure Stack Edge](media/azure-stack-edge-gpu-clustering-overview/azure-stack-edge-virtual-machine-workloads-infrastructure-cluster.png)
+
+ - Containerized workloads use Kubernetes for workload deployment and management. A Kubernetes cluster that consists of a master VM and two worker VMs (one for each node) is deployed on top of the infrastructure cluster.
+
+ <!--![Kubernetes or IoT Edge workloads deployed on infrastructure cluster of Azure Stack Edge](media/azure-stack-edge-gpu-clustering-overview/azure-stack-edge-kubernetes-workloads-infrastructure-cluster.png)-->
+
+ The Kubernetes cluster allows for application orchestration whereas the infrastructure cluster provides persistent storage.
++
+## Supported networking topologies
+
+On your Azure Stack Edge device node:
+
+- Port 2 is used for management traffic.
+- Port 3 and Port 4 are used for storage and cluster traffic. This traffic includes that needed for storage mirroring and Azure Stack Edge cluster heartbeat traffic that is required for the cluster to be online.
+
+Based on the use-case and workloads, you can select how the two Azure Stack Edge nodes will be connected. The following networking topologies are available:
+
+![Available network topologies](media/azure-stack-edge-gpu-clustering-overview/azure-stack-edge-network-topologies.png)
+
+1. **Switchless** - Use this option when you don't have high speed switches available in the environment for storage and cluster traffic.
+
+ In this option, Port 3 and Port 4 are connected back-to-back without a switch. These ports are dedicated to storage and Azure Stack Edge cluster traffic and aren't available for workload traffic. <!--For example, these ports can't be enabled for compute--> Optionally you can also provide IP addresses for these ports.
++
+1. **Using switches and NIC teaming** - Use this option when you have high speed switches available for use with your device nodes for storage and cluster traffic.
+
+ Each of ports 3 and 4 of the two nodes of your device are connected via an external switch. The Port 3 and Port 4 are teamed on each node and a virtual switch and two virtual NICs are created that allow for port-level redundancy for storage and cluster traffic. These ports can be used for workload traffic as well.
+
+
+1. **Using switches and without NIC teaming** - Use this option when you need an extra dedicated port for workload traffic and port-level redundancy isnΓÇÖt required for storage and cluster traffic.
+
+ Port 3 on each node is connected via an external switch. If Port 3 fails, the cluster may go offline. Separate virtual switches are created on Port 3 and Port 4.
+
+For more information, see how to [Choose a network topology for your device node](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-network).
++
+## Cluster deployment
+
+Before you configure clustering on your device, you must cable the devices as per one of the supported network topologies that you intend to configure. To deploy a two-node infrastructure cluster on your Azure Stack Edge devices, follow these high-level steps:
+
+![Azure Stack Edge clustering deployment](media/azure-stack-edge-gpu-clustering-overview/azure-stack-edge-clustering-deployment-1.png)
+
+1. Order two independent Azure Stack Edge devices. For more information, see [Order an Azure Stack Edge device](azure-stack-edge-gpu-deploy-prep.md#create-a-new-resource).
+1. Cable each node independently as you would for a single node device. Based on the workloads that you intend to deploy, cross connect the network interfaces on these devices via cables, and with or without switches. For detailed instructions, see [Cable your two-node cluster device](azure-stack-edge-gpu-deploy-install.md#cable-the-device).
+1. Start cluster creation on the first node. Choose the network topology that conforms to the cabling across the two nodes. The chosen topology would dictate the storage and clustering traffic between the nodes. See detailed steps in [Configure network and web proxy on your device](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md).
+1. Prepare the second node. Configure the network on the second node the same way you configured it on the first node. Get the authentication token on this node.
+1. Use the authentication token from the prepared node and join this node to the first node to form a cluster.
+1. Set up a cloud witness using an Azure Storage account or a local witness on an SMB fileshare.
+1. Assign a virtual IP to provide an endpoint for Azure Consistent Services or when using NFS.
+1. Assign compute or management intents to the virtual switches created on the network interfaces. You may also configure Kubernetes node IPs and Kubernetes service IPs here for the network interface enabled for compute.
+1. Optionally configure web proxy, set up device settings, configure certificates and then finally, activate the device.
+
+For more information, see the two-node device deployment tutorials starting with [Get deployment configuration checklist](azure-stack-edge-gpu-deploy-checklist.md).
+
+## Clustering workloads
+
+On your two-node cluster, you can deploy non-containerized workloads or containerized workloads.
+
+- **Non-containerized workloads such as VMs**: The two-node cluster will ensure high availability of the virtual machines that are deployed on the device cluster. <!--Your two-node device actively manages capacity to ensure successful failover of the deployed VMs.--> Live migration of VMs isnΓÇÖt supported.
+
+- **Containerized workloads such as Kubernetes or IoT Edge**: The Kubernetes cluster deployed on top of the device cluster consists of one Kubernetes master VM and two Kubernetes worker VMs. Each Kubernetes node has a worker VM that is pinned to each Azure Stack Edge node. Failover results in the failover of Kubernetes master VM (if needed) and Kubernetes-based rebalancing of pods on the surviving worker VM.
+
+ For more information, see [Kubernetes on a clustered Azure Stack Edge device](azure-stack-edge-gpu-kubernetes-failover-scenarios.md).
++
+## Cluster management
+
+You can manage the Azure Stack Edge cluster via the PowerShell interface of the device, or through the local UI. Some typical management tasks are:
+
+- [Undo node preparation](azure-stack-edge-gpu-manage-cluster.md#undo-node-preparation)
+- [Configure cloud witness](azure-stack-edge-gpu-manage-cluster.md#configure-cloud-witness)
+- [Set up a local witness](azure-stack-edge-gpu-manage-cluster.md#configure-local-witness)
+- [Configure virtual IP settings](azure-stack-edge-gpu-manage-cluster.md#configure-virtual-ips)
+- [Remove the cluster](azure-stack-edge-gpu-manage-cluster.md#remove-the-cluster)
++
+## Cluster updates
+
+A two-node clustered device upgrade will first apply the device updates followed by the Kubernetes cluster updates. Rolling updates to device nodes ensure minimal downtime of workloads.
+
+When you apply these updates via the Azure portal, you only have to start the process on one node and both the nodes are updated.For step-by-step instructions, see [Apply updates to your two-node Azure Stack Edge device](azure-stack-edge-gpu-install-update.md).
+
+## Billing
+
+If you deploy an Azure Stack Edge two-node cluster, each node is billed separately. For more information, see [Pricing page for Azure Stack Edge](https://azure.microsoft.com/pricing/details/azure-stack/edge/#pricing).
+
+## Next steps
+
+- Learn about [Cluster witness for your Azure Stack Edge](azure-stack-edge-gpu-cluster-witness-overview.md).
+- See [Kubernetes for your Azure Stack Edge](azure-stack-edge-gpu-kubernetes-overview.md)
+- Understand [Cluster failover scenarios](azure-stack-edge-gpu-cluster-failover-scenarios.md)
++
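Review bot: In "Cluster quorum and witness", "The concept of majority only exists for clusters with an odd number of nodes" conflicts with the next paragraph, where a two-node cluster reaches a majority because the witness provides a third vote; the sentence should say an odd number of votes, not nodes, and "the majority of the surviving nodes must verify that the cluster remains online" should say that the surviving voters must hold a majority of the votes for the cluster to stay online. Several lines contain "ΓÇÖ" where a curly apostrophe was intended ("theyΓÇÖre", "isnΓÇÖt"), which is UTF-8 text rendered through a legacy code page; use plain ASCII apostrophes or fix the file encoding. Grammar: "These nodes when clustered work together as in a Windows failover cluster, provide high availability" is missing a conjunction ("work together as a Windows failover cluster and provide"); "Each of ports 3 and 4 of the two nodes of your device are connected" should be "is connected"; "storage spaces direct" is the product name Storage Spaces Direct; "both the nodes are updated.For step-by-step" is missing a space. In the "Using switches and without NIC teaming" option, "If Port 3 fails, the cluster may go offline" is the caveat that matters when choosing a topology; state it in the option's first sentence as the trade-off for the extra workload port, since readers pick from that line.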
databox-online Azure Stack Edge Gpu Create Virtual Switch Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-create-virtual-switch-powershell.md
Previously updated : 06/25/2021 Last updated : 02/15/2022
Before you begin, make sure that:
The client machine should be running a [Supported OS](azure-stack-edge-gpu-system-requirements.md#supported-os-for-clients-connected-to-device). -- Use the local UI to enable compute on one of the physical network interfaces on your device as per the instructions in [Enable compute network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#enable-compute-network) on your device.
+- Use the local UI to enable compute on one of the physical network interfaces on your device as per the instructions in [Enable compute network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches-and-compute-ips) on your device.
## Connect to the PowerShell interface
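Review bot: The updated link still reads "Enable compute network" while its target anchor is now "#configure-virtual-switches-and-compute-ips"; rename the link text to match the target heading so readers know which section they are being sent to. In this rendering the removed bullet is run onto the end of the preceding context line ("...supported-os-for-clients-connected-to-device). -- Use the local UI..."), so the line break before that bullet is worth checking in the source.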
databox-online Azure Stack Edge Gpu Deploy Arc Kubernetes Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-arc-kubernetes-cluster.md
Before you enable Azure Arc on the Kubernetes cluster, you will need to enable a
![Register Kubernetes resource providers 3](media/azure-stack-edge-gpu-connect-powershell-interface/register-k8-resource-providers-4.png)
-You can also register resource providers via the `az cli`. For more information, see [Register the two providers for Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md#1-register-providers-for-azure-arc-enabled-kubernetes).
+You can also register resource providers via the `az cli`. For more information, see [Register the two providers for Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md#register-providers-for-azure-arc-enabled-kubernetes).
## Create service principal, assign role
databox-online Azure Stack Edge Gpu Deploy Checklist https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-checklist.md
Previously updated : 06/07/2021 Last updated : 01/28/2022
+zone_pivot_groups: azure-stack-edge-device-deployment
# Deployment checklist for your Azure Stack Edge Pro GPU device This article describes the information that can be gathered ahead of the actual deployment of your Azure Stack Edge Pro device.
-Use the following checklist to ensure you have this information after you have placed an order for an Azure Stack Edge Pro device and before you have received the device.
+Use the following checklist to ensure you have this information after youΓÇÖve placed an order for an Azure Stack Edge Pro device and before youΓÇÖve received the device.
## Deployment checklist + | Stage | Parameter | Details | |--|-|-|
-| Device management | <li>Azure subscription</li><li>Resource providers registered</li><li>Azure Storage account</li>|<li>Enabled for Azure Stack Edge Pro/Data Box Gateway, owner or contributor access.</li><li>In Azure portal, go to **Home > Subscriptions > Your-subscription > Resource providers**. Search for `Microsoft.DataBoxEdge` and register. Repeat for `Microsoft.Devices` if deploying IoT workloads.</li><li>Need access credentials</li> |
+| Device management | <li>Azure subscription</li><li>Resource providers registered</li><li>Azure Storage account</li>|<li>Enabled for Azure Stack Edge, owner or contributor access.</li><li>In Azure portal, go to **Home > Subscriptions > Your-subscription > Resource providers**. Search for `Microsoft.EdgeOrder` and register. Repeat for `Microsoft.Devices` if deploying IoT workloads.</li><li>Need access credentials</li> |
| Device installation | Power cables in the package. <br>For US, an SVE 18/3 cable rated for 125 V and 15 Amps with a NEMA 5-15P to C13 (input to output) connector is shipped. | For more information, see the list of [Supported power cords by country](azure-stack-edge-technical-specifications-power-cords-regional.md) |
-| | <li>At least 1 X 1-GbE RJ-45 network cable for Port 1 </li><li> At least 1 X 25/10-GbE SFP+ copper cable for Port 3, Port 4, Port 5, or Port 6</li>| Customer needs to procure these cables.<br>For a full list of supported network cables, switches, and transceivers for device network cards from Cavium, see [Cavium FastlinQ 41000 Series Interoperability Matrix](https://www.marvell.com/documents/xalflardzafh32cfvi0z/)<br>For a full list of supported cables and modules for 25 GbE and 10 GbE from Mellanox, see [Mellanox dual port 25G ConnectX-4 channel network adapter compatible products](https://docs.mellanox.com/display/ConnectX4LxFirmwarev14271016/Firmware+Compatible+Products).|
+| | <li>At least one 1-GbE RJ-45 network cable for Port 1 </li><li> At least one 25/10-GbE SFP+ copper cable for Port 3, Port 4, Port 5, or Port 6</li>| Customer needs to procure these cables.<br>For a full list of supported network cables, switches, and transceivers for device network cards from Cavium, see [Cavium FastlinQ 41000 Series Interoperability Matrix](https://www.marvell.com/documents/xalflardzafh32cfvi0z/)<br>For a full list of supported cables and modules for 25 GbE and 10 GbE from Mellanox, see [Mellanox dual port 25G ConnectX-4 channel network adapter compatible products](https://docs.mellanox.com/display/ConnectX4LxFirmwarev14271016/Firmware+Compatible+Products).|
+| First-time device connection | <li>Laptop whose IPv4 settings can be changed. This laptop connects to Port 1 via a switch or a USB to Ethernet adaptor. </li><!--<li> A minimum of 1 GbE switch must be used for the device once the initial setup is complete. The local web UI will not be accessible if the connected switch is not at least 1 Gbe.</li>-->| |
+| Device sign-in | Device administrator password, between 8 and 16 characters, including three of the following character types: uppercase, lowercase, numeric, and special characters. | Default password is *Password1*, which expires at first sign-in. |
+| Network settings | Device comes with 2 x 1-GbE, 4 x 25-GbE network ports. <li>Port 1 is used for initial configuration only. One or more data ports can be connected and configured. </li><li> At least one data network interface from among Port 2 - Port 6 needs to be connected to the Internet (with connectivity to Azure).</li><li> DHCP and static IPv4 configuration supported. | Static IPv4 configuration requires IP, DNS server, and default gateway. |
+| Advanced networking settings | <li>Require 2 free, static, contiguous IPs for Kubernetes nodes, and one static IP for IoT Edge service.</li><li>Require one additional IP for each extra service or module that you'll deploy.</li>| Only static IPv4 configuration is supported.|
+| (Optional) Web proxy settings | <li>Web proxy server IP/FQDN, port </li><li>Web proxy username, password</li> | |
+| Firewall and port settings | If using firewall, make sure the [listed URLs patterns and ports](azure-stack-edge-system-requirements.md#networking-port-requirements) are allowed for device IPs. | |
+| (Recommended) Time settings | Configure time zone, primary NTP server, secondary NTP server. | Configure primary and secondary NTP server on local network.<br>If local server isnΓÇÖt available, public NTP servers can be configured. |
+| (Optional) Update server settings | <li>Require update server IP address on local network, path to WSUS server. </li> | By default, public windows update server is used.|
+| Device settings | <li>Device fully qualified domain name (FQDN) </li><li>DNS domain</li> | |
+| (Optional) Certificates | To test non-production workloads, use [Generate certificates option](azure-stack-edge-gpu-deploy-configure-certificates.md#generate-device-certificates) <br><br> If you bring your own certificates including the signing chain(s), [Add certificates](azure-stack-edge-gpu-deploy-configure-certificates.md#bring-your-own-certificates) in appropriate format.| Configure certificates only if you change the device name and/or DNS domain. |
+| Activation | Require activation key from the Azure Stack Edge resource. | Once generated, the key expires in three days. |
+++++
+| Stage | Parameter | Details |
+|--|-|-|
+| Device management | <li>Azure subscription</li><li>Resource providers registered</li><li>Azure Storage account</li>|<li>Enabled for Azure Stack Edge, owner or contributor access.</li><li>In Azure portal, go to **Home > Subscriptions > Your-subscription > Resource providers**. Search for `Microsoft.EdgeOrder` and register. Repeat for `Microsoft.Devices` if deploying IoT workloads.</li><li>Need access credentials</li> |
+| Device installation | Four power cables for the two device nodes in the package. <br>For US, an SVE 18/3 cable rated for 125 V and 15 Amps with a NEMA 5-15P to C13 (input to output) connector is shipped. | For more information, see the list of [Supported power cords by country](azure-stack-edge-technical-specifications-power-cords-regional.md) |
+| | <li>At least two 1-GbE RJ-45 network cables for Port 1 on the two device nodes </li><li> You would need two 1-GbE RJ-45 network cables to connect Port 2 on each device node to the internet. Depending on the network topology you wish to deploy, you also need SFP+ copper cables to connect Port 3 and Port 4 across the device nodes and also from device nodes to the switches. See the [Supported network topologies](azure-stack-edge-gpu-clustering-overview.md#supported-networking-topologies). </li>| Customer needs to procure these cables.<br>For a full list of supported network cables, switches, and transceivers for device network cards from Cavium, see [Cavium FastlinQ 41000 Series Interoperability Matrix](https://www.marvell.com/documents/xalflardzafh32cfvi0z/)<br>For a full list of supported cables and modules for 25 GbE and 10 GbE from Mellanox, see [Mellanox dual port 25G ConnectX-4 channel network adapter compatible products](https://docs.mellanox.com/display/ConnectX4LxFirmwarev14271016/Firmware+Compatible+Products).|
| First-time device connection | <li>Laptop whose IPv4 settings can be changed. This laptop connects to Port 1 via a switch or a USB to Ethernet adaptor. </li><!--<li> A minimum of 1 GbE switch must be used for the device once the initial setup is complete. The local web UI will not be accessible if the connected switch is not at least 1 Gbe.</li>-->| | | Device sign-in | Device administrator password, between 8 and 16 characters, including three of the following character types: uppercase, lowercase, numeric, and special characters. | Default password is *Password1*, which expires at first sign-in. |
-| Network settings | Device comes with 2 x 1-GbE, 4 x 25-GbE network ports. <li>Port 1 is used to configure management settings only. One or more data ports can be connected and configured. </li><li> At least one data network interface from among Port 2 - Port 6 needs to be connected to the Internet (with connectivity to Azure).</li><li> DHCP and static IPv4 configuration supported. | Static IPv4 configuration requires IP, DNS server, and default gateway. |
-| Compute network settings | <li>Require 2 free, static, contiguous IPs for Kubernetes nodes, and 1 static IP for IoT Edge service.</li><li>Require one additional IP for each extra service or module that you'll deploy.</li>| Only static IPv4 configuration is supported.|
+| Network settings | Each device node has 2 x 1-GbE, 4 x 25-GbE network ports. <li>Port 1 is used for initial configuration only. </li><li>Port 2 must be connected to the Internet (with connectivity to Azure). Port 3 and Port 4 must be configured and connected across the two device nodes in accordance with the network topology you intend to deploy. You can choose from one of the three [Supported network topologies](azure-stack-edge-gpu-clustering-overview.md#supported-networking-topologies). </li><li> DHCP and static IPv4 configuration supported. | Static IPv4 configuration requires IP, DNS server, and default gateway. |
+| Advanced networking settings | <li>Require 2 free, static, contiguous IPs for Kubernetes nodes, and one static IP for IoT Edge service.</li><li>Require one additional IP for each extra service or module that you'll deploy.</li>| Only static IPv4 configuration is supported.|
| (Optional) Web proxy settings | <li>Web proxy server IP/FQDN, port </li><li>Web proxy username, password</li> | | | Firewall and port settings | If using firewall, make sure the [listed URLs patterns and ports](azure-stack-edge-system-requirements.md#networking-port-requirements) are allowed for device IPs. | |
-| (Recommended) Time settings | Configure time zone, primary NTP server, secondary NTP server. | Configure primary and secondary NTP server on local network.<br>If local server is not available, public NTP servers can be configured. |
+| (Recommended) Time settings | Configure time zone, primary NTP server, secondary NTP server. | Configure primary and secondary NTP server on local network.<br>If local server isnΓÇÖt available, public NTP servers can be configured. |
| (Optional) Update server settings | <li>Require update server IP address on local network, path to WSUS server. </li> | By default, public windows update server is used.| | Device settings | <li>Device fully qualified domain name (FQDN) </li><li>DNS domain</li> | | | (Optional) Certificates | To test non-production workloads, use [Generate certificates option](azure-stack-edge-gpu-deploy-configure-certificates.md#generate-device-certificates) <br><br> If you bring your own certificates including the signing chain(s), [Add certificates](azure-stack-edge-gpu-deploy-configure-certificates.md#bring-your-own-certificates) in appropriate format.| Configure certificates only if you change the device name and/or DNS domain. |
-| Activation | Require activation key from the Azure Stack Edge Pro/ Data Box Gateway resource. | Once generated, the key expires in 3 days. |
+| Activation | Require activation key from the Azure Stack Edge resource. | Once generated, the key expires in three days. |
-<!--
-| (Optional) MAC Address | If MAC address needs to be on the allowed list, get the address of the connected port from local UI of the device. | |
-| (Optional) Network switch port | Device hosts Hyper-V VMs for compute. Some network switch port configurations donΓÇÖt accommodate these setups by default. | |-->
## Next steps
-Prepare to deploy your [Azure Stack Edge Pro device](azure-stack-edge-gpu-deploy-prep.md).
+
+Prepare to deploy your [Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-deploy-prep.md).
++
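Review bot: The "Device management" row now tells readers to register `Microsoft.EdgeOrder` in place of `Microsoft.DataBoxEdge`; confirm that the DataBoxEdge provider is no longer required for the device-management stage, since the new name reads like the ordering provider and dropping a required provider would surface as a failure at resource creation. Numeral style is inconsistent within one cell: "Require 2 free, static, contiguous IPs for Kubernetes nodes, and one static IP" (the same change converts "1 X" to "one" in the cabling row). "listed URLs patterns" should be "listed URL patterns", and "public windows update server" should be "public Windows Update server". The two-node cable row writes "internet" while the network-settings rows write "Internet". The checklist table appears twice in this rendering (once after "## Deployment checklist +" and again after "+++++"), so the zone pivot markers that separate the single-node and two-node tables appear to have been dropped; verify that the pivots render as intended. Several context rows are run together on a single line (for example "...| | | Device sign-in | ..."), so the table row breaks should be checked as well.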
databox-online Azure Stack Edge Gpu Deploy Configure Certificates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-configure-certificates.md
Previously updated : 02/08/2022 Last updated : 02/15/2022
+zone_pivot_groups: azure-stack-edge-device-deployment
# Customer intent: As an IT admin, I need to understand how to configure certificates for Azure Stack Edge Pro GPU so I can use it to transfer data to Azure. # Tutorial: Configure certificates for your Azure Stack Edge Pro with GPU + This tutorial describes how you can configure certificates for your Azure Stack Edge Pro device with an onboard GPU by using the local web UI. ++
+This tutorial describes how you can configure certificates for your 2-node Azure Stack Edge Pro GPU device by using the local web UI.
++ The time taken for this step can vary depending on the specific option you choose and how the certificate flow is established in your environment. In this tutorial, you learn about:
Before you configure and set up your Azure Stack Edge Pro device with GPU, make
## Configure certificates for device
-1. In the **Certificates** page, you will configure your certificates. Depending on whether you changed the device name or the DNS domain in the **Device** page, you can choose one of the following options for your certificates.
- - If you have not changed the device name or the DNS domain in the earlier step and do not wish to bring your own certificates, then you can skip this step and proceed to the next step. The device has automatically generated self-signed certificates to begin with.
+
+1. Open the **Certificates** page in the local web UI of your device. This page will display the certificates available on your device. The device is shipped with self-signed certificates, also referred to as the device certificates. You can also bring your own certificates.
+1. If you didn't change the device name or DNS domain when you [configured device settings earlier](azure-stack-edge-gpu-deploy-set-up-device-update-time.md#configure-device-settings), and you don't want to use your own certificates, you don't need any configuration on this page. You just need to verify that the status of all the certificates shows as valid on this page.
- ![Screenshot of the Certificates page in the local web UI of Azure Stack Edge. The Certificates menu item is highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-2.png)
+ ![Screenshot of the Certificates page in the local web UI of Azure Stack Edge. The Certificates menu item is highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-2.png)
- - If you changed the device name or DNS domain, you will see that the status of certificates will show as **Not valid**.
+ You're ready to [Activate your device](azure-stack-edge-gpu-deploy-activate.md) with the existing device certificates.
- ![Screenshot of the Certificates page in the local web UI for Azure Stack Edge. Certificates with Not Valid status are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-1.png)
+1. Follow these steps only if you've changed the device name or the DNS domain for your device. In these instances, the status of your device certificates will be **Not valid**. That's because the device name and DNS domain in the certificates' `subject name` and `subject alternative` settings are out of date.
- Select a certificate to view the details of the status.
+ Select a certificate to view status details.
- ![Screenshot of Certificate Details for a certificate on the Certificates page of an Azure Stack Edge device. The selected certificate and certificate details are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-1-a.png)
+ ![Screenshot of Certificate Details for a certificate on the Certificates page of an Azure Stack Edge device. The selected certificate and certificate details are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-1-a.png)
- This is because the certificates do not reflect the updated device name and DNS domain (that are used in subject name and subject alternative). To successfully activate your device, choose one of the following options:
+1. If you've changed the device name or DNS domain of your device, and you don't provide new certificates, **activation of the device will be blocked**. To use a new set of certificates on your device, choose one of the following options:
- - **Generate all the device certificates**. These device certificates should only be used for testing and not used with production workloads. For more information, go to [Generate device certificates on your Azure Stack Edge Pro GPU](#generate-device-certificates).
+ - **Generate all the device certificates**. Select this option, and then complete the steps in [Generate device certificates](#generate-device-certificates), if you plan to use automatically generated device certificates and need to generate new device certificates. You should only use these device certificates for testing, not with production workloads.
- - **Bring your own certificates**. You can bring your own signed endpoint certificates and the corresponding signing chains. **We recommend that you always bring your own certificates for production workloads.** For more information, go to [Bring your own certificates on your Azure Stack Edge Pro GPU device](#bring-your-own-certificates).
+ - **Bring your own certificates**. Select this option, and then do the steps in [Bring your own certificates](#bring-your-own-certificates), if you want to use your own signed endpoint certificates and the corresponding signing chains. **We recommend that you always bring your own certificates for production workloads.**
- - You can bring some of your own certificates and generate some device certificates. The **Generate certificates** option will only regenerate the device certificates.
+ - You can choose to bring some of your own certificates and generate some device certificates. The **Generate all the device certificates** option only regenerates the device certificates.
+
+1. When you have a full set of valid certificates for your device, the device is ready for activation. Select **< Back to Get started** to proceed to the next deployment step, [Activate your device](azure-stack-edge-gpu-deploy-activate.md).
+
- - If you changed the device name or DNS domain, and you do not generate certificates or bring your own certificates, then the **activation will be blocked**.
+
+1. Open the **Certificates** page in the local web UI of your device. This page will display the certificates available on your device. The device is shipped with self-signed certificates, also referred to as the device certificates. You can also bring your own certificates.
+1. If you didn't change the device name or DNS domain when you [configured device settings earlier](azure-stack-edge-gpu-deploy-set-up-device-update-time.md#configure-device-settings), and you don't want to use your own certificates, you don't need any configuration on this page. You just need to verify that the status of all the certificates shows as valid on this page.
+
+ ![Screenshot of the Certificates page in the local web UI of Azure Stack Edge. The Certificates menu item is highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-2.png)
+
+ You're ready to [Activate your device](azure-stack-edge-gpu-deploy-activate.md) with the existing device certificates.
+
+1. Follow these steps only if you've changed the device name or the DNS domain for your device. In these instances, the status of your device certificates will be **Not valid**. That's because the device name and DNS domain in the certificates' `subject name` and `subject alternative` settings are out of date.
+
+ Select a certificate to view status details.
+
+ ![Screenshot of Certificate Details for a certificate on the Certificates page of an Azure Stack Edge device. The selected certificate and certificate details are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-1-a.png)
+
+1. If you've changed the device name or DNS domain of your device, and you don't provide new certificates, **activation of the device will be blocked**. To use a new set of certificates on your device, choose one of the following options:
+
+ - **Generate all the device certificates**. Select this option, and then complete the steps in [Generate device certificates](#generate-device-certificates), if you plan to use automatically generated device certificates and need to generate new device certificates. You should only use these device certificates for testing, not with production workloads.
+
+ - **Bring your own certificates**. Select this option, and then do the steps in [Bring your own certificates](#bring-your-own-certificates), if you want to use your own signed endpoint certificates and the corresponding signing chains. **We recommend that you always bring your own certificates for production workloads.**
+
+ - You can choose to bring some of your own certificates and generate some device certificates. The **Generate all the device certificates** option only regenerates the device certificates.
+
+1. When you have a full set of valid certificates for your device, the device is ready for activation. Select **< Back to Get started** to proceed to the next deployment step, [Activate your device](azure-stack-edge-gpu-deploy-activate.md).
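Review bot: the third option ("You can choose to bring some of your own certificates and generate some device certificates. The **Generate all the device certificates** option only regenerates the device certificates.") leaves the ordering and the overwrite behaviour undefined: it doesn't say whether selecting **Generate all the device certificates** replaces endpoint certificates the reader has already uploaded, or whether the reader is expected to generate first and then upload their own over the generated ones. State which it is, for example "Generate first; a certificate you upload afterwards replaces the generated certificate for that endpoint", or the reverse, whichever is true. The reason the generated certificates are test-only is also never given; since the page already says the device ships with self-signed device certificates, a clause such as "because they are self-signed and carry no signing chain your clients already trust" would justify the bolded production recommendation. Finally, the block from "Open the **Certificates** page" to "Select **< Back to Get started**" appears twice verbatim in this hunk; confirm that is intentional (one copy per zone pivot) rather than a paste error.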
+ ## Generate device certificates
Follow these steps to generate device certificates.
Use these steps to regenerate and download the Azure Stack Edge Pro GPU device certificates: + 1. In the local UI of your device, go to **Configuration > Certificates**. Select **Generate certificates**. ![Screenshot of the Certificates page in the local web UI of an Azure Stack Edge device. The Generate Certificates button is highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-3.png)
Use these steps to regenerate and download the Azure Stack Edge Pro GPU device c
![Screenshot showing downloaded certificates in Windows File Explorer. Certificates for an Azure Stack Edge device are highlighted.](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-8.png)
- The device generated certificates are saved as DER certificates with the following name format:
++
+1. In the local UI of your device, go to **Configuration > Certificates**. Select **Generate certificates**.
+
+ ![Generate and download certificate 1](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-3.png)
+
+2. In the **Generate device certificates**, select **Generate**.
+
+ ![Generate and download certificate 2](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-4.png)
+
+ The device certificates are now generated and applied. It takes a few minutes to generate and apply the certificates.
+
+ > [!IMPORTANT]
+ > While the certificate generation operation is in progress, do not bring your own certificates and try to add those via the **+ Add certificate** option.
+
+ You are notified when the operation is successfully completed. **To avoid any potential cache issues, restart your browser.**
+
+ ![Generate and download certificate 4](./media/azure-stack-edge-gpu-deploy-configure-certificates/generate-certificate-5.png)
+
+3. After the certificates are generated:
+
+ - The status of all the certificates shows as **Valid**.
+
+ ![Generate and download certificate 5](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-6.png)
+
+ - You can select a specific certificate name, and view the certificate details.
+
+ ![Generate and download certificate 6](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-6a.png)
+
+ - The **Download** column is now populated. This column has links to download the regenerated certificates.
+
+ ![Generate and download certificate 7](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-6b.png)
++
+4. Select the download link for a certificate and when prompted, save the certificate.
+
+ ![Generate and download certificate 8](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-7.png)
+
+5. Repeat this process for all the certificates that you wish to download.
+
+ ![Generate and download certificate 9](./media/azure-stack-edge-gpu-deploy-configure-certificates/cluster-generate-certificate-8.png)
++
+The device generated certificates are saved as DER certificates with the following name format:
+
+- `<Device name>_<Endpoint name>.cer`
- `<Device name>_<Endpoint name>.cer`. These certificates contain the public key for the corresponding certificates installed on the device.
+These certificates contain the public key for the corresponding certificates installed on the device.
You will need to install these certificates on the client system that you are using to access the endpoints on the Azure Stack Edge device. These certificates establish trust between the client and the device.
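Review bot: the closing instruction ("You will need to install these certificates on the client system ... These certificates establish trust between the client and the device") tells the reader to trust files they just downloaded from the device without saying how to verify them or where they go. Since the `.cer` files contain only the public key of each endpoint certificate, name the store (the client's trusted root store) and add a verification step: before importing, compare each file's thumbprint with the details shown when the reader selects the certificate name on the **Certificates** page (the "view the certificate details" step above; add the thumbprint to that view if it isn't displayed). That closes the gap between downloading a certificate over a not-yet-trusted connection and installing it as a trust anchor. It would also help to say what readers who brought their own certificates should do here, since the **Download** column is described as holding links only for the regenerated certificates.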
databox-online Azure Stack Edge Gpu Deploy Configure Compute https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-configure-compute.md
Previously updated : 03/08/2021 Last updated : 02/15/2022 # Customer intent: As an IT admin, I need to understand how to configure compute on Azure Stack Edge Pro so I can use it to transform the data before sending it to Azure.
<!--ALPA WILL VERIFY - [!INCLUDE [applies-to-skus](../../includes/azure-stack-edge-applies-to-all-sku.md)]-->
-This tutorial describes how to configure a compute role and create a Kubernetes cluster on your Azure Stack Edge Pro device.
+This tutorial describes how to configure a compute role and create a Kubernetes cluster on your Azure Stack Edge Pro GPU device.
This procedure can take around 20 to 30 minutes to complete.
In this tutorial, you learn how to:
Before you set up a compute role on your Azure Stack Edge Pro device, make sure that: - You've activated your Azure Stack Edge Pro device as described in [Activate Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-activate.md).-- Make sure that you've followed the instructions in [Enable compute network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#enable-compute-network) and:
+- Make sure that you've followed the instructions in [Enable compute network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches-and-compute-ips) and:
- Enabled a network interface for compute. - Assigned Kubernetes node IPs and Kubernetes external service IPs.
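Review bot: the link fix to `#configure-virtual-switches-and-compute-ips` is correct, but the two sub-bullets after it still describe the old flow: "Enabled a network interface for compute" no longer matches the target section, which now creates a virtual switch and assigns it the compute intent, so readers following the new section will find nothing to "enable". Reword to "Created a virtual switch with the compute intent" and keep "Assigned Kubernetes node IPs and Kubernetes external service IPs", which still applies. Minor: the intro line was changed to "Azure Stack Edge Pro GPU device" but the prerequisites sentence two lines later still says "Azure Stack Edge Pro device".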
databox-online Azure Stack Edge Gpu Deploy Configure Network Compute Web Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md
Previously updated : 07/07/2021 Last updated : 02/15/2022
+zone_pivot_groups: azure-stack-edge-device-deployment
# Customer intent: As an IT admin, I need to understand how to connect and activate Azure Stack Edge Pro so I can use it to transfer data to Azure. # Tutorial: Configure network for Azure Stack Edge Pro with GPU + This tutorial describes how to configure network for your Azure Stack Edge Pro device with an onboard GPU by using the local web UI. The connection process can take around 20 minutes to complete. ++
+This tutorial describes how to configure network for your two-node Azure Stack Edge Pro GPU device by using the local web UI.
+
+The procedure can take around 45 minutes to complete.
++ In this tutorial, you learn about: + > [!div class="checklist"]
->
> * Prerequisites > * Configure network
-> * Enable compute network
+> * Configure advanced networking
+> * Configure web proxy
+++
+> [!div class="checklist"]
+> * Prerequisites
+> * Select device setup type
+> * Configure network and network topology on both nodes
+> * Get authentication token for prepared node
+> * Configure cluster witness and add prepared node
+> * Configure virtual IP settings for Azure Consistent Services and NFS
+> * Configure advanced networking
> * Configure web proxy ## Prerequisites
Before you configure and set up your Azure Stack Edge Pro device with GPU, make
* You've connected to the local web UI of the device as detailed in [Connect to Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-connect.md) +
+## Configure setup type
+
+1. Go to the **Get started** page.
+1. In the **Set up a single node device** tile, select **Start**.
+
+ ![Screenshot of local web UI "Get started" page for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/setup-type-single-node-1.png)
++ ## Configure network
-Your **Get started** page displays the various settings that are required to configure and register the physical device with the Azure Stack Edge service.
+Your **Get started** page displays the various settings that are required to configure and activate the physical device with the Azure Stack Edge service.
Follow these steps to configure the network for your device.
Follow these steps to configure the network for your device.
2. On the **Network** tile, select **Configure**.
- ![Local web UI "Network settings" tile](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-1.png)
+ ![Screenshot of local web UI "Network" tile for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-1.png)
On your physical device, there are six network interfaces. PORT 1 and PORT 2 are 1-Gbps network interfaces. PORT 3, PORT 4, PORT 5, and PORT 6 are all 25-Gbps network interfaces that can also serve as 10-Gbps network interfaces. PORT 1 is automatically configured as a management-only port, and PORT 2 to PORT 6 are all data ports. For a new device, the **Network settings** page is as shown below.
- ![Local web UI "Network settings" page](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-2a.png)
+ ![Screenshot of local web UI "Network" page for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-2a.png)
3. To change the network settings, select a port and in the right pane that appears, modify the IP address, subnet, gateway, primary DNS, and secondary DNS. - If you select Port 1, you can see that it is preconfigured as static.
- ![Local web UI "Port 1 Network settings"](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-3.png)
+ ![Screenshot of local web UI "Port 1 Network settings" for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-3.png)
- If you select Port 2, Port 3, Port 4, or Port 5, all of these ports are configured as DHCP by default.
- ![Local web UI "Port 3 Network settings"](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-4.png)
+ ![Screenshot of local web UI "Port 3 Network settings" for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-4.png)
As you configure the network settings, keep in mind:
Follow these steps to configure the network for your device.
* If DHCP is enabled in your environment, network interfaces are automatically configured. An IP address, subnet, gateway, and DNS are automatically assigned. * If DHCP isn't enabled, you can assign static IPs if needed. * You can configure your network interface as IPv4.
- * On 25-Gbps interfaces, you can set the RDMA (Remote Direct Access Memory) mode to iWarp or RoCE (RDMA over Converged Ethernet). Where low latencies are the primary requirement and scalability is not a concern, use RoCE. When latency is a key requirement, but ease-of-use and scalability are also high priorities, iWARP is the best candidate.
- * Network Interface Card (NIC) Teaming or link aggregation is not supported with Azure Stack Edge.
- * Serial number for any port corresponds to the node serial number.
+ * Serial number for any port corresponds to the node serial number. <!--* On 25-Gbps interfaces, you can set the RDMA (Remote Direct Access Memory) mode to iWarp or RoCE (RDMA over Converged Ethernet). Where low latencies are the primary requirement and scalability is not a concern, use RoCE. When latency is a key requirement, but ease-of-use and scalability are also high priorities, iWARP is the best candidate.-->
+ <!--* Network Interface Card (NIC) Teaming or link aggregation is not supported with Azure Stack Edge. <!--NIC teaming should work for 2-node -->
Once the device network is configured, the page updates as shown below.
- ![Local web UI "Network settings" page 2](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-2.png)
+ ![Screenshot of local web UI "Network" page for fully configured one node. ](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-2.png)
> [!NOTE] > We recommend that you do not switch the local IP address of the network interface from static to DCHP, unless you have another IP address to connect to the device. If using one network interface and you switch to DHCP, there would be no way to determine the DHCP address. If you want to change to a DHCP address, wait until after the device has activated with the service, and then change. You can then view the IPs of all the adapters in the **Device properties** in the Azure portal for your service.
- After you have configured and applied the network settings, select **Next: Compute** to configure compute network.
+ After you have configured and applied the network settings, select **Next: Advanced networking** to configure compute network.
-## Enable compute network
+## Configure virtual switches and compute IPs
-Follow these steps to enable compute and configure compute network.
+Follow these steps to enable compute on a virtual switch and configure virtual networks.
-<!--1. Go to the **Get started** page in the local web UI of your device. On the **Network** tile, select **Compute network**.
+1. In the local UI, go to **Advanced networking** page.
+1. In the **Virtual switch** section, you'll assign compute intent to a virtual switch. Select **Add virtual switch** to create a new switch.
- ![Compute page in local UI 1](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/compute-network-1.png)-->
+ ![Screenshot of "Advanced networking" page in local UI for one node with Add virtual switch selected.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-1.png)
-1. In the **Compute** page, select a network interface that you want to enable for compute.
+1. In the **Network settings** blade, if using a new switch, provide the following:
- ![Compute page in local UI 2](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/compute-network-2.png)
-
-1. In the **Network settings** dialog, select **Enable**. When you enable compute, a virtual switch is created on your device on that network interface. The virtual switch is used for the compute infrastructure on the device.
+ 1. Provide a name for your virtual switch.
+ 1. Choose the network interface on which the virtual switch should be created.
+ 1. If deploying 5G workloads, set **Supports accelerated networking** to **Yes**.
+ 1. Select the intent to associate with this network interface as **compute**. Alternatively, the switch can be used for management traffic as well. You can't configure storage intent as storage traffic was already configured based on the network topology that you selected earlier.
-1. Assign **Kubernetes node IPs**. These static IP addresses are for the compute VM.
+ > [!TIP]
+ > Use *CTRL + Click* to select more than one intent for your virtual switch.
+
+1. Assign **Kubernetes node IPs**. These static IP addresses are for the Kubernetes VMs.
- For an *n*-node device, a contiguous range of a minimum of *n+1* IPv4 addresses (or more) are provided for the compute VM using the start and end IP addresses. Given Azure Stack Edge is a 1-node device, a minimum of 2 contiguous IPv4 addresses are provided.
+ For an *n*-node device, a contiguous range of a minimum of *n+1* IPv4 addresses (or more) are provided for the compute VM using the start and end IP addresses. For a 1-node device, provide a minimum of 2 contiguous IPv4 addresses.
+
+ > [!IMPORTANT]
+ > - Kubernetes on Azure Stack Edge uses 172.27.0.0/16 subnet for pod and 172.28.0.0/16 subnet for service. Make sure that these are not in use in your network. If these subnets are already in use in your network, you can change these subnets by running the `Set-HcsKubeClusterNetworkInfo` cmdlet from the PowerShell interface of the device. For more information, see [Change Kubernetes pod and service subnets](azure-stack-edge-gpu-connect-powershell-interface.md#change-kubernetes-pod-and-service-subnets).
+ > - DHCP mode is not supported for Kubernetes node IPs. If you plan to deploy IoT Edge/Kubernetes, you must assign static Kubernetes IPs and then enable IoT role. This will ensure that static IPs are assigned to Kubernetes node VMs.
+1. Assign **Kubernetes external service IPs**. These are also the load-balancing IP addresses. These contiguous IP addresses are for services that you want to expose outside of the Kubernetes cluster and you specify the static IP range depending on the number of services exposed.
+
> [!IMPORTANT]
- > Kubernetes on Azure Stack Edge uses 172.27.0.0/16 subnet for pod and 172.28.0.0/16 subnet for service. Make sure that these are not in use in your network. If these subnets are already in use in your network, you can change these subnets by running the `Set-HcsKubeClusterNetworkInfo` cmdlet from the PowerShell interface of the device. For more information, see [Change Kubernetes pod and service subnets](azure-stack-edge-gpu-connect-powershell-interface.md#change-kubernetes-pod-and-service-subnets).
+ > We strongly recommend that you specify a minimum of 1 IP address for Azure Stack Edge Hub service to access compute modules. You can then optionally specify additional IP addresses for other services/IoT Edge modules (1 per service/module) that need to be accessed from outside the cluster. The service IP addresses can be updated later.
+
+1. Select **Apply**.
+
+ ![Screenshot of "Advanced networking" page in local UI with fully configured Add virtual switch blade for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-2.png)
+
+1. The configuration takes a couple minutes to apply and you may need to refresh the browser. You can see that the specified virtual switch is created and enabled for compute.
+
+ ![Screenshot of "Advanced networking" page with virtual switch added and enabled for compute in local UI for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-3.png)
++
+To delete a virtual switch, under the **Virtual switch** section, select **Delete virtual switch**. When a virtual switch is deleted, the associated virtual networks will also be deleted.
+
+> [!IMPORTANT]
+> Only one virtual switch can be assigned for compute.
+
+### Configure virtual network
+
+You can add or delete virtual networks associated with your virtual switches. To add a virtual switch, follow these steps:
+
+1. In the local UI on the **Advanced networking** page, under the **Virtual network** section, select **Add virtual network**.
+1. In the **Add virtual network** blade, input the following information:
+
+ 1. Select a virtual switch for which you want to create a virtual network.
+ 1. Provide a **Name** for your virtual network.
+ 1. Enter a **VLAN ID** as a unique number in 1-4094 range.
+ 1. Specify the **Subnet mask** and **Gateway** for your virtual LAN network as per the physical network configuration.
+ 1. Select **Apply**.
+
+ ![Screenshot of how to add virtual network in "Advanced networking" page in local UI for one node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-virtual-network-one-node-1.png)
+
+To delete a virtual network, under the **Virtual network** section, select **Delete virtual network**.
+
+Select **Next: Web proxy** to configure web proxy.
++++
+## Configure setup type
+1. In the local UI for one of the devices, go to the **Get started** page.
+1. In the **Set up a 2-node cluster** tile, select **Start**.
-1. Assign **Kubernetes external service IPs**. These are also the load balancing IP addresses. These contiguous IP addresses are for services that you want to expose outside of the Kubernetes cluster and you specify the static IP range depending on the number of services exposed.
+ ![Local web UI "Set up a 2-node cluster" on "Get started" page](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/setup-type-two-node-1m.png)
+
+1. In the local UI for the second device, go to the **Get started** page.
+1. In the **Prepare a node** tile, select **Start**.
+
+ ![Local web UI "Prepare a node" on "Get started" page](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/setup-type-prepare-node-1m.png)
++
+## Configure network, topology
+
+You'll configure network as well as network topology on both the nodes. These steps can be done in parallel. The cabling on both nodes should be identical and should conform with the network topology you choose.
+
+### Configure network on first node
+
+To configure the network for a 2-node device, follow these steps on the first node of the device:
+
+1. In the local UI of the first node, in the **Network** tile, select **Needs setup**.
+
+ ![Local web UI "Network" tile](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/select-network-1m.png)
+
+1. In the **Network** page, configure the IP addresses for your network interfaces. On your physical device, there are six network interfaces. PORT 1 and PORT 2 are 1-Gbps network interfaces. PORT 3, PORT 4, PORT 5, and PORT 6 are all 25-Gbps network interfaces that can also serve as 10-Gbps network interfaces. PORT 1 is automatically configured as a management-only port, and PORT 2 to PORT 6 are all data ports. For a new device, the **Network settings** page is as shown below.
+
+ ![Local web UI "Advanced networking" page for a new device 1](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-network-interface-1.png)
+
+ To change the network settings, select a port and in the right pane that appears, modify the IP address, subnet, gateway, primary DNS, and secondary DNS. You can configure your network interface as IPv4.
+
+ ![Local web UI "Advanced networking" page for a new device 2](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-network-settings-1m.png)
+
+ As you configure the network settings, keep in mind:
+
+ * Make sure that Port 5 and Port 6 are connected for Network Function Manager deployments. For more information, see [Tutorial: Deploy network functions on Azure Stack Edge (Preview)](../network-function-manager/deploy-functions.md).
+ * If DHCP is enabled in your environment, network interfaces are automatically configured. An IP address, subnet, gateway, and DNS are automatically assigned. If DHCP isn't enabled, you can assign static IPs if needed.
+ * On 25-Gbps interfaces, you can set the RDMA (Remote Direct Access Memory) mode to iWarp or RoCE (RDMA over Converged Ethernet). Where low latencies are the primary requirement and scalability is not a concern, use RoCE. When latency is a key requirement, but ease-of-use and scalability are also high priorities, iWARP is the best candidate.
+ * Serial number for any port corresponds to the node serial number.
++
+ Once you apply the network settings, select **Next: Advanced networking >** to configure your network topology.
+
+### Configure network topology on first node
+
+1. In the **Advanced networking** page, choose the topology for cluster and the storage traffic between nodes from the following options:
+
+ - **Switchless**. Use this option when high-speed switches aren't available for storage and clustering traffic.
+ - **Use switches and NIC teaming**. Use this option when you need port level redundancy through teaming. NIC Teaming allows you to group two physical ports on the device node, Port 3 and Port 4 in this case, into two software-based virtual network interfaces. These teamed network interfaces provide fast performance and fault tolerance in the event of a network interface failure. For more information, see [NIC teaming on Windows Server](/windows-server/networking/technologies/nic-teaming/nic-teaming).
+ - **Use switches without NIC teaming**. Use this option if you need an extra port for workload traffic and port level redundancy is not required.
+
+ ![Local web UI "Network" page with "Use switches and NIC teaming" option selected](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/select-network-topology-1m.png)
+
+1. Make sure that your node is cabled as per the selected topology.
+1. Select **Apply**.
+1. You'll see a **Confirm network setting** dialog. This dialog reminds you to make sure that your node is cabled as per the network topology you selected. Once you choose the network cluster topology, you can't change this topology without a device reset. Select **Yes** to confirm the network topology.
+
+ ![Local web UI "Confirm network setting" dialog](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/confirm-network-setting-1.png)
+
+ The network topology setting takes a few minutes to apply and you see a notification when the settings are successfully applied.
+
+1. Once the network topology is applied, the **Network** page updates. For example, if you selected network topology that uses switches and NIC teaming, you will see that on a device node, a virtual switch **vSwitch1** is created at Port 2 and another virtual switch, **vSwitch2** is created on Port 3 and Port 4. Port 3 and Port 4 are teamed and then on the teamed network interface, two virtual network interfaces are created, **vPort3** and **vPort4**. The same is true for the second device node. The teamed network interfaces are then connected via switches.
+
+ ![Local web UI "Network" page updated](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/network-settings-updated-1.png)
+
+You'll now configure the network and the network topology of the second node.
+
+### Configure network on second node
+
+You'll now prepare the second node for clustering. You'll first need to configure the network. Follow these steps in the local UI of the second node:
+
+1. On the **Prepare a node for clustering** page, in the **Network** tile, select **Needs setup**.
+
+ ![Local web UI "Network" tile on second node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/select-network-2.png)
++
+### Configure network topology on second node
+
+1. Make sure that the second node is cabled as per the topology you selected for the first node. In the **Network** page, choose and **Apply** the same topology that you selected for the first node.
+
+ ![Local web UI "Network" page with "Use switches and NIC teaming" option selected on second node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/select-network-topology-2.png)
+
+1. Select **Back to get started**.
++
+## Get authentication token
+
+You'll now get the authentication token that will be needed when adding this node to form a cluster. Follow these steps in the local UI of the second node:
+
+1. On the **Prepare a node for clustering** page, in the **Get authentication token** tile, select **Prepare node**.
+
+ ![Local web UI "Get authentication token" tile with "Prepare node" option selected on second node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/select-get-authentication-token-1m.png)
+
+1. Select **Get token**.
+1. Copy the node serial number and the authentication token. You will use this information when you add this node to the cluster on the first node.
+
+ ![Local web UI "Get authentication token" on second node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/get-authentication-token-1m.png)
++
+## Configure cluster
+
+To configure the cluster, you'll need to establish a cluster witness and then add a prepared node. You'll also need to configure virtual IP settings so that you can connect to a cluster as opposed to a specific node.
++
+### Configure cluster witness
+
+You'll now create a cluster witness. A cluster witness helps establish quorum for a two-node device if a node goes down. To learn about quorum, see [Understanding quorum](/windows-server/failover-clustering/manage-cluster-quorum#understanding-quorum).
+
+A cluster witness can be:
+
+- **Cloud witness** if you use an Azure Storage account to provide a vote on cluster quorum. A cloud witness uses Azure Blob Storage to read or write a blob file and then uses it to arbitrate in split-brain resolution.
+
+ Use cloud witness when you have internet access. For more information on cloud witness, see [Deploy a cloud witness for Failover cluster](/windows-server/failover-clustering/deploy-cloud-witness).
+
+- **File share witness** if you use a local SMB file share to provide a vote in the cluster quorum. Use a file share witness if all the servers in a cluster have spotty internet connectivity or can't use disk witness as there aren't any shared drives.
+
+ Use file share witness if you're in an IT environment with other machines and file shares. For more information on file share witness, see [Deploy a file share witness for Failover cluster](/windows-server/failover-clustering/file-share-witness).
+
+Before you create a cluster witness, make sure that you've reviewed the cluster witness requirements.
+
+Follow these steps to configure the cluster witness.
+
+#### Configure cloud witness
+
+1. In the local UI of the first node, go to the **Cluster (Preview)** page. Under **Cluster witness type**, select **Modify**.
+
+ ![Local web UI "Cluster" page with "Modify" option selected for "Cluster witness" on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-1m.png)
+
+1. In the **Modify cluster witness** blade, enter the following inputs.
+ 1. Choose the **Witness type** as **Cloud.**
+ 1. Enter the **Azure Storage account name**.
+ 1. Specify Storage account authentication from Access key or SAS token.
+ 1. If you chose Access key as the authentication mechanism, enter the Access key of the Storage account, Azure Storage container where the witness lives, and the service endpoint.
+ 1. Select **Apply**.
+
+ ![Local web UI "Cluster" page with cloud witness type selected in "Modify cluster witness" blade on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-cloud-1m.png)
+
+#### Configure local witness
+
+1. In the local UI of the first node, go to the **Cluster** page. Under **Cluster witness type**, select **Modify**.
+
+ ![Local web UI "Cluster" page with "Modify" option selected for "Cluster witness" on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-1m.png)
+
+1. In the **Modify cluster witness** blade, enter the following inputs.
+ 1. Choose the **Witness type** as **Local.**
+ 1. Enter the file share path as *//server/fileshare* format.
+ 1. Select **Apply**.
+
+ ![Local web UI "Cluster" page with local witness type selected in "Modify cluster witness" blade on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-local-1m.png)
+++
+### Add prepared node to cluster
+
+You'll now add the prepared node to the first node and form the cluster. Before you add the prepared node, make sure the networking on the incoming node is configured in the same way as that of this node where you initiated cluster creation.
+
+1. In the local UI of the first node, go to the **Cluster** page. Under **Existing nodes**, select **Add node**.
+
+ ![Local web UI "Cluster" page with "Add node" option selected for "Existing" on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-node-1m.png)
++
+1. In the **Add node** blade, input the following information for the incoming node:
+
+ 1. Provide the serial number for the incoming node.
+ 1. Enter the authentication token for the incoming node.
+
+1. Select **Validate & add**. This step takes a few minutes.
+
+ ![Local web UI "Add node" page with "Add node" option selected for "Existing" on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-node-2m.png)
+
+ You see a notification when the node is successfully validated.
+
+1. The node is now ready to join the cluster. Select **Apply**. The cluster creation takes several minutes. Once the cluster is created, the page updates to show both the nodes are added.
++
+## Configure virtual IPs
+
+For Azure consistent services and NFS, you'll also need to define a virtual IP that allows you to connect to a clustered device as opposed to a specific node. A virtual IP is an available IP in the cluster network and any client connecting to the cluster network on the two-node device should be able to access this IP.
++
+### For Azure Consistent Services
+
+For Azure Consistent Services, follow these steps to configure virtual IP.
+
+1. In the local UI on the **Cluster** page, under the **Virtual IP settings** section, select **Azure Consistent Services**.
+
+ ![Local web UI "Cluster" page with "Azure Consistent Services" selected for "Virtual IP Settings" on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-azure-consistent-services-1m.png)
+
+1. In the **Virtual IP settings** blade, input the following.
+
+ 1. From the dropdown list, select the **Azure Consistent Services network**.
+ 1. Choose IP settings from **DHCP** or **static**.
+ 1. If you chose IP settings as static, enter a virtual IP. This should be a free IP from within the Azure Consistent Services network that you specified. If you selected DHCP, a virtual IP is automatically picked from the Azure Consistent Services network that you selected.
+1. Select **Apply**.
+
+ ![Local web UI "Cluster" page with "Virtual IP Settings" blade configured for Azure consistent services on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-azure-consistent-services-2m.png)
++
+### For Network File System
+
+For clients connecting via NFS protocol to the two-node device, follow these steps to configure virtual IP.
+
+1. In the local UI on the **Cluster** page, under the **Virtual IP settings** section, select **Network File System**.
+
+ ![Local web UI "Cluster" page with "Network File System" selected for "Virtual IP Settings" on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-network-file-system-1m.png)
+
+1. In the **Virtual IP settings** blade, input the following.
+
+ 1. From the dropdown list, select the **NFS network**.
+ 1. Choose IP settings from **DHCP** or **Static**.
+ 1. If you chose IP settings as static, enter a virtual IP. This should be a free IP from within the NFS network that you specified. If you selected DHCP, a virtual IP is automatically picked from the NFS network that you selected.
+1. Select **Apply**.
+
+ ![Local web UI "Cluster" page with "Virtual IP Settings" blade configured for NFS on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-network-file-system-2m.png)
+
+> [!NOTE]
+> Virtual IP settings are required. If you do not configure this IP, you will be blocked when configuring the **Device settings** in the next step.
+
+### Configure virtual switches and compute IPs
+
+After the cluster is formed and configured, you'll now create new virtual switches or assign intent to the existing virtual switches that are created based on the selected network topology.
+
+> [!IMPORTANT]
+> On a two-node cluster, compute should only be configured on a virtual switch.
+
+1. In the local UI, go to **Advanced networking** page.
+1. In the **Virtual switch** section, you'll assign compute intent to a virtual switch. You can select an existing virtual switch or select **Add virtual switch** to create a new switch.
+
+ ![Configure compute page in Advanced networking in local UI 1](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-1.png)
+
+1. In the **Network settings** blade, if using a new switch, provide the following:
+
+ 1. Provide a name for your virtual switch.
+ 1. Choose the network interface on which the virtual switch should be created.
+ 1. If deploying 5G workloads, set **Supports accelerated networking** to **Yes**.
+ 1. Select the intent to associate with this network interface as **compute**. Alternatively, the switch can be used for management traffic as well. You can't configure storage intent as storage traffic was already configured based on the network topology that you selected earlier.
+
+ > [!TIP]
+ > Use *CTRL + Click* to select more than one intent for your virtual switch.
+
+1. Assign **Kubernetes node IPs**. These static IP addresses are for the Kubernetes VMs.
+
+ For an *n*-node device, a contiguous range of a minimum of *n+1* IPv4 addresses (or more) are provided for the compute VM using the start and end IP addresses. For a 1-node device, provide a minimum of 2 contiguous IPv4 addresses. For a two-node cluster, provide a minimum of 3 contiguous IPv4 addresses.
+
+ > [!IMPORTANT]
+ > - Kubernetes on Azure Stack Edge uses 172.27.0.0/16 subnet for pod and 172.28.0.0/16 subnet for service. Make sure that these are not in use in your network. If these subnets are already in use in your network, you can change these subnets by running the `Set-HcsKubeClusterNetworkInfo` cmdlet from the PowerShell interface of the device. For more information, see [Change Kubernetes pod and service subnets](azure-stack-edge-gpu-connect-powershell-interface.md#change-kubernetes-pod-and-service-subnets).
+ > - DHCP mode is not supported for Kubernetes node IPs. If you plan to deploy IoT Edge/Kubernetes, you must assign static Kubernetes IPs and then enable IoT role. This will ensure that static IPs are assigned to Kubernetes node VMs.
+
+1. Assign **Kubernetes external service IPs**. These are also the load-balancing IP addresses. These contiguous IP addresses are for services that you want to expose outside of the Kubernetes cluster and you specify the static IP range depending on the number of services exposed.
> [!IMPORTANT] > We strongly recommend that you specify a minimum of 1 IP address for Azure Stack Edge Hub service to access compute modules. You can then optionally specify additional IP addresses for other services/IoT Edge modules (1 per service/module) that need to be accessed from outside the cluster. The service IP addresses can be updated later. 1. Select **Apply**.
- ![Compute page in local UI 3](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/compute-network-3.png)
+ ![Configure compute page in Advanced networking in local UI 2](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-2.png)
-1. The configuration takes a couple minutes to apply and you may need to refresh the browser. You can see that the specified port is enabled for compute.
+1. The configuration takes a couple minutes to apply and you may need to refresh the browser. You can see that the specified virtual switch is created and enabled for compute.
- ![Compute page in local UI 4](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/compute-network-4.png)
+ ![Configure compute page in Advanced networking in local UI 3](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-compute-network-3.png)
++
+To delete a virtual switch, under the **Virtual switch** section, select **Delete virtual switch**. When a virtual switch is deleted, the associated virtual networks will also be deleted.
+
+> [!IMPORTANT]
+> Only one virtual switch can be assigned for compute.
+
+### Configure virtual network
+
+You can add or delete virtual networks associated with your virtual switches. To add a virtual switch, follow these steps:
+
+1. In the local UI on the **Advanced networking** page, under the **Virtual network** section, select **Add virtual network**.
+1. In the **Add virtual network** blade, input the following information:
+
+ 1. Select a virtual switch for which you want to create a virtual network.
+ 1. Provide a **Name** for your virtual network.
+ 1. Enter a **VLAN ID** as a unique number in 1-4094 range.
+ 1. Specify the **Subnet mask** and **Gateway** for your virtual LAN network as per the physical network configuration.
+ 1. Select **Apply**.
+
- Select **Next: Web proxy** to configure web proxy.
+To delete a virtual network, under the **Virtual network** section, select **Delete virtual network**.
## Configure web proxy
-This is an optional configuration.
+This is an optional configuration. Although web proxy configuration is optional, if you use a web proxy, you can configure it on this page only.
> [!IMPORTANT] > * Proxy-auto config (PAC) files are not supported. A PAC file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL. > * Transparent proxies work well with Azure Stack Edge Pro. For non-transparent proxies that intercept and read all the traffic (via their own certificates installed on the proxy server), upload the public key of the proxy's certificate as the signing chain on your Azure Stack Edge Pro device. You can then configure the proxy server settings on your Azure Stack Edge device. For more information, see [Bring your own certificates and upload through the local UI](azure-stack-edge-gpu-deploy-configure-certificates.md#bring-your-own-certificates).
-<!--1. Go to the **Get started** page in the local web UI of your device.
-2. On the **Network** tile, configure your web proxy server settings. Although web proxy configuration is optional, if you use a web proxy, you can configure it on this page only.
-
- ![Local web UI "Web proxy settings" page](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/web-proxy-1.png)-->
- 1. On the **Web proxy settings** page, take the following steps: 1. In the **Web proxy URL** box, enter the URL in this format: `http://host-IP address or FQDN:Port number`. HTTPS URLs are not supported. 2. To validate and apply the configured web proxy settings, select **Apply**.
- ![Local web UI "Web proxy settings" page 2](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/web-proxy-2.png)<!--UI text update for instruction text is needed.-->
+ ![Local web UI "Web proxy settings" page 2](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-web-proxy-1.png)<!--UI text update for instruction text is needed.-->
+
+1. After the settings are applied, select **Next: Device**.
-2. After the settings are applied, select **Next: Device**.
+Repeat the above steps for the second node of the 2-node device. Make sure to use the same web proxy settings on both the device nodes.
+ ## Next steps In this tutorial, you learned about: + > [!div class="checklist"] > * Prerequisites > * Configure network > * Enable compute network > * Configure web proxy ++
+> [!div class="checklist"]
+> * Prerequisites
+> * Select device setup type
+> * Configure network on both nodes
+> * Get authentication token for prepared node
+> * Configure cluster witness and add prepared node
+> * Configure virtual IP settings for Azure Consistent Services and NFS
+> * Configure advanced networking
+> * Configure web proxy
+
-To learn how to set up your Azure Stack Edge Pro device, see:
+To learn how to set up your Azure Stack Edge Pro GPU device, see:
> [!div class="nextstepaction"] > [Configure device settings](./azure-stack-edge-gpu-deploy-set-up-device-update-time.md)
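Review bot: In the "Configure cloud witness" steps, the SAS token branch is never described: step 3 offers "Specify Storage account authentication from Access key or SAS token", but step 4 only says what to enter "If you chose Access key as the authentication mechanism" and nothing for the SAS choice. Please add the SAS step, and since a storage account access key grants full control of the whole account while a SAS can be scoped to the single witness container and given an expiry, consider recommending SAS as the default for the witness. Two smaller points in the same region: the "Get authentication token" step asks the reader to "Copy the node serial number and the authentication token" without saying that the token is a credential that should only be carried to the first node over a trusted channel, or whether it expires; and the "Configure local witness" step gives the share path as "*//server/fileshare* format", which should be checked against what the UI actually accepts for an SMB share (the usual UNC form uses backslashes).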
databox-online Azure Stack Edge Gpu Deploy Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-connect.md
Title: Tutorial to connect to, configure, activate Azure Stack Edge Pro device with GPU in Azure portal | Microsoft Docs
+ Title: Tutorial to connect to local web UI for Azure Stack Edge Pro GPU device | Microsoft Docs
description: Learn how you can connect to your Azure Stack Edge device with an onboard GPU by using the local web UI.
Previously updated : 08/29/2020 Last updated : 11/07/2021
-# Customer intent: As an IT admin, I need to understand how to connect and activate Azure Stack Edge Pro so I can use it to transfer data to Azure.
+zone_pivot_groups: azure-stack-edge-device-deployment
+# Customer intent: As an IT admin, I need to understand how to connect to Azure Stack Edge Pro GPU so I can use it to transfer data to Azure.
# Tutorial: Connect to Azure Stack Edge Pro with GPU + This tutorial describes how you can connect to your Azure Stack Edge Pro device with an onboard GPU by using the local web UI. The connection process can take around 5 minutes to complete. ++
+This tutorial describes how you can connect to the local web UI on the two nodes of your Azure Stack Edge device.
+
+The connection process can take around 10-15 minutes to complete.
++ In this tutorial, you learn about: > [!div class="checklist"]
In this tutorial, you learn about:
## Prerequisites
-Before you configure and set up your Azure Stack Edge Pro device with GPU, make sure that:
+Before you configure and set up your Azure Stack Edge Pro GPU device, make sure that:
* You've installed the physical device as detailed in [Install Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-install.md). ## Connect to the local web UI setup + 1. Configure the Ethernet adapter on your computer to connect to the Azure Stack Edge Pro device with a static IP address of 192.168.100.5 and subnet 255.255.255.0. 2. Connect the computer to PORT 1 on your device. If connecting the computer to the device directly (without a switch), use a crossover cable or a USB Ethernet adapter. Use the following illustration to identify PORT 1 on your device.
- ![Backplane of a cabled device](./media/azure-stack-edge-gpu-deploy-install/ase-two-pci-slots.png)
+ ![Backplane of a cabled device](./media/azure-stack-edge-gpu-deploy-install/two-pci-slots.png)
The backplane of the device may look slightly different depending on the exact model you have received. For more information, see [Cable your device](azure-stack-edge-gpu-deploy-install.md#cable-the-device).
Before you configure and set up your Azure Stack Edge Pro device with GPU, make
You're now at the **Overview** page of your device. The next step is to configure the network settings for your device. ++
+1. Configure the Ethernet adapter on your computer to connect to the first node of your Azure Stack Edge device with a static IP address of 192.168.100.5 and subnet 255.255.255.0.
+
+1. Connect the computer to PORT 1 on the first node of your 2-node device. If connecting the computer to the device directly (without a switch), use a crossover cable or a USB Ethernet adapter.
+
+1. Open a browser window and access the local web UI of the device at `https://192.168.100.10`.
+ This action may take a few minutes after you've turned on the device.
+
+ You see an error or a warning indicating that there is a problem with the website's security certificate.
+
+ ![Website security certificate error message for 2-node device](./media/azure-stack-edge-deploy-connect-setup-activate/image2.png)
+
+1. Select **Continue to this webpage**.
+ These steps might vary depending on the browser you're using.
+
+1. Sign in to the web UI of your device. The default password is *Password1*.
+
+ ![Azure Stack Edge Pro device sign-in page for 2-node device](./media/azure-stack-edge-deploy-connect-setup-activate/image3.png)
+
+1. At the prompt, change the device administrator password.
+ The new password must contain between 8 and 16 characters. It must contain three of the following characters: uppercase, lowercase, numeric, and special characters. You're now at the **Overview** page in the local web UI of the first node of your 2-node device.
+
+1. Repeat the above steps to connect to the second node of your 2-node device.
+
+The next step is to configure the network settings for your device.
++ ## Next steps
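Review bot: The step "Select **Continue to this webpage**" tells the reader to click past "a problem with the website's security certificate" without saying why the warning is expected at this stage, which trains the habit of dismissing TLS errors; add one sentence explaining the cause and point to the bring-your-own-certificates procedure that the web proxy section of the previous file already links, so readers know how to make the warning go away rather than learning to ignore it. Two more points in this hunk: "Repeat the above steps to connect to the second node of your 2-node device" leaves out what the reader needs to know, namely whether the computer must be recabled to PORT 1 on the second node and whether that node also answers at `https://192.168.100.10`; and the paragraph under "At the prompt, change the device administrator password" runs the password rules and the sentence "You're now at the **Overview** page in the local web UI of the first node" together on one line, so split them.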
databox-online Azure Stack Edge Gpu Deploy Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-install.md
Previously updated : 07/07/2021 Last updated : 11/11/2021
+zone_pivot_groups: azure-stack-edge-device-deployment
# Customer intent: As an IT admin, I need to understand how to install Azure Stack Edge Pro in datacenter so I can use it to transfer data to Azure. # Tutorial: Install Azure Stack Edge Pro with GPU + This tutorial describes how to install an Azure Stack Edge Pro physical device with a GPU. The installation procedure involves unpacking, rack mounting, and cabling the device. The installation can take around two hours to complete. ++
+This tutorial describes how to install a two-node Azure Stack Edge Pro GPU cluster. The installation procedure involves unpacking, rack mounting, and cabling the device.
+
+The installation can take around 2.5 hours to complete.
++ In this tutorial, you learn how to: > [!div class="checklist"]
Before you begin:
## Unpack the device + This device is shipped in a single box. Complete the following steps to unpack your device. 1. Place the box on a flat, level surface.
This device is shipped in a single box. Complete the following steps to unpack y
- One rail kit assembly - A Safety, Environmental, and Regulatory Information booklet ++
+This device is shipped in a two boxes. Complete the following steps to unpack your device.
+
+1. Place the boxes on a flat, level surface.
+2. Inspect the boxes and the packaging foam for crushes, cuts, water damage, or any other obvious damage. If the box or packaging is severely damaged, don't open it. Contact Microsoft Support to help you assess whether the devices are in good working order.
+3. Unpack each box. After unpacking the box, make sure that you have the following in each box:
+ - One single enclosure Azure Stack Edge devices
+ - Two power cords
+ - One rail kit assembly
+ - A Safety, Environmental, and Regulatory Information booklet
++ If you didn't receive all of the items listed here, [Contact Microsoft Support](azure-stack-edge-contact-microsoft-support.md). The next step is to rack mount your device.
Locate the components for installing the rail kit assembly:
Route the cables and then cable your device. The following procedures explain how to cable your Azure Stack Edge Pro device for power and network.
+### Cabling checklist
++ Before you start cabling your device, you need the following things: - Your Azure Stack Edge Pro physical device, unpacked, and rack mounted.
Before you start cabling your device, you need the following things:
> - For best performance and to handle large volumes of data, consider connecting all the data ports. > - The Azure Stack Edge Pro device should be connected to the datacenter network so that it can ingest data from data source servers.
-On your Azure Stack Edge Pro device:
++
+Before you start cabling your device, you need the following things:
+
+- Both of your Azure Stack Edge physical devices, unpacked, and rack mounted.
+- 4 power cables, 2 for each device node. <!-- check w/ PIT team around how the bezel is shipped or attached to the device -->
+- At least two 1-GbE RJ-45 network cables to connect Port 1 on each device node for initial configuration. <!-- check with Ernie if is clustered in the factory, only 1 node may be connected to mgmt -->
+- At least two 1-GbE RJ-45 network cables to connect Port 2 on each device node to the internet (with connectivity to Azure).
+- 25/10-GbE SFP+ copper cables for Port 3 and Port 4 to be configured. Additional 25/10-GbR SFP+ copper cables if you will also connect Port 5 and Port 6. Port 5 and Port 6 must be connected if you intend to [Deploy network functions on Azure Stack Edge](../network-function-manager/deploy-functions.md).
+- 25-GbE or 10-GbE switches if opting for a switched network topology. See [Supported network topologies](azure-stack-edge-gpu-clustering-overview.md).
+- Access to two power distribution units (recommended).
+
+> [!NOTE]
+> - For best performance and to handle large volumes of data, consider connecting all the data ports. <!-- should we still say this given we ask them to choose specific topologies-->
+> - The Azure Stack Edge Pro device should be connected to the datacenter network so that it can ingest data from data source servers.
++ -- The front panel has disk drives and a power button.
+### Device front panel
+
+The front panel on Azure Stack Edge device:
+
+- Has disk drives and a power button.
- There are 10 disk slots in the front of your device. - Slot 0 has a 240-GB SATA drive used as an operating system disk. Slot 1 is empty and slots 2 to 6 are NVMe SSDs used as data disks. Slots 7 to 9 are also empty.-- The back plane includes redundant power supply units (PSUs).-- The back plane has six network interfaces:++
+### Device backplane
+
+The backplane of Azure Stack Edge device:
+
+- Includes redundant power supply units (PSUs).
+- Has six network interfaces:
- Two 1-Gbps interfaces. - Four 25-Gbps interfaces that can also serve as 10-Gbps interfaces. - A baseboard management controller (BMC). -- The back plane has two network cards corresponding to the six ports:
+- Has two network cards corresponding to the six ports:
- **Custom Microsoft `Qlogic` Cavium 25G NDC adapter** - Port 1 through port 4. - **Mellanox dual port 25G ConnectX-4 channel network adapter** - Port 5 and port 6.
For a full list of supported cables, switches, and transceivers for these networ
- [`Qlogic` Cavium 25G NDC adapter interoperability matrix](https://www.marvell.com/documents/xalflardzafh32cfvi0z/). - 25 GbE and 10 GbE cables and modules in [Mellanox dual port 25G ConnectX-4 channel network adapter compatible products](https://docs.mellanox.com/display/ConnectX4LxFirmwarev14271016/Firmware+Compatible+Products).
-
+### Power cabling
+ Take the following steps to cable your device for power and network. + 1. Identify the various ports on the back plane of your device. You may have received one of the following devices from the factory depending on the number of GPUs in your device.
+
+ - Device with two Peripheral Component Interconnect (PCI) slots and one GPU
- ![Back plane of a cabled device](./media/azure-stack-edge-gpu-deploy-install/ase-two-pci-slots.png)
+ ![Back plane of a cabled device](./media/azure-stack-edge-gpu-deploy-install/two-pci-slots.png)
- Device with three PCI slots and one GPU
- ![Back plane of a cabled device 2](./media/azure-stack-edge-gpu-deploy-install/ase-three-pci-slots-one-gpu.png)
+ ![Back plane of a cabled device 2](./media/azure-stack-edge-gpu-deploy-install/three-pci-slots-one-gpu.png)
- Device with three PCI slots and two GPUs
- ![Back plane of a cabled device 3](./media/azure-stack-edge-gpu-deploy-install/ase-three-pci-slots-two-gpu.png)
+ ![Back plane of a cabled device 3](./media/azure-stack-edge-gpu-deploy-install/three-pci-slots-two-gpu.png)
2. Locate the disk slots and the power button on the front of the device.
- ![Front plane of a device](./media/azure-stack-edge-gpu-deploy-install/ase-gpu-device-front-plane-labeled.png)
+ ![Front plane of a device](./media/azure-stack-edge-gpu-deploy-install/front-plane-labeled.png)
-3. Connect the power cords to each of the PSUs in the enclosure. To ensure high availability, install and connect both PSUs to different power sources.
+3. Connect the power cords to each of the PSUs in the enclosure. To ensure high availability, install and connect both PSUs to different power sources.
4. Attach the power cords to the rack power distribution units (PDUs). Make sure that the two PSUs use separate power sources. 5. Press the power button to turn on the device. 6. Connect the 1-GbE network interface PORT 1 to the computer that's used to configure the physical device. PORT 1 serves as the management interface. > [!NOTE]
- > If connecting the computer directly to your device (without going through a switch), use a crossover cable or a USB Ethernet adapter.
+ > If connecting the computer directly to your device (without going through a switch), use an Ethernet crossover cable or a USB Ethernet adapter.
7. Connect one or more of PORT 2, PORT 3, PORT 4, PORT 5, or PORT 6 to the datacenter network/Internet.
Take the following steps to cable your device for power and network.
- For the 10/25-GbE network interfaces, use the SFP+ copper cables or fiber. If using fiber, use an optical to SFP adapter. - For Network Function Manager deployments, make sure that PORT 5 and PORT 6 are connected. For more information, see [Tutorial: Deploy network functions on Azure Stack Edge (Preview)](../network-function-manager/deploy-functions.md). ++
+1. Identify the various ports on the back plane of your device. <!--You may have received one of the following devices from the factory depending on the number of GPUs in your device.-->
+
+ ![Back plane of a cabled device](./media/azure-stack-edge-gpu-deploy-install/backplane-ports.png)
++
+2. Locate the disk slots and the power button on the front of the device.
+
+ ![Front plane of a device](./media/azure-stack-edge-gpu-deploy-install/front-plane-labeled.png)
+
+3. Connect the power cords to each of the PSUs in the enclosure.
+1. To ensure high availability, the right power supply of the two devices should be connected to a Power Distribution Unit (PDU) or power source. The left power supply of both the devices should be connected to another PDU or power source.
+
+ ![Back plane of clustered device cabled for power](./media/azure-stack-edge-gpu-deploy-install/cluster-power-cabling.png)
+
+1. Press the power button in the front panel of the device to turn on the device.
+
+### Network cabling
+
+The two-node device can be configured in the following different ways:
+
+- Without switches.
+- Connect Port 3 and Port 4 via switches.
+- Connect Port 3 via a switch.
+
+Each of these configurations is described in the following sections. For more information on when to use these configurations, see [Supported network topologies](azure-stack-edge-gpu-clustering-overview.md)
+
+#### Switchless
+
+Use this configuration when high speed switches aren't available for storage and clustering traffic.
++
+![Back plane of clustered device cabled for networking without switches](./media/azure-stack-edge-gpu-deploy-install/backplane-clustered-device-networking-switchless.png)
+
+1. Connect the 1-GbE network interface PORT 1 to the computer that's used to configure the physical device. If connecting the computer directly to your device (without going through a switch), use an Ethernet crossover cable or a USB Ethernet adapter.
+1. Connect PORT 2 to the internet using a 1-GbE RJ-45 network cable.
+1. Connect PORT 3 and PORT 4 on both the devices via SFP+ copper cables or fiber. If using fiber, use an optical to SFP adapter.
+
+
+#### Connect Port 3 and Port 4 via switches
+
+Use this configuration when you need port level redundancy through teaming.
+
+![Back plane of clustered device cabled for networking with switches and NIC teaming](./media/azure-stack-edge-gpu-deploy-install/backplane-clustered-device-networking-switches-with-nic-teaming.png)
+
+1. Connect the 1-GbE network interface PORT 1 to the computer that's used to configure the physical device. If connecting the computer directly to your device (without going through a switch), use an Ethernet crossover cable or a USB Ethernet adapter.
+1. Connect PORT 2 to the internet using a 1-GbE RJ-45 network cable.
+1. Connect PORT 3 and PORT 4 on both the devices via SFP+ copper cables or fiber and using a 10/25 GbE switch. If using fiber, use an optical to SFP adapter.
++
+#### Connect Port 3 via switch
+
+Use this configuration if you need an extra port for workload traffic and port level redundancy is not required.
+
+![Back plane of clustered device cabled for networking with switches and without NIC teaming](./media/azure-stack-edge-gpu-deploy-install/backplane-clustered-device-networking-switches-without-nic-teaming.png)
+
+1. Connect the 1-GbE network interface PORT 1 to the computer that's used to configure the physical device. If connecting the computer directly to your device (without going through a switch), use an Ethernet crossover cable or a USB Ethernet adapter.
+1. Connect PORT 2 to the internet using a 1-GbE RJ-45 network cable.
+1. Connect PORT 3 on both the devices via SFP+ copper cables or fiber and using a 10/25 GbE switch. If using fiber, use an optical to SFP adapter.
+
+>[!NOTE]
+> For Network Function Manager deployments, make sure that PORT 5 and PORT 6 are connected. For more information, see [Tutorial: Deploy network functions on Azure Stack Edge (Preview)](../network-function-manager/deploy-functions.md).
+
+ ## Next steps
-In this tutorial, you learned about Azure Stack Edge Pro topics such as how to:
+In this tutorial, you learned about Azure Stack Edge Pro GPU topics such as how to:
> [!div class="checklist"] > * Unpack the device
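Review bot: The three cabling procedures ("without switches", "via switches", "via switch") repeat steps 1 and 2 verbatim; state the shared PORT 1 and PORT 2 cabling once (or move it into an include) so a future correction does not have to be made in three places. The spacing is also uneven: two consecutive blank lines precede the `#### Connect Port 3 and Port 4 via switches` heading, while the `#### Connect Port 3 via switch` heading is preceded by a line containing only `+`; normalize to a single blank line before each heading.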
databox-online Azure Stack Edge Gpu Deploy Prep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-prep.md
Title: Tutorial to prepare Azure portal, datacenter environment to deploy Azure Stack Edge Pro GPU | Microsoft Docs
-description: The first tutorial about deploying Azure Stack Edge Pro GPU involves preparing the Azure portal.
+ Title: Tutorial to prepare Azure portal, datacenter environment to deploy Azure Stack Edge Pro GPU
+description: The first tutorial about deploying Azure Stack Edge Pro GPU involves preparing the Azure portal, placing a device order, and then creating a management resource.
Previously updated : 12/20/2021 Last updated : 01/28/2022
-# Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Azure Stack Edge Pro so I can use it to transfer data to Azure.
+# Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Azure Stack Edge Pro GPU so I can use it to compute at the edge and to transfer data to Azure.
-# Tutorial: Prepare to deploy Azure Stack Edge Pro with GPU
-This tutorial is the first in the series of deployment tutorials that are required to completely deploy Azure Stack Edge Pro with GPU. This tutorial describes how to prepare the Azure portal to deploy an Azure Stack Edge resource.
+# Tutorial: Prepare to deploy Azure Stack Edge Pro GPU
+
+This tutorial is the first in the series of deployment tutorials that are required to completely deploy Azure Stack Edge Pro GPU. This tutorial describes how to prepare the Azure portal to deploy an Azure Stack Edge resource.
You need administrator privileges to complete the setup and configuration process. The portal preparation takes less than 10 minutes.
In this tutorial, you learn how to:
### Get started
-For Azure Stack Edge Pro deployment, you need to first prepare your environment. Once the environment is ready, follow the required steps and if needed, optional steps and procedures to fully deploy the device. The step-by-step deployment instructions indicate when you should perform each of these required and optional steps.
+For Azure Stack Edge Pro GPU deployment, you need to first prepare your environment. After the environment is ready, follow the required steps and if needed, optional steps and procedures to fully deploy the device. The step-by-step deployment instructions indicate when you should perform each of these required and optional steps.
| Step | Description | | | |
For Azure Stack Edge Pro deployment, you need to first prepare your environment.
| **[Deployment configuration checklist](#deployment-configuration-checklist)** |Use this checklist to gather and record information before and during the deployment. | | **[Deployment prerequisites](#prerequisites)** |These prerequisites validate that the environment is ready for deployment. | | | |
-|**Deployment tutorials** |These tutorials are required to deploy your Azure Stack Edge Pro device in production. |
-|**[1. Prepare the Azure portal for Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-prep.md)** |Create and configure your Azure Stack Edge resource before you install an Azure Stack Box Edge physical device. |
-|**[2. Install Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-install.md)**|Unpack, rack, and cable the Azure Stack Edge Pro physical device. |
-|**[3. Connect to Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-connect.md)** |Once the device is installed, connect to device local web UI. |
-|**[4. Configure network settings for Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md)** |Configure network including the compute network and web proxy settings for your device. |
-|**[5. Configure device settings for Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-set-up-device-update-time.md)** |Assign a device name and DNS domain, configure update server and device time. |
-|**[6. Configure security settings for Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-configure-certificates.md)** |Configure certificates for your device. Use device-generated certificates or bring your own certificates. |
-|**[7. Activate Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-activate.md)** |Use the activation key from service to activate the device. The device is ready to set up SMB or NFS shares or connect via REST. |
+|**Deployment tutorials** |These tutorials are required to deploy your Azure Stack Edge Pro GPU device in production. |
+|**[1. Prepare the Azure portal for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-prep.md)** |Create and configure your Azure Stack Edge resource before you install an Azure Stack Box Edge physical device. |
+|**[2. Install Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-install.md)**|Unpack, rack, and cable the Azure Stack Edge Pro GPU physical device. |
+|**[3. Connect to Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-connect.md)** |Once the device is installed, connect to device local web UI. |
+|**[4. Configure network settings for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md)** |Configure network including the compute network and web proxy settings for your device. If setting up a two-node cluster, advanced networking and cluster configuration is also needed. |
+|**[5. Configure device settings for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-set-up-device-update-time.md)** |Assign a device name and DNS domain, configure update server and device time. |
+|**[6. Configure security settings for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-configure-certificates.md)** |Configure certificates for your device. Use device-generated certificates or bring your own certificates. |
+|**[7. Activate Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-activate.md)** |Use the activation key from service to activate the device. The device is ready to set up SMB or NFS shares or connect via REST. |
|**[8. Configure compute](azure-stack-edge-gpu-deploy-configure-compute.md)** |Configure the compute role on your device. A Kubernetes cluster is also created. | |**[9A. Transfer data with Edge shares](./azure-stack-edge-gpu-deploy-add-shares.md)** |Add shares and connect to shares via SMB or NFS. | |**[9B. Transfer data with Edge storage accounts](./azure-stack-edge-gpu-deploy-add-storage-accounts.md)** |Add storage accounts and connect to blob storage via REST APIs. |
-You can now begin to gather information regarding the software configuration for your Azure Stack Edge Pro device.
+You can now begin to gather information regarding the software configuration for your Azure Stack Edge Pro GPU device.
## Deployment configuration checklist
-Before you deploy your device, you need to collect information to configure the software on your Azure Stack Edge Pro device. Preparing some of this information ahead of time helps streamline the process of deploying the device in your environment. Use the [Azure Stack Edge Pro deployment configuration checklist](azure-stack-edge-gpu-deploy-checklist.md) to note down the configuration details as you deploy your device.
+Before you deploy your device, you need to collect information to configure the software on your Azure Stack Edge Pro GPU device. Preparing some of this information ahead of time helps streamline the process of deploying the device in your environment. Use the [Azure Stack Edge Pro GPU deployment configuration checklist](azure-stack-edge-gpu-deploy-checklist.md) to note down the configuration details as you deploy your device.
## Prerequisites
-Following are the configuration prerequisites for your Azure Stack Edge resource, your Azure Stack Edge Pro device, and the datacenter network.
+Following are the configuration prerequisites for your Azure Stack Edge resource, your Azure Stack Edge Pro GPU device, and the datacenter network.
### For the Azure Stack Edge resource Before you begin, make sure that: - Your Microsoft Azure subscription is enabled for an Azure Stack Edge resource. Make sure that you used a supported subscription such as [Microsoft Enterprise Agreement (EA)](https://azure.microsoft.com/overview/sales-number/), [Cloud Solution Provider (CSP)](/partner-center/azure-plan-lp), or [Microsoft Azure Sponsorship](https://azure.microsoft.com/offers/ms-azr-0036p/). Pay-as-you-go subscriptions aren't supported. To identify the type of Azure subscription you have, see [What is an Azure offer?](../cost-management-billing/manage/switch-azure-offer.md#what-is-an-azure-offer).-- You have owner or contributor access at resource group level for the Azure Stack Edge Pro, IoT Hub, and Azure Storage resources.
+- You have owner or contributor access at resource group level for the Azure Stack Edge, IoT Hub, and Azure Storage resources.
- To create any Azure Stack Edge resource, you should have permissions as a contributor (or higher) scoped at resource group level. - You also need to make sure that the `Microsoft.DataBoxEdge` and `Microsoft.KeyVault` resource providers are registered. To create any IoT Hub resource, `Microsoft.Devices` provider should be registered.
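Review bot: Row 1 of the deployment tutorials table still reads "Azure Stack Box Edge physical device"; since the row is rewritten in this hunk anyway, correct it to "Azure Stack Edge Pro GPU physical device" to match the other rows. The prerequisites bullet is changed from "Azure Stack Edge Pro" to "Azure Stack Edge, IoT Hub, and Azure Storage resources", which is right for the resource name; it is worth stating the convention somewhere in the article ("Azure Stack Edge" for the Azure resource, "Azure Stack Edge Pro GPU" for the device) so readers do not read the two names as two products.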
Before you begin, make sure that:
- To create an order in the Azure Edge Hardware Center, you need to make sure that the `Microsoft.EdgeOrder` provider is registered. For information on how to register, go to [Register resource provider](azure-stack-edge-gpu-manage-access-power-connectivity-mode.md#register-resource-providers). - You have admin or user access to Azure Active Directory Graph API for generating activation key or credential operations such as share creation that uses a storage account. For more information, see [Azure Active Directory Graph API](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
-### For the Azure Stack Edge Pro device
+### For the Azure Stack Edge Pro GPU device
Before you deploy a physical device, make sure that: - You've reviewed the safety information that was included in the shipment package.-- You have a 1U slot available in a standard 19" rack in your datacenter for rack mounting the device.
+- To rackmount the device in a standard 19* rack in your datacenter, make sure to have:
+
+ - A 1U slot available when deploying a single node device.
+ - Two 1U slots available when deploying a two-node cluster.
- You have access to a flat, stable, and level work surface where the device can rest safely. - The site where you intend to set up the device has standard AC power from an independent source or a rack power distribution unit (PDU) with an uninterruptible power supply (UPS).-- You have access to a physical device.
+- You have access to your device.
### For the datacenter network Before you begin, make sure that: -- The network in your datacenter is configured per the networking requirements for your Azure Stack Edge Pro device. For more information, see [Azure Stack Edge Pro System Requirements](azure-stack-edge-system-requirements.md).
+- The network in your datacenter is configured per the networking requirements for your Azure Stack Edge Pro GPU device. For more information, see [Azure Stack Edge Pro GPU System Requirements](azure-stack-edge-system-requirements.md).
-- For normal operating conditions of your Azure Stack Edge Pro, you have:
+- For normal operating conditions of your Azure Stack Edge Pro GPU, you have:
- A minimum of 10-Mbps download bandwidth to ensure the device stays updated. - A minimum of 20-Mbps dedicated upload and download bandwidth to transfer files. ## Create a new resource
-If you have an existing Azure Stack Edge resource to manage your physical device, skip this step and go to [Get the activation key](#get-the-activation-key).
+<!--If you have an existing Azure Stack Edge resource to manage your physical device, skip this step and go to [Get the activation key](#get-the-activation-key).-->
+In this step, youΓÇÖll first order a device and then create a management resource to manage the device with the service in the cloud.
### Create an order resource
-To create an order resource, use the Azure Edge Hardware Center. [Azure Edge Hardware Center](../azure-edge-hardware-center/azure-edge-hardware-center-overview.md) lets you explore and order a variety of hardware from the Azure hybrid portfolio including Azure Stack Edge Pro devices.
+To order a device, use the Azure Edge Hardware Center. [Azure Edge Hardware Center](../azure-edge-hardware-center/azure-edge-hardware-center-overview.md) lets you explore and order a variety of hardware from the Azure hybrid portfolio including Azure Stack Edge Pro GPU devices.
+
+If you have an existing device, skip this step and [Create a management resource for your device](#create-a-management-resource-for-each-device).
When you place an order through the Edge Hardware Center, you can order multiple devices, to be shipped to more than one address, and you can reuse ship to addresses from other orders.
-Ordering through Edge Hardware Center will create an Azure resource that will contain all your order-related information. One resource each will be created for each of the units ordered. You will have to create an Azure Stack Edge resource after you receive the device to activate and manage it.
+Ordering through Edge Hardware Center will create an Azure resource that will contain all your order-related information. One resource each will be created for each of the units ordered. YouΓÇÖll have to create an Azure Stack Edge resource after you receive the device to activate and manage the devices.
[!INCLUDE [Create order in Azure Edge Hardware Center](../../includes/azure-edge-hardware-center-new-order.md)]
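Review bot: The rack-mount bullet introduces a typo: `19*` should be `19"` as in the line it replaces. Two added lines ("youΓÇÖll first order a device", "YouΓÇÖll have to create") carry a mis-encoded curly apostrophe; use a plain `'` so the source stays ASCII-clean and renders correctly. In the skip link, check that the `#create-a-management-resource-for-each-device` anchor matches the heading emitted by the management-resource include, since the link text says "for your device". Finally, "One resource each will be created for each of the units ordered" is redundant; "One resource will be created for each unit ordered" reads cleaner.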
Ordering through Edge Hardware Center will create an Azure resource that will co
[!INCLUDE [Create management resource](../../includes/azure-edge-hardware-center-create-management-resource.md)]
-<!--### [Azure CLI](#tab/azure-cli)
-
-If necessary, prepare your environment for Azure CLI.
--
-To create an Azure Stack Edge resource, run the following commands in Azure CLI.
-
-1. Create a resource group by using the [az group create](/cli/azure/group#az_group_create) command, or use an existing resource group:
-
- ```azurecli
- az group create --name myasepgpu1 --location eastus
- ```
-
-1. To create a device, use the [az databoxedge device create](/cli/azure/databoxedge/device#az_databoxedge_device_create) command:
- ```azurecli
- az databoxedge device create --resource-group myasepgpu1 \
- --device-name myasegpu1 --location eastus --sku EdgeP_Base
- ```
-
- Choose a location closest to the geographical region where you want to deploy your device. The region stores only the metadata for device management. The actual data can be stored in any storage account.
-
- For a list of all the regions where the Azure Stack Edge resource is available, see [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=databox&regions=all). If using Azure Government, all the government regions are available as shown in the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/).
-
-1. To create an order, run the [az databoxedge order create](/cli/azure/databoxedge/order#az_databoxedge_order_create) command:
-
- ```azurecli
- az databoxedge order create --resource-group myasepgpu1 \
- --device-name myasegpu1 --company-name "Contoso" \
- --address-line1 "1020 Enterprise Way" --city "Sunnyvale" \
- --state "California" --country "United States" --postal-code 94089 \
- --contact-person "Gus Poland" --email-list gus@contoso.com --phone 4085555555
- ```
-
-The resource creation takes a few minutes. Run the [az databoxedge order show](/cli/azure/databoxedge/order#az_databoxedge_order_show) command to see the order:
-
-```azurecli
-az databoxedge order show --resource-group myasepgpu1 --device-name myasegpu1
-```
-
-After you place an order, Microsoft reviews the order and contacts you by email with shipping details.-->
-- ## Get the activation key
-After the Azure Stack Edge resource is up and running, you'll need to get the activation key. This key is used to activate and connect your Azure Stack Edge Pro device with the resource. You can get this key now while you are in the Azure portal.
+After the Azure Stack Edge resource is up and running, you'll need to get the activation key. This key is used to activate and connect your Azure Stack Edge Pro GPU device with the resource. You can get this key now while you are in the Azure portal.
1. Select the resource you created, and select **Overview**.
After the Azure Stack Edge resource is up and running, you'll need to get the ac
## Next steps
-In this tutorial, you learned about Azure Stack Edge Pro topics such as:
+In this tutorial, you learned about Azure Stack Edge articles such as:
> [!div class="checklist"] > * Create a new resource > * Get the activation key
-Advance to the next tutorial to learn how to install Azure Stack Edge Pro.
+Advance to the next tutorial to learn how to install Azure Stack Edge.
> [!div class="nextstepaction"]
-> [Install Azure Stack Edge Pro](./azure-stack-edge-gpu-deploy-install.md)
+> [Install Azure Stack Edge Pro GPU](./azure-stack-edge-gpu-deploy-install.md)
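Review bot: The Next steps rewrite changes "topics such as" to "articles such as", but the checklist items that follow (Create a new resource, Get the activation key) are tasks, not articles; keep "topics" or use "tasks". The same hunk drops "Pro GPU" from "Advance to the next tutorial to learn how to install Azure Stack Edge" while the next-step link two lines later keeps "Install Azure Stack Edge Pro GPU"; use the full product name in both. Deleting the commented-out Azure CLI tab is the right call: a disabled sample with hard-coded sample addresses and contact details goes stale without anyone noticing.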
databox-online Azure Stack Edge Gpu Deploy Set Up Device Update Time https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-set-up-device-update-time.md
Title: Tutorial to connect, configure, activate Azure Stack Edge Pro device with GPU in Azure portal | Microsoft Docs
+ Title: Tutorial to connect, configure, activate Azure Stack Edge Pro device GPU in Azure portal | Microsoft Docs
description: Tutorial to deploy Azure Stack Edge Pro GPU instructs you to connect, set up, and activate your physical device.
Previously updated : 09/10/2020 Last updated : 02/15/2022
+zone_pivot_groups: azure-stack-edge-device-deployment
# Customer intent: As an IT admin, I need to understand how to connect and activate Azure Stack Edge Pro so I can use it to transfer data to Azure.
-# Tutorial: Configure the device settings for Azure Stack Edge Pro with GPU
-This tutorial describes how you configure device related settings for your Azure Stack Edge Pro device with an onboard GPU. You can set up your device name, update server, and time server via the local web UI.
+# Tutorial: Configure the device settings for Azure Stack Edge Pro GPU
++
+This tutorial describes how to configure device related settings for your 1-node Azure Stack Edge Pro GPU device. You can set up your device name, update server, and time server via the local web UI.
+
+The device settings can take around 5-7 minutes to complete.
+++
+This tutorial describes how to configure device related settings for your 2-node Azure Stack Edge Pro GPU device. You can set up your device name, update server, and time server via the local web UI.
The device settings can take around 5-7 minutes to complete. + In this tutorial, you learn about: > [!div class="checklist"]
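Review bot: The new title reads "Azure Stack Edge Pro device GPU", which garbles the word order of the line it replaces ("Pro device with GPU"); use "Azure Stack Edge Pro GPU device", as the body text does. The two pivot-specific intro paragraphs differ only in "1-node" vs "2-node", while the rest of the series says "single-node" and "two-node"; pick one form. "Device related" should be hyphenated as "device-related" in both paragraphs.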
In this tutorial, you learn about:
## Prerequisites
-Before you configure device related settings on your Azure Stack Edge Pro device with GPU, make sure that:
+Before you configure device related settings on your Azure Stack Edge Pro device GPU, make sure that:
* For your physical device:
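Review bot: Same word-order problem as the title: "Azure Stack Edge Pro device GPU" should be "Azure Stack Edge Pro GPU device".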
Before you configure device related settings on your Azure Stack Edge Pro device
Follow these steps to configure device related settings:
-1. On the **Device** page, take the following steps:
+1. In the local web UI for your device, go to the **Device** page.
- 1. Enter a friendly name for your device. The friendly name must contain from 1 to 13 characters and can have letter, numbers, and hyphens.
+1. Enter a **Name** for your device. The name must contain from 1 to 13 characters and can have letter, numbers, and hyphens.
- 2. Provide a **DNS domain** for your device. This domain is used to set up the device as a file server.
+1. Provide a **DNS domain** for your device. This domain is used to set up the device as a file server.
- 3. To validate and apply the configured device settings, select **Apply**.
+1. To validate and apply the configured device settings, select **Apply**.
- ![Local web UI "Device" page 1](./media/azure-stack-edge-gpu-deploy-set-up-device-update-time/device-2.png)
+ ![Local web UI "Device" page 1](./media/azure-stack-edge-gpu-deploy-set-up-device-update-time/device-2.png)
- If you have changed the device name and the DNS domain, the automatically generated self-signed certificates on the device will not work. You need to choose one of the following options when you configure certificates.:
-
- - Generate and download the device certificates.
- - Bring your own certificates for the device including the signing chain.
+ When the device name and the DNS domain are changed, the SMB endpoint is created.
+
+ If you have changed the device name and the DNS domain, the automatically generated self-signed certificates on the device will not work. You'll need to regenerate device certificates or bring your own certificates.
+ ![Local web UI "Device" page 2](./media/azure-stack-edge-gpu-deploy-set-up-device-update-time/device-3.png)
+
+1. After the settings are applied, select **Next: Update server**.
- ![Local web UI "Device" page 2](./media/azure-stack-edge-gpu-deploy-set-up-device-update-time/device-3.png)
+ ![Local web UI "Device" page 3](./media/azure-stack-edge-gpu-deploy-set-up-device-update-time/device-4.png)
- 4. When the device name and the DNS domain are changed, the SMB endpoint is created.
- 5. After the settings are applied, select **Next: Update server**.
+Repeat all the above steps for the second node of your device. Make sure that the same DNS domain is used for both the nodes.
+
- ![Local web UI "Device" page 3](./media/azure-stack-edge-gpu-deploy-set-up-device-update-time/device-4.png)
## Configure update
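Review bot: The consolidated certificate paragraph ("You'll need to regenerate device certificates or bring your own certificates") drops the detail from the removed bullets that bring-your-own certificates must include the signing chain; keep that phrase, or link to the certificates tutorial, so readers know the chain is part of what they must supply. The renumbered step 2 still says "can have letter, numbers, and hyphens"; should be "letters". The added sentence that the same DNS domain must be used on both nodes is a good addition, since the regenerated certificates and the SMB endpoint both depend on the device name and DNS domain set here.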
Follow these steps to configure device related settings:
> [!NOTE] > If a separate Windows Update server is configured and if you choose to connect over *https* (instead of *http*), then signing chain certificates required to connect to the update server are needed. For information on how to create and upload certificates, go to [Manage certificates](azure-stack-edge-gpu-manage-certificates.md).
-2. Select **Apply**.
-3. After the update server is configured, select **Next: Time**.
+1. Select **Apply**.
+1. After the update server is configured, select **Next: Time**.
++
+Repeat all the above steps for the second node of your device. Make sure that the same update server is used for both the nodes.
+ ## Configure time
NTP servers are required because your device must synchronize time so that it ca
![Local web UI "Time" page](./media/azure-stack-edge-gpu-deploy-set-up-device-update-time/time-2.png)
-2. After the settings are applied, select **Next: Certificates**.
+1. After the settings are applied, select **Next: Certificates**.
++
+Repeat all the above steps for the second node of your device. Make sure that the same NTP server is used for both the nodes.
## Next steps
databox-online Azure Stack Edge Gpu Install Update https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-install-update.md
Previously updated : 11/16/2021 Last updated : 02/15/2022 # Update your Azure Stack Edge Pro GPU
This article describes the steps required to install update on your Azure Stack Edge Pro with GPU via the local web UI and via the Azure portal. You apply the software updates or hotfixes to keep your Azure Stack Edge Pro device and the associated Kubernetes cluster on the device up-to-date.
-The procedure described in this article was performed using a different version of software, but the process remains the same for the current software version.
+The procedure described in this article was performed using a different version of software, but the process remains the same for the current software version.
## About latest update
-The current update is Update 2110. This update installs two updates, the device update followed by Kubernetes updates. The associated versions for this update are:
+The current update is Update 2202. This update installs two updates, the device update followed by Kubernetes updates. The associated versions for this update are:
-- Device software version - **2.2.1777.4088**
+- Device software version - **2.2.1868.4470**
- Kubernetes server version - **v1.20.9** - IoT Edge version: **0.1.0-beta15**-- GPU driver version: **460.32.03**-- CUDA version: **11.2**
+- Azure Arc version: **1.5.3**
+- GPU driver version: **470.57.02**
+- CUDA version: **11.4**
-For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2111-release-notes.md).
+For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2202-release-notes.md).
-**To apply 2111 update, your device must be running 2106.**
+**To apply 2202 update, your device must be running 2106.**
- If you are not running the minimal supported version, you'll see this error: *Update package cannot be installed as its dependencies are not met*. -- You can update to 2106 from an older version and then install 2111.
+- You can update to 2106 from an older version and then install 2202.
-Keep in mind that installing an update or hotfix restarts your device. Given that the Azure Stack Edge Pro GPU is a single node device, any I/O in progress is disrupted and your device experiences a downtime of up to 1.5 hours for the update.
+
+### Updates for a single-node vs two-node
+
+The procedure to update an Azure Stack Edge is the same whether it is a single-node device or a two-node cluster. This applies both to the Azure portal or the local UI procedure.
+
+- **Single node** - For a single node device, installing an update or hotfix is disruptive and will restart your device. Your device will experience a downtime for the entire duration of the update.
+
+- **Two-node** - For a two-node cluster, this is an optimized update. The two-node cluster may experience short, intermittent disruptions while the update is in progress. We recommend that you shouldn't perform any operations on the other node when update is in progress on the first node of the cluster.
+
+ The Kubernetes worker VMs will go down when a node goes down. The Kubernetes master VM will fail over to the other node. Workloads will continue to run. For more information, see [Kubernetes failover scenarios for Azure Stack Edge](azure-stack-edge-gpu-kubernetes-failover-scenarios.md).
+
+Provisioning actions such as creating shares or virtual machines are not supported during update. The update takes approximately 60 to 75 minutes per node to complete.
To install updates on your device, you need to follow these steps:
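Review bot: In the new "Updates for a single-node vs two-node" section, "This applies both to the Azure portal or the local UI procedure" should be "both to the Azure portal and to the local UI procedure", and "We recommend that you shouldn't perform any operations on the other node" reads better as "We recommend that you don't perform any operations on the other node". With the removed "downtime of up to 1.5 hours" sentence replaced by "downtime for the entire duration of the update", the "60 to 75 minutes per node" figure at the end is the only duration left; state whether it covers both the device update and the Kubernetes update, since the intro says the update installs two updates. The first changed line of the hunk ("The procedure described in this article...") reads identically before and after; if it is only a trailing-whitespace change, it can be dropped from the commit.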
Each of these steps is described in the following sections.
1. In the local web UI, go to **Configuration** > **Update server**.
- ![Configure updates 1](./media/azure-stack-edge-gpu-install-update/configure-update-server-1.png)
+ <!--![Configure updates 1](./media/azure-stack-edge-gpu-install-update/configure-update-server-1.png)-->
2. In **Select update server type**, from the dropdown list, choose from Microsoft Update server (default) or Windows Server Update Services. If updating from the Windows Server Update Services, specify the server URI. The server at that URI will deploy the updates on all the devices connected to this server.
- ![Configure updates 2](./media/azure-stack-edge-gpu-install-update/configure-update-server-2.png)
+ <!--![Configure updates 2](./media/azure-stack-edge-gpu-install-update/configure-update-server-2.png)-->
The WSUS server is used to manage and distribute updates through a management console. A WSUS server can also be the update source for other WSUS servers within the organization. The WSUS server that acts as an update source is called an upstream server. In a WSUS implementation, at least one WSUS server on your network must be able to connect to Microsoft Update to get available update information. As an administrator, you can determine - based on network security and configuration - how many other WSUS servers connect directly to Microsoft Update.
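Review bot: Both screenshots in this hunk are wrapped in `<!-- -->` rather than deleted, which leaves dead image references in the source. If the captures are outdated, remove the lines (and the image files) or replace them with current captures; the existing `<!--![Search catalog 2]...-->` further down in this article shows how these commented-out images accumulate.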
Each of these steps is described in the following sections.
We recommend that you install updates through the Azure portal. The device automatically scans for updates once a day. Once the updates are available, you see a notification in the portal. You can then download and install the updates. > [!NOTE]
-> Make sure that the device is healthy and status shows as **Your device is running fine!** before you proceed to install the updates.
+> - Make sure that the device is healthy and status shows as **Your device is running fine!** before you proceed to install the updates.
+ Depending on the software version that you are running, install process may differ slightly. -- If you are updating from 2106 to 2110 or 2111, you will have a one-click install. See the **version 2106 and later** tab for instructions.
+- If you are updating from 2106 to 2110 or later, you will have a one-click install. See the **version 2106 and later** tab for instructions.
- If you are updating to versions prior to 2110, you will have a two-click install. See **version 2105 and earlier** tab for instructions. ### [version 2106 and later](#tab/version-2106-and-later)
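Review bot: The NOTE now contains a single bulleted item ("> - Make sure that the device is healthy..."); a one-item list reads as if a second item was lost. Either add the intended second point or revert to a plain note sentence. The version wording "from 2106 to 2110 or later" is consistent with the unchanged "prior to 2110" line that follows.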
Depending on the software version that you are running, install process may diff
Go to the local web UI and then go to **Software update** page. Verify that the Kubernetes update has successfully installed and the software version reflects that.
- ![Software version after update 17](./media/azure-stack-edge-gpu-install-update/portal-update-16.png)
+ ![Software version after update 17](./media/azure-stack-edge-gpu-install-update/portal-update-16-mod.png)
Once the device software and Kubernetes updates are successfully installed, the banner notification disappears.
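Review bot: The screenshot is swapped for `portal-update-16-mod.png` but the alt text "Software version after update 17" is left as is; alt text should describe the image (for example, "Screenshot of the Software update page showing the installed version") rather than carry a sequence number.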
Do the following steps to download the update from the Microsoft Update Catalog.
2. In the search box of the Microsoft Update Catalog, enter the Knowledge Base (KB) number of the hotfix or terms for the update you want to download. For example, enter **Azure Stack Edge**, and then click **Search**.
- The update listing appears as **Azure Stack Edge Update 2111**.
+ The update listing appears as **Azure Stack Edge Update 2202**.
<!--![Search catalog 2](./media/azure-stack-edge-gpu-install-update/download-update-2-b.png)-->
-4. Select **Download**. There are two packages to download: one for the device software updates (*SoftwareUpdatePackage.exe*) and another for the Kubernetes updates (*Kubernetes_Package.exe*), respectively. Download the packages to a folder on the local system. You can also copy the folder to a network share that is reachable from the device.
+4. Select **Download**. There are two packages to download for the update. The first package will have two files for the device software updates (*SoftwareUpdatePackage.0.exe*, *SoftwareUpdatePackage.1.exe*) and the second package has two files for the Kubernetes updates (*Kubernetes_Package.0.exe*, *Kubernetes_Package.1.exe*), respectively. Download the packages to a folder on the local system. You can also copy the folder to a network share that is reachable from the device.
+ ### Install the update or the hotfix
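Review bot: The package description is hard to parse: "There are two packages to download for the update. The first package will have two files ... and the second package has two files ..., respectively" leaves "respectively" dangling and mixes tenses. Suggest: "The update consists of two packages: the device software package (*SoftwareUpdatePackage.0.exe* and *SoftwareUpdatePackage.1.exe*) and the Kubernetes package (*Kubernetes_Package.0.exe* and *Kubernetes_Package.1.exe*)." The added `### Install the update or the hotfix` heading also carries a leading space; remove it so it sits flush with the other headings.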
This procedure takes around 20 minutes to complete. Perform the following steps
![update device 2](./media/azure-stack-edge-gpu-install-update/local-ui-update-2.png)
-2. Provide the path to the update file. You can also browse to the update installation file if placed on a network share. Select the software update file with *SoftwareUpdatePackage.exe* suffix.
+2. Provide the path to the update file. You can also browse to the update installation file if placed on a network share. Select the two software files (with *SoftwareUpdatePackage.0.exe* and *SoftwareUpdatePackage.1.exe* suffix) together.
- ![update device 3](./media/azure-stack-edge-gpu-install-update/local-ui-update-3-a.png)
+ ![Screenshot of files selected for the device software update.](./media/azure-stack-edge-gpu-install-update/local-ui-update-3-a.png)
3. Select **Apply update**.
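Review bot: Step 2 says `with *SoftwareUpdatePackage.0.exe* and *SoftwareUpdatePackage.1.exe* suffix`, but the download section lists those same strings as the file names themselves; either show the full filename pattern the reader will see in the browse dialog or write `the two files named ...`, so it is clear whether a prefix is expected. The new alt text for `local-ui-update-3-a.png` is a good improvement over `update device 3`.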
This procedure takes around 20 minutes to complete. Perform the following steps
5. The update starts. After the device is successfully updated, it restarts. The local UI is not accessible in this duration.
-6. After the restart is complete, you are taken to the **Sign in** page. To verify that the device software has been updated, in the local web UI, go to **Maintenance** > **Software update**. For the current release, the displayed software version should be **Azure Stack Edge 2111**.
+6. After the restart is complete, you are taken to the **Sign in** page. To verify that the device software has been updated, in the local web UI, go to **Maintenance** > **Software update**. For the current release, the displayed software version should be **Azure Stack Edge 2202**.
-7. You will now update the Kubernetes software version. Repeat the above steps. Provide a path to the Kubernetes update file with the *Kubernetes_Package.exe* suffix.
+7. You will now update the Kubernetes software version. Select the remaining two Kubernetes files together (file with the *Kubernetes_Package.0.exe* and *Kubernetes_Package.1.exe* suffix) and repeat the above steps to apply update.
- <!--![update device](./media/azure-stack-edge-gpu-install-update/local-ui-update-7.png)-->
+ ![Screenshot of files selected for the Kubernetes update.](./media/azure-stack-edge-gpu-install-update/local-ui-update-7.png)
8. Select **Apply Update**.
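Review bot: Step 7 still says `repeat the above steps`, but step 6 of the steps being repeated checks the *software* version (**Azure Stack Edge 2202**), not the Kubernetes one; give steps 7 and 8 their own verification target, the Kubernetes version expected after the apply, since the top of this article asks the reader to verify that the Kubernetes update installed. Minor: `repeat the above steps to apply update` should read `to apply the update`, and step 8 says **Apply Update** while step 3 says **Apply update**.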
databox-online Azure Stack Edge Gpu Kubernetes Failover Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-kubernetes-failover-scenarios.md
+
+ Title: Kubernetes failover scenarios on a clustered Azure Stack Edge Pro GPU, Pro R, Mini R device
+description: Describes Kubernetes failover scenarios and the device responses on your Azure Stack Edge Pro GPU 2-node cluster device.
++++++ Last updated : 02/15/2022+++
+# Kubernetes failover scenarios on a clustered Azure Stack Edge device
+
+Kubernetes cluster is deployed as a popular open-source platform to orchestrate containerized applications. This article describes how Kubernetes works on your 2-node Azure Stack Edge device including the failure modes and the corresponding device responses.
+
+## About Kubernetes on Azure Stack Edge
+
+On your Azure Stack Edge device, you can create a Kubernetes cluster by configuring the compute. When the compute role is configured, the Kubernetes cluster including the master and worker nodes are all deployed and configured for you. This cluster is then used for workload deployment via `kubectl`, IoT Edge, or Azure Arc.
+
+The Azure Stack Edge device is available as a 1-node configuration or a 2-node configuration that constitutes the infrastructure cluster. The Kubernetes cluster is separate from the infrastructure cluster and is deployed on top of the infrastructure cluster. The infrastructure cluster provides the persistent storage for your Azure Stack Edge device while the Kubernetes cluster is responsible solely for application orchestration.
+
+The Kubernetes cluster comprises a master node and worker nodes. The Kubernetes nodes in a cluster are virtual machines that run your applications and cloud workflows.
+
+- The Kubernetes master node is responsible for maintaining the desired state for your cluster. The master node also controls the worker node.
+- The worker nodes run the containerized applications.
++
+### Kubernetes cluster on two-node device
+
+The Kubernetes cluster on the 2-node device has one master node and two worker nodes. The 2-node device is highly available, and if one of the nodes fails, both the device and the Kubernetes cluster keep running. For more information on the Kubernetes cluster architecture, go to [Kubernetes core concepts](https://kubernetes.io/docs/concepts/architecture/).
+
+<!--The following diagram illustrates the implementation of Kubernetes on a 2-node Azure Stack Edge device.-->
+
+<!-- update this diagram-->
+
+<!--![Kubernetes architecture for a 2-node Azure Stack Edge device](media/azure-stack-edge-gpu-clustering-overview/azure-stack-edge-kubernetes-workloads-infrastructure-cluster.png)-->
+
+
+On a 2-node Azure Stack Edge device, the Kubernetes master VM and a Kubernetes worker VM are running on node A of your device. On the node B, a single Kubernetes worker VM is running.
+
+Each worker VM in the Kubernetes cluster is a pinned Hyper-V VM. A pinned VM is tied to the specific node it is running on. If the node A on the device fails, the master VM fails over to node B. But the worker VM on node A which is a pinned VM does not fail over to node B and vice-versa. Instead, the pods from the worker VM on node A are rebalanced onto node B.
+
+In order for the rebalanced pods to have enough capacity to run on the device node B, the system enforces that no more than 50% of each ASE nodeΓÇÖs capacity be used during regular 2-node Azure Stack Edge cluster operations. This capacity usage is done on a best effort basis and there are circumstances (for example, workloads requiring unavailable GPU resources when they are rebalanced to ASE Node B) in which rebalanced pods may not have sufficient resources to run.
+
+These scenarios are covered in detail in the next section on [Failure Modes and Behavior](#failure-modes-and-behavior).
+
+## Failure modes and behavior
+
+The Azure Stack Edge device nodes may fail under certain conditions. The various failure modes and the corresponding device responses are tabulated in this section.
+
+#### Azure Stack Edge node failures or reboots
+
+| Node | Failures | Responses |
+|-|--|--|
+| Node A has failures <br>(Node B has no failures) | Following possible failures can occur: <ul><li>Both PSUs fail</li><li>One or both Port 3, Port 4 fail</li><li>Core component fails, includes motherboard, DIMM, OS disk</li><li>Entire node fails</li><ul> | Following responses are seen for each of these failures:<ul><li>Kubernetes master VM fails over from node A to node B</li><li>Master VM takes few minutes to come up on node B</li><li>Pods from node A are rebalanced on node B</li><li>GPU workloads keep running if GPU is available on node B</ul> |
+| Node A reboots <br>(Node B has no failures) | Node reboots | After node A completes rebooting and the worker VM is available, master VM will rebalance the pods from node B. |
+| Node B has failures <br>(Node A has no failures) | Following possible failures can occur: <ul><li>Both PSUs fail</li><li>One or both Port 3, Port 4 fail</li><li>Core component fails, includes motherboard, DIMM, OS disk</li><li>Entire node fails</li><ul> | Following responses are seen for each of these failures: <ul><li>Kubernetes master VM rebalances pods from node B. This could take a few minutes.</li></ul> |
+| Node B reboots <br>(Node A has no failures) | Node reboots | After node B completes rebooting and the worker VM is available, master VM will rebalance the pods from node B. |
+
+#### Azure Stack Edge node updates
+
+| Update type |Responses |
+|-|--|
+| Device node update | Rolling updates are applied to device nodes and the nodes will reboot. |
+| Kubernetes service update | Kubernetes service update includes: <ul><li> A failover of the Kubernetes master VM from device node A to device node B </li><li> A Kubernetes master update. </li><li> Kubernetes worker node updates (not necessarily in that order). </li></ul>The entire update process could take 30 minutes or more, and during this window the Kubernetes cluster is available for any management operations (like deploying a new workload). Although pods will be drained from the device node while it is being updated, workloads may be offline for several seconds during this process. |
++
+## Next steps
+
+<!--update the next steps to include clustering docs-->
+- Learn more about Kubernetes storage on [Azure Stack Edge device](azure-stack-edge-gpu-kubernetes-storage.md).
+- Understand the Kubernetes networking model on [Azure Stack Edge device](azure-stack-edge-gpu-kubernetes-networking.md).
+- Deploy [Azure Stack Edge](azure-stack-edge-gpu-deploy-prep.md) in Azure portal.
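Review bot: The HTML list markup in the `Azure Stack Edge node failures or reboots` table is malformed: both `Failures` cells close their list with `<ul>` instead of `</ul>` (`<li>Entire node fails</li><ul> |`), and the first `Responses` cell ends `<li>GPU workloads keep running if GPU is available on node B</ul>` without `</li>`, so the unclosed lists will swallow the rest of the row when rendered. Also check the reboot rows: `Node B reboots` says the master VM `will rebalance the pods from node B`, but per the `Node B has failures` row those pods were already moved off node B during the outage, so after the reboot they are rebalanced from node A back onto node B; the `Node A reboots` row has the same ambiguity and does not say whether a node A reboot also triggers the master VM failover described for node A failures. In the updates table, `during this window the Kubernetes cluster is available for any management operations` reads like a dropped `not`, given that the master VM is failing over and being updated in that same window; please confirm the intended statement, and `Although pods will be drained ... workloads may be offline` is not a contrast (draining is the cause). Smaller items: `nodeΓÇÖs` in the capacity paragraph is a mis-encoded apostrophe, `ASE` is used without being introduced, `<!-- update this diagram-->` and `<!--update the next steps to include clustering docs-->` are TODOs committed to the source, the `####` headings sit directly under an `##` section, and the opening sentence `Kubernetes cluster is deployed as a popular open-source platform` should read `Kubernetes is a popular open-source platform`.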
databox-online Azure Stack Edge Gpu Kubernetes Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-kubernetes-overview.md
Title: Overview of Kubernetes cluster on Microsoft Azure Stack Edge Pro device| Microsoft Docs
-description: Describes how Kubernetes is implemented on your Azure Stack Edge Pro device.
+ Title: Overview of Kubernetes cluster on Azure Stack Edge Pro GPU, Pro R, Mini R device
+description: Describes how Kubernetes is implemented on your Azure Stack Edge Pro GPU, Pro R, Mini R device.
Previously updated : 03/01/2021 Last updated : 11/07/2021
[!INCLUDE [applies-to-GPU-and-pro-r-and-mini-r-skus](../../includes/azure-stack-edge-applies-to-gpu-pro-r-mini-r-sku.md)]
-Kubernetes is a popular open-source platform to orchestrate containerized applications. This article provides an overview of Kubernetes and then describes how Kubernetes works on your Azure Stack Edge Pro device.
+Kubernetes is a popular open-source platform to orchestrate containerized applications. This article provides an overview of Kubernetes and then describes how Kubernetes works on your Azure Stack Edge device.
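Review bot: `Last updated : 11/07/2021` in the front matter is not bumped even though this change adds new sections (the two-node cluster and compute requirements) to the article; readers use the date to judge whether the two-node content applies to their release, so set it to the date of this change. The new title and description listing Pro GPU, Pro R, and Mini R match the applies-to include, which is good.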
## About Kubernetes
As an open platform, you can use Kubernetes to build applications with your pref
For more information, see [How Kubernetes works](https://www.youtube.com/watch?v=q1PcAawa4Bg&list=PLLasX02E8BPCrIhFrc_ZiINhbRkYMKdPT&index=2&t=0s).
-## Kubernetes on Azure Stack Edge Pro
+## Kubernetes on Azure Stack Edge
-On your Azure Stack Edge Pro device, you can create a Kubernetes cluster by configuring the compute. When the compute role is configured, the Kubernetes cluster including the master and worker nodes are all deployed and configured for you. This cluster is then used for workload deployment via `kubectl`, IoT Edge, or Azure Arc.
+On your Azure Stack Edge device, you can create a Kubernetes cluster by configuring the compute. When the compute role is configured, the Kubernetes cluster including the master and worker nodes are all deployed and configured for you. This cluster is then used for workload deployment via `kubectl`, IoT Edge, or Azure Arc.
-The Azure Stack Edge Pro device is available as a 1-node configuration that constitutes the infrastructure cluster. The Kubernetes cluster is separate from the infrastructure cluster and is deployed on top of the infrastructure cluster. The infrastructure cluster provides the persistent storage for your Azure Stack Edge Pro device while the Kubernetes cluster is responsible solely for application orchestration.
+The Azure Stack Edge device is available as a 1-node configuration or a 2-node configuration (for Pro GPU model only) that constitutes the infrastructure cluster. The Kubernetes cluster is separate from the infrastructure cluster and is deployed on top of the infrastructure cluster. The infrastructure cluster provides the persistent storage for your Azure Stack Edge device while the Kubernetes cluster is responsible solely for application orchestration.
-The Kubernetes cluster in this case has a master node and a worker node. The Kubernetes nodes in a cluster are virtual machines that run your applications and cloud workflows.
+The Kubernetes cluster has master node and worker nodes. The Kubernetes nodes in a cluster are virtual machines that run your applications and cloud workflows.
-The Kubernetes master node is responsible for maintaining the desired state for your cluster. The master node also controls the worker node which in turn runs the containerized applications.
+The Kubernetes master node is responsible for maintaining the desired state for your cluster. The master node also controls the worker node which in turn runs the containerized applications.
-The following diagram illustrates the implementation of Kubernetes on a 1-node Azure Stack Edge Pro device. The 1-node device is not highly available and if the single node fails, the device goes down. The Kubernetes cluster also goes down.
+### Kubernetes cluster on single node device
-![Kubernetes architecture for a 1-node Azure Stack Edge Pro device](media/azure-stack-edge-gpu-kubernetes-overview/kubernetes-architecture-1-node.png)
+The following diagram illustrates the implementation of Kubernetes on a 1-node Azure Stack Edge device. The 1-node device has one master node and one worker node. The 1-node device is not highly available and if the single node fails, the device goes down. The Kubernetes cluster also goes down.
+
+![Kubernetes architecture for a 1-node Azure Stack Edge device](media/azure-stack-edge-gpu-kubernetes-overview/kubernetes-architecture-1-node.png)
+
+### Kubernetes cluster on two-node device
+
+<!--The following diagram illustrates the implementation of Kubernetes on a 2-node Azure Stack Edge device.--> The 2-node Azure Stack Edge device has one master node and two worker nodes. The 2-node device is highly available and if one of the node fails, the master node fails over to the other node. Both the device and the Kubernetes cluster keep running.
++
+<!--![Kubernetes architecture for a 2-node Azure Stack Edge device](media/azure-stack-edge-gpu-clustering-overview/azure-stack-edge-kubernetes-workloads-infrastructure-cluster.png)-->
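Review bot: The new two-node paragraph is appended on the same line as a leftover HTML comment (`<!--The following diagram illustrates ... --> The 2-node Azure Stack Edge device ...`); either move the comment onto its own line or remove it together with the commented-out image below it, since no diagram ships and that image path points at another article's media folder (`azure-stack-edge-gpu-clustering-overview`). Grammar in the same hunk: `The Kubernetes cluster has master node and worker nodes` needs `a master node`, `if one of the node fails` should be `nodes`, and the stray `+` line after the paragraph is an added line containing only a plus sign. The sentence also says the master *node* `fails over to the other node`; the failover-scenarios article added in this same change describes it as the master *VM* failing over while worker VMs are pinned, so use the same wording here.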
For more information on the Kubernetes cluster architecture, go to [Kubernetes core concepts](https://kubernetes.io/docs/concepts/architecture/).
-The master and the worker nodes are virtual machines that consume CPU and memory. When deploying Kubernetes workloads, it is important to understand the compute requirements for the master and worker VMs.
+
+### Kubernetes compute requirements
+
+The Kubernetes master and the worker nodes are virtual machines that consume CPU and memory. When deploying Kubernetes workloads, it is important to understand the compute requirements for the master and worker VMs.
|Kubernetes VM type|CPU and memory requirement| ||| |Master VM|4 cores, 4-GB RAM| |Worker VM|12 cores, 32-GB RAM|+ <!--The Kubernetes cluster control plane components make global decisions about the cluster. The control plane has: - *kubeapiserver* that is the front end of the Kubernetes API and exposes the API.
The master and the worker nodes are virtual machines that consume CPU and memory
## Storage volume provisioning
-To support application workloads, you can mount storage volumes for persistent data on your Azure Stack Edge Pro device shares. Both static and dynamic volumes can be used.
+To support application workloads, you can mount storage volumes for persistent data on your Azure Stack Edge device shares. Both static and dynamic volumes can be used.
-For more information, see storage provisioning options for applications in [Kubernetes storage for your Azure Stack Edge Pro device](azure-stack-edge-gpu-kubernetes-storage.md).
+For more information, see storage provisioning options for applications in [Kubernetes storage for your Azure Stack Edge device](azure-stack-edge-gpu-kubernetes-storage.md).
## Networking
-Kubernetes networking enables you to configure communication within your Kubernetes network including container-to-container networking, pod-to-pod networking, pod-to-service networking, and Internet-to-service networking. For more information, see the networking model in [Kubernetes networking for your Azure Stack Edge Pro device](azure-stack-edge-gpu-kubernetes-networking.md).
+Kubernetes networking enables you to configure communication within your Kubernetes network including container-to-container networking, pod-to-pod networking, pod-to-service networking, and Internet-to-service networking. For more information, see the networking model in [Kubernetes networking for your Azure Stack Edge device](azure-stack-edge-gpu-kubernetes-networking.md).
## Updates
-As new Kubernetes versions become available, your cluster can be upgraded using the standard updates available for your Azure Stack Edge Pro device. For steps on how to upgrade, see [Apply updates for your Azure Stack Edge Pro](azure-stack-edge-gpu-install-update.md).
+As new Kubernetes versions become available, your cluster can be upgraded using the standard updates available for your Azure Stack Edge device. For steps on how to upgrade, see [Apply updates for your Azure Stack Edge](azure-stack-edge-gpu-install-update.md).
## Access, monitoring
-The Kubernetes cluster on your Azure Stack Edge Pro device allows Kubernetes role-based access control (Kubernetes RBAC). For more information, see [Kubernetes role-based access control on your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-kubernetes-rbac.md).
+The Kubernetes cluster on your Azure Stack Edge device allows Kubernetes role-based access control (Kubernetes RBAC). For more information, see [Kubernetes role-based access control on your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-kubernetes-rbac.md).
-You can also monitor the health of your cluster and resources via the Kubernetes dashboard. Container logs are also available. For more information, see [Use the Kubernetes dashboard to monitor the Kubernetes cluster health on your Azure Stack Edge Pro device](azure-stack-edge-gpu-monitor-kubernetes-dashboard.md).
+You can also monitor the health of your cluster and resources via the Kubernetes dashboard. Container logs are also available. For more information, see [Use the Kubernetes dashboard to monitor the Kubernetes cluster health on your Azure Stack Edge device](azure-stack-edge-gpu-monitor-kubernetes-dashboard.md).
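Review bot: The RBAC link text still reads `Kubernetes role-based access control on your Azure Stack Edge Pro GPU device` while the sentence around it was changed from `Pro` to the generic `Azure Stack Edge device`; with the applies-to include covering Pro R and Mini R, either update the link text or keep `Pro GPU` consistently across the article.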
Azure Monitor is also available as an add-on to collect health data from containers, nodes, and controllers. For more information, see [Azure Monitor overview](../azure-monitor/overview.md)
-<!--## Private container registry
+## Edge container registry
-Kubernetes on Azure Stack Edge Pro device allows for the private storage of your images by providing a local container registry.-->
+Kubernetes on Azure Stack Edge device allows for the private storage of your images by providing a local container registry. For more information, see [Enable Edge container registry on your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-edge-container-registry.md).
## Application management
-After a Kubernetes cluster is created on your Azure Stack Edge Pro device, you can manage the applications deployed on this cluster via any of the following methods:
+After a Kubernetes cluster is created on your Azure Stack Edge device, you can manage the applications deployed on this cluster via any of the following methods:
- Native access via `kubectl` - IoT Edge
These methods are explained in the following sections.
Once the Kubernetes cluster is deployed, then you can manage the applications deployed on the cluster locally from a client machine. You use a native tool such as *kubectl* via the command line to interact with the applications.
-For more information on deploying Kubernetes cluster, go to [Deploy a Kubernetes cluster on your Azure Stack Edge Pro device](azure-stack-edge-gpu-create-kubernetes-cluster.md). For information on management, go to [Use kubectl to manage Kubernetes cluster on your Azure Stack Edge Pro device](azure-stack-edge-gpu-create-kubernetes-cluster.md).
+For more information on deploying Kubernetes cluster, go to [Deploy a Kubernetes cluster on your Azure Stack Edge device](azure-stack-edge-gpu-create-kubernetes-cluster.md). For information on management, go to [Use kubectl to manage Kubernetes cluster on your Azure Stack Edge device](azure-stack-edge-gpu-create-kubernetes-cluster.md).
### Kubernetes and IoT Edge
-Kubernetes can also be integrated with IoT Edge workloads on Azure Stack Edge Pro device where Kubernetes provides scale and the ecosystem and IoT provides the IoT centric ecosystem. The Kubernetes layer is used as an infrastructure layer to deploy Azure IoT Edge workloads. The module lifetime and network load balancing are managed by Kubernetes whereas the edge application platform is managed by IoT Edge.
+Kubernetes can also be integrated with IoT Edge workloads on Azure Stack Edge device where Kubernetes provides scale and the ecosystem and IoT provides the IoT centric ecosystem. The Kubernetes layer is used as an infrastructure layer to deploy Azure IoT Edge workloads. The module lifetime and network load balancing are managed by Kubernetes whereas the edge application platform is managed by IoT Edge.
For more information on deploying applications on your Kubernetes cluster via IoT Edge, go to: -- [Expose stateless applications on Azure Stack Edge Pro device via IoT Edge](azure-stack-edge-gpu-deploy-stateless-application-iot-edge-module.md).
+- [Expose stateless applications on Azure Stack Edge device via IoT Edge](azure-stack-edge-gpu-deploy-stateless-application-iot-edge-module.md).
### Kubernetes and Azure Arc Azure Arc is a hybrid management tool that will allow you to deploy applications on your Kubernetes clusters. Azure Arc also allows you to use Azure Monitor for containers to view and monitor your clusters. For more information, go to [What is Azure Arc-enabled Kubernetes?](../azure-arc/kubernetes/overview.md). For information on Azure Arc pricing, go to [Azure Arc pricing](https://azure.microsoft.com/services/azure-arc/#pricing).
+<!-- confirm with Anoob/Rohan if this needs to be updated as Azure Arc is now GA-->
+ Beginning March 2021, Azure Arc-enabled Kubernetes will be generally available to the users and standard usage charges apply. As a valued preview customer, the Azure Arc-enabled Kubernetes will be available to you at no charge for Azure Stack Edge device(s). To avail the preview offer, create a [Support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest): 1. Under **Issue type**, select **Billing**.
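Review bot: The added `<!-- confirm with Anoob/Rohan if this needs to be updated as Azure Arc is now GA-->` is an internal reviewer question with employee names that will ship in the public source; resolve it before merge rather than committing it. The paragraph it refers to is stale: `Beginning March 2021, Azure Arc-enabled Kubernetes will be generally available` is future tense about a date a year before this change, and the comment itself says Arc is GA, so the preview-offer text and the support-request steps should be rewritten or removed instead of re-indented. Also, `1. Under **Issue type**, select **Billing**.` is run onto the same line as the paragraph instead of starting a list.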
Beginning March 2021, Azure Arc-enabled Kubernetes will be generally available t
## Next steps -- Learn more about Kubernetes storage on [Azure Stack Edge Pro device](azure-stack-edge-gpu-kubernetes-storage.md).-- Understand the Kubernetes networking model on [Azure Stack Edge Pro device](azure-stack-edge-gpu-kubernetes-networking.md).-- Deploy [Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-prep.md) in Azure portal.
+- Learn more about Kubernetes storage on [Azure Stack Edge device](azure-stack-edge-gpu-kubernetes-storage.md).
+- Understand the Kubernetes networking model on [Azure Stack Edge device](azure-stack-edge-gpu-kubernetes-networking.md).
+- Deploy [Azure Stack Edge](azure-stack-edge-gpu-deploy-prep.md) in Azure portal.
databox-online Azure Stack Edge Gpu Manage Certificates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-manage-certificates.md
Previously updated : 06/01/2021 Last updated : 01/28/2022
-# Upload, import, and export certificates on Azure Stack Edge Pro GPU
+# Upload, import, export, and delete certificates on Azure Stack Edge Pro GPU
[!INCLUDE [applies-to-GPU-and-pro-r-and-mini-r-skus](../../includes/azure-stack-edge-applies-to-gpu-pro-r-mini-r-sku.md)]
-To ensure secure and trusted communication between your Azure Stack Edge device and the clients connecting to it, you can use self-signed certificates or bring your own certificates. This article describes how to manage these certificates including how to upload, import, export these certificates or view their expiration date.
+To ensure secure and trusted communication between your Azure Stack Edge device and the clients connecting to it, you can use self-signed certificates or bring your own certificates. This article describes how to manage these certificates, including how to upload, import, and export these certificates. You can also view certificate expiration dates and delete your old signing certificates.
To know more about how to create these certificates, see [Create certificates using Azure PowerShell](azure-stack-edge-gpu-create-certificates-powershell.md).
To upload the root and endpoint certificates on the device, use the **+ Add cert
1. Upload the root certificates first. In the local web UI, go to **Certificates**. 1. Select **+ Add certificate**.
- ![Add signing chain certificate 1](media/azure-stack-edge-gpu-manage-certificates/add-cert-1.png)
+ ![Screenshot showing Add Certificate screen when adding a Signing Chain certificate to an Azure Stack Edge device. The Save Certificate button is highlighted.](media/azure-stack-edge-gpu-manage-certificates/add-cert-1.png)
1. Save the certificate.
To upload the root and endpoint certificates on the device, use the **+ Add cert
1. Next upload the endpoint certificates.
- ![Add signing chain certificate 2](media/azure-stack-edge-gpu-manage-certificates/add-cert-2.png)
+ ![Screenshot showing Add Certificate screen when adding Endpoint certificates to an Azure Stack Edge device. The Save Certificate button is highlighted.](media/azure-stack-edge-gpu-manage-certificates/add-cert-2.png)
Choose the certificate files in *.pfx* format and enter the password you supplied when you exported the certificate. The Azure Resource Manager certificate may take a few minutes to apply. If the signing chain is not updated first, and you try to upload the endpoint certificates, then you will get an error.
- ![Apply certificate error](media/azure-stack-edge-gpu-manage-certificates/apply-cert-error-1.png)
+ ![Screenshot showing Apply Certificate error when an Endpoint certificate is uploaded without first uploading a Signing Chain certificate on an Azure Stack Edge device.](media/azure-stack-edge-gpu-manage-certificates/apply-cert-error-1.png)
Go back and upload the signing chain certificate and then upload and apply the endpoint certificates.
The Kubernetes certificates can be for Edge Container Registry or for Kubernetes
1. Upload the Kubernetes certificate and the corresponding key file that you generated earlier. - For Edge Container Registry
-
- ![Screenshot for adding an Edge Container Registry certificate and key file](media/azure-stack-edge-gpu-manage-certificates/add-cert-3.png)
- - For Kubernetes dashboard
+ ![Screenshot showing Add Certificate screen when adding an Edge Container Registry certificate to an Azure Stack Edge device. Browse buttons for the certificate and key file are highlighted.](media/azure-stack-edge-gpu-manage-certificates/add-cert-3.png)
+
+ - For Kubernetes dashboard
- ![Screenshot for adding a Kubernetes dashboard certificate and key file](media/azure-stack-edge-gpu-manage-certificates/add-cert-4.png)
+ ![Screenshot showing Add Certificate screen when adding a Kubernetes dashboard certificate to an Azure Stack Edge device. Browse buttons for the certificate and key file are highlighted.](media/azure-stack-edge-gpu-manage-certificates/add-cert-4.png)
## Import certificates on the client accessing the device
To import certificates on a Windows client, take the following steps:
1. Right-click the file and select **Install certificate**. This action starts the Certificate Import Wizard.
- ![Import certificate 1](media/azure-stack-edge-gpu-manage-certificates/import-cert-1.png)
+ ![Screenshot the context menu for a file in Windows File Explorer. The Install Certificate option is highlighted.](media/azure-stack-edge-gpu-manage-certificates/import-cert-1.png)
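Review bot: Alt text typo in the new `import-cert-1.png` description: `Screenshot the context menu for a file` is missing `of`.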
2. For **Store location**, select **Local Machine**, and then select **Next**.
- ![Import certificate 2](media/azure-stack-edge-gpu-manage-certificates/import-cert-2.png)
+ ![Screenshot of the Certificate Import Wizard on a Windows client. The Local Machine storage location is highlighted.](media/azure-stack-edge-gpu-manage-certificates/import-cert-2.png)
3. Select **Place all certificates in the following store**, and then select **Browse**. - To import into personal store, navigate to the Personal store of your remote host, and then select **Next**.
- ![Import certificate 4](media/azure-stack-edge-gpu-manage-certificates/import-cert-4.png)
-
+ ![Screenshot of Certificate Import Wizard in Windows with the Personal certificate store selected. The Certificate Store option and Next button are highlighted.](media/azure-stack-edge-gpu-manage-certificates/import-cert-4.png)
- To import into trusted store, navigate to the Trusted Root Certificate Authority, and then select **Next**.
- ![Import certificate 3](media/azure-stack-edge-gpu-manage-certificates/import-cert-3.png)
+ ![Screenshot of Certificate Import Wizard in Windows with the Trusted Root Certification Authority certificate store selected. The Certificate Store option and Next button are highlighted.](media/azure-stack-edge-gpu-manage-certificates/import-cert-3.png)
-
4. Select **Finish**. A message to the effect that the import was successful appears.
To import certificates on a Windows client, take the following steps:
If you bring in your own certificates, the certificates will expire typically in 1 year or 6 months. To view the expiration date on your certificate, go to the **Certificates** page in the local web UI of your device. If you select a specific certificate, you can view the expiration date on your certificate.
+## Delete signing chain certificate
+
+You can delete an old, expired signing chain certificate from your device. When you do, any dependent certificates in the signing chain will no longer be valid. Only signing chain certificates can be deleted.
+
+To delete a signing chain certificate from your Azure Stack Edge device, take the following steps:
+
+1. In the local web UI of your device, go to **CONFIGURATION** > **Certificates**.
+
+1. Select the signing chain certificate you want to delete. Then select **Delete**.
+
+ [ ![Screenshot of the Certificates blade of the local Web UI of an Azure Stack Edge device. The Delete option for the signing certificates is highlighted.](media/azure-stack-edge-gpu-manage-certificates/delete-signing-certificate-01.png) ](media/azure-stack-edge-gpu-manage-certificates/delete-signing-certificate-01.png)
+
+1. On the **Delete certificate** pane, verify the certificate's thumbprint, and then select **Delete**. Certificate deletion can't be reversed.
+
+ ![Screenshot of the Delete Certificate screen for a Signing Certificate on an Azure Stack Edge device. The certificate thumbprint and Delete button are highlighted.](media/azure-stack-edge-gpu-manage-certificates/delete-signing-certificate-02.png)
+
+ After certificate deletion is complete, all dependent certificates in the signing chain are no longer valid.
+
+1. To see the status updates, refresh the display. The signing chain certificate will no longer be displayed, and dependent certificates will have **Not valid** status.
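Review bot: The new delete procedure states that after deletion `all dependent certificates in the signing chain are no longer valid`, but it never tells the reader what to do before deleting, and the upload section above states that endpoint certificates cannot be uploaded until their signing chain is on the device. Add a prerequisite step: upload the replacement signing chain, upload and apply the endpoint certificates issued under it, and confirm in the **Certificates** list that no certificate still in use chains to the old signing certificate; otherwise the dependent endpoint certificates go to **Not valid** the moment the chain is deleted, and step 3 notes the deletion cannot be reversed. Also reconcile the intro, `You can delete an old, expired signing chain certificate`, with step 2, which does not restrict deletion to expired certificates: say plainly whether an unexpired signing chain can be deleted. In step 3, say what the thumbprint on the **Delete certificate** pane should be compared against (the thumbprint shown for the certificate selected in step 2), so the check is actionable.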
## Next steps
databox-online Azure Stack Edge Gpu Manage Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-manage-cluster.md
+
+ Title: Cluster management on your two-node Azure Stack Edge device
+description: Describes how to manage your Azure Stack Edge two-node device cluster.
++++++ Last updated : 02/14/2022+++
+# Manage your Azure Stack Edge cluster
+
+This article provides a brief overview of clustering-related management tasks on your Azure Stack Edge device. Some of these tasks include how to add a node, configure or modify a cluster witness or remove the cluster. The cluster can be managed via the local UI of your device.
+
+## Undo node preparation
+
+Perform these steps on the node of the device that you were trying to prepare. You may use the undo node preparation option when you decide not to proceed with preparing this node to form a cluster.
+
+1. In the local UI, go to the **Get started** page. Under **Prepare a node for clustering**, select **Undo node preparation**.
+
+ ![Screenshot of local web UI "Get started" page when Preparing a node for clustering with Undo node preparation is selected.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/undo-node-preparation-1.png)
+
+1. When you select **Undo node preparation**, you'll go back to the **Get authentication token** tile and **Prepare node** option will be available. If you decide to prepare this node again, you'll need to select **Prepare node** again.
+
+ ![Screenshot of local web UI "Get started" page when Preparing a node for clustering with Prepare node is selected in Get authentication token tile.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/undo-node-preparation-2.png)
+
+## View existing nodes
+
+1. In the local UI, go to the **Cluster** page.
+1. Under **Existing nodes**, you can view the existing nodes for your cluster.
+
+ ![Screenshot of local web UI "Cluster" page with "Modify" option selected for "Cluster witness" on first node -1.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/view-cluster-nodes-1.png)
+
+## Replace a node
+
+You may need to replace a node if one of the nodes on your device is down or not healthy. Perform these steps on the node that you are trying to replace.
+
+1. In the local UI, go to the **Cluster** page. Under **Existing nodes**, view the status of the nodes. You'll want to replace the node that shows the status as **Down**.
+
+ ![Screenshot of local web UI "Cluster" page with "Existing nodes" option displaying a node status as Down.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/replace-node-1.png)
+
+1. Select **Replace node** and enter the following inputs.
+
+ 1. Choose the node to replace. This should be automatically selected as the node, which is down.
+ 1. Prepare another node. Configure the networking on this node in the same way as you set up on the first node. Get the node serial number and authentication token from the new incoming node.
+ 1. Provide the **Node serial number** for the incoming replacement node.
+ 1. Supply the **Node token** for the incoming replacement node.
+ 1. Select **Validate & add**. The credentials of the incoming node are now validated.
+
+ ![Screenshot of local web UI "Cluster" page with "Apply" selected on "Validate & add" blade.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/replace-node-2.png)
+
+ 1. Once the validation has successfully completed, select **Add node** to complete the node replacement. It may take several minutes for the replacement node to get added to form the cluster.
++
+## Configure cluster witness
+
+Follow these steps to configure the cluster witness.
+
+### Configure cloud witness
+
+Perform these steps on the first node of the device.
+
+1. In the local UI, go to the **Cluster** page. Under **Cluster witness type**, select **Modify**.
+
+ ![Screenshot of local web UI "Cluster" page with "Modify" option selected for "Cluster witness" on first node - 2.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-1m.png)
+
+1. In the **Modify cluster witness** blade, enter the following inputs.
+ 1. Choose the **Witness type** as **Cloud.**
+ 1. Enter the **Azure Storage account name**.
+ 1. Specify Storage account authentication from Access key or SAS token.
+ 1. If you chose Access key as the authentication mechanism, enter the Access key of the Storage account, Azure Storage container where the witness lives, and the service endpoint.
+ 1. Select **Apply**.
+
+ ![Screenshot of local web UI "Cluster" page with cloud witness type selected in "Modify cluster witness" blade on first node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-cloud-1.png)
+
+### Configure local witness
+
+Perform these steps on the first node of the device.
+
+1. In the local UI, go to the **Cluster** page. Under **Cluster witness type**, select **Modify**.
+
+ ![Screenshot of local web UI "Cluster" page with "Modify" option selected for "Cluster witness" on first node - 3.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-1m.png)
+
+1. In the **Modify cluster witness** blade, enter the following inputs.
+ 1. Choose the **Witness type** as **Local.**
+ 1. Enter the file share path as *//server/fileshare* format.
+ 1. Select **Apply**.
+
+ ![Screenshot of local web UI "Cluster" page with local witness type selected in "Modify cluster witness" blade on first node](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/add-cluster-witness-local-1.png)
++
+## Configure virtual IPs
+
+For Azure consistent services and NFS, you'll also need to define a virtual IP that allows you to connect to a clustered device as opposed to a specific node. A virtual IP is an available IP in the cluster network and any client connecting to the cluster network on the two-node device should be able to access this IP.
++
+### For Azure Consistent Services
+
+For Azure Consistent Services, follow these steps to configure virtual IP.
+
+1. In the local UI on the **Cluster** page, under the **Virtual IP settings** section, select **Azure Consistent Services**.
+
+ ![Screenshot of local web UI "Cluster" page with "Azure Consistent Services" selected for "Virtual IP Settings" on first node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-azure-consistent-services-1m.png)
+
+1. In the **Virtual IP settings** blade, input the following.
+
+ 1. From the dropdown list, select the **Azure Consistent Services network**.
+ 1. Choose IP settings from **DHCP** or **static**.
+ 1. If you chose IP settings as static, enter a virtual IP. This should be a free IP from within the Azure Consistent Services network that you specified. If you selected DHCP, a virtual IP is automatically picked from the Azure Consistent Services network that you selected.
+1. Select **Apply**.
+
+ ![Screenshot of local web UI "Cluster" page with "Virtual IP Settings" blade configured for Azure consistent services on first node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-azure-consistent-services-2.png)
++
+### For Network File System
+
+For clients connecting via NFS protocol to the two-node device, follow these steps to configure virtual IP.
+
+1. In the local UI on the **Cluster** page, under the **Virtual IP settings** section, select **Network File System**.
+
+ ![Screenshot of local web UI "Cluster" page with "Network File System" selected for "Virtual IP Settings" on first node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-network-file-system-1m.png)
+
+1. In the **Virtual IP settings** blade, input the following.
+
+ 1. From the dropdown list, select the **NFS network**.
+ 1. Choose IP settings from **DHCP** or **Static**.
+ 1. If you chose IP settings as static, enter a virtual IP. This should be a free IP from within the NFS network that you specified. If you selected DHCP, a virtual IP is automatically picked from the NFS network that you selected.
+1. Select **Apply**.
+
+ ![Screenshot of local web UI "Cluster" page with "Virtual IP Settings" blade configured for NFS on first node.](./media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/configure-network-file-system-2.png)
+
+> [!NOTE]
+> Virtual IP settings are required. If you do not configure this IP, you will be blocked when configuring the **Device settings** in the next step.
+
+## Remove the cluster
+
+In this release, the only way to remove or destroy the cluster is to reset the device.
+
+> [!NOTE]
+> To remove the cluster, you need to reset only one device node. In this release, if a reset is triggered on one node in a two-node cluster, it will trigger reset on both the nodes in the cluster.
+
+Follow these steps to reset the device:
+
+1. In the local web UI of your first device node, go to **Maintenance > Device reset**.
+1. Select **Reset device**.
+1. On the **Confirm reset** dialog, enter **Yes** and select **Yes** to continue with the device reset. Resetting the device will delete all the local data on the device.
+
+The reset process will take approximately 35-40 minutes.
++
+## Next steps
+
+- Learn about [VM sizes and types for Azure Stack Edge Pro GPU](azure-stack-edge-gpu-virtual-machine-sizes.md).
++
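Review bot: the cloud witness steps document only the Access key branch: step 3 offers "Access key or SAS token", but step 4 lists inputs only for the access key, so add the matching inputs for the SAS token choice (the token itself, and whether the container and service endpoint are still required). Because a storage account access key grants full access to the whole account while a SAS token can be scoped to just the witness container, the text should also say which option is recommended. Two smaller points: under "Configure local witness" the share path is shown as *//server/fileshare*, so confirm whether the UI really expects that form rather than the usual UNC form with backslashes; and in "Replace a node", "the node, which is down" should read "the node that is down".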
databox-online Azure Stack Edge Gpu Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-overview.md
Azure Stack Edge Pro with GPU is a Hardware-as-a-Service solution. Microsoft shi
Here are the various scenarios where Azure Stack Edge Pro GPU can be used for rapid Machine Learning (ML) inferencing at the edge and preprocessing data before sending it to Azure. -- **Inference with Azure Machine Learning** - With Azure Stack Edge Pro GPU, you can run ML models to get quick results that can be acted on before the data is sent to the cloud. The full data set can optionally be transferred to continue to retrain and improve your ML models. For more information on how to use the Azure ML hardware accelerated models on the Azure Stack Edge Pro GPU device, see
+- **Inference with Azure Machine Learning** - With Azure Stack Edge Pro GPU, you can run ML models to get quick results that can be acted on before the data is sent to the cloud. The full data set can optionally be transferred to continue to retrain and improve your ML models. For more information, see how to use
[Deploy Azure ML hardware accelerated models on Azure Stack Edge Pro GPU](../machine-learning/how-to-deploy-fpga-web-service.md#deploy-to-a-local-edge-server). - **Preprocess data** - Transform data before sending it to Azure via compute options such as containerized workloads and Virtual Machines to create a more actionable dataset. Preprocessing can be used to:
Azure Stack Edge Pro GPU has the following capabilities:
|Data access | Direct data access from Azure Storage Blobs and Azure Files using cloud APIs for additional data processing in the cloud. Local cache on the device is used for fast access of most recently used files.| |Cloud-managed |Device and service are managed via the Azure portal.| |Offline upload | Disconnected mode supports offline upload scenarios.|
-|Supported file transfer protocols | Support for standard SMB, NFS, and REST protocols for data ingestion. <br> For more information on supported versions, see [Azure Stack Edge Pro GPU system requirements](azure-stack-edge-system-requirements.md).|
+|Supported file transfer protocols | Support for standard Server Message Block (SMB), Network File System (NFS), and Representational State Transfer (REST) protocols for data ingestion. <br> For more information on supported versions, see [Azure Stack Edge Pro GPU system requirements](azure-stack-edge-system-requirements.md).|
|Data refresh | Ability to refresh local files with the latest from cloud. <br> For more information, see [Refresh a share on your Azure Stack Edge](azure-stack-edge-gpu-manage-shares.md#refresh-shares).| |Encryption | BitLocker support to locally encrypt data and secure data transfer to cloud over *https*.| |Bandwidth throttling| Throttle to limit bandwidth usage during peak hours. <br> For more information, see [Manage bandwidth schedules on your Azure Stack Edge](azure-stack-edge-gpu-manage-bandwidth-schedules.md).| |Easy ordering| Bulk ordering and tracking of the device via Azure Edge Hardware Center (Preview). <br> For more information, see [Order a device via Azure Edge Hardware Center](azure-stack-edge-gpu-deploy-prep.md#create-a-new-resource).|
+|Scale out | Devices can be deployed as a single node or a two-node cluster. For more information, see [What is clustering on Azure Stack Edge?](azure-stack-edge-gpu-clustering-overview.md).|
|Specialized network functions|Use the Marketplace experience from Azure Network Function Manager to rapidly deploy network functions such as mobile packet core, SD-WAN edge, and VPN services to an Azure Stack Edge device running in your on-premises environment. For more information, see [What is Azure Network Function Manager? (Preview)](../network-function-manager/overview.md).| <!--|ExpressRoute | Added security through ExpressRoute. Use peering configuration where traffic from local devices to the cloud storage endpoints travels over the ExpressRoute. For more information, see [ExpressRoute overview](../expressroute/expressroute-introduction.md).|-->
The Azure Stack Edge Pro GPU solution includes the Azure Stack Edge resource, Az
For more information, go to [Create an order for your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-deploy-prep.md#create-a-new-resource).
+ The devices can be deployed as a single node or a two-node cluster. For more information, see [What is clustering for Azure Stack Edge?](azure-stack-edge-gpu-clustering-overview.md) and how to [Deploy a two-node cluster](azure-stack-edge-gpu-deploy-prep.md).
+ * **Azure Stack Edge resource** ΓÇô A resource in the Azure portal that lets you manage an Azure Stack Edge Pro GPU device from a web interface that you can access from different geographical locations. Use the Azure Stack Edge resource to create and manage resources, view, and manage devices and alerts, and manage shares.
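Review bot: the link text added here, "What is clustering for Azure Stack Edge?", differs from "What is clustering on Azure Stack Edge?" used for the same target in the new "Scale out" row of the capabilities table above; use one title for both. The sentence about single-node or two-node deployment also repeats what that table row already says, so one of the two could be shortened.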
The Azure Stack Edge Pro GPU solution includes the Azure Stack Edge resource, Az
## Region availability
-Azure Stack Edge Pro GPU physical device, Azure resource, and target storage account to which you transfer data do not all have to be in the same region.
+Azure Stack Edge Pro GPU physical device, Azure resource, and target storage account to which you transfer data donΓÇÖt all have to be in the same region.
- **Resource availability** - For this release, the resource is available in East US, West EU, and South East Asia regions.
Azure Stack Edge Pro GPU physical device, Azure resource, and target storage acc
- **Destination Storage accounts** - The storage accounts that store the data are available in all Azure regions. For best performance, the regions where the storage accounts store Azure Stack Edge Pro GPU data should be close to the device location. A storage account located far from the device results in long latencies and slower performance.
-Azure Stack Edge service is a non-regional service. For more information, see [Regions and Availability Zones in Azure](../availability-zones/az-overview.md). Azure Stack Edge service does not have dependency on a specific Azure region, making it resilient to zone-wide outages and region-wide outages.
+Azure Stack Edge service is a non-regional service. For more information, see [Regions and Availability Zones in Azure](../availability-zones/az-overview.md). Azure Stack Edge service doesnΓÇÖt have dependency on a specific Azure region, making it resilient to zone-wide outages and region-wide outages.
For a discussion of considerations for choosing a region for the Azure Stack Edge service, device, and data storage, see [Choosing a region for Azure Stack Edge](azure-stack-edge-gpu-regions.md). ## Billing model
-Microsoft Azure charges a monthly, recurring subscription fee for an Azure Stack Edge device. In addition, there is a onetime fee for shipping. There is no on-premises software license for the device although guest virtual machine (VMs) may require their own licenses under Bring Your Own License (BYOL).
+The users are charged a monthly, recurring subscription fee for an Azure Stack Edge device. In addition, thereΓÇÖs a onetime fee for shipping. ThereΓÇÖs no on-premises software license for the device although guest virtual machine (VMs) may require their own licenses under Bring Your Own License (BYOL).
Currency conversion and discounts are handled centrally by the Azure Commerce billing platform, and you get one unified, itemized bill at the end of each month.
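Review bot: "The users are charged" in the rewritten billing sentence reads awkwardly and drops who does the charging; "You are charged a monthly, recurring subscription fee" (or keeping "Microsoft Azure charges") is clearer. In the same line, "onetime" should be "one-time" and "guest virtual machine (VMs)" should be "guest virtual machines (VMs)". The curly apostrophes in this hunk and the two preceding ones render as `ΓÇÖ` here; if those bytes are actually in the file, replace them with plain ASCII apostrophes.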
databox-online Azure Stack Edge Gpu Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-quickstart.md
Previously updated : 06/09/2021 Last updated : 02/15/2022 #Customer intent: As an IT admin, I need to understand how to prepare the portal to quickly deploy Azure Stack Edge so I can use it to transfer data to Azure.
Before you deploy, make sure that following prerequisites are in place:
## Deployment steps
-1. **Install**: Connect PORT 1 to a client computer via a crossover cable or USB Ethernet adapter. Connect at least one other device port for data, preferably 25 GbE, (from PORT 3 to PORT 6) to Internet via SFP+ copper cables or use PORT 2 with RJ45 patch cable. Connect the provided power cords to the Power Supply Units and to separate power distribution outlets. Press the power button on the front panel to turn on the device.
+1. **Install**: Connect PORT 1 to a client computer via an Ethernet crossover cable or USB Ethernet adapter. Connect at least one other device port for data, preferably 25 GbE, (from PORT 3 to PORT 6) to Internet via SFP+ copper cables or use PORT 2 with RJ45 patch cable. Connect the provided power cords to the Power Supply Units and to separate power distribution outlets. Press the power button on the front panel to turn on the device.
See [Cavium FastlinQ 41000 Series Interoperability Matrix](https://www.marvell.com/documents/xalflardzafh32cfvi0z/) and [Mellanox dual port 25G ConnectX-4 channel network adapter compatible products](https://docs.mellanox.com/display/ConnectX4LxFirmwarev14271016/Firmware+Compatible+Products) to get compatible network cables and switches.
Before you deploy, make sure that following prerequisites are in place:
5. **Configure compute network**: Create a virtual switch by enabling a port on your device. Enter 2 free, contiguous static IPs for Kubernetes nodes in the same network that you created the switch. Provide at least 1 static IP for IoT Edge Hub service to access compute modules and 1 static IP for each extra service or container that you want to access from outside the Kubernetes cluster.
- Kubernetes is required to deploy all containerized workloads. See more information on [Compute network settings](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#enable-compute-network).
+ Kubernetes is required to deploy all containerized workloads. See more information on [Compute network settings](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches-and-compute-ips).
6. **Configure web proxy**: If you use web proxy in your environment, enter web proxy server IP in `http://<web-proxy-server-FQDN>:<port-id>`. Set authentication to **None**. See more information on [Web proxy settings](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-web-proxy).
databox-online Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/policy-reference.md
Title: Built-in policy definitions for Azure Stack Edge description: Lists Azure Policy built-in policy definitions for Azure Stack Edge. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
databox Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/policy-reference.md
Title: Built-in policy definitions for Azure Data Box description: Lists Azure Policy built-in policy definitions for Azure Data Box. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
databox Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Box description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Box. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
ddos-protection Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/policy-reference.md
na Previously updated : 01/18/2022 Last updated : 02/15/2022
defender-for-cloud Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/policy-reference.md
Title: Built-in policy definitions for Microsoft Defender for Cloud description: Lists Azure Policy built-in policy definitions for Microsoft Defender for Cloud. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022 # Azure Policy built-in definitions for Microsoft Defender for Cloud
event-grid Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/concepts.md
Title: Azure Event Grid concepts description: Describes Azure Event Grid and its concepts. Defines several key components of Event Grid. Previously updated : 01/21/2021 Last updated : 02/16/2022 # Concepts in Azure Event Grid
event-grid Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/policy-reference.md
Title: Built-in policy definitions for Azure Event Grid description: Lists Azure Policy built-in policy definitions for Azure Event Grid. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
event-grid Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Event Grid description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Grid. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
event-hubs Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/policy-reference.md
Title: Built-in policy definitions for Azure Event Hubs description: Lists Azure Policy built-in policy definitions for Azure Event Hubs. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/18/2022 Last updated : 02/15/2022
event-hubs Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Event Hubs description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Hubs. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/19/2022 Last updated : 02/15/2022
expressroute Expressroute Howto Coexist Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-coexist-resource-manager.md
You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. Th
> [!NOTE] > While ExpressRoute circuit is preferred over Site-to-Site VPN when both routes are the same, Azure will use the longest prefix match to choose the route towards the packet's destination. >
->
![Diagram that shows a Site-to-Site VPN connection as a backup for ExpressRoute.](media/expressroute-howto-coexist-resource-manager/scenario1.jpg)
expressroute How To Configure Coexisting Gateway Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/how-to-configure-coexisting-gateway-portal.md
+
+ Title: 'Configure ExpressRoute and S2S VPN coexisting connections: Azure portal'
+description: Configure ExpressRoute and a Site-to-Site VPN connection that can coexist for the Resource Manager model using the Azure portal.
+++++ Last updated : 02/15/2022+++
+# Configure ExpressRoute and Site-to-Site coexisting connections using the Azure portal
+> [!div class="op_single_selector"]
+> * [Azure portal](how-to-configure-coexisting-gateway-portal.md)
+> * [PowerShell - Resource Manager](expressroute-howto-coexist-resource-manager.md)
+> * [PowerShell - Classic](expressroute-howto-coexist-classic.md)
+>
+
+This article helps you configure ExpressRoute and Site-to-Site VPN connections that coexist. Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute. We'll cover the steps to configure both scenarios in this article. This article applies to the Resource Manager deployment model.
+
+Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:
+
+* You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute.
+* Alternatively, you can use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute.
+
+The steps to configure both scenarios are covered in this article. You can configure either gateway first. Typically, you'll incur no downtime when adding a new gateway or gateway connection.
+
+>[!NOTE]
+>If you want to create a Site-to-Site VPN over an ExpressRoute connection, see [Site-to-site over Microsoft peering](site-to-site-vpn-over-microsoft-peering.md).
+>
+
+## Limits and limitations
+
+* **Only route-based VPN gateway is supported.** You must use a route-based [VPN gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md). You also can use a route-based VPN gateway with a VPN connection configured for 'policy-based traffic selectors' as described in [Connect to multiple policy-based VPN devices](../vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps.md).
+* **ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU**.
+* **If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515.** Azure VPN Gateway supports the BGP routing protocol. For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515. If you previously selected an ASN other than 65515 and you change the setting to 65515, you must reset the VPN gateway for the setting to take effect.
+* **The gateway subnet must be /27 or a shorter prefix**, (such as /26, /25), or you'll receive an error message when you add the ExpressRoute virtual network gateway.
+* **Coexistence in a dual-stack vnet is not supported.** If you're using ExpressRoute IPv6 support and a dual-stack ExpressRoute gateway, coexistence with VPN Gateway won't be possible.
+
+## Configuration designs
+
+### Configure a Site-to-Site VPN as a failover path for ExpressRoute
+You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This connection applies only to virtual networks linked to the Azure private peering path. There's no VPN-based failover solution for services accessible through Azure Microsoft peering. The ExpressRoute circuit is always the primary link. Data flows through the Site-to-Site VPN path only if the ExpressRoute circuit fails. To avoid asymmetrical routing, your local network configuration should also prefer the ExpressRoute circuit over the Site-to-Site VPN. You can prefer the ExpressRoute path by setting higher local preference for the routes received the ExpressRoute.
+
+>[!NOTE]
+> If you have ExpressRoute Microsoft Peering enabled, you can receive the public IP address of your Azure VPN gateway on the ExpressRoute connection. To set up your site-to-site VPN connection as a backup, you must configure your on-premises network so that the VPN connection is routed to the Internet.
+>
+
+> [!NOTE]
+> While ExpressRoute circuit is preferred over Site-to-Site VPN when both routes are the same, Azure will use the longest prefix match to choose the route towards the packet's destination.
+>
++
+### Configure a Site-to-Site VPN to connect to sites not connected through ExpressRoute
+You can configure your network where some sites connect directly to Azure over Site-to-Site VPN, and some sites connect through ExpressRoute.
++
+## Selecting the steps to use
+There are two different sets of procedures to choose from. The configuration procedure that you select depends on whether you have an existing virtual network that you want to connect to, or you want to create a new virtual network.
+
+* I don't have a VNet and need to create one.
+
+ If you donΓÇÖt already have a virtual network, this procedure walks you through creating a new virtual network using Resource Manager deployment model and creating new ExpressRoute and Site-to-Site VPN connections. To configure a virtual network, follow the steps in [To create a new virtual network and coexisting connections](#to-create-a-new-virtual-network-and-coexisting-connections).
+
+* I already have a Resource Manager deployment model VNet.
+
+ You may already have a virtual network in place with an existing Site-to-Site VPN connection or ExpressRoute connection. In this scenario if the gateway subnet prefix is /28 or longer (/29, /30, etc.), you have to delete the existing gateway. The [To configure coexisting connections for an already existing VNet](#to-configure-coexisting-connections-for-an-already-existing-vnet) section walks you through deleting the gateway, and then creating new ExpressRoute and Site-to-Site VPN connections.
+
+ If you delete and recreate your gateway, you'll have downtime for your cross-premises connections. However, your VMs and services will still be able to communicate out through the load balancer while you configure your gateway if they're configured to do so.
+
+## To create a new virtual network and coexisting connections
+
+This procedure walks you through creating a VNet and Site-to-Site and ExpressRoute connections that will coexist.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. On the top left-hand side of the screen, select **+ Create a resource** and search for *Virtual network*.
+
+1. Select **Create** to begin configuring the virtual network.
+
+ :::image type="content" source="media/how-to-configure-coexisting-gateway-portal/create-vnet.png" alt-text="Screenshot of the create a virtual network page.":::
+
+1. On the *Basics* tab, select or create a new **resource group** to store the virtual network. Then enter the **name** and select the **region** to deploy the virtual network. Select **Next: IP Addresses >** to configure the address space and subnets.
+
+ :::image type="content" source="media/how-to-configure-coexisting-gateway-portal/vnet-basics.png" alt-text="Screenshot of basics tab for creating a virtual network.":::
+
+1. On **IP Addresses** tab, configure the virtual network address space. Then define the subnets you want to create, including the gateway subnet. Select **Review + create**, then *Create** to deploy the virtual network. For more information about creating a virtual network, see [Create a virtual network](../virtual-network/manage-virtual-network.md#create-a-virtual-network). For more information about creating subnets, see [Create a subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet)
+
+ > [!IMPORTANT]
+ > The Gateway Subnet must be /27 or a shorter prefix (such as /26 or /25).
+ >
+
+ :::image type="content" source="media/how-to-configure-coexisting-gateway-portal/vnet-ip-addresses.png" alt-text="Screenshot of IP addresses tab for creating a virtual network.":::
+
+1. Create the site-to-site VPN gateway and local network gateway. For more information about the VPN gateway configuration, see [Configure a VNet with a Site-to-Site connection](../vpn-gateway/tutorial-site-to-site-portal.md#VNetGateway). The GatewaySku is only supported for *VpnGw1*, *VpnGw2*, *VpnGw3*, *Standard*, and *HighPerformance* VPN gateways. ExpressRoute-VPN Gateway coexist configurations aren't supported on the Basic SKU. The VpnType must be *RouteBased*.
+
+1. Configure your local VPN device to connect to the new Azure VPN gateway. For more information about VPN device configuration, see [VPN Device Configuration](../vpn-gateway/vpn-gateway-about-vpn-devices.md).
+
+1. If you're connecting to an existing ExpressRoute circuit, skip steps 8 & 9 and, jump to step 10. Configure ExpressRoute circuits. For more information about configuring ExpressRoute circuit, see [create an ExpressRoute circuit](expressroute-howto-circuit-arm.md).
+
+1. Configure Azure private peering over the ExpressRoute circuit. For more information about configuring Azure private peering over the ExpressRoute circuit, see [configure peering](expressroute-howto-routing-arm.md)
+
+1. Select **+ Create a resource** and search for *Virtual network gateway*. Then select **Create**.
+
+1. Select the **ExpressRoute** gateway type, the appropriate **SKU** and the virtual network to deploy the gateway to.
+
+ :::image type="content" source="media/how-to-configure-coexisting-gateway-portal/create-expressroute-gateway.png" alt-text="Screenshot of the create a virtual network gateway for ExpressRoute.":::
+
+1. Link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-premises network and Azure, through ExpressRoute, is established. For more information about the link operation, see [Link VNets to ExpressRoute](expressroute-howto-linkvnet-portal-resource-manager.md).
+
+## To configure coexisting connections for an already existing VNet
+
+If you have a virtual network that has only one virtual network gateway (let's say, Site-to-Site VPN gateway) and you want to add another gateway of a different type (let's say, ExpressRoute gateway), check the gateway subnet size. If the gateway subnet is /27 or larger, you can skip the steps below and follow the steps in the previous section to add either a Site-to-Site VPN gateway or an ExpressRoute gateway. If the gateway subnet is /28 or /29, you've to first delete the virtual network gateway and increase the gateway subnet size. The steps in this section show you how to do that.
+
+1. Delete the existing ExpressRoute or Site-to-site VPN gateway.
+
+1. Delete and recreate the GatewaySubnet to have prefix of /27 or shorter.
+
+1. [Configure a VNet with a Site-to-Site connection](../vpn-gateway/tutorial-site-to-site-portal.md#VNetGateway) and then [Configure the ExpressRoute gateway](expressroute-howto-add-gateway-portal-resource-manager.md#create-the-virtual-network-gateway).
+
+1. Once the ExpressRoute gateway is deployed, you can [link the virtual network to the ExpressRoute circuit](expressroute-howto-linkvnet-portal-resource-manager.md).
+
+## To add point-to-site configuration to the VPN gateway
+
+You can add a Point-to-Site configuration to your co-existing set by following the instruction in [Configuring Point-to-Site VPN connection using Azure certificate authentication](../vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md#addresspool)
+
+## To enable transit routing between ExpressRoute and Azure VPN
+If you want to enable connectivity between one of your local networks that is connected to ExpressRoute and another of your local network that is connected to a site-to-site VPN connection, you'll need to set up [Azure Route Server](../route-server/expressroute-vpn-support.md).
+
+## Next steps
+For more information about ExpressRoute, see the [ExpressRoute FAQ](expressroute-faqs.md).
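Review bot: the **Create** button in the IP Addresses step is written with mismatched emphasis markers (`then *Create** to deploy the virtual network`), so it will not render as bold; it should read `then **Create** to deploy the virtual network.` That sentence, the one ending `see [Create a subnet](...)`, and the private peering step also lack terminal periods. Two other points in this hunk: the step that reads `skip steps 8 & 9 and, jump to step 10` has a stray comma and relies on hard step numbers inside an auto-numbered (`1.`) list, so any later insertion silently breaks the cross-reference; naming the steps (`skip the circuit and private peering steps`) is more robust. And the subnet sizing guidance should use one wording: the IMPORTANT box and the recreate step say `/27 or a shorter prefix`, while the existing-VNet section says `/27 or larger`, which readers can take to mean a longer prefix; use the prefix wording there too, since an undersized GatewaySubnet is exactly what forces the gateway deletion and the cross-premises downtime called out at the top of the hunk.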
firewall Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/overview.md
Azure Firewall Standard has the following known issues:
|SNAT on inbound connections|In addition to DNAT, connections via the firewall public IP address (inbound) are SNATed to one of the firewall private IPs. This requirement today (also for Active/Active NVAs) to ensure symmetric routing.|To preserve the original source for HTTP/S, consider using [XFF](https://en.wikipedia.org/wiki/X-Forwarded-For) headers. For example, use a service such as [Azure Front Door](../frontdoor/front-door-http-headers-protocol.md#front-door-to-backend) or [Azure Application Gateway](../application-gateway/rewrite-http-headers-url.md) in front of the firewall. You can also add WAF as part of Azure Front Door and chain to the firewall. |SQL FQDN filtering support only in proxy mode (port 1433)|For Azure SQL Database, Azure Synapse Analytics, and Azure SQL Managed Instance:<br><br>SQL FQDN filtering is supported in proxy-mode only (port 1433).<br><br>For Azure SQL IaaS:<br><br>If you're using non-standard ports, you can specify those ports in the application rules.|For SQL in redirect mode (the default if connecting from within Azure), you can instead filter access using the SQL service tag as part of Azure Firewall network rules. |Outbound SMTP traffic on TCP port 25 is blocked|Outbound email messages that are sent directly to external domains (like `outlook.com` and `gmail.com`) on TCP port 25 are blocked by Azure Firewall. This is the default platform behavior in Azure. |Use authenticated SMTP relay services, which typically connect through TCP port 587, but also supports other ports. For more information, see [Troubleshoot outbound SMTP connectivity problems in Azure](../virtual-network/troubleshoot-outbound-smtp-connectivity.md). Currently, Azure Firewall may be able to communicate to public IPs by using outbound TCP 25, but it's not guaranteed to work, and it's not supported for all subscription types. For private IPs like virtual networks, VPNs, and Azure ExpressRoute, Azure Firewall supports an outbound connection of TCP port 25.
-|SNAT port exhaustion|Azure Firewall currently supports 1024 ports per Public IP address per backend virtual machine scale set instance. By default, there are two virtual machine scale set instances.|This is an SLB limitation and we are constantly looking for opportunities to increase the limits. In the meantime, it is recommended to configure Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion. This increases the SNAT ports available by five times. Allocate from an IP address prefix to simplify downstream permissions.|
+|SNAT port exhaustion|Azure Firewall currently supports 2496 ports per Public IP address per backend virtual machine scale set instance. By default, there are two virtual machine scale set instances. So, there are 4992 ports per flow (destination IP, destination port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances. |This is a platform limitation. You can work around the limits by configuring Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion. This increases the SNAT ports available by five times. Allocate from an IP address prefix to simplify downstream permissions. For a more permanent solution, you can deploy a NAT gateway to overcome the SNAT port limits. This approach is supported for VNET deployments. <br /><br /> For more information, see [Scale SNAT ports with Azure Virtual Network NAT](integrate-with-nat-gateway.md).|
|DNAT isn't supported with Forced Tunneling enabled|Firewalls deployed with Forced Tunneling enabled can't support inbound access from the Internet because of asymmetric routing.|This is by design because of asymmetric routing. The return path for inbound connections goes via the on-premises firewall, which hasn't seen the connection established. |Outbound Passive FTP may not work for Firewalls with multiple public IP addresses, depending on your FTP server configuration.|Passive FTP establishes different connections for control and data channels. When a Firewall with multiple public IP addresses sends data outbound, it randomly selects one of its public IP addresses for the source IP address. FTP may fail when data and control channels use different source IP addresses, depending on your FTP server configuration.|An explicit SNAT configuration is planned. In the meantime, you can configure your FTP server to accept data and control channels from different source IP addresses (see [an example for IIS](/iis/configuration/system.applicationhost/sites/sitedefaults/ftpserver/security/datachannelsecurity)). Alternatively, consider using a single IP address in this situation.| |Inbound Passive FTP may not work depending on your FTP server configuration |Passive FTP establishes different connections for control and data channels. Inbound connections on Azure Firewall are SNATed to one of the firewall private IP addresses to ensure symmetric routing. FTP may fail when data and control channels use different source IP addresses, depending on your FTP server configuration.|Preserving the original source IP address is being investigated. In the meantime, you can configure your FTP server to accept data and control channels from different source IP addresses.|
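Review bot: the new SNAT port exhaustion row has an unbalanced parenthesis: `per flow (destination IP, destination port and protocol (TCP or UDP).` opens two and closes one; it should end `(TCP or UDP)).` so the flow key is unambiguously the destination tuple. The figures are internally consistent (2496 ports per public IP per instance, two default instances, 4992 per flow), but because the same row says the firewall scales to 20 instances it would help to state whether the per-public-IP allocation grows with instance count or the five-public-IP / NAT gateway workaround is still needed at scale; operators use this row to decide whether outbound flows will silently fail under load. Minor: `VNET` should be `VNet` to match the rest of the doc set.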
firewall Premium Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/premium-features.md
Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, such as the payment and healthcare industries.
-Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.
+Organizations can use Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.
:::image type="content" source="media/premium-features/premium-overview.png" alt-text="Azure Firewall Premium overview diagram":::
Azure Firewall Premium includes the following features:
## TLS inspection
-Azure Firewall Premium terminates outbound and east-west TLS connections. Inbound TLS inspection is supported with [Azure Application Gateway](../web-application-firewall/ag/ag-overview.md) allowing end-to-end encryption. Azure Firewall does the required value-added security functions and re-encrypts the traffic that is sent to the original destination.
+The TLS (Transport Layer Security) protocol primarily provides cryptography for privacy, integrity, and authenticity using certificates between two or more communicating applications. It runs in the application layer and is widely used to encrypt the HTTP protocol.
+
+Encrypted traffic has a possible security risk and can hide illegal user activity and malicious traffic. Azure Firewall Premium terminates and inspects TLS connections to detect, alert, and mitigate malicious activity in HTTPS.
+
+The following three use cases are supported:
+- Outbound TLS Inspection: To protect against malicious traffic that is sent from an internal client hosted in Azure to the Internet.
+- East-West TLS Inspection: To protect your Azure workloads from potential malicious traffic sent from within Azure.
+- Inbound TLS Inspection: To protect internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network. Inbound TLS inspection is supported with [Azure Application Gateway](../web-application-firewall/ag/ag-overview.md), which provides end-to-end encryption.
+ > [!TIP] > TLS 1.0 and 1.1 are being deprecated and wonΓÇÖt be supported. TLS 1.0 and 1.1 versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable, and while they still currently work to allow backwards compatibility, they aren't recommended. Migrate to TLS 1.2 as soon as possible.
To learn more about Azure Firewall Premium Intermediate CA certificate requireme
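Review bot: the TIP callout after the TLS use-case list is collapsed onto one line (`> [!TIP] > TLS 1.0 and 1.1 are being deprecated...`), so the `[!TIP]` marker and its body will not render as a callout; put the body on its own `>` line and leave a blank line between the last bullet and the callout. The same line carries mojibake (`wonΓÇÖt`); use a plain apostrophe. In the paragraph above the list, `Encrypted traffic has a possible security risk and can hide illegal user activity and malicious traffic` is vague; the risk being described is that content inside a TLS session is invisible to the firewall's signature and category checks unless the session is terminated and inspected, so say that directly (for example: `Without inspection, malicious content inside TLS sessions passes the firewall unseen`). The removed sentence about Azure Firewall re-encrypting traffic before forwarding it to the original destination is worth keeping in the new text, since it answers the obvious question of whether the hop after the firewall is still encrypted.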
A network intrusion detection and prevention system (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it.
-Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 4-7), they are fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic.
+Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 4-7), they're fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic.
The Azure Firewall signatures/rulesets include: - An emphasis on fingerprinting actual malware, Command and Control, exploit kits, and in the wild malicious activity missed by traditional prevention methods.
IDPS signature rules allow you to:
- Get a holistic view of the entire 55,000 signatures - Smart search
- Allows you to search through the entire signatures database by any type of attribute. For example, you can search for specific CVE-ID to discovered what signatures are taking care of this CVE by simply typing the ID in the search bar.
+ Allows you to search through the entire signatures database by any type of attribute. For example, you can search for specific CVE-ID to discovered what signatures are taking care of this CVE by typing the ID in the search bar.
IDPS signature rules have the following properties:
IDPS signature rules have the following properties:
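Review bot: the retained sentence `The IDPS signatures are applicable for both application and network level traffic (Layers 4-7), they're fully managed, and continuously updated` is a comma splice; rewrite as `The IDPS signatures apply to both application and network level traffic (Layers 4-7), are fully managed, and are continuously updated.` In the Smart search bullet, `you can search for specific CVE-ID to discovered what signatures are taking care of this CVE` should read `you can search for a specific CVE-ID to discover which signatures cover that CVE`. Also, `IDPS signature rules have the following properties:` appears twice in a row before the table; if that is not an artifact of the diff context, drop one copy.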
|Column |Description | ||| |Signature ID |Internal ID for each signature. This ID is also presented in Azure Firewall Network Rules logs.|
-|Mode |Indicates if the signature is active or not, and whether firewall will drop or alert upon matched traffic. The below signature mode can override IDPS mode<br>- **Disabled**: The signature is not enabled on your firewall.<br>- **Alert**: You will receive alerts when suspicious traffic is detected.<br>- **Alert and Deny**: You will receive alerts and suspicious traffic will be blocked. Few signature categories are defined as ΓÇ£Alert OnlyΓÇ¥, therefore by default, traffic matching their signatures will not be blocked even though IDPS mode is set to ΓÇ£Alert and DenyΓÇ¥. Customers may override this by customizing these specific signatures to ΓÇ£Alert and DenyΓÇ¥ mode. <br><br> Note: IDPS alerts are available in the portal via network rule log query.|
-|Severity |Each signature has an associated severity level that indicates the probability that the signature is an actual attack.<br>- **Low**: An abnormal event is one that does not normally occur on a network or Informational events are logged. Probability of attack is low.<br>- **Medium**: The signature indicates an attack of a suspicious nature. The administrator should investigate further.<br>- **High**: The attack signatures indicate that an attack of a severe nature is being launched. There is very little probability that the packets have a legitimate purpose.|
+|Mode |Indicates if the signature is active or not, and whether firewall will drop or alert upon matched traffic. The below signature mode can override IDPS mode<br>- **Disabled**: The signature isn't enabled on your firewall.<br>- **Alert**: You'll receive alerts when suspicious traffic is detected.<br>- **Alert and Deny**: You'll receive alerts and suspicious traffic will be blocked. Few signature categories are defined as ΓÇ£Alert OnlyΓÇ¥, therefore by default, traffic matching their signatures won't be blocked even though IDPS mode is set to ΓÇ£Alert and DenyΓÇ¥. Customers may override this by customizing these specific signatures to ΓÇ£Alert and DenyΓÇ¥ mode. <br><br> Note: IDPS alerts are available in the portal via network rule log query.|
+|Severity |Each signature has an associated severity level that indicates the probability that the signature is an actual attack.<br>- **Low**: An abnormal event is one that doesn't normally occur on a network or Informational events are logged. Probability of attack is low.<br>- **Medium**: The signature indicates an attack of a suspicious nature. The administrator should investigate further.<br>- **High**: The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.|
|Direction |The traffic direction for which the signature is applied.<br>- **Inbound**: Signature is applied only on traffic arriving from the Internet and destined in Azure private IP range (according to IANA RFC 1918).<br>- **Outbound**: Signature is applied only on traffic sent from Azure private IP range (according to IANA RFC 1918) to the Internet.<br>- **Bidirectional**: Signature is always applied on any traffic direction.| |Group |The group name that the signature belongs to.| |Description |Structured from the following three parts:<br>- **Category name**: The category name that the signature belongs to as described in [Azure Firewall IDPS signature rule categories](idps-signature-categories.md).<br>- High level description of the signature<br>- **CVE-ID** (optional) in the case where the signature is associated with a specific CVE. The ID is listed here.|
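Review bot: the Mode row still reads `whether firewall will drop or alert` and `The below signature mode can override IDPS mode`; suggest `whether the firewall drops or alerts on matched traffic. The per-signature mode overrides the policy-wide IDPS mode:`. `Few signature categories are defined as` should be `A few signature categories are defined as`, and the quotes around `Alert Only` and `Alert and Deny` are mojibake (`ΓÇ£ ... ΓÇ¥`); use straight quotes. The Alert-Only behavior is the security-relevant point of this row, because a policy set to Alert and Deny still passes traffic matching those categories unless each signature is individually overridden; it deserves its own sentence at the front of the cell rather than being buried after the mode list. In the Severity row, `An abnormal event is one that doesn't normally occur on a network or Informational events are logged` is garbled; suggest `Low: informational events or abnormal but benign activity on the network; probability of attack is low.`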
For example, if Azure Firewall intercepts an HTTPS request for `www.google.com/n
The categories are organized based on severity under **Liability**, **High-Bandwidth**, **Business Use**, **Productivity Loss**, **General Surfing**, and **Uncategorized**. For a detailed description of the web categories, see [Azure Firewall web categories](web-categories.md). ### Web category logging
-You can view traffic that has been filtered by **Web categories** in the Application logs. **Web categories** field is only displayed if it has been explicitly configured in your firewall policy application rules. For example, if you do not have a rule that explicitly denies *Search Engines*, and a user requests to go to www.bing.com, only a default deny message is displayed as opposed to a Web categories message. This is because the web category was not explicitly configured.
+You can view traffic that has been filtered by **Web categories** in the Application logs. **Web categories** field is only displayed if it has been explicitly configured in your firewall policy application rules. For example, if you don't have a rule that explicitly denies *Search Engines*, and a user requests to go to www.bing.com, only a default deny message is displayed as opposed to a Web categories message. This is because the web category wasn't explicitly configured.
### Category exceptions
You can create exceptions to your web category rules. Create a separate allow or
### Web category search
-You can identify what category a given FQDN or URL is by using the **Web Category Check** feature. To use this, select the **Web Categories** tab under **Firewall Policy Settings**. This is particularly useful when defining your application rules for destination traffic.
+You can identify what category a given FQDN or URL is by using the **Web Category Check** feature. To use this, select the **Web Categories** tab under **Firewall Policy Settings**. This is useful when defining your application rules for destination traffic.
:::image type="content" source="media/premium-features/firewall-category-search.png" alt-text="Firewall category search dialog":::
Under the **Web Categories** tab in **Firewall Policy Settings**, you can reques
- have a suggested category for an uncategorized FQDN or URL
- Once you submit a category change report, you will be given a token in the notifications that indicate that we have received the request for processing. You can check whether the request is in progress, denied, or approved by entering the token in the search bar. Be sure to save your token ID to do so.
+ Once you submit a category change report, you'll be given a token in the notifications that indicate that we've received the request for processing. You can check whether the request is in progress, denied, or approved by entering the token in the search bar. Be sure to save your token ID to do so.
:::image type="content" source="media/premium-features/firewall-category-change.png" alt-text="Firewall category report dialog":::
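Review bot: `**Web categories** field is only displayed` needs an article (`The **Web categories** field`), and in the category change paragraph `a token in the notifications that indicate that we've received the request` should be `that indicates`. The www.bing.com example is the useful part of this hunk: when no application rule names the category, the log shows only a default deny with no category, so an operator reading logs cannot distinguish category-based blocks from default-deny; consider stating explicitly that a web category is only evaluated and logged when an application rule references it.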
firewall Tutorial Hybrid Portal Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/tutorial-hybrid-portal-policy.md
If you want to use Azure PowerShell instead to complete this procedure, see [Dep
## Prerequisites
-A hybrid network uses the hub-and-spoke architecture model to route traffic between Azure VNets and on-premise networks. The hub-and-spoke architecture has the following requirements:
+A hybrid network uses the hub-and-spoke architecture model to route traffic between Azure VNets and on-premises networks. The hub-and-spoke architecture has the following requirements:
- Set **Use this virtual network's gateway or Route Server** when peering VNet-Hub to VNet-Spoke. In a hub-and-spoke network architecture, a gateway transit allows the spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network.
You can keep your firewall resources for the next tutorial, or if no longer need
## Next steps > [!div class="nextstepaction"]
-> [Deploy and configure Azure Firewall Premium](premium-deploy.md)
+> [Deploy and configure Azure Firewall Premium](premium-deploy.md)
frontdoor Front Door Quickstart Template Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-quickstart-template-samples.md
na Previously updated : 11/01/2021 Last updated : 02/16/2022 # Azure Resource Manager deployment model templates for Front Door
The following table includes links to Azure Resource Manager deployment model te
| Sample | Description | |-|-|
-| [Front Door (quick create)](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium/) | Creates a basic Front Door profile including an endpoint, origin group, origin, and route. |
-| [Rule set](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-rule-set/) | Creates a Front Door profile and rule set. |
-| [WAF policy with managed rule set](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-premium-waf-managed/) | Creates a Front Door profile and WAF with managed rule set. |
-| [WAF policy with custom rule](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-waf-custom/) | Creates a Front Door profile and WAF with custom rule. |
-| [WAF policy with rate limit](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-rate-limit/) | Creates a Front Door profile and WAF with a custom rule to perform rate limiting. |
-| [WAF policy with geo-filtering](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-geo-filtering/) | Creates a Front Door profile and WAF with a custom rule to perform geo-filtering. |
+| [Front Door (quick create)](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium/) | Creates a basic Front Door profile including an endpoint, origin group, origin, and route. |
+| [Rule set](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-rule-set/) | Creates a Front Door profile and rule set. |
+| [WAF policy with managed rule set](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-premium-waf-managed/) | Creates a Front Door profile and WAF with managed rule set. |
+| [WAF policy with custom rule](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-waf-custom/) | Creates a Front Door profile and WAF with custom rule. |
+| [WAF policy with rate limit](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-rate-limit/) | Creates a Front Door profile and WAF with a custom rule to perform rate limiting. |
+| [WAF policy with geo-filtering](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-geo-filtering/) | Creates a Front Door profile and WAF with a custom rule to perform geo-filtering. |
|**App Service origins**| **Description** |
-| [App Service](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-app-service-public) | Creates an App Service app with a public endpoint, and a Front Door profile. |
-| [App Service with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-premium-app-service-private-link) | Creates an App Service app with a private endpoint, and a Front Door profile. |
+| [App Service](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-app-service-public) | Creates an App Service app with a public endpoint, and a Front Door profile. |
+| [App Service with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-premium-app-service-private-link) | Creates an App Service app with a private endpoint, and a Front Door profile. |
|**Azure Functions origins**| **Description** |
-| [Azure Functions](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-function-public/) | Creates an Azure Functions app with a public endpoint, and a Front Door profile. |
-| [Azure Functions with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-premium-function-private-link) | Creates an Azure Functions app with a private endpoint, and a Front Door profile. |
+| [Azure Functions](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-function-public/) | Creates an Azure Functions app with a public endpoint, and a Front Door profile. |
+| [Azure Functions with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-premium-function-private-link) | Creates an Azure Functions app with a private endpoint, and a Front Door profile. |
|**API Management origins**| **Description** |
-| [API Management (external)](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-api-management-external) | Creates an API Management instance with external VNet integration, and a Front Door profile. |
+| [API Management (external)](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-api-management-external) | Creates an API Management instance with external VNet integration, and a Front Door profile. |
|**Storage origins**| **Description** |
-| [Storage static website](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-storage-static-website) | Creates an Azure Storage account and static website with a public endpoint, and a Front Door profile. |
-| [Storage blobs with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-premium-storage-blobs-private-link) | Creates an Azure Storage account and blob container with a private endpoint, and a Front Door profile. |
+| [Storage static website](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-storage-static-website) | Creates an Azure Storage account and static website with a public endpoint, and a Front Door profile. |
+| [Storage blobs with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-premium-storage-blobs-private-link) | Creates an Azure Storage account and blob container with a private endpoint, and a Front Door profile. |
|**Application Gateway origins**| **Description** |
-| [Application Gateway](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-standard-premium-application-gateway-public) | Creates an Application Gateway, and a Front Door profile. |
+| [Application Gateway](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-application-gateway-public) | Creates an Application Gateway, and a Front Door profile. |
|**Virtual machine origins**| **Description** |
-| [Virtual machine with Private Link service](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-premium-vm-private-link) | Creates a virtual machine and Private Link service, and a Front Door profile. |
+| [Virtual machine with Private Link service](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-premium-vm-private-link) | Creates a virtual machine and Private Link service, and a Front Door profile. |
| | | ## Next steps
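Review bot: the updated template paths are inconsistent about trailing slashes (`.../front-door-standard-premium/` versus `.../front-door-standard-premium-app-service-public`); pick one form across the table so the links are uniform. Since every link moved from `microsoft.network` to `microsoft.cdn`, a link check against the new tree would confirm that none of the renamed directories return 404.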
governance Policy For Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/concepts/policy-for-kubernetes.md
For more information about troubleshooting the Add-on for Kubernetes, see the
of the Azure Policy troubleshooting article. For Azure Policy extension for Arc extension related issues, please see:-- [Azure Arc enabled Kubernetes troubleshooting](../../../azure-arc/kubernetes/troubleshooting.md#azure-arc-enabled-kubernetes-troubleshooting)
+- [Azure Arc enabled Kubernetes troubleshooting](../../../azure-arc/kubernetes/troubleshooting.md)
For Azure Policy related issues, please see: - [Inspect Azure Policy logs](#logging)
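Review bot: the anchor `#azure-arc-enabled-kubernetes-troubleshooting` is dropped from the Azure Arc troubleshooting link; if the target page no longer has that heading the change is right, otherwise the deep link was more useful to readers than the page top and should be kept.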
governance Australia Ism https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/australia-ism.md
Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/19/2022 Last updated : 02/15/2022
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
-|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
-|[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
+|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-factor authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-factor authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+|[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-factor authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
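Review bot: the only change in these three rows is the casing of "Multi-factor authentication" in the description column, but the display name of the first row, "MFA should be enabled accounts with write permissions on your subscription", is missing "on" before "accounts" on both the removed and the added line. If this table mirrors the displayName of the linked `ASC_EnableMFAForWritePermissions_Audit.json` definition, fix the typo in that definition rather than by hand here, otherwise the next regeneration of the table brings it back.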
### User identification - 415
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | ### Suspension of access to systems - 430
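Review bot: the two "Add system-assigned managed identity" rows jump from version 1.1.0 to 3.0.0 and the "Audit Windows machines that have the specified members in the Administrators group" row from 1.0.0 to 2.0.0, yet the only other edit in the rows is "do not" becoming "don't"; a major-version bump on a built-in policy normally signals a behavioural change (effect, parameters or evaluation logic), so confirm that the descriptions and the `modify` / `auditIfNotExists` effect columns still match the updated definitions at the linked JSON paths, which are unchanged here. The same three rows with the same version bumps are repeated under controls 430, 1503 and 1508 below, so whatever is confirmed for this hunk applies to those copies as well.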
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | ### Standard access to systems - 1503
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | ### Privileged access to systems - 1508
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Windows machines should meet requirements for 'Security Settings - Account Policies'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff2143251-70de-4e81-87a8-36cee5a2f29d) |Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json) |
+|[Windows machines should meet requirements for 'Security Settings - Account Policies'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff2143251-70de-4e81-87a8-36cee5a2f29d) |Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json) |
### Multi-factor authentication - 1173
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
-|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |
-|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
+|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |
+|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
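Review bot: the `+` rows for "Audit Linux machines that allow remote connections from accounts without passwords" and "Audit Linux machines that have accounts without passwords" carry an ungrammatical sentence over unchanged from the `-` rows: "Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords" has no main verb, and the second row has the same shape. Since the only change in these rows is the version (1.2.0 to 2.0.0), fix the description where the table is generated from, the policy definition JSON, so it reads "Machines are non-compliant if they allow remote connections from accounts without passwords" and "Machines are non-compliant if they have accounts without passwords".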
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
|[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) |Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) |
|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
+|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
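Review bot: the last `+` row inserts a comma that changes the meaning of the description. "Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled" now reads as a non-restrictive clause (audit all servers, none of which have scans enabled), whereas the `-` row's "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled" restricts the audit to the servers lacking scans, which is what the policy does. Drop the comma and use a restrictive relative: "Audit Azure SQL servers that don't have recurring vulnerability assessment scans enabled." The version stays at 2.0.0 in this row, so a wording-only change must not alter the stated scope.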
### When to patch security vulnerabilities - 1144
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers, which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | |[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) |Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) |
-|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
+|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance, which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
+|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
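Review bot: The comma inserted before "which" in the "Vulnerabilities in security configuration on your machines should be remediated" row changes the meaning: "Servers, which don't satisfy the configured baseline will be monitored…" now reads as a statement about all servers, and the clause is never closed. The same problem applies to the "SQL Managed Instance, which doesn't" and "Azure SQL servers, which don't" rows in this hunk. Use "that" without a comma in all three, for example "Servers that don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations." (and add the missing final period while touching that row).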
### When to patch security vulnerabilities - 1472
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers, which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | |[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) |Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) |
-|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
+|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance, which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
+|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
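Review bot: Same restrictive-versus-non-restrictive problem as in the 1144 section: the commas added before "which" in the "Servers, which don't satisfy…", "SQL Managed Instance, which doesn't…" and "Azure SQL servers, which don't…" descriptions make each clause read as an aside about all servers or instances rather than a filter. Since identical descriptions appear under several controls, settle the wording once and apply the same text in every section; "that" with no comma is the safe choice.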
### When to patch security vulnerabilities - 1494
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | |[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) |Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) | |[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
+|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
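Review bot: This hunk treats the same construction two ways: "Servers which don't satisfy the configured baseline" keeps no comma, while "Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled" gains one, and that comma makes the SQL sentence read as though all Azure SQL servers lack recurring scans. Drop the comma (or use "that") in the SQL row so the clause stays restrictive and both rows follow one style; the 1144 and 1472 sections above add the comma to the "Servers" row as well, so the tables are now inconsistent with each other.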
### When to patch security vulnerabilities - 1495
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | |[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) |Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) | |[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
+|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
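Review bot: As in the 1494 section, the "Servers which don't satisfy" row is left without a comma while "Audit Azure SQL servers, which don't have…" gets one; the comma changes the SQL description from a filter into a claim about every server. Keep the clause restrictive ("Azure SQL servers that don't have…") and use identical wording in every control section that repeats this row.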
### When to patch security vulnerabilities - 1496
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | |[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) |Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) | |[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
+|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
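Review bot: the comma added in the `+` row for "Vulnerability assessment should be enabled on your SQL servers" turns a restrictive clause into a non-restrictive one, so "Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled" now reads as if every SQL server is audited and, as an aside, none of them has scans enabled. The intended meaning is the one in the `-` row: only servers lacking recurring scans are flagged. Suggest "Audit Azure SQL servers that don't have recurring vulnerability assessment scans enabled." The neighbouring SQL Managed Instance row already uses the restrictive form ("Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled"), so the two rows would then read consistently. If this table is generated from each definition's description field, the fix belongs in VulnerabilityAssessmentOnServer_Audit.json rather than in this Markdown, otherwise the next regeneration will bring the comma back.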
## Guidelines for System Management - Data backup and restoration
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](../../../site-recovery/index.yml). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |
+|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which don't have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](../../../site-recovery/index.yml). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |
## Guidelines for System Monitoring - Event logging and auditing
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | |[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
-|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
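Review bot: the two "Add system-assigned managed identity..." rows jump from 1.1.0 to 3.0.0 and the "Windows web servers should be configured to use secure communication protocols" row from 3.0.0 to 4.0.0, yet apart from "do not" becoming "don't" the descriptions are byte-identical, so a reader of this compliance mapping gets no hint of what changed. Under the built-in policy versioning convention a major increment signals a breaking change (rule logic, parameters or default effect), and the first two are `modify` definitions that attach an identity to virtual machines, so a silent major bump (skipping 2.x entirely) is exactly the kind of change an assignment owner would want called out. Suggest checking the linked GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json, GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json and GuestConfiguration_SecureWebProtocol_AINE.json for what moved and, if parameters or effects changed, reflecting that in the description text. The same three rows recur with the same bumps under "Protecting database server contents - 1425" below, so whatever wording lands here needs to land there too.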
### Protecting database server contents - 1425
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[Latest TLS version should be used in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) |Upgrade to the latest TLS version |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json) | |[Latest TLS version should be used in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) | |[Latest TLS version should be used in your Web 
App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
-|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
## Guidelines for Gateways - Content filtering
governance Azure Security Benchmark https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmark.md
Title: Regulatory Compliance details for Azure Security Benchmark description: Details of the Azure Security Benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/19/2022 Last updated : 02/15/2022
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
+|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) | |[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) | |[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
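Review bot: in the "Authentication to Linux machines should require SSH keys" row the only change is the version (2.2.0 to 3.0.0) and the effect column still lists only AuditIfNotExists and Disabled, so assigning this definition reports Linux VMs that still accept SSH password logins but does not turn password authentication off or block new VMs that allow it; the brute-force exposure the description warns about is detected, not prevented. That is fine for a benchmark mapping, but the description should not be read as enforcement. If the 3.0.0 bump changed how the Guest Configuration check detects password authentication, one sentence in the description would save readers a trip to GuestConfiguration_LinuxNoPasswordForSSH_AINE.json. Minor: the row title in the adjacent context, "MFA should be enabled accounts with write permissions on your subscription", is missing "on" before "accounts"; the owner and read rows beside it have it.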
initiative definition.
|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | |[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
-|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Enable data at rest encryption by default
initiative definition.
|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |
-|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
+|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
### Enable threat detection for identity and access management
initiative definition.
|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |
-|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
+|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
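Review bot: this is the same Exploit Guard 1.1.1 to 2.0.0 bump as in the table just above, which is expected because the row is listed under two controls, but note that every visible row under the heading "Enable threat detection for identity and access management" is a Defender for SQL, Defender for Storage, Defender for Containers or Exploit Guard policy, none of which concerns identity or access management; it is worth checking that the control-to-policy mapping that generates this section is the intended one rather than a copy of the previous control's list.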
### Enable logging for security investigation
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
-|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
+|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) | |[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) | |[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
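Review bot: the App Services resource-logs row moves from 1.0.0 to 2.0.0 with no change to its description ("Audit enabling of resource logs on the app..."); a major bump implies the rule or parameters changed, so confirm whether the upstream AppService_ResourceLoggingMonitoring_Audit.json description should be regenerated as well. A smaller point in the unchanged rows beneath it: the Data Lake Store, Stream Analytics and Batch descriptions all carry a stray semicolon ("investigation purposes; when a security incident occurs") that should read "purposes when a security incident occurs", but that fix belongs in those definitions' metadata rather than in this table.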
initiative definition.
|[Linux machines should have Log Analytics agent installed on Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e7fed80-8321-4605-b42c-65fc300f23a3) |Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxLogAnalyticsAgentInstalled_AINE.json) | |[Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4fe33eb-e377-4efb-ab31-0784311bc499) |This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) | |[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) |
-|[Windows machines should have Log Analytics agent installed on Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4078e558-bda6-41fb-9b3c-361e8875200d) |Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentInstalled_AINE.json) |
+|[Windows machines should have Log Analytics agent installed on Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4078e558-bda6-41fb-9b3c-361e8875200d) |Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentInstalled_AINE.json) |
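Review bot: in the updated Windows Log Analytics agent row (1.0.0 to 2.0.0) the description still reads "Azure Arc enabled windows server" with a lowercase "windows", whereas the Linux row above says "Azure Arc enabled Linux server"; since the table is generated from definition metadata, the capitalization fix belongs in GuestConfiguration_WindowsLogAnalyticsAgentInstalled_AINE.json, and the 2.0.0 bump would have been the natural place to land it.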
### Configure log storage retention
initiative definition.
|[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) | |[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). 
|audit, deny, disabled |[7.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | |[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) |
-|[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) |
+|[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) |
|[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). 
|audit, deny, disabled |[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | |[Kubernetes cluster services should listen only on allowed ports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F233a2a17-77ca-4fb1-9b6b-69223d272a44) |Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[6.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json) | |[Kubernetes cluster should not allow privileged containers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). 
|audit, deny, disabled |[7.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) | |[Kubernetes clusters should disable automounting API credentials](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F423dd1ba-798e-40e4-9c4d-b6902674b423) |Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json) | |[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) |
-|[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[3.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) |
+|[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) |
|[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[2.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) | |[Remote debugging should be turned off for API Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9c8d085-d9cc-4b17-9cdc-059f1f01f19e) |Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json) | |[Remote debugging should be turned off for Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
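Review bot: the two changed rows here carry different version semantics: the hostPath row is a patch bump (4.0.2 to 4.0.3), consistent with its unchanged description, but the CAP_SYS_ADMIN row is a minor bump (3.0.2 to 3.1.0), which in Azure Policy versioning indicates a change to the rule logic, so confirm that "restrict CAP_SYS_ADMIN Linux capabilities" still describes what the 3.1.0 rule checks. A style point in the same region: "Kubernetes Cluster" is capitalized in the hostPath and user/group ID descriptions but "Kubernetes cluster" everywhere else in the table.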
initiative definition.
|[\[Preview\]: Secure Boot should be enabled on supported Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F97566dd7-78ae-4997-8b36-1c7bfe0d8121) |Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines. |Audit, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableWindowsSB_Audit.json) | |[\[Preview\]: vTPM should be enabled on supported virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c30f9cd-b84c-49cc-aa2c-9288447cc3b3) |Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. |Audit, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableVTPM_Audit.json) | |[Guest Configuration extension should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae89ebca-1c92-4898-ac2c-9f63decb045c) |To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. 
Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) |
-|[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[1.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json) |
+|[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json) |
|[Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd26f7642-7545-4e18-9b75-8c9bbdee3a9a) |The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at [https://aka.ms/gcpol](../concepts/guest-configuration.md) |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json) |
-|[Windows machines should meet requirements of the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72650e9f-97bc-4b2a-ab5f-9781a9fcecbc) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureWindowsBaseline_AINE.json) |
+|[Windows machines should meet requirements of the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72650e9f-97bc-4b2a-ab5f-9781a9fcecbc) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureWindowsBaseline_AINE.json) |
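Review bot: both compute security baseline rows now read 2.0.0 (Linux from 1.3.0, Windows from 1.0.1) with identical descriptions, which is fine, but their display names are inconsistent: "requirements for the Azure compute security baseline" (Linux) versus "requirements of the Azure compute security baseline" (Windows). Aligning the wording would have been a natural part of a major bump of both definitions; as these are generated rows, the change belongs in the source definitions' displayName.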
### Perform vulnerability assessments
initiative definition.
|[Ensure that 'Java version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) | |[Ensure that 'Java version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F496223c3-ad65-4ecd-878a-bae78737e9ed) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) | |[Ensure that 'PHP version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json) |
-|[Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) |
+|[Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) |
|[Ensure that 'Python version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F74c3584d-afae-46f7-a20a-6f8adba71a16) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json) | |[Ensure that 'Python version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) | |[Ensure that 'Python version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) |
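Review bot: the name on the changed PHP row, 'Ensure that 'PHP version' is the latest, if used as a part of the WEB app', capitalizes 'WEB app' in both the removed and the added line, while the neighbouring Java and Python rows write 'Web app'; since the name column links to the AppService_Webapp_Audit_PHP_Latest.json definition, the inconsistency should be fixed in that definition's display name rather than patched in this table, otherwise the next regeneration will reintroduce it. The description and effect are unchanged between the 2.1.0 and 2.2.0 lines, so there is nothing else in this row to verify here.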
initiative definition.
|[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) | |[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
-|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
+|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
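Review bot: the 'Windows Defender Exploit Guard should be enabled on your machines' row moves from 1.1.1 to 2.0.0 with the description and the effect column ('AuditIfNotExists, Disabled') left word for word unchanged, so nothing in this table tells a reader what the major version changed. Consider adding a short note on what differs in the new definition (parameters, rule logic) or pointing explicitly at the linked GuestConfiguration_WindowsDefenderExploitGuard_AINE.json, so that owners of existing assignments can assess the update before moving to the new version.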
### Ensure anti-malware software and signatures are updated
governance Azure Security Benchmarkv1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmarkv1.md
Title: Regulatory Compliance details for Azure Security Benchmark v1 description: Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/19/2022 Last updated : 02/15/2022
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Windows machines should meet requirements for 'Administrative Templates - Network'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67e010c1-640d-438e-a3a5-feaccb533a98) |Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministrativeTemplatesNetwork_AINE.json) |
-|[Windows machines should meet requirements for 'Security Options - Microsoft Network Server'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcaf2d518-f029-4f6b-833b-d7081702f253) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json) |
-|[Windows machines should meet requirements for 'Security Options - Network Access'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json) |
-|[Windows machines should meet requirements for 'Security Options - Network Security'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1221c620-d201-468c-81e7-2817e6107e84) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json) |
+|[Windows machines should meet requirements for 'Administrative Templates - Network'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67e010c1-640d-438e-a3a5-feaccb533a98) |Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministrativeTemplatesNetwork_AINE.json) |
+|[Windows machines should meet requirements for 'Security Options - Microsoft Network Server'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcaf2d518-f029-4f6b-833b-d7081702f253) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json) |
+|[Windows machines should meet requirements for 'Security Options - Network Access'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json) |
+|[Windows machines should meet requirements for 'Security Options - Network Security'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1221c620-d201-468c-81e7-2817e6107e84) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json) |
### Monitor and log the configuration and traffic of Vnets, Subnets, and NICs
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit Windows machines on which the Log Analytics agent is not connected as expected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6265018c-d7e2-432f-a75d-094d5f6f4465) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json) |
+|[Audit Windows machines on which the Log Analytics agent is not connected as expected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6265018c-d7e2-432f-a75d-094d5f6f4465) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json) |
|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) | |[Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a4e592a-6a6e-44a5-9814-e36264ca96e7) |This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json) | |[Azure Monitor should collect activity logs from all regions](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F41388f1c-2db0-4c25-95b2-35d7f5ccbfa9) |This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json) |
initiative definition.
||||| |[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) | |[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
-|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
+|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) | |[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) | |[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit Windows machines on which the Log Analytics agent is not connected as expected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6265018c-d7e2-432f-a75d-094d5f6f4465) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json) |
+|[Audit Windows machines on which the Log Analytics agent is not connected as expected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6265018c-d7e2-432f-a75d-094d5f6f4465) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json) |
|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) | |[The Log Analytics extension should be installed on Virtual Machine Scale Sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) |This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) | |[Virtual machines should have the Log Analytics extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa70ca396-0a34-413a-88e1-b956c1e683be) |This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
-|[Audit Windows machines that have extra accounts in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d2a3320-2a72-4c67-ac5f-caa40fbee2b2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
+|[Audit Windows machines that have extra accounts in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d2a3320-2a72-4c67-ac5f-caa40fbee2b2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json) |
+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) | ### Use multi-factor authentication for all Azure Active Directory based access
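Review bot: the three Administrators-group rows move from 1.0.0 to 2.0.0, a major version bump, while their Description and Effect(s) columns are byte-for-byte unchanged, so a reader cannot tell what changed in the definition; if 2.0.0 altered the parameters (the member lists the descriptions refer to) or the supported effects, the row should say so, and if the change lives only in the linked GuestConfiguration_*_AINE.json files, the bump is worth confirming against them before the table is regenerated. Style point on the same rows: the effect is rendered as lowercase `auditIfNotExists` with no `Disabled` option, whereas the Security Center rows in this table show `AuditIfNotExists, Disabled`; the generator should emit consistent casing, and if the new version added a `Disabled` effect the Effect(s) column needs updating.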
initiative definition.
|[Ensure that 'Java version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) | |[Ensure that 'Java version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F496223c3-ad65-4ecd-878a-bae78737e9ed) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) | |[Ensure that 'PHP version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. 
Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json) |
-|[Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) |
+|[Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) |
|[Ensure that 'Python version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F74c3584d-afae-46f7-a20a-6f8adba71a16) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json) | |[Ensure that 'Python version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) | |[Ensure that 'Python version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) |
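Review bot: only the WEB app PHP row is bumped (2.1.0 to 2.2.0) while the sibling API app PHP row stays at 2.1.0 and the description text of both rows is identical, so nothing in the table tells the reader what 2.2.0 changed; the Description column should state which PHP versions now count as "latest", or the commit should confirm that the API app definition does not need the same bump. Style point: the Function app rows for Java and Python and the API app rows for PHP and Python all end with "Currently, this policy only applies to Linux web apps", which reads as copied from the Web app row; "Linux apps" or the specific app kind would be accurate.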
governance Built In Initiatives https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-initiatives.md
Title: List of built-in policy initiatives description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Guest Configuration, and more. Previously updated : 01/18/2022 Last updated : 02/15/2022
governance Built In Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-policies.md
Title: List of built-in policy definitions description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Guest Configuration, and more. Previously updated : 01/18/2022 Last updated : 02/15/2022
governance Canada Federal Pbmm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/canada-federal-pbmm.md
Title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/19/2022 Last updated : 02/15/2022
This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
+|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
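Review bot: the two "Add system-assigned managed identity" rows jump two major versions (1.1.0 to 3.0.0) with an unchanged description and a `modify` effect, and the two Administrators-group audit rows go from 1.0.0 to 2.0.0, also unchanged; because `modify` definitions change the VM resource itself (they attach an identity), a jump that large should be checked against the linked GuestConfiguration_AddSystemIdentityWhen*_Prerequisite.json files, and the Effect(s) column updated if the new version added or dropped an effect. Also, this control's table carries only the "missing any of specified members" and "have the specified members" audits, not the "extra accounts in the Administrators group" definition that the earlier hunk bumped alongside them; worth confirming the omission reflects the control mapping rather than a row dropped by the generator.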
This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). |modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assig