Updates from: 02/24/2022 02:11:51
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Customize Ui With Html https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/customize-ui-with-html.md
Previously updated : 10/14/2021 Last updated : 02/23/2022
Instead of creating your custom page content from scratch, you can customize Azu
The following table lists the default page content provided by Azure AD B2C. Download the files and use them as a starting point for creating your own custom pages.
-| Default page | Description | Content definition ID<br/>(custom policy only) |
+| Page | Description | Templates |
|:--|:--|-|
-| [exception.html](https://login.microsoftonline.com/static/tenant/default/exception.cshtml) | **Error page**. This page is displayed when an exception or an error is encountered. | *api.error* |
-| [selfasserted.html](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml) | **Self-Asserted page**. Use this file as a custom page content for a social account sign-up page, a local account sign-up page, a local account sign-in page, password reset, and more. The form can contain various input controls, such as: a text input box, a password entry box, a radio button, single-select drop-down boxes, and multi-select check boxes. | *api.localaccountsignin*, *api.localaccountsignup*, *api.localaccountpasswordreset*, *api.selfasserted* |
-| [multifactor-1.0.0.html](https://login.microsoftonline.com/static/tenant/default/multifactor-1.0.0.cshtml) | **Multi-factor authentication page**. On this page, users can verify their phone numbers (by using text or voice) during sign-up or sign-in. | *api.phonefactor* |
-| [updateprofile.html](https://login.microsoftonline.com/static/tenant/default/updateProfile.cshtml) | **Profile update page**. This page contains a form that users can access to update their profile. This page is similar to the social account sign-up page, except for the password entry fields. | *api.selfasserted.profileupdate* |
-| [unified.html](https://login.microsoftonline.com/static/tenant/default/unified.cshtml) | **Unified sign-up or sign-in page**. This page handles the user sign-up and sign-in process. Users can use enterprise identity providers, social identity providers such as Facebook or Google+, or local accounts. | *api.signuporsignin* |
+| Unified sign-up or sign-in | This page handles the user sign-up and sign-in process. Users can use enterprise identity providers, social identity providers such as Facebook, Microsoft account, or local accounts. | [Classic](https://login.microsoftonline.com/static/tenant/default/unified.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/unified.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/unified.cshtml). |
+| Sign-in (only)| The sign-in page is also known as the *Identity provider selection*. It handles the user sign-in with local account, or federated identity providers. Use this page to allow sign-in without the ability to sign-up. For example before user can edit their profile. | [Classic](https://login.microsoftonline.com/static/tenant/default/idpSelector.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/idpSelector.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/idpSelector.cshtml).
+| Self-Asserted | Most interactions in Azure AD B2C where the user is expected to provide input are self-asserted. For example, a sign-up page, sign-in page, or password reset page. Use this template as a custom page content for a social account sign-up page, a local account sign-up page, a local account sign-in page, password reset, edit profile, block page and more. The self-asserted page can contain various input controls, such as: a text input box, a password entry box, a radio button, single-select drop-down boxes, and multi-select check boxes. | [Classic](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/selfAsserted.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/selfAsserted.cshtml). |
+| Multi-factor authentication | On this page, users can verify their phone numbers (by using text or voice) during sign-up or sign-in. | [Classic](https://login.microsoftonline.com/static/tenant/default/multifactor-1.0.0.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/multifactor-1.0.0.cshtml). |
+| Error | This page is displayed when an exception or an error is encountered. | [Classic](https://login.microsoftonline.com/static/tenant/default/exception.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/exception.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/exception.cshtml). |
++ ## Hosting the page content
When using your own HTML and CSS files to customize the UI, host your UI content
You localize your HTML content by enabling [language customization](language-customization.md) in your Azure AD B2C tenant. Enabling this feature allows Azure AD B2C to set the HTML page language attribute and pass the OpenID Connect parameter `ui_locales` to your endpoint.
-#### Single-template approach
+### Single-template approach
During page load, Azure AD B2C sets the HTML page language attribute with the current language. For example, `<html lang="en">`. To render different styles per the current language, use the CSS `:lang` selector along with your CSS definition.
To host your HTML content in Blob storage, perform the following steps:
1. **Redundancy** can remain **Geo-redundant storage (GRS)** 1. Select **Review + create** and wait a few seconds for Azure AD to run a validation. 1. Select **Create** to create the storage account. After the deployment is completed, the storage account page opens automatically or select **Go to resource**.+ #### 2.1 Create a container To create a public container in Blob storage, perform the following steps:
To use [company branding](customize-ui.md#configure-company-branding) assets in
## Next steps
-Learn how to enable [client-side JavaScript code](javascript-and-page-layout.md).
+Learn how to enable [client-side JavaScript code](javascript-and-page-layout.md).
active-directory-b2c Partner Dynamics 365 Fraud Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md
In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integr
For additional information, review the following articles: -- [Microsoft DFP samples](https://github.com/Microsoft/Dynamics-365-Fraud-Protection-Samples)
+- [Microsoft DFP samples](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection)
- [Custom policies in Azure AD B2C](./custom-policy-overview.md)
active-directory How To Authentication Find Coverage Gaps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md
Previously updated : 11/03/2021 Last updated : 02/22/2022
# Find and address gaps in strong authentication coverage for your administrators
-Requiring multi-factor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we'll cover how to make sure all of your administrators are covered by multi-factor authentication.
+Requiring multifactor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we'll cover how to make sure all of your administrators are covered by multifactor authentication.
## Detect current usage for Azure AD Built-in administrator roles
The [Azure AD Secure Score](../fundamentals/identity-secure-score.md) provides a
There are different ways to check if your admins are covered by an MFA policy. -- To troubleshoot sign-in for a specific administrator, you can use the sign-in logs. The sign-in logs let you filter **Authentication requirement** for specific users. Any sign-in where **Authentication requirement** is **Single-factor authentication** means there was no multi-factor authentication policy that was required for the sign-in.
+- To troubleshoot sign-in for a specific administrator, you can use the sign-in logs. The sign-in logs let you filter **Authentication requirement** for specific users. Any sign-in where **Authentication requirement** is **Single-factor authentication** means there was no multifactor authentication policy that was required for the sign-in.
![Screenshot of the sign-in log.](./media/how-to-authentication-find-coverage-gaps/auth-requirement.png)
There are different ways to check if your admins are covered by an MFA policy.
- To choose which policy to enable based on your user licenses, we have a new MFA enablement wizard to help you [compare MFA policies](concept-mfa-licensing.md#compare-multi-factor-authentication-policies) and see which steps are right for your organization. The wizard shows administrators who were protected by MFA in the last 30 days.
- ![Screenshot of the Multi-factor authentication enablement wizard.](./media/how-to-authentication-find-coverage-gaps/wizard.png)
+ ![Screenshot of the multifactor authentication enablement wizard.](./media/how-to-authentication-find-coverage-gaps/wizard.png)
-- To programmatically create a report listing all users with Admins roles in your tenant and their strong authentication status, you can run a [PowerShell script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-AADToolkitUnprotectedUsersWithAdminRoles.ps1). This script enumerates all permanent and eligible built-in and custom role assignments as well as groups with roles assigned, and finds users that are either not registered for MFA or not signing in with MFA by evaluating their authentication methods and their sign-in activity.
+- You can run [this script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-AADToolkitUnprotectedUsersWithAdminRoles.ps1) to programmatically generate a report of all users with directory role assignments who have signed in with or without MFA in the last 30 days. This script will enumerate all active built-in and custom role assignments, all eligible built-in and custom role assignments, and groups with roles assigned.
-## Enforce multi-factor authentication on your administrators
+## Enforce multifactor authentication on your administrators
-Based on gaps you found, require administrators to use multi-factor authentication in one of the following ways:
+If you find administrators who aren't protected by multifactor authentication, you can protect them in one of the following ways:
- If your administrators are licensed for Azure AD Premium, you can [create a Conditional Access policy](tutorial-enable-azure-mfa.md) to enforce MFA for administrators. You can also update this policy to require MFA from users who are in custom roles. - Run the [MFA enablement wizard](https://aka.ms/MFASetupGuide) to choose your MFA policy. -- If you assign custom or built-in admin roles in [Privileged Identity Management](../privileged-identity-management/pim-configure.md), require multi-factor authentication upon role activation.
+- If you assign custom or built-in admin roles in [Privileged Identity Management](../privileged-identity-management/pim-configure.md), require multifactor authentication upon role activation.
## Use Passwordless and phishing resistant authentication methods for your administrators
-After your admins are enforced for multi-factor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method:
+After your admins are enforced for multifactor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method:
- [Phone Sign-in (with Microsoft Authenticator)](concept-authentication-authenticator-app.md) - [FIDO2](concept-authentication-passwordless.md#fido2-security-keys)
active-directory How To Mfa Number Match https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-number-match.md
description: Learn how to use number matching in MFA notifications
Previously updated : 11/17/2021 Last updated : 02/23/2022
Number matching is available for the following scenarios. When enabled, all scen
- [AD FS adapter](howto-mfaserver-adfs-windows-server.md) - [NPS extension](howto-mfa-nps-extension.md)
+>[!NOTE]
+>For passwordless users, enabling number matching has no impact because it's already part of the passwordless experience.
+ ### Multifactor authentication When a user responds to an MFA push notification using Microsoft Authenticator, they will be presented with a number. They need to type that number into the app to complete the approval.
To enable number matching in the Azure AD portal, complete the following steps:
![Screenshot of enabling number match.](media/howto-authentication-passwordless-phone/enable-number-matching.png)
-## Known issues
--- Number matching for admin roles during SSPR is pending and unavailable for a couple days.- ## Next steps [Authentication methods in Azure Active Directory - Microsoft Authenticator app](concept-authentication-authenticator-app.md)
active-directory Cloudknox All Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-all-reports.md
+
+ Title: View a list and description of all system reports available in CloudKnox Permissions Management reports
+description: View a list and description of all system reports available in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View a list and description of system reports
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+CloudKnox Permissions Management (CloudKnox) has various types of system reports that capture specific sets of data. These reports allow management, auditors, and administrators to:
+
+- Make timely decisions.
+- Analyze trends and system/user performance.
+- Identify trends in data and high risk areas so that management can address issues more quickly and improve their efficiency.
+
+This article provides you with a list and description of the system reports available in CloudKnox. Depending on the report, you can download it in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
+
+## Download a system report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems reports** subtab.
+1. In the **Report Name** column, find the report you want, and then select the down arrow to the right of the report name to download the report.
+
+ Or, from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays: **Successfully started to generate on demand report.**
++
+## Summary of available system reports
+
+| Report name | Type of the report | File format | Description | Availability | Collated report? |
+|-|--|--|| -|-|
+| Access Key Entitlements and Usage Report | Summary </p>Detailed | CSV | This report displays: </p> - Access key age, last rotation date, and last usage date availability in the summary report. Use this report to decide when to rotate access keys. </p> - Granted task and Permissions creep index (PCI) score. This report provides supporting information when you want to take the action on the keys. | AWS</p>Azure</p>GCP | Yes |
+| All Permissions for Identity | Detailed | CSV | This report lists all the assigned permissions for the selected identities. | Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) | N/A |
+| Group Entitlements and Usage | Summary | CSV | This report tracks all group level entitlements and the permission assignment, PCI. The number of members is also listed as part of this report. | AWS, Azure, or GCP | Yes |
+| Identity Permissions | Summary | CSV | This report tracks any, or specific, task usage per **User**, **Group**, **Role**, or **App**. | AWS, Azure, or GCP | No |
+| NIST 800-53 | Detailed </p>Summary </p>Dashboard | CSV </p>PDF | **Dashboard**: This report helps track the overall progress of the NIST 800-53 benchmark. It lists the percentage passing, overall pass or fail of test control along with the breakup of L1/L2 per Auth system. </p>**Summary**: For each authorized system, this report lists the test control pass or fail per authorized system and the number of resources evaluated for each test control. </p>**Detailed**: This report helps auditors and administrators to track the resource level pass or fail per test control. | AWS, Azure, or GCP | Yes |
+| PCI DSS | Detailed </p>Summary </p>Dashboard | CSV | **Dashboard**: This report helps track the overall progress of the PCI-DSS benchmark. It lists the percentage passing, overall pass or fail of test control along with the breakup of L1/L2 per Auth system. </p>**Summary**: For each authorized system, this report lists the test control pass or fail per authorized system and the number of resources evaluated for each test control. </p>**Detailed**: This report helps auditors and administrators to track the resource level pass or fail per test control. | AWS, Azure, or GCP | Yes |
+| PCI History | Summary | CSV | This report helps track **Monthly PCI History** for each authorized system. It can be used to plot the trend of the PCI. | AWS, Azure, or GCP | Yes |
+| Permissions Analytics Report (PAR) | Summary | PDF | This report helps monitor the **Identity Privilege** related activity across the authorized systems. It captures any Identity permission change. </p>This report has the following main sections: **User Summary**, **Group Summary**, **Role Summary & Delete Task Summary**. </p>The **User Summary** lists the current granted permissions along with high-risk permissions and resources accessed in 1-day, 7-day, or 30-days durations. There are subsections for newly added or deleted users, users with PCI change, high-risk active/inactive users. </p>The **Group Summary** lists the administrator level groups with the current granted permissions along with high-risk permissions and resources accessed in 1-day, 7-day, or 30-day durations. There are subsections for newly added or deleted groups, groups with PCI change, High-risk active/inactive groups. </p>The **Role Summary** and the **Group Summary** list similar details. </p>The **Delete Task** summary section lists the number of times the **Delete Task** has been executed in the given period. | AWS, Azure, or GCP | No |
+| Permissions Analytics Report (PAR) | Detailed | CSV | This report lists the different key findings in the selected authorized systems. The key findings include **Super identities**, **Inactive identities**, **Over-provisioned active identities**, **Storage bucket hygiene**, **Access key age (AWS)**, and so on. </p>This report helps administrators to visualize the findings across the organization and make decisions. | AWS, Azure, or GCP | Yes |
+| Role/Policy Details | Summary | CSV | This report captures **Assigned/Unassigned** and **Custom/system policy with used/unused condition** for specific or all AWS accounts. </p>Similar data can be captured for Azure and GCP for assigned and unassigned roles. | AWS, Azure, or GCP | No |
+| User Entitlements and Usage | Detailed <p>Summary | CSV | This report provides a summary and details of **User entitlements and usage**. </p>**Data displayed on Usage Analytics** screen is downloaded as part of the **Summary** report. </p>**Detailed permissions usage per User** is listed in the Detailed report. | AWS, Azure, or GCP | Yes |
++
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).
+- For information about how to create and view a custom report, see [Generate and view a custom report](cloudknox-report-create-custom-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
active-directory Cloudknox Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-faqs.md
+
+ Title: Frequently asked questions (FAQs) about CloudKnox Permissions Management
+description: Frequently asked questions (FAQs) about CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Frequently asked questions (FAQs)
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
++
+This article answers frequently asked questions (FAQs) about CloudKnox Permissions Management (CloudKnox).
+
+## What's CloudKnox Permissions Management?
+
+CloudKnox is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). CloudKnox detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle.
++
+## What are the prerequisites to use CloudKnox?
+
+CloudKnox supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use CloudKnox, however, an Azure subscription or Azure AD P1 or P2 license aren't required to use CloudKnox for AWS or GCP.
+
+## Can a customer use CloudKnox if they have other identities with access to their IaaS platform that arenΓÇÖt yet in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))?
+
+Yes, a customer can detect, mitigate, and monitor the risk of ΓÇÿbackdoorΓÇÖ accounts that are local to AWS IAM, GCP, or from other identity providers such as Okta or AWS IAM.
+
+## Where can customers access CloudKnox?
+
+Customers can access the CloudKnox interface with a link from the Azure AD extension in the Azure portal.
+
+## Can non-cloud customers use CloudKnox on-premises?
+
+No, CloudKnox is a hosted cloud offering.
+
+## Can non-Azure customers use CloudKnox?
+
+Yes, non-Azure customers can use our solution. CloudKnox is a multi-cloud solution so even customers who have no subscription to Azure can benefit from it.
+
+## If IΓÇÖm already using Azure AD Privileged Identity Management (PIM) for Azure, what value does CloudKnox provide?
+
+CloudKnox complements Azure AD PIM. Azure AD PIM provides just-in-time access for admin roles in Azure (as well as Microsoft Online Services and apps that use groups), while CloudKnox allows multi-cloud discovery, remediation, and monitoring of privileged access across Azure, AWS, and GCP.
+
+## What languages does CloudKnox support?
+
+CloudKnox currently supports English.
+
+## What public cloud infrastructures are supported by CloudKnox?
+
+CloudKnox currently supports the three major public clouds: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
+
+## Does CloudKnox support hybrid environments?
+
+CloudKnox currently doesnΓÇÖt support hybrid environments.
+
+## What types of identities are supported by CloudKnox?
+
+CloudKnox supports user identities (for example, employees, customers, external partners) and workload identities (for example, virtual machines, containers, web apps, serverless functions).
+
+<!## Is CloudKnox General Data Protection Regulation (GDPR) compliant?
+
+CloudKnox is currently not GDPR compliant.>
+
+## Is CloudKnox available in Government Cloud?
+
+No, CloudKnox is currently not available in Government clouds.
+
+## Is CloudKnox available for sovereign clouds?
+
+No, CloudKnox is currently not available in sovereign Clouds.
+
+## How does CloudKnox collect insights about permissions usage?
+
+CloudKnox has a data collector that collects access permissions assigned to various identities, activity logs, and resources metadata. This gathers full visibility into permissions granted to all identities to access the resources and details on usage of granted permissions.
+
+## How does CloudKnox evaluate cloud permissions risk?
+
+CloudKnox offers granular visibility into all identities and their permissions granted versus used, across cloud infrastructures to uncover any action performed by any identity on any resource. This isn't limited to just user identities, but also workload identities such as virtual machines, access keys, containers, and scripts. The dashboard gives an overview of permission profile to locate the riskiest identities and resources.
+
+## What is the Permissions Creep Index?
+
+The Permissions Creep Index (PCI) is a quantitative measure of risk associated with an identity or role determined by comparing permissions granted versus permissions exercised. It allows users to instantly evaluate the level of risk associated with the number of unused or over-provisioned permissions across identities and resources. It measures how much damage identities can cause based on the permissions they have.
+
+## How can customers use CloudKnox to delete unused or excessive permissions?
+
+CloudKnox allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed.
+
+## How can customers grant permissions on-demand with CloudKnox?
+
+For any break-glass or one-off scenarios where an identity needs to perform a specific set of actions on a set of specific resources, the identity can request those permissions on-demand for a limited period with a self-service workflow. Customers can either use the built-in workflow engine or their IT service management (ITSM) tool. The user experience is the same for any identity type, identity source (local, enterprise directory, or federated) and cloud.
+
+## What is the difference between permissions on-demand and just-in-time access?
+
+Just-in-time (JIT) access is a method used to enforce the principle of least privilege to ensure identities are given the minimum level of permissions to perform the task at hand. Permissions on-demand are a type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis.
+
+## How can customers monitor permissions usage with CloudKnox?
+
+Customers only need to track the evolution of their Permission Creep Index to monitor permissions usage. They can do this in the ΓÇ£AnalyticsΓÇ¥ tab in their CloudKnox dashboard where they can see how the PCI of each identity or resource is evolving over time.
+
+## Can customers generate permissions usage reports?
+
+Yes, CloudKnox has various types of system report available that capture specific data sets. These reports allow customers to:
+- Make timely decisions
+- Analyze usage trends and system/user performance
+- Identify high-risk areas
+
+For information about permissions usage reports, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
+
+## Does CloudKnox integrate with third-party ITSM (Information Technology Security Management) tools?
+
+CloudKnox integrates with ServiceNow.
++
+## How is CloudKnox being deployed?
+
+Customers with Global Admin role have first to onboard CloudKnox on their Azure AD tenant, and then onboard their AWS accounts, GCP projects, and Azure subscriptions. More details about onboarding can be found in our product documentation.
+
+## How long does it take to deploy CloudKnox?
+
+It depends on each customer and how many AWS accounts, GCP projects, and Azure subscriptions they have.
+
+## Once CloudKnox is deployed, how fast can I get permissions insights?
+
+Once fully onboarded with data collection set up, customers can access permissions usage insights within hours. Our machine-learning engine refreshes the Permission Creep Index every hour so that customers can start their risk assessment right away.
+
+## Is CloudKnox collecting and storing sensitive personal data?
+
+No, CloudKnox doesnΓÇÖt have access to sensitive personal data.
+
+## Where can I find more information about CloudKnox?
+
+You can read our blog and visit our web page. You can also get in touch with your Microsoft point of contact to schedule a demo.
+
+## Resources
+
+- [Public Preview announcement blog](https://www.aka.ms/CloudKnox-Public-Preview-Blog)
+- [CloudKnox Permissions Management web page](https://microsoft.com/security/business/identity-access-management/permissions-management)
+++
+## Next steps
+
+- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md).
+- For information on how to onboard CloudKnox in your organization, see [Enable CloudKnox in your organization](cloudknox-onboard-enable-tenant.md).
active-directory Cloudknox Howto Add Remove Role Task https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-add-remove-role-task.md
+
+ Title: Add and remove roles and tasks for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management
+description: How to attach and detach permissions for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities
++
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities using the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+## View permissions
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**.
+1. To search for more parameters, you can make a selection from the **User States**, **Privilege Creep Index**, and **Task usage** dropdowns.
+1. Select **Apply**.
+ CloudKnox displays a list of groups, users, and service accounts that match your criteria.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a group name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+
+ The table displays the **Username** **Domain/Account**, **Source**, **Resource** and **Current role**.
++
+## Add a role
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To attach a role, select **Add role**.
+1. In the **Add role** page, from the **Available roles** list, select the plus sign **(+)** to move the role to the **Selected roles** list.
+1. When you have finished adding roles, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Remove a role
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To remove a role, select **Remove role**.
+1. In the **Remove role** page, from the **Available roles** list, select the plus sign **(+)** to move the role to the **Selected roles** list.
+1. When you have finished selecting roles, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Add a task
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To attach a role, select **Add tasks**.
+1. In the **Add tasks** page, from the **Available tasks** list, select the plus sign **(+)** to move the task to the **Selected tasks** list.
+1. When you have finished adding tasks, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Remove a task
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To remove a task, select **Remove tasks**.
+1. In the **Remove tasks** page, from the **Available tasks** list, select the plus sign **(+)** to move the task to the **Selected tasks** list.
+1. When you have finished selecting tasks, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
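Review bot: under "Add a task", the step "To attach a role, select **Add tasks**" should read "To attach a task, select **Add tasks**"; the line was carried over from "Add a role" without the noun being changed. Two points in the same file the author should confirm rather than fix mechanically: on the **Remove role** and **Remove tasks** pages the list is labelled **Available roles** / **Available tasks**, the same label used when adding, so say whether the removal list shows only what is currently assigned to the selected identity, since that is what a reader revoking access expects; and because **Execute** changes the permission in the Azure or GCP authorization system directly, state what happens when the selected authorization system is not controller-enabled, as the clone article in this same update does ("Only online/controller-enabled authorization systems can be submitted..."), and point readers who want a reviewable change at **Generate Script**. Smaller fixes: in the NOTE, "your must have" should be "you must have" and the apostrophe in "donΓÇÖt" is mis-encoded; under "View permissions" the reader selects **Apply**, sees results, then enters a username and group name and selects **Apply** again, so either the first **Apply** or the username/group steps are out of order; the table sentence needs a comma between **Username** and **Domain/Account**; in Next steps, "see Modify a role/policy](cloudknox-howto-modify-role-policy.md)" is missing its opening bracket, and the final "Create or approve a request for permissions" entry lacks the leading "- " so it renders as a paragraph, not a list item.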
active-directory Cloudknox Howto Attach Detach Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-attach-detach-permissions.md
+
+ Title: Attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in CloudKnox Permissions Management
+description: How to attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Attach and detach policies for Amazon Web Services (AWS) identities
++
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities using the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+## View permissions
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **AWS**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **Role**.
+1. To search for more parameters, you can make a selection from the **User States**, **Privilege Creep Index**, and **Task usage** dropdowns.
+1. Select **Apply**.
+ CloudKnox displays a list of users, roles, or groups that match your criteria.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a group name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+
+ The table displays the related **Username** **Domain/Account**, **Source** and **Policy name**.
++
+## Attach policies
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **AWS**.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a group name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+1. To attach a policy, select **Attach policies**.
+1. In the **Attach policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list.
+1. When you have finished adding policies, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Detach policies
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **AWS**.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a group name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+1. To remove a policy, select **Detach policies**.
+1. In the **Detach policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list.
+1. When you have finished selecting policies, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
+
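Review bot: the "Attach policies" and "Detach policies" procedures jump from "select **AWS**" straight to "In **Enter a username**", skipping the "Select an authorization system" and "Search For" steps that "View permissions" uses, so the reader is never told which AWS account the policy is attached to or detached from; either repeat those steps or refer back to "View permissions". As in the Azure/GCP article, the **Detach policies** page is described as listing **Available policies**, the same label as on the attach page; confirm whether it lists only policies currently attached to the selected user, role, or group. Since **Execute** applies the change to the AWS account immediately, consider adding the controller-enabled caveat here too and stating that **Generate Script** is the path for a change that will be reviewed before it is run. Typos: "your must have" and the mis-encoded apostrophe in "donΓÇÖt" in the NOTE; missing comma between **Username** and **Domain/Account**; missing opening bracket on "see Modify a role/policy](...)"; the last Next steps entry lacks the "- " list marker; and there is a stray trailing "+" line after it.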
active-directory Cloudknox Howto Audit Trail Results https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-audit-trail-results.md
+
+ Title: Generate an on-demand report from a query in the Audit dashboard in CloudKnox Permissions Management
+description: How to generate an on-demand report from a query in the **Audit** dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate an on-demand report from a query
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can generate an on-demand report from a query in the **Audit** dashboard in CloudKnox Permissions Management (CloudKnox). You can:
+
+- Run a report on-demand.
+- Schedule and run a report as often as you want.
+- Share a report with other members of your team and management.
+
+## Generate a custom report on-demand
+
+1. In the CloudKnox home page, select the **Audit** tab.
+
+ CloudKnox displays the query options available to you.
+1. In the **Audit** dashboard, select **Search** to run the query.
+1. Select **Export**.
+
+ CloudKnox generates the report and exports it in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
+
+<!
+## Create a schedule to automatically generate and share a report
+
+1. In the **Audit** tab, load the query you want to use to generate your report.
+2. Select **Settings** (the gear icon).
+3. In **Repeat on**, select on which days of the week you want the report to run.
+4. In **Date**, select the date when you want the query to run.
+5. In **hh mm** (time), select the time when you want the query to run.
+6. In **Request file format**, select the file format you want for your report.
+7. In **Share report with people**, enter email addresses for people to whom you want to send the report.
+8. Select **Schedule**.
+
+ CloudKnox generates the report as set in Steps 3 to 6, and emails it to the recipients you specified in Step 7.
++
+## Delete the schedule for a report
+
+1. In the **Audit** tab, load the query whose report schedule you want to delete.
+2. Select the ellipses menu **(…)** on the far right, and then select **Delete schedule**.
+
+ CloudKnox deletes the schedule for running the query. The query itself isn't deleted.
+>
++
+## Next steps
+
+- For information on how to view how users access information, see [Use queries to see how users access information](cloudknox-ui-audit-trail.md).
+- For information on how to filter and view user activity, see [Filter and query user activity](cloudknox-product-audit-trail.md).
+- For information on how to create a query,see [Create a custom query](cloudknox-howto-create-custom-queries.md).
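Review bot: the "<!" on its own line before "## Create a schedule to automatically generate and share a report" and the ">" after "The query itself isn't deleted." look like the remains of an HTML comment wrapping the two scheduling sections. As written they are not a valid comment ("<!--" and "-->" are required), so the page will render the stray characters and the sections themselves; decide which was intended. If the sections are meant to be hidden until the feature ships, fix the markers and also drop "Schedule and run a report as often as you want" and "Share a report with other members of your team and management" from the intro list, because both describe only the hidden sections. If they are meant to be published, remove the markers. In "Generate a custom report on-demand", step 3 says the export is CSV, PDF, or XLSX but no step chooses the format; add it. On "Share report with people", a sentence noting that the scheduled report (audit-trail activity) is emailed to every address entered, so the recipient list should be limited to people entitled to that data, would be a useful caveat. Typo: "create a query,see" needs a space.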
active-directory Cloudknox Howto Clone Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-clone-role-policy.md
+
+ Title: Clone a role/policy in the Remediation dashboard in CloudKnox Permissions Management
+description: How to clone a role/policy in the Just Enough Permissions (JEP) Controller.
+++++++ Last updated : 02/23/2022+++
+# Clone a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to clone roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Clone a role/policy
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Select the role/policy you want to clone, and from the **Actions** column, select **Clone**.
+1. **(AWS Only)** In the **Clone** box, the **Clone Resources** and **Clone Conditions** checkboxes are automatically selected.
+ Deselect the boxes if the resources and conditions are different from what is displayed.
+1. Enter a name for each authorization system that was selected in the **Policy Name** boxes, and then select **Next**.
+
+1. If the data collector hasn't been given controller privileges, the following message displays: **Only online/controller-enabled authorization systems can be submitted for cloning.**
+
+ To clone this role manually, download the script and JSON file.
+
+1. Select **Submit**.
+1. Refresh the **Role/Policies** tab to see the role/policy you cloned.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
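Review bot: the description says the task is done "in the Just Enough Permissions (JEP) Controller" while the title and body say "Remediation dashboard"; use one name. In step 3 (AWS only), "**Clone Resources** and **Clone Conditions** checkboxes are automatically selected. Deselect the boxes if the resources and conditions are different from what is displayed" does not say what the cloned policy contains when the boxes are cleared; since removing a policy's resource scope or conditions changes, and can broaden, what it grants, state whether the clone is created without those elements and whether the author must supply them afterwards. Step 5, "To clone this role manually, download the script and JSON file", names no control to download from; add it. In Next steps, "see Modify a role/policy](...)" is missing its opening bracket, and "View information about roles/policies" appears twice. The NOTE has the mis-encoded apostrophe in "donΓÇÖt".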
active-directory Cloudknox Howto Create Alert Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-alert-trigger.md
+
+ Title: Create and view activity alerts and alert triggers in CloudKnox Permissions Management
+description: How to create and view activity alerts and alert triggers in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view activity alerts and alert triggers
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can create and view activity alerts and alert triggers in CloudKnox Permissions Management (CloudKnox).
+
+## Create an activity alert trigger
+
+1. In the CloudKnox home page, select **Activity Triggers** (the bell icon).
+1. In the **Activity** tab, select **Create Activity Trigger**.
+1. In the **Alert Name** box, enter a name for your alert.
+1. In **Authorization System Type**, select your authorization system: Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. In **Authorization System**, select **Is** or **In**, and then select one or more accounts and folders.
+1. From the **Select a Type** dropdown, select: **Access Key ID**, **Identity Tag Key**, **Identity Tag Key Value**, **Resource Name**, **Resource Tag Key**, **Resource Tag Key Value**, **Role Name**, **Role Session Name**, **State**, **Task Name**, or **Username**.
+1. From the **Operator** dropdown, select an option:
+
+ - **Is**/**Is Not**: Select in the value field to view a list of all available values. You can either select or enter the required value.
+ - **Contains**/**Not Contains**: Enter any text that the query parameter should or shouldn't contain, for example *CloudKnox*.
+ - **In**/**Not In**: Select in the value field to view list of all available values. Select the required multiple values.
+
+1. To add another parameter, select the plus sign **(+)**, then select an operator, and then enter a value.
+
+ To remove a parameter, select the minus sign **(-)**.
+1. To add another activity type, select **Add**, and then enter your parameters.
+1. To save your alert, select **Save**.
+
+ A message displays to confirm your activity trigger has been created.
+
+ The **Triggers** table in the **Alert Triggers** subtab displays your alert trigger.
+
+## View an activity alert
+
+1. In the CloudKnox home page, select **Activity Triggers** (the bell icon).
+1. In the **Activity** tab, select the **Alerts** subtab.
+1. From the **Alert Name** dropdown, select an alert.
+1. From the **Date** dropdown, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**.
+
+ If you select **Custom range**, select date and time settings, and then select **Apply**.
+1. To view the alert, select **Apply**
+
+ The **Alerts** table displays information about your alert.
+++
+## View activity alert triggers
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. In the **Activity** tab, select the **Alert triggers** subtab.
+1. From the **Status** dropdown, select **All**, **Activated** or **Deactivated**, then select **Apply**.
+
+ The **Triggers** table displays the following information:
+
+ - **Alerts**: The name of the alert trigger.
+ - **# of users subscribed**: The number of users who have subscribed to a specific alert trigger.
+
+ - Select a number in this column to view information about the user.
+
+ - **Created by**: The email address of the user who created the alert trigger.
+ - **Modified by**: The email address of the user who last modified the alert trigger.
+ - **Last updated**: The date and time the alert trigger was last updated.
+ - **Subscription**: A switch that displays if the alert is **On** or **Off**.
+
+ - If the column displays **Off**, the current user isn't subscribed to that alert. Switch the toggle to **On** to subscribe to the alert.
+ - The user who creates an alert trigger is automatically subscribed to the alert, and will receive emails about the alert.
+
+1. To see only activated or only deactivated triggers, from the **Status** dropdown, select **Activated** or **Deactivated**, and then select **Apply**.
+
+1. To view other options available to you, select the ellipses (**...**), and then select from the available options.
+
+ If the **Subscription** is **On**, the following options are available:
+
+ - **Edit**: Enables you to modify alert parameters
+
+ > [!NOTE]
+ > Only the user who created the alert can perform the following actions: edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
+
+ - **Duplicate**: Create a duplicate of the alert called "**Copy of XXX**".
+ - **Rename**: Enter the new name of the query, and then select **Save.**
+ - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
+ - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
+ - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger and their **User status**.
+ - **Delete**: Delete the alert.
+
+ If the **Subscription** is **Off**, the following options are available:
+ - **View**: View details of the alert trigger.
+ - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger and their **User status**.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
++++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).
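Review bot: under "View activity alert triggers", the **Rename** option reads "Enter the new name of the query", but the item being renamed is an alert trigger; this text was carried over from the query documentation. The NOTE in the same list says only the creator can edit, rename, deactivate, or delete a trigger and that "Changes made by other users aren't saved", yet **Edit**, **Rename**, **Deactivate**, and **Delete** are listed as available to any user whose **Subscription** is **On**; say whether the options are hidden, disabled, or accepted and silently discarded for non-creators, because a user who believes they have activated or edited a trigger when nothing was saved has a gap in their alerting. Also: the Triggers table column described as **Alerts** holds "The name of the alert trigger", so confirm the header; steps 3 and 4 of the same procedure both describe filtering by **Status**, so one can go; "Activity Triggers"/"Activity triggers" and "Alert Triggers"/"Alert triggers" are capitalized inconsistently across the three procedures; "view list of all available values" is missing "a"; and "To view the alert, select **Apply**" lacks its period.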
active-directory Cloudknox Howto Create Approve Privilege Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-approve-privilege-request.md
+
+ Title: Create or approve a request for permissions in the Remediation dashboard in CloudKnox Permissions Management
+description: How to create or approve a request for permissions in the Remediation dashboard.
+++++++ Last updated : 02/23/2022+++
+# Create or approve a request for permissions
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to create or approve a request for permissions in the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox). You can create and approve requests for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+The **Remediation** dashboard has two privilege-on-demand (POD) workflows you can use:
+- **New Request**: The workflow used by a user to create a request for permissions for a specified duration.
+- **Approver**: The workflow used by an approver to review and approve or reject a userΓÇÖs request for permissions.
++
+> [!NOTE]
+> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+## Create a request for permissions
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **My requests** subtab.
+
+ The **My requests** subtab displays the following options:
+ - **Pending**: A list of requests youΓÇÖve made but haven't yet been reviewed.
+ - **Approved**: A list of requests that have been reviewed and approved by the approver. These requests have either already been activated or are in the process of being activated.
+ - **Processed**: A summary of the requests youΓÇÖve created that have been approved (**Done**), **Rejected**, and requests that have been **Canceled**.
+
+1. To create a request for permissions, select **New request**.
+1. In the **Roles/Tasks** page:
+ 1. From the **Select an authorization system type** dropdown, select the authorization system type you want to access: **AWS**, **Azure** or **GCP**.
+ 1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+ 1. From the **Identity** dropdown, select the identity on whose behalf youΓÇÖre requesting access.
+
+ - If the identity you select is a Security Assertions Markup Language (SAML) user, and since a SAML user accesses the system through assumption of a role, select the userΓÇÖs role in **Role**.
+
+ - If the identity you select is a local user, to select the policies you want:
+ 1. Select **Request policy(s)**.
+ 1. In **Available policies**, select the policies you want.
+ 1. To select a specific policy, select the plus sign, and then find and select the policy you want.
+
+ The policies youΓÇÖve selected appear in the **Selected policies** box.
+
+ - If the identity you select is a local user, to select the tasks you want:
+ 1. Select **Request Task(s)**.
+ 1. In **Available Tasks**, select the tasks you want.
+ 1. To select a specific task, select the plus sign, and then select the task you want.
+
+ The tasks youΓÇÖve selected appear in the **Selected Tasks** box.
+
+ If the user already has existing policies, they're displayed in **Existing Policies**.
+1. Select **Next**.
+
+1. If you selected **AWS**, the **Scope** page appears.
+
+ 1. In **Select scope**, select:
+ - **All Resources**
+ - **Specific Resources**, and then select the resources you want.
+ - **No Resources**
+ 1. In **Request Conditions**:
+ 1. Select **JSON** to add a JSON block of code.
+ 1. Select **Done** to accept the code youΓÇÖve entered, or **Clear** to delete what youΓÇÖve entered and start again.
+ 1. In **Effect**, select **Allow** or **Deny.**
+ 1. Select **Next**.
+
+1. The **Confirmation** page appears.
+1. In **Request Summary**, enter a summary for your request.
+1. Optional: In **Note**, enter a note for the approver.
+1. In **Schedule**, select when (how quickly) you want your request to be processed:
+ - **ASAP**
+ - **Once**
+ - In **Create Schedule**, select the **Frequency**, **Date**, **Time**, and **For** the required duration, then select **Schedule**.
+ - **Daily**
+ - **Weekly**
+ - **Monthly**
+1. Select **Submit**.
+
+ The following message appears: **Your request has been successfully submitted.**
+
+ The request you submitted is now listed in **Pending Requests**.
+
+## Approve or reject a request for permissions
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **My requests** subtab.
+1. To view a list of requests that haven't yet been reviewed, select **Pending Requests**.
+1. In the **Request Summary** list, select the ellipses **(…)** menu on the right of a request, and then select:
+
+ - **Details** to view the details of the request.
+ - **Approve** to approve the request.
+ - **Reject** to reject the request.
+
+1. (Optional) add a note to the requestor, and then select **Confirm.**
+
+ The **Approved** subtab displays a list of requests that have been reviewed and approved by the approver. These requests have either already been activated or are in the process of being activated.
+ The **Processed** subtab displays a summary of the requests that have been approved or rejected, and requests that have been canceled.
++
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Add and remove roles and tasks for Azure and GCP identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
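Review bot: the Next steps list has a broken link and a duplicated link target. The modify item reads `see Modify a role/policy](cloudknox-howto-modify-role-policy.md)` and is missing its opening bracket, so it will render as literal text, and the Azure/GCP item "Add and remove roles and tasks for Azure and GCP identities" points at `cloudknox-howto-attach-detach-permissions.md`, the same file as the AWS item just above it, so one of the two targets is almost certainly wrong. Smaller points: the last item lacks a closing period, and "(Optional) add a note to the requestor" in the approve/reject steps should start with a capital letter to match the other steps.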
active-directory Cloudknox Howto Create Custom Queries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-custom-queries.md
+
+ Title: Create a custom query in CloudKnox Permissions Management
+description: How to create a custom query in the Audit dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create a custom query
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Audit** dashboard in CloudKnox Permissions Management (CloudKnox) to create custom queries that you can modify, save, and run as often as you want.
+
+## Open the Audit dashboard
+
+- In the CloudKnox home page, select the **Audit** tab.
+
+ CloudKnox displays the query options available to you.
+
+## Create a custom query
+
+1. In the **Audit** dashboard, in the **New Query** subtab, select **Authorization system type**, and then select the authorization systems you want to search: Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. Select the authorization systems you want to search from the **List** and **Folders** box, and then select **Apply**.
+
+1. In the **New Query** box, enter your query parameters, and then select **Add**.
+ For example, to query by a date, select **Date** in the first box. In the second and third boxes, select the down arrow, and then select one of the date-related options.
+
+1. To add parameters, select **Add**, select the down arrow in the first box to display a dropdown of available selections. Then select the parameter you want.
+1. To add more parameters to the same query, select **Add** (the plus sign), and from the first box, select **And** or **Or**.
+
+ Repeat this step for the second and third box to complete entering the parameters.
+1. To change your query as you're creating it, select **Edit** (the pencil icon), and then change the query parameters.
+1. To change the parameter options, select the down arrow in each box to display a dropdown of available selections. Then select the option you want.
+1. To discard your selections, select **Reset query** for the parameter you want to change, and then make your selections again.
+1. When youΓÇÖre ready to run your query, select **Search**.
+1. To save the query, select **Save**.
+
+ CloudKnox saves the query and adds it to the **Saved queries** list.
+
+## Save the query under a new name
+
+1. In the **Audit** dashboard, select the ellipses menu **(…)** on the far right and select **Save as**.
+2. Enter a new name for the query, and then select **Save**.
+
+ CloudKnox saves the query under the new name. Both the new query and the original query display in the **Saved queries** list.
+
+## View a saved query
+
+1. In the **Audit** dashboard, select the down arrow next to **Saved queries**.
+
+ A list of saved queries appears.
+2. Select the query you want to open.
+3. To open the query with the authorization systems you saved with the query, select **Load with the saved authorization systems**.
+4. To open the query with the authorization systems you have currently selected (which may be different from the ones you originally saved), select **Load with the currently selected authorization systems**.
+5. Select **Load Queries**.
+
+ CloudKnox displays details of the query in the **Activity** table. Select a query to see its details:
+
+ - The **Identity details**.
+ - The **Domain** name.
+ - The **Resource name** and **Resource type**.
+ - The **Task name**.
+ - The **Date**.
+ - The **IP address**.
+ - The **Authorization system**.
+
+## View a raw events summary
+
+1. In the **Audit** dashboard, select **View** (the eye icon) to open the **Raw events summary** box.
+
+ The **Raw events summary** box displays **Identity details**, the **Task name**, and the script for your query.
+1. Select **Copy** to copy the script.
+1. Select **X** to close the **Raw events summary** box.
++
+## Run a saved query
+
+1. In the **Audit** dashboard, select the query you want to run.
+
+ CloudKnox displays the results of the query in the **Activity** table.
+
+## Delete a query
+
+1. In the **Audit** dashboard, load the query you want to delete.
+2. Select **Delete**.
+
+ CloudKnox deletes the query. Deleted queries don't display in the **Saved queries** list.
+
+## Rename a query
+
+1. In the **Audit** dashboard, load the query you want to rename.
+2. Select the ellipses menu **(…)** on the far right, and select **Rename**.
+3. Enter a new name for the query, and then select **Save**.
+
+ CloudKnox saves the query under the new name. Both the new query and the original query display in the **Saved queries** list.
+
+## Duplicate a query
+
+1. In the **Audit** dashboard, load the query you want to duplicate.
+2. Select the ellipses menu **(…)** on the far right, and then select **Duplicate**.
+
+ CloudKnox creates a copy of the query. Both the copy of the query and the original query display in the **Saved queries** list.
+
+ You can rename the original or copy of the query, change it, and save it without changing the other query.
+++
+## Next steps
+
+- For information on how to view how users access information, see [Use queries to see how users access information](cloudknox-ui-audit-trail.md).
+- For information on how to filter and view user activity, see [Filter and query user activity](cloudknox-product-audit-trail.md).
+- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](cloudknox-howto-audit-trail-results.md).
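Review bot: in "Rename a query" the result text contradicts the operation. After **Rename** the article says "Both the new query and the original query display in the **Saved queries** list", which is the same sentence used for **Save as**; a rename replaces the name rather than leaving two entries, so either the sentence was copied from the Save-as section by mistake or the actual behavior needs to be described. In "Create a custom query", steps 1 and 2 both tell the reader to select the authorization systems, but step 1 is choosing the authorization system type (AWS, Azure, GCP) and step 2 the systems from the **List** and **Folders** box, so step 1 should say "type"; steps 4 and 5 ("To add parameters, select **Add**..." and "To add more parameters to the same query, select **Add** (the plus sign)...") overlap and read as one step split in two. "youΓÇÖre" in the Search step is a mis-encoded apostrophe; check that the source file is saved as UTF-8.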
active-directory Cloudknox Howto Create Group Based Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-group-based-permissions.md
+
+ Title: Select group-based permissions settings in CloudKnox Permissions Management with the User management dashboard
+description: How to select group-based permissions settings in CloudKnox Permissions Management with the User management dashboard.
+++++++ Last updated : 02/23/2022+++
+# Select group-based permissions settings
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can create and manage group-based permissions in CloudKnox Permissions Management (CloudKnox) with the User management dashboard.
+
+[!NOTE] The CloudKnox Administrator for all authorization systems will be able to create the new group based permissions.
+
+## Select administrative permissions settings for a group
+
+1. To display the **User Management** dashboard, select **User** (your initials) in the upper right of the screen, and then select **User Management**.
+1. Select the **Groups** tab, and then press the **Create Permission** button in the upper right of the table.
+1. In the **Set Group Permission** box, begin typing the name of an **Azure Active Directory Security Group** in your tenant.
+
+1. Select the permission setting you want:
+2.
+ - **Admin for all authorization system types** provides **View**, **Control**, and **Approve** permissions for all authorization system types.
+ - **Admin for selected authorization system types** provides **View**, **Control**, and **Approve** permissions for selected authorization system types.
+ - **Custom** allows you to set **View**, **Control**, and **Approve** permissions for the authorization system types that you select.
+1. Select **Next**
+
+1. If you selected **Admin for all authorization system types**
+ - Select Identities for each Authorization System that you would like members of this group to Request on.
+
+1. If you selected **Admin for selected authorization system types**
+ - Select **Viewer**, **Controller**, or **Approver** for the **Authorization system types** you want.
+ - Select **Next** and then select Identities for each Authorization System that you would like members of this group to Request on.
+
+1. If you select **Custom**, select the **Authorization system types** you want.
+ - Select **Viewer**, **Controller**, or **Approver** for the **Authorization Systems** you want.
+ - Select **Next** and then select Identities for each Authorization System that you would like members of this group to Request on.
+
+1. Select **Save**, The following message appears: **New group has been created successfully.**
+1. To see the group you created in the **Groups** table, refresh the page.
+
+## Next steps
+
+- For information about how to manage user information, see [Manage users and groups with the User management dashboard](cloudknox-ui-user-management.md).
+- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](cloudknox-ui-tasks.md).
+- For information about how to view personal and organization information, see [View personal and organization information](cloudknox-product-account-settings.md).
+
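Review bot: the numbered list in "Select administrative permissions settings for a group" has a stray empty item: "1. Select the permission setting you want:" is followed by a bare "2." before the bulleted options, which renders as an empty step and breaks the auto-numbering. The line "[!NOTE] The CloudKnox Administrator for all authorization systems will be able to create the new group based permissions." is not in the `> [!NOTE]` blockquote form the sibling articles use, so it will not render as a callout, and "group based" should be hyphenated. Since the Azure AD security group typed in step 3 is what carries the **View**, **Control**, and **Approve** rights chosen in step 4, it would help readers to say explicitly that changing that group's membership changes who holds those rights. The three "If you selected..." branches mix tense ("If you select **Custom**") and capitalization ("select Identities for each Authorization System that you would like members of this group to Request on"), and "Select **Save**, The following message appears" needs a period rather than a comma.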
active-directory Cloudknox Howto Create Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-role-policy.md
+
+ Title: Create a role/policy in the Remediation dashboard in CloudKnox Permissions Management
+description: How to create a role/policy in the Remediation dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to create roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Create a policy for AWS
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**.
+1. Select **Create policy**.
+1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings.
+ - To change the settings, make a selection from the dropdown.
+1. Under **How would you like to create the policy?**, select the required option:
+
+ - **Activity of user(s)**: Allows you to create a policy based on user activity.
+ - **Activity of group(s)**: Allows you to create a policy based on the aggregated activity of all the users belonging to the group(s).
+ - **Activity of resource(s)**: Allows you to create a policy based on the activity of a resource, for example, an EC2 instance.
+ - **Activity of role**: Allows you to create a policy based on the aggregated activity of all the users that assumed the role.
+ - **Activity of tag(s)**: Allows you to create a policy based on the aggregated activity of all the tags.
+ - **Activity of Lambda function**: Allows you to create a new policy based on the Lambda function.
+ - **From existing policy**: Allows you to create a new policy based on an existing policy.
+ - **New policy**: Allows you to create a new policy from scratch.
+1. In **Tasks performed in the last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**.
+1. Depending on your preference, select or deselect **Include Access Advisor data.**
+1. In **Settings**, from the **Available** column, select the plus sign **(+)** to move the identity into the **Selected** column, and then select **Next**.
+
+1. On the **Tasks** page, from the **Available** column, select the plus sign **(+)** to move the task into the **Selected** column.
+ - To add a whole category, select a category.
+ - To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
+1. In **Resources**, select **All Resources** or **Specific Resources**.
+
+ If you select **Specific Resources**, a list of available resources appears. Find the resources you want to add, and then select **Add**.
+1. In **Request Conditions**, select **JSON** .
+1. In **Effect**, select **Allow** or **Deny**, and then select **Next**.
+1. In **Policy name:**, enter a name for your policy.
+1. To add another statement to your policy, select **Add statement**, and then, from the list of **Statements**, select a statement.
+1. Review your **Task**, **Resources**, **Request Conditions**, and **Effect** settings, and then select **Next**.
++
+1. On the **Preview** page, review the script to confirm it's what you want.
+1. If your controller isn't enabled, select **Download JSON** or **Download Script** to download the code and run it yourself.
+
+ If your controller is enabled, skip this step.
+1. Select **Split policy**, and then select **Submit**.
+
+ A message confirms that your policy has been submitted for creation
+
+1. The [**CloudKnox Tasks**](cloudknox-ui-tasks.md) pane appears on the right.
+ - The **Active** tab displays a list of the policies CloudKnox is currently processing.
+ - The **Completed** tab displays a list of the policies CloudKnox has completed.
+1. Refresh the **Role/Policies** tab to see the policy you created.
+++
+## Create a role for Azure
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**.
+1. Select **Create role**.
+1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings.
+ - To change the settings, select the box and make a selection from the dropdown.
+1. Under **How would you like to create the role?**, select the required option:
+
+ - **Activity of user(s)**: Allows you to create a role based on user activity.
+ - **Activity of group(s)**: Allows you to create a role based on the aggregated activity of all the users belonging to the group(s).
+ - **Activity of app(s)**: Allows you to create a role based on the aggregated activity of all apps.
+ - **From existing role**: Allows you to create a new role based on an existing role.
+ - **New role**: Allows you to create a new role from scratch.
+
+1. In **Tasks performed in the last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**.
+1. Depending on your preference:
+ - Select or deselect **Ignore non-Microsoft read actions**.
+ - Select or deselect **Include read-only tasks**.
+1. In **Settings**, from the **Available** column, select the plus sign **(+)** to move the identity into the **Selected** column, and then select **Next**.
+
+1. On the **Tasks** page, in **Role name:**, enter a name for your role.
+1. From the **Available** column, select the plus sign **(+)** to move the task into the **Selected** column.
+ - To add a whole category, select a category.
+ - To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
+1. Select **Next**.
+
+1. On the **Preview** page, review:
+ - The list of selected **Actions** and **Not actions**.
+ - The **JSON** or **Script** to confirm it's what you want.
+1. If your controller isn't enabled, select **Download JSON** or **Download Script** to download the code and run it yourself.
+
+ If your controller is enabled, skip this step.
+
+1. Select **Submit**.
+
+ A message confirms that your role has been submitted for creation
+
+1. The [**CloudKnox Tasks**](cloudknox-ui-tasks.md) pane appears on the right.
+ - The **Active** tab displays a list of the policies CloudKnox is currently processing.
+ - The **Completed** tab displays a list of the policies CloudKnox has completed.
+1. Refresh the **Role/Policies** tab to see the role you created.
+
+## Create a role for GCP
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**.
+1. Select **Create role**.
+1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings.
+ - To change the settings, select the box and make a selection from the dropdown.
+1. Under **How would you like to create the role?**, select the required option:
+
+ - **Activity of user(s)**: Allows you to create a role based on user activity.
+ - **Activity of group(s)**: Allows you to create a role based on the aggregated activity of all the users belonging to the group(s).
+ - **Activity of service account(s)**: Allows you to create a role based on the aggregated activity of all service accounts.
+ - **From existing role**: Allows you to create a new role based on an existing role.
+ - **New role**: Allows you to create a new role from scratch.
+
+1. In **Tasks performed in the last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**.
+1. If you selected **Activity of service account(s)** in the previous step, select or deselect **Collect activity across all GCP authorization systems.**
+1. From the **Available** column, select the plus sign **(+)** to move the identity into the **Selected** column, and then select **Next**.
++
+1. On the **Tasks** page, in **Role name:**, enter a name for your role.
+1. From the **Available** column, select the plus sign **(+)** to move the task into the **Selected** column.
+ - To add a whole category, select a category.
+ - To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
+1. Select **Next**.
+1. In **Role name:**, enter a name for your role.
+1. To add another statement to your role, select **Add statement**, and then, from the list of **Statements**, select a statement.
+1. Review your **Task**, **Resources**, **Request Conditions**, and **Effect** settings, and then select **Next**.
++
+1. On the **Preview** page, review:
+ - The list of selected **Actions**.
+ - The **YAML** or **Script** to confirm it's what you want.
+1. If your controller isn't enabled, select **Download YAML** or **Download Script** to download the code and run it yourself.
+1. Select **Submit**.
+ A message confirms that your role has been submitted for creation
+
+1. The [**CloudKnox Tasks**](cloudknox-ui-tasks.md) pane appears on the right.
+
+ - The **Active** tab displays a list of the policies CloudKnox is currently processing.
+ - The **Completed** tab displays a list of the policies CloudKnox has completed.
+1. Refresh the **Role/Policies** tab to see the role you created.
++
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to modify a role/policy, see [Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
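Review bot: the "Create a role for GCP" section repeats steps from the AWS policy flow that do not fit a GCP role. The role name is requested twice ("On the **Tasks** page, in **Role name:**, enter a name for your role." and again "In **Role name:**, enter a name for your role." after **Next**), and the two steps that follow, **Add statement** and reviewing **Resources**, **Request Conditions**, and **Effect**, are copied from the AWS section, where statements and conditions exist, while the GCP **Preview** step only lists **Actions** and **YAML**; either remove them or confirm they apply. The GCP download step also lacks the "If your controller is enabled, skip this step." sentence present in the AWS and Azure sections. In the Azure and GCP **CloudKnox Tasks** bullets, "a list of the policies CloudKnox is currently processing" should say roles, per the article's own terminology note. Smaller points: "select **JSON** ." has a stray space; the three "A message confirms that your ... has been submitted for creation" lines lack a period; "donΓÇÖt" is a mis-encoded apostrophe; and the Next steps list links [View information about roles/policies] twice, with the last two items missing periods.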
active-directory Cloudknox Howto Create Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-rule.md
+
+ Title: Create a rule in the Autopilot dashboard in CloudKnox Permissions Management
+description: How to create a rule in the Autopilot dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create a rule in the Autopilot dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to create a rule in the CloudKnox Permissions Management (CloudKnox) **Autopilot** dashboard.
+
+> [!NOTE]
+> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you donΓÇÖt have these permissions, contact your system administrator.
+
+## Create a rule
+
+1. In the CloudKnox home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization system** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select **New rule**.
+1. In the **Rule name** box, enter a name for your rule.
+1. Select **AWS**, **Azure**, **GCP**, and then select **Next**.
+
+1. Select **Authorization systems**, and then select **All** or the account names that you want.
+1. From the **Folders** dropdown, select a folder, and then select **Apply**.
+
+ To change your folder settings, select **Reset**.
+
+ - The **Status** column displays if the authorization system is **Online** or **Offline**.
+ - The **Controller** column displays if the controller is **Enabled** or **Not enabled**.
++
+1. Select **Configure** , and then select the following parameters for your rule:
+
+ - **Role created on is**: Select the duration in days.
+ - **Role last used on is**: Select the duration in days when the role was last used.
+ - **Cross account role**: Select **True** or **False**.
+
+1. Select **Mode**, and then, if you want recommendations to be generated and applied manually, select **On-demand**.
+1. Select **Save**
+
+ The following information displays in the **Autopilot rules** table:
+
+ - **Rule Name**: The name of the rule.
+ - **State**: The status of the rule: idle (not being use) or active (being used).
+ - **Rule Type**: The type of rule being applied.
+ - **Mode**: The status of the mode: on-demand or not.
+ - **Last Generated**: The date and time the rule was last generated.
+ - **Created By**: The email address of the user who created the rule.
+ - **Last Modified On**: The date and time the rule was last modified.
+ - **Subscription**: Provides an **On** or **Off** switch that allows you to receive email notifications when recommendations have been generated, applied, or unapplied.
++++
+## Next steps
+
+- For more information about viewing rules, see [View roles in the Autopilot dashboard](cloudknox-ui-autopilot.md).
+- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](cloudknox-howto-recommendations-rule.md).
+- For information about notification settings for rules, see [View notification settings for a rule](cloudknox-howto-notifications-rule.md).
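Review bot: the **Mode** step names only one option, "if you want recommendations to be generated and applied manually, select **On-demand**", and the table description "**Mode**: The status of the mode: on-demand or not." never says what the other setting is. Because the **Subscription** bullet shows that recommendations can be "applied, or unapplied", a reader needs to know whether the alternative mode applies permission changes without a manual step before choosing it, so the other mode should be named and described. Also: "Select **AWS**, **Azure**, **GCP**, and then select **Next**." needs an "or"; "Select **Configure** ," has a stray space; "Select **Save**" lacks a period; "idle (not being use)" should be "not being used"; "donΓÇÖt" is a mis-encoded apostrophe; and the first Next steps item says "viewing rules" but links "View roles in the Autopilot dashboard".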
active-directory Cloudknox Howto Delete Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-delete-role-policy.md
+
+ Title: Delete a role/policy in the Remediation dashboard in CloudKnox Permissions Management
+description: How to delete a role/policy in the Just Enough Permissions (JEP) Controller.
+++++++ Last updated : 02/23/2022+++
+# Delete a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to delete roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Delete a role/policy
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** subtab.
+1. Select the role/policy you want to delete, and from the **Actions** column, select **Delete**.
+
+ You can only delete a role/policy if it isn't assigned to an identity.
+
+ You can't delete system roles/policies.
+
+1. On the **Preview** page, review the role/policy information to make sure you want to delete it, and then select **Submit**.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
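Review bot: the front-matter description "How to delete a role/policy in the Just Enough Permissions (JEP) Controller." does not match the title and body, which place the procedure in the **Remediation** dashboard and never mention JEP; align it with the title. The permissions note says "To view the **Remediation** dashboard" and then "To make changes on this tab", and step 1 calls it the "**Role/Policies** subtab" while the create and modify articles say tab; pick one term. The two constraints "You can only delete a role/policy if it isn't assigned to an identity." and "You can't delete system roles/policies." are the most important lines in the procedure and would read better as a single note before step 2 than as indented text between steps. In Next steps, "see Modify a role/policy](...)" is missing its opening bracket, [View information about roles/policies] is linked twice, "Cloud providers" is capitalized unlike the sibling articles, and "donΓÇÖt" is a mis-encoded apostrophe.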
active-directory Cloudknox Howto Modify Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-modify-role-policy.md
+
+ Title: Modify a role/policy in the Remediation dashboard in CloudKnox Permissions Management
+description: How to modify a role/policy in the Remediation dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Modify a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) to modify roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Modify a role/policy
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Select the role/policy you want to modify, and from the **Actions** column, select **Modify**.
+
+ You can't modify **System** policies and roles.
+
+1. On the **Statements** page, make your changes to the **Tasks**, **Resources**, **Request conditions**, and **Effect** sections as required, and then select **Next**.
+
+1. Review the changes to the JSON or script on the **Preview** page, and then select **Submit**.
+
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
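Review bot: The Next steps list links to cloudknox-howto-view-role-policy.md twice ("To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)." and the last item "For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)"); drop one. The items pointing at cloudknox-howto-revoke-task-readonly-status.md and cloudknox-howto-view-role-policy.md also lack the closing period every other item has. In the procedure, "You can't modify **System** policies and roles." is a bare paragraph between steps 2 and 3; indent it under step 2 so the numbered list does not break. Step 4 ("Review the changes to the JSON or script on the **Preview** page, and then select **Submit**.") leaves open what Submit does: since this commit also documents a request and approval flow (cloudknox-howto-create-approve-privilege-request.md), state whether Submit writes the modified role/policy to the authorization system immediately or routes it through approval.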
active-directory Cloudknox Howto Notifications Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-notifications-rule.md
+
+ Title: View notification settings for a rule in the Autopilot dashboard in CloudKnox Permissions Management
+description: How to view notification settings for a rule in the Autopilot dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View notification settings for a rule in the Autopilot dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to view notification settings for a rule in the CloudKnox Permissions Management (CloudKnox) **Autopilot** dashboard.
+
+> [!NOTE]
+> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you donΓÇÖt have these permissions, contact your system administrator.
+
+## View notification settings for a rule
+
+1. In the CloudKnox home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization system** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+1. To view notification settings for a rule, select **Notification settings**.
+
+ CloudKnox displays a list of subscribed users. These users are signed up to receive notifications for the selected rule.
+
+1. To close the **Notification settings** box, select **Close**.
++
+## Next steps
+
+- For more information about viewing rules, see [View roles in the Autopilot dashboard](cloudknox-ui-autopilot.md).
+- For information about creating rules, see [Create a rule](cloudknox-howto-create-rule.md).
+- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](cloudknox-howto-recommendations-rule.md).
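Review bot: Step 5 "In the far right of the row, select the ellipses **(...)**" is missing its closing period, and the line consisting only of "+" just before "## Next steps" will render as a literal plus sign; remove it. The first Next steps item says "For more information about viewing rules" but its link text is "View roles in the Autopilot dashboard"; the Autopilot dashboard lists rules, so make the link text match. Minor: "In the CloudKnox home page" should be "On the CloudKnox home page", the wording used by the other articles in this commit.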
active-directory Cloudknox Howto Recommendations Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-recommendations-rule.md
+
+ Title: Generate, view, and apply rule recommendations in the Autopilot dashboard in CloudKnox Permissions Management
+description: How to generate, view, and apply rule recommendations in the Autopilot dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate, view, and apply rule recommendations in the Autopilot dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to generate and view rule recommendations in the CloudKnox Permissions Management (CloudKnox) **Autopilot** dashboard.
+
+> [!NOTE]
+> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you donΓÇÖt have these permissions, contact your system administrator.
+
+## Generate rule recommendations
+
+1. In the CloudKnox home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization system** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**.
+1. To generate recommendations for each user and the authorization system, select **Generate recommendations**.
+
+ Only the user who created the selected rule can generate a recommendation.
+1. View your recommendations in the **Recommendations** subtab.
+1. Select **Close** to close the **Recommendations** subtab.
+
+## View rule recommendations
+
+1. In the CloudKnox home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization system** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+
+1. To view recommendations for each user and the authorization system, select **View recommendations**.
+
+ CloudKnox displays the recommendations for each user and authorization system in the **Recommendations** subtab.
+
+1. Select **Close** to close the **Recommendations** subtab.
+
+## Apply rule recommendations
+
+1. In the CloudKnox home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization system** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+
+1. To view recommendations for each user and the authorization system, select **View recommendations**.
+
+ CloudKnox displays the recommendations for each user and authorization system in the **Recommendations** subtab.
+
+1. To apply a recommendation, select the **Apply recommendations** subtab, and then select a recommendation.
+1. Select **Close** to close the **Recommendations** subtab.
+
+## Unapply rule recommendations
+
+1. In the CloudKnox home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization system** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+
+1. To view recommendations for each user and the authorization system, select **View recommendations**.
+
+ CloudKnox displays the recommendations for each user and authorization system in the **Recommendations** subtab.
+
+1. To remove a recommendation, select the **Unapply recommendations** subtab, and then select a recommendation.
+1. Select **Close** to close the **Recommendations** subtab.
++
+## Next steps
+
+- For more information about viewing rules, see [View roles in the Autopilot dashboard](cloudknox-ui-autopilot.md).
+- For information about creating rules, see [Create a rule](cloudknox-howto-create-rule.md).
+- For information about notification settings for rules, see [View notification settings for a rule](cloudknox-howto-notifications-rule.md).
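Review bot: The constraint "Only the user who created the selected rule can generate a recommendation." needs reconciling with the note at the top that Administrators can view and make changes on the Autopilot tab; say explicitly whether an Administrator who did not create the rule can generate recommendations. The same five navigation steps are repeated verbatim in all four procedures; the three "view/apply/unapply" sections could share one "Open a rule's recommendations" procedure and then state the single differing step. Also missing closing periods after "select the ellipses **(...)**" in three of the four procedures, a stray line containing only "+" before "## Next steps", and the same "viewing rules" / "View roles in the Autopilot dashboard" mismatch as in the notifications article.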
active-directory Cloudknox Howto Revoke Task Readonly Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-revoke-task-readonly-status.md
+
+ Title: Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management
+description: How to revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities
++
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities using the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+## View an identity's permissions
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**.
+1. To search for more parameters, you can make a selection from the **User States**, **Privilege Creep Index**, and **Task usage** dropdowns.
+1. Select **Apply**.
+
+ CloudKnox displays a list of groups, users, and service accounts that match your criteria.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a group name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+
+ The table displays the **Username** **Domain/Account**, **Source**, **Resource** and **Current role**.
++
+## Revoke an identity's access to unused tasks
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To revoke an identity's access to tasks they aren't using, select **Revoke unused tasks**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Revoke an identity's access to high-risk tasks
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To revoke an identity's access to high-risk tasks, select **Revoke high-risk tasks**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Revoke an identity's ability to delete tasks
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To revoke an identity's ability to delete tasks, select **Revoke delete tasks**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Assign read-only status to an identity
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Select an authorization system type** dropdown, select **Azure** or **GCP**.
+1. From the **Select an authorization system** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To assign read-only status to an identity, select **Assign read-only status**.
+1. When the following message displays: **Are you sure you want to change permissions?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to add and remove roles and tasks for Azure and GCP identities, see [Add and remove roles and tasks for Azure and GCP identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
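Review bot: The Next steps item "see Modify a role/policy](cloudknox-howto-modify-role-policy.md)" is missing its opening "[" and will not render as a link, and the item "Add and remove roles and tasks for Azure and GCP identities" points at cloudknox-howto-attach-detach-permissions.md, the same file as the AWS attach/detach item, which looks like the wrong target. Typos: "your must have **Viewer**" in the note, and a missing comma in "The table displays the **Username** **Domain/Account**, **Source**, ...". The confirmation block ("**Generate Script** ... **Execute** to change the permission. **Close** to cancel the action.") is repeated four times verbatim; beyond deduplicating, it would help operators to say what Execute does in practice, for example whether the permission change is applied to the authorization system immediately and whether it can be undone, since Generate Script is presented as the manual alternative. Stray lines containing only "+" after the H1 and after the first procedure will render as literal plus signs.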
active-directory Cloudknox Howto View Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-view-role-policy.md
+
+ Title: View information about roles/ policies in the Remediation dashboard in CloudKnox Permissions Management
+description: How to view and filter information about roles/ policies in the Remediation dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View information about roles/ policies in the Remediation dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) enables system administrators to view, adjust, and remediate excessive permissions based on a user's activity data. You can use the **Roles/Policies** subtab in the dashboard to view information about roles and policies in the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation dashboard** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
++
+## View information about roles/policies
+
+1. On the CloudKnox home page, select the **Remediation** tab, and then select the **Role/Policies** subtab.
+
+ The **Role/Policies list** displays a list of existing roles/policies and the following information about each role/policy
+ - **Role/Policy name**: The name of the roles/policies available to you.
+ - **Role/Policy type**: **Custom**, **System**, or **CloudKnox only**
+ - **Actions**: The type of action you can perform on the role/policy, **Clone**, **Modify**, or **Delete**
++
+1. To display details about the role/policy and view its assigned tasks and identities, select the arrow to the left of the role/policy name.
+
+ The **Tasks** list appears, displaying:
+ - A list of **Tasks**.
+ - **For AWS:**
+ - The **Users**, **Groups**, and **Roles** the task is **Directly assigned to**.
+ - The **Group members** and **Role identities** the task is **Indirectly assessable by**.
+
+ - **For Azure:**
+ - The **Users**, **Groups**, **Enterprise applications** and **Managed identities** the task is **Directly assigned to**.
+ - The **Group members** the task is **Indirectly assessable by**.
+
+ - **For GCP:**
+ - The **Users**, **Groups**, and **Service accounts** the task is **Directly assigned to**.
+ - The **Group members** the task is **Indirectly assessable by**.
+
+1. To close the role/policy details, select the arrow to the left of the role/policy name.
+
+## Export information about roles/policies
+
+- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file.
+
+ When the file is successfully exported, a message appears: **Exported successfully.**
+
+ - Check your email for a message from the CloudKnox Customer Success Team. This email contains a link to:
+ - The **Role Policy Details** report in CSV format.
+ - The **Reports** dashboard where you can configure how and when you can automatically receive reports.
++++
+## Filter information about roles/policies
+
+1. On the CloudKnox home page, select the **Remediation** dashboard, and then select the **Role/Policies** tab.
+1. To filter the roles/policies, select from the following options:
+
+ - **Authorization system type**: Select **AWS**, **Azure**, or **GCP**.
+ - **Authorization system**: Select the accounts you want.
+ - **Role/Policy type**: Select from the following options:
+
+ - **All**: All managed roles/policies.
+ - **Custom**: A customer-managed role/policy.
+ - **System**: A cloud service provider-managed role/policy.
+ - **CloudKnox only**: A role/policy created by CloudKnox.
+
+ - **Role/Policy status**: Select **All**, **Assigned**, or **Unassigned**.
+ - **Role/Policy usage**: Select **All** or **Unused**.
+1. Select **Apply**.
+
+ To discard your changes, select **Reset filter**.
++
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- For information on how to attach and detach permissions AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
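Review bot: "Indirectly assessable by" appears three times in the Tasks list description and reads as a typo for "accessible"; verify against the UI label. The title, description, and H1 write "roles/ policies" with a space while the body uses "roles/policies"; make them consistent. The Next steps list links this article to itself (the last item targets cloudknox-howto-view-role-policy.md, which is this file); remove it. Also: "see Modify a role/policy](cloudknox-howto-modify-role-policy.md)" is missing its opening "[", "attach and detach permissions AWS identities" is missing "for", the lead-in "the following information about each role/policy" is missing its colon, "Cloud providers" is capitalized inconsistently with the other articles, and there are several stray lines containing only "+" or "++++" that will render as literal plus signs.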
active-directory Cloudknox Integration Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-integration-api.md
+
+ Title: Set and view configuration settings in CloudKnox Permissions Management
+description: How to view the CloudKnox Permissions Management API integration settings and create service accounts and roles.
+++++++ Last updated : 02/23/2022+++
+# Set and view configuration settings
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic describes how to view configuration settings, create and delete a service account, and create a role in CloudKnox Permissions Management (CloudKnox).
+
+## View configuration settings
+
+The **Integrations** dashboard displays the authorization systems available to you.
+
+1. To display the **Integrations** dashboard, select **User** (your initials) in the upper right of the screen, and then select **Integrations.**
+
+ The **Integrations** dashboard displays a tile for each available authorization system.
+
+1. Select an authorization system tile to view the following integration information:
+
+ 1. To find out more about the CloudKnox API, select **CloudKnox API**, and then select documentation.
+ <!Add Link: [documentation](https://developer.cloudknox.io/)>
+
+ 1. To view information about service accounts, select **Integration**:
+ - **Email**: Lists the email address of the user who created the integration.
+ - **Created By**: Lists the first and last name of the user who created the integration.
+ - **Created On**: Lists the date and time the integration was created.
+ - **Recent Activity**: Lists the date and time the integration was last used, or notes if the integration was never used.
+ - **Service Account ID**: Lists the service account ID.
+ - **Access Key**: Lists the access key code.
+
+ 1. To view settings information, select **Settings**:
+ - **Roles can create service account**: Lists the type of roles you can create.
+ - **Access Key Rotation Policy**: Lists notifications and actions you can set.
+ - **Access Key Usage Policy**: Lists notifications and actions you can set.
+
+## Create a service account
+
+1. On the **Integrations** dashboard, select **User**, and then select **Integrations.**
+2. Click **Create Service Account**. The following information is pre-populated on the page:
+ - **API Endpoint**
+ - **Service Account ID**
+ - **Access Key**
+ - **Secret Key**
+
+3. To copy the codes, select the **Duplicate** icon next to the respective information.
+
+ > [!NOTE]
+ > The codes are time sensitive and will regenerate after the box is closed.
+
+4. To regenerate the codes, at the bottom of the column, select **Regenerate**.
+
+## Delete a service account
+
+1. On the **Integrations** dashboard, select **User**, and then select **Integrations.**
+
+1. On the right of the email address, select **Delete Service Account**.
+
+ On the **Validate OTP To Delete [Service Name] Integration** box, a message displays asking you to check your email for a code sent to the email address on file.
+
+ If you don't receive the code, select **Resend OTP**.
+
+1. In the **Enter OTP** box, enter the code from the email.
+
+1. Click **Verify**.
+
+## Create a role
+
+1. On the **Integrations** dashboard, select **User**, and then select **Settings**.
+2. Under **Roles can create service account**, select the role you want:
+ - **Super Admin**
+ - **Viewer**
+ - **Controller**
+
+3. In the **Access Key Rotation Policy** column, select options for the following:
+
+ - **How often should the users rotate their access keys?**: Select **30 days**, **60 days**, **90 days**, or **Never**.
+ - **Notification**: Enter a whole number in the blank space within **Notify "X" days before the selected period**, or select **Don't Notify**.
+ - **Action (after the key rotation period ends)**: Select **Disable Action Key** or **No Action**.
+
+4. In the **Access Key Usage Policy** column, select options for the following:
+
+ - **How often should the users go without using their access keys?**: Select **30 days**, **60 days**, **90 days**, or **Never**.
+ - **Notification**: Enter a whole number in the blank space within **Notify "X" days before the selected period**, or select **Don't Notify**.
+ - **Action (after the key rotation period ends)**: Select **Disable Action Key** or **No Action**.
+
+5. Click **Save**.
+
+<!## Next steps>
+
+<!View integrated authorization systems](cloudknox-product-integrations)>
+<![Installation overview](cloudknox-installation.md)>
+<![Sign up and deploy FortSentry registration](cloudknox-fortsentry-registration.md)>
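Review bot: The commented-out lines use "<!Add Link: ...>", "<!## Next steps>", and "<![Installation overview](cloudknox-installation.md)>", which is not HTML comment syntax; Markdown renderers will either print them or drop them unpredictably. Either wrap them as "<!-- ... -->" or finish the links (the first one also lacks its opening "["). In "Create a service account", the page shows **Access Key** and **Secret Key** and the note says "The codes are time sensitive and will regenerate after the box is closed."; state whether the secret key can be retrieved again after the box is closed, and tell readers to copy it into a secret store at creation time rather than leaving it on screen. In the "Integration" view, "**Access Key**: Lists the access key code." should clarify that this is the key identifier, not the secret, if that is the case. "Disable Action Key" in both policy columns looks like a typo for "Disable Access Key", and the Usage Policy column repeats "Action (after the key rotation period ends)" where it should refer to the usage period. "Roles can create service account" lists **Super Admin**, **Viewer**, **Controller**, while every other article in this commit uses **Viewer**, **Controller**, **Administrator**; reconcile the role names. The "Create a role" heading describes choosing which roles may create service accounts and setting key policies, not creating a role; retitle it. Minor: "Click" versus "select" is mixed within the same procedures.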
active-directory Cloudknox Multi Cloud Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-multi-cloud-glossary.md
+
+ Title: CloudKnox Permissions Management - The CloudKnox glossary
+description: CloudKnox Permissions Management glossary
+++++++ Last updated : 02/23/2022+++
+# The CloudKnox glossary
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This glossary provides a list of some of the commonly used cloud terms in CloudKnox Permissions Management (CloudKnox). These terms will help CloudKnox users navigate through cloud-specific terms and cloud-generic terms.
+
+## Commonly-used acronyms and terms
+
+| Term | Definition |
+|--|--|
+| ACL | Access control list. A list of files or resources that contain information about which users or groups have permission to access those resources or modify those files. |
+| ARN | Azure Resource Notification |
+| ASIM | Azure Sentinel Information Model |
+| Cloud security | A form of cybersecurity that protects data stored online on cloud computing platforms from theft, leakage, and deletion. Includes firewalls, penetration testing, obfuscation, tokenization, virtual private networks (VPN), and avoiding public internet connections. |
+| CASB | Cloud Access Security Broker. Products and services that address security gaps in an organizationΓÇÖs use of cloud services. Designed to protect and control access to data thatΓÇÖs stored in someone elseΓÇÖs systems. Deliver differentiated, cloud-specific capabilities that may not be available as features in traditional security products. They provide a central location for policy and governance concurrently across multiple cloud services. They also provide granular visibility into and control over user activities and sensitive data from both inside and outside the enterprise perimeter, including cloud-to-cloud access. |
+| Cloud storage | A service model in which data is maintained, managed, and backed up remotely. Available to users over a network. |
+| CIAM | Cloud Infrastructure Access Management |
+| CIEM | Cloud Infrastructure Entitlement Management. The next generation of solutions for enforcing least privilege in the cloud. It addresses cloud-native security challenges of managing identity access management in cloud environments. |
+| CIS | Cloud infrastructure security |
+| CWP | Cloud Workload Protection. A workload-centric security solution that targets the unique protection requirements of workloads in modern enterprise environments. |
+| CNAPP | Cloud-Native Application Protection. The convergence of cloud security posture management (CSPM), cloud workload protection (CWP), cloud infrastructure entitlement management (CIEM), and cloud applications security broker (CASB). An integrated security approach that covers the entire lifecycle of cloud-native applications. |
+| CSPM | Cloud Security Posture Management. Addresses risks of compliance violations and misconfigurations in enterprise cloud environments. Also focuses on the resource level to identify deviations from best practice security settings for cloud governance and compliance. |
+| CWPP | Cloud Workload Protection Platform |
+| DRI | Data risk index. A comprehensive, integrated representation of data risk. |
+| Data risk management | The process an organization uses when acquiring, storing, transforming, and using its data, from creation to retirement, to eliminate data risk. |
+| Delete task | A high-risk task that allows users to permanently delete a resource. |
+| Entitlement | An abstract attribute that represents different forms of user permissions in a range of infrastructure systems and business applications.|
+| Entitlement management | Technology that grants, resolves, enforces, revokes, and administers fine-grained access entitlements (that is, authorizations, privileges, access rights, permissions and rules). Its purpose is to execute IT access policies to structured/unstructured data, devices, and services. It can be delivered by different technologies, and is often different across platforms, applications, network components, and devices. |
+| High-risk task | A task in which a user can cause data leakage, service disruption, or service degradation. |
+| Hybrid cloud | Sometimes called a cloud hybrid. A computing environment that combines an on-premises data center (a private cloud) with a public cloud. It allows data and applications to be shared between them. |
+| hybrid cloud storage | A private or public cloud used to store an organization's data. |
+| ICM | Incident Case Management |
+| IDS | Intrusion Detection Service |
+| Identity analytics | Includes basic monitoring and remediation, dormant and orphan account detection and removal, and privileged account discovery. |
+| Identity lifecycle management | Maintain digital identities, their relationships with the organization, and their attributes during the entire process from creation to eventual archiving, using one or more identity life cycle patterns. |
+| IGA | Identity governance and administration. Technology solutions that conduct identity management and access governance operations. IGA includes the tools, technologies, reports, and compliance activities required for identity lifecycle management. It includes every operation from account creation and termination to user provisioning, access certification, and enterprise password management. It looks at automated workflow and data from authoritative sources capabilities, self-service user provisioning, IT governance, and password management. |
+| ITSM | Information Technology Security Management. Tools that enable IT operations organizations (infrastructure and operations managers), to better support the production environment. Facilitate the tasks and workflows associated with the management and delivery of quality IT services. |
+| JIT | Just in Time access can be seen as a way to enforce the principle of least privilege to ensure users and non-human identities are given the minimum level of privileges. It also ensures that privileged activities are conducted in accordance with an organizationΓÇÖs Identity Access Management (IAM), IT Service Management (ITSM), and Privileged Access Management (PAM) policies, with its entitlements and workflows. JIT access strategy enables organizations to maintain a full audit trail of privileged activities so they can easily identify who or what gained access to which systems, what they did at what time, and for how long. |
+| Least privilege | Ensures that users only gain access to the specific tools they need to complete a task. |
+| Multi-tenant | A single instance of the software and its supporting infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. |
+| OIDC | OpenID Connect. An authentication protocol that verifies user identity when a user is trying to access a protected HTTPs end point. OIDC is an evolutionary development of ideas implemented earlier in OAuth. |
+| PAM | Privileged access management. Tools that offer one or more of these features: discover, manage, and govern privileged accounts on multiple systems and applications; control access to privileged accounts, including shared and emergency access; randomize, manage, and vault credentials (password, keys, etc.) for administrative, service, and application accounts; single sign-on (SSO) for privileged access to prevent credentials from being revealed; control, filter, and orchestrate privileged commands, actions, and tasks; manage and broker credentials to applications, services, and devices to avoid exposure; and monitor, record, audit, and analyze privileged access, sessions, and actions. |
+| PASM | Privileged accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services, and applications. Privileged session management (PSM) functions establish sessions with possible credential injection and full session recording. Passwords and other credentials for privileged accounts are actively managed and changed at definable intervals or upon the occurrence of specific events. PASM solutions may also provide application-to-application password management (AAPM) and zero-install remote privileged access features for IT staff and third parties that don't require a VPN. |
+| PEDM | Specific privileges are granted on the managed system by host-based agents to logged-in users. PEDM tools provide host-based command control (filtering); application allow, deny, and isolate controls; and/or privilege elevation. The latter is in the form of allowing particular commands to be run with a higher level of privileges. PEDM tools execute on the actual operating system at the kernel or process level. Command control through protocol filtering is explicitly excluded from this definition because the point of control is less reliable. PEDM tools may also provide file integrity monitoring features. |
+| Permission | Rights and privileges. Details given by users or network administrators that define access rights to files on a network. Access controls attached to a resource dictating which identities can access it and how. Privileges are attached to identities and are the ability to perform certain actions. An identity having the ability to perform an action on a resource. |
+| POD | Permission on Demand. A type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis. |
+| Permissions creep index (PCI) | A number from 0 to 100 that represents the incurred risk of users with access to high-risk privileges. PCI is a function of users who have access to high-risk privileges but aren't actively using them. |
+| Policy and role management | Maintain rules that govern automatic assignment and removal of access rights. Provides visibility of access rights for selection in access requests, approval processes, dependencies, and incompatibilities between access rights, and more. Roles are a common vehicle for policy management. |
+| Privilege | The authority to make changes to a network or computer. Both people and accounts can have privileges, and both can have different levels of privilege. |
+| Privileged account | A login credential to a server, firewall, or other administrative account. Often referred to as admin accounts. Comprised of the actual username and password; these two things together make up the account. A privileged account is allowed to do more things than a normal account. |
+| Public Cloud | Computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. |
+| Resource | Any entity that uses compute capabilities can be accessed by users and services to perform actions. |
+| Role | An IAM identity that has specific permissions. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A role doesn't have standard long-term credentials such as a password or access keys associated with. |
+| SCIM | System for CrossΓÇôdomain Identity Management |
+| SCIΓÇôM | Security Compliance Identity and Management |
+| SIEM | Security Information and Event Management. Technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting). |
+| SOAR | Security orchestration, automation and response (SOAR). Technologies that enable organizations to take inputs from various sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These workflows can be orchestrated via integrations with other technologies and automated to achieve the desired outcome and greater visibility. Other capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes. |
+| Super user / Super identity | A powerful account used by IT system administrators that can be used to make configurations to a system or application, add or remove users, or delete data. |
+| Tenant | A dedicated instance of the services and organization data stored within a specific default location. |
+| UUID | Universally unique identifier. A 128-bit label used for information in computer systems. The term globally unique identifier (GUID) is also used.|
+| Zero trust security | The three foundational principles: explicit verification, breach assumption, and least privileged access.|
+| ZTNA | Zero trust network access. A product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. It removes application assets from public visibility and significantly reduces the surface area for attack.|
+
+## Next steps
+
+- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md).
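Review bot: the ITSM row expands the acronym as "Information Technology Security Management", but ITSM is IT Service Management, which is exactly what the JIT row two entries later calls it ("IT Service Management (ITSM)"), and the description that follows (tools that help infrastructure and operations managers deliver quality IT services) describes service management, not security management; change the expansion to "IT Service Management". In the same table, "IDS" should expand to "Intrusion Detection System"; the "CWPP" row duplicates "CWP" with no description and should be merged into it or given one; the OIDC row should say OIDC is an identity layer built on OAuth 2.0 rather than "an evolutionary development of ideas implemented earlier in OAuth", and "HTTPs end point" should read "HTTPS endpoint". Several cells carry mis-decoded UTF-8 punctuation ("organizationΓÇÖs" in the JIT row, "CrossΓÇôdomain" in the SCIM row) and the separate "SCIΓÇôM" row, whose expansion "Security Compliance Identity and Management" is not a recognized one, looks like a stray duplicate of SCIM that should be dropped. The Role row ends mid-phrase ("access keys associated with."), and the Resource row ("Any entity that uses compute capabilities can be accessed by users and services") needs a "that" before "can".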
active-directory Cloudknox Onboard Add Account After Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-add-account-after-onboarding.md
+
+ Title: Add an account/ subscription/ project to Microsoft CloudKnox Permissions Management after onboarding is complete
+description: How to add an account/ subscription/ project to Microsoft CloudKnox Permissions Management after onboarding is complete.
+++++++ Last updated : 02/23/2022+++
+# Add an account/ subscription/ project after onboarding is complete
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to add an Amazon Web Services (AWS) account, Microsoft Azure subscription, or Google Cloud Platform (GCP) project in Microsoft CloudKnox Permissions Management (CloudKnox) after you've completed the onboarding process.
+
+## Add an AWS account after onboarding is complete
+
+1. In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. On the **Data collectors** dashboard, select **AWS**.
+1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
+
+ The **M-CIEM Onboarding - Summary** page displays.
+
+1. Go to **AWS Account IDs**, and then select **Edit** (the pencil icon).
+
+ The **M-CIEM On Boarding - AWS Member Account Details** page displays.
+
+1. Go to **Enter Your AWS Account IDs**, and then select **Add** (the plus **+** sign).
+1. Copy your account ID from AWS and paste it into the **Enter Account ID** box.
+
+ The AWS account ID is automatically added to the script.
+
+ If you want to add more account IDs, repeat steps 5 and 6 to add up to a total of 10 account IDs.
+
+1. Copy the script.
+1. Go to AWS and start the Cloud Shell.
+1. Create a new script for the new account and press the **Enter** key.
+1. Paste the script you copied.
+1. Locate the account line, delete the original account ID (the one that was previously added), and then run the script.
+1. Return to CloudKnox, and the new account ID you added will be added to the list of account IDs displayed in the **M-CIEM Onboarding - Summary** page.
+1. Select **Verify now & save**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
++
+## Add an Azure subscription after onboarding is complete
+
+1. In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. On the **Data collectors** dashboard, select **Azure**.
+1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
+
+ The **M-CIEM Onboarding - Summary** page displays.
+
+1. Go to **Azure subscription IDs**, and then select **Edit** (the pencil icon).
+1. Go to **Enter your Azure Subscription IDs**, and then select **Add subscription** (the plus **+** sign).
+1. Copy and paste your subscription ID from Azure and paste it into the subscription ID box.
+
+ The subscription ID is automatically added to the subscriptions line in the script.
+
+ If you want to add more subscription IDs, repeat steps 4 and 5 to add up to a total of 10 subscriptions.
+
+1. Copy the script.
+1. Go to Azure and start the Cloud Shell.
+1. Create a new script for the new subscription and press enter.
+1. Paste the script you copied.
+1. Locate the subscription line and delete the original subscription ID (the one that was previously added), and then run the script.
+1. Return to CloudKnox, and the new subscription ID you added will be added to the list of subscription IDs displayed in the **M-CIEM Onboarding - Summary** page.
+1. Select **Verify now & save**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
+
+## Add a GCP project after onboarding is complete
+
+1. In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. On the **Data collectors** dashboard, select **GCP**.
+1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
+
+ The **M-CIEM Onboarding - Summary** page displays.
+
+1. Go to **GCP Project IDs**, and then select **Edit** (the pencil icon).
+1. Go to **Enter your GCP Project IDs**, and then select **Add Project ID** (the plus **+** sign).
+1. Copy and paste your project ID from Azure and paste it into the **Project ID** box.
+
+ The project ID is automatically added to the **Project ID** line in the script.
+
+ If you want to add more project IDs, repeat steps 4 and 5 to add up to a total of 10 project IDs.
+
+1. Copy the script.
+1. Go to GCP and start the Cloud Shell.
+1. Create a new script for the new project ID and press enter.
+1. Paste the script you copied.
+1. Locate the project ID line and delete the original project ID (the one that was previously added), and then run the script.
+1. Return to CloudKnox, and the new project ID you added will be added to the list of project IDs displayed in the **M-CIEM Onboarding - Summary** page.
+1. Select **Verify now & save**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
+++
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](cloudknox-onboard-aws.md).
+ - For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](cloudknox-onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md).
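Review bot: in the GCP procedure, the step "Copy and paste your project ID from Azure and paste it into the Project ID box" names the wrong cloud; the project ID comes from the GCP console, so change "from Azure" to "from GCP" (and drop the doubled "Copy and paste ... and paste"; the Azure section has the same doubled verb). The "repeat steps ... to add up to a total of 10" references are inconsistent: the AWS section says "repeat steps 5 and 6", which matches its list (5 = select Add, 6 = paste the ID), but the Azure and GCP sections say "repeat steps 4 and 5", which in their equally long lists are the Edit and Add steps, not Add and paste; make all three say "steps 5 and 6", or name the steps instead of numbering them since the lists use auto-numbered "1." items. The Cloud Shell instruction "Locate the account line, delete the original account ID (the one that was previously added), and then run the script" also needs a sentence on why: the text implies the generated script carries every ID in the configuration, and the previously onboarded account already has its role, so only the new IDs should be left in the script before it runs; as written a reader could delete the wrong ID or run the script a second time against an account that is already configured. Minor: the second bullet under Next steps is indented one space more than the others and will render as a nested item.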
active-directory Cloudknox Onboard Aws https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-aws.md
+
+ Title: Onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management
+description: How to onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Onboard an Amazon Web Services (AWS) account
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!Note]
+> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).
+
+This article describes how to onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management (CloudKnox).
+
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable CloudKnox on your Azure Active Directory tenant](cloudknox-onboard-enable-tenant.md).
+
+## Onboard an AWS account
+
+1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
+
+ - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**.
+
+### 1. Create an Azure AD OIDC App.
+
+1. On the **CloudKnox Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure app name**.
+
+ This app is used to set up an OpenID Connect (OIDC) connection to your AWS account. OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. The scripts generated on this page create the app of this specified name in your Azure AD tenant with the right configuration.
+
+1. To create the app registration, copy the script and run it in your Azure command-line app.
+
+ > [!NOTE]
+ > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.
+ > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account.
+
+1. Return to CloudKnox, and in the **CloudKnox Onboarding - Azure AD OIDC App Creation**, select **Next**.
+
+### 2. Set up an AWS OIDC account.
+
+1. In the **CloudKnox Onboarding - AWS OIDC Account Setup** page, enter the **AWS OIDC account ID** where the OIDC provider is created. You can change the role name to your requirements.
+1. Open another browser window and sign in to the AWS account where you want to create the OIDC provider.
+1. Select **Launch Template**. This link takes you to the **AWS CloudFormation create stack** page.
+1. Scroll to the bottom of the page, and in the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create Stack.**
+
+ This AWS CloudFormation stack creates an OIDC Identity Provider (IdP) representing Azure AD STS and an AWS IAM role with a trust policy that allows external identities from Azure AD to assume it via the OIDC IdP. These entities are listed on the **Resources** page.
+
+1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS OIDC Account Setup** page, select **Next**.
+
+### 3. Set up an AWS master account. (Optional)
+
+1. If your organization has Service Control Policies (SCPs) that govern some or all of the member accounts, set up the master account connection in the **CloudKnox Onboarding - AWS Master Account Details** page.
+
+ Setting up the master account connection allows CloudKnox to auto-detect and onboard any AWS member accounts that have the correct CloudKnox role.
+
+ - In the **CloudKnox Onboarding - AWS Master Account Details** page, enter the **Master Account ID** and **Master Account Role**.
+
+1. Open another browser window and sign in to the AWS console for your master account.
+
+1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Master Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+
+1. Review the information in the template, make changes, if necessary, then scroll to the bottom of the page.
+
+1. In the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**.
+
+ This AWS CloudFormation stack creates a role in the master account with the necessary permissions (policies) to collect SCPs and list all the accounts in your organization.
+
+ A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to CloudKnox, and in **CloudKnox Onboarding - AWS Master Account Details**, select **Next**.
+
+### 4. Set up an AWS Central logging account. (Optional but recommended)
+
+1. If your organization has a central logging account where logs from some or all of your AWS account are stored, in the **CloudKnox Onboarding - AWS Central Logging Account Details** page, set up the logging account connection.
+
+ In the **CloudKnox Onboarding - AWS Central Logging Account Details** page, enter the **Logging Account ID** and **Logging Account Role**.
+
+1. In another browser window, sign in to the AWS console for the AWS account you use for central logging.
+
+1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Central Logging Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+
+1. Review the information in the template, make changes, if necessary, then scroll to the bottom of the page.
+
+1. In the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**, and then select **Create stack**.
+
+ This AWS CloudFormation stack creates a role in the logging account with the necessary permissions (policies) to read S3 buckets used for central logging. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Central Logging Account Details** page, select **Next**.
+
+### 5. Set up an AWS member account.
+
+1. In the **CloudKnox Onboarding - AWS Member Account Details** page, enter the **Member Account Role** and the **Member Account IDs**.
+
+ You can enter up to 10 account IDs. Click the plus icon next to the text box to add more account IDs.
+
+ > [!NOTE]
+ > Perform the next 5 steps for each account ID you add.
+
+1. Open another browser window and sign in to the AWS console for the member account.
+
+1. Return to the **CloudKnox Onboarding - AWS Member Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+
+1. In the **CloudTrailBucketName** page, enter a name.
+
+ You can copy and paste the **CloudTrailBucketName** name from the **Trails** page in AWS.
+
+ > [!NOTE]
+ > A *cloud bucket* collects all the activity in a single account that CloudKnox monitors. Enter the name of a cloud bucket here to provide CloudKnox with the access required to collect activity data.
+
+1. From the **Enable Controller** dropdown, select:
+
+ - **True**, if you want the controller to provide CloudKnox with read and write access so that any remediation you want to do from the CloudKnox platform can be done automatically.
+ - **False**, if you want the controller to provide CloudKnox with read-only access.
+
+1. Scroll to the bottom of the page, and in the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**.
+
+ This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection.
+
+ A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to CloudKnox, and in the **CloudKnox Onboarding - AWS Member Account Details** page, select **Next**.
+
+ This step completes the sequence of required connections from Azure AD STS to the OIDC connection account and the AWS member account.
+
+### 6. Review and save.
+
+1. In **CloudKnox Onboarding ΓÇô Summary**, review the information youΓÇÖve added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully created configuration.**
+
+ On the **Data Collectors** dashboard, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**
+
+ You have now completed onboarding AWS, and CloudKnox has started collecting and processing your data.
+
+### 7. View the data.
+
+1. To view the data, select the **Authorization Systems** tab.
+
+ The **Status** column in the table displays **Collecting Data.**
+
+ The data collection process may take some time, depending on the size of the account and how much data is available for collection.
++
+## Next steps
+
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](cloudknox-onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md).
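Review bot: the Enable Controller step in section 5 ("True, if you want the controller to provide CloudKnox with read and write access ...") gives no warning that the choice is one-way on AWS, while the enable-controller article in this same change states "You can only enable the controller in AWS; you can't disable it at this time"; add that note here, where the decision is actually made, and say plainly that True is a standing write grant into the member account so readers who only want visibility should pick False. In section 2, "an AWS IAM role with a trust policy that allows external identities from Azure AD to assume it via the OIDC IdP" should say what the trust policy is conditioned on: section 1 already tells the reader that the app's Application ID URI is "the audience value used while making an OIDC connection", so state that the role trust is restricted to that audience and to the issuing tenant, and tell the reader to verify those conditions on the stack's Resources tab rather than accept any Azure AD token. Smaller points: the note in section 1 says to open the "Expose an API" page but then reads the value from the "Overview" page; "In the CloudTrailBucketName page" should be "box" (the enable-controller article in this change says box), and the note calling it a "cloud bucket" should name it as the S3 bucket that receives the account's CloudTrail logs; "Perform the next 5 steps for each account ID" counts six steps (sign in through Create stack, plus Next); and since AWS now calls the organization's root account the management account, "master account" should at least be glossed once.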
active-directory Cloudknox Onboard Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-azure.md
+
+ Title: Onboard a Microsoft Azure subscription in CloudKnox Permissions Management
+description: How to a Microsoft Azure subscription on CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Onboard a Microsoft Azure subscription
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!Note]
+> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).
+
+This article describes how to onboard a Microsoft Azure subscription or subscriptions on CloudKnox Permissions Management (CloudKnox). Onboarding a subscription creates a new authorization system to represent the Azure subscription in CloudKnox.
+
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable CloudKnox on your Azure Active Directory tenant](cloudknox-onboard-enable-tenant.md).
+
+## Prerequisites
+
+To add CloudKnox to your Azure AD tenant:
+- You must have an Azure AD user account and an Azure command-line interface (Azure CLI) on your system, or an Azure subscription. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).
+- You must have **Microsoft.Authorization/roleAssignments/write** permission at the subscription or management group scope to perform these tasks. If you don't have this permission, you can ask someone who has this permission to perform these tasks for you.
+
+## Onboard an Azure subscription
+
+1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
+
+ - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**.
+
+### 1. Add Azure subscription details
+
+1. On the **CloudKnox Onboarding - Azure Subscription Details** page, enter the **Subscription IDs** that you want to onboard.
+
+ > [!NOTE]
+ > To locate the Azure subscription IDs, open the **Subscriptions** page in Azure.
+ > You can enter up to 10 subscriptions IDs. Select the plus sign **(+)** icon next to the text box to enter more subscriptions.
+
+1. From the **Scope** dropdown, select **Subscription** or **Management Group**. The script box displays the role assignment script.
+
+ > [!NOTE]
+ > Select **Subscription** if you want to assign permissions separately for each individual subscription. The generated script has to be executed once per subscription.
+ > Select **Management Group** if all of your subscriptions are under one management group. The generated script must be executed once for the management group.
+
+1. To give this role assignment to the service principal, copy the script to a file on your system where Azure CLI is installed and execute it.
+
+ You can execute the script once for each subscription, or once for all the subscriptions in the management group.
+
+1. From the **Enable Controller** dropdown, select:
+
+ - **True**, if you want the controller to provide CloudKnox with read and write access so that any remediation you want to do from the CloudKnox platform can be done automatically.
+ - **False**, if you want the controller to provide CloudKnox with read-only access.
+
+1. Return to **CloudKnox Onboarding - Azure Subscription Details** page and select **Next**.
+
+### 2. Review and save.
+
+- In **CloudKnox Onboarding ΓÇô Summary** page, review the information youΓÇÖve added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
+
+ On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**
+
+ You have now completed onboarding Azure, and CloudKnox has started collecting and processing your data.
+
+### 3. View the data.
+
+- To view the data, select the **Authorization Systems** tab.
+
+ The **Status** column in the table displays **Collecting Data.**
+
+ The data collection process will take some time, depending on the size of the account and how much data is available for collection.
++
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](cloudknox-onboard-aws.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](cloudknox-onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md).
+- For an overview on CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md).
+- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
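Review bot: the first prerequisite, "You must have an Azure AD user account and an Azure command-line interface (Azure CLI) on your system, or an Azure subscription", is wrong as a disjunction; the procedure needs all three (a user account to sign in, the CLI to run the generated role assignment script, and a subscription to onboard), so replace "or" with "and". The description line is also missing its verb ("How to a Microsoft Azure subscription on ..."), and "10 subscriptions IDs" should be "10 subscription IDs". On the Scope step, the note "Select Management Group if all of your subscriptions are under one management group" should warn that a role assigned at management group scope is inherited by every subscription under that group, including any not listed in the Subscription IDs box and any added later, so that scope should be chosen only when that is intended. Since step 3 has the reader execute a script that requires Microsoft.Authorization/roleAssignments/write, add a sentence asking them to read the generated script before running it and confirm the role and scope it assigns, and state which built-in role the False and True Enable Controller choices assign so the least-privilege trade-off between read-only and read-write is visible before the reader commits to it.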
active-directory Cloudknox Onboard Enable Controller After Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-controller-after-onboarding.md
+
+ Title: Enable or disable the controller in Microsoft CloudKnox Permissions Management after onboarding is complete
+description: How to enable or disable the controller in Microsoft CloudKnox Permissions Management after onboarding is complete.
+++++++ Last updated : 02/23/2022+++
+# Enable or disable the controller after onboarding is complete
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to enable or disable the controller in Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete.
+
+This article also describes how to enable the controller in Amazon Web Services (AWS) if you disabled it during onboarding. You can only enable the controller in AWS at this time; you can't disable it.
+
+## Enable the controller in AWS
+
+> [!NOTE]
+> You can only enable the controller in AWS; you can't disable it at this time.
+
+1. Sign in to the AWS console of the member account in a separate browser window.
+1. Go to the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**.
+1. On the **CloudKnox Onboarding - AWS Member Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+1. In the **CloudTrailBucketName** box, enter a name.
+
+ You can copy and paste the **CloudTrailBucketName** name from the **Trails** page in AWS.
+
+ > [!NOTE]
+ > A *cloud bucket* collects all the activity in a single account that CloudKnox monitors. Enter the name of a cloud bucket here to provide CloudKnox with the access required to collect activity data.
+
+1. In the **EnableController** box, from the drop-down list, select **True** to provide CloudKnox with read and write access so that any remediation you want to do from the CloudKnox platform can be done automatically.
+
+1. Scroll to the bottom of the page, and in the **Capabilities** box and select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**.
+
+ This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to CloudKnox, and on the CloudKnox **Onboarding - AWS Member Account Details** page, select **Next**.
+1. On **CloudKnox Onboarding ΓÇô Summary** page, review the information youΓÇÖve added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully created configuration.**
+
+## Enable or disable the controller in Azure
++
+1. In Azure, open the **Access control (IAM)** page.
+1. In the **Check access** section, in the **Find** box, enter **Cloud Infrastructure Entitlement Management**.
+
+ The **Cloud Infrastructure Entitlement Management assignments** page appears, displaying the roles assigned to you.
+
+ - If you have read-only permission, the **Role** column displays **Reader**.
+ - If you have administrative permission, the **Role** column displays **User Access Administrative**.
+
+1. To add the administrative role assignment, return to the **Access control (IAM)** page, and then select **Add role assignment**.
+1. Add or remove the role assignment for Cloud Infrastructure Entitlement Management.
+
+1. Go to the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**.
+1. On the **CloudKnox Onboarding - Azure Subscription Details** page, enter the **Subscription ID**, and then select **Next**.
+1. On **CloudKnox Onboarding ΓÇô Summary** page, review the controller permissions, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
++
+## Enable or disable the controller in GCP
+
+1. Execute the **gcloud auth login**.
+1. Follow the instructions displayed on the screen to authorize access to your Google account.
+1. Execute the **sh mciem-workload-identity-pool.sh** to create the workload identity pool, provider, and service account.
+1. Execute the **sh mciem-member-projects.sh** to give CloudKnox permissions to access each of the member projects.
+
+ - If you want to manage permissions through CloudKnox, select **Y** to **Enable controller**.
+ - If you want to onboard your projects in read-only mode, select **N** to **Disable controller**.
+
+1. Optionally, execute **mciem-enable-gcp-api.sh** to enable all recommended GCP APIs.
+
+1. Go to the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+1. On the **Data Collectors** dashboard, select **GCP**, and then select **Create Configuration**.
+1. On the **CloudKnox Onboarding - Azure AD OIDC App Creation** page, select **Next**.
+1. On the **CloudKnox Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project Number** and **OIDC Project ID**, and then select **Next**.
+1. On the **CloudKnox Onboarding - GCP Project IDs** page, enter the **Project IDs**, and then select **Next**.
+1. On the **CloudKnox Onboarding ΓÇô Summary** page, review the information youΓÇÖve added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
+
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](cloudknox-onboard-aws.md).
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](cloudknox-onboard-gcp.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md).
+
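Review bot: The Azure section names a role that does not exist in this form: "If you have administrative permission, the **Role** column displays **User Access Administrative**." The Azure built-in role is **User Access Administrator**, and since this is the assignment that decides whether the controller gets write access (versus **Reader** for read-only), the name a reader has to find in the **Access control (IAM)** pane should be exact. Two smaller points: in the AWS section, "Scroll to the bottom of the page, and in the **Capabilities** box and select" has a doubled "and" (read "in the **Capabilities** box, select"); and in the GCP section "Execute the **gcloud auth login**", "Execute the **sh mciem-workload-identity-pool.sh**" and "Execute the **sh mciem-member-projects.sh**" are missing the word "command" after the bold text, while the later step "execute **mciem-enable-gcp-api.sh**" omits the leading `sh` the others use; the four steps should be phrased the same way. The `ΓÇô`/`ΓÇÖ` mojibake in both "**CloudKnox Onboarding ΓÇô Summary**" steps should be replaced with a hyphen and an apostrophe.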
active-directory Cloudknox Onboard Enable Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-tenant.md
+
+ Title: Enable CloudKnox Permissions Management in your organization
+description: How to enable CloudKnox Permissions Management in your organization.
+++++++ Last updated : 02/23/2022+++
+# Enable CloudKnox in your organization
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!Note]
+> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).
+
+This article describes how to enable CloudKnox Permissions Management (CloudKnox) in your organization. Once you've enabled CloudKnox, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms.
+
+> [!NOTE]
+> To complete this task, you must have *global administrator* permissions as a user in that tenant. You can't enable CloudKnox as a user from other tenant who has signed in via B2B or via Azure Lighthouse.
+
+## Prerequisites
+
+To enable CloudKnox in your organization, you must:
+
+- Have an Azure AD tenant. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).
+- Be eligible for or have an active assignment to the global administrator role as a user in that tenant.
+
+> [!NOTE]
+> During public preview, CloudKnox doesn't perform a license check.
+
+## Enable CloudKnox on your Azure AD tenant
+
+1. In your browser:
+ 1. Go to [Azure services](https://portal.azure.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).
+ 1. If you aren't already authenticated, sign in as a global administrator user.
+ 1. If needed, activate the global administrator role in your Azure AD tenant.
+ 1. In the Azure AD portal, select **Features highlights**, and then select **CloudKnox Permissions Management**.
+
+ 1. If you're prompted to select a sign in account, sign in as a global administrator for a specified tenant.
+
+ The **Welcome to CloudKnox Permissions Management** screen appears, displaying information on how to enable CloudKnox on your tenant.
+
+1. To provide access to the CloudKnox application, create a service principal.
+
+ An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources.
+
+ > [!NOTE]
+ > To complete this step, you must have Azure CLI or Azure PowerShell on your system, or an Azure subscription where you can run Cloud Shell.
+
+ - To create a service principal that points to the CloudKnox application via Cloud Shell:
+
+ 1. Copy the script on the **Welcome** screen:
+
+ `az ad ap create --id b46c3ac5-9da6-418f-a849-0a7a10b3c6c`
+
+ 1. If you have an Azure subscription, return to the Azure AD portal and select **Cloud Shell** on the navigation bar.
+ If you don't have an Azure subscription, open a command prompt on a Windows Server.
+ 1. If you have an Azure subscription, paste the script into Cloud Shell and press **Enter**.
+
+ - For information on how to create a service principal through the Azure portal, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
+
+ - For information on the **az** command and how to sign in with the no subscriptions flag, see [az login](/cli/azure/reference-index?view=azure-cli-latest#az-login&preserve-view=true).
+
+ - For information on how to create a service principal via Azure PowerShell, see [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps?view=azps-7.1.0&preserve-view=true).
+
+ 1. After the script runs successfully, the service principal attributes for CloudKnox display. Confirm the attributes.
+
+ The **Cloud Infrastructure Entitlement Management** application displays in the Azure AD portal under **Enterprise applications**.
+
+1. Return to the **Welcome to CloudKnox** screen and select **Enable CloudKnox Permissions Management**.
+
+ You have now completed enabling CloudKnox on your tenant. CloudKnox launches with the **Data Collectors** dashboard.
+
+## Configure data collection settings
+
+Use the **Data Collectors** dashboard in CloudKnox to configure data collection settings for your authorization system.
+
+1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
+
+ - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. Select the authorization system you want: **AWS**, **Azure**, or **GCP**.
+
+1. For information on how to onboard an AWS account, Azure subscription, or GCP project into CloudKnox, select one of the following articles and follow the instructions:
+
+ - [Onboard an AWS account](cloudknox-onboard-aws.md)
+ - [Onboard an Azure subscription](cloudknox-onboard-azure.md)
+ - [Onboard a GCP project](cloudknox-onboard-gcp.md)
+
+## Next steps
+
+- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md)
+- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](cloudknox-faqs.md).
+- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
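Review bot: The service principal script a reader is told to copy and run, `az ad ap create --id b46c3ac5-9da6-418f-a849-0a7a10b3c6c`, will fail as written: `ap` is not an `az ad` subcommand, and the article it links for the same task is "Create an Azure service principal with the Azure CLI", so this should be `az ad sp create --id ...`. The application ID itself also looks truncated: its last group `0a7a10b3c6c` has 11 hex characters where a GUID needs 12, so the value should be re-checked against the **Welcome** screen rather than trusted from this page. Because this command creates the principal that grants the CloudKnox application access to the tenant, getting both the command and the ID exactly right matters more than for a cosmetic example. Grammar: "You can't enable CloudKnox as a user from other tenant who has signed in via B2B" should read "from another tenant", and "If you're prompted to select a sign in account" should be "sign-in account".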
active-directory Cloudknox Onboard Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-gcp.md
+
+ Title: Onboard a Google Cloud Platform (GCP) project in CloudKnox Permissions Management
+description: How to onboard a Google Cloud Platform (GCP) project on CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Onboard a Google Cloud Platform (GCP) project
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!Note]
+> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).
+
+This article describes how to onboard a Google Cloud Platform (GCP) project on CloudKnox Permissions Management (CloudKnox).
+
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable CloudKnox on your Azure Active Directory tenant](cloudknox-onboard-enable-tenant.md).
+
+## Onboard a GCP project
+
+1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
+
+ - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. On the **Data Collectors** tab, select **GCP**, and then select **Create Configuration**.
+
+### 1. Create an Azure AD OIDC app.
+
+1. On the **CloudKnox Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure App Name**.
+
+ This app is used to set up an OpenID Connect (OIDC) connection to your GCP project. OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. The scripts generated will create the app of this specified name in your Azure AD tenant with the right configuration.
+
+1. To create the app registration, copy the script and run it in your command-line app.
+
+ > [!NOTE]
+ > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.
+ > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account.
+
+ 1. Return to CloudKnox, and in the **CloudKnox Onboarding - Azure AD OIDC App Creation**, select **Next**.
+
+### 2. Set up a GCP OIDC project.
+
+1. In the **CloudKnox Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project ID** and **OIDC Project Number** of the GCP project in which the OIDC provider and pool will be created. You can change the role name to your requirements.
+
+ > [!NOTE]
+ > You can find the **Project number** and **Project ID** of your GCP project on the GCP **Dashboard** page of your project in the **Project info** panel.
+
+1. You can change the **OIDC Workload Identity Pool Id**, **OIDC Workload Identity Pool Provider Id** and **OIDC Service Account Name** to meet your requirements.
+
+ Optionally, specify **G-Suite IDP Secret Name** and **G-Suite IDP User Email** to enable G-Suite integration.
+
+ You can either download and run the script at this point or you can do it in the Google Cloud Shell, as described in [later in this article](cloudknox-onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed).
+1. Select **Next**.
+
+### 3. Set up GCP member projects.
+
+1. In the **CloudKnox Onboarding - GCP Project Ids** page, enter the **Project IDs**.
+
+ You can enter up to 10 GCP project IDs. Select the plus icon next to the text box to insert more project IDs.
+
+1. You can choose to download and run the script at this point, or you can do it via Google Cloud Shell, as described in the [next step](cloudknox-onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed).
+
+### 4. Run scripts in Cloud Shell. (Optional if not already executed.)
+
+1. In the **CloudKnox Onboarding - GCP Project Ids** page, select **Launch SSH**.
+1. To copy all your scripts into your current directory, in **Open in Cloud Shell**, select **Trust repo**, and then select **Confirm**.
+
+ The Cloud Shell provisions the Cloud Shell machine and makes a connection to your Cloud Shell instance.
+
+ > [!NOTE]
+ > Follow the instructions in the browser as they may be different from the ones given here.
+
+ The **Welcome to CloudKnox GCP onboarding** screen appears, displaying steps you must complete to onboard your GCP project.
+
+### 5. Paste the environment vars from the CloudKnox portal.
+
+1. Return to CloudKnox and select **Copy export variables**.
+1. In the GCP Onboarding shell editor, paste the variables you copied, and then press **Enter**.
+1. Execute the **gcloud auth login**.
+1. Follow instructions displayed on the screen to authorize access to your Google account.
+1. Execute the **sh mciem-workload-identity-pool.sh** to create the workload identity pool, provider, and service account.
+1. Execute the **sh mciem-member-projects.sh** to give CloudKnox permissions to access each of the member projects.
+
+ - If you want to manage permissions through CloudKnox, select **Y** to **Enable controller**.
+
+ - If you want to onboard your projects in read-only mode, select **N** to **Disable controller**.
+
+1. Optionally, execute **mciem-enable-gcp-api.sh** to enable all recommended GCP APIs.
+
+1. Return to **CloudKnox Onboarding - GCP Project Ids**, and then select **Next**.
+
+### 6. Review and save.
+
+1. In the **CloudKnox Onboarding ΓÇô Summary** page, review the information youΓÇÖve added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
+
+ On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**
+
+ You have now completed onboarding GCP, and CloudKnox has started collecting and processing your data.
+
+### 7. View the data.
+
+- To view the data, select the **Authorization Systems** tab.
+
+ The **Status** column in the table displays **Collecting Data.**
+
+ The data collection process may take some time, depending on the size of the account and how much data is available for collection.
+++
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](cloudknox-onboard-aws.md).
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](cloudknox-onboard-azure.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](cloudknox-onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](cloudknox-onboard-add-account-after-onboarding.md).
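Review bot: The note under step 1 of "Create an Azure AD OIDC app" says "The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account", but this is the GCP onboarding article and the app is described just above as setting up "an OpenID Connect (OIDC) connection to your GCP project"; "AWS account" looks copied from the AWS article and should read "GCP project". The audience value is what the workload identity pool provider validates, so pointing the reader at the wrong platform here is a functional error, not just a typo. Structure: the step " 1. Return to CloudKnox, and in the **CloudKnox Onboarding - Azure AD OIDC App Creation**, select **Next**." is indented as a sub-step under the note, while the equivalent step in section 2 ("1. Select **Next**.") is top level; dedent it, and add "page" after the bold title. Wording: "as described in [later in this article]" should drop "in"; "You can change the role name to your requirements." appears before any role name field has been introduced, so say which field it refers to or move it next to the list of IDs in the following step; and the page title alternates between "GCP Project Ids" and "GCP Project IDs" (the latter is used in the controller article).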
active-directory Cloudknox Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-overview.md
+
+ Title: What's CloudKnox Permissions Management?
+description: An introduction to CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# What's CloudKnox Permissions Management?
++
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!Note]
+> Sign up for the CloudKnox Permissions Management public preview by filling [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9AT7gfYe2NPtdIbYxQQX45UNEpIVjY4WUJNSUhMVjcyNzdYOFY2NFhISi4u).
+
+## Overview
+
+CloudKnox Permissions Management (CloudKnox) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
+
+CloudKnox detects, automatically right-sizes, and continuously monitors unused and excessive permissions.
+
+Organizations have to consider permissions management as a central piece of their Zero Trust security to implement least privilege access across their entire infrastructure:
+
+- Organizations are increasingly adopting multi-cloud strategy and are struggling with the lack of visibility and the increasing complexity of managing access permissions.
+- With the proliferation of identities and cloud services, the number of high-risk cloud permissions is exploding, expanding the attack surface for organizations.
+- IT security teams are under increased pressure to ensure access to their expanding cloud estate is secure and compliant.
+- The inconsistency of cloud providersΓÇÖ native access management models makes it even more complex for Security and Identity to manage permissions and enforce least privilege access policies across their entire environment.
++
+## Key use cases
+
+CloudKnox allows customers to address three key use cases: *discover*, *remediate*, and *monitor*.
+
+### Discover
+
+Customers can assess permission risks by evaluating the gap between permissions granted and permissions used.
+
+- Cross-cloud permissions discovery: Granular and normalized metrics for key cloud platforms: AWS, Azure, and GCP.
+- Permission Creep Index (PCI): An aggregated metric that periodically evaluates the level of risk associated with the number of unused or excessive permissions across your identities and resources. It measures how much damage identities can cause based on the permissions they have.
+- Permission usage analytics: Multi-dimensional view of permissions risk for all identities, actions, and resources.
+
+### Remediate
+
+Customers can right-size permissions based on usage, grant new permissions on-demand, and automate just-in-time access for cloud resources.
+
+- Automated deletion of permissions unused for the past 90 days.
+- Permissions on-demand: Grant identities permissions on-demand for a time-limited period or an as-needed basis.
++
+### Monitor
+
+Customers can detect anomalous activities with machine language-powered (ML-powered) alerts and generate detailed forensic reports.
+
+- ML-powered anomaly detections.
+- Context-rich forensic reports around identities, actions, and resources to support rapid investigation and remediation.
+
+CloudKnox deepens Zero Trust security strategies by augmenting the least privilege access principle, allowing customers to:
+
+- Get comprehensive visibility: Discover which identity is doing what, where, and when.
+- Automate least privilege access: Use access analytics to ensure identities have the right permissions, at the right time.
+- Unify access policies across infrastructure as a service (IaaS) platforms: Implement consistent security policies across your cloud infrastructure.
+++
+## Next steps
+
+- For information on how to onboard CloudKnox in your organization, see [Enable CloudKnox in your organization](cloudknox-onboard-enable-tenant.md).
+- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](cloudknox-faqs.md).
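Review bot: The second sentence of the overview is a fragment: "For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)." Fold it into the first sentence, for instance "...visibility into permissions assigned to all identities (for example, over-privileged workload and user identities), actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)." In the Monitor section, "machine language-powered (ML-powered) alerts" should be "machine learning-powered"; the abbreviation ML is expanded incorrectly. The bullet "The inconsistency of cloud providersΓÇÖ native access management models" has the same mis-encoded apostrophe seen in the onboarding articles and should read "providers'".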
active-directory Cloudknox Product Account Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-explorer.md
+
+ Title: The CloudKnox Permissions Management - View roles and identities that can access account information from an external account
+description: How to view information about identities that can access accounts from an external account in CloudKnox Permissions Management.
+++++ Last updated : 02/23/2022+++
+# View roles and identities that can access account information from an external account
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+You can view information about users, groups, and resources that can access account information from an external account in CloudKnox Permissions Management (CloudKnox).
+
+## Display information about users, groups, or tasks
+
+1. In CloudKnox, select the **Usage analytics** tab, and then, from the dropdown, select one of the following:
+
+ - **Users**
+ - **Group**
+ - **Active resources**
+ - **Active tasks**
+ - **Active resources**
+ - **Serverless functions**
+
+1. To choose an account from your authorization system, select the lock icon in the left panel.
+1. In the **Authorization systems** pane, select an account, then select **Apply**.
+1. To choose a user, role, or group, select the person icon.
+1. Select a user or group, then select **Apply**.
+1. To choose an account from your authorization system, select it from the Authorization Systems menu.
+1. In the user type filter, user, role, or group.
+1. In the **Task** filter, select **All** or **High-risk tasks**, then select **Apply**.
+1. To delete a task, select **Delete**, then select **Apply**.
+
+## Export information about users, groups, or tasks
+
+To export the data in comma-separated values (CSV) file format, select **Export** from the top-right hand corner of the table.
+
+## View users and roles
+1. To view users and roles, select the lock icon, and then select the person icon to open the **Users** pane.
+1. To view the **Role summary**, select the "eye" icon to the right of the role name.
+
+ The following details display:
+ - **Policies**: A list of all the policies attached to the role.
+ - **Trusted entities**: The identities from external accounts that can assume this role.
+
+1. To view all the identities from various accounts that can assume this role, select the down arrow to the left of the role name.
+1. To view a graph of all the identities that can access the specified account and through which role(s), select the role name.
+
+ If CloudKnox is monitoring the external account, it lists specific identities from the accounts that can assume this role. Otherwise, it lists the identities declared in the **Trusted entity** section.
+
+ **Connecting roles**: Lists the following roles for each account:
+ - *Direct roles* that are trusted by the account role.
+ - *Intermediary roles* that aren't directly trusted by the account role but are assumable by identities through role-chaining.
+
+1. To view all the roles from that account that are used to access the specified account, select the down arrow to the left of the account name.
+1. To view the trusted identities declared by the role, select the down arrow to the left of the role name.
+
+ The trusted identities for the role are listed only if the account is being monitored by CloudKnox.
+
+1. To view the role definition, select the "eye" icon to the right of the role name.
+
+ When you select the down arrow and expand details, a search box is displayed. Enter your criteria in this box to search for specific roles.
+
+ **Identities with access**: Lists the identities that come from external accounts:
+ - To view all the identities from that account can access the specified account, select the down arrow to the left of the account name.
+ - To view the **Role summary** for EC2 instances and Lambda functions, select the "eye" icon to the right of the identity name.
+ - To view a graph of how the identity can access the specified account and through which role(s), select the identity name.
+
+1. The **Info** tab displays the **Privilege creep index** and **Service control policy (SCP)** information about the account.
+
+For more information about the **Privilege creep index** and SCP information, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
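Review bot: The dropdown list in "Display information about users, groups, or tasks" lists "**Active resources**" twice (third and fifth items); one of them is either a duplicate to delete or a different option whose name was lost. The same procedure also has two steps that give different instructions for the same action: "To choose an account from your authorization system, select the lock icon in the left panel." and later "To choose an account from your authorization system, select it from the Authorization Systems menu."; keep one, or explain when each applies. Step "In the user type filter, user, role, or group." has no verb (read "In the user type filter, select user, role, or group."), and "To view all the identities from that account can access the specified account" is missing "that" before "can access". Finally, this article calls the metric "**Privilege creep index**" while the overview article defines it as "Permission Creep Index (PCI)"; the two should agree so readers can match the dashboard label to its definition.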
active-directory Cloudknox Product Account Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-settings.md
+
+ Title: View personal and organization information in CloudKnox Permissions Management
+description: How to view personal and organization information in the Account settings dashboard in CloudKnox Permissions Management.
+++++ Last updated : 02/23/2022+++
+# View personal and organization information
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Account settings** dashboard in CloudKnox Permissions Management (CloudKnox) allows you to view personal information, passwords, and account preferences.
+This information can't be modified because the user information is pulled from Azure AD. Only **User Session Time(min)**
+
+## View personal information
+
+1. In the CloudKnox home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account settings**.
+
+ The **Personal information** box displays your **First name**, **Last name**, and the **Email address** that was used to register your account on CloudKnox.
+
+## View current organization information
+
+1. In the CloudKnox home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account settings**.
+
+ The **Current organization information** displays the **Name** of your organization, the **Tenant ID** box, and the **User session timeout (min)**.
+
+1. To change duration of the **User session timeout (min)**, select **Edit** (the pencil icon), and then enter the number of minutes before you want a user session to time out.
+1. Select the check mark to confirm your new setting.
++
+## Next steps
+
+- For information about how to manage user information, see [Manage users and groups with the User management dashboard](cloudknox-ui-user-management.md).
+- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](cloudknox-ui-tasks.md).
+- For information about how to select group-based permissions settings, see [Select group-based permissions settings](cloudknox-howto-create-group-based-permissions.md).
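Review bot: The introduction ends mid-sentence: "This information can't be modified because the user information is pulled from Azure AD. Only **User Session Time(min)**". The later steps show what was intended ("To change duration of the **User session timeout (min)**, select **Edit**"), so complete it as "Only **User session timeout (min)** can be changed." and use that same field name, since "User Session Time(min)" does not match the label used in the procedure. "To change duration of the" should also read "To change the duration of the".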
active-directory Cloudknox Product Audit Trail https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-audit-trail.md
+
+ Title: Filter and query user activity in CloudKnox Permissions Management
+description: How to filter and query user activity in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Filter and query user activity
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Audit** dashboard in CloudKnox Permissions Management (CloudKnox) details all user activity performed in your authorization system. It captures all high risk activity in a centralized location, and allows system administrators to query the logs. The **Audit** dashboard enables you to:
+
+- Create and save new queries so you can access key data points easily.
+- Query across multiple authorization systems in one query.
+
+## Filter information by authorization system
+
+If you haven't used filters before, the default filter is the first authorization system in the filter list.
+
+If you have used filters before, the default filter is last filter you selected.
+
+1. To display the **Audit** dashboard, on the CloudKnox home page, select **Audit**.
+
+1. To select your authorization system type, in the **Authorization system type** box, select Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), or Google Cloud Platform (**GCP**).
+
+1. To select your authorization system, in the **Authorization system** box:
+
+ - From the **List** subtab, select the accounts you want to use.
+ - From the **Folders** subtab, select the folders you want to use.
+
+1. To view your query results, select **Apply**.
+
+## Create, view, modify, or delete a query
+
+There are several different query parameters you can configure individually or in combination. The query parameters and corresponding instructions are listed in the following sections.
+
+- To create a new query, select **New query**.
+- To view an existing query, select **View** (the eye icon).
+- To edit an existing query, select **Edit** (the pencil icon).
+- To delete a function line in a query, select **Delete** (the minus sign **-** icon).
+- To create multiple queries at one time, select **Add new tab** to the right of the **Query** tabs that are displayed.
+
+ You can open a maximum number of six query tab pages at the same time. A message will appear when you've reached the maximum.
+
+## Create a query with specific parameters
+
+### Create a query with a date
+
+1. In the **New query** section, the default parameter displayed is **Date In "Last day"**.
+
+ The first-line parameter always defaults to **Date** and can't be deleted.
+
+1. To edit date details, select **Edit** (the pencil icon).
+
+ To view query details, select **View** (the eye icon).
+
+1. Select **Operator**, and then select an option:
+ - **In**: Select this option to set a time range from the past day to the past year.
+ - **Is**: Select this option to choose a specific date from the calendar.
+ - **Custom**: Select this option to set a date range from the **From** and **To** calendars.
+
+1. To run the query on the current selection, select **Search**.
+
+1. To save your query, select **Save**.
+
+ To clear the recent selections, select **Reset**.
+
+### View operator options for identities
+
+The **Operator** menu displays the following options depending on the identity you select in the first dropdown:
+
+- **Is** / **Is Not**: View a list of all available usernames. You can either select or enter a username in the box.
+- **Contains** / **Not Contains**: Enter text that the **Username** should or shouldn't contain, for example, *CloudKnox*.
+- **In** / **Not In**: View a list all available usernames and select multiple usernames.
+
+### Create a query with a username
+
+1. In the **New query** section, select **Add**.
+
+1. From the menu, select **Username**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+ You can change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with the username **Test**.
+
+1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *CloudKnox*.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a resource name
+
+1. In the **New query** section, select **Add**.
+
+1. From the menu, select **Resource name**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+ You can change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource name **Test**.
+
+1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *CloudKnox*.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a resource type
+
+1. In the **New query** section, select **Add**.
+
+1. From the menu, select **Resource type**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource type **s3::bucket**.
+
+1. Select the plus (**+**) sign, select **Or** with **Is**, and then enter or select `ec2::instance`.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
++
+### Create a query with a task name
+
+1. In the **New query** section, select **Add**.
+
+1. From the menu, select **Task name**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with task name **s3:CreateBucket**.
+
+1. Select **Add**, select **Or** with **Is**, and then enter or select `ec2:TerminateInstance`.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a state
+
+1. In the **New query** section, select **Add**.
+
+1. From the menu, select **State**.
+
+1. From the **Operator** menu, select the required option.
+
+ - **Is** / **Is not**: Allows a user to select in the value field and select **Authorization failure**, **Error**, or **Success**.
+
+1. To add criteria to this section, select **Add**.
+
+1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with State **Authorization failure**.
+
+1. Select the **Add** icon, select **Or** with **Is**, and then select **Success**.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a role name
+
+1. In the **New query** section, select **Add**.
+
+2. From the menu, select **Role Name**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**.
+
+6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *CloudKnox*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with a role session name
+
+1. In the **New query** section, select **Add**.
+
+2. From the menu, select **Role session name**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**.
+
+6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *CloudKnox*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with an access key ID
+
+1. In the **New query** section, select **Add**.
+
+2. From the menu, select **Access Key ID**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free `AKIAIFXNDW2Z2MPEH5OQ`.
+
+6. Select the **Add** icon, select **Or** with **Not** **Contains**, and then enter `AKIAVP2T3XG7JUZRM7WU`.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with a tag key
+
+1. In the **New query** section, select **Add**.
+
+2. From the menu, select **Tag Key**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**.
+
+6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *CloudKnox*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with a tag key value
+
+1. In the **New query** section, select **Add**.
+
+2. From the menu, select **Tag Key Value**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**.
+
+6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *CloudKnox*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### View query results
+
+1. In the **Activity** table, your query results display in columns.
+
+ The results display all executed tasks that aren't read-only.
+
+1. To sort each column by ascending or descending value, select the up or down arrows next to the column name.
+
+ - **Identity details**: The name of the identity, for example the name of the role session performing the task.
+
+ - To view the **Raw events summary**, which displays the full details of the event, next to the **Name** column, select **View**.
+
+ - **Resource name**: The name of the resource on which the task is being performed.
+
+ If the column displays **Multiple**, it means multiple resources are listed in the column.
+
+1. To view a list of all resources, hover over **Multiple**.
+
+ - **Resource type**: Displays the type of resource, for example, *Key* (encryption key) or *Bucket* (storage).
+ - **Task name**: The name of the task that was performed by the identity.
+
+ An exclamation mark (**!**) next to the task name indicates that the task failed.
+
+ - **Date**: The date when the task was performed.
+
+ - **IP address**: The IP address from where the user performed the task.
+
+ - **Authorization system**: The authorization system name in which the task was performed.
+
+1. To download the results in comma-separated values (CSV) file format, select **Download**.
+
+## Save a query
+
+1. After you complete your query selections from the **New query** section, select **Save**.
+
+2. In the **Query name** box, enter a name for your query, and then select **Save**.
+
+3. To save a query with a different name, select the ellipses (**...**) next to **Save**, and then select **Save as**.
+
+4. Make your query selections from the **New query** section, select the ellipses (**...**), and then select **Save as**.
+
+5. To save a new query, in the **Save query** box, enter the name for the query, and then select **Save**.
+
+ The following message displays in green at the top of the screen to indicate the query was saved successfully: **Saved query as XXX**.
+
+6. To save an existing query you've modified, select the ellipses (**...**).
+
+ - To save a modified query under the same name, select **Save**.
+ - To save a modified query under a different name, select **Save as**.
+
+### View a saved query
+
+1. Select **Saved Queries**, and then select **Load queries**.
+
+ A message box opens with the following options: **Load with the saved authorization system** or **Load with the currently selected authorization system**.
+
+1. Select the appropriate option, and then select **Load query**.
+
+1. View the query information:
+
+ - **Query**: Displays the name of the saved query.
+ - **Query type**: Displays whether the query is a *System* query or a *Custom* query.
+ - **Schedule**: Displays how often a report will be generated. You can schedule a one-time report or a monthly report.
+ - **Next on**: Displays the date and time the next report will be generated.
+ - **Format**: Displays the output format for the report, for example, CSV.
+
+1. To view or set schedule details, select the gear icon, select **Create schedule**, and then set the details.
+
+ If a schedule has already been created, select the gear icon to open the **Edit schedule** box.
+
+ - **Repeats**: Sets how often the report should repeat.
+ - **Date**: Sets the date when you want to receive the report.
+ - **hh:mm**: Sets the specific time when you want to receive the report.
+ - **Report file format**: Select the output type for the file, for example, CSV.
+ - **Share report with people**: The email address of the user who is creating the schedule is displayed in this field. You can add other email addresses.
+
+1. After selecting your options, select **Schedule**.
++
+### Save a query under a different name
+
+- Select the ellipses (**...**).
+
+ System queries have only one option:
+
+ - **Duplicate**: Creates a duplicate of the query and names the file *Copy of XXX*.
+
+ Custom queries have the following options:
+
+ - **Rename**: Enter the new name of the query and select **Save**.
+ - **Delete**: Delete the saved query.
+
+ The **Delete query** box opens, asking you to confirm that you want to delete the query. Select **Yes** or **No**.
+
+ - **Duplicate**: Creates a duplicate of the query and names it *Copy of XXX*.
+ - **Delete schedule**: Deletes the schedule details for this query.
+
+ This option isn't available if you haven't yet saved a schedule.
+
+ The **Delete schedule** box opens, asking you to confirm that you want to delete the schedule. Select **Yes** or **No**.
++
+## Export the results of a query as a report
+
+- To export the results of the query, select **Export**.
+
+ CloudKnox exports the results in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
++
+## Next steps
+
+- For information on how to view how users access information, see [Use queries to see how users access information](cloudknox-ui-audit-trail.md).
+- For information on how to create a query, see [Create a custom query](cloudknox-howto-create-custom-queries.md).
+- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](cloudknox-howto-audit-trail-results.md).
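Review bot: the access key ID examples in "Create a query with an access key ID", `AKIAIFXNDW2Z2MPEH5OQ` and `AKIAVP2T3XG7JUZRM7WU`, are in the real AWS access key ID format, will be flagged by secret scanners, and may correspond to live keys; replace them with AWS's documented placeholder `AKIAIOSFODNN7EXAMPLE` or an obviously fake value, and fix the dropped word in "can be **Contains** with free `AKIAIFXNDW2Z2MPEH5OQ`" (free text). Several copy-paste slips remain: the resource-name section says "select **Or** with **Contains**, and then enter a username" where a resource name is meant; the task-name example `ec2:TerminateInstance` should be checked against the EC2 action name, which is `ec2:TerminateInstances`; and `s3::bucket` is bold in one step while `ec2::instance` is in code font in the next. The line "The results display all executed tasks that aren't read-only" is a material limitation for anyone using this dashboard in an investigation, since read-style calls (object reads, secret reads, list operations) will not appear; state it in the introduction rather than under "View query results". Steps 3 to 5 of "Save a query" describe **Save as** twice in slightly different words and can be collapsed into one.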
active-directory Cloudknox Product Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-dashboard.md
+
+ Title: View data about the activity in your authorization system in CloudKnox Permissions Management
+description: How to view data about the activity in your authorization system in the CloudKnox Dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++++
+# View data about the activity in your authorization system
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The CloudKnox Permissions Management (CloudKnox) **Dashboard** provides an overview of the authorization system and account activity being monitored. You can use this dashboard to view data collected from your Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) authorization systems.
+
+## View data about your authorization system
+
+1. In the CloudKnox home page, select **Dashboard**.
+1. From the **Authorization systems type** dropdown, select **AWS**, **Azure**, or **GCP**.
+1. Select the **Authorization system** box to display a **List** of accounts and **Folders** available to you.
+1. Select the accounts and folders you want, and then select **Apply**.
+
+ The **Permission creep index (PCI)** chart updates to display information about the accounts and folders you selected. The number of days since the information was last updated displays in the upper right corner.
+
+1. In the Permission creep index (PCI) graph, select a bubble.
+
+ The bubble displays the number of identities that are considered high-risk.
+
+ *High-risk* refers to the number of users who have permissions that exceed their normal or required usage.
+
+1. Select the box to display detailed information about the identities contributing to the **Low PCI**, **Medium PCI**, and **High PCI**.
+
+1. The **Highest PCI change** displays the authorization system name with the PCI number and the change number for the last seven days, if applicable.
+
+ - To view all the changes and PCI ratings in your authorization system, select **View all**.
+
+1. To return to the PCI graph, select the **Graph** icon in the upper right of the list box.
+
+For more information about the CloudKnox **Dashboard**, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
+
+## View user data on the PCI heat map
+
+The **Permission creep index (PCI)** heat map shows the incurred risk of users with access to high-risk privileges. The distribution graph displays all the users who contribute to the privilege creep. It displays how many users contribute to a particular score. For example, if the score from the PCI chart is 14, the graph shows how many users have a score of 14.
+
+- To view detailed data about a user, select the number.
+
+ The PCI trend graph shows you the historical trend of the PCI score over the last 90 days.
+
+- To download the **PCI History** report, select **Download** (the down arrow icon).
++
+## View information about users, roles, resources, and PCI trends
+
+To view specific information about the following, select the number displayed on the heat map.
+
+- **Users**: Displays the total number of users and how many fall into the high, medium, and low categories.
+- **Roles**: Displays the total number of roles and how many fall into the high, medium, and low categories.
+- **Resources**: Displays the total number of resources and how many fall into the high, medium, and low categories.
+- **PCI trend**: Displays a line graph of the PCI trend over the last several weeks.
+
+## View identity findings
+
+The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on.
+
+- To expand the full list of identity findings, select **All findings**.
+
+## View resource findings
+
+The **Resource** section below the heat map on the right side of the page shows all the relevant findings about your resources. It includes unencrypted S3 buckets, open security groups, managed keys, and so on.
+
+## Next steps
+
+- For more information about how to view key statistics and data in the Dashboard, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
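Review bot: the definition "*High-risk* refers to the number of users who have permissions that exceed their normal or required usage" defines a risk category as a count and switches from "identities" in the preceding line to "users"; rewrite it as a property of an identity (an identity whose granted permissions exceed the permissions it actually uses) so the bubble count and the definition line up. The PCI trend window is given twice and inconsistently: "the last 90 days" under the heat map and "the last several weeks" under **PCI trend**; pick one. The dropdown is called **Authorization systems type** here but **Authorization system type** in the other files in this change. Under "View resource findings", "managed keys" reads as a finding but is not obviously a problem the way "unencrypted S3 buckets" and "open security groups" are; state what condition that finding flags or drop it from the list.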
active-directory Cloudknox Product Data Inventory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-inventory.md
+
+ Title: CloudKnox Permissions Management - Display an inventory of created resources and licenses for your authorization system
+description: How to display an inventory of created resources and licenses for your authorization system in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Display an inventory of created resources and licenses for your authorization system
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+You can use the **Inventory** dashboard in CloudKnox Permissions Management (CloudKnox) to display an inventory of created resources and licensing information for your authorization system and its associated accounts.
+
+## View resources created for your authorization system
+
+1. To access your inventory information, in the CloudKnox home page, select **Settings** (the gear icon).
+1. Select the **Inventory** tab, select the **Inventory** subtab, and then select your authorization system type:
+
+ - **AWS** for Amazon Web Services.
+ - **Azure** for Microsoft Azure.
+ - **GCP** for Google Cloud Platform.
+
+ The **Inventory** tab displays information pertinent to your authorization system type.
+
+1. To change the columns displayed in the table, select **Columns**, and then select the information you want to display.
+
+ - To discard your changes, select **Reset to default**.
+
+## View the number of licenses associated with your authorization system
+
+1. To access licensing information about your data sources, in the CloudKnox home page, select **Settings** (the gear icon).
+
+1. Select the **Inventory** tab, select the **Licensing** subtab, and then select your authorization system type.
+
+ The **Licensing** table displays the following information pertinent to your authorization system type:
+
+ - The names of your accounts in the **Authorization system** column.
+ - The number of **Compute** licenses.
+ - The number of **Serverless** licenses.
+ - The number of **Compute containers**.
+ - The number of **Databases**.
+ - The **Total number of licenses**.
++
+## Next steps
+
+- For information about viewing and configuring settings for collecting data from your authorization system and its associated accounts, see [View and configure settings for data collection](cloudknox-product-data-sources.md).
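Review bot: the **Licensing** table description lists "The number of **Compute containers**" and "The number of **Databases**" alongside the Compute and Serverless licenses and then a **Total number of licenses**, but never says whether containers and databases are themselves counted as licenses or how they contribute to the total; state the licensing unit for each row so an administrator can reconcile the total against the account list. Minor: "in the CloudKnox home page" should be "on the CloudKnox home page", here and in the two procedures that repeat it.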
active-directory Cloudknox Product Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-sources.md
+
+ Title: View and configure settings for data collection from your authorization system in CloudKnox Permissions Management
+description: How to view and configure settings for collecting data from your authorization system in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View and configure settings for data collection
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
++
+You can use the **Data Collectors** dashboard in CloudKnox Permissions Management (CloudKnox) to view and configure settings for collecting data from your authorization systems. It also provides information about the status of the data collection.
+
+## Access and view data sources
+
+1. To access your data sources, in the CloudKnox home page, select **Settings** (the gear icon). Then select the **Data Collectors** tab.
+
+1. On the **Data Collectors** dashboard, select your authorization system type:
+
+ - **AWS** for Amazon Web Services.
+ - **Azure** for Microsoft Azure.
+ - **GCP** for Google Cloud Platform.
+
+1. To display specific information about an account:
+
+ 1. Enter the following information:
+
+ - **Uploaded on**: Select **All** accounts, **Online** accounts, or **Offline** accounts.
+ - **Transformed on**: Select **All** accounts, **Online** accounts, or **Offline** accounts.
+ - **Search**: Enter an ID or Internet Protocol (IP) address to find a specific account.
+
+ 1. Select **Apply** to display the results.
+
+ Select **Reset Filter** to discard your settings.
+
+1. The following information displays:
+
+ - **ID**: The unique identification number for the data collector.
+ - **Data types**: Displays the data types that are collected:
+ - **Entitlements**: The permissions of all identities and resources for all the configured authorization systems.
+ - **Recently uploaded on**: Displays whether the entitlement data is being collected.
+
+ The status displays *ONLINE* if the data collection has no errors and *OFFLINE* if there are errors.
+ - **Recently transformed on**: Displays whether the entitlement data is being processed.
+
+ The status displays *ONLINE* if the data processing has no errors and *OFFLINE* if there are errors.
+ - The **Tenant ID**.
+ - The **Tenant name**.
+
+## Modify a data collector
+
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. Select **Edit Configuration**.
+
+ The **M-CIEM Onboarding - Summary** box displays.
+
+1. Select **Edit** (the pencil icon) for each field you want to change.
+1. Select **Verify now & save**.
+
+ To verify your changes later, select **Save & verify later**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
+
+## Delete a data collector
+
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. Select **Delete Configuration**.
+
+ The **M-CIEM Onboarding - Summary** box displays.
+1. Select **Delete**.
+1. Check your email for a one time password (OTP) code, and enter it in **Enter OTP**.
+
+ If you don't receive an OTP, select **Resend OTP**.
+
+ The following message displays: **Successfully deleted configuration.**
+
+## Start collecting data from an authorization system
+
+1. Select the **Authorization Systems** tab, and then select your authorization system type.
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. Select **Collect Data**.
+
+ A message displays to confirm data collection has started.
+
+## Stop collecting data from an authorization system
+
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. To delete your authorization system, select **Delete**.
+
+ The **Validate OTP To Delete Authorization System** box displays.
+
+1. Enter the OTP code
+1. Select **Verify**.
+
+## Next steps
+
+- For information about viewing an inventory of created resources and licensing information for your authorization system, see [Display an inventory of created resources and licenses for your authorization system](cloudknox-product-data-inventory.md)
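Review bot: the heading "Stop collecting data from an authorization system" does not match its steps, which read "To delete your authorization system, select **Delete**" and then confirm with an OTP; deleting the authorization system is more destructive than pausing collection, so either rename the section to "Delete an authorization system" or document a separate stop action if one exists, and say what happens to already-collected data. The same steps omit where the ellipses menu is found (the preceding section first says "Select the **Authorization Systems** tab"), and "Enter the OTP code" is missing its period. Both delete flows require an emailed one-time password but mention it only as a step; one sentence on why it is required (re-confirmation of a destructive action by the account owner) would help readers understand it is not optional. "**M-CIEM Onboarding - Summary**" exposes an internal product name that appears nowhere else in this change; confirm that this is the label actually shown in the UI. In the filter list, "**Search**: Enter an ID or Internet Protocol (IP) address to find a specific account" does not explain which IP address an account is matched on; if the field matches the collector's address, say so.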
active-directory Cloudknox Product Define Permission Levels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-define-permission-levels.md
+
+ Title: Define and manage users, roles, and access levels in CloudKnox Permissions Management
+description: How to define and manage users, roles, and access levels in CloudKnox Permissions Management User management dashboard.
+++++++ Last updated : 02/23/2022+++
+# Define and manage users, roles, and access levels
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+In CloudKnox Permissions Management (CloudKnox), a key component of the interface is the User management dashboard. This topic describes how system administrators can define and manage users, their roles, and their access levels in the system.
+
+## The User management dashboard
+
+The CloudKnox User management dashboard provides a high-level overview of:
+
+- Registered and invited users.
+- Permissions allowed for each user within a given system.
+- Recent user activity.
+
+It also provides the functionality to invite or delete a user, edit, view, and customize permissions settings.
++
+## Manage users for customers without SAML integration
+
+Follow this process to invite users if the customer hasn't enabled SAML integration with the CloudKnox application.
+
+### Invite a user to CloudKnox
+
+Inviting a user to CloudKnox adds the user to the system and allows system administrators to assign permissions to those users. Follow the steps below to invite a user to CloudKnox.
+
+1. To invite a user to CloudKnox, select the down caret icon next to the **User** icon on the right of the screen, and then select **User Management**.
+2. From the **Users** tab, select **Invite User**.
+3. From the **Set User Permission** window, in the **User** text box, enter the user's email address.
+4. Under **Permission**, select the applicable option.
+
+ - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types.
+
+ 1. Select **Next**.
+ 2. Select **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select the **Add** icon and the **Users** icon to request access for all their accounts.
+ 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types.
+
+ 1. Select **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s).
+ 2. Select **Next**.
+ 3. Select **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+ 5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in **Auth System Types**.
+
+ 1. Select **Next**.
+
+ The default view displays the **List** section.
+ 2. Select the appropriate boxes for **Viewer**, **Controller**, or **Approver**.
+
+ For access to all authorization system types, select **All (Current and Future)**.
+ 1. Select **Next**.
+ 1. Select **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+ 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+5. Select **Save**.
+
+ The following message displays in green at the top of the screen: **New User Has Been Invited Successfully**.
+++
+## Manage users for customers with SAML integration
+
+Follow this process to invite users if the customer has enabled SAML integration with the CloudKnox application.
+
+### Create a permission in CloudKnox
+
+Creating a permission directly in CloudKnox allows system administrators to assign permissions to specific users. The following steps help you to create a permission.
+
+- On the right side of the screen, select the down caret icon next to **User**, and then select **User management**.
+
+- For **Users**:
+ 1. To create permissions for a specific user, select the **Users** tab, and then select **Permission.**
+ 2. From the **Set User Permission** window, enter the user's email address in the **User** text box.
+ 3. Under **Permission**, select the applicable button. Then expand menu to view instructions for each option.
+ - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types.
+ 1. Select **Next**.
+ 2. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+
+ 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types.
+ 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s).
+ 2. Select **Next**.
+ 3. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+
+ 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+ 5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+ - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in **Auth System Types**.
+
+ 1. Select **Next**.
+
+ The default view displays the **List** tab, which displays individual authorization systems.
+ - To view groups of authorization systems organized into folder, select the **Folder** tab.
+ 2. Check the appropriate boxes for **Viewer**, **Controller**, or **Approver**.
+
+ For access to all authorization system types, select **All (Current and Future)**.
+ 3. Select **Next**.
+ 4. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user can have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ 4. Select **Save**.
+
+ The following message displays in green at the top of the screen:
+ **New User Has Been Created Successfully**.
+ 5. The new user receives an email invitation to log in to CloudKnox.
+
+### The Pending tab
+
+1. To view the created permission, select the **Pending** tab. The system administrator can view the following details:
+ - **Email Address**: Displays the email address of the invited user.
+ - **Permissions**: Displays each service account and if the user has permissions as a **Viewer**, **Controller**, **Approver**, or **Requestor**.
+ - **Invited By**: Displays the email address of the person who sent the invitation.
+ - **Sent**: Displays the date the invitation was sent to the user.
+2. To make changes to the following, select the ellipses **(...)** in the far right column.
+ - **View Permissions**: Displays a list of accounts for which the user has permissions.
+ - **Edit Permissions**: System administrators can edit a user's permissions.
+ - **Delete**: System administrators can delete a permission
+ - **Reinvite**: System administrator can reinvite the permission if the user didn't receive the email invite
+
+ When a user registers with CloudKnox, they move from the **Pending** tab to the **Registered** tab.
+
+### The Registered tab
+
+- For **Users**:
+
+ 1. The **Registered** tab provides a high-level overview of user details to system administrators:
+ - The **Name/Email Address** column lists the name and email address of the user.
+ - The **Permissions** column lists each authorization system, and each type of permission.
+
+ If a user has all permissions for all authorization systems, **Admin for All Authorization Types** display across all columns. If a user only has some permissions, numbers display in each column they have permissions for. For example, if the number "3" is listed in the **Viewer** column, the user has viewer permission for three accounts within that authorization system.
+ - The **Joined On** column records when the user registered for CloudKnox.
+ - The **Recent Activity** column displays the date when a user last performed an activity.
+ - The **Search** button allows a system administrator to search for a user by name and all users who match the criteria displays.
+ - The **Filters** option allows a system administrator to filter by specific details. When the filter option is selected, the **Authorization System** box displays.
+
+ To display all authorization system accounts,Select **All**. Then select the appropriate boxes for the accounts that need to be viewed.
+ 2. To make the changes to the following changes, select the ellipses **(...)** in the far right column:
+ - **View Permissions**: Displays a list of accounts for which the user has permissions.
+ - **Edit Permissions**: System administrators can edit the accounts for which a user has permissions.
+ - **Remove Permissions**: System administrators can remove permissions from a user.
+
+- For **Groups**:
+ 1. To create permissions for a specific user, select the **Groups** tab, and then select **Permission**.
+ 2. From the **Set Group Permission** window, enter the name of the group in the **Group Name** box.
+
+ The identity provider creates groups.
+
+ Some users may be part of multiple groups. In this case, the user's overall permissions is a union of the permissions assigned the various groups the user is a member of.
+ 3. Under **Permission**, select the applicable button and expand the menu to view instructions for each option.
+
+ - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types.
+ 1. Select **Next**.
+ 2. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types.
+ 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s).
+ 2. Select **Next**.
+ 3. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in Auth System Types.
+ 1. Select **Next**.
+
+ The default view displays the **List** section.
+
+ 2. Check the appropriate boxes for **Viewer**, **Controller**, or **Approver.
+
+ For access to all authorization system types, select **All (Current and Future)**.
+
+ 3. Select **Next**.
+
+ 4. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+
+ 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ 4. Select **Save**.
+
+ The following message displays in green at the top of the screen: **New Group Has Been Created Successfully**.
+
+### The Groups tab
+
+1. The **Groups** tab provides a high-level overview of user details to system administrators:
+
+ - The **Name** column lists the name of the group.
+ - The **Permissions** column lists each authorization system, and each type of permission.
+
+ If a group has all permissions for all authorization systems, **Admin for All Authorization Types** displays across all columns.
+
+ If a group only has some permissions, the corresponding columns display numbers for the groups.
+
+ For example, if the number "3" is listed in the **Viewer** column, then the group has viewer permission for three accounts within that authorization system.
+ - The **Modified By** column records the email address of the person who created the group.
+ - The **Modified On** column records the date the group was last modified on.
+ - The **Search** button allows a system administrator to search for a group by name and all groups who match the criteria displays.
+ - The **Filters** option allows a system administrator to filter by specific details. When the filter option is selected, the **Authorization System** box displays.
+
+ To display all authorization system accounts, select **All**. Then select the appropriate boxes for the accounts that need to be viewed.
+
+2. To make changes to the following, select the ellipses **(...)** in the far right column:
+ - **View Permissions**: Displays a list of the accounts for which the group has permissions.
+ - **Edit Permissions**: System administrators can edit a group's permissions.
+ - **Duplicate**: System administrators can duplicate permissions from one group to another.
+ - **Delete**: System administrators can delete permissions from a group.
++
+## Next steps
+
+- For information about how to view user management information, see [Manage users with the User management dashboard](cloudknox-ui-user-management.md).
+- For information about how to create group-based permissions, see [Create group-based permissions](cloudknox-howto-create-group-based-permissions.md).
+
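Review bot: The step numbering inside the **Custom** option of the invite procedure (the block that starts "- **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in **Auth System Types**.") runs 1, 2, 1, 1, 5, 6; the two lines "1. Select **Next**." and "1. Select **Requestor for User** for each authorization system, if applicable." should be 3 and 4 so the list renders as one sequence, and the later Groups copy of the same option writes "Auth System Types" without bold, so pick one. The group-permission paragraph "the user's overall permissions is a union of the permissions assigned the various groups the user is a member of" should read "are a union of the permissions assigned to the various groups", and since that union is what decides effective access it is worth saying plainly that adding a user to another group can only widen, never narrow, their CloudKnox permissions; that is the fact an administrator reviewing group membership needs. The Groups steps also say "To create permissions for a specific user, select the **Groups** tab" and "The **Groups** tab provides a high-level overview of user details", where "group" is meant. Copy fixes: "accounts,Select **All**" is missing a space and mis-capitalizes, "To make the changes to the following changes" repeats "changes", the Groups **Custom** step "Check the appropriate boxes for **Viewer**, **Controller**, or **Approver." leaves the bold unclosed, "Then expand menu" needs "the", "all users who match the criteria displays" and the matching groups sentence should be "all users that match the criteria are displayed", and the **Delete** and **Reinvite** bullets on the **Pending** tab lack terminal periods ("System administrator can reinvite" should be plural to match the other bullets).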
active-directory Cloudknox Product Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-integrations.md
+
+ Title: View integration information about an authorization system in CloudKnox Permissions Management
+description: View integration information about an authorization system in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View integration information about an authorization system
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Integrations** dashboard in CloudKnox Permissions Management (CloudKnox) allows you to view all your authorization systems in one place, and to ensure all applications are functioning as one. This information helps improve quality and performance as a whole.
+
+## Display integration information about an authorization system
+
+Refer to the **Integration** subpages in CloudKnox for information about available authorization systems for integration.
+
+1. To display the **Integrations** dashboard, select **User** (your initials) in the upper right of the screen, and then select **Integrations.**
+
+ The **Integrations** dashboard displays a tile for each available authorization system.
+
+1. Select an authorization system tile to view its integration information.
+
+## Available integrated authorization systems
+
+The following authorization systems may be listed in the **Integrations** dashboard, depending on which systems are integrated into the CloudKnox application.
+
+- **ServiceNow**: Manages digital workflows for enterprise operations, and the CloudKnox integration allows you to request and approve permissions through the ServiceNow ticketing workflow.
+- **Splunk**: Searches, monitors, and analyzes machine-generated data, and the CloudKnox integration enables exporting usage analytics data, alerts, and logs.
+- **HashiCorp Terraform**: CloudKnox enables the generation of least-privilege policies through the Hashi Terraform provider.
+- **CloudKnox API**: The CloudKnox application programming interface (API) provides access to CloudKnox features.
+- **Saviynt**: Enables you to view Identity entitlements and usage inside the Saviynt console.
+- **Securonix**: Enables exporting usage analytics data, alerts, and logs.
++++
+<!## Next steps>
+
+<![Installation overview](cloudknox-installation.md)>
+<![Configure integration with the CloudKnox API](cloudknox-integration-api.md)>
+<![Sign up and deploy FortSentry in your organization](cloudknox-fortsentry-registration.md)>
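Review bot: The hidden **Next steps** block at the end of this file uses `<!## Next steps>` and `<![Installation overview](cloudknox-installation.md)>`, which is not HTML comment syntax; Markdown will not treat these lines as comments, so they leak into the published page as a malformed `<!` tag plus visible link text. Wrap them in a real `<!-- … -->` comment or remove them, and verify the cloudknox-fortsentry-registration.md target, which nothing else in this change references. The **HashiCorp Terraform** bullet calls it "the Hashi Terraform provider"; use the full product name consistently. The introduction's "to ensure all applications are functioning as one" does not describe anything the dashboard shows; per the steps that follow, it displays one tile per integrated authorization system with that system's integration details, so say that instead. Minor: "select **Integrations.**" puts the period inside the bold.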
active-directory Cloudknox Product Permission Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permission-analytics.md
+
+ Title: Create and view permission analytics triggers in CloudKnox Permissions Management
+description: How to create and view permission analytics triggers in the Permission analytics tab in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view permission analytics triggers
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can create and view permission analytics triggers in CloudKnox Permissions Management (CloudKnox).
+
+## View permission analytics triggers
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Permission analytics**, and then select the **Alerts** subtab.
+
+ The **Alerts** subtab displays the following information:
+
+ - **Alert name**: Lists the name of the alert.
+ - To view the name, ID, role, domain, authorization system, statistical condition, anomaly date, and observance period, select **Alert name**.
+ - To expand the top information found with a graph of when the anomaly occurred, select **Details**.
+ - **Anomaly alert rule**: Displays the name of the rule select when creating the alert.
+ - **# of Occurrences**: Displays how many times the alert trigger has occurred.
+ - **Task**: Displays how many tasks are affected by the alert
+ - **Resources**: Displays how many resources are affected by the alert
+ - **Identity**: Displays how many identities are affected by the alert
+ - **Authorization System**: Displays which authorization systems the alert applies to
+ - **Date/Time**: Displays the date and time of the alert.
+ - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC).
+
+1. To filter the alerts, select the appropriate alert name or, from the **Alert Name** menu,select **All**.
+
+ - From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and then select **Apply**.
+
+ If you select **Custom range**, select date and time settings, and then select **Apply**. - **View Trigger**: Displays the current trigger settings and applicable authorization system details.
+
+1. To view the following details, select the ellipses (**...**):
+
+ - **Details**: Displays **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities** that matched the alert criteria.
+1. To view specific matches, select **Resources**, **Tasks**, or **Identities**.
+
+ The **Activity** section displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**.
+
+## Create a permission analytics trigger
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Permission analytics**, select the **Alerts** subtab, and then select **Create Permission Analytics Trigger**.
+1. In the **Alert name** box, enter a name for the alert.
+1. Select the **Authorization system**.
+1. Select **Identity performed high number of tasks**, and then select **Next**.
+1. On the **Authorization systems** tab, select the appropriate accounts and folders, or select **All**.
+
+ This screen defaults to the **List** view but can also be changed to the **Folder** view, and the applicable folder can be selected instead of individually by system.
+
+ - The **Status** column displays if the authorization system is online or offline
+ - The **Controller** column displays if the controller is enabled or disabled.
+
+1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown.
+1. Select **Save**.
+
+## View permission analytics alert triggers
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Permission analytics**, and then select the **Alert triggers** subtab.
+
+ The **Alert triggers** subtab displays the following information:
+
+ - **Alert**: Lists the name of the alert.
+ - **Anomaly alert rule**: Displays the name of the rule select when creating the alert.
+ - **# of users subscribed**: Displays the number of users subscribed to the alert.
+ - **Created by**: Displays the email address of the user who created the alert.
+ - **Last modified by**: Displays the email address of the user who last modified the alert.
+ - **Last Modified On**: Displays the date and time the trigger was last modified.
+ - **Subscription**: Toggle the button to **On** or **Off**.
+ - **View trigger**: Displays the current trigger settings and applicable authorization system details.
+
+1. To view other options available to you, select the ellipses (**...**), and then make a selection from the available options:
+
+ - **Details** displays **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities** that matched the alert criteria.
+ - To view the specific matches, select **Resources**, **Tasks**, or **Identities**.
+ - The **Activity** section displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**.
+
+1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md).
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md).
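Review bot: In **View permission analytics triggers**, the bullet "- **View Trigger**: Displays the current trigger settings and applicable authorization system details." has been appended to the end of the "If you select **Custom range** …" sentence on the same line, so it renders as running text rather than a list item; the identical bullet already exists among the **Alert triggers** subtab columns later in the file, so delete this stray copy. The phrase "Displays the name of the rule select when creating the alert." appears twice and should read "selected". The step "To view the following details, select the ellipses (**...**):" is followed by a single **Details** bullet and then a fresh numbered step "To view specific matches, select **Resources**, **Tasks**, or **Identities**.", which reads as a separate action although it is a sub-step of the same ellipsis menu; nest it the way the **View permission analytics alert triggers** section does. "from the **Alert Name** menu,select **All**" is missing a space, and the **Task**, **Resources**, **Identity**, **Authorization System** and **Status** bullets lack terminal periods while their neighbours have them.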
active-directory Cloudknox Product Permissions Analytics Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permissions-analytics-reports.md
+
+ Title: Generate and download the Permissions analytics report in CloudKnox Permissions Management
+description: How to generate and download the Permissions analytics report in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate and download the Permissions analytics report
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to generate and download the **Permissions analytics report** in CloudKnox Permissions Management (CloudKnox).
+
+> [!NOTE]
+> This topic applies only to Amazon Web Services (AWS) users.
+
+## Generate the Permissions analytics report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
+
+ The **Systems Reports** subtab displays a list of reports the **Reports** table.
+1. Find **Permissions analytics report** in the list, and to download the report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays: **Successfully started to generate on-demand report.**
+
+1. For detailed information in the report, select the right arrow next to one of the following categories. Or, select the required category under the **Findings** column.
+
+ - **AWS**
+ - Inactive Identities
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Inactive Groups
+ - Super Identities
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Over-Provisioned Active Identities
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - PCI Distribution
+ - Privilege Escalation
+ - Users
+ - Roles
+ - Resources
+ - S3 Bucket Encryption
+ - Unencrypted Buckets
+ - SSE-S3 Buckets
+ - S3 Buckets Accessible Externally
+ - EC2 S3 Buckets Accessibility
+ - Open Security Groups
+ - Identities That Can Administer Security Tools
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Identities That Can Access Secret Information
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Cross-Account Access
+ - External Accounts
+ - Roles That Allow All Identities
+ - Hygiene: MFA Enforcement
+ - Hygiene: IAM Access Key Age
+ - Hygiene: Unused IAM Access Keys
+ - Exclude From Reports
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Groups
+ - Security Groups
+ - S3 Buckets
++
+1. Select a category and view the following columns of information:
+
+ - **User**, **Role**, **Resource**, **Serverless function name**: Displays the name of the identity.
+ - **Authorization system**: Displays the authorization system to which the identity belongs.
+ - **Domain**: Displays the domain name to which the identity belongs.
+ - **Permissions**: Displays the maximum number of permissions that the identity can be granted.
+ - **Used**: Displays how many permissions that the identity has used.
+ - **Granted**: Displays how many permissions that the identity has been granted.
+ - **PCI**: Displays the permission creep index (PCI) score of the identity.
+ - **Date last active on**: Displays the date that the identity was last active.
+ - **Date created on**: Displays the date when the identity was created.
+++
+<!## Add and remove tags in the Permissions analytics report
+
+1. Select **Tags**.
+1. Select one of the categories from the **Permissions analytics report**.
+1. Select the identity name to which you want to add a tag. Then, select the checkbox at the top to select all identities.
+1. Select **Add tag**.
+1. In the **tag** column:
+ - To select from the available options from the list, select **Select a tag**.
+ - To search for a tag, enter the tag name.
+ - To create a new custom tag, select **New custom tag**.
+ - To create a new tag, enter a name for the tag and select **Create**.
+ - To remove a tag, select **Delete**.
+
+1. In the **Value (optional)** box, enter a value, if necessary.
+1. Select **Save**.>
+
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md).
+- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md).
+- For information about how to generate and view a system report, see [Generate and view a system report](cloudknox-report-view-system-report.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).
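Review bot: The final **Next steps** link, "[Create, view, and share a custom report](cloudknox-report-view-system-report.md)", points at the same file as the preceding "Generate and view a system report" link; it should go to the custom-report article, so confirm the target before merging. As in the integrations article, the tagging section is wrapped in `<!## Add and remove tags in the Permissions analytics report` … `1. Select **Save**.>`, which is not a valid HTML comment and will be rendered as visible text; use `<!-- … -->` or drop the section. "displays a list of reports the **Reports** table" is missing "in". In the column list that follows the findings tree, the first bullet "**User**, **Role**, **Resource**, **Serverless function name**: Displays the name of the identity." describes a **Resource** column as an identity name; since several findings categories (for example **S3 Bucket Encryption** and **Open Security Groups**) are about resources, state what that column holds for those categories so readers of the report are not misled about which rows are identities.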
active-directory Cloudknox Product Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-reports.md
+
+ Title: View system reports in the Reports dashboard in CloudKnox Permissions Management
+description: How to view system reports in the Reports dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View system reports in the Reports dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+CloudKnox Permissions Management (CloudKnox) has various types of system report types available that capture specific sets of data. These reports allow management to:
+
+- Make timely decisions.
+- Analyze trends and system/user performance.
+- Identify trends in data and high risk areas so that management can address issues more quickly and improve their efficiency.
+
+## Explore the Reports dashboard
+
+The **Reports** dashboard provides a table of information with both system reports and custom reports. The **Reports** dashboard defaults to the **System reports** tab, which has the following details:
+
+- **Report Name**: The name of the report.
+- **Category**: The type of report. For example, **Permission**.
+- **Authorization System**: Displays which authorizations the custom report applies to.
+- **Format**: Displays the output format the report can be generated in. For example, comma-separated values (CSV) format, portable document format (PDF), or Microsoft Excel Open XML Spreadsheet (XLSX) format.
+
+ - To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays across the top of the screen in green if the download is successful: **Successfully started to generate on demand report**.
+
+## Available system reports
+
+CloudKnox offers the following reports for management associated with the authorization systems noted in parenthesis:
+
+- **Access key entitlements and usage**:
+ - **Summary of report**: Provides information about access key, for example, permissions, usage, and rotation date.
+ - **Applies to**: Amazon Web Services (AWS) and Microsoft Azure
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary** or **Detailed**
+ - **Use cases**:
+ - The access key age, last rotation date, and last usage date is available in the summary report to help with key rotation.
+ - The granted task and Permissions creep index (PCI) score to take action on the keys.
+
+- **User entitlements and usage**:
+ - **Summary of report**: Provides information about the identities' permissions, for example, entitlement, usage, and PCI.
+ - **Applies to**: AWS, Azure, and Google Cloud Platform (GCP)
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary** or **Detailed**
+ - **Use cases**:
+ - The data displayed on the **Usage Analytics** screen is downloaded as part of the **Summary** report. The user's detailed permissions usage is listed in the **Detailed** report.
+
+- **Group entitlements and usage**:
+ - **Summary of report**: Provides information about the group's permissions, for example, entitlement, usage, and PCI.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - All group level entitlements and permission assignments, PCIs, and the number of members are listed as part of this report.
+
+- **Identity permissions**:
+ - **Summary of report**: Report on identities that have specific permissions, for example, identities that have permission to delete any S3 buckets.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Any task usage or specific task usage via User/Group/Role/App can be tracked with this report.
+
+- **Identity privilege activity report**
+ - **Summary of report**: Provides information about permission changes that have occurred in the selected duration.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: PDF
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Any identity permission change can be captured using this report.
+ - The **Identity Privilege Activity** report has the following main sections: **User Summary**, **Group Summary**, **Role Summary**, and **Delete Task Summary**.
+ - The **User** summary lists the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted users, users with PCI change, and High-risk active/inactive users.
+ - The **Group** summary lists the administrator level groups with the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted groups, groups with PCI change, and High-risk active/inactive groups.
+ - The **Role summary** lists similar details as **Group Summary**.
+ - The **Delete Task summary** section lists the number of times the **Delete task** has been executed in the given time period.
+
+- **Permissions analytics report**
+ - **Summary of report**: Provides information about the violation of key security best practices.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Detailed**
+ - **Use cases**:
+ - This report lists the different key findings in the selected auth systems. The key findings include super identities, inactive identities, over provisioned active identities, storage bucket hygiene, and access key age (for AWS only). The report helps administrators to visualize the findings across the organization.
+
+ For more information about this report, see [Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
+
+- **Role/Policy Details**
+ - **Summary of report**: Provides information about roles and policies.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Assigned/Unassigned, custom/system policy, and the used/unused condition is captured in this report for any specific, or all, AWS accounts. Similar data can be captured for Azure/GCP for the assigned/unassigned roles.
+
+- **PCI History**
+ - **Summary of report**: Provides a report of privilege creep index (PCI) history.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - This report plots the trend of the PCI by displaying the monthly PCI history for each authorization system.
+
+- **All Permissions for Identity**
+ - **Summary of report**: Provides results of all permissions for identities.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Detailed**
+ - **Use cases**:
+ - This report lists all the assigned permissions for the selected identities.
++++
+## Next steps
+
+- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).
+- For information about how to create and view a custom report, see [Generate and view a custom report](cloudknox-report-create-custom-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
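Review bot: The link text and target disagree in the Next steps of this file: `- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).` says "system report" in the sentence, "custom report" in the link text, and points at the view-system-report file; the custom-report article added in this same commit is `cloudknox-report-create-custom-report.md`, so either point the link there or reword the entry to match the system-report article. Two smaller points in the same file: the **Authorization System** bullet under the **System reports** tab says "which authorizations the custom report applies to", which should read "which authorization systems the report applies to" since this tab lists system reports; and PCI is expanded as "Permissions creep index" in the access-key use cases but as "privilege creep index" in the **PCI History** entry, so pick one expansion and use it at first mention. The access-key use case "The granted task and Permissions creep index (PCI) score to take action on the keys." is also a fragment with no verb.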
active-directory Cloudknox Product Rule Based Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-rule-based-anomalies.md
+
+ Title: Create and view rule-based anomalies and anomaly triggers in CloudKnox Permissions Management
+description: How to create and view rule-based anomalies and anomaly triggers in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view rule-based anomaly alerts and anomaly triggers
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Rule-based anomalies identify recent activity in CloudKnox Permissions Management (CloudKnox) that is determined to be unusual based on explicit rules defined in the activity trigger. The goal of rule-based anomaly is high precision detection.
+
+## View rule-based anomaly alerts
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Rule-based anomaly**, and then select the **Alerts** subtab.
+
+ The **Alerts** subtab displays the following information:
+
+ - **Alert name**: Lists the name of the alert.
+
+ - To view the specific identity, resource, and task names that occurred during the alert collection period, select the **Alert Name**.
+
+ - **Anomaly alert rule**: Displays the name of the rule select when creating the alert.
+ - **# of occurrences**: How many times the alert trigger has occurred.
+ - **Task**: How many tasks performed are triggered by the alert.
+ - **Resources**: How many resources accessed are triggered by the alert.
+ - **Identity**: How many identities performing unusual behavior are triggered by the alert.
+ - **Authorization system**: Displays which authorization systems the alert applies to, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+ - **Date/Time**: Lists the date and time of the alert.
+ - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC).
+
+
+1. To filter alerts:
+
+ - From the **Alert Name** dropdown, select **All** or the appropriate alert name.
+ - From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and select **Apply**.
+
+ - If you select **Custom Range**, also enter **From** and **To** duration settings.
+1. To view details that match the alert criteria, select the ellipses (**...**).
+
+ - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+ - **Details**: Displays details about **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, **Identities**, and **Activity**
+ - **Activity**: Displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date/Time**, **Inactive For**, and **IP Address**. Selecting the "eye" icon displays the **Raw Events Summary**
+
+## Create a rule-based anomaly trigger
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Rule-based anomaly**, and then select the **Alerts** subtab.
+1. Select **Create Anomaly Trigger**.
+
+1. In the **Alert Name** box, enter a name for the alert.
+1. Select the **Authorization system**, **AWS**, **Azure**, or **GCP**.
+1. Select one of the following conditions:
+ - **Any Resource Accessed for the First Time**: The identity accesses a resource for the first time during the specified time interval.
+ - **Identity Performs a Particular Task for the First Time**: The identity does a specific task for the first time during the specified time interval.
+ - **Identity Performs a Task for the First Time**: The identity performs any task for the first time during the specified time interval
+1. Select **Next**.
+1. On the **Authorization Systems** tab, select the available authorization systems and folders, or select **All**.
+
+ This screen defaults to **List** view, but you can change it to **Folders** view. You can select the applicable folder instead of individually selecting by authorization system.
+
+ - The **Status** column displays if the authorization system is online or offline.
+ - The **Controller** column displays if the controller is enabled or disabled.
+
+1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown.
+1. Select **Save**.
+
+## View a rule-based anomaly trigger
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Rule-based anomaly**, and then select the **Alert triggers** subtab.
+
+ The **Alert triggers** subtab displays the following information:
+
+ - **Alerts**: Displays the name of the alert.
+ - **Anomaly Alert Rule**: Displays the name of the selected rule when creating the alert.
+ - **# of users subscribed**: Displays the number of users subscribed to the alert.
+ - **Created by**: Displays the email address of the user who created the alert.
+ - **Last Modified By**: Displays the email address of the user who last modified the alert.
+ - **Last Modified On**: Displays the date and time the trigger was last modified.
+ - **Subscription**: Subscribes you to receive alert emails. Switches between **On** and **Off**.
+
+1. To view other options available to you, select the ellipses (**...**), and then select from the available options:
+
+ If the **Subscription** is **On**, the following options are available:
+
+ - **Edit**: Enables you to modify alert parameters.
+
+ Only the user who created the alert can edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
+
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+ - **Rename**: Enter the new name of the query, and then select **Save.**
+ - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
+ - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
+ - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Delete**: Delete the alert.
+
+ If the **Subscription** is **Off**, the following options are available:
+ - **View**: View details of the alert trigger.
+ - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+
+1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
+++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md).
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).
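Review bot: The **Rename** option under the Alert triggers subtab says "Enter the new name of the query", but this screen renames an alert trigger, not a query; the sentence looks copied from another page and should say "the alert trigger". The Alerts subtab column descriptions "How many tasks performed are triggered by the alert", "How many resources accessed are triggered by the alert" and "How many identities performing unusual behavior are triggered by the alert" invert cause and effect (the alert does not trigger tasks); they should say how many tasks, resources or identities were involved in the alert. The **Edit** note "Only the user who created the alert can edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved." should state whether the controls are read-only for other users or whether the save fails silently, because a silently discarded edit is exactly the behavior a reader needs spelled out; the statistical-anomaly article in this same commit puts the same sentence in a `> [!NOTE]` callout, so use the same formatting here. Also "rule select when creating the alert" should be "rule selected", and the button is named **Create Anomaly Trigger** here but **Create alert trigger** in the statistical-anomaly article; confirm which label the UI actually shows.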
active-directory Cloudknox Product Statistical Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-statistical-anomalies.md
+
+ Title: Create and view statistical anomalies and anomaly triggers in CloudKnox Permissions Management
+description: How to create and view statistical anomalies and anomaly triggers in the Statistical Anomaly tab in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view statistical anomalies and anomaly triggers
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Statistical anomalies can detect outliers in an identity's behavior if recent activity is determined to be unusual based on models defined in an activity trigger. The goal of this anomaly trigger is a high recall rate.
+
+## View statistical anomalies in an identity's behavior
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Statistical anomaly**, and then select the **Alerts** subtab.
+
+ The **Alerts** subtab displays the following information:
+
+ - **Alert Name**: Lists the name of the alert.
+ - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert.
+ - **# of Occurrences**: Displays how many times the alert trigger has occurred.
+ - **Authorization System**: Displays which authorization systems the alert applies to.
+ - **Date/Time**: Lists the day of the outlier occurring.
+ - **Date/Time (UTC)**: Lists the day of the outlier occurring in Coordinated Universal Time (UTC).
+
+
+1. To filter the alerts based on name, select the appropriate alert name or choose **All** from the **Alert Name** dropdown menu, and select **Apply**.
+1. To filter the alerts based on alert time, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range** from the **Date** dropdown menu, and select **Apply**.
+1. If you select the ellipses (**...**) and select:
+ - **Details**, this brings you to an Alert Summary view with **Authorization System**, **Statistical Model** and **Observance Period** displayed along with a table with a row per identity triggering this alert. From here you can click:
+ - **Details**: Displays graph(s) highlighting the anomaly with context, and up to the top 3 actions performed on the day of the anomaly
+ - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+ - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+
+## Create a statistical anomaly trigger
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Statistical anomaly**, select the **Alerts** subtab, and then select **Create alert trigger**.
+1. Enter a name for the alert in the **Alert Name** box.
+1. Select the **Authorization system**, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. Select one of the following conditions:
+
+ - **Identity Performed High Number of Tasks**: The identity performs higher than their usual volume of tasks. For example, an identity typically performs 25 tasks per day, and now it is performing 100 tasks per day.
+ - **Identity Performed Low Number of Tasks**: The identity performs lower than their usual volume of tasks. For example, an identity typically performs 100 tasks per day, and now it is performing 25 tasks per day.
+ - **Identity Performed Tasks with Unusual Results**: The identity performing an action gets a different result than usual, such as most tasks end in a successful result and are now ending in a failed result or vice versa.
+ - **Identity Performed Tasks with Unusual Timing**: The identity does tasks at unusual times as established by their baseline in the observance period. Times are grouped by the following UTC 4 hour windows.
+ - 12AM-4AM UTC
+ - 4AM-8AM UTC
+ - 8AM-12PM UTC
+ - 12PM-4PM UTC
+ - 4PM-8PM UTC
+ - 8PM-12AM UTC
+ - **Identity Performed Tasks with Unusual Types**: The identity performs unusual types of tasks as established by their baseline in the observance period. For example, an identity performs read, write, or delete tasks they wouldn't ordinarily perform.
+ - **Identity Performed Tasks with Multiple Unusual Patterns**: The identity has several unusual patterns in the tasks performed by the identity as established by their baseline in the observance period.
+1. Select **Next**.
+
+1. On the **Authorization systems** tab, select the appropriate systems, or, to select all systems, select **All**.
+
+ The screen defaults to the **List** view but you can switch to **Folder** view using the menu, and then select the applicable folder instead of individually by system.
+
+ - The **Status** column displays if the authorization system is online or offline.
+
+ - The **Controller** column displays if the controller is enabled or disabled.
++
+1. On the **Configuration** tab, to update the **Time Interval**, from the **Time range** dropdown, select **90 Days**, **60 Days**, or **30 Days**, and then select **Save**.
+
+## View statistical anomaly triggers
+
+1. In the CloudKnox home page, select **Activity triggers** (the bell icon).
+1. Select **Statistical anomaly**, and then select the **Alert triggers** subtab.
+
+ The **Alert triggers** subtab displays the following information:
+
+ - **Alert**: Displays the name of the alert.
+ - **Anomaly alert rule**: Displays the name of the rule select when creating the alert.
+ - **# of users subscribed**: Displays the number of users subscribed to the alert.
+ - **Created by**: Displays the email address of the user who created the alert.
+ - **Last modified by**: Displays the email address of the user who last modified the alert.
+ - **Last modified on**: Displays the date and time the trigger was last modified.
+ - **Subscription**: Subscribes you to receive alert emails. Toggle the button to **On** or **Off**.
+
+1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
+
+1. To view other options available to you, select the ellipses (**...**), and then select from the available options:
+
+ If the **Subscription** is **On**, the following options are available:
+ - **Edit**: Enables you to modify alert parameters
+
+ > [!NOTE]
+ > Only the user who created the alert can perform the following actions: edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+ - **Rename**: Enter the new name of the query, and then select **Save.**
+ - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
+ - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
+ - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Delete**: Delete the alert.
+
+ If the **Subscription** is **Off**, the following options are available:
+ - **View**: View details of the alert trigger.
+ - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+
+
+1. Select **Apply**.
+++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md).
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).
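Review bot: The **View Trigger** bullet is duplicated in the Alerts ellipsis options: `- **View Trigger**: Displays the current trigger settings and applicable authorization system details` appears twice in a row, once nested under **Details** and once at the outer level, and the nested copy should go. The sentence introducing that list, "If you select the ellipses (**...**) and select:", is a conditional with no consequence; rewrite it as "Select the ellipses (**...**), and then select one of the following:". The trailing step `1. Select **Apply**.` at the end of **View statistical anomaly triggers** is orphaned: the filter step two steps earlier already ends with "and then select **Apply**", and the options list it follows (Edit, Duplicate, Rename, Deactivate, ...) has nothing to apply, so drop it. Minor: "rule select when creating the alert" (twice) should be "rule selected"; "UTC 4 hour windows" should be "4-hour UTC windows"; "you can click" should be "you can select" to match the rest of the article; and **Rename** again says "new name of the query" where it means the alert trigger.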
active-directory Cloudknox Report Create Custom Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-create-custom-report.md
+
+ Title: Create, view, and share a custom report a custom report in CloudKnox Permissions Management
+description: How to create, view, and share a custom report in the CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create, view, and share a custom report
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to create, view, and share a custom report in CloudKnox Permissions Management (CloudKnox).
+
+## Create a custom report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom reports** subtab.
+1. Select **New Custom Report**.
+1. In the **Report Name** box, enter a name for your report.
+1. From the **Report Based on** list:
+ 1. To view which authorization systems the report applies to, hover over each report name.
+ 1. To view a description of a report, select the report.
+1. Select a report you want to use as the base for your custom report, and then select **Next**.
+1. In the **MyReport** box, select the **Authorization system** you want: Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), or Google Cloud Platform (**GCP**).
+
+1. To add specific accounts, select the **List** subtab, and then select **All** or the account names.
+1. To add specific folders, select the **Folders** subtab, and then select **All** or the folder names.
+
+1. Select the **Report Format** subtab, and then select the format for your report: comma-separated values (**CSV**) file, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) file.
+1. Select the **Schedule** tab, and then select the frequency for your report, from **None** up to **Monthly**.
+
+ - For **Hourly** and **Daily** options, set the start date by choosing from the **Calendar** dropdown, and can input a specific time of the day they want to receive the report.
+
+ In addition to date and time, the **Weekly** and **Biweekly** provide options for you to select on which day(s)of the week the report should repeat.
+
+1. Select **Save**.
+
+ The following message displays across the top of the screen in green if the download is successful: **Report has been created**.
+The report name appears in the **Reports** table.
+
+## View a custom report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom reports** subtab.
+
+ The **Custom Reports** tab displays the following information in the **Reports** table:
+
+ - **Report Name**: The name of the report.
+ - **Category**: The type of report: **Permission**.
+ - **Authorization System**: The authorization system in which you can view the report: AWS, Azure, and GCP.
+ - **Format**: The format of the report, **CSV**, **PDF**, or **XLSX** format.
+
+1. To view a report, from the **Report Name** column, select the report you want.
+1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+1. To refresh the list of reports, select **Reload**.
+
+## Share a custom report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom reports** subtab.
+1. In the **Reports** table, select a report and then select the ellipses (**...**) icon.
+1. In the **Report settings** box, select **Share with**.
+1. In the **Search Email to add** box, enter the name of other CloudKnox user(s).
+
+ You can only share reports with other CloudKnox users.
+1. Select **Save**.
+
+## Search for a custom report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom reports** subtab.
+1. On the **Custom Reports** tab, select **Search**.
+1. In the **Search** box, enter the name of the report you want.
+
+ The **Custom Reports** tab displays a list of reports that match your search criteria.
+1. Select the report you want.
+1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+1. To refresh the list of reports, select **Reload**.
++
+## Modify a saved or scheduled custom report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Custom reports** subtab.
+1. Hover over the report name on the **Custom Reports** tab.
+
+ - To rename the report, select **Edit** (the pencil icon), and enter a new name.
+ - To change the settings for your report, select **Settings** (the gear icon). Make your changes, and then select **Save**.
+
+ - To download a copy of the report, select the **Down arrow** icon.
+
+1. To perform other actions to the report, select the ellipses (**...**) icon:
+
+ - **Download**: Downloads a copy of the report.
+
+ - **Report Settings**: Displays the settings for the report, including scheduling, sharing the report, and so on.
+
+ - **Duplicate**: Creates a duplicate of the report called **"Copy of XXX"**. Any reports not created by the current user are listed as **Duplicate**.
+
+ When you select **Duplicate**, a box appears asking if you're sure you want to create a duplicate. Select **Confirm**.
+
+ When the report is successfully duplicated, the following message displays: **Report generated successfully**.
+
+ - **API Settings**: Download the report using your Application Programming Interface (API) settings.
+
+ When this option is selected, the **API Settings** window opens and displays the **Report ID** and **Secret Key**. Select **Generate New Key**.
+
+ - **Delete**: Select this option to delete the report.
+
+ After selecting **Delete**, a pop-up box appears asking if the user is sure they want to delete the report. Select **Confirm**.
+
+ **Report is deleted successfully** appears across the top of the screen in green if successfully deleted.
+
+ - **Unsubscribe**: Unsubscribe the user from receiving scheduled reports and notifications.
+
+ This option is only available after a report has been scheduled.
++
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md).
+- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md).
+- For information about how to generate and view a system report, see [Generate and view a system report](cloudknox-report-view-system-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
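Review bot: The **API Settings** step, "the **API Settings** window opens and displays the **Report ID** and **Secret Key**. Select **Generate New Key**.", documents a credential without saying how it behaves: state whether **Generate New Key** replaces and invalidates the current key (so an integration still using the old key stops working), whether the Secret Key can be viewed again later, and that it should be handled as a secret; as written the instruction reads as if generating a new key were a required part of downloading. The front-matter title, "Create, view, and share a custom report a custom report in CloudKnox Permissions Management", repeats "a custom report". The success message after **Save** is introduced with "if the download is successful", but that step saves a report (the message itself is **Report has been created**), so say "if the report is saved successfully". In the **Schedule** step, "set the start date by choosing from the **Calendar** dropdown, and can input a specific time of the day they want to receive the report" switches from "you" to "they" mid-sentence, "the **Weekly** and **Biweekly**" is missing a noun such as "options", and "day(s)of the week" is missing a space. In **Share a custom report**, the box is **Search Email to add** but the step says to enter "the name of other CloudKnox user(s)"; say "email address" if that is what the box takes.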
active-directory Cloudknox Report View System Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-view-system-report.md
+
+ Title: Generate and view a system report in CloudKnox Permissions Management
+description: How to generate and view a system report in the CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate and view a system report
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to generate and view a system report in CloudKnox Permissions Management (CloudKnox).
+
+## Generate a system report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems reports** subtab.
+ The **Systems Reports** subtab displays the following options in the **Reports** table:
+
+ - **Report Name**: The name of the report.
+ - **Category**: The type of report: **Permission**.
+ - **Authorization System**: The authorization system activity in the report: Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP).
+ - **Format**: The format in which the report is available: comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
+
+1. In the **Report Name** column, find the report you want, and then select the down arrow to the right of the report name to download the report.
+
+ Or, from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays: **Successfully started to generate on demand report.**
+
+ > [!NOTE]
+ > If you select one authorization system, the report includes a summary. If you select more than one authorization system, the report does not include a summary.
+
+1. To refresh the list of reports, select **Reload**.
+
+## Search for a system report
+
+1. On the **Systems Reports** subtab, select **Search**.
+1. In the **Search** box, enter the name of the report you want.
+
+ The **Systems Reports** subtab displays a list of reports that match your search criteria.
+1. Select a report from the **Report Name** column.
+1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+1. To refresh the list of reports, select **Reload**.
++
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](cloudknox-product-reports.md).
+- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
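Review bot: The third Next steps entry, `- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).`, links this article to itself under a custom-report title; the custom-report article added in this same commit is `cloudknox-report-create-custom-report.md`, so the target (and the "system report" wording in the sentence) should be corrected. The subtab is named **Systems reports** / **Systems Reports** throughout this file but **System reports** in the reports-dashboard article, so align on one name. In step 1 of **Generate a system report**, the line "The **Systems Reports** subtab displays the following options in the **Reports** table:" directly follows the list item with no blank line, so Markdown will fold it into the step's own sentence; add the blank line the other articles use.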
active-directory Cloudknox Training Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-training-videos.md
+
+ Title: Microsoft CloudKnox Permissions Management training videos
+description: Microsoft CloudKnox Permissions Management training videos.
+++++++ Last updated : 12/27/2021+++
+# Microsoft CloudKnox Permissions Management training videos
+
+To view step-by-step training videos on how to use CloudKnox features, select a link below.
+
+## Privilege on demand (POD) work flows
+
+- View a step-by-step video on the [privilege on demand (POD) work flow from the Just Enough Permissions (JEP) Controller](https://vimeo.com/461508166/3d88107f41).
+
+## Usage analytics
+
+- View a step-by-step video on [usage analytics](https://vimeo.com/461509556/b7bb392b83).
+
+## Just Enough Permissions (JEP) roles and policies
+
+- View a step-by-step video on [how to use and interpret data on the Role/Policy tab under the JEP Controller](https://vimeo.com/461510754/3dd31d85b7).
+
+## Attach or detach permissions for users, roles, and resources
+
+- View a step-by-step video on [how to attach and detach permissions for users, roles, and resources](https://vimeo.com/461512552/6f6a06e6c1).
+
+## Audit trails
+
+- View a step-by-step video on [how to use the audit trail](https://vimeo.com/461513290/b431a38b6c).
+
+## Alert triggers
+
+- View a step-by-step video on [how to create an alert trigger](https://vimeo.com/461881849/019c843cc6).
+
+## Group permissions
+
+- View a step-by-step video on [how to create group-based permissions](https://vimeo.com/462797947/d041de9157).
++
+<!## Next steps>
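Review bot: The final line `<!## Next steps>` is not valid HTML comment syntax (a comment needs `<!-- ... -->`), so depending on the renderer it will either show up as literal text in the published page or be dropped silently; either write out the Next steps section like the sibling articles do, or remove the line. Separately, every section in this page is a single bullet that starts with "View a step-by-step video on", so the seven H2 headings add little over a plain list of links; consider collapsing them into one list with the heading text as the link text.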
active-directory Cloudknox Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-troubleshoot.md
+
+ Title: Troubleshoot issues with CloudKnox Permissions Management
+description: Troubleshoot issues with CloudKnox Permissions Management
+++++++ Last updated : 02/23/2022+++
+# Troubleshoot issues with CloudKnox Permissions Management
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This section answers troubleshoot issues with CloudKnox Permissions Management (CloudKnox).
+
+## One time passcode (OTP) email
+
+### The user didn't receive the OTP email.
+
+- Check your junk or Spam mail folder for the email.
+
+## Reports
+
+### The individual files are generated according to the authorization system (subscription/account/project).
+
+- Select the **Collate** option in the **Custom report** screen in the CloudKnox **Reports** tab.
+
+## Data collection in AWS
+
+### Data collection > AWS Authorization system data collection status is offline. Upload and transform is also offline.
+
+- Check the CloudKnox-related role that exists in these accounts.
+- Validate the trust relationship with the OpenID Connect (OIDC) role.
+
+<!Next steps>
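Review bot: The AWS data collection remedy ("Check the CloudKnox-related role that exists in these accounts" and "Validate the trust relationship with the OpenID Connect (OIDC) role") does not tell the reader which role to look for or what a correct trust relationship looks like, which is the one place in this page where a wrong "fix" has security consequences: someone whose collector is offline may be tempted to widen the role's trust policy until collection resumes. Link to the onboarding article that defines the CloudKnox role and its expected trust relationship, and state that the trust policy should be restored to that definition rather than broadened. Also: "This section answers troubleshoot issues" should read "This section helps you troubleshoot issues", and the closing `<!Next steps>` is a malformed HTML comment (needs `<!-- -->`) that may render as literal text.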
active-directory Cloudknox Ui Audit Trail https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-audit-trail.md
+
+ Title: Use queries to see how users access information in an authorization system in CloudKnox Permissions Management
+description: How to use queries to see how users access information in an authorization system in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Use queries to see how users access information
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Audit** dashboard in CloudKnox Permissions Management (CloudKnox) provides an overview of queries a CloudKnox user has created to review how users access their authorization systems and accounts.
+
+This article provides an overview of the components of the **Audit** dashboard.
+
+## View information in the Audit dashboard
++
+1. In CloudKnox, select the **Audit** tab.
+
+ CloudKnox displays the query options available to you.
+
+1. The following options display at the top of the **Audit** dashboard:
+
+ - A tab for each existing query. Select the tab to see details about the query.
+ - **New query**: Select the tab to create a new query.
+ - **New tab (+)**: Select the tab to add a **New query** tab.
+ - **Saved queries**: Select to view a list of saved queries.
+
+1. To return to the main page, select **Back to Audit**.
++
+## Use a query to view information
+
+1. In CloudKnox, select the **Audit** tab.
+1. The **New query** tab displays the following options:
+
+ - **Authorization systems type**: A list of your authorization systems: Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), or Google Cloud Platform (**GCP**).
+
+ - **Authorization system**: A **List** of accounts and **Folders** in the authorization system.
+
+ - To display a **List** of accounts and **Folders** in the authorization system, select the down arrow, and then select **Apply**.
+
+1. To add an **Audit condition**, select **Conditions** (the eye icon), select the conditions you want to add, and then select **Close**.
+
+1. To edit existing parameters, select **Edit** (the pencil icon).
+
+1. To add the parameter that you created to the query, select **Add**.
+
+1. To search for activity data that you can add to the query, select **Search** .
+
+1. To save your query, select **Save**.
+
+1. To save your query under a different name, select **Save As** (the ellipses **(...)** icon).
+
+1. To discard your work and start creating a query again, select **Reset query**.
+
+1. To delete a query, select the **X** to the right of the query tab.
+++
+## Next steps
+
+- For information on how to filter and view user activity, see [Filter and query user activity](cloudknox-product-audit-trail.md).
+- For information on how to create a query,see [Create a custom query](cloudknox-howto-create-custom-queries.md).
+- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](cloudknox-howto-audit-trail-results.md).
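Review bot: In the Next steps list, "how to create a query,see" is missing the space after the comma, and in the "Use a query to view information" steps "select **Search** ." has a stray space before the period. More substantively, the bullet "**Authorization systems type**" in step 2 of that procedure is singular everywhere else in this change ("Authorization system type"); pick one form so readers can match the UI label. The "Authorization system" bullet describes a "List of accounts and Folders" and then the indented sub-bullet repeats the same words to explain how to display it; the sub-bullet could simply read "Select the down arrow, and then select Apply."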
active-directory Cloudknox Ui Autopilot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-autopilot.md
+
+ Title: View rules in the Autopilot dashboard in CloudKnox Permissions Management
+description: How to view rules in the Autopilot dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View rules in the Autopilot dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Autopilot** dashboard in CloudKnox Permissions Management (CloudKnox) provides a table of information about **Autopilot rules** for administrators.
++
+> [!NOTE]
+> Only users with the **Administrator** role can view and make changes on this tab.
+
+## View a list of rules
+
+1. In the CloudKnox home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select the authorization system types you want: Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization system** dropdown, in the **List** and **Folders** box, select the account and folder names that you want.
+1. Select **Apply**.
+
+ The following information displays in the **Autopilot rules** table:
+
+ - **Rule Name**: The name of the rule.
+ - **State**: The status of the rule: idle (not being use) or active (being used).
+ - **Rule Type**: The type of rule being applied.
+ - **Mode**: The status of the mode: on-demand or not.
+ - **Last Generated**: The date and time the rule was last generated.
+ - **Created By**: The email address of the user who created the rule.
+ - **Last Modified**: The date and time the rule was last modified.
+ - **Subscription**: Provides an **On** or **Off** subscription that allows you to receive email notifications when recommendations have been generated, applied, or unapplied.
+
+## View other available options for rules
+
+- Select the ellipses **(...)**
+
+ The following options are available:
+
+ - **View rule**: Select to view details of the rule.
+ - **Delete rule**: Select to delete the rule. Only the user who created the selected rule can delete the rule.
+ - **Generate recommendations**: Creates recommendations for each user and the authorization system. Only the user who created the selected rule can create recommendations.
+ - **View recommendations**: Displays the recommendations for each user and authorization system.
+ - **Notification settings**: Displays the users subscribed to this rule. Only the user who created the selected rule can add other users to be notified.
+
+You can also select:
+
+- **Reload**: Select to refresh the displayed list of roles/policies.
+- **Search**: Select to search for a specific role/policy.
+- **Columns**: From the dropdown list, select the columns you want to display.
+ - Select **Reset to default** to return to the system defaults.
+- **New Rule**: Select to create a new rule. For more information, see [Create a rule](cloudknox-howto-create-rule.md).
+++
+## Next steps
+
+- For information about creating rules, see [Create a rule](cloudknox-howto-create-rule.md).
+- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](cloudknox-howto-recommendations-rule.md).
+- For information about notification settings for rules, see [View notification settings for a rule](cloudknox-howto-notifications-rule.md).
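Review bot: Under "You can also select", the **Reload** and **Search** descriptions say "list of roles/policies" and "a specific role/policy", but this dashboard lists Autopilot rules, not roles/policies; the text looks copied from the Remediation article and should say "rules" and "a specific rule". In the rules table, "idle (not being use)" should be "idle (not being used)", and "**Mode**: The status of the mode: on-demand or not" does not say what the other value is; name both modes as they appear in the UI. The note at the top says only Administrators can view and change this tab, while the ellipsis options say only the rule's creator can delete it, generate recommendations, or change notifications; stating both constraints together (Administrator role and creator) near the top would save readers from learning the second one only when an action fails.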
active-directory Cloudknox Ui Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-dashboard.md
+
+ Title: View key statistics and data about your authorization system in CloudKnox Permissions Management
+description: How to view statistics and data about your authorization system in the CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022++++
+# View key statistics and data about your authorization system
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+CloudKnox Permissions Management (CloudKnox) provides a summary of key statistics and data about your authorization system regularly. This information is available for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
+
+## View metrics related to avoidable risk
+
+The data provided by CloudKnox includes metrics related to avoidable risk. These metrics allow the CloudKnox administrator to identify areas where they can reduce risks related to the principle of least permissions.
+
+You can view the following information in CloudKnox:
+
+- The **Permission creep index (PCI)** heat map on the CloudKnox **Dashboard** identifies:
+ - The number of users who have been granted high-risk permissions but aren't using them.
+ - The number of users who contribute to the permission creep index (PCI) and where they are on the scale.
+
+- The [**Analytics** dashboard](cloudknox-usage-analytics-home.md) provides a snapshot of permission metrics within the last 90 days.
++
+## Components of the CloudKnox Dashboard
+
+The CloudKnox **Dashboard** displays the following information:
+
+- **Authorization system types**: A dropdown list of authorization system types you can access: AWS, Azure, and GCP.
+
+- **Authorization system**: Displays a **List** of accounts and **Folders** in the selected authorization system you can access.
+
+ - To add or remove accounts and folders, from the **Name** list, select or deselect accounts and folders, and then select **Apply**.
+
+- **Permission creep index (PCI)**: The graph displays the **# of identities contributing to PCI**.
+
+ The PCI graph may display one or more bubbles. Each bubble displays the number of identities that are considered high risk. *High-risk* refers to the number of users who have permissions that exceed their normal or required usage.
+ - To display a list of the number of identities contributing to the **Low PCI**, **Medium PCI**, and **High PCI**, select the **List** icon in the upper right of the graph.
+ - To display the PCI graph again, select the **Graph** icon in the upper right of the list box.
+
+- **Highest PCI change**: Displays a list of your accounts and information about the **PCI** and **Change** in the index over the past 7 days.
+ - To download the list, select the down arrow in the upper right of the list box.
+
+ The following message displays: **We'll email you a link to download the file.**
+ - Check your email for the message from the CloudKnox Customer Success Team. The email contains a link to the **PCI history** report in Microsoft Excel format.
+ - The email also includes a link to the **Reports** dashboard, where you can configure how and when you want to receive reports automatically.
+ - To view all the PCI changes, select **View all**.
+
+- **Identity**: A summary of the **Findings** that includes:
+ - The number of **Inactive** identities that haven't been accessed in over 90 days.
+ - The number of **Super** identities that access data regularly.
+ - The number of identities that can **Access secret information**: A list of roles that can access sensitive or secret information.
+ - **Over-provisioned active** identities that have more permissions than they currently access.
+ - The number of identities **With permission escalation**: A list of roles that can increase permissions.
+
+ To view the list of all identities, select **All findings**.
+
+- **Resources**: A summary of the **Findings** that includes the number of resources that are:
+ - **Open security groups**
+ - **Microsoft managed keys**
+ - **Instances with access to S3 buckets**
+ - **Unencrypted S3 buckets**
+ - **SSE-S3 Encrypted buckets**
+ - **S3 Bucket accessible externally**
+++
+## The PCI heat map
+
+The **Permission creep index** heat map shows the incurred risk of users with access to high-risk permissions, and provides information about:
+
+- Users who were given access to high-risk permissions but aren't actively using them. *High-risk permissions* include the ability to modify or delete information in the authorization system.
+
+- The number of resources a user has access to, otherwise known as resource reach.
+
+- The high-risk permissions coupled with the number of resources a user has access to produce the score seen on the chart.
+
+ Permissions are classified as *high*, *medium*, and *low*.
+
+ - **High** (displayed in red) - The score is between 68 and 100. The user has access to many high-risk permissions they aren't using, and has high resource reach.
+ - **Medium** (displayed in yellow) - The score is between 34 and 67. The user has access to some high-risk permissions that they use, or have medium resource reach.
+ - **Low** (displayed in green) - The score is between 0 and 33. The user has access to few high-risk permissions. They use all their permissions and have low resource reach.
+
+- The number displayed on the graph shows how many users contribute to a particular score. To view detailed data about a user, hover over the number.
+
+ The distribution graph displays all the users who contribute to the permission creep. It displays how many users contribute to a particular score. For example, if the score from the PCI chart is 14, the graph shows how many users have a score of 14.
+
+- The **PCI Trend** graph shows you the historical trend of the PCI score over the last 90 days.
+ - To download the **PCI history report**, select **Download**.
+
+### View information on the heat map
+
+1. Select the number on the heat map bubble to display:
+
+ - The total number of **Identities** and how many of them are in the high, medium, and low categories.
+ - The **PCI trend** over the last several weeks.
+
+1. The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on.
+
+ - To expand the full list of identities, select **All findings**.
+
+1. The **Resource** section below the heat map on the right side of the page shows all the relevant findings about resources. It includes unencrypted S3 buckets, open security groups, and so on.
++
+## The Analytics summary
+
+You can also view a summary of users and activities section on the [Analytics dashboard](cloudknox-usage-analytics-home.md). This dashboard provides a snapshot of the following high-risk tasks or actions users have accessed, and displays the total number of users with the high-risk access, how many users are inactive or have unexecuted tasks, and how many users are active or have executed tasks:
+
+- **Users with access to high-risk tasks**: Displays the total number of users with access to a high risk task (**Total**), how many users have access but haven't used the task (**Inactive**), and how many users are actively using the task (**Active**).
+
+- **Users with access to delete tasks**: A subset of high-risk tasks, which displays the number of users with access to delete tasks (**Total**), how many users have the delete permissions but haven't used the permissions (**Inactive**), and how many users are actively executing the delete capability (**Active**).
+
+- **High-risk tasks accessible by users**: Displays all available high-risk tasks in the authorization system (**Granted**), how many high-risk tasks aren't used (**Unexecuted**), and how many high-risk tasks are used (**Executed**).
+
+- **Delete tasks accessible by users**: Displays all available delete tasks in the authorization system (**Granted**), how many delete tasks aren't used (**Unexecuted**), and how many delete tasks are used (**Executed**).
+
+- **Resources that permit high-risk tasks**: Displays the total number of resources a user has access to (**Total**), how many resources are available but not used (**Inactive**), and how many resources are used (**Active**).
+
+- **Resources that permit delete tasks**: Displays the total number of resources that permit delete tasks (**Total**), how many resources with delete tasks aren't used (**Inactive**), and how many resources with delete tasks are used (**Active**).
+++
+## Next steps
+
+- For information on how to view authorization system and account activity data on the CloudKnox Dashboard, see [View data about the activity in your authorization system](cloudknox-product-dashboard.md).
+- For an overview of the Analytics dashboard, see [An overview of the Analytics dashboard](cloudknox-usage-analytics-home.md).
++
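Review bot: In the PCI section, "*High-risk* refers to the number of users who have permissions that exceed their normal or required usage" defines a property of a user in terms of a count; it should read "*High-risk* identities are users whose permissions exceed their normal or required usage", with the bubble showing how many such identities there are. The **Medium** band description ("has access to some high-risk permissions that they use, or have medium resource reach") is also inconsistent with **High** and **Low**, which are both about unused high-risk permissions combined with resource reach; rewrite it on the same axes (some unused high-risk permissions, or medium resource reach) so the three bands read as one scale. Smaller points: "the principle of least permissions" under "View metrics related to avoidable risk" is normally "the principle of least privilege"; "over provisioned active roles" in the heat map steps should be hyphenated to match "**Over-provisioned active**" earlier; and the **Resources** findings list includes "Microsoft managed keys" next to S3-only items, so it is worth confirming whether that list is AWS-specific or a union across providers and saying so.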
active-directory Cloudknox Ui Remediation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-remediation.md
+
+ Title: View existing roles/policies and requests for permission in the Remediation dashboard in CloudKnox Permissions Management
+description: How to view existing roles/policies and requests for permission in the Remediation dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View roles/policies and requests for permission in the Remediation dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Remediation** dashboard in CloudKnox Permissions Management (CloudKnox) provides an overview of roles/policies, permissions, a list of existing requests for permissions, and requests for permissions you have made.
+
+This article provides an overview of the components of the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** dashboard, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this dashboard, you must have **Controller** or **Administrator** permissions. If you donΓÇÖt have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. CloudKnox automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Display the Remediation dashboard
+
+1. On the CloudKnox home page, select the **Remediation** tab.
+
+ The **Remediation** dashboard includes six subtabs:
+
+ - **Roles/Policies**: Use this subtab to perform Create Read Update Delete (CRUD) operations on roles/policies.
+ - **Permissions**: Use this subtab to perform Read Update Delete (RUD) on granted permissions.
+ - **Role/Policy template**: Use this subtab to create a template for roles/policies template.
+ - **Requests**: Use this subtab to view approved, pending, and processed Permission on Demand (POD) requests.
+ - **My requests**: Use this tab to manage lifecycle of the POD request either created by you or needs your approval.
+ - **Settings**: Use this subtab to select **Request role/policy filters**, **Request settings**, and **Auto-approve** settings.
+
+1. Use the dropdown to select the **Authorization System Type** and **Authorization System**, and then select **Apply**.
+
+## View and create roles/policies
+
+The **Role/Policies** subtab provides the following settings that you can use to view and create a role/policy.
+
+- **Authorization system type**: Displays a dropdown with authorization system types you can access, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
+- **Authorization system**: Displays a list of authorization systems accounts you can access.
+- **Role/Policy type**: A dropdown with available role/policy types. You can select **All**, **Custom**, **System**, or **CloudKnox only**.
+- **Role/Policy status**: A dropdown with available role/policy statuses. You can select **All**, **Assigned**, or **Unassigned**.
+- **Role/Policy usage**: A dropdown with **All** or **Unused** roles/policies.
+- **Apply**: Select this option to save the changes you've made.
+- **Reset Filter**: Select this option to discard the changes you've made.
+
+The **Role/Policies list** displays a list of existing roles/policies and the following information about each role/policy.
+
+- **Role/Policy name**: The name of the roles/policies available to you.
+- **Role/Policy type**: **Custom**, **System**, or **CloudKnox only**
+- **Actions**
+ - Select **Clone** to create a duplicate copy of the role/policy.
+ - Select **Modify** to change the existing role/policy.
+ - Select **Delete** to delete the role/policy.
+
+Other options available to you:
+- **Search**: Select this option to search for a specific role/policy.
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file.
+
+ When the file is successfully exported, a message appears: **Exported successfully.**
+
+ - Check your email for a message from the CloudKnox Customer Success Team. This email contains a link to:
+ - The **Role Policy Details** report in CSV format.
+ - The **Reports** dashboard where you can configure how and when you can automatically receive reports.
+- **Create Role/Policy**: Select this option to create a new role/policy. For more information, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
++
+## Add filters to permissions
+
+The **Permissions** subtab provides the following settings that you can use to add filters to your permissions.
+
+- **Authorization system type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+- **Authorization system**: Displays a list of authorization systems accounts you can access.
+- **Search for**: A dropdown from which you can select **Group**, **User**, or **Role**.
+- **User status**: A dropdown from which you can select **Any**, **Active**, or **Inactive**.
+- **Privilege creep index** (PCI): A dropdown from which you can select a PCI rating of **Any**, **High**, **Medium**, or **Low**.
+- **Task Usage**: A dropdown from which you can select **Any**, **Granted**, **Used**, or **Unused**.
+- **Enter a username**: A dropdown from which you can select a username.
+- **Enter a Group Name**: A dropdown from which you can select a group name.
+- **Apply**: Select this option to save the changes you've made and run the filter.
+- **Reset Filter**: Select this option to discard the changes you've made.
+- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file.
+
+ When the file is successfully exported, a message appears: **Exported successfully.**
+
+ - Check your email for a message from the CloudKnox Customer Success Team. This email contains a link to:
+ - The **Role Policy Details** report in CSV format.
+ - The **Reports** dashboard where you can configure how and when you can automatically receive reports.
++
+## Create templates for roles/policies
+
+Use the **Role/Policy template** subtab to create a template for roles/policies.
+
+1. Select:
+ - **Authorization system type**: Displays a dropdown with authorization system types you can access, WS, Azure, and GCP.
+ - **Create template**: Select this option to create a template.
+
+1. In the **Details** page, make the required selections:
+ - **Authorization system type**: Select the authorization system types you want, **AWS**, **Azure**, or **GCP**.
+ - **Template name**: Enter a name for your template, and then select **Next**.
+
+1. In the **Statements** page, complete the **Tasks**, **Resources**, **Request conditions** and **Effect** sections. Then select **Save** to save your role/policy template.
+
+Other options available to you:
+- **Search**: Select this option to search for a specific role/policy.
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+
+## View requests for permission
+
+Use the **Requests** tab to view a list of **Pending**, **Approved**, and **Processed** requests for permissions your team members have made.
+
+- Select:
+ - **Authorization system type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+ - **Authorization system**: Displays a list of authorization systems accounts you can access.
+
+Other options available to you:
+
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+- **Search**: Select this option to search for a specific role/policy.
+- **Columns**: Select one or more of the following to view more information about the request:
+ - **Submitted by**
+ - **On behalf of**
+ - **Authorization system**
+ - **Tasks/scope/policies**
+ - **Request date**
+ - **Schedule**
+ - **Submitted**
+ - **Reset to default**: Select this option to discard your settings.
+
+### View pending requests
+
+The **Pending** table displays the following information:
+
+- **Summary**: A summary of the request.
+- **Submitted By**: The name of the user who submitted the request.
+- **On Behalf Of**: The name of the user on whose behalf the request was made.
+- **Authorization System**: The authorization system the user selected.
+- **Task/Scope/Policies**: The type of task/scope/policy selected.
+- **Request Date**: The date when the request was made.
+- **Submitted**: The period since the request was made.
+- The ellipses **(...)** menu - Select the ellipses, and then select **Details**, **Approve**, or **Reject**.
+- Select an option:
+ - **Reload**: Select this option to refresh the displayed list of roles/policies.
+ - **Search**: Select this option to search for a specific role/policy.
+ - **Columns**: From the dropdown, select the columns you want to display.
+
+**To return to the previous view:**
+
+- Select the up arrow.
+
+### View approved requests
+
+The **Approved** table displays information about the requests that have been approved.
+
+### View processed requests
+
+The **Processed** table displays information about the requests that have been processed.
+
+## View requests for permission for your approval
+
+Use the **My Requests** subtab to view a list of **Pending**, **Approved**, and **Processed** requests for permissions your team members have made and you must approve or reject.
+
+- Select:
+ - **Authorization system type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+ - **Authorization system**: Displays a list of authorization systems accounts you can access.
+
+Other options available to you:
+
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+- **Search**: Select this option to search for a specific role/policy.
+- **Columns**: Select one or more of the following to view more information about the request:
+ - **On behalf of**
+ - **Authorization system**
+ - **Tasks/scope/policies**
+ - **Request date**
+ - **Schedule**
+ - **Reset to default**: Select this option to discard your settings.
+- **New request**: Select this option to create a new request for permissions. For more information, see Create a request for permissions.
+
+### View pending requests
+
+The **Pending** table displays the following information:
+
+- **Summary**: A summary of the request.
+- **Submitted By**: The name of the user who submitted the request.
+- **On Behalf Of**: The name of the user on whose behalf the request was made.
+- **Authorization System**: The authorization system the user selected.
+- **Task/Scope/Policies**: The type of task/scope/policy selected.
+- **Request Date**: The date when the request was made.
+- **Submitted**: The period since the request was made.
+- The ellipses **(...)** menu - Select the ellipses, and then select **Details**, **Approve**, or **Reject**.
+- Select an option:
+ - **Reload**: Select this option to refresh the displayed list of roles/policies.
+ - **Search**: Select this option to search for a specific role/policy.
+ - **Columns**: From the dropdown, select the columns you want to display.
++
+### View approved requests
+
+The **Approved** table displays information about the requests that have been approved.
+
+### View processed requests
+
+The **Processed** table displays information about the requests that have been processed.
+
+## Make setting selections for requests and auto-approval
+
+The **Settings** subtab provides the following settings that you can use to make setting selections to **Request role/policy filters**, **Request settings**, and **Auto-approve** requests.
+
+- **Authorization system type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+- **Authorization system**: Displays a list of authorization systems accounts you can access.
+- **Reload**: Select this option to refresh the displayed list of role/policy filters.
+- **Create filter**: Select this option to create a new filter.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](cloudknox-ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](cloudknox-howto-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](cloudknox-howto-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](cloudknox-howto-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](cloudknox-howto-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](cloudknox-howto-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](cloudknox-howto-view-role-policy.md)
+
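Review bot: the Next steps list closing the Requests section has a broken link and a duplicate entry. `- For information on how to modify a role/policy, see Modify a role/policy](cloudknox-howto-modify-role-policy.md).` is missing the opening `[` before `Modify`, so it renders as literal text followed by a parenthesised file path; and the entry `View information about roles/policies` pointing at `cloudknox-howto-view-role-policy.md` appears twice (once with a trailing period, once without), while the `cloudknox-howto-revoke-task-readonly-status.md` entry also lacks its period. Drop one of the duplicate entries and normalise the terminal punctuation. The **Approved** and **Processed** subsections each consist of one sentence saying the table 'displays information about' the requests; since the pending-requests list above spells out its columns (**Summary**, **Submitted By**, **On Behalf Of**, **Authorization System**, **Task/Scope/Policies**, **Request Date**) and actions (**Details**, **Approve**, **Reject**), state which columns the approved and processed tables show, because those tables are the record of who was granted what. The **Settings** paragraph ('settings that you can use to make setting selections to') is tautological; say what **Request settings** and **Auto-approve** actually control, as auto-approval is the option a reviewer most needs to understand, and the bullets that follow (authorization system type, authorization system, reload, create filter) cover only the filter part.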
active-directory Cloudknox Ui Tasks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-tasks.md
+
+ Title: View information about active and completed tasks in CloudKnox Permissions Management
+description: How to view information about active and completed tasks in the Activities pane in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View information about active and completed tasks
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes the usage of the **CloudKnox Tasks** pane in CloudKnox Permissions Management (CloudKnox).
+
+## Display active and completed tasks
+
+1. In the CloudKnox home page, select **Tasks** (the timer icon).
+
+ The **CloudKnox Tasks** pane appears on the right of the CloudKnox home page. It has two tabs:
+ - **Active**: Displays a list of active tasks, a description of each task, and when the task was started.
+
+ If there are no active tasks, the following message displays: **There are no active tasks**.
+ - **Completed**: Displays a list of completed tasks, a description of each task, when the task was started and ended, and whether the task **Failed** or **Succeeded**.
+
+ If there are no completed activities, the following message displays: **There are no recently completed tasks**.
+1. To close the **CloudKnox Tasks** pane, click outside the pane.
+
+## Next steps
+
+- For information on how to create a role/policy in the **Remediation** dashboard, see [Create a role/policy](cloudknox-howto-create-role-policy.md).
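Review bot: wording in the **Completed** tab description is inconsistent: the empty-state sentence says 'If there are no completed activities' while the rest of the pane, including the quoted UI message 'There are no recently completed tasks', says tasks; use 'tasks' throughout. In the final step, 'click outside the pane' should be 'select outside the pane' to match the select wording used everywhere else in the article. The tab reports **Failed** or **Succeeded** per task but the article gives the reader no way to learn why a task failed; if the pane exposes any detail for a failed task, document it here.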
active-directory Cloudknox Ui Triggers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-triggers.md
+
+ Title: View information about activity triggers in CloudKnox Permissions Management
+description: How to view information about activity triggers in the Activity triggers dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View information about activity triggers
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to use the **Activity triggers** dashboard in CloudKnox Permissions Management (CloudKnox) to view information about activity alerts and triggers.
+
+## Display the Activity triggers dashboard
+
+- In the CloudKnox home page, select **Activity triggers** (the bell icon).
+
+ The **Activity triggers** dashboard has four tabs:
+
+ - **Activity**
+ - **Rule-based anomaly**
+ - **Statistical anomaly**
+ - **Permission analytics**
+
+ Each tab has two subtabs:
+
+ - **Alerts**
+ - **Alert triggers**
+
+## View information about alerts
+
+The **Alerts** subtab in the **Activity**, **Rule-based anomaly**, **Statistical anomaly**, and **Permission analytics** tabs display the following information:
+
+- **Alert Name**: Select **All** alert names or specific ones.
+- **Date**: Select **Last 24 hours**, **Last 2 Days**, **Last week**, or **Custom range.**
+
+ - If you select **Custom range**, also enter **From** and **To** duration settings.
+- **Apply**: Select this option to activate your settings.
+- **Reset filter**: Select this option to discard your settings.
+- **Reload**: Select this option to refresh the displayed information.
+- **Create Activity Trigger**: Select this option to [create a new alert trigger](cloudknox-howto-create-alert-trigger.md).
+- The **Alerts** table displays a list of alerts with the following information:
+ - **Alerts**: The name of the alert.
+ - **# of users subscribed**: The number of users who have subscribed to the alert.
+ - **Created by**: The name of the user who created the alert.
+ - **Modified By**: The name of the user who modified the alert.
+
+The **Rule-based anomaly** tab and the **Statistical anomaly** tab both have one more option:
+
+- **Columns**: Select the columns you want to display: **Task**, **Resource**, and **Identity**.
+ - To return to the system default settings, select **Reset to default**.
+
+## View information about alert triggers
+
+The **Alert triggers** subtab in the **Activity**, **Rule-based anomaly**, **Statistical anomaly**, and **Permission analytics** tab displays the following information:
+
+- **Status**: Select the alert status you want to display: **All**, **Activated**, or **Deactivated**.
+- **Apply**: Select this option to activate your settings.
+- **Reset filter**: Select this option to discard your settings.
+- **Reload**: Select **Reload** to refresh the displayed information.
+- **Create Activity Trigger**: Select this option to [create a new alert trigger](cloudknox-howto-create-alert-trigger.md).
+- The **Triggers** table displays a list of triggers with the following information:
+ - **Alerts**: The name of the alert.
+ - **# of users subscribed**: The number of users who have subscribed to the alert.
+ - **Created by**: The name of the user who created the alert.
+ - **Modified By**: The name of the user who modified the alert.
++++++
+## Next steps
+
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).
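Review bot: the **Alerts** table columns appear to have been copied from the **Alert triggers** table. Both lists are identical ('**Alerts**: The name of the alert', '**# of users subscribed**', '**Created by**', '**Modified By**'), which describe a trigger definition rather than a fired alert, and the paragraph that follows says the Rule-based anomaly and Statistical anomaly Alerts views offer **Task**, **Resource** and **Identity** columns, none of which appear in the table list. Please verify the Alerts table against the UI; as written a reader cannot tell what information an alert instance carries (which identity, which task, on which resource, when). Smaller items: 'The **Alerts** subtab in the ... tabs display' should be 'displays' since the subject is the subtab, and conversely '**Permission analytics** tab displays' in the triggers section should be 'tabs'; '**Custom range.**' has the period inside the bold; and 'enter **From** and **To** duration settings' should say dates, since a custom range is bounded by two dates, not durations.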
active-directory Cloudknox Ui User Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-user-management.md
+
+ Title: Manage users and groups with the User management dashboard in CloudKnox Permissions Management
+description: How to manage users and groups in the User management dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Manage users and groups with the User management dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to use the CloudKnox Permissions Management (CloudKnox) **User management** dashboard to view and manage users and groups.
+
+**To display the User management dashboard**:
+
+- In the upper right of the CloudKnox home page, select **User** (your initials) in the upper right of the screen, and then select **User management.**
+
+ The **User management** dashboard has two tabs:
+
+ - **Users**: Displays information about registered users.
+ - **Groups**: Displays information about groups.
+
+## Manage users
+
+Use the **Users** tab to display the following information about users:
+
+- **User name** and **Email address**: The user's name and email address.
+- **Joined on**: The date the user registered on the system.
+- **Recent activity**: The date the user last used their permissions to access the system.
+- The ellipses **(...)** menu: Select the ellipses, and then select **View Permissions** to open the **View user permission** box.
+
+ - To view details about the user's permissions, select one of the following options:
+ - **Admin for all authorization system types** provides **View**, **Control**, and **Approve** permissions for all authorization system types.
+ - **Admin for selected authorization system types** provides **View**, **Control**, and **Approve** permissions for selected authorization system types.
+ - **Custom** provides **View**, **Control**, and **Approve** permissions for the authorization system types you select.
+
+You can also select the following options:
+
+- **Reload**: Select this option to refresh the information displayed in the **User** table.
+- **Search**: Enter a name or email address to search for a specific user.
+
+## Manage groups
+
+Use the **Groups** tab to display the following information about groups:
+
+- **Group name**: Displays the registered user's name and email address.
+- **Permissions**:
+ - The **Authorization systems** and the type of permissions the user has been granted: **Admin for all authorization system types**, **Admin for selected authorization system types**, or **Custom**.
+ - Information about the **Viewer**, **Controller**, **Approver**, and **Requestor**.
+- **Modified by**: The email address of the user who modified the group.
+- **Modified on**: The date the user last modified the group.
+
+- The ellipses **(...)** menu: Select the ellipses to:
+
+ - **View permissions**: Select this option to view details about the group's permissions, and then select one of the following options:
+ - **Admin for all authorization system types** provides **View**, **Control**, and **Approve** permissions for all authorization system types.
+ - **Admin for selected authorization system types** provides **View**, **Control**, and **Approve** permissions for selected authorization system types.
+ - **Custom** provides **View**, **Control**, and **Approve** permissions for specific authorization system types that you select.
+
+ - **Edit permissions**: Select this option to modify the group's permissions.
+ - **Delete**: Select this option to delete the group's permissions.
+
+ The **Delete permission** box asks you to confirm that you want to delete the group.
+ - Select **Delete** if you want to delete the group, **Cancel** to discard your changes.
++
+You can also select the following options:
+
+- **Reload**: Select this option to refresh the information displayed in the **User** table.
+- **Search**: Enter a name or email address to search for a specific user.
+- **Filters**: Select the authorization systems and accounts you want to display.
+- **Create permission**: Create a group and set up its permissions. For more information, see [Create group-based permissions](cloudknox-howto-create-group-based-permissions.md)
+++
+## Next steps
+
+- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](cloudknox-ui-tasks.md).
+- For information about how to view personal and organization information, see [View personal and organization information](cloudknox-product-account-settings.md).
+- For information about how to select group-based permissions settings, see [Select group-based permissions settings](cloudknox-howto-create-group-based-permissions.md).
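Review bot: the **Groups** section reuses text from the **Users** section and gets several things wrong, which matters because this dashboard is where access to CloudKnox itself is granted. '**Group name**: Displays the registered user's name and email address' should describe the group's name; under **Permissions**, 'the type of permissions the user has been granted' should say the group; and at the end of the section '**Reload**: Select this option to refresh the information displayed in the **User** table' and '**Search**: Enter a name or email address to search for a specific user' should refer to the Groups table and to groups. The **Delete** item is contradictory: the bullet says it deletes 'the group's permissions' but the confirmation box described two lines later asks whether you want 'to delete the group'; removing a group's CloudKnox permissions and removing the group are different outcomes, so state which one happens. The three permission models are described so that **Custom** ('provides **View**, **Control**, and **Approve** permissions for the authorization system types you select') is indistinguishable from **Admin for selected authorization system types**; if Custom lets you choose a subset of View, Control and Approve per system type, say so, otherwise explain the difference. 'Information about the **Viewer**, **Controller**, **Approver**, and **Requestor**' is a fragment with no verb and should say what is shown for each role. Finally, the opening step reads 'In the upper right of the CloudKnox home page, select **User** (your initials) in the upper right of the screen', repeating 'upper right'.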
active-directory Cloudknox Usage Analytics Access Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-access-keys.md
+
+ Title: View analytic information about access keys in CloudKnox Permissions Management
+description: How to view analytic information about access keys in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about access keys
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) provides details about identities, resources, and tasks that you can use make informed decisions about granting permissions, and reducing risk on unused permissions.
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active resources**: Tracks active resources (used in the last 90 days).
+- **Active tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about access keys.
+
+## Create a query to view access keys
+
+When you select **Access keys**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Access keys** from the drop-down list at the top of the screen.
+
+ The following components make up the **Access keys** dashboard:
+
+ - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization system**: Select from a **List** of accounts and **Folders***.
+ - **Key status**: Select **All**, **Active**, or **Inactive**.
+ - **Key activity state**: Select **All**, how long the access key has been used, or **Not used**.
+ - **Key age**: Select **All** or how long ago the access key was created.
+ - **Task type**: Select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.
+ - **Search**: Enter criteria to find specific tasks.
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset filter** to discard your changes.
++
+## View the results of your query
+
+The **Access keys** table displays the results of your query.
+
+- **Access key ID**: Provides the ID for the access key.
+ - To view details about the access keys, select the down arrow to the left of the ID.
+- The **Owner** name.
+- The **Account** number.
+- The **Permission creep index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks** Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **Access key age**: How old the access key is, in days.
+- **Last used**: How long ago the access key was last accessed.
+
+## Apply filters to your query
+
+There are many filter options within the **Active tasks** screen, including filters by **Authorization system**, filters by **User** and filters by **Task**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by authorization system
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by key status
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Key status** dropdown, select the type of key: **All**, **Active**, or **Inactive**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by key activity status
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Key activity state** dropdown, select **All**, the duration for how long the access key has been used, or **Not used**.
+
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by key age
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Key age** dropdown, select **All** or how long ago the access key was created.
+
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by task type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task type** dropdown, select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+++
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV** or **CSV (Detailed)**.
+
+## Next steps
+
+- To view active tasks, see [View usage analytics about active tasks](cloudknox-usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View usage analytics about users](cloudknox-usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View usage analytics about groups](cloudknox-usage-analytics-groups.md).
+- To view active resources, see [View usage analytics about active resources](cloudknox-usage-analytics-active-resources.md).
+- To view assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
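Review bot: the filters section was copied from the active-tasks article and not fully adapted. 'There are many filter options within the **Active tasks** screen, including filters by **Authorization system**, filters by **User** and filters by **Task**' should name the **Access keys** screen and the filters actually documented below it (authorization system type, authorization system, key status, key activity state, key age, task type); there is no User filter on this screen. Likewise 'provides a high-level overview of tasks used by various identities' under 'Create a query to view access keys' is the active-tasks wording; this view is about keys and their owners. Typos: 'that you can use make informed decisions' is missing 'to', and '**Folders***' carries a stray asterisk. One documentation gap worth closing: the **Key status**, **Key activity state** (including **Not used**) and **Key age** filters, together with the **Access key age** and **Last used** columns, are exactly what an operator needs to find long-lived or dormant keys, which is the 'reducing risk on unused permissions' goal stated in the introduction, yet the article never says so and does not link to the remediation article referenced in the other pages of this set; one sentence on how to act on a key that is both old and unused would make the page actionable rather than purely descriptive.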
active-directory Cloudknox Usage Analytics Active Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-resources.md
+
+ Title: View analytic information about active resources in CloudKnox Permissions Management
+description: How to view usage analytics about active resources in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about active resources
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active resources**: Tracks active resources (used in the last 90 days).
+- **Active tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about active resources.
+
+## Create a query to view active resources
+
+1. On the main **Analytics** dashboard, select **Active resources** from the drop-down list at the top of the screen.
+
+ The dashboard only lists tasks that are active. The following components make up the **Active resources** dashboard:
+1. From the dropdowns, select:
+ - **Authorization system type**: The authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization system**: The **List** of accounts and **Folders** you want to include.
+ - **Tasks type**: Select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.
+ - **Service resource type**: The service resource type.
+ - **Search**: Enter criteria to find specific tasks.
+
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset filter** to discard your changes.
++
+## View the results of your query
+
+The **Active resources** table displays the results of your query:
+
+- **Resource Name**: Provides the name of the task.
+ - To view details about the task, select the down arrow.
+- **Account**: The name of the account.
+- **Resources type**: The type of resources used, for example, **bucket** or **key**.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Number of users**: The number of users with access and accessed.
+- Select the ellipses **(...)** and select **Tags** to add a tag.
+
+## Add a tag to an active resource
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a tag** dropdown, select a tag.
+1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add tag**.
++
+## Apply filters to your query
+
+There are many filter options within the **Active resources** screen, including filters by **Authorization system**, filters by **User** and filters by **Task**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by authorization system type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by task type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task type**, select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by service resource type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Service Resource type**, select the type of service resource.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
++
+## Next steps
+
+- To track active tasks, see [View usage analytics about active tasks](cloudknox-usage-analytics-active-tasks.md).
+- To track assigned permissions and usage of users, see [View usage analytics about users](cloudknox-usage-analytics-users.md).
+- To track assigned permissions and usage of the group and the group members, see [View usage analytics about groups](cloudknox-usage-analytics-groups.md).
+- To track the permission usage of access keys for a given user, see [View usage analytics about access keys](cloudknox-usage-analytics-access-keys.md).
+- To track assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
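Review bot: several statements in this article describe tasks or serverless functions rather than resources, and two filter subsections contradict the component list. 'The dashboard only lists tasks that are active' should say resources; '**Resource Name**: Provides the name of the task' and 'To view details about the task' should say resource; and the last step of 'Add a tag to an active resource', 'To add the tag to the serverless function, select **Add tag**', is left over from the serverless-functions article. Under 'Apply filters by task type', the lead sentence 'You can filter user details by type of user, user role, app, or service used, or by resource' and the step 'From the **Task type**, select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**' contradict the component list above, which defines **Tasks type** as **All** tasks, **High-risk tasks** or **Delete tasks**; the same lead sentence is repeated verbatim under 'Apply filters by service resource type', where it is equally out of place. The headings 'Apply filters by authorization system' and 'Apply filters by authorization system type' are swapped relative to their steps: the first contains only the type step and the second adds the system step. 'filters by **User** and filters by **Task**' in the filters intro names a User filter that does not exist on this screen. The component list is also split awkwardly across two numbered steps ('The following components make up the **Active resources** dashboard:' followed by '1. From the dropdowns, select:'); merge them into one step. Lastly, '**Number of users**: The number of users with access and accessed' is ungrammatical; the **With access** / **Accessed** split used in the active-tasks article states the same thing clearly.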
active-directory Cloudknox Usage Analytics Active Tasks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-tasks.md
+
+ Title: View analytic information about active tasks in CloudKnox Permissions Management
+description: How to view analytic information about active tasks in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about active tasks
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active resources**: Tracks active resources (used in the last 90 days).
+- **Active tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about active tasks.
+
+## Create a query to view active tasks
+
+When you select **Active tasks**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Active tasks** from the drop-down list at the top of the screen.
+
+ The dashboard only lists tasks that are active. The following components make up the **Active tasks** dashboard:
+
+ - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization system**: Select from a **List** of accounts and **Folders***.
+ - **Tasks type**: Select **All** tasks, **High-risk tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.
+ - **Search**: Enter criteria to find specific tasks.
+
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset filter** to discard your changes.
++
+## View the results of your query
+
+The **Active tasks** table displays the results of your query.
+
+- **Task Name**: Provides the name of the task.
+ - To view details about the task, select the down arrow in the table.
+
+ - A **Normal task** icon displays to the left of the task name if the task is normal (that is, not risky).
+ - A **Deleted task** icon displays to the left of the task name if the task involved deleting data.
+ - A **High-risk task** icon displays to the left of the task name if the task is high-risk.
+
+- **Performed on (resources)**: The number of resources on which the task was used.
+
+- **Number of Users**: Displays how many users performed tasks. The tasks are organized into the following columns:
+ - **With access**: Displays the number of users that have access to the task but haven't accessed it.
+ - **Accessed**: Displays the number of users that have accessed the task.
++
+## Apply filters to your query
+
+There are many filter options within the **Active tasks** screen, including **Authorization system**, **User**, and **Task**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by authorization system
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by task type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task type** dropdown, select the type of tasks: **All**, **High risk tasks**, or **Delete tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
+
+## Next steps
+
+- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
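Review bot: The sentence "You can filter user details by type of user, user role, app, or service used, or by resource." under "Apply filters by task type" describes identity-type filtering and does not match the steps that follow, which filter on **Task type** (**All**, **High risk tasks**, **Delete tasks**); either drop it or rewrite it as "You can filter the active tasks by task type." Also, "High risk tasks" in the dropdown step is hyphenated differently from the "High-risk task" icon described earlier in the same article; pick one spelling for the UI label.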
active-directory Cloudknox Usage Analytics Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-groups.md
+
+ Title: View analytic information about groups in CloudKnox Permissions Management
+description: How to view analytic information about groups in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about groups
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active resources**: Tracks active resources (used in the last 90 days).
+- **Active tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about groups.
+
+## Create a query to view groups
+
+When you select **Groups**, the **Usage Analytics** dashboard provides a high-level overview of groups.
+
+1. On the main **Analytics** dashboard, select **Groups** from the drop-down list at the top of the screen.
+
+ The following components make up the **Groups** dashboard:
+
+ - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization system**: Select from a **List** of accounts and **Folders**.
+ - **Group type**: Select **All**, **ED**, or **Local**.
+ - **Group activity status**: Select **All**, **Active**, or **Inactive**.
+ - **Tasks Type**: Select **All**, **High-risk tasks**, or **Delete tasks**
+ - **Search**: Enter group name to find specific group.
+1. To display the criteria you've selected, select **Apply**.
+ - **Reset filter**: Select to discard your changes.
++
+## View the results of your query
+
+The **Groups** table displays the results of your query:
+
+- **Group Name**: Provides the name of the group.
+ - To view details about the group, select the down arrow.
+- A **Group type** icon displays to the left of the group name to describe the type of group (**ED** or **Local**).
+- The **Domain/Account** name.
+- The **Permission creep index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **Users**: The number of users who accessed the group.
+- Select the ellipses **(...)** and select **Tags** to add a tag.
+
+## Add a tag to a group
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a tag** dropdown, select a tag.
+1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add tag**.
+
+## View detailed information about a group
+
+1. Select the down arrow to the left of the **Group name**.
+
+ The list of **Tasks** organized by **Unused** and **Used** displays.
+
+1. Select the arrow to the left of the group name to view details about the task.
+1. Select **Information** (**i**) to view when the task was last used.
+1. From the **Tasks** dropdown, select **All tasks**, **High-risk tasks**, and **Delete tasks**.
+1. The pane on the right displays a list of **Users**, **Policies** for **AWS** and **Roles** for **GCP or AZURE**, and **Tags**.
+
+## Apply filters to your query
+
+There are many filter options within the **Groups** screen, including filters by **Authorization system type**, **Authorization system**, **Group type**, **Group activity status**, and **Tasks type**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by authorization system
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by group type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Group type** dropdown, select the type of user: **All**, **ED**, or **Local**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by group activity status
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Group activity status** dropdown, select the type of user: **All**, **Active**, or **Inactive**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by tasks type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Tasks type** dropdown, select the type of user: **All**, **High-risk tasks**, or **Delete tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
+- To view a list of members of the groups in your query, select **Export**, and then select **Memberships**.
+++
+## Next steps
+
+- To view active tasks, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md).
+- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
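Review bot: Several lines in this article are copied from the Users and Serverless functions articles and still refer to the wrong object. "To add the tag to the serverless function, select **Add tag**." under "Add a tag to a group" should read "to the group"; the intro sentence "You can filter user details by type of user, user role, app, or service used, or by resource." repeated under the group type, group activity status, and tasks type filter sections describes identity filters rather than group filters; and "select the type of user" in those three sections should name the group type, activity status, or task type being selected. In addition, "Filters can be applied in one, two, or all three categories" contradicts the five filters listed in the preceding sentence (**Authorization system type**, **Authorization system**, **Group type**, **Group activity status**, **Tasks type**).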
active-directory Cloudknox Usage Analytics Home https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-home.md
+
+ Title: View analytic information with the Analytics dashboard in CloudKnox Permissions Management
+description: How to use the Analytics dashboard in CloudKnox Permissions Management to view details about users, groups, active resources, active tasks, access keys, and serverless functions.
+++++++ Last updated : 02/23/2022+++
+# View analytic information with the Analytics dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article provides a brief overview of the Analytics dashboard in CloudKnox Permissions Management (CloudKnox), and the type of analytic information it provides for Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+
+## Display the Analytics dashboard
+
+- From the CloudKnox home page, select the **Analytics** tab.
+
+ The **Analytics** dashboard displays detailed information about:
+
+ - **Users**: Tracks assigned permissions and usage by users. For more information, see [View analytic information about users](cloudknox-usage-analytics-users.md).
+
+ - **Groups**: Tracks assigned permissions and usage of the group and the group members. For more information, see [View analytic information about groups](cloudknox-usage-analytics-groups.md).
+
+ - **Active Resources**: Tracks resources that have been used in the last 90 days. For more information, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md).
+
+ - **Active Tasks**: Tracks tasks that have been performed in the last 90 days. For more information, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md).
+
+ - **Access Keys**: Tracks the permission usage of access keys for a given user. For more information, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md).
+
+ - **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions for AWS only. For more information, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
+
+ System administrators can use this information to make decisions about granting permissions and reducing risk on unused permissions.
+++
+## Next steps
+
+- To view active tasks, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
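Review bot: The **Serverless Functions** bullet says usage is tracked "for AWS only", but the serverless functions article added in the same change lets the reader choose **Authorization system type**: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP), and its filter sections list **AWS**, **Azure**, or **GCP**. One of the two pages is wrong; if the feature is AWS-only, the detail page should say so and restrict the dropdown description, otherwise drop "for AWS only" here.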
active-directory Cloudknox Usage Analytics Serverless Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-serverless-functions.md
+
+ Title: View analytic information about serverless functions in CloudKnox Permissions Management
+description: How to view analytic information about serverless functions in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about serverless functions
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active resources**: Tracks active resources (used in the last 90 days).
+- **Active tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about serverless functions.
+
+## Create a query to view serverless functions
+
+When you select **Serverless functions**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Serverless functions** from the dropdown list at the top of the screen.
+
+ The following components make up the **Serverless functions** dashboard:
+
+ - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization system**: Select from a **List** of accounts and **Folders**.
+ - **Search**: Enter criteria to find specific tasks.
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset filter** to discard your changes.
++
+## View the results of your query
+
+The **Serverless functions** table displays the results of your query.
+
+- **Function name**: Provides the name of the serverless function.
+ - To view details about a serverless function, select the down arrow to the left of the function name.
+- A **Function type** icon displays to the left of the function name to describe the type of serverless function, for example **Lambda function**.
+- The **Permission creep index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **Last activity on**: The date the function was last accessed.
+- Select the ellipses **(...)**, and then select **Tags** to add a tag.
+
+## Add a tag to a serverless function
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a tag** dropdown, select a tag.
+1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add tag**.
+
+## View detailed information about a serverless function
+
+1. Select the down arrow to the left of the function name to display the following:
+
+ - A list of **Tasks** organized by **Used** and **Unused**.
+ - **Versions**, if a version is available.
+
+1. Select the arrow to the left of the task name to view details about the task.
+1. Select **Information** (**i**) to view when the task was last used.
+1. From the **Tasks** dropdown, select **All tasks**, **High-risk tasks**, and **Delete tasks**.
++
+## Apply filters to your query
+
+You can filter the **Serverless functions** results by **Authorization system type** and **Authorization system**.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by authorization system
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+++
+## Next steps
+
+- To view active tasks, see [View usage analytics about active tasks](cloudknox-usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View analytic information about users](cloudknox-usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md).
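Review bot: The opening sentence of "Create a query to view serverless functions" says the dashboard "provides a high-level overview of tasks used by various identities", which is the Users article's wording; it should describe an overview of serverless functions (the dashboard components and results table below are all function-oriented). Two smaller points: the **Authorization system type** bullet offers AWS, Azure, and GCP while the overview article describes serverless function analytics as AWS-only, so confirm which is correct; and the first Next steps link text, "View usage analytics about active tasks", differs from the "View analytic information about active tasks" title used for the same link in the other articles in this change.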
active-directory Cloudknox Usage Analytics Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-users.md
+
+ Title: View analytic information about users in CloudKnox Permissions Management
+description: How to view analytic information about users in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about users
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in CloudKnox Permissions Management (CloudKnox) collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active resources**: Tracks active resources (used in the last 90 days).
+- **Active tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about users.
+
+## Create a query to view users
+
+When you select **Users**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Users** from the drop-down list at the top of the screen.
+
+ The following components make up the **Users** dashboard:
+
+ - **Authorization system type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization system**: Select from a **List** of accounts and **Folders***.
+ - **Identity type**: Select **All** identity types, **User**, **Role/App/Service a/c** or **Resource**.
+ - **Search**: Enter criteria to find specific tasks.
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset filter** to discard your changes.
++
+## View the results of your query
+
+The **Identities** table displays the results of your query.
+
+- **Name**: Provides the name of the group.
+ - To view details about the group, select the down arrow.
+- The **Domain/Account** name.
+- The **Permission creep index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **User groups**: The number of users who accessed the group.
+- **Last activity on**: The date the function was last accessed.
+- The ellipses **(...)**: Select **Tags** to add a tag.
+
+ If you're using AWS, another selection is available from the ellipses menu: **Auto Remediate**. You can use this option to remediate your results automatically.
+
+## Add a tag to a user
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a tag** dropdown, select a tag.
+1. To create a custom tag select **New custom tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add tag**.
+
+## Set the auto-remediate option (AWS only)
+
+- Select the ellipses **(...)** and select **Auto Remediate**.
+
+ A message displays to confirm that your remediation settings are automatically updated.
+
+## Apply filters to your query
+
+There are many filter options within the **Users** screen, including filters by **Authorization system**, **Identity type**, and **Identity state**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by authorization system
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by identity type
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity type**, select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by identity subtype
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity subtype**, select the type of user: **All**, **ED**, **Local**, or **Cross-account**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by identity state
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity state**, select the type of user: **All**, **Active**, or **Inactive**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by identity filters
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity type**, select: **Risky** or **Inc. in PCI calculation only**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+### Apply filters by task type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization system type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization system** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task type**, select the type of user: **All** or **High-risk tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
++
+## Export the results of your query
+
+- To export a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
+- To export the data in a detailed comma-separated values (CSV) file format, select **Export** and then select **CSV (Detailed)**.
+- To export a report of user permissions, select **Export** and then select **Permissions**.
++
+## Next steps
+
+- To view active tasks, see [View analytic information about active tasks](cloudknox-usage-analytics-active-tasks.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](cloudknox-usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](cloudknox-usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](cloudknox-usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](cloudknox-usage-analytics-serverless-functions.md).
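Review bot: The **Auto Remediate** option is documented only as "remediate your results automatically" and "your remediation settings are automatically updated", which never tells the reader what the action changes in AWS (which unused permissions are removed from which identities, whether a confirmation step exists, and whether it can be reverted). Since this is the one step in the article that modifies permissions rather than reports on them, "Set the auto-remediate option (AWS only)" should state the effect before the click, or link to the remediation article that does. Separately, copy-paste residue remains: the stray asterisk in "**Folders***"; "**Name**: Provides the name of the group" and "select the down arrow to view details about the group" in an identities table; "**User groups**: The number of users who accessed the group"; "**Last activity on**: The date the function was last accessed"; "To add the tag to the serverless function" under "Add a tag to a user"; and the "Apply filters by identity filters" section whose step names the **Identity type** dropdown for the **Risky** / **Inc. in PCI calculation only** choices. "Filters can be applied in one, two, or all three categories" also undercounts the six filter sections that follow.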
active-directory Azuread Join Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/azuread-join-sso.md
If you have a hybrid environment, with both Azure AD and on-premises AD, it's li
1. The local security authority (LSA) service enables Kerberos and NTLM authentication on the device. > [!NOTE]
-> Windows Hello for Business requires additional configuration to enable on-premises SSO from an Azure AD joined device. For more information, see [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base).
+> Additional configuration is required when passwordless authentication to Azure AD joined devices is used.
>
-> FIDO2 security key based passwordless authentication with Windows 10 or newer requires additional configuration to enable on-premises SSO from an Azure AD joined device. For more information, see [Enable passwordless security key sign-in to on-premises resources with Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-on-premises.md).
+> For FIDO2 security key based passwordless authentication and Windows Hello for Business Hybrid Cloud Trust, see [Enable passwordless security key sign-in to on-premises resources with Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-on-premises.md).
+>
+> For Windows Hello for Business Hybrid Key Trust, see [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base).
+>
+> For Windows Hello for Business Hybrid Certificate Trust, see [Using Certificates for AADJ On-premises Single-sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert).
During an access attempt to a resource requesting Kerberos or NTLM in the user's on-premises environment, the device:
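Review bot: The new lead sentence "Additional configuration is required when passwordless authentication to Azure AD joined devices is used." drops the qualification the removed text carried, "to enable on-premises SSO from an Azure AD joined device", so it now reads as if passwordless sign-in to the device itself needs extra setup rather than SSO to on-premises resources from that device; suggest "Additional configuration is required to enable on-premises SSO from an Azure AD joined device when passwordless authentication is used." Minor: "FIDO2 security key based" should be hyphenated as "FIDO2 security-key-based" to match the linked article title's sense.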
active-directory Howto Vm Sign In Azure Ad Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
This Exit code translates to `DSREG_AUTOJOIN_DISC_FAILED` because the extension
1. Verify the required endpoints are accessible from the VM using PowerShell:
- - `curl https://login.microsoftonline.com/ -D -`
- - `curl https://login.microsoftonline.com/<TenantID>/ -D -`
- - `curl https://enterpriseregistration.windows.net/ -D -`
- - `curl https://device.login.microsoftonline.com/ -D -`
- - `curl https://pas.windows.net/ -D -`
+ - `curl https://login.microsoftonline.com// -D`
+ - `curl https://login.microsoftonline.com/<TenantID>// -D`
+ - `curl https://enterpriseregistration.windows.net// -D`
+ - `curl https://device.login.microsoftonline.com// -D`
+ - `curl https://pas.windows.net// -D`
> [!NOTE] > Replace `<TenantID>` with the Azure AD Tenant ID that is associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name to get the directory / tenant ID, or select **Azure Active Directory > Properties > Directory ID** in the Azure portal.<br/>`enterpriseregistration.windows.net` and `pas.windows.net` should return 404 Not Found, which is expected behavior.
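Review bot: The rewritten commands look like a regression rather than a fix: `-D` takes a filename argument, and the removed lines supplied `-` to dump response headers to stdout, so `curl https://login.microsoftonline.com// -D` will fail for lack of a parameter, and the doubled trailing `//` changes the request path from the one the original lines checked. Restore `-D -` and the single trailing slash, for example `curl https://login.microsoftonline.com/ -D -`. Since the step says to run these "using PowerShell", it is also worth confirming that `curl` resolves to the curl executable there and not to a PowerShell alias, which would not accept `-D` at all; writing `curl.exe` removes the ambiguity.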
active-directory Cross Tenant Access Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-overview.md
Previously updated : 02/07/2022 Last updated : 02/23/2022
The output is a summary of all available sign-in events for inbound and outbound
To determine your users' access to external Azure AD organizations, you can use the [Get-MgAuditLogSignIn](/powershell/module/microsoft.graph.reports/get-mgauditlogsignin) cmdlet in the Microsoft Graph PowerShell SDK to view data from your sign-in logs for the last 30 days. For example, run the following command: ```powershell
-Get-MgAuditLogSignIn `
--Filter ΓÇ£ResourceTenantID ne ΓÇÿyour tenant idΓÇÖΓÇ¥ ` --all:$True| `
-group ResourceTenantId,AppDisplayName,UserPrincipalName| `
-select count, @{n=ΓÇÖExt TenantID/App User PairΓÇÖ;e={$_.name}}]
+#Initial connection
+Connect-MgGraph -Scopes "AuditLog.Read.All"
+Select-MgProfile -Name "beta"
+
+#Get external access
+$TenantId = "<replace-with-your-tenant-ID>"
+
+Get-MgAuditLogSignIn -Filter "ResourceTenantId ne '$TenantID'" -All:$True |
+Group-Object ResourceTenantId,AppDisplayName,UserPrincipalName |
+Select-Object count,@{n='Ext TenantID/App User Pair';e={$_.name}}
``` The output is a list of outbound sign-ins initiated by your users to apps in external tenants.
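Review bot: the variable is declared as `$TenantId` but read as `$TenantID` inside the `-Filter` string; PowerShell resolves variable names case-insensitively, so it works, but use one spelling so readers don't suspect a second variable. The script also switches the SDK to the beta profile with `Select-MgProfile -Name "beta"`; either say why v1.0 is insufficient for `Get-MgAuditLogSignIn` or drop the line, since every cmdlet a reader runs afterwards in that session will go to beta as well.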
active-directory External Identities Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-identities-overview.md
Previously updated : 02/07/2022 Last updated : 02/23/2022
Learn more about [B2B collaboration in Azure AD](what-is-b2b.md).
Azure AD B2C is a Customer Identity and Access Management (CIAM) solution that lets you build user journeys for consumer- and customer-facing apps. If you're a business or individual developer creating customer-facing apps, you can scale to millions of consumers, customers, or citizens by using Azure AD B2C. Developers can use Azure AD B2C as the full-featured CIAM system for their applications.
-With Azure AD B2C, customers can sign in with an identity they've already established (like Facebook or Gmail). With Azure AD B2C, you can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. For more information, see the Azure AD B2C documentation.
+With Azure AD B2C, customers can sign in with an identity they've already established (like Facebook or Gmail). You can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications.
-Learn more about [Azure AD B2C](../../active-directory-b2c/index.yml).
+Although Azure AD B2C is built on the same technology as Azure AD, it's a separate service with some feature differences. For more information about how an Azure AD B2C tenant differs from an Azure AD tenant, see [Supported Azure AD features](../../active-directory-b2c/supported-azure-ad-features.md) in the [Azure AD B2C documentation](../../active-directory-b2c/index.yml).
## Comparing External Identities feature sets
active-directory Entitlement Management Onboard External User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-onboard-external-user.md
Title: Tutorial - Onboard external users to Azure AD through an approval process
description: Step-by-step tutorial for how to create an access package for external users requiring approvals in Azure Active Directory entitlement management. documentationCenter: ''-+ na
For more information, see [License requirements](entitlement-management-overview
2. In the **Users who can request access** section, click **For users not in your directory** and then click **All users (All connected organizations + any new external users)**.
-3. Ensure that **Require approval** is set to **Yes**.
+3. Because any user who is not yet in your directory can view and submit a request for this access package, **Yes** is mandatory for the **Require approval** setting.
4. The following settings allow you to configure how your approvals work for your external users:
active-directory Smartsheet Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/smartsheet-provisioning-tutorial.md
This section guides you through the steps to configure the Azure AD provisioning
![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png)
-5. Under the **Admin Credentials** section, input the **SCIM 2.0 base URL and Access Token** values retrieved earlier from Smartsheet in **Tenant URL** and **Secret Token** respectively.. Click **Test Connection** to ensure Azure AD can connect to Smartsheet. If the connection fails, ensure your Smartsheet account has SysAdmin permissions and try again.
+5. Under the **Admin Credentials** section, input the **SCIM 2.0 base URL** of https://scim.smartsheet.com/v2 and **Access Token** value retrieved earlier from Smartsheet in **Secret Token** respectively. Click **Test Connection** to ensure Azure AD can connect to Smartsheet. If the connection fails, ensure your Smartsheet account has SysAdmin permissions and try again.
![Token](common/provisioning-testconnection-tenanturltoken.png)
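Review bot: the rewritten step 5 no longer says which field receives the SCIM base URL; the removed line mapped it to **Tenant URL**, and "respectively" now has only one target. Suggest: "input `https://scim.smartsheet.com/v2` in **Tenant URL** and the **Access Token** retrieved earlier from Smartsheet in **Secret Token**."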
Once you've configured provisioning, use the following resources to monitor your
* 06/16/2020 - Added support for enterprise extension attributes "Cost Center", "Division", "Manager" and "Department" for users. * 02/10/2021 - Added support for core attributes "emails[type eq "work"]" for users.
+* 02/12/2022 - Added SCIM base/tenant URL of https://scim.smartsheet.com/v2 for SmartSheet integration under Admin Credentials section.
## Additional resources
Once you've configured provisioning, use the following resources to monitor your
## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Credential Design https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/credential-design.md
To ensure interoperability of your credentials, it's recommended that you work c
{ "mapping": { "first_name": {
- "claim": "$.vc.credentialSubject.firstName",
+ "claim": "$.vc.credentialSubject.firstName"
}, "last_name": { "claim": "$.vc.credentialSubject.lastName",
To ensure interoperability of your credentials, it's recommended that you work c
"vc": { "type": [ "ProofOfNinjaNinja"
- ],
+ ]
} } ```
advisor Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Advisor description: Sample Azure Resource Graph queries for Azure Advisor showing use of resource types and tables to access Azure Advisor related resources and properties. Previously updated : 01/20/2022 Last updated : 02/16/2022
aks Kubernetes Walkthrough Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-walkthrough-portal.md
Once the **EXTERNAL-IP** address changes from *pending* to an actual public IP a
azure-vote-front LoadBalancer 10.0.37.27 52.179.23.131 80:30572/TCP 2m ```
-To see the Azure Vote app in action, open a web browser to the external IP address of you
+To see the Azure Vote app in action, open a web browser to the external IP address of your service.
:::image type="content" source="media/container-service-kubernetes-walkthrough/azure-voting-application.png" alt-text="Image of browsing to Azure Vote sample application":::
aks Nat Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/nat-gateway.md
To use Managed NAT gateway, you must have the following:
* The `aks-preview` extension version 0.5.31 or later * Kubernetes version 1.20.x or above
+### Install aks-preview CLI extension
+
+You also need the *aks-preview* Azure CLI extension version 0.5.31 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.
+
+```azurecli-interactive
+# Install the aks-preview extension
+az extension add --name aks-preview
+
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+```
### Register the `AKS-NATGatewayPreview` feature flag
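Review bot: the new "Install aks-preview CLI extension" section restates the `aks-preview` 0.5.31 requirement that the prerequisite list immediately above already gives; keep the version in one place (the prerequisite bullet can link down to the install section) so the two cannot drift apart.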
To create an AKS cluster with a user-assigned NAT Gateway, use `--outbound-type
[az-feature-list]: /cli/azure/feature#az_feature_list [az-provider-register]: /cli/azure/provider#az_provider_register [byo-vnet-azure-cni]: configure-azure-cni.md
-[byo-vnet-kubenet]: configure-kubenet.md
+[byo-vnet-kubenet]: configure-kubenet.md
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
aks Uptime Sla https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/uptime-sla.md
Create a new cluster, and don't use Uptime SLA:
```azurecli-interactive # Create a new cluster without uptime SLA
-az aks create --resource-group myResourceGroup --name myAKSCluster--node-count 1
+az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1
``` Use the [`az aks update`][az-aks-update] command to update the existing cluster:
aks Use Azure Dedicated Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-dedicated-hosts.md
The following limitations apply when you integrate Azure Dedicated Host with Azu
* An existing agent pool can't be converted from non-ADH to ADH or ADH to non-ADH. * It is not supported to update agent pool from host group A to host group B.
+* Fault domain count can only be 1.
## Add a Dedicated Host Group to an AKS cluster
Not all host SKUs are available in all regions, and availability zones. You can
az vm list-skus -l eastus2 -r hostGroups/hosts -o table ```
-## Add Dedicated Hosts to the Host Group
+## Create a Host Group
Now create a dedicated host in the host group. In addition to a name for the host, you are required to provide the SKU for the host. Host SKU captures the supported VM series as well as the hardware generation for your dedicated host.
az vm host group create \
--name myHostGroup \ -g myDHResourceGroup \ -z 1\platform-fault-domain-count 2
+--platform-fault-domain-count 1
+```
+
+## Create a Dedicated Host
+
+Now create a dedicated host in the host group. In addition to a name for the host, you are required to provide the SKU for the host. Host SKU captures the supported VM series as well as the hardware generation for your dedicated host.
+
+If you set a fault domain count for your host group, you will need to specify the fault domain for your host.
+
+```azurecli-interactive
+az vm host create \
+--host-group myHostGroup \
+--name myHost \
+--sku DSv3-Type1 \
+--platform-fault-domain 1 \
+-g myDHResourceGroup
+```
+
+## Use a user-assigned Identity
+
+> [!IMPORTANT]
+> A user-assigned Identity with "contributor" role on the Resource Group of the Host Group is required.
+>
+
+First, create a Managed Identity
+
+```azurecli-interactive
+az identity create -g <Resource Group> -n <Managed Identity name>
+```
+
+Assign Managed Identity
+
+```azurecli-interactive
+az role assignment create --assignee <id> --role "Storage Account Key Operator Service Role" --scope <Resource id>
``` ## Create an AKS cluster using the Host Group
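Review bot: the role in the final `az role assignment create` does not match the requirement stated a few lines earlier. The IMPORTANT box says the user-assigned identity needs the "contributor" role on the host group's resource group, but the command assigns "Storage Account Key Operator Service Role", which grants nothing on a host group; spell out `--role Contributor`, `--assignee` (the identity's principal ID from `az identity create`) and `--scope` (the resource group containing the host group) instead of leaving `<id>` and `<Resource id>` unexplained. Two further points in the same hunk: `az vm host create` passes `--platform-fault-domain 1` while the host group is created with `--platform-fault-domain-count 1` (and the new limitation says the count can only be 1); fault domains are zero-indexed, so the only valid value with a count of 1 is `0`. And the paragraph directly under the renamed heading "## Create a Host Group" still describes creating a host and is repeated verbatim under "## Create a Dedicated Host"; replace the first copy with a sentence about what a host group is and why the fault domain count is set there.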
aks Use Multiple Node Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-multiple-node-pools.md
It takes a few minutes for the scale operation to complete.
AKS offers a separate feature to automatically scale node pools with a feature called the [cluster autoscaler](cluster-autoscaler.md). This feature can be enabled per node pool with unique minimum and maximum scale counts per node pool. Learn how to [use the cluster autoscaler per node pool](cluster-autoscaler.md#use-the-cluster-autoscaler-with-multiple-node-pools-enabled).
+## Resize a node pool
+
+To increase of number of deployments or run a larger workload, you may want to change the virtual machine scale set plan or resize AKS instances. However, you should not do any direct customizations to these nodes using the IaaS APIs or resources, as any custom changes that are not done via the AKS API will not persist through an upgrade, scale, update or reboot. This means resizing your AKS instances in this manner is not supported.
+
+The recommended method to resize a node pool to the desired SKU size is as follows:
+
+* Create a new node pool with the new SKU size
+* Cordon and drain the nodes in the old node pool in order to move workloads to the new nodes
+* Remove the old node pool.
+
+> [!IMPORTANT]
+> This method is specific to virtual machine scale set-based AKS clusters. When using virtual machine availability sets, you are limited to only one node pool per cluster.
+
+### Create a new node pool with the desired SKU
+
+The following command creates a new node pool with 2 nodes using the `Standard_DS3_v2` VM SKU:
+
+> [!NOTE]
+> Every AKS cluster must contain at least one system node pool with at least one node. In the below example, we are using a `--mode` of `System`, as the cluster is assumed to have only one node pool, necessitating a `System` node pool to replace it. A node pool's mode can be [updated at any time][update-node-pool-mode].
+
+```azurecli-interactive
+az aks nodepool add \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --name mynodepool \
+ --node-count 2 \
+ --node-vm-size Standard_DS3_v2 \
+ --mode System \
+ --no-wait
+```
+
+Be sure to consider other requirements and configure your node pool accordingly. You may need to modify the above command. For a full list of the configuration options, please see the [az aks nodepool add][az-aks-nodepool-add] reference page.
+
+### Cordon the existing nodes
+
+Cordoning marks specified nodes as unschedulable and prevents any additional pods from being added to the nodes.
+
+First, obtain the names of the nodes you'd like to cordon with `kubectl get nodes`. Your output should look similar to the following:
+
+```bash
+NAME STATUS ROLES AGE VERSION
+aks-nodepool1-31721111-vmss000000 Ready agent 7d21h v1.21.9
+aks-nodepool1-31721111-vmss000001 Ready agent 7d21h v1.21.9
+aks-nodepool1-31721111-vmss000002 Ready agent 7d21h v1.21.9
+```
+
+Next, using `kubectl cordon <node-names>`, specify the desired nodes in a space-separated list:
+
+```bash
+kubectl cordon aks-nodepool1-31721111-vmss000000 aks-nodepool1-31721111-vmss000001 aks-nodepool1-31721111-vmss000002
+```
+
+If succesful, your output should look similar to the following:
+
+```bash
+node/aks-nodepool1-31721111-vmss000000 cordoned
+node/aks-nodepool1-31721111-vmss000001 cordoned
+node/aks-nodepool1-31721111-vmss000002 cordoned
+```
+
+### Drain the existing nodes
+
+> [!IMPORTANT]
+> To successfully drain nodes and evict running pods, ensure that any PodDisruptionBudgets (PDBs) allow for at least 1 pod replica to be moved at a time, otherwise the drain/evict operation will fail. To check this, you can run `kubectl get pdb -A` and make sure `ALLOWED DISRUPTIONS` is at least 1 or higher.
+
+Draining nodes will cause pods running on them to be evicted and recreated on the other, schedulable nodes.
+
+To drain nodes, use `kubectl drain <node-names> --ignore-daemonsets --delete-emptydir-data`, again using a space-separated list of node names:
+
+> [!IMPORTANT]
+> Using `--delete-emptydir-data` is required to evict the AKS-created `coredns` and `metrics-server` pods. If this flag isn't used, an error is expected. Please see the [documentation on emptydir][empty-dir] for more information.
+
+```bash
+kubectl drain aks-nodepool1-31721111-vmss000000 aks-nodepool1-31721111-vmss000001 aks-nodepool1-31721111-vmss000002 --ignore-daemonsets --delete-emptydir-data
+```
+
+> [!TIP]
+> By default, your cluster has AKS_managed pod disruption budgets (such as `coredns-pdb` or `konnectivity-agent`) with a `MinAvailable` of 1. If, for example, there are two `coredns` pods running, while one of them is getting recreated and is unavailable, the other is unable to be affected due to the pod disruption budget. This resolves itself after the initial `coredns` pod is scheduled and running, allowing the second pod to be properly evicted and recreated.
+>
+> Consider draining nodes one-by-one for a smoother eviction experience and to avoid throttling. For more information, see [plan for availability using a pod disruption budget][pod-disruption-budget].
+
+After the drain operation finishes, verify pods are running on the new nodepool:
+
+```bash
+kubectl get pods -o wide -A
+```
+
+### Remove the existing node pool
+
+To delete the existing node pool, see the section on [Deleting a node pool](#delete-a-node-pool).
+
+After completion, the final result is the AKS cluster having a single, new node pool with the new, desired SKU size and all the applications and pods properly running.
+ ## Delete a node pool If you no longer need a pool, you can delete it and remove the underlying VM nodes. To delete a node pool, use the [az aks node pool delete][az-aks-nodepool-delete] command and specify the node pool name. The following example deletes the *mynoodepool* created in the previous steps:
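Review bot: three typos in the new section: "To increase of number of deployments" (drop "of"), "If succesful" ("successful") and "AKS_managed" ("AKS-managed"); the "Delete a node pool" paragraph also refers to *mynoodepool* where the example pool is `mynodepool`. Confirm that `[az-aks-nodepool-add]` resolves, as this change adds link definitions for `empty-dir`, `update-node-pool-mode` and `pod-disruption-budget` but not for it. The IMPORTANT box on `--delete-emptydir-data` should also say plainly that data held in emptyDir volumes on the drained nodes is discarded, not only that the flag is needed to evict `coredns` and `metrics-server`, since that is the consequence an operator must weigh before running the drain.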
Use [proximity placement groups][reduce-latency-ppg] to reduce latency for your
[kubernetes-labels]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ [kubernetes-label-syntax]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set [capacity-reservation-groups]:/azure/virtual-machines/capacity-reservation-associate-virtual-machine-scale-set
+[empty-dir]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
<!-- INTERNAL LINKS --> [aks-windows]: windows-container-cli.md
Use [proximity placement groups][reduce-latency-ppg] to reduce latency for your
[node-image-upgrade]: node-image-upgrade.md [fips]: /azure/compliance/offerings/offering-fips-140-2 [use-tags]: use-tags.md
+[update-node-pool-mode]: use-system-pools.md#update-existing-cluster-system-and-user-node-pools
+[pod-disruption-budget]: operator-best-practices-scheduler.md#plan-for-availability-using-pod-disruption-budgets
api-management Api Management Revisions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-revisions.md
description: Learn about the concept of revisions in Azure API Management.
documentationcenter: ''
-
Previously updated : 06/12/2020 Last updated : 02/22/2022
Each revision to your API can be accessed using a specially formed URL. Append `
By default, each revision has the same security settings as the current revision. You can deliberately change the policies for a specific revision if you want to have different security applied for each revision. For example, you might want to add a [IP filtering policy](./api-management-access-restriction-policies.md#RestrictCallerIPs) to prevent external callers from accessing a revision that is still under development.
-A revision can be taken offline, which makes it inaccessible to callers even if they try to access the revision through its URL. You can mark a revision as offline using the Azure portal. If you use PowerShell, you can use the `Set-AzApiManagementApiRevision` cmdlet and set the `Path` argument to `$null`.
-
-> [!NOTE]
-> We suggest taking revisions offline when you aren't using them for testing.
- ## Current revision A single revision can be set as the *current* revision. This revision will be the one used for all API requests that don't specify an explicit revision number in the URL. You can roll back to a previous revision by setting that revision as current.
When you set a revision as current you can also optionally specify a public chan
> These properties can only be changed in the current revision. If your edits change any of the above > properties of a non-current revision, the error message `Can't change property for non-current revision` will be displayed.
+## Take a revision offline
+
+A revision can be taken offline, which makes it inaccessible to callers even if they try to access the revision through its URL. You can mark a revision as offline using the Azure portal.
+
+> [!NOTE]
+> We suggest taking revisions offline when you aren't using them for testing.
+ ## Versions and revisions Versions and revisions are distinct features. Each version can have multiple revisions, just like a non-versioned API. You can use revisions without using versions, or the other way around. Typically versions are used to separate API versions with breaking changes, while revisions can be used for minor and non-breaking changes to an API.
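Review bot: the new "Take a revision offline" section drops the sentence from the removed block that explained the scripted route (`Set-AzApiManagementApiRevision` with the `Path` argument set to `$null`), so readers now only have the portal method; if the cmdlet still works, restore that sentence in the new section, and if it was removed deliberately, note that in the commit message so the omission isn't read as an oversight.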
api-management Developer Portal Implement Widgets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-implement-widgets.md
Use a `widget` scaffold from the `/scaffolds` folder as a starting point to buil
## Rename exported module classes
-Rename the exported module classes by replacing the `Widget` prefix with `ConferenceSession` in these files:
+Rename the exported module classes by replacing the `Widget` prefix with `ConferenceSession` and change the binding name to avoid name collision, in these files:
- `widget.design.module.ts`
For example, in the `widget.design.module.ts` file, change `WidgetDesignModule`
```typescript export class WidgetDesignModule implements IInjectorModule {
+ public register(injector: IInjector): void {
+ injector.bind("widget", WidgetViewModel);
+ injector.bind("widgetEditor", WidgetEditorViewModel);
``` to ```typescript export class ConferenceSessionDesignModule implements IInjectorModule {
+ public register(injector: IInjector): void {
+ injector.bind("conferenceSession", WidgetViewModel);
+ injector.bind("conferenceSessionEditor", WidgetEditorViewModel);
```
From the design-time perspective, any runtime component is just an HTML tag with
```typescript ... createModel: async () => {
- var model = new ConferenceSessionModel();
+ var model = new WidgetModel();
model.sessionNumber = "107"; return model; }
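Review bot: changing `new ConferenceSessionModel()` back to `new WidgetModel()` is consistent with the earlier hunk, where the bindings are renamed to `conferenceSession`/`conferenceSessionEditor` but still point at `WidgetViewModel` and `WidgetEditorViewModel`; the "Rename exported module classes" text should state that only the module classes and binding names change while the model and view-model class names keep the `Widget` prefix, otherwise this edit reads as an accidental revert.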
api-management Graphql Validation Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-validation-policies.md
documentationcenter: ''
Previously updated : 10/21/2021 Last updated : 01/21/2022 # API Management policy to validate and authorize GraphQL requests (preview)
-This article provides a reference for a new API Management policy to validate and authorize requests to a [GraphQL API](graphql-api.md) imported to API Management.
+This article provides a reference for an API Management policy to validate and authorize requests to a [GraphQL API](graphql-api.md) imported to API Management.
For more information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).
Because GraphQL queries use a flattened schema:
* Interfaces * The schema element
-**Authorization elements**
-You can use multiple authorization elements. The most specific path is used to select the appropriate authorization rule for each leaf node in the query.
-* Each authorization can optionally provide a different action.
-* `if` clauses allow the admin to specify conditional actions.
+**Authorize element**
+Configure the `authorize` element to set an appropriate authorization rule for one or more paths.
+* Each rule can optionally provide a different action.
+* Use policy expressions to specify conditional actions.
**Introspection system** The policy for path=`/__*` is the [introspection](https://graphql.org/learn/introspection/) system. You can use it to reject introspection requests (`__schema`, `__type`, etc.).
The policy for path=`/__*` is the [introspection](https://graphql.org/learn/intr
### Policy statement ```xml
-<validate-graphql-request error-variable-name="variable name" max-size="size in bytes" max-depth="query depth">
- <authorize-path="query path, for example: /Query/list Users or /__*" action="allow|remove|reject" />
- <if condition="policy expression" action="allow|remove|reject" />
+<validate-graphql-request error-variable-name="variable name" max-size="size in bytes" max-depth="query depth">
+ <authorize>
+ <rule path="query path, for example: '/listUsers' or '/__*'" action="string or policy expression that evaluates to 'allow|remove|reject|ignore'" />
+ </authorize>
</validate-graphql-request> ```
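Review bot: the `path` sample in the policy statement, `'/listUsers'`, does not follow the `/type/field` pattern that the attributes table in this same change requires, and the examples below use `/Missions/name` and `/Mutation/deleteUser`; use a two-segment path such as `/Query/listUsers` here so the statement and the table agree.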
-### Example
+### Example: Query validation
-In the following example, we validate a GraphQL query and reject:
-* Requests larger than 100 kb or with query depth greater than 4.
-* Access to the introspection system and the `list Users` query.
+This example applies the following validation and authorization rules to a GraphQL query:
+* Requests larger than 100 kb or with query depth greater than 4 are rejected.
+* Requests to the introspection system are rejected.
+* The `/Missions/name` field is removed from requests containing more than two headers.
```xml <validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">
- <authorize path="/" action="allow" />
- <authorize path="/__*" action="reject" />
- <authorize path="/Query/list Users" action="reject" />
+ <authorize>
+ <rule path="/__*" action="reject" />
+ <rule path="/Missions/name" action="@(context.Request.Headers.Count > 2 ? "remove" : "allow")" />
+ </authorize>
+</validate-graphql-request>
+```
+
+### Example: Mutation validation
+
+This example applies the following validation and authorization rules to a GraphQL mutation:
+* Requests larger than 100 kb or with query depth greater than 4 are rejected.
+* Requests to mutate the `deleteUser` field are denied except when the request is from IP address `198.51.100.1`.
+
+```xml
+<validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">
+ <authorize>
+ <rule path="/Mutation/deleteUser" action="@(context.Request.IpAddress <> "198.51.100.1" ? "deny" : "allow")" />
+ </authorize>
</validate-graphql-request> ```
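Review bot: the mutation example uses an action the policy does not define and a policy expression that will not compile. The description and the rule say `deny`, but the policy statement and the request-actions table list only `allow|remove|reject|ignore`, so this should be `reject`. The condition `context.Request.IpAddress <> "198.51.100.1"` uses `<>`, which is not a C# inequality operator (`!=` is), and a raw `<` inside an XML attribute value has to be written `&lt;`, so the policy would be refused before it ever evaluates; `@(context.Request.IpAddress != "198.51.100.1" ? "reject" : "allow")` fixes both. In the query example, removing `/Missions/name` "from requests containing more than two headers" reads like a placeholder condition; if it is only there to show the expression syntax, say so.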
In the following example, we validate a GraphQL query and reject:
| Name | Description | Required | | | | -- | | `validate-graphql-request` | Root element. | Yes |
-| `authorize` | Add one or more of these elements to provides field-level authorization with both request- and field-level errors. | Yes |
-| `if` | Add one or more of these elements for conditional changes to the action for a field-level authorization. | No |
+| `authorize` | Add this element to provide field-level authorization with both request- and field-level errors. | No |
+| `rule` | Add one or more of these elements to authorize specific query paths. Each rule can optionally specify a different [action](#request-actions). | No |
### Attributes
In the following example, we validate a GraphQL query and reject:
| `error-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A | | `max-size` | Maximum size of the request payload in bytes. Maximum allowed value: 102,400 bytes (100 KB). (Contact [support](https://azure.microsoft.com/support/options/) if you need to increase this limit.) | Yes | N/A | | `max-depth` | An integer. Maximum query depth. | No | 6 |
-| `path` | Query path to execute authorization validation on. | Yes | N/A |
-| `action` | [Action](#request-actions) to perform for the matching field. May be changed if a matching condition is specified. | Yes | N/A |
-| `condition` | Boolean value that determines if the [policy expression](api-management-policy-expressions.md) matches. The first matching condition is used. | No | N/A |
+| `path` | Path to execute authorization validation on. It must follow the pattern: `/type/field`. | Yes | N/A |
+| `action` | [Action](#request-actions) to perform if the rule applies. May be specified conditionally using a policy expression. | No | allow |
### Request actions
Available actions are described in the following table.
|Action |Description | |||
-|`reject` | A request error happens, and the request is not sent to the back end. |
+|`reject` | A request error happens, and the request is not sent to the back end. Additional rules if configured are not applied. |
|`remove` | A field error happens, and the field is removed from the request. | |`allow` | The field is passed to the back end. |
+|`ignore` | The rule is not valid for this case and the next rule is applied. |
### Usage
api-management Validation Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validation-policies.md
documentationcenter: ''
Previously updated : 10/21/2021 Last updated : 02/22/2022 - # API Management policies to validate requests and responses This article provides a reference for the following API Management policies. For information on adding and configuring policies, see [Policies in API Management](./api-management-policies.md).
-Use validation policies to validate API requests and responses against an OpenAPI schema and protect from vulnerabilities such as injection of headers or payload. While not a replacement for a Web Application Firewall, validation policies provide flexibility to respond to another class of threats that are not covered by security products that rely on static, predefined rules.
+Use validation policies to validate REST or SOAP API requests and responses against schemas defined in the API definition or supplementary JSON or XML schemas. Validation policies protect from vulnerabilities such as injection of headers or payload or leaking sensitive data.
+
+While not a replacement for a Web Application Firewall, validation policies provide flexibility to respond to an additional class of threats that arenΓÇÖt covered by security products that rely on static, predefined rules.
## Validation policies -- [Validate content](#validate-content) - Validates the size or JSON schema of a request or response body against the API schema.
+- [Validate content](#validate-content) - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.
- [Validate parameters](#validate-parameters) - Validates the request header, query, or path parameters against the API schema. - [Validate headers](#validate-headers) - Validates the response headers against the API schema. - [Validate status code](#validate-status-code) - Validates the HTTP status codes in responses against the API schema.
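Review bot: the added sentence uses a typographic apostrophe (rendered here as `arenΓÇÖt`); use the ASCII `aren't` to match the rest of the article and avoid mojibake in tooling that doesn't decode it.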
Use validation policies to validate API requests and responses against an OpenAP
## Actions
-Each validation policy includes an attribute that specifies an action, which API Management takes when validating an entity in an API request or response against the API schema. An action may be specified for elements that are represented in the API schema and, depending on the policy, for elements that aren't represented in the API schema. An action specified in a policy's child element overrides an action specified for its parent.
+Each validation policy includes an attribute that specifies an action, which API Management takes when validating an entity in an API request or response against the API schema.
+
+* An action may be specified for elements that are represented in the API schema and, depending on the policy, for elements that aren't represented in the API schema.
+
+* An action specified in a policy's child element overrides an action specified for its parent.
Available actions:
We recommend performing load tests with your expected production workloads to as
## Validate content
-The `validate-content` policy validates the size or JSON schema of a request or response body against the API schema. Formats other than JSON aren't supported.
+The `validate-content` policy validates the size or content of a request or response body against one or more [supported schemas](#schemas-for-content-validation).
+
+The following table shows the schema formats and request or response content types that the policy supports. Content type values are case insensitive.
+
+| Format | Content types |
+|||
+|JSON | Examples: `application/json`<br/>`application/hal+json` |
+|XML | Example: `application/xml` |
+|SOAP | Allowed values: `application/soap+xml` for SOAP 1.2 APIs<br/>`text/xml` for SOAP 1.1 APIs|
### Policy statement ```xml
-<validate-content unspecified-content-type-action="ignore|prevent|detect" max-size="size in bytes" size-exceeded-action="ignore|prevent|detect" errors-variable-name="variable name">
- <content type="content type string, for example: application/json, application/hal+json" validate-as="json" action="ignore|prevent|detect" />
+<validate-content unspecified-content-type-action="ignore|prevent|detect" max-size="size in bytes" size-exceeded-action="ignore|prevent|detect" errors-variable-name="variable name">
+ <content-type-map any-content-type-value="content type string" missing-content-type-value="content type string">
+ <type from|when="content type string" to="content type string" />
+ </content-type-map>
+ <content type="content type string" validate-as="json|xml|soap" schema-id="schema id" schema-ref="#/local/reference/path" action="ignore|prevent|detect" />
</validate-content> ```
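Review bot: the delimiter row `|||` under `| Format | Content types |` in the content-types table added above contains no dashes; GFM-style pipe tables need at least one `-` per column in that row, so use the `| -- | -- |` form the Attributes table in this article already uses. In the policy statement, `schema-ref="#/local/reference/path"` is shown alongside `validate-as="json|xml|soap"`, but the attributes table states that `schema-ref` is supported only for JSON schemas; either annotate the statement or omit `schema-ref` from the generic form so readers don't pair it with `xml` or `soap`.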
-### Example
+### Examples
-In the following example, the JSON payload in requests and responses is validated in detection mode. Messages with payloads larger than 100 KB are blocked.
+#### JSON schema validation
+
+In the following example, API Management interprets requests with an empty content type header or requests with a content type header `application/hal+json` as requests with the content type `application/json`. Then, API Management performs the validation in the detection mode against a schema defined for the `application/json` content type in the API definition. Messages with payloads larger than 100 KB are blocked.
```xml <validate-content unspecified-content-type-action="prevent" max-size="102400" size-exceeded-action="prevent" errors-variable-name="requestBodyValidation">
+ <content-type-map missing-content-type-value="application/json">
+ <type from="application/hal+json" to="application/json" />
+ </content-type-map>
<content type="application/json" validate-as="json" action="detect" />
- <content type="application/hal+json" validate-as="json" action="detect" />
</validate-content>
+```
+#### SOAP schema validation
+
+In the following example, API Management interprets any request as a request with the content type `application/soap+xml` (the content type that's used by SOAP 1.2 APIs), regardless of the incoming content type. The request could arrive with an empty content type header, content type header of `text/xml` (used by SOAP 1.1 APIs), or another content type header. Then, API Management extracts the XML payload from the SOAP envelope and performs the validation in prevention mode against the schema named "myschema". Messages with payloads larger than 100 KB are blocked.
+
+```xml
+<validate-content unspecified-content-type-action="prevent" max-size="102400" size-exceeded-action="prevent" errors-variable-name="requestBodyValidation">
+ <content-type-map any-content-type-value="application/soap+xml" />
+ <content type="application/soap+xml" validate-as="soap" schema-id="myschema" action="prevent" />
+</validate-content>
``` ### Elements
In the following example, the JSON payload in requests and responses is validate
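Review bot: the SOAP example sets `unspecified-content-type-action="prevent"` while `<content-type-map any-content-type-value="application/soap+xml" />` maps every incoming content type, so it isn't clear whether the unspecified-content-type action can ever fire in this configuration; state the precedence between `content-type-map` and `unspecified-content-type-action` in the example text or in the attributes table. In the JSON example, the prose now speaks only of "requests", but the policy applies equally to responses when placed in the outbound section; the deleted sentence said "requests and responses", and keeping that wording avoids implying the mapping is inbound-only.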
| Name | Description | Required | | | | -- | | `validate-content` | Root element. | Yes |
-| `content` | Add one or more of these elements to validate the content type in the request or response, and perform the specified action. | No |
+| `content-type-map` | Add this element to map the content type of the incoming request or response to another content type that is used to trigger validation. | No |
+| `content` | Add one or more of these elements to validate the content type in the request or response, or the mapped content type, and perform the specified action. | No |
### Attributes | Name | Description | Required | Default | | -- | - | -- | - |
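Review bot: the `<type>` child of `content-type-map`, shown in the policy statement with `from|when` and `to`, is missing from this Elements table; it is documented only as `content-type-map \ type` in the Attributes table below, although it's an element whose `from`, `when` and `to` are the attributes. Add a `type` row here (e.g. "`type` | Child of `content-type-map`; maps one incoming content type to the content type used for validation. | No") and keep the Attributes table for `from`, `when` and `to`.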
-| `unspecified-content-type-action` | [Action](#actions) to perform for requests or responses with a content type that isnΓÇÖt specified in the API schema. | Yes | N/A |
-| `max-size` | Maximum length of the body of the request or response in bytes, checked against the `Content-Length` header. If the request body or response body is compressed, this value is the decompressed length. Maximum allowed value: 102,400 bytes (100 KB). (Contact [support](https://azure.microsoft.com/support/options/) if you need to increase this limit.) | Yes | N/A |
-| `size-exceeded-action` | [Action](#actions) to perform for requests or responses whose body exceeds the size specified in `max-size`. | Yes | N/A |
-| `errors-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A |
-| `type` | Content type to execute body validation for, checked against the `Content-Type` header. This value is case insensitive. If empty, it applies to every content type specified in the API schema. | No | N/A |
-| `validate-as` | Validation engine to use for validation of the body of a request or response with a matching content type. Currently, the only supported value is "json". | Yes | N/A |
-| `action` | [Action](#actions) to perform for requests or responses whose body doesn't match the specified content type. | Yes | N/A |
+| unspecified-content-type-action | [Action](#actions) to perform for requests or responses with a content type that isnΓÇÖt specified in the API schema. | Yes | N/A |
+| max-size | Maximum length of the body of the request or response in bytes, checked against the `Content-Length` header. If the request body or response body is compressed, this value is the decompressed length. Maximum allowed value: 102,400 bytes (100 KB). (Contact [support](https://azure.microsoft.com/support/options/) if you need to increase this limit.) | Yes | N/A |
+| size-exceeded-action | [Action](#actions) to perform for requests or responses whose body exceeds the size specified in `max-size`. | Yes | N/A |
+| errors-variable-name | Name of the variable in `context.Variables` to log validation errors to. | No | N/A |
+| any-content-type-value | Content type used for validation of the body of a request or response, regardless of the incoming content type. | No | N/A |
+| missing-content-type-value | Content type used for validation of the body of a request or response, when the incoming content type is missing or empty. | No | N/A |
+| content-type-map \ type | Add one or more of these elements to map an incoming content type to a content type used for validation of the body of a request or response. Use `from` to specify a known incoming content type, or use `when` with a policy expression to specify any incoming content type that matches a condition. Overrides the mapping in `any-content-type-value` and `missing-content-type-value`, if specified. | No | N/A |
+| content \ type | Content type to execute body validation for, checked against the content type header or the value mapped in `content-type-mapping`, if specified. If empty, it applies to every content type specified in the API schema.<br/><br/>To validate SOAP requests and responses (`validate-as` attribute set to "soap"), set `type` to `application/soap+xml` for SOAP 1.2 APIs or `text/xml` for SOAP 1.1 APIs. | No | N/A |
+| validate-as | Validation engine to use for validation of the body of a request or response with a matching `type`. Supported values: "json", "xml", "soap".<br/><br/>When "soap" is specified, the XML from the request or response is extracted from the SOAP envelope and validated against an XML schema. | Yes | N/A |
+| schema-id | Name of an existing schema that was [added](#schemas-for-content-validation) to the API Management instance for content validation. If not specified, the default schema from the API definition is used. | No | N/A |
+| schema-ref| For a JSON schema specified in `schema-id`, optional reference to a valid local reference path in the JSON document. Example: `#/components/schemas/address`. The attribute should return a JSON object that API Management handles as a valid JSON schema.<br/><br/> For an XML schema, `schema-ref` isn't supported, and any top-level schema element can be used as the root of the XML request or response payload. The validation checks that all elements starting from the XML request or response payload root adhere to the provided XML schema. | No | N/A |
+| action | [Action](#actions) to perform for requests or responses whose body doesn't match the specified content type. | Yes | N/A |
+
+### Schemas for content validation
+
+By default, validation of request or response content uses JSON or XML schemas from the API definition. These schemas can be specified manually or generated automatically when importing an API from an OpenAPI or WSDL specification into API Management.
+
+Using the `validate-content` policy, you may optionally validate against one or more JSON or XML schemas that youΓÇÖve added to your API Management instance and that aren't part of the API definition. A schema that you add to API Management can be reused across many APIs.
+
+To add a schema to your API Management instance using the Azure portal:
+
+1. In the [portal](https://portal.azure.com), navigate to your API Management instance.
+1. In the **APIs** section of the left-hand menu, select **Schemas** > **+ Add**.
+1. In the **Create schema** window, do the following:
+ 1. Enter a **Name** for the schema.
+ 1. In **Schema type**, select **JSON** or **XML**.
+ 1. Enter a **Description**.
+ 1. In **Create method**, do one of the following:
+ * Select **Create new** and enter or paste the schema.
+ * Select **Import from file** or **Import from URL** and enter a schema location.
+ > [!NOTE]
+ > To import a schema from URL, the schema needs to be accessible over the internet from the browser.
+ 1. Select **Save**.
++
+ :::image type="content" source="media/validation-policies/add-schema.png" alt-text="Create schema":::
+
+After the schema is created, it appears in the list on the **Schemas** page. Select a schema to view its properties or to edit in a schema editor.
+
+> [!NOTE]
+> * A schema may cross-reference another schema that is added to the API Management instance.
+> * Open-source tools to resolve WSDL and XSD schema references and to batch-import generated schemas to API Management are available on [GitHub](https://github.com/Azure-Samples/api-management-schema-import).
+ ### Usage
In this example, all query and path parameters are validated in the prevention m
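Review bot: the `content \ type` row says the value is "checked against the content type header or the value mapped in `content-type-mapping`", but the element is named `content-type-map` everywhere else in this change; fix the name so readers can find it. Three further points on the same rows: the rewritten attribute names dropped their backticks (`unspecified-content-type-action`, `max-size`, and so on) while the Elements table keeps them, and `schema-ref|` lacks the space before the pipe; the apostrophes in `isnΓÇÖt` and `youΓÇÖve` (and in the contraction rows of the parameter, header and status-code tables further down) appear as a mis-decoded right single quote, so confirm the file is saved as UTF-8 if that is how the source reads; and the line consisting only of `++` after the `Select **Save**` step adds a stray `+` character to the article.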
| Name | Description | Required | Default | | -- | - | -- | - | | `specified-parameter-action` | [Action](#actions) to perform for request parameters specified in the API schema. <br/><br/> When provided in a `headers`, `query`, or `path` element, the value overrides the value of `specified-parameter-action` in the `validate-parameters` element. | Yes | N/A |
-| `unspecified-parameter-action` | [Action](#actions) to perform for request parameters that are not specified in the API schema. <br/><br/>When provided in a `headers`or `query` element, the value overrides the value of `unspecified-parameter-action` in the `validate-parameters` element. | Yes | N/A |
+| `unspecified-parameter-action` | [Action](#actions) to perform for request parameters that arenΓÇÖt specified in the API schema. <br/><br/>When provided in a `headers`or `query` element, the value overrides the value of `unspecified-parameter-action` in the `validate-parameters` element. | Yes | N/A |
| `errors-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A | | `name` | Name of the parameter to override validation action for. This value is case insensitive. | Yes | N/A | | `action` | [Action](#actions) to perform for the parameter with the matching name. If the parameter is specified in the API schema, this value overrides the higher-level `specified-parameter-action` configuration. If the parameter isnΓÇÖt specified in the API schema, this value overrides the higher-level `unspecified-parameter-action` configuration.| Yes | N/A |
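Review bot: the rewritten `unspecified-parameter-action` row still reads "`headers`or `query` element" with no space before `or`; since the row is being touched anyway, fix the spacing in the same change.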
The `validate-headers` policy validates the response headers against the API sch
| Name | Description | Required | Default | | -- | - | -- | - | | `specified-header-action` | [Action](#actions) to perform for response headers specified in the API schema. | Yes | N/A |
-| `unspecified-header-action` | [Action](#actions) to perform for response headers that are not specified in the API schema. | Yes | N/A |
+| `unspecified-header-action` | [Action](#actions) to perform for response headers that arenΓÇÖt specified in the API schema. | Yes | N/A |
| `errors-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A | | `name` | Name of the header to override validation action for. This value is case insensitive. | Yes | N/A | | `action` | [Action](#actions) to perform for header with the matching name. If the header is specified in the API schema, this value overrides value of `specified-header-action` in the `validate-headers` element. Otherwise, it overrides value of `unspecified-header-action` in the validate-headers element. | Yes | N/A |
The `validate-status-code` policy validates the HTTP status codes in responses a
| Name | Description | Required | Default | | -- | - | -- | - |
-| `unspecified-status-code-action` | [Action](#actions) to perform for HTTP status codes in responses that are not specified in the API schema. | Yes | N/A |
+| `unspecified-status-code-action` | [Action](#actions) to perform for HTTP status codes in responses that arenΓÇÖt specified in the API schema. | Yes | N/A |
| `errors-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A | | `code` | HTTP status code to override validation action for. | Yes | N/A |
-| `action` | [Action](#actions) to perform for the matching status code, which is not specified in the API schema. If the status code is specified in the API schema, this override does not take effect. | Yes | N/A |
+| `action` | [Action](#actions) to perform for the matching status code, which isnΓÇÖt specified in the API schema. If the status code is specified in the API schema, this override doesnΓÇÖt take effect. | Yes | N/A |
### Usage
This policy can be used in the following policy [sections](./api-management-howt
## Validation errors+
+API Management generates validation errors in the following format:
+
+```
+{
+ "Name": string,
+ "Type": string,
+ "ValidationRule": string,
+ "Details": string,
+ "Action": string
+}
+
+```
+ The following table lists all possible errors of the validation policies. * **Details**: Can be used to investigate errors. Not meant to be shared publicly.
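Review bot: the added error-format block is fenced with no language tag and carries an empty line before the closing fence; tag it as `json` (the values are type placeholders rather than literal JSON, which is worth saying in the sentence above) and drop the blank line. Because the text that follows states that `Details` is not meant to be shared publicly, one sentence here saying that this object is what is written to the `errors-variable-name` variable, and that it should be logged rather than copied into the client response, would make the security intent explicit.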
api-management Websocket Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/websocket-api.md
Below are the current restrictions of WebSocket support in API Management:
* WebSocket APIs are not supported yet in the Consumption tier. * WebSocket APIs are not supported yet in the [self-hosted gateway](./self-hosted-gateway-overview.md). * Azure CLI, PowerShell, and SDK currently do not support management operations of WebSocket APIs.
+* 200 active connections limit per unit.
### Unsupported policies
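Review bot: "200 active connections limit per unit" should say which unit is meant and what happens when the limit is reached (rejected versus queued connections); the surrounding bullets are full sentences, so "There's a limit of 200 active connections per unit." would match their style.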
app-service Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/overview.md
Title: App Service Environment overview
-description: Overview on the App Service Environment
+description: This article discusses the Azure App Service Environment feature of Azure App Service.
Last updated 01/26/2022 + # App Service Environment overview
-The Azure App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. This capability can host your:
+An App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for running App Service apps securely at high scale.
+
+> [!NOTE]
+> This article covers the features, benefits, and use cases of App Service Environment v3, which is used with App Service Isolated v2 plans.
+>
+
+An App Service Environment can host your:
- Windows web apps - Linux web apps - Docker containers (Windows and Linux) - Functions-- Logic Apps (Standard)-
-> [!NOTE]
-> This article is about the App Service Environment v3 which is used with Isolated v2 App Service plans
->
+- Logic apps (Standard)
App Service Environments are appropriate for application workloads that require: - High scale. - Isolation and secure network access. - High memory utilization.-- High requests per second (RPS). You can make multiple App Service Environments in a single Azure region or across multiple Azure regions. This flexibility makes an App Service Environment ideal for horizontally scaling stateless applications with a high RPS requirement.
+- High requests per second (RPS). You can create multiple App Service Environments in a single Azure region or across multiple Azure regions. This flexibility makes an App Service Environment ideal for horizontally scaling stateless applications with a high RPS requirement.
-App Service Environment host applications from only one customer and do so in one of their virtual networks. Customers have fine-grained control over inbound and outbound application network traffic. Applications can establish high-speed secure connections over VPNs to on-premises corporate resources.
+An App Service Environment can host applications from only one customer, and they do so on one of their virtual networks. Customers have fine-grained control over inbound and outbound application network traffic. Applications can establish high-speed secure connections over VPNs to on-premises corporate resources.
## Usage scenarios
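Review bot: "An App Service Environment can host applications from only one customer, and they do so on one of their virtual networks" pairs a singular subject with plural "they" and "their"; suggest "An App Service Environment hosts applications from only one customer and does so on one of that customer's virtual networks."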
-The App Service Environment has many use cases including:
+App Service Environments have many use cases, including:
-- Internal line-of-business applications-- Applications that need more than 30 App Service plan instances-- Single tenant system to satisfy internal compliance or security requirements-- Network isolated application hosting-- Multi-tier applications
+- Internal line-of-business applications.
+- Applications that need more than 30 App Service plan instances.
+- Single-tenant systems to satisfy internal compliance or security requirements.
+- Network-isolated application hosting.
+- Multi-tier applications.
-There are many networking features that enable apps in the multi-tenant App Service to reach network isolated resources or become network isolated themselves. These features are enabled at the application level. With an App Service Environment, there's no added configuration required for the apps to be in the virtual network. The apps are deployed into a network-isolated environment that is already in a virtual network. If you really need a complete isolation story, you can also get your App Service Environment deployed onto dedicated hardware.
+There are many networking features that enable apps in a multi-tenant App Service to reach network-isolated resources or become network-isolated themselves. These features are enabled at the application level. With an App Service Environment, no added configuration is required for the apps to be on a virtual network. The apps are deployed into a network-isolated environment that's already on a virtual network. If you really need a complete isolation story, you can also deploy your App Service Environment onto dedicated hardware.
## Dedicated environment
-The App Service Environment is a single tenant deployment of the Azure App Service that runs in your virtual network.
+An App Service Environment is a single-tenant deployment of Azure App Service that runs on your virtual network.
-Applications are hosted in App Service plans, which are created in an App Service Environment. The App Service plan is essentially a provisioning profile for an application host. As you scale your App Service plan out, you create more application hosts with all of the apps in that App Service plan on each host. A single App Service Environment v3 can have up to 200 total App Service plan instances across all of the App Service plans combined. A single Isolated v2 App Service plan can have up to 100 instances by itself.
+Applications are hosted in App Service plans, which are created in an App Service Environment. An App Service plan is essentially a provisioning profile for an application host. As you scale out your App Service plan, you create more application hosts with all the apps in that App Service plan on each host. A single App Service Environment v3 can have up to 200 total App Service plan instances across all the App Service plans combined. A single App Service Isolated v2 (Iv2) plan can have up to 100 instances by itself.
-When you're deploying on dedicated hardware (hosts), you're limited in scaling across all App Service plans to the amount of cores in this type of environment. An App Service Environment deployed on dedicated hosts has 132 vCores available. I1v2 uses 2 vCores, I2v2 uses 4 vCores, and I3v2 uses 8 vCores per instance.
+When you're deploying onto dedicated hardware (hosts), you're limited in scaling across all App Service plans to the number of cores in this type of environment. An App Service Environment that's deployed on dedicated hosts has 132 vCores available. I1v2 uses two vCores, I2v2 uses four vCores, and I3v2 uses eight vCores per instance.
## Virtual network support
-The App Service Environment feature is a deployment of the Azure App Service into a single subnet in a customer's virtual network. When you deploy an app into an App Service Environment, the app will be exposed on the inbound address assigned to the App Service Environment. If your App Service Environment is deployed with an internal virtual IP (VIP), then the inbound address for all of the apps will be an address in the App Service Environment subnet. If your App Service Environment is deployed with an external VIP, then the inbound address will be an internet-addressable address and your apps will be in public DNS.
+The App Service Environment feature is a deployment of Azure App Service into a single subnet on a virtual network. When you deploy an app into an App Service Environment, the app is exposed on the inbound address that's assigned to the App Service Environment. If your App Service Environment is deployed with an internal virtual IP (VIP) address, the inbound address for all the apps will be an address in the App Service Environment subnet. If your App Service Environment is deployed with an external VIP address, the inbound address will be an internet-addressable address, and your apps will be in a public Domain Name System.
+
+The number of addresses that are used by an App Service Environment v3 in its subnet will vary, depending on the number of instances and the amount of traffic. Some infrastructure roles are automatically scaled, depending on the number of App Service plans and the load. The recommended size for your App Service Environment v3 subnet is a `/24` Classless Inter-Domain Routing (CIDR) block with 256 addresses in it, because that size can host an App Service Environment v3 that's scaled out to its limit.
-The number of addresses used by an App Service Environment v3 in its subnet will vary based on how many instances you have along with how much traffic. There are infrastructure roles that are automatically scaled depending on the number of App Service plans and the load. The recommended size for your App Service Environment v3 subnet is a `/24` CIDR block with 256 addresses in it as that can host an App Service Environment v3 scaled out to its limit.
+The apps in an App Service Environment don't need any features enabled to access resources on the same virtual network that the App Service Environment is in. If the App Service Environment virtual network is connected to another network, the apps in the App Service Environment can access resources in those extended networks. Traffic can be blocked by user configuration on the network.
-The apps in an App Service Environment don't need any features enabled to access resources in the same virtual network that the App Service Environment is in. If the App Service Environment virtual network is connected to another network, then the apps in the App Service Environment can access resources in those extended networks. Traffic can be blocked by user configuration on the network.
+The multi-tenant version of Azure App Service contains numerous features to enable your apps to connect to your various networks. With those networking features, your apps can act as though they're deployed on a virtual network. The apps in an App Service Environment v3 don't need any added configuration to be on the virtual network.
-The multi-tenant version of Azure App Service contains numerous features to enable your apps to connect to your various networks. Those networking features enable your apps to act as if they were deployed in a virtual network. The apps in an App Service Environment v3 don't need any configuration to be in the virtual network. A benefit of using an App Service Environment over the multi-tenant service is that any network access controls to the App Service Environment hosted apps is external to the application configuration. With the apps in the multi-tenant service, you must enable the features on an app-by-app basis and use Role-based access control or policy to prevent any configuration changes.
+A benefit of using an App Service Environment instead of a multi-tenant service is that any network access controls for the App Service Environment-hosted apps are external to the application configuration. With the apps in the multi-tenant service, you must enable the features on an app-by-app basis and use role-based access control or a policy to prevent any configuration changes.
## Feature differences
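Review bot: "your apps will be in a public Domain Name System" in the external-VIP sentence reads oddly; the deleted wording "in public DNS" is the usual phrasing, so keep it and expand DNS on first use if the style guide requires. The reordered paragraphs otherwise match the deleted text sentence for sentence.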
-Compared to earlier versions of the App Service Environment, there are some differences with App Service Environment v3:
+App Service Environment v3 differs from earlier versions in the following ways:
-- There are no networking dependencies in the customer virtual network. You can secure all inbound and outbound as desired. Outbound traffic can be routed also as desired. -- You can deploy it enabled for zone redundancy. Zone redundancy can only be set during creation and only in regions where all App Service Environment v3 dependencies are zone redundant. -- You can deploy it on a dedicated host group. Host group deployments aren't zone redundant. -- Scaling is much faster than with App Service Environment v2. While scaling still isn't immediate as in the multi-tenant service, it's a lot faster.-- Front end scaling adjustments are no longer required. The App Service Environment v3 front ends automatically scale to meet needs and are deployed on better hosts.-- Scaling no longer blocks other scale operations within the App Service Environment v3 instance. Only one scale operation can be in effect for a combination of OS and size. For example, while your Windows small App Service plan was scaling, you could kick off a scale operation to run at the same time on a Windows medium or anything else other than Windows small. -- Apps in an internal VIP App Service Environment v3 can be reached across global peering. Access across global peering was not possible with previous versions.
+- There are no networking dependencies on the customer's virtual network. You can secure all inbound and outbound traffic and route outbound traffic as you want.
+- You can deploy an App Service Environment v3 that's enabled for zone redundancy. You set zone redundancy only during creation and only in regions where all App Service Environment v3 dependencies are zone redundant.
+- You can deploy an App Service Environment v3 on a dedicated host group. Host group deployments aren't zone redundant.
+- Scaling is much faster than with an App Service Environment v2. Although scaling still isn't immediate, as in the multi-tenant service, it's a lot faster.
+- Front-end scaling adjustments are no longer required. App Service Environment v3 front ends automatically scale to meet your needs and are deployed on better hosts.
+- Scaling no longer blocks other scale operations within the App Service Environment v3. Only one scale operation can be in effect for a combination of OS and size. For example, while your Windows small App Service plan is scaling, you could kick off a scale operation to run at the same time on a Windows medium or anything else other than Windows small.
+- You can reach apps in an internal-VIP App Service Environment v3 across global peering. Such access wasn't possible in earlier versions.
-There are a few features that are not available in App Service Environment v3 that were available in earlier versions of the App Service Environment. In App Service Environment v3, you can't:
+A few features that were available in earlier versions of App Service Environment aren't available in App Service Environment v3. For example, you can no longer do the following:
-- send SMTP traffic. You can still have email triggered alerts but your app can't send outbound traffic on port 25-- deploy your apps with FTP-- use remote debug with your apps-- monitor your traffic with Network Watcher or NSG Flow-- configure a IP-based TLS/SSL binding with your apps-- configure custom domain suffix-- backup/restore operation on a storage account behind a firewall
+- Send SMTP traffic. You can still have email triggered alerts but your app can't send outbound traffic on port 25.
+- Deploy your apps by using FTP.
+- Use remote debugging with your apps.
+- Monitor your traffic with Network Watcher or network security group (NSG) flow logs.
+- Configure an IP-based Transport Layer Security (TLS) or Secure Sockets Layer (SSL) binding with your apps.
+- Configure a custom domain suffix.
+- Perform a backup and restore operation on a storage account behind a firewall.
## Pricing
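Review bot: "email triggered alerts" in the SMTP bullet should be hyphenated as "email-triggered alerts", matching the hyphenation applied to "Front-end" and "Network-isolated" elsewhere in this change.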
-With App Service Environment v3, there is a different pricing model depending on the type of App Service Environment deployment you have. The three pricing models are:
+With App Service Environment v3, the pricing model varies depending on the type of App Service Environment deployment you have. The three pricing models are:
-- **App Service Environment v3**: If App Service Environment is empty, there is a charge as if you had one instance of Windows I1v2. The one instance charge isn't an additive charge but is only applied if the App Service Environment is empty.-- **Zone redundant App Service Environment v3**: There's a minimum charge of nine instances. There's no added charge for availability zone support if you have nine or more App Service plan instances. If you've fewer than nine instances (of any size) across App Service plans in the zone redundant App Service Environment, the difference between nine and the running instance count is charged as additional Windows I1v2 instances.-- **Dedicated host App Service Environment v3**: With a dedicated host deployment, you're charged for two dedicated hosts per our pricing at App Service Environment v3 creation then a small percentage of the Isolated v2 rate per core charge as you scale.
+- **App Service Environment v3**: If the App Service Environment is empty, there's a charge as though you have one instance of Windows I1v2. The one instance charge isn't an additive charge but is applied only if the App Service Environment is empty.
+- **Zone redundant App Service Environment v3**: There's a minimum charge of nine instances. There's no added charge for availability zone support if you have nine or more App Service plan instances. If you have fewer than nine instances (of any size) across App Service plans in the zone redundant App Service Environment, the difference between nine and the running instance count is charged as additional Windows I1v2 instances.
+- **Dedicated host App Service Environment v3**: With a dedicated host deployment, you're charged for two dedicated hosts per our pricing when you create the App Service Environment v3 and then, as you scale, you're charged a small percentage of the Isolated v2 rate per core.
-Reserved Instance pricing for Isolated v2 is available and is described in [How reservation discounts apply to Azure App Service](../../cost-management-billing/reservations/reservation-discount-app-service.md). The pricing, along with reserved instance pricing, is available at [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/windows/) under **Isolated v2 plan**.
+Reserved Instance pricing for Isolated v2 is available and is described in [How reservation discounts apply to Azure App Service](../../cost-management-billing/reservations/reservation-discount-app-service.md). The pricing, along with Reserved Instance pricing, is available at [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/windows/) under the Isolated v2 plan.
## Regions
-The App Service Environment v3 is available in the following regions.
+App Service Environment v3 is available in the following regions:
| Normal and dedicated host regions | Availability zone regions | |||
The App Service Environment v3 is available in the following regions.
## App Service Environment v2
-App Service Environment has three versions: App Service Environment v1, App Service Environment v2, and App Service Environment v3. The preceding information was based on App Service Environment v3. To learn more about App Service Environment v2, see [App Service Environment v2 introduction](./intro.md).
+App Service Environment has three versions: App Service Environment v1, App Service Environment v2, and App Service Environment v3. The information in this article is based on App Service Environment v3. To learn more about App Service Environment v2, see [App Service Environment v2 introduction](./intro.md).
app-service Overview Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-vnet-integration.md
Learn [how to configure application routing](./configure-vnet-integration-routin
We recommend that you use the **Route All** configuration setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33228571-70a4-4fa1-8ca1-26d0aba8d6ef). The existing WEBSITE_VNET_ROUTE_ALL app setting can still be used, and you can enable all traffic routing with either setting.
+#### Configuration routing
+
+When you are using virtual network integration, you can configure how parts of the configuration traffic is managed. By default, the mentioned configurations will go directly to the internet unless you actively configure it to be routed through the virtual network integration.
+
+##### Content storage
+
+Bringing you own storage for content in often used in Functions where [content storage](./../azure-functions/configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) is configured as part of the Functions app.
+
+To route content storage traffic through the virtual network integration, you need to add an app setting named `WEBSITE_CONTENTOVERVNET` with the value `1`. In addition to adding the app setting, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.
+
+##### Container image pull
+
+When using custom containers for Linux, you can pull the container over the virtual network integration. To route the container pull traffic through the virtual network integration, you must add an app setting named `WEBSITE_PULL_IMAGE_OVER_VNET` with the value `true`.
+ #### Network routing You can use route tables to route outbound traffic from your app to wherever you want. Route tables affect your destination traffic. When **Route All** is disabled in [application routing](#application-routing), only private traffic (RFC1918) is affected by your route tables. Common destinations can include firewall devices or gateways. Routes that are set on your integration subnet won't affect replies to inbound app requests.
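Review bot: the NSG guidance in the content-storage paragraph is too broad and should name the destination. `WEBSITE_CONTENTOVERVNET` moves the SMB (445) and HTTPS (443) traffic for the content share onto the integration subnet, so the rule should allow ports 443 and 445 only toward the storage account (its private endpoint address or the `Storage` service tag), not toward any destination, and the storage account's own network rules must admit the integration subnet, or the content share will stop mounting once traffic no longer leaves over the public path. Wording in the same hunk: `how parts of the configuration traffic is managed` should read `are managed`; `the mentioned configurations` should name them (content storage and container image pull) since nothing has been mentioned yet at that point; `Bringing you own storage for content in often used in Functions` should read `Bringing your own storage for content is often used in Functions`; and `allow traffic to port 443 and 445` should read `allows traffic to ports 443 and 445`. It is also worth saying explicitly that the default (direct to the internet) means this traffic is not covered by the **Route All** setting or the built-in policy described just above, which is the reason someone auditing egress would need these two app settings.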
app-service Quickstart Dotnetcore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-dotnetcore.md
Title: "Quickstart: Deploy an ASP.NET web app"
description: Learn how to run web apps in Azure App Service by deploying your first ASP.NET app. ms.assetid: b1e6bd58-48d1-4007-9d6c-53fd6db061e3 Previously updated : 11/08/2021- Last updated : 02/08/2022+ zone_pivot_groups: app-service-ide adobe-target: true adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021
In this quickstart, you'll learn how to create and deploy your first ASP.NET web
### [.NET Framework 4.8](#tab/netframework48) - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).-- <a href="https://www.visualstudio.com/downloads" target="_blank">Visual Studio 2022</a> with the **ASP.NET and web development** workload (make sure the optional checkbox **.NET Framework project and item templates** is selected).
+- <a href="https://www.visualstudio.com/downloads" target="_blank">Visual Studio 2022</a> with the **ASP.NET and web development** workload (ensure the optional checkbox **.NET Framework project and item templates** is selected).
--
If you've already installed Visual Studio 2022:
</a> > [!NOTE]
-> Visual Studio Code is cross-platform, however; .NET Framework is not. If you're developing .NET Framework apps with Visual Studio Code, consider using a Windows machine to satisfy the build dependencies.
+> Visual Studio Code is cross-platform code editor, however; .NET Framework is not. If you're developing .NET Framework apps with Visual Studio Code, consider using a Windows machine to satisfy the build dependencies.
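Review bot: the added NOTE line drops an article and keeps the misplaced semicolon from the old text: `Visual Studio Code is cross-platform code editor, however; .NET Framework is not.` should read `Visual Studio Code is a cross-platform code editor; however, .NET Framework is not.`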
If you've already installed Visual Studio 2022:
### [.NET 6.0](#tab/net60) 1. Open Visual Studio and then select **Create a new project**.
-1. In **Create a new project**, find, and choose **ASP.NET Core Web App**, then select **Next**.
+1. In **Create a new project**, find, and select **ASP.NET Core Web App**, then select **Next**.
1. In **Configure your new project**, name the application _MyFirstAzureWebApp_, and then select **Next**. :::image type="content" source="./media/quickstart-dotnet/configure-webapp-net.png" alt-text="Visual Studio - Configure ASP.NET 6.0 web app." lightbox="media/quickstart-dotnet/configure-webapp-net.png" border="true"::: 1. Select **.NET Core 6.0 (Long-term support)**.
-1. Make sure **Authentication Type** is set to **None**. Select **Create**.
+1. Ensure **Authentication Type** is set to **None**. Select **Create**.
:::image type="content" source="media/quickstart-dotnet/vs-additional-info-net60.png" alt-text="Visual Studio - Additional info when selecting .NET Core 6.0." lightbox="media/quickstart-dotnet/vs-additional-info-net60.png" border="true":::
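Review bot: `find, and select **ASP.NET Core Web App**` has a stray comma after `find`; `find and select **ASP.NET Core Web App**, then select **Next**` reads correctly. The same comma appears in the matching step of the .NET Framework 4.8 tab (`find, and select **ASP.NET Web Application (.NET Framework)**`).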
If you've already installed Visual Studio 2022:
### [.NET Framework 4.8](#tab/netframework48) 1. Open Visual Studio and then select **Create a new project**.
-1. In **Create a new project**, find, and choose **ASP.NET Web Application (.NET Framework)**, then select **Next**.
+1. In **Create a new project**, find, and select **ASP.NET Web Application (.NET Framework)**, then select **Next**.
1. In **Configure your new project**, name the application _MyFirstAzureWebApp_, and then select **Create**. :::image type="content" source="media/quickstart-dotnet/configure-webapp-netframework48.png" alt-text="Visual Studio - Configure ASP.NET Framework 4.8 web app." lightbox="media/quickstart-dotnet/configure-webapp-netframework48.png" border="true"::: 1. Select the **MVC** template.
-1. Make sure **Authentication** is set to **No Authentication**. Select **Create**.
+1. Ensure **Authentication** is set to **No Authentication**. Select **Create**.
:::image type="content" source="media/quickstart-dotnet/vs-mvc-no-auth-netframework48.png" alt-text="Visual Studio - Select the MVC template." lightbox="media/quickstart-dotnet/vs-mvc-no-auth-netframework48.png" border="true":::
If you've already installed Visual Studio 2022:
1. In Visual Studio Code, open the <a href="https://code.visualstudio.com/docs/editor/integrated-terminal" target="_blank">Terminal</a> window by typing `Ctrl` + `` ` ``.
-1. In the terminal in Visual Studio Code, create a new .NET web app using the [`dotnet new webapp`](/dotnet/core/tools/dotnet-new#web-options) command.
+1. In Visual Studio Code terminal, create a new .NET web app using the [`dotnet new webapp`](/dotnet/core/tools/dotnet-new#web-options) command.
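Review bot: `In Visual Studio Code terminal` drops the article; `In the Visual Studio Code terminal` is the intended wording.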
### [.NET 6.0](#tab/net60)
Follow these steps to create your App Service resources and publish your project
:::image type="content" source="media/quickstart-dotnet/vs-publish-target-Azure.png" alt-text="Visual Studio - Publish the web app and target Azure." lightbox="media/quickstart-dotnet/vs-publish-target-Azure.png" border="true":::
-1. Choose the **Specific target**, either **Azure App Service (Linux)** or **Azure App Service (Windows)**. Then, click **Next**.
+1. Choose the **Specific target**, either **Azure App Service (Linux)** or **Azure App Service (Windows)**. Then, select **Next**.
> [!IMPORTANT] > When targeting ASP.NET Framework 4.8, use **Azure App Service (Windows)**.
Follow these steps to create your App Service resources and publish your project
:::image type="content" source="media/quickstart-dotnet/web-app-name.png" border="true" alt-text="Visual Studio - Create app resources dialog." lightbox="media/quickstart-dotnet/web-app-name.png" :::
- Once the wizard completes, the Azure resources are created for you and you are ready to publish your ASP.NET Core project.
+ Once the wizard completes, the Azure resources are created for you and you're ready to publish your ASP.NET Core project.
-1. In the **Publish** dialog, make sure your new App Service app is selected in **App Service instance**, then select **Finish**. Visual Studio creates a publish profile for you for the selected App Service app.
-1. In the **Publish** page, select **Publish**. If you see a warning message, click **Continue**.
+1. In the **Publish** dialog, ensure your new App Service app is selected in **App Service instance**, then select **Finish**. Visual Studio creates a publish profile for you for the selected App Service app.
+1. In the **Publish** page, select **Publish**. If you see a warning message, select **Continue**.
Visual Studio builds, packages, and publishes the app to Azure, and then launches the app in the default browser.
Follow these steps to create your App Service resources and publish your project
1. Select **Create a new App Service plan**, provide a name, and select the **F1 Free** [pricing tier][app-service-pricing-tier]. 1. Select **Skip for now** for the Application Insights resource.
-1. In the popup **Always deploy the workspace "MyFirstAzureWebApp" to \<app-name>"**, select **Yes**. This way, as long as you're in the same workspace, Visual Studio Code deploys to the same App Service app each time.
+1. In the popup **Always deploy the workspace "MyFirstAzureWebApp" to \<app-name>"**, select **Yes** so that Visual Studio Code deploys to the same App Service app every time you're in that workspace.
1. When publishing completes, select **Browse Website** in the notification and select **Open** when prompted. ### [.NET 6.0](#tab/net60)
Follow these steps to create your App Service resources and publish your project
az webapp up --sku F1 --name <app-name> --os-type <os> ```
- - If the `az` command isn't recognized, be sure you have the Azure CLI installed as described in [Prerequisites](#prerequisites).
+ - If the `az` command isn't recognized, ensure you have the Azure CLI installed as described in [Prerequisites](#prerequisites).
- Replace `<app-name>` with a name that's unique across all of Azure (*valid characters are `a-z`, `0-9`, and `-`*). A good pattern is to use a combination of your company name and an app identifier. - The `--sku F1` argument creates the web app on the **Free** [pricing tier][app-service-pricing-tier]. Omit this argument to use a faster premium tier, which incurs an hourly cost. - Replace `<os>` with either `linux` or `windows`. You must use `windows` when targeting *ASP.NET Framework 4.8*. - You can optionally include the argument `--location <location-name>` where `<location-name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az_appservice_list_locations) command.
- The command may take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan, and hosting app, configuring logging, then performing ZIP deployment. It then outputs a message with the app's URL:
+ The command might take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan, and hosting app, configuring logging, then performing ZIP deployment. Then it shows a message with the app's URL:
```azurecli You can launch the app at http://<app-name>.azurewebsites.net
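Review bot: the unchanged bullet in this hunk links the text `az account list-locations` to `/cli/azure/appservice#az_appservice_list_locations`, which documents `az appservice list-locations`, a different command; since this block is already being edited, point the link at the `az account` reference or change the command text so the two match. Also, `the App Service plan, and hosting app` reads better as `the App Service plan, and the hosting app`.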
Follow these steps to create your App Service resources and publish your project
New-AzWebApp -Name <app-name> -Location westeurope ```
- - Replace `<app-name>` with a name that's unique across all of Azure (*valid characters are `a-z`, `0-9`, and `-`*). A good pattern is to use a combination of your company name and an app identifier.
+ - Replace `<app-name>` with a name that's unique across all of Azure (*valid characters are `a-z`, `0-9`, and `-`*). A combination of your company name and an app identifier is a good pattern.
- You can optionally include the parameter `-Location <location-name>` where `<location-name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`Get-AzLocation`](/powershell/module/az.resources/get-azlocation) command.
- The command may take a few minutes to complete. While running, it creates a resource group, an App Service plan, and the App Service resource.
+ The command might take a few minutes to complete. While running, it creates a resource group, an App Service plan, and the App Service resource.
<!-- ### [Deploy to Linux](#tab/linux)
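Review bot: the sample command hardcodes `-Location westeurope`, but the bullet after it says you can optionally include `-Location <location-name>`; either drop the parameter from the sample so the bullet is accurate, or rephrase the bullet as replacing `westeurope` with another region from `Get-AzLocation`.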
Follow these steps to update and redeploy your web app:
Save your changes. 1. In Visual Studio Code, open the [**Command Palette**](https://code.visualstudio.com/docs/getstarted/userinterface#_command-palette), <kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>P</kbd>.
-1. Search for and select "Azure App Service: Deploy to Web App". Remember that your told Visual Studio Code to remember the app to deploy your workspace to in an earlier step.
+1. Search for and select "Azure App Service: Deploy to Web App".
1. Select **Deploy** when prompted. 1. When publishing completes, select **Browse Website** in the notification and select **Open** when prompted.
application-gateway Application Gateway Autoscaling Zone Redundant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-autoscaling-zone-redundant.md
Application Gateway and WAF can be configured to scale in two modes: -- **Autoscaling** - With autoscaling enabled, the Application Gateway and WAF v2 SKUs scale up or down based on application traffic requirements. This mode offers better elasticity to your application and eliminates the need to guess the application gateway size or instance count. This mode also allows you to save cost by not requiring the gateway to run at peak-provisioned capacity for expected maximum traffic load. You must specify a minimum and optionally maximum instance count. Minimum capacity ensures that Application Gateway and WAF v2 don't fall below the minimum instance count specified, even without traffic. Each instance is roughly equivalent to 10 more reserved Capacity Units. Zero signifies no reserved capacity and is purely autoscaling in nature. You can also optionally specify a maximum instance count, which ensures that the Application Gateway doesn't scale beyond the specified number of instances. You'll only be billed for the amount of traffic served by the Gateway. The instance counts can range from 0 to 125. The default value for maximum instance count is 20 if not specified.
+- **Autoscaling** - With autoscaling enabled, the Application Gateway and WAF v2 SKUs scale up or down based on application traffic requirements. This mode offers better elasticity to your application and eliminates the need to guess the application gateway size or instance count. This mode also allows you to save cost by not requiring the gateway to run at peak-provisioned capacity for expected maximum traffic load. You must specify a minimum and optionally maximum instance count. Minimum capacity ensures that Application Gateway and WAF v2 don't fall below the minimum instance count specified, even without traffic. Each instance is roughly equivalent to 10 more reserved Capacity Units. Zero signifies no reserved capacity and is purely autoscaling in nature. You can also optionally specify a maximum instance count, which ensures that the Application Gateway doesn't scale beyond the specified number of instances. You'll only be billed for the amount of traffic served by the Gateway. The instance counts can range from 0 to 125. The default value for maximum instance count is 20 if not specified.
- **Manual** - You can also choose Manual mode where the gateway won't autoscale. In this mode, if there's more traffic than what Application Gateway or WAF can handle, it could result in traffic loss. With manual mode, specifying instance count is mandatory. Instance count can vary from 1 to 125 instances. ## Autoscaling and High Availability
Even if you configure autoscaling with zero minimum instances the service will s
However, creating a new instance can take some time (around six or seven minutes). If you don't want to have this downtime, you can configure a minimum instance count of two, ideally with Availability Zone support. This way you'll have at least two instances in your Azure Application Gateway under normal circumstances. So if one of them had a problem the other will try to handle the traffic while a new instance is being created. An Azure Application Gateway instance can support around 10 Capacity Units, so depending on how much traffic you typically have you might want to configure your minimum instance autoscaling setting to a value higher than two.
+For scale-in events, Application Gateway will drain existing connections for 5 minutes on the instance that is subject for removal. After 5 minutes, existing connections will be closed and the instance removed. Any new connections during or after the 5 minute scale-in time will be established to other existing instances on the same gateway.
## Next steps
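Review bot: `the instance that is subject for removal` should be `subject to removal`, and `5 minute scale-in time` needs a hyphen (`5-minute`). Because the paragraph states that existing connections are closed after 5 minutes, it is worth spelling out the consequence for clients: any connection that outlives the drain window (long polling, WebSockets, large uploads) is terminated and must be retried, so applications behind an autoscaling gateway should be written to tolerate reconnects.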
applied-ai-services Concept Accuracy Confidence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-accuracy-confidence.md
Last updated 02/15/2022-+ # Interpret and improve accuracy and confidence for custom models
applied-ai-services Concept Composed Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-composed-models.md
Last updated 02/15/2022-+ recommendations: false
applied-ai-services Concept Custom Neural https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom-neural.md
Last updated 02/15/2022-+ recommendations: false
applied-ai-services Concept Custom Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom-template.md
Last updated 02/15/2022-+ recommendations: false
applied-ai-services Concept Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom.md
Previously updated : 02/15/2022- Last updated : 02/23/2022+ recommendations: false # Form Recognizer custom models
Custom models can be one of two types, [**custom template**](concept-custom-temp
### Custom neural model
-The custom neural (custom document) model is a deep learning model type that relies on a base model trained on a large collection of documents. This model is then fine-tuned or adapted to your data when you train the model with a labeled dataset. Custom neural models support structured, semi-structured, and unstructured documents to extract fields. Custom neural models currently support English-language documents. When choosing between the two model types, start with a neural model if it meets your functional needs. See [neural models](concept-custom-neural.md) to learn more about custom document models.
+The custom neural (custom document) model is a deep learning model type that relies on a base model trained on a large collection of documents. This model is then fine-tuned or adapted to your data when you train the model with a labeled dataset. Custom neural models support structured, semi-structured, and unstructured documents to extract fields. Custom neural models currently support English-language documents. When you're choosing between the two model types, start with a neural model if it meets your functional needs. See [neural models](concept-custom-neural.md) to learn more about custom document models.
+
+### Build mode
+
+The build custom model operation has added support for the *template* and *neural* custom models. Previous versions of the REST API and SDKs only supported a single build mode that is now known as the *template* mode.
+
+* Template models only accept documents that have the same basic page structureΓÇöa uniform visual appearanceΓÇöor the same relative positioning of elements within the document.
+
+* Neural models support documents that have the same information, but different page structures. Examples of these documents include United States W2 forms, which share the same information, but may vary in appearance by the company that created the document. Neural models currently only support English text.
+
+This table provides links to the build mode programming language SDK references and code samples on GitHub:
+
+|Programming language | SDK reference | Code sample |
+||||
+| C#/.NET | [DocumentBuildMode Struct](/dotnet/api/azure.ai.formrecognizer.documentanalysis.documentbuildmode?view=azure-dotnet-preview&preserve-view=true#properties) | [Sample_BuildCustomModelAsync.cs](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/tests/samples/Sample_BuildCustomModelAsync.cs)
+|Java| [DocumentBuildMode Class](/java/api/com.azure.ai.formrecognizer.administration.models.documentbuildmode?view=azure-java-preview&preserve-view=true#fields) | [BuildModel.java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/BuildModel.java)|
+|JavaScript | [DocumentBuildMode type](/javascript/api/@azure/ai-form-recognizer/documentbuildmode?view=azure-node-preview&preserve-view=true)| [buildModel.js](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v4-beta/javascript/buildModel.js)|
+|Python | [DocumentBuildMode Enum](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.documentbuildmode?view=azure-python-preview&preserve-view=true#fields)| [sample_build_model.py](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_build_model.py)|
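Review bot: `The build custom model operation has added support for the *template* and *neural* custom models` reads oddly with `has added`; `now supports` is clearer. In the table, the Python sample is pinned to the `azure-ai-formrecognizer_3.2.0b3` tag while the C#, Java and JavaScript samples point at `main`; pinned links are the more stable choice for a preview SDK, so consider pinning the other three to a matching release or noting the SDK version the samples target. The C# row is also the only one without a trailing `|`, which is harmless but inconsistent with the other rows.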
## Model features
This table compares the supported data extraction areas:
|Custom template| Γ£ö | Γ£ö | Γ£ö |&#10033; | Γ£ö | |Custom neural| Γ£ö| Γ£ö |**n/a**| **n/a** | **n/a** |
-**Table symbols**: Γ£ö ΓÇö supported; &#10033; ΓÇö preview; **n/a** ΓÇö currently unavailable
+**Table symbols**: ✔—supported; ✱—preview; **n/a—currently unavailable
> [!TIP] > When choosing between the two model types, start with a custom neural model if it meets your functional needs. See [custom neural](concept-custom-neural.md ) to learn more about custom neural models.
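Review bot: the added legend line is missing the closing bold marker: `**n/a—currently unavailable` should be `**n/a**—currently unavailable`, matching the removed line; as written the `**` opens a bold span that runs to the end of the line.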
applied-ai-services Concept General Document https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-general-document.md
Last updated 02/15/2022-+ recommendations: false <!-- markdownlint-disable MD033 -->
applied-ai-services Build Custom Model V3 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/how-to-guides/build-custom-model-v3.md
Last updated 02/16/2022-+ # Build your training dataset for a custom model
You now have all the documents in your dataset labeled. If you look at the stora
With your dataset labeled, you're now ready to train your model. Select the train button in the upper-right corner.
-1. On the train model dialog, provide a unique model ID and, optionally, a description.
+1. On the train model dialog, provide a unique model ID and, optionally, a description. The model ID accepts a string data type.
1. For the build mode, select the type of model you want to train. Learn more about the [model types and capabilities](../concept-custom.md).
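Review bot: `The model ID accepts a string data type.` tells the reader little on its own; if there are constraints on the ID (length, allowed characters, whether it must be unique per resource), state them in this step, otherwise the sentence can be dropped.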
applied-ai-services Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/managed-identities.md
Previously updated : 01/26/2022 Last updated : 02/22/2022
-# Create and use managed identities with Form Recognizer
+# Managed identities for Form Recognizer
-> [!IMPORTANT]
-> Azure RBAC (Azure role-based access control) assignment is currently in preview and not recommended for production workloads. Certain features may not be supported or have constrained capabilities. Azure RBAC assignments are used to grant permissions for managed identity.
+Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources:
-## What is managed identity?
+* You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications. Unlike security keys and authentication tokens, managed identities eliminate the need for developers to manage credentials.
-Azure managed identity is a service principal. It creates an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. You can use a managed identity to grant access to any resource that supports Azure AD authentication. To grant access, assign a role to a managed identity using [Azure RBAC](../../role-based-access-control/overview.md) (Azure role-based access control). There's no added cost to use managed identity in Azure.
+* To grant access to an Azure resource, assign an Azure role to a managed identity using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
-Managed identity supports both privately and publicly accessible Azure blob storage accounts. For storage accounts with public access, you can opt to use a shared access signature (SAS) to grant limited access. In this article, you'll learn to enable a system-assigned managed identity for your Form Recognizer instance.
+* There's no added cost to use managed identities in Azure.
-## Private storage account access
-> [!NOTE]
->
-> Form Recognizer only supports system-assigned managed identities today. User-assigned managed identities is on the roadmap and will be enabled in the near future.
+> [!TIP]
+> Managed identities eliminate the need for you to manage credentials, including Shared Access Signature (SAS) tokens. Managed identities are a safer way to grant access to data without having credentials in your code.
+## Private storage account access
Private Azure storage account access and authentication are supported by [managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). If you have an Azure storage account, protected by a Virtual Network (VNet) or firewall, Form Recognizer can't directly access your storage account data. However, once a managed identity is enabled, Form Recognizer can access your storage account using an assigned managed identity credential.
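Review bot: `Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity` is circular: a managed identity is the Azure AD identity (backed by a service principal) that Azure creates and manages for a resource; it does not create one. Suggested: `A managed identity for Azure resources is an Azure Active Directory (Azure AD) identity, backed by a service principal, that Azure manages for you and that you can grant specific permissions to`. Two removals in this hunk deserve a check: the note that only system-assigned identities are supported is covered again in the Managed identity assignments section, so nothing is lost there, but the removed IMPORTANT box about Azure RBAC assignment being in preview has no replacement, so confirm that the preview status has actually ended before this merges rather than silently dropping the caveat.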
To get started, you'll need:
* A [**Form Recognizer**](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) or [**Cognitive Services**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource in the Azure portal. For detailed steps, _see_ [Create a Cognitive Services resource using the Azure portal](../../cognitive-services/cognitive-services-apis-create-account.md?tabs=multiservice%2cwindows).
-* An [**Azure blob storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Form Recognizer resource. You'll create containers to store and organize your blob data within your storage account.
+* An [**Azure blob storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Form Recognizer resource. You'll create containers to store and organize your blob data within your storage account.
* If your storage account is behind a firewall, **you must enable the following configuration**: </br></br>
To get started, you'll need:
## Managed identity assignments
-There are two types of managed identity: **system-assigned** and **user-assigned**. Currently, Form Recognizer is supported by system-assigned managed identity. A system-assigned managed identity is **enabled** directly on a service instance. It isn't enabled by default; you have to go to your resource and update the identity setting. The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.
+There are two types of managed identity: **system-assigned** and **user-assigned**. Currently, Form Recognizer supports system-assigned managed identity:
+
+* A system-assigned managed identity is **enabled** directly on a service instance. It isn't enabled by default; you must go to your resource and update the identity setting.
+
+* The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.
In the following steps, we'll enable a system-assigned managed identity and grant Form Recognizer limited access to your Azure blob storage account.
In the following steps, we'll enable a system-assigned managed identity and gran
1. In the main window, toggle the **System assigned Status** tab to **On**.
+## Grant access to your storage account
+
+You need to grant Form Recognizer access to your storage account before it can create, read, or delete blobs. Now that you've enabled Form Recognizer with a system-assigned managed identity, you can use Azure role-based access control (Azure RBAC), to give Form Recognizer access to Azure storage. The **Storage Blob Data Reader** role gives Form Recognizer (represented by the system-assigned managed identity) read and list access to the blob container and data.
+ 1. Under **Permissions** select **Azure role assignments**: :::image type="content" source="media/managed-identities/enable-system-assigned-managed-identity-portal.png" alt-text="Screenshot: enable system-assigned managed identity in Azure portal.":::
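Review bot: the first sentence of the new section says Form Recognizer needs access `before it can create, read, or delete blobs`, but the role being assigned is **Storage Blob Data Reader**, which the same paragraph correctly describes as read and list access. Training and analysis only need to read the documents, so say `before it can read blobs` (or `list and read blobs`) rather than implying write or delete; the current wording invites readers to grant a broader role than the walkthrough needs.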
In the following steps, we'll enable a system-assigned managed identity and gran
> > If you're unable to assign a role in the Azure portal because the Add > Add role assignment option is disabled or you get the permissions error, "you do not have permissions to add role assignment at this scope", check that you're currently signed in as a user with an assigned a role that has Microsoft.Authorization/roleAssignments/write permissions such as Owner or User Access Administrator at the Storage scope for the storage resource.
- 7. Next, you're going to assign a **Storage Blob Data Reader** role to your Form Recognizer service resource. In the **Add role assignment** pop-up window complete the fields as follows and select **Save**:
+1. Next, you're going to assign a **Storage Blob Data Reader** role to your Form Recognizer service resource. In the **Add role assignment** pop-up window complete the fields as follows and select **Save**:
| Field | Value| ||--|
- |**Scope**| ***Storage***|
- |**Subscription**| ***The subscription associated with your storage resource***.|
- |**Resource**| ***The name of your storage resource***|
- |**Role** | ***Storage Blob Data Reader***ΓÇöallows for read access to Azure Storage blob containers and data.|
+ |**Scope**| **_Storage_**|
+ |**Subscription**| **_The subscription associated with your storage resource_**.|
+ |**Resource**| **_The name of your storage resource_**|
+ |**Role** | **_Storage Blob Data Reader_**ΓÇöallows for read access to Azure Storage blob containers and data.|
:::image type="content" source="media/managed-identities/add-role-assignment-window.png" alt-text="Screenshot: add role assignments page in the Azure portal.":::
In the following steps, we'll enable a system-assigned managed identity and gran
:::image type="content" source="media/managed-identities/assigned-roles-window.png" alt-text="Screenshot: Azure role assignments window.":::
- That's it! You've completed the steps to enable a system-assigned managed identity. With this identity credential, you can grant Form Recognizer-specific access rights to documents and files stored in your BYOS account.
+ That's it! You've completed the steps to enable a system-assigned managed identity. With managed identity and Azure RBAC, you granted Form Recognizer specific access rights to your storage resource without having to manage credentials such as SAS tokens.
## Learn more about managed identity > [!div class="nextstepaction"]
-> [Managed identities for Azure resources: frequently asked questions - Azure AD](../../active-directory/managed-identities-azure-resources/managed-identities-faq.md)
+> [Access Azure Storage form a web app using managed identities](/azure/app-service/scenario-secure-app-access-storage?toc=/azure/applied-ai-services/form-recognizer/toc.json&bc=/azure/applied-ai-services/form-recognizer/breadcrumb/toc.json )
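Review bot: the opening sentence of the new "Grant access to your storage account" section says Form Recognizer needs access "before it can create, read, or delete blobs", but the only role the procedure assigns is Storage Blob Data Reader, which the same paragraph and the Role row of the table correctly describe as read and list access; drop "create" and "delete" or say which role write scenarios need, otherwise readers will assign Reader and wonder why writes fail. Two related points: the table sets Scope to Storage, that is, the whole storage account, so the identity can read every container in the account; since the closing paragraph presents this as the replacement for SAS tokens, it is worth adding that the same role assignment can be scoped to the one container Form Recognizer reads from. And the new next-step link text "Access Azure Storage form a web app using managed identities" should read "from a web app".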
applied-ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/service-limits.md
Last updated 02/15/2022-+ # Form Recognizer service Quotas and Limits
applied-ai-services V3 Migration Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/v3-migration-guide.md
Last updated 02/15/2022-+ recommendations: false
automation Extension Based Hybrid Runbook Worker Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/extension-based-hybrid-runbook-worker-install.md
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookW
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/delete | Deletes a Hybrid Runbook Worker. - ## Next steps
-* To learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environment, see [Run runbooks on a Hybrid Runbook Worker](automation-hrw-run-runbooks.md).
+To learn about Azure VM extensions, see:
+
+ - [Azure VM extensions and features for Windows](/azure/virtual-machines/extensions/features-windows).
+ - [Azure VM extensions and features for Linux](/azure/virtual-machines/extensions/features-linux).
-* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues](troubleshoot/extension-based-hybrid-runbook-worker.md).
+To learn about VM extensions for Arc-enabled servers, see:
+- [VM extension management with Azure Arc-enabled servers](/azure/azure-arc/servers/manage-vm-extensions).
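Review bot: the replacement Next steps drop the two links that were specific to this article, "Run runbooks on a Hybrid Runbook Worker" (automation-hrw-run-runbooks.md) and "Troubleshoot Hybrid Runbook Worker issues" (troubleshoot/extension-based-hybrid-runbook-worker.md), in favour of generic VM-extension references. Someone who has just installed the extension-based worker needs the run and troubleshoot pages more than the extension feature overviews; keep the two removed bullets and add the extension and Arc links after them.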
automation Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/whats-new.md
This page is updated monthly, so revisit it regularly. If you're looking for ite
To strengthen the overall Azure Automation security posture, the built-in RBAC Reader role would not have access to Automation account keys through the API call - `GET /automationAccounts/agentRegistrationInformation`. Read [here](/azure/automation/automation-role-based-access-control#reader) for more information. +
+### Restore deleted Automation Accounts
+
+**Type:** New change
+
+Users can now restore an Automation account deleted within 30 days. Read [here](/azure/automation/delete-account?tabs=azure-portal#restore-a-deleted-automation-account) for more information.
++ ## December 2021 ### New scripts added for Azure VM management based on Azure Monitor Alert
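Review bot: the new "Restore deleted Automation Accounts" entry says only that an account "deleted within 30 days" can be restored. For a change with security consequences the entry should say what comes back with the account, in particular whether runbooks, stored credentials and certificates, the managed identity and the account's role assignments are restored as they were, or the link text should make clear that the linked page answers that; as written a reader cannot tell whether a restored account regains its previous access.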
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Arc-enabled Kubernetes description: Sample Azure Resource Graph queries for Azure Arc-enabled Kubernetes showing use of resource types and tables to access Azure Arc-enabled Kubernetes related resources and properties. Previously updated : 01/20/2022 Last updated : 02/16/2022
azure-arc Tutorial Use Gitops Flux2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-use-gitops-flux2.md
description: "This tutorial shows how to use GitOps with Flux v2 to manage confi
keywords: "GitOps, Flux, Kubernetes, K8s, Azure, Arc, AKS, Azure Kubernetes Service, containers, devops" Previously updated : 1/24/2022 Last updated : 2/22/2022 --
GitOps with Flux v2 can be enabled in Azure Kubernetes Service (AKS) managed clu
This tutorial describes how to use GitOps in a Kubernetes cluster. Before you dive in, take a moment to [learn how GitOps with Flux works conceptually](./conceptual-gitops-flux2.md).
-General availability of Azure Arc-enabled Kubernetes includes GitOps with Flux v1. The public preview of GitOps with Flux v2, documented here, is available in both Azure Arc-enabled Kubernetes and AKS. Flux v2 is the way forward, and Flux v1 will eventually be deprecated.
+General availability of Azure Arc-enabled Kubernetes includes GitOps with Flux v1. The public preview of GitOps with Flux v2, documented here, is available in both AKS and Azure Arc-enabled Kubernetes. Flux v2 is the way forward, and Flux v1 will eventually be deprecated.
+
+>[!IMPORTANT]
+>GitOps with Flux v2 is in public preview. In preparation for general availability, features are still being added to the preview. One important feature, multi-tenancy, could be a breaking change for some users. To prepare yourself for the release of multi-tenancy, [please review these details](#multi-tenancy).
## Prerequisites
To manage GitOps through the Azure CLI or the Azure portal, you need the followi
* Read and write permissions on the `Microsoft.ContainerService/managedClusters` resource type. * Registration of your subscription with the `AKS-ExtensionManager` feature flag. Use the following command:
- ```azurecli
+ ```console
az feature register --namespace Microsoft.ContainerService --name AKS-ExtensionManager ```
To manage GitOps through the Azure CLI or the Azure portal, you need the followi
* Azure CLI version 2.15 or later. [Install the Azure CLI](/cli/azure/install-azure-cli) or use the following commands to update to the latest version:
- ```azurecli
+ ```console
az version az upgrade ``` * Registration of the following Azure service providers. (It's OK to re-register an existing provider.)
- ```azurecli
+ ```console
az provider register --namespace Microsoft.Kubernetes az provider register --namespace Microsoft.ContainerService az provider register --namespace Microsoft.KubernetesConfiguration
To manage GitOps through the Azure CLI or the Azure portal, you need the followi
Registration is an asynchronous process and should finish within 10 minutes. Use the following code to monitor the registration process:
- ```azurecli
+ ```console
az provider show -n Microsoft.KubernetesConfiguration -o table
- ```
- ```output
Namespace RegistrationPolicy RegistrationState -- - Microsoft.KubernetesConfiguration RegistrationRequired Registered
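Review bot: merging the separate ```output fence into the ```console block (`az provider show -n Microsoft.KubernetesConfiguration -o table` is now followed directly by its "Namespace RegistrationPolicy RegistrationState" table in one fence) leaves no cue where the command ends and the output begins, because none of the commands carry a `$` prompt; in a `console` fence the convention is to prefix commands with `$` so output lines are distinguishable and a copied block does not try to run the output as commands. The same applies to the other merged blocks in this file (`az extension list -o table`, `az k8s-configuration flux create ...`, `az k8s-configuration flux show ...`, and the `-h` listings). Also, the fence change from `azurecli` to `console` is applied to every block; if it was done to fix rendering of the mixed command-and-output blocks, the command-only blocks (`az extension add`, `az k8s-configuration flux delete`, `az k8s-extension delete`) could keep `azurecli`.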
The GitOps agents require TCP on port 443 (`https://:443`) to function. The agen
Install the latest `k8s-configuration` and `k8s-extension` CLI extension packages:
-```azurecli
+```console
az extension add -n k8s-configuration az extension add -n k8s-extension ``` To update these packages, use the following commands:
-```azurecli
+```console
az extension update -n k8s-configuration az extension update -n k8s-extension ``` To see the list of az CLI extensions installed and their versions, use the following command:
-```azurecli
+```console
az extension list -o table
-```
-```output
Experimental ExtensionType Name Path Preview Version - -- -- -- -- -- False whl connectedk8s C:\Users\somename\.azure\cliextensions\connectedk8s False 1.2.0
In the following example:
If the `microsoft.flux` extension isn't already installed in the cluster, it will be installed.
-```azurecli
+```console
az k8s-configuration flux create -g flux-demo-rg -c flux-demo-arc -n gitops-demo --namespace gitops-demo -t connectedClusters --scope cluster -u https://github.com/fluxcd/flux2-kustomize-helm-example --branch main --kustomization name=infra path=./infrastructure prune=true --kustomization name=apps path=./apps/staging prune=true dependsOn=["infra"]
-```
-```output
Command group 'k8s-configuration flux' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus Warning! https url is being used without https auth params, ensure the repository url provided is not a private repo 'Microsoft.Flux' extension not found on the cluster, installing it now. This may take a few minutes...
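Review bot: the sample `az k8s-configuration flux create ... --scope cluster ...` is shown without saying what cluster scope grants: the configuration can then apply objects into any namespace (the multi-tenancy section later depends on that when the HelmRelease targets the nginx namespace), whereas `--scope namespace` confines it to its own namespace and is the lower-privilege choice when that is all a configuration needs. Say next to the command why cluster scope is required for this sample. The reproduced output line "Warning! https url is being used without https auth params, ensure the repository url provided is not a private repo" also deserves one sentence saying it is expected for this public repository and what to pass for a private one.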
Creating the flux configuration 'gitops-demo' in the cluster. This may take a fe
Show the configuration after time to finish reconciliations.
-```azurecli
+```console
az k8s-configuration flux show -g flux-demo-rg -c flux-demo-arc -n gitops-demo -t connectedClusters
-```
-```output
Command group 'k8s-configuration flux' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus { "complianceState": "Compliant",
statefulset.apps/redis-master 1/1 95m
You can delete the Flux configuration by using the following command. This action deletes both the `fluxConfigurations` resource in Azure and the Flux configuration objects in the cluster. Because the Flux configuration was originally created with the `prune=true` parameter for the kustomization, all of the objects created in the cluster based on manifests in the Git repository will be removed when the Flux configuration is removed.
-```azurecli
+```console
az k8s-configuration flux delete -g flux-demo-rg -c flux-demo-arc -n gitops-demo -t connectedClusters --yes ```
If the Flux extension was created automatically when the Flux configuration was
For an Azure Arc-enabled Kubernetes cluster, use this command:
-```azurecli
+```console
az k8s-extension delete -g flux-demo-rg -c flux-demo-arc -n flux -t connectedClusters --yes ```
The `source`, `helm`, `kustomize`, and `notification` Flux controllers are insta
Here's an example for including the [Flux image-reflector and image-automation controllers](https://fluxcd.io/docs/components/image/). If the Flux extension was created automatically when a Flux configuration was first created, the extension name will be `flux`.
-```azurecli
+```console
az k8s-extension create -g <cluster_resource_group> -c <cluster_name> -t <connectedClusters or managedClusters> --name flux --extension-type microsoft.flux --config image-automation-controller.enabled=true image-reflector-controller.enabled=true ```
For a description of all parameters that Flux supports, see the [official Flux d
You can see the full list of parameters that the `k8s-configuration flux` CLI command supports by using the `-h` parameter:
-```azurecli
+```console
az k8s-configuration flux -h
-```
-```output
Group az k8s-configuration flux : Commands to manage Flux v2 Kubernetes configurations. This command group is in preview and under development. Reference and support levels:
Commands:
Here are the parameters for the `k8s-configuration flux create` CLI command:
-```azurecli
+```console
az k8s-configuration flux create -h
-```
-```output
This command is from the following extension: k8s-configuration Command
kubectl create secret generic -n flux-config my-custom-secret --from-file=identi
For both cases, when you create the Flux configuration, use `--local-auth-ref my-custom-secret` in place of the other authentication parameters:
-```azurecli
+```console
az k8s-configuration flux create -g <cluster_resource_group> -c <cluster_name> -n <config_name> -t connectedClusters --scope cluster --namespace flux-config -u <git-repo-url> --kustomization name=kustomization1 --local-auth-ref my-custom-secret ``` Learn more about using a local Kubernetes secret with these authentication methods:
Learn more about using a local Kubernetes secret with these authentication metho
* [Bucket static authentication](https://fluxcd.io/docs/components/source/buckets/#static-authentication) >[!NOTE]
->If you need Flux to access the source through your proxy, you'll need to update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md?tabs=azure-cli#connect-using-an-outbound-proxy-server).
+>If you need Flux to access the source through your proxy, you'll need to update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md?tabs=azure-cli-connect-using-an-outbound-proxy-server).
### Git implementation
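Review bot: the edited proxy link in the NOTE above is broken. The old target `quickstart-connect-cluster.md?tabs=azure-cli#connect-using-an-outbound-proxy-server` carried the section anchor after `#`; the new `quickstart-connect-cluster.md?tabs=azure-cli-connect-using-an-outbound-proxy-server` folds the anchor into the `tabs` query value, so the page opens at the top with an unknown tab selected. Restore the `#` so the link reads `?tabs=azure-cli#connect-using-an-outbound-proxy-server`.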
By using `az k8s-configuration flux create`, you can create one or more kustomiz
You can also use `az k8s-configuration flux kustomization` to create, update, list, show, and delete kustomizations in a Flux configuration:
-```azurecli
+```console
az k8s-configuration flux kustomization -h
-```
-```output
Group az k8s-configuration flux kustomization : Commands to manage Kustomizations associated with Flux v2 Kubernetes configurations.
Commands:
Here are the kustomization creation options:
-```azurecli
+```console
az k8s-configuration flux kustomization create -h
-```
-```output
This command is from the following extension: k8s-configuration Command
spec:
By using this annotation, the HelmRelease that is deployed will be patched with the reference to the configured source. Note that only GitRepository source is supported for this currently.
+## Multi-tenancy
+
+Flux v2 supports [multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy). This capability will be integrated into Azure GitOps with Flux v2 prior to general availability.
+
+>[!NOTE]
+>This will be a breaking change if you have any cross-namespace sourceRef for HelmRelease, Kustomization, ImagePolicy, or other objects. To prepare for the release of this multi-tenancy feature, take one of these actions:
+>
+>* (Recommended) Assure that all sourceRef are to objects within the same namespace as the GitOps configuration.
+>* If you need time to migrate, you can opt-out of multi-tenancy.
+
+### Update manifests for multi-tenancy
+
+LetΓÇÖs say we deploy a `fluxConfiguration` to one of our Kubernetes clusters in the **cluster-config** namespace with cluster scope. We configure the source to sync the https://github.com/fluxcd/flux2-kustomize-helm-example repo. This is the same sample Git repo used in the tutorial earlier in this doc. After Flux syncs the repo, it will deploy the resources described in the manifests (yamls). Two of the manifests describe HelmRelease and HelmRepository objects.
+
+```yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: nginx
+ namespace: nginx
+spec:
+ releaseName: nginx-ingress-controller
+ chart:
+ spec:
+ chart: nginx-ingress-controller
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami
+ namespace: flux-system
+ version: "5.6.14"
+ interval: 1h0m0s
+ install:
+ remediation:
+ retries: 3
+ # Default values
+ # https://github.com/bitnami/charts/blob/master/bitnami/nginx-ingress-controller/values.yaml
+ values:
+ service:
+ type: NodePort
+```
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: bitnami
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: https://charts.bitnami.com/bitnami
+```
+
+By default, the Flux extension will deploy the `fluxConfigurations` by impersonating the **flux-applier** service account that is deployed only in the **cluster-config** namespace. Using the above manifests, when multi-tenancy is enabled the HelmRelease would be blocked. This is because the HelmRelease is in the **nginx** namespace and is referencing a HelmRepository in the **flux-system** namespace. Also, the Flux helm-controller cannot apply the HelmRelease, because there is no **flux-applier** service account in the **nginx** namespace.
+
+To work with multi-tenancy, the correct approach is to deploy all Flux objects into the same namespace as the `fluxConfigurations`. This avoids the cross-namespace reference issue, and allows the Flux controllers to get the permissions to apply the objects. Thus, for a GitOps configuration created in the **cluster-config** namespace, the above manifests would change to these:
+
+```yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: nginx
+ namespace: cluster-config
+spec:
+ releaseName: nginx-ingress-controller
+ targetNamespace: nginx
+ chart:
+ spec:
+ chart: nginx-ingress-controller
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami
+ namespace: cluster-config
+ version: "5.6.14"
+ interval: 1h0m0s
+ install:
+ remediation:
+ retries: 3
+ # Default values
+ # https://github.com/bitnami/charts/blob/master/bitnami/nginx-ingress-controller/values.yaml
+ values:
+ service:
+ type: NodePort
+```
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: bitnami
+ namespace: cluster-config
+spec:
+ interval: 30m
+ url: https://charts.bitnami.com/bitnami
+```
+
+### Opt out of multi-tenancy
+
+Multi-tenancy will be enabled by default to assure security by default in your clusters. However, if you need to disable multi-tenancy, you can opt out by creating or updating the `microsoft.flux` extension in your clusters with "--configuration-settings multiTenancy.enforce=false".
+
+```console
+az k8s-extension create --extension-type microsoft.flux --configuration-settings multiTenancy.enforce=false -c CLUSTER_NAME -g RESOURCE_GROUP -n flux -t <managedClusters or connectedClusters>
+
+or
+
+az k8s-extension update --configuration-settings multiTenancy.enforce=false -c CLUSTER_NAME -g RESOURCE_GROUP -n flux -t <managedClusters or connectedClusters>
+```
+ ## Migrate from Flux v1 If you've been using Flux v1 in Azure Arc-enabled Kubernetes or AKS clusters and want to migrate to using Flux v2 in the same clusters, you first need to delete the Flux v1 `sourceControlConfigurations` from the clusters. The `microsoft.flux` cluster extension won't be installed if there are `sourceControlConfigurations` resources installed in the cluster. Use these az CLI commands to find and then delete existing `sourceControlConfigurations` in a cluster:
-```azurecli
+```console
az k8s-configuration list --cluster-name <Arc or AKS cluster name> --cluster-type <connectedClusters OR managedClusters> --resource-group <resource group name> az k8s-configuration delete --name <configuration name> --cluster-name <Arc or AKS cluster name> --cluster-type <connectedClusters OR managedClusters> --resource-group <resource group name> ```
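Review bot: the "Opt out of multi-tenancy" block puts two alternative commands and a bare `or` line in one ```console fence, so a copied block is not runnable; split it into two fences, one for `az k8s-extension create --extension-type microsoft.flux --configuration-settings multiTenancy.enforce=false ...` and one for the `az k8s-extension update ...` form. More importantly, the paragraph justifies the default only with "to assure security by default" and never says what the opt-out gives up: with `multiTenancy.enforce=false` a Kustomization or HelmRelease in one namespace can again reference a source in another namespace, so one tenant's Git repository can deploy into a namespace it does not own; state that plainly so the flag is not treated as a harmless compatibility switch. In the rewritten manifests the HelmRelease moves to cluster-config and adds `targetNamespace: nginx`, but nothing shown creates the nginx namespace; either add a Namespace manifest or `install.createNamespace: true` to the HelmRelease so the example reconciles. Wording: "Assure that all sourceRef are to objects" should be "Ensure that all sourceRef fields point to objects", and the curly apostrophe in "Let's say we deploy" should be a plain apostrophe (it appears mis-encoded in the diff).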
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Arc description: Sample Azure Resource Graph queries for Azure Arc showing use of resource types and tables to access Azure Arc related resources and properties. Previously updated : 01/20/2022 Last updated : 02/16/2022
azure-arc Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/agent-overview.md
Title: Overview of the Azure Connected Machine agent description: This article provides a detailed overview of the Azure Arc-enabled servers agent available, which supports monitoring virtual machines hosted in hybrid environments. Previously updated : 01/19/2022 Last updated : 02/23/2022
The following versions of the Windows and Linux operating system are officially
* Oracle Linux 7 (x64) > [!WARNING]
-> The Linux hostname or Windows computer name cannot use one of the reserved words or trademarks in the name, otherwise attempting to register the connected machine with Azure will fail. See [Resolve reserved resource name errors](../../azure-resource-manager/templates/error-reserved-resource-name.md) for a list of the reserved words.
+> The Linux hostname or Windows computer name cannot use one of the reserved words or trademarks in the name, otherwise attempting to register the connected machine with Azure will fail. For a list of reserved words, see [Resolve reserved resource name errors](../../azure-resource-manager/templates/error-reserved-resource-name.md).
> [!NOTE]
-> While Azure Arc-enabled servers supports Amazon Linux, the following do not support this distro:
+> While Azure Arc-enabled servers supports Amazon Linux, the following do not support this distribution:
> > * The Dependency agent used by Azure Monitor VM insights > * Azure Automation Update Management
Azure Arc-enabled servers depend on the following Azure resource providers in yo
* **Microsoft.GuestConfiguration** * **Microsoft.HybridConnectivity**
-If they are not registered, you can register them using the following commands:
+If these resource providers are not already registered, you can register them using the following commands:
Azure PowerShell:
az provider register --namespace 'Microsoft.GuestConfiguration'
az provider register --namespace 'Microsoft.HybridConnectivity' ```
-You can also register the resource providers in the Azure portal by following the steps under [Azure portal](../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal).
+You can also register the resource providers in the [Azure portal](../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal).
### Transport Layer Security 1.2 protocol
URLs:
|`dc.services.visualstudio.com`|Agent telemetry| |`guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com`|Notification service|
-For a list of IP addresses for each service tag/region, see the JSON file - [Azure IP Ranges and Service Tags ΓÇô Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. This information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the **AzureCloud** Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic.
+For a list of IP addresses for each service tag/region, see the JSON file [Azure IP Ranges and Service Tags ΓÇô Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). Microsoft publishes weekly updates containing each Azure Service and the IP ranges it uses. This information in the JSON file is the current point-in-time list of the IP ranges that correspond to each service tag. The IP addresses are subject to change. If IP address ranges are required for your firewall configuration, then the **AzureCloud** Service Tag should be used to allow access to all Azure services. Do not disable security monitoring or inspection of these URLs, allow them as you would other Internet traffic.
-For more information, review [Service tags overview](../../virtual-network/service-tags-overview.md).
+For more information, see [Virtual network service tags](../../virtual-network/service-tags-overview.md).
## Installation and configuration
-Connecting machines in your hybrid environment directly with Azure can be accomplished using different methods depending on your requirements. The following table highlights each method to determine which works best for your organization.
-
-> [!IMPORTANT]
-> The Connected Machine agent cannot be installed on an Azure Windows virtual machine. If you attempt to, the installation detects this and rolls back.
+Connecting machines in your hybrid environment directly with Azure can be accomplished using different methods, depending on your requirements and the tools you prefer to use. The following table highlights each method so that you can determine which works best for your deployment.
| Method | Description | |--|-|
-| Interactively | Manually install the agent on a single or small number of machines following the steps in [Connect machines from Azure portal](onboard-portal.md).<br> From the Azure portal, you can generate a script and execute it on the machine to automate the install and configuration steps of the agent.|
-| At scale | Install and configure the agent for multiple machines following the [Connect machines using a Service Principal](onboard-service-principal.md).<br> This method creates a service principal to connect machines non-interactively.|
-| At scale | Install and configure the agent for multiple machines following the method [Connect hybrid machines to Azure from Automation Update Management](onboard-update-management-machines.md).<br> This method creates a service principal, and installs and configures the agent for multiple machines managed with Azure Automation Update Management to connect machines non-interactively. |
-| At scale | Install and configure the agent for multiple machines following the method [Using Windows PowerShell DSC](onboard-dsc.md).<br> This method uses a service principal to connect machines non-interactively with PowerShell DSC. |
+| Interactively | Manually install the agent on a single or small number of machines by [connecting machines using a deployment script](onboard-portal.md).<br> From the Azure portal, you can generate a script and execute it on the machine to automate the install and configuration steps of the agent.|
+| Interactively | [Connect machines from Windows Admin Center](onboard-windows-admin-center.md) |
+| Interactively or at scale | [Connect machines using PowerShell](onboard-powershell.md) |
+| Interactively or at scale | [Connect machines using Windows PowerShell Desired State Configuration (DSC)](onboard-dsc.md) |
+| At scale | [Connect machines using a service principal](onboard-service-principal.md) to install the agent at scale non-interactively.|
+| At scale | [Connect machines by running PowerShell scripts with Configuration Manager](onboard-configuration-manager-powershell.md)
+| At scale | [Connect machines with a Configuration Manager custom task sequence](onboard-configuration-manager-custom-task.md)
+| At scale | [Connect machines from Automation Update Management](onboard-update-management-machines.md) to create a service principal that installs and configures the agent for multiple machines managed with Azure Automation Update Management to connect machines non-interactively. |
++++
+> [!IMPORTANT]
+> The Connected Machine agent cannot be installed on an Azure Windows virtual machine. If you attempt to, the installation detects this and rolls back.
## Connected Machine agent technical overview
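Review bot: the two Configuration Manager rows in the new table end without the closing `|` and have no description cell, unlike every other row (`| At scale | [Connect machines by running PowerShell scripts with Configuration Manager](onboard-configuration-manager-powershell.md)` and the custom task sequence row), so they may render with a dangling cell; add the trailing pipe and a one-line description in the same style as the service principal row. The run of four added blank lines before the relocated IMPORTANT block can collapse to one. The descriptive text that the old rows carried for the PowerShell DSC method ("uses a service principal to connect machines non-interactively") was dropped; that detail tells a reader which methods need a service principal and is worth keeping in the Description column.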
Connecting machines in your hybrid environment directly with Azure can be accomp
The Connected Machine agent for Windows can be installed by using one of the following three methods:
-* Double-click the file `AzureConnectedMachineAgent.msi`.
+* Running the file `AzureConnectedMachineAgent.msi`.
* Manually by running the Windows Installer package `AzureConnectedMachineAgent.msi` from the Command shell. * From a PowerShell session using a scripted method.
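Review bot: after the edit the first two installation-method bullets say the same thing: "Running the file `AzureConnectedMachineAgent.msi`" and "Manually by running the Windows Installer package `AzureConnectedMachineAgent.msi` from the Command shell". The removed wording "Double-click" was what distinguished the interactive install from the command-shell one; either say "Interactively, by opening `AzureConnectedMachineAgent.msi`" or merge the two bullets, and make the three bullets grammatically parallel with the third ("From a PowerShell session using a scripted method").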
azure-arc Onboard Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-service-principal.md
Title: Connect hybrid machines to Azure at scale description: In this article, you learn how to connect machines to Azure using Azure Arc-enabled servers using a service principal. Previously updated : 02/16/2022 Last updated : 02/23/2022
If you don't have an Azure subscription, create a [free account](https://azure.m
You can create a service principal in the Azure portal or by using Azure PowerShell. > [!NOTE]
-> To create a service principal and assign roles, your account must be a member of the **Owner** or **User Access Administrator** role in the subscription that you want to use for onboarding.
+> To assign Arc-enabled server roles, your account must be a member of the **Owner** or **User Access Administrator** role in the subscription that you want to use for onboarding.
### Azure portal
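Review bot: the reworded note now covers only role assignment ("To assign Arc-enabled server roles, your account must be a member of the Owner or User Access Administrator role in the subscription"), but it is attached to "You can create a service principal in the Azure portal or by using Azure PowerShell", and creating a service principal is an Azure AD operation that Owner or User Access Administrator on the subscription does not grant by itself; the account also needs permission to register applications in the tenant. State both requirements, what is needed to create the application and service principal and what is needed to assign it the onboarding role, so the reader with only subscription-level rights is not sent to a step that fails.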
azure-arc Plan At Scale Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/plan-at-scale-deployment.md
Title: How to plan and deploy Azure Arc-enabled servers description: Learn how to enable a large number of machines to Azure Arc-enabled servers to simplify configuration of essential security, management, and monitoring capabilities in Azure. Previously updated : 08/27/2021 Last updated : 02/22/2022
Next, we add to the foundation laid in phase 1 by preparing for and deploying th
|Task |Detail |Duration | |--|-||
-| Download the pre-defined installation script | Review and customize the pre-defined installation script for at-scale deployment of the Connected Machine agent to support your automated deployment requirements.<br><br> Sample at-scale onboarding resources:<br><br> <ul><li> [At-scale basic deployment script](onboard-service-principal.md)</ul></li> <ul><li>[At-scale onboarding VMware vSphere Windows Server VMs](https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/vmware_scaled_powercli_win/_index.md)</ul></li> <ul><li>[At-scale onboarding VMware vSphere Linux VMs](https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/vmware_scaled_powercli_linux/_index.md)</ul></li> <ul><li>[At-scale onboarding AWS EC2 instances using Ansible](https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/aws_scaled_ansible/_index.md)</ul></li> <ul><li>[At-scale deployment using PowerShell remoting](./onboard-powershell.md) (Windows only)</ul></li>| One or more days depending on requirements, organizational processes (for example, Change and Release Management), and automation method used. |
+| Download the pre-defined installation script | Review and customize the pre-defined installation script for at-scale deployment of the Connected Machine agent to support your automated deployment requirements.<br><br> Sample at-scale onboarding resources:<br><br> <ul><li> [At-scale basic deployment script](onboard-service-principal.md)</ul></li> <ul><li>[At-scale onboarding VMware vSphere Windows Server VMs](https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/vmware_scaled_powercli_win/_index.md)</ul></li> <ul><li>[At-scale onboarding VMware vSphere Linux VMs](https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/vmware_scaled_powercli_linux/_index.md)</ul></li> <ul><li>[At-scale onboarding AWS EC2 instances using Ansible](https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/aws_scaled_ansible/_index.md)</ul></li> | One or more days depending on requirements, organizational processes (for example, Change and Release Management), and automation method used. |
| [Create service principal](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) |Create a service principal to connect machines non-interactively using Azure PowerShell or from the portal.| One hour | | Deploy the Connected Machine agent to your target servers and machines |Use your automation tool to deploy the scripts to your servers and connect them to Azure.| One or more days depending on your release plan and if following a phased rollout. |
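Review bot: the rewritten table cell on the `+` line keeps the malformed list markup from the line it replaces, with every bullet wrapped in its own `<ul><li> … </ul></li>` (the `</ul>` closes before the `</li>`); since the cell is being edited anyway, collapse it to a single `<ul>` with one `<li>…</li>` per item so the rendered list is well-formed. Also confirm that dropping `[At-scale deployment using PowerShell remoting](./onboard-powershell.md) (Windows only)` is intentional: if `onboard-powershell.md` is still a supported onboarding method, this table is where readers look for it, and nothing in the diff says it was retired.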
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Arc-enabled servers description: Sample Azure Resource Graph queries for Azure Arc-enabled servers showing use of resource types and tables to access Azure Arc-enabled servers related resources and properties. Previously updated : 01/20/2022 Last updated : 02/16/2022
azure-functions Functions Reference Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-python.md
Update the Python code file `init.py`, depending on the interface used by your f
# [ASGI](#tab/asgi) ```python
-app=FastAPI("Test")
+app=fastapi.FastAPI()
-@app.route("/api/HandleApproach")
-def test():
- return "Hello!"
+@app.get("/hello/{name}")
+async def get_name(
+ name: str,):
+ return {
+ "name": name,}
-def main(req: func.HttpRequest, context) -> func.HttpResponse:
- logging.info('Python HTTP trigger function processed a request.')
- return func.AsgiMiddleware(app).handle(req, context)
+def main(req: func.HttpRequest, context: func.Context) -> func.HttpResponse:
+ return AsgiMiddleware(app).handle(req, context)
``` # [WSGI](#tab/wsgi)
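Review bot: the new ASGI snippet calls `fastapi.FastAPI()` and a bare `AsgiMiddleware(app)` but shows no import lines, while the WSGI tab below keeps the `func.`-qualified `func.WsgiMiddleware(app)`; either restore `func.AsgiMiddleware(app)` so the two tabs match, or add the `import fastapi` and `from azure.functions import AsgiMiddleware` lines (whatever the article's import block actually is) so the snippet is self-contained. The layout `name: str,):` and `"name": name,}` reads like a paste artifact; put the closing parenthesis and brace on their own lines or on the argument's line. The route also moves from `/api/HandleApproach` to `/hello/{name}`, so the function's HTTP trigger route has to forward that path for the example to respond; check it against the trigger configuration shown elsewhere in the article.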
def main(req: func.HttpRequest, context) -> func.HttpResponse:
```python app=Flask("Test")
-@app.route("/api/WrapperApproach")
-def test():
- return "Hello!"
+@app.route("/hello/<name>", methods=['GET'])
+def hello(name: str):
+ return f"hello {name}"
def main(req: func.HttpRequest, context) -> func.HttpResponse: logging.info('Python HTTP trigger function processed a request.') return func.WsgiMiddleware(app).handle(req, context) ```
+For a full example, see [Using Flask Framework with Azure Functions](/samples/azure-samples/flask-app-on-azure-functions/azure-functions-python-create-flask-app/).
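Review bot: same route concern for the WSGI tab: `/hello/<name>` replaces `/api/WrapperApproach` and only works if the HTTP trigger route covers it. In this hunk the context line `def main(req: func.HttpRequest, context) -> func.HttpResponse:` sits above the opening code fence of the Flask block, which suggests the fence is misplaced in the source; check that the block opens before `app=Flask("Test")` and that `main` is defined exactly once. The `Using Flask Framework with Azure Functions` sample link is added under WSGI only; if an equivalent FastAPI sample exists, the ASGI tab should get the same pointer.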
azure-maps Azure Maps Event Grid Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/azure-maps-event-grid-integration.md
Azure Maps integrates with Azure Event Grid, so that users can send event notifications to other services and trigger downstream processes. The purpose of this article is to help you configure your business applications to listen to Azure Maps events. This allows users to react to critical events in a reliable, scalable, and secure manner. For example, users can build an application to update a database, create a ticket, and deliver an email notification, every time a device enters a geofence.
-Azure Event Grid is a fully managed event routing service, which uses a publish-subscribe model. Event Grid has built-in support for Azure services like [Azure Functions](../azure-functions/functions-overview.md) and [Azure Logic Apps](../azure-functions/functions-overview.md). It can deliver event alerts to non-Azure services using webhooks. For a complete list of the event handlers that Event Grid supports, see [An introduction to Azure Event Grid](../event-grid/overview.md).
+> [!NOTE]
+> The Geofence API async event requires the region property of your Azure Maps account be set to ***Global***. When creating an Azure Maps account in the Azure portal, this isn't given as an option. For more information, see [Create an Azure Maps account with a global region](tutorial-geofence.md#create-an-azure-maps-account-with-a-global-region).
+Azure Event Grid is a fully managed event routing service, which uses a publish-subscribe model. Event Grid has built-in support for Azure services like [Azure Functions](../azure-functions/functions-overview.md) and [Azure Logic Apps](../azure-functions/functions-overview.md). It can deliver event alerts to non-Azure services using webhooks. For a complete list of the event handlers that Event Grid supports, see [An introduction to Azure Event Grid](../event-grid/overview.md).
![Azure Event Grid functional model](./media/azure-maps-event-grid-integration/azure-event-grid-functional-model.png) - ## Azure Maps events types
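Review bot: the paragraph re-added on the `+` line carries over the pre-existing wrong link target for Logic Apps, `[Azure Logic Apps](../azure-functions/functions-overview.md)`, which points at the Functions overview rather than a Logic Apps page; since the line is being rewritten, fix the target (the geofence tutorial in this same change links Logic Apps as `../event-grid/handler-webhooks.md#logic-apps`). The new NOTE about the ***Global*** region requirement is placed well here, ahead of the first description of how events flow.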
-Event grid uses [event subscriptions](../event-grid/concepts.md#event-subscriptions) to route event messages to subscribers. An Azure Maps account emits the following event types:
+Event grid uses [event subscriptions](../event-grid/concepts.md#event-subscriptions) to route event messages to subscribers. An Azure Maps account emits the following event types:
| Event type | Description | | - | -- |
The following example shows the schema for GeofenceResult:
Applications that handle Azure Maps geofence events should follow a few recommended practices:
+* The Geofence API async event requires the region property of your Azure Maps account be set to ***Global***. When creating an Azure Maps account in the Azure portal, this isn't given as an option. For more information, see [Create an Azure Maps account with a global region](tutorial-geofence.md#create-an-azure-maps-account-with-a-global-region).
* Configure multiple subscriptions to route events to the same event handler. It's important not to assume that events are from a particular source. Always check the message topic to ensure that the message came from the source that you expect. * Use the `X-Correlation-id` field in the response header to understand if your information about objects is up to date. Messages can arrive out of order or after a delay. * When a GET or a POST request in the Geofence API is called with the mode parameter set to `EnterAndExit`, then an Enter or Exit event is generated for each geometry in the geofence for which the status has changed from the previous Geofence API call.
Applications that handle Azure Maps geofence events should follow a few recommen
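Review bot: the bullet added at the top of the recommended-practices list repeats, word for word, the NOTE already inserted near the top of the article (Geofence API async event requires the region set to ***Global***, the portal does not offer it, link to `tutorial-geofence.md#create-an-azure-maps-account-with-a-global-region`). Keep it once: the NOTE is the right place, because the requirement must be met before any event can be delivered, and it is not a practice for applications that consume events; if a reminder is wanted in this list, a one-line cross reference is enough.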
To learn more about how to use geofencing to control operations at a construction site, see: > [!div class="nextstepaction"]
-> [Set up a geofence by using Azure Maps](tutorial-geofence.md)
+> [Set up a geofence by using Azure Maps](tutorial-geofence.md)
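Review bot: this hunk, like the one on the `Event grid uses [event subscriptions]…` line above, is a whitespace-only change (the `-` and `+` lines are textually identical); trailing-whitespace churn makes blame and later diffs noisier, so either drop these from the change or land the whitespace cleanup as its own commit.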
azure-maps Tutorial Geofence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/tutorial-geofence.md
Title: 'Tutorial: Create a geofence and track devices on a Microsoft Azure Map'
description: Tutorial on how to set up a geofence. See how to track devices relative to the geofence by using the Azure Maps Spatial service Previously updated : 10/28/2021 Last updated : 02/28/2021
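Review bot: the metadata update sets `Last updated : 02/28/2021`, which is earlier than the `Previously updated : 10/28/2021` value it replaces; the year looks like a typo for 2022, and the day should be the date the article was actually revised rather than a date after the change.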
Azure Maps provides a number of services to support the tracking of equipment en
> [!div class="checklist"] >
+> * Create an Azure Maps account with a global region.
> * Upload [Geofencing GeoJSON data](geofence-geojson.md) that defines the construction site areas you want to monitor. You'll use the [Data Upload API](/rest/api/maps/data-v2/upload-preview) to upload geofences as polygon coordinates to your Azure Maps account. > * Set up two [logic apps](../event-grid/handler-webhooks.md#logic-apps) that, when triggered, send email notifications to the construction site operations manager when equipment enters and exits the geofence area. > * Use [Azure Event Grid](../event-grid/overview.md) to subscribe to enter and exit events for your Azure Maps geofence. You set up two webhook event subscriptions that call the HTTP endpoints defined in your two logic apps. The logic apps then send the appropriate email notifications of equipment moving beyond or entering the geofence.
Azure Maps provides a number of services to support the tracking of equipment en
## Prerequisites
-1. [Create an Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account).
-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.
+* This tutorial uses the [Postman](https://www.postman.com/) application, but you can use a different API development environment.
-This tutorial uses the [Postman](https://www.postman.com/) application, but you can use a different API development environment.
+## Create an Azure Maps account with a global region
+
+The Geofence API async event requires the region property of your Azure Maps account be set to ***Global***. This isn't given as an option when creating an Azure Maps account in the Azure portal, however you do have several other options for creating a new Azure Maps account with the *global* region setting. This section lists the three methods that can be used to create an Azure Maps account with the region set to *global*.
+
+> [!NOTE]
+> The `location` property in both the ARM template and PowerShell `New-AzMapsAccount` command refer to the same property as the `Region` field in the Azure portal.
+
+### Use an ARM template to create an Azure Maps account with a global region
+
+You will need to [Create your Azure Maps account using an ARM template](how-to-create-template.md), making sure to set `location` to `global` in the `resources` section of the ARM template.
+
+### Use PowerShell to create an Azure Maps account with a global region
+
+```powershell
+New-AzMapsAccount -ResourceGroupName your-Resource-Group -Name name-of-maps-account -SkuName g2 -Location global
+```
+
+### Use Azure CLI to create an Azure Maps account with a global region
+
+The Azure CLI command [az maps account create](/cli/azure/maps/account?view=azure-cli-latest#az-maps-account-create) doesnΓÇÖt have a location property, but defaults to ΓÇ£globalΓÇ¥, making it useful for creating an Azure Maps account with a global region setting for use with the Geofence API async event.
## Upload geofencing GeoJSON data
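Review bot: the prerequisites hunk deletes both the account-creation step and `[Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account)`, but the new "Create an Azure Maps account with a global region" section only replaces the first of those; nothing in the new text says how to obtain the subscription key, so if the Data Upload API calls later in the tutorial still authenticate with it, keep that prerequisite or add a key-retrieval step to the new section. In the Azure CLI paragraph the apostrophe and quotes render as `doesnΓÇÖt` and `ΓÇ£globalΓÇ¥`; use plain ASCII `'` and `"` so the source does not depend on the editor's encoding, and the statement that `az maps account create` has no location parameter and defaults to global should be checked against the current CLI reference before it is published (the link also carries a `?view=azure-cli-latest` query string that docs links normally omit). Smaller points: "This isn't given as an option when creating an Azure Maps account in the Azure portal, however you do have several other options" is a comma splice (end the sentence at "portal."); the paragraph promises "three methods", so naming them in a short list before the subsections would help; and the PowerShell placeholders `your-Resource-Group` and `name-of-maps-account` should use the angle-bracket form (`<resource-group-name>`) that the other PowerShell examples in this change use.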
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agents-overview.md
The following tables provide a quick comparison of the Azure Monitor agents for
## Azure Monitor agent
-The [Azure Monitor agent](azure-monitor-agent-overview.md) is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows and Linux machines. It can send data to both Azure Monitor Logs and Azure Monitor Metrics and uses [Data Collection Rules (DCR)](data-collection-rule-overview.md) which provide a more scalable method of configuring data collection and destinations for each agent.
+The [Azure Monitor agent](azure-monitor-agent-overview.md) is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows and Linux machines. It can send data to both Azure Monitor Logs and Azure Monitor Metrics and uses [Data Collection Rules (DCR)](../essentials/data-collection-rule-overview.md) which provide a more scalable method of configuring data collection and destinations for each agent.
Use the Azure Monitor agent if you need to: - Collect guest logs and metrics from any machine in Azure, in other clouds, or on-premises. ([Azure Arc-enabled servers](../../azure-arc/servers/overview.md) required for machines outside of Azure.) -- Manage data collection configuration centrally, using [data collection rules](./data-collection-rule-overview.md) and use Azure Resource Manager (ARM) templates or policies for management overall.
+- Manage data collection configuration centrally, using [data collection rules](../essentials/data-collection-rule-overview.md) and use Azure Resource Manager (ARM) templates or policies for management overall.
- Send data to Azure Monitor Logs and Azure Monitor Metrics (preview) for analysis with Azure Monitor. - Use Windows event filtering or multi-homing for logs on Windows and Linux.
azure-monitor Azure Monitor Agent Data Collection Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-data-collection-endpoint.md
+
+ Title: Using data collection endpoints with Azure Monitor agent (preview)
+description: Use data collection endpoints to uniquely configure ingestion settings for your machines.
+++ Last updated : 1/5/2022++++
+# Using data collection endpoints with Azure Monitor agent (preview)
+[Data Collection Endpoints (DCEs)](../essentials/data-collection-endpoint-overview.md) allow you to uniquely configure ingestion settings for your machines, giving you greater control over your networking requirements.
+
+## Create data collection endpoint
+See [Data collection endpoints in Azure Monitor (preview)](../essentials/data-collection-endpoint-overview.md) for details on data collection endpoints and how to create them.
+
+## Create endpoint association in Azure portal
+Use **Data collection rules** in the portal to associate endpoints with a resource (e.g. a virtual machine) or a set of resources. Create a new rule or open an existing rule. In the **Resources** tab, click on the **Data collection endpoint** drop-down to associate an existing endpoint for your resource in the same region (or select multiple resources in the same region to bulk-assign an endpoint for them). Doing this creates an association per resource which links the endpoint to the resource. The Azure Monitor agent running on these resources will now start using the endpoint instead for uploading data to Azure Monitor.
+
+[![Data Collection Rule virtual machines](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png)](../agents/media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox)
++
+> [!NOTE]
+> The data collection endpoint should be created in the **same region** where your virtual machines exist.
++
+## Create endpoint and association using REST API
+
+> [!NOTE]
+> The data collection endpoint should be created in the **same region** where your virtual machines exist.
+
+1. Create data collection endpoint(s) using these [DCE REST APIs](/cli/azure/monitor/data-collection/endpoint).
+2. Create association(s) to link the endpoint(s) to your target machines or resources, using these [DCRA REST APIs](/rest/api/monitor/datacollectionruleassociations/create#examples).
++
+## Sample data collection endpoint
+The sample data collection endpoint below is for virtual machines with Azure Monitor agent, with public network access disabled so that agent only uses private links to communicate and send data to Azure Monitor/Log Analytics.
+
+```json
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myCollectionEndpoint",
+ "name": "myCollectionEndpoint",
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "location": "eastus",
+ "tags": {
+ "tag1": "A",
+ "tag2": "B"
+ },
+ "properties": {
+ "configurationAccess": {
+ "endpoint": "https://mycollectionendpoint-abcd.eastus-1.control.monitor.azure.com"
+ },
+ "logsIngestion": {
+ "endpoint": "https://mycollectionendpoint-abcd.eastus-1.ingest.monitor.azure.com"
+ },
+ "networkAcls": {
+ "publicNetworkAccess": "Disabled"
+ }
+ },
+ "systemData": {
+ "createdBy": "user1",
+ "createdByType": "User",
+ "createdAt": "yyyy-mm-ddThh:mm:ss.sssssssZ",
+ "lastModifiedBy": "user2",
+ "lastModifiedByType": "User",
+ "lastModifiedAt": "yyyy-mm-ddThh:mm:ss.sssssssZ"
+ },
+ "etag": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+## Enable network isolation for the Azure Monitor Agent
+You can use data collection endpoints to enable the Azure Monitor agent to communicate to the internet via private links. To do so, you must:
+1. Create data collection endpoint(s), at least one per region, as shown above
+2. Add the data collection endpoints to a new or existing [Azure Monitor Private Link Scopes (AMPLS)](../logs/private-link-configure.md#connect-azure-monitor-resources) resource. This adds the DCE endpoints to your private DNS zone (see [how to validate](../logs/private-link-configure.md#review-and-validate-your-private-link-setup)) and allows communication via private links. You can do this from either the AMPLS resource or from within an existing DCE resource's 'Network Isolation' tab.
+ > [!NOTE]
+ > Other Azure Monitor resources like the Log Analytics workspace(s) configured in your data collection rules that you wish to send data to, must be part of this same AMPLS resource.
+3. For your data collection endpoint(s), ensure **Accept access from public networks not connected through a Private Link Scope** option is set to **No** under the 'Network Isolation' tab of your endpoint resource in Azure portal, as shown below. This ensures that public internet access is disabled, and network communication only happen via private links.
+4. Associate the data collection endpoints to the target resources, using the data collection rules experience in Azure portal. This results in the agent using the configured the data collection endpoint(s) for network communications. See [Configure data collection for the Azure Monitor agent](../agents/data-collection-rule-azure-monitor-agent.md).
+
+ ![Data collection endpoint network isolation](media/azure-monitor-agent-dce/data-collection-endpoint-network-isolation.png)
+
+## Next steps
+- [Associate endpoint to machines](../agents/data-collection-rule-azure-monitor-agent.md#create-rule-and-association-in-azure-portal)
+- [Add endpoint to AMPLS resource](../logs/private-link-configure.md#connect-azure-monitor-resources)
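Review bot: in step 1 under "Create endpoint and association using REST API" the link labelled `[DCE REST APIs](/cli/azure/monitor/data-collection/endpoint)` points at the Azure CLI reference, not a REST API page, while step 2 correctly links `/rest/api/monitor/datacollectionruleassociations/create`; point the DCE link at the matching `/rest/api/monitor/` data collection endpoints reference, or relabel it as the CLI. In "Enable network isolation for the Azure Monitor Agent" the opening sentence says the endpoints let the agent "communicate to the internet via private links", which is the opposite of the section's purpose; say that the agent reaches Azure Monitor over private links instead of the public internet, which is what `"publicNetworkAccess": "Disabled"` in the sample JSON and the "set to **No**" instruction in step 3 enforce. The NOTE that the endpoint must be created in the same region as the virtual machines is repeated verbatim in two consecutive sections; keep one. Typos: step 4 "using the configured the data collection endpoint(s)" (drop the second "the"), "so that agent only uses private links" (so that the agent), and the image link uses `media/...` for the image but `../agents/media/...` for the lightbox target; use one relative path for both.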
azure-monitor Azure Monitor Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-overview.md
The methods for defining data collection for the existing agents are distinctly
- The Log Analytics agent gets its configuration from a Log Analytics workspace. It's easy to centrally configure but difficult to define independent definitions for different virtual machines. It can only send data to a Log Analytics workspace. - Diagnostic extension has a configuration for each virtual machine. It's easy to define independent definitions for different virtual machines but difficult to centrally manage. It can only send data to Azure Monitor Metrics, Azure Event Hubs, or Azure Storage. For Linux agents, the open-source Telegraf agent is required to send data to Azure Monitor Metrics.
-The Azure Monitor agent uses [data collection rules](data-collection-rule-overview.md) to configure data to collect from each agent. Data collection rules enable manageability of collection settings at scale while still enabling unique, scoped configurations for subsets of machines. They're independent of the workspace and independent of the virtual machine, which allows them to be defined once and reused across machines and environments. See [Configure data collection for the Azure Monitor agent](data-collection-rule-azure-monitor-agent.md).
+The Azure Monitor agent uses [data collection rules](../essentials/data-collection-rule-overview.md) to configure data to collect from each agent. Data collection rules enable manageability of collection settings at scale while still enabling unique, scoped configurations for subsets of machines. They're independent of the workspace and independent of the virtual machine, which allows them to be defined once and reused across machines and environments. See [Configure data collection for the Azure Monitor agent](data-collection-rule-azure-monitor-agent.md).
## Should I switch to the Azure Monitor agent? The Azure Monitor agent replaces the [legacy agents for Azure Monitor](agents-overview.md). To start transitioning your VMs off the current agents to the new agent, consider the following factors:
The following table shows the current support for the Azure Monitor agent with A
| Azure Monitor feature | Current support | More information | |:|:|:| | [VM insights](../vm/vminsights-overview.md) | Private preview | [Sign-up link](https://aka.ms/amadcr-privatepreviews) |
-| [Connect using private links](data-collection-endpoint-overview.md#enable-network-isolation-for-the-azure-monitor-agent) | Public preview | No sign-up needed |
+| [Connect using private links](azure-monitor-agent-data-collection-endpoint.md) | Public preview | No sign-up needed |
| [VM insights guest health](../vm/vminsights-health-overview.md) | Public preview | Available only on the new agent | | [SQL insights](../insights/sql-insights-overview.md) | Public preview | Available only on the new agent |
There's no cost for the Azure Monitor agent, but you might incur charges for the
The Azure Monitor agent doesn't require any keys but instead requires a [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity). You must have a system-assigned managed identity enabled on each virtual machine before you deploy the agent. ## Networking
-The Azure Monitor agent supports Azure service tags (both AzureMonitor and AzureResourceManager tags are required). It supports connecting via private links, direct proxies and Log Analytics gateway as described below.
+The Azure Monitor agent supports Azure service tags (both AzureMonitor and AzureResourceManager tags are required). It supports connecting via **direct proxies, Log Analytics gateway and private links** as described below.
### Proxy configuration If the machine connects through a proxy server to communicate over the internet, review requirements below to understand the network configuration required.
The Azure Monitor agent extensions for Windows and Linux can communicate either
> [!IMPORTANT] > Proxy configuration is not supported for [Azure Monitor Metrics (preview)](../essentials/metrics-custom-overview.md) as a destination. As such, if you are sending metrics to this destination, it will use the public internet without any proxy.
-1. Use this flowchart to determine the values of the *setting* and *protectedSetting* parameters first.
+1. Use this flowchart to determine the values of the *settings* and *protectedSettings* parameters first.
- ![Flowchart to determine the values of setting and protectedSetting parameters when you enable the extension.](media/azure-monitor-agent-overview/proxy-flowchart.png)
+ ![Flowchart to determine the values of settings and protectedSettings parameters when you enable the extension.](media/azure-monitor-agent-overview/proxy-flowchart.png)
-2. After the values for the *setting* and *protectedSetting* parameters are determined, provide these additional parameters when you deploy the Azure Monitor agent by using PowerShell commands. The following examples are for Azure virtual machines.
+2. After the values for the *settings* and *protectedSettings* parameters are determined, provide these additional parameters when you deploy the Azure Monitor agent by using PowerShell commands. The following examples are for Azure virtual machines.
| Parameter | Value | |:|:|
- | Setting | A JSON object from the preceding flowchart converted to a string. Skip if not applicable. An example is {"proxy":{"mode":"application","address":"http://[address]:[port]","auth": false}}. |
- | ProtectedSetting | A JSON object from the preceding flowchart converted to a string. Skip if not applicable. An example is {"proxy":{"username": "[username]","password": "[password]"}}. |
+ | settingsHashtable | A JSON object from the preceding flowchart converted to a hashtable. Skip if not applicable. An example is {"proxy":{"mode":"application","address":"http://[address]:[port]","auth": false}}. |
+ | protectedSettingsHashtable | A JSON object from the preceding flowchart converted to a hashtable. Skip if not applicable. An example is {"proxy":{"username": "[username]","password": "[password]"}}. |
# [Windows VM](#tab/PowerShellWindows) ```powershell
-Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion 1.0 -Setting <settingString> -ProtectedSetting <protectedSettingString>
+$settingsHashtable = @{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": false}};
+$protectedSettingsHashtable = @{"proxy":{"username": "[username]","password": "[password]"}};
+
+Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion 1.0 -Settings <settingsHashtable> -ProtectedSettings <protectedSettingsHashtable>
``` # [Linux VM](#tab/PowerShellLinux) ```powershell
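Review bot: the `$settingsHashtable` and `$protectedSettingsHashtable` assignments added in this hunk are not valid PowerShell: `@{"proxy":{"mode":"application",…}}` puts JSON syntax (colon separators, a `{…}` nested object, bare `false`) inside a hashtable literal and will not parse. The hashtable form of the same object is `@{proxy = @{mode = "application"; address = "http://[address]:[port]"; auth = $false}}` and `@{proxy = @{username = "[username]"; password = "[password]"}}`. The `Set-AzVMExtension` call then still passes the placeholders `-Settings <settingsHashtable> -ProtectedSettings <protectedSettingsHashtable>` rather than the variables just defined; pass `-Settings $settingsHashtable -ProtectedSettings $protectedSettingsHashtable`, and drop the trailing `;` on the assignments. The same literals are pasted into the three tabs that follow, so fix all four. The table rows above describe the values as "A JSON object … converted to a hashtable" but show the JSON text; show the hashtable literal there as well, or say plainly that the JSON must be rewritten as a PowerShell hashtable. Keep the proxy credentials in `-ProtectedSettings` as the hunk does, since the protected settings are the ones the platform keeps encrypted; do not simplify the example by folding them into `-Settings`.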
-Set-AzVMExtension -ExtensionName AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion 1.5 -Setting <settingString> -ProtectedSetting <protectedSettingString>
+$settingsHashtable = @{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": false}};
+$protectedSettingsHashtable = @{"proxy":{"username": "[username]","password": "[password]"}};
+
+Set-AzVMExtension -ExtensionName AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion 1.5 -Settings <settingsHashtable> -ProtectedSettings <protectedSettingsHashtable>
``` # [Windows Arc enabled server](#tab/PowerShellWindowsArc) ```powershell
-New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Setting <settingString> -ProtectedSetting <protectedSettingString>
+$settingsHashtable = @{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": false}};
+$protectedSettingsHashtable = @{"proxy":{"username": "[username]","password": "[password]"}};
+
+New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Settings <settingsHashtable> -ProtectedSettings <protectedSettingsHashtable>
``` # [Linux Arc enabled server](#tab/PowerShellLinuxArc) ```powershell
-New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Setting <settingString> -ProtectedSetting <protectedSettingString>
+$settingsHashtable = @{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": false}};
+$protectedSettingsHashtable = @{"proxy":{"username": "[username]","password": "[password]"}};
+
+New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -Settings <settingsHashtable> -ProtectedSettings <protectedSettingsHashtable>
```
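Review bot: both Arc-enabled server tabs have the same JSON-in-hashtable literal problem and pass the `<settingsHashtable>` placeholders instead of the variables. Separately, verify the parameter names on `New-AzConnectedMachineExtension` before merging: in the Az.ConnectedMachine module the extension settings parameters are `-Setting` and `-ProtectedSetting` (singular, both hashtables), which is what the removed lines used, so renaming them to `-Settings`/`-ProtectedSettings` here looks like search-and-replace overreach from the `Set-AzVMExtension` fix; check with `Get-Help New-AzConnectedMachineExtension -Parameter Setting`.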
-### Log Analytics gateway configuration
-1. Follow the instructions above to configure proxy settings on the agent and provide the IP address and port number corresponding to the gateway server. If you have deployed multiple gateway servers behind a load balancer, the agent proxy configuration is the virtual IP address of the load balancer instead.
-2. Add the **configuration endpoint URL** to fetch data collection rules to the allow list for the gateway
- `Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com`
- `Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com`
- (If using private links on the agent, you must also add the [dce endpoints](./data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint))
-3. Add the **data ingestion endpoint URL** to the allow list for the gateway
- `Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com`
-3. Restart the **OMS Gateway** service to apply the changes
- `Stop-Service -Name <gateway-name>`
- `Start-Service -Name <gateway-name>`
--
-### Private link configuration
-To configure the agent to use private links for network communications with Azure Monitor, you can use [Azure Monitor Private Links Scopes (AMPLS)](../logs/private-link-security.md) and [data collection endpoints](./data-collection-endpoint-overview.md) to enable required network isolation. [View steps to configure network isolation for the agent](./data-collection-endpoint-overview.md#enable-network-isolation-for-the-azure-monitor-agent)
+## Private link configuration
+To configure the agent to use private links for network communications with Azure Monitor, you can use [Azure Monitor Private Links Scopes (AMPLS)](../logs/private-link-security.md) and [data collection endpoints](azure-monitor-agent-data-collection-endpoint.md) to enable required network isolation.
## Next steps
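Review bot: this hunk deletes the whole "Log Analytics gateway configuration" subsection (the `Add-OMSGatewayAllowedHost` allow-list entries for `global.handler.control.monitor.azure.com`, `<gateway-server-region-name>.handler.control.monitor.azure.com` and `<log-analytics-workspace-id>.ods.opinsights.azure.com`, plus the service restart), yet the Networking paragraph edited earlier in this change now reads "It supports connecting via **direct proxies, Log Analytics gateway and private links** as described below", and the gateway is no longer described below. Either restore the gateway steps or replace them with a pointer to wherever they were moved. The private-link subsection is also promoted from `###` to `##`, which takes it out of the Networking section it belongs to; keep it at `###`.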
azure-monitor Data Collection Rule Azure Monitor Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/data-collection-rule-azure-monitor-agent.md
Title: Configure data collection for the Azure Monitor agent description: Describes how to create a data collection rule to collect data from virtual machines using the Azure Monitor agent. -- Last updated 07/16/2021
Last updated 07/16/2021
Data Collection Rules (DCR) define data coming into Azure Monitor and specify where it should be sent. This article describes how to create a data collection rule to collect data from virtual machines using the Azure Monitor agent.
-For a complete description of data collection rules, see [Data collection rules in Azure Monitor](data-collection-rule-overview.md).
+For a complete description of data collection rules, see [Data collection rules in Azure Monitor](../essentials/data-collection-rule-overview.md).
> [!NOTE] > This article describes how to configure data for virtual machines with the Azure Monitor agent only.
For example, consider an environment with a set of virtual machines running a li
![Diagram shows virtual machines hosting line of business application and SQL Server associated with data collection rules named central-i t-default and lob-app for line of business application and central-i t-default and s q l for SQL Server.](media/data-collection-rule-azure-monitor-agent/associations.png)
-## Permissions required to create data collection rules and associations
-When using programmatic methods to create data collection rules and associations (i.e. mehtods other than Azure portal), you require the below permissions:
-
-| Built-in Role | Scope(s) | Reason |
-|:|:|:|
-| [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing data collection rule</li></ul> | To create or edit data collection rules |
-| <ul><li>[Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor)</li><li>[Azure Connected Machine Resource Administrator](../../role-based-access-control/built-in-roles.md#azure-connected-machine-resource-administrator)</li></ul> | <ul><li>Virtual machines, virtual machine scale sets</li><li>Arc-enabled servers</li></ul> | To deploy associations (i.e. to assign rules to the machine) |
-| Any role that includes the action *Microsoft.Resources/deployments/** | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing data collection rule</li></ul> | To deploy ARM templates |
## Create rule and association in Azure portal
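Review bot: the `-` lines remove the whole "Permissions required to create data collection rules and associations" section, including the table that maps Monitoring Contributor, Virtual Machine Contributor / Azure Connected Machine Resource Administrator and any role carrying `Microsoft.Resources/deployments/*` to the scopes each one needs, and nothing in this change adds that table back elsewhere. That table is the least-privilege guidance a reader needs before the "Create rule and association" steps that follow. If the roles now live in the essentials overview, keep a one-line pointer here, for example `For the roles required to create rules and associations, see [Data collection rules in Azure Monitor](../essentials/data-collection-rule-overview.md).`; otherwise restore the section, fixing `mehtods` to `methods` while at it.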
Additionally, choose the appropriate **Platform Type** which specifies the type
In the **Resources** tab, add the resources (virtual machines, virtual machine scale sets, Arc for servers) that should have the Data Collection Rule applied. The Azure Monitor Agent will be installed on resources that don't already have it installed, and will enable Azure Managed Identity as well. ### Private link configuration using data collection endpoints (preview)
-If you need network isolation using private links for collecting data using agents from your resources, simply select existing endpoints (or create a new endpoint) from the same region for the respective resource(s) as shown below. See [how to create data collection endpoint](./data-collection-endpoint-overview.md).
+If you need network isolation using private links for collecting data using agents from your resources, simply select existing endpoints (or create a new endpoint) from the same region for the respective resource(s) as shown below. See [how to create data collection endpoint](../essentials/data-collection-endpoint-overview.md).
[![Data Collection Rule virtual machines](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox)
On the **Collect and deliver** tab, click **Add data source** to add a data sour
[![Data source basic](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic-updated.png#lightbox)
-To specify other logs and performance counters from the [currently supported data sources](azure-monitor-agent-overview.md#data-sources-and-destinations) or to filter events using XPath queries, select **Custom**. You can then specify an [XPath ](https://www.w3schools.com/xml/xpath_syntax.asp) for any specific values to collect. See [Sample DCR](data-collection-rule-overview.md#sample-data-collection-rule) for examples.
+To specify other logs and performance counters from the [currently supported data sources](azure-monitor-agent-overview.md#data-sources-and-destinations) or to filter events using XPath queries, select **Custom**. You can then specify an [XPath ](https://www.w3schools.com/xml/xpath_syntax.asp) for any specific values to collect. See [Sample DCR](data-collection-rule-sample-agent.md) for an example.
[![Data source custom](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom-updated.png#lightbox)
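Review bot: the `+` line keeps the link text `[XPath ](https://www.w3schools.com/xml/xpath_syntax.asp)` with a trailing space inside the brackets, which renders as a link whose last character is a space; since the line is being rewritten anyway, change it to `[XPath](https://www.w3schools.com/xml/xpath_syntax.asp)`. The new target `data-collection-rule-sample-agent.md` does match the sample article added in this change, and "for an example" is the right wording now that the target contains a single DCR.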
Follow the steps below to create a data collection rule and association
> [!NOTE] > If you wish to send data to Log Analytics, you must create the data collection rule in the **same region** where your Log Analytics workspace resides. The rule can be associated to machines in other supported region(s).
-1. Manually create the DCR file using the JSON format shown in [Sample DCR](data-collection-rule-overview.md#sample-data-collection-rule).
+1. Manually create the DCR file using the JSON format shown in [Sample DCR](data-collection-rule-sample-agent.md).
2. Create the rule using the [REST API](/rest/api/monitor/datacollectionrules/create#examples).
This is enabled as part of Azure CLI **monitor-control-service** Extension. [Vie
## Next steps - Learn more about the [Azure Monitor Agent](azure-monitor-agent-overview.md).-- Learn more about [data collection rules](data-collection-rule-overview.md).
+- Learn more about [data collection rules](../essentials/data-collection-rule-overview.md).
azure-monitor Data Collection Rule Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/data-collection-rule-overview.md
- Title: Data Collection Rules in Azure Monitor
-description: Overview of data collection rules (DCRs) in Azure Monitor including their contents and structure and how you can create and work with them.
--- Previously updated : 02/08/2022----
-# Data collection rules in Azure Monitor
-Data Collection Rules (DCR) define data coming into Azure Monitor and specify where that data should be sent or stored. This article provides an overview of data collection rules including their contents and structure and how you can create and work with them.
-
-## Input sources
-Data collection rules currently support the following input sources:
--- Azure Monitor Agent running on virtual machines, virtual machine scale sets and Azure Arc for servers. See [Configure data collection for the Azure Monitor agent (preview)](../agents/data-collection-rule-azure-monitor-agent.md).---
-## Components of a data collection rule
-A data collection rule includes the following components.
-
-| Component | Description |
-|:|:|
-| Data sources | Unique source of monitoring data with its own format and method of exposing its data. Examples of a data source include Windows event log, performance counters, and syslog. Each data source matches a particular data source type as described below. |
-| Streams | Unique handle that describes a set of data sources that will be transformed and schematized as one type. Each data source requires one or more streams, and one stream may be used by multiple data sources. All data sources in a stream share a common schema. Use multiple streams for example, when you want to send a particular data source to multiple tables in the same Log Analytics workspace. |
-| Destinations | Set of destinations where the data should be sent. Examples include Log Analytics workspace and Azure Monitor Metrics. |
-| Data flows | Definition of which streams should be sent to which destinations. |
-
-The following diagram shows the components of a data collection rule and their relationship
-
-[![Diagram of DCR](media/data-collection-rule-overview/data-collection-rule-components.png)](media/data-collection-rule-overview/data-collection-rule-components.png#lightbox)
-
-### Data source types
-Each data source has a data source type. Each type defines a unique set of properties that must be specified for each data source. The data source types currently available are shown in the following table.
-
-| Data source type | Description |
-|:|:|
-| extension | VM extension-based data source, used exclusively by Log Analytics solutions and Azure services ([View agent supported services and solutions](./azure-monitor-agent-overview.md#supported-services-and-features)) |
-| performanceCounters | Performance counters for both Windows and Linux |
-| syslog | Syslog events on Linux |
-| windowsEventLogs | Windows event log |
-
-## Supported regions
-Data collection rules are stored regionally, and are available in all public regions where Log Analytics is supported, as well as the Azure Government and China clouds. Air-gapped clouds are not yet supported.
-
-## Limits
-For limits that apply to each data collection rule, see [Azure Monitor service limits](../service-limits.md#data-collection-rules).
-
-## Data resiliency and high availability
-Data Collection Rules as a service is deployed regionally. A rule gets created and stored in the region you specify, and is backed up to the [paired-region](../../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) within the same Geo.
-Additionally, the service is deployed to all 3 [availability zones](../../availability-zones/az-overview.md#availability-zones) within the region, making it a **zone-redundant service** which further adds to high availability.
--
-**Single region data residency**: The previewed feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. Single region residency is enabled by default in these regions.
-
-## Create a DCR
-You can currently use any of the following methods to create a DCR:
--- [Use the Azure portal](../agents/data-collection-rule-azure-monitor-agent.md) to create a data collection rule and have it associated with one or more virtual machines.-- Directly edit the data collection rule in JSON and [submit using the REST API](/rest/api/monitor/datacollectionrules).-- Create DCR and associations with [Azure CLI](https://github.com/Azure/azure-cli-extensions/blob/master/src/monitor-control-service/README.md).-- Create DCR and associations with Azure PowerShell.
- - [Get-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Get-AzDataCollectionRule.md)
- - [New-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/New-AzDataCollectionRule.md)
- - [Set-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Set-AzDataCollectionRule.md)
- - [Update-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Update-AzDataCollectionRule.md)
- - [Remove-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Remove-AzDataCollectionRule.md)
- - [Get-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Get-AzDataCollectionRuleAssociation.md)
- - [New-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/New-AzDataCollectionRuleAssociation.md)
- - [Remove-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Remove-AzDataCollectionRuleAssociation.md)
-
-## Sample data collection rule
-The sample data collection rule below is for virtual machines with Azure Monitor agent and has the following details:
--- Performance data
- - Collects specific Processor, Memory, Logical Disk, and Physical Disk counters every 15 seconds and uploads every minute.
- - Collects specific Process counters every 30 seconds and uploads every 5 minutes.
-- Windows events
- - Collects Windows security events and uploads every minute.
- - Collects Windows application and system events and uploads every 5 minutes.
-- Syslog
- - Collects Debug, Critical, and Emergency events from cron facility.
- - Collects Alert, Critical, and Emergency events from syslog facility.
-- Destinations
- - Sends all data to a Log Analytics workspace named centralWorkspace.
-
-> [!NOTE]
-> For an explanation of XPaths that are used to specify event collection in data collection rules, see [Limit data collection with custom XPath queries](data-collection-rule-azure-monitor-agent.md#limit-data-collection-with-custom-xpath-queries)
--
-```json
-{
- "location": "eastus",
- "properties": {
- "dataSources": {
- "performanceCounters": [
- {
- "name": "cloudTeamCoreCounters",
- "streams": [
- "Microsoft-Perf"
- ],
- "scheduledTransferPeriod": "PT1M",
- "samplingFrequencyInSeconds": 15,
- "counterSpecifiers": [
- "\\Processor(_Total)\\% Processor Time",
- "\\Memory\\Committed Bytes",
- "\\LogicalDisk(_Total)\\Free Megabytes",
- "\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
- ]
- },
- {
- "name": "appTeamExtraCounters",
- "streams": [
- "Microsoft-Perf"
- ],
- "scheduledTransferPeriod": "PT5M",
- "samplingFrequencyInSeconds": 30,
- "counterSpecifiers": [
- "\\Process(_Total)\\Thread Count"
- ]
- }
- ],
- "windowsEventLogs": [
- {
- "name": "cloudSecurityTeamEvents",
- "streams": [
- "Microsoft-Event"
- ],
- "scheduledTransferPeriod": "PT1M",
- "xPathQueries": [
- "Security!*"
- ]
- },
- {
- "name": "appTeam1AppEvents",
- "streams": [
- "Microsoft-Event"
- ],
- "scheduledTransferPeriod": "PT5M",
- "xPathQueries": [
- "System!*[System[(Level = 1 or Level = 2 or Level = 3)]]",
- "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
- ]
- }
- ],
- "syslog": [
- {
- "name": "cronSyslog",
- "streams": [
- "Microsoft-Syslog"
- ],
- "facilityNames": [
- "cron"
- ],
- "logLevels": [
- "Debug",
- "Critical",
- "Emergency"
- ]
- },
- {
- "name": "syslogBase",
- "streams": [
- "Microsoft-Syslog"
- ],
- "facilityNames": [
- "syslog"
- ],
- "logLevels": [
- "Alert",
- "Critical",
- "Emergency"
- ]
- }
- ]
- },
- "destinations": {
- "logAnalytics": [
- {
- "workspaceResourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace",
- "name": "centralWorkspace"
- }
- ]
- },
- "dataFlows": [
- {
- "streams": [
- "Microsoft-Perf",
- "Microsoft-Syslog",
- "Microsoft-Event"
- ],
- "destinations": [
- "centralWorkspace"
- ]
- }
- ]
- }
- }
-```
--
-## Next steps
--- [Create a data collection rule](data-collection-rule-azure-monitor-agent.md) and an association to it from a virtual machine using the Azure Monitor agent.
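Review bot: of everything these `-` lines delete, only the "Sample data collection rule" section (the bullet summary, the XPath note and the JSON) reappears in this change, as the new `data-collection-rule-sample-agent.md` article. The components table (data sources, streams, destinations, data flows), the data source types table (`extension`, `performanceCounters`, `syslog`, `windowsEventLogs`), the supported regions, limits and data resiliency sections, the single-region data residency statement and the list of eight `*-AzDataCollectionRule*` PowerShell cmdlets have no visible destination. If they were moved to `essentials/data-collection-rule-overview.md` in a separate commit, reference that commit in the description; if not, this deletion loses the only place that documents the DCR structure and its regional storage and backup behaviour.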
azure-monitor Data Collection Rule Sample Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/data-collection-rule-sample-agent.md
+
+ Title: Sample data collection rule - agent
+description: Sample data collection rule for Azure Monitor agent
+ Last updated : 02/15/2022++++
+# Sample data collection rule - agent
+The sample [data collection rule](../essentials/data-collection-rule-overview.md) below is for virtual machines with Azure Monitor agent and has the following details:
+
+- Performance data
+ - Collects specific Processor, Memory, Logical Disk, and Physical Disk counters every 15 seconds and uploads every minute.
+ - Collects specific Process counters every 30 seconds and uploads every 5 minutes.
+- Windows events
+ - Collects Windows security events and uploads every minute.
+ - Collects Windows application and system events and uploads every 5 minutes.
+- Syslog
+ - Collects Debug, Critical, and Emergency events from cron facility.
+ - Collects Alert, Critical, and Emergency events from syslog facility.
+- Destinations
+ - Sends all data to a Log Analytics workspace named centralWorkspace.
+
+> [!NOTE]
+> For an explanation of XPaths that are used to specify event collection in data collection rules, see [Limit data collection with custom XPath queries](../agents/data-collection-rule-azure-monitor-agent.md#limit-data-collection-with-custom-xpath-queries)
+
+## Sample DCR
+
+```json
+{
+ "location": "eastus",
+ "properties": {
+ "dataSources": {
+ "performanceCounters": [
+ {
+ "name": "cloudTeamCoreCounters",
+ "streams": [
+ "Microsoft-Perf"
+ ],
+ "scheduledTransferPeriod": "PT1M",
+ "samplingFrequencyInSeconds": 15,
+ "counterSpecifiers": [
+ "\\Processor(_Total)\\% Processor Time",
+ "\\Memory\\Committed Bytes",
+ "\\LogicalDisk(_Total)\\Free Megabytes",
+ "\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
+ ]
+ },
+ {
+ "name": "appTeamExtraCounters",
+ "streams": [
+ "Microsoft-Perf"
+ ],
+ "scheduledTransferPeriod": "PT5M",
+ "samplingFrequencyInSeconds": 30,
+ "counterSpecifiers": [
+ "\\Process(_Total)\\Thread Count"
+ ]
+ }
+ ],
+ "windowsEventLogs": [
+ {
+ "name": "cloudSecurityTeamEvents",
+ "streams": [
+ "Microsoft-Event"
+ ],
+ "scheduledTransferPeriod": "PT1M",
+ "xPathQueries": [
+ "Security!*"
+ ]
+ },
+ {
+ "name": "appTeam1AppEvents",
+ "streams": [
+ "Microsoft-Event"
+ ],
+ "scheduledTransferPeriod": "PT5M",
+ "xPathQueries": [
+ "System!*[System[(Level = 1 or Level = 2 or Level = 3)]]",
+ "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
+ ]
+ }
+ ],
+ "syslog": [
+ {
+ "name": "cronSyslog",
+ "streams": [
+ "Microsoft-Syslog"
+ ],
+ "facilityNames": [
+ "cron"
+ ],
+ "logLevels": [
+ "Debug",
+ "Critical",
+ "Emergency"
+ ]
+ },
+ {
+ "name": "syslogBase",
+ "streams": [
+ "Microsoft-Syslog"
+ ],
+ "facilityNames": [
+ "syslog"
+ ],
+ "logLevels": [
+ "Alert",
+ "Critical",
+ "Emergency"
+ ]
+ }
+ ]
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace",
+ "name": "centralWorkspace"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-Perf",
+ "Microsoft-Syslog",
+ "Microsoft-Event"
+ ],
+ "destinations": [
+ "centralWorkspace"
+ ]
+ }
+ ]
+ }
+ }
+```
++
+## Next steps
+
+- [Create a data collection rule](../agents/data-collection-rule-azure-monitor-agent.md) and an association to it from a virtual machine using the Azure Monitor agent.
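Review bot: the bullet "Collects Windows security events and uploads every minute" understates what the `cloudSecurityTeamEvents` source does. Its query `"Security!*"` carries no `[System[...]]` predicate, so it forwards every event in the Security log at every level, whereas the `appTeam1AppEvents` queries restrict System and Application to `Level = 1 or Level = 2 or Level = 3`. Readers copy sample DCRs as-is, so either say in the bullet that the Security log is collected unfiltered, or add a level predicate to the sample to match the other two queries and point at the linked XPath article for narrowing it further. The rest of the JSON is a straight move from the deleted overview article and is unchanged.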
azure-monitor Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/gateway.md
To provide high availability for directly connected or Operations Management gro
The computer that runs the Log Analytics gateway requires the agent to identify the service endpoints that the gateway needs to communicate with. The agent also needs to direct the gateway to report to the same workspaces that the agents or Operations Manager management group behind the gateway are configured with. This configuration allows the gateway and the agent to communicate with their assigned workspace.
-A gateway can be multihomed to up to ten workspaces using the Azure Monitor Agent and [data dollection rules](./data-collection-rule-azure-monitor-agent.md). Using the legacy Microsoft Monitor Agent, you can only multihome up to four workspaces as that is the total number of workspaces the legacy Windows agent supports.
+A gateway can be multihomed to up to ten workspaces using the Azure Monitor Agent and [data collection rules](./data-collection-rule-azure-monitor-agent.md). Using the legacy Microsoft Monitor Agent, you can only multihome up to four workspaces as that is the total number of workspaces the legacy Windows agent supports.
Each agent must have network connectivity to the gateway so that agents can automatically transfer data to and from the gateway. Avoid installing the gateway on a domain controller. Linux computers that are behind a gateway server cannot use the [wrapper script installation](../agents/agent-linux.md#install-the-agent-using-wrapper-script) method to install the Log Analytics agent for Linux. The agent must be downloaded manually, copied to the computer, and installed manually because the gateway only supports communicating with the Azure services mentioned earlier.
To configure the Azure Monitor agent (installed on the gateway server) to use th
2. Add the **configuration endpoint URL** to fetch data collection rules to the allow list for the gateway `Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com` `Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com`
- (If using private links on the agent, you must also add the [dce endpoints](./data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint))
+ (If using private links on the agent, you must also add the [dce endpoints](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint))
3. Add the **data ingestion endpoint URL** to the allow list for the gateway `Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com` 3. Restart the **OMS Gateway** service to apply the changes
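Review bot: the trailing context line numbers two consecutive steps as `3.` ("Add the **data ingestion endpoint URL** ..." and "Restart the **OMS Gateway** service ..."); since this list is being touched for the private-link endpoint link, renumber the restart step to `4.`. The retargeted `../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint` anchor also needs the same existence check as the other `essentials/` links in this change, because the file is not part of it.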
azure-monitor Resource Manager Data Collection Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/resource-manager-data-collection-rules.md
Last updated 02/07/2022
# Resource Manager template samples for data collection rules in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create an association between a [data collection rule](data-collection-rule-overview.md) and the [Azure Monitor agent](./azure-monitor-agent-overview.md). Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create an association between a [data collection rule](../essentials/data-collection-rule-overview.md) and the [Azure Monitor agent](./azure-monitor-agent-overview.md). Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
azure-monitor Action Groups Create Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/action-groups-create-resource-manager-template.md
Previously updated : 12/14/2021 Last updated : 2/23/2022
azure-monitor Action Groups Logic App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/action-groups-logic-app.md
description: Learn how to create a logic app action to process Azure Monitor ale
Previously updated : 02/19/2021 Last updated : 2/23/2022 # How to trigger complex actions with Azure Monitor alerts
azure-monitor Action Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/action-groups.md
Title: Create and manage action groups in the Azure portal
description: Learn how to create and manage action groups in the Azure portal. Previously updated : 02/10/2022 Last updated : 2/23/2022
azure-monitor Alerts Action Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-action-rules.md
Title: Alert processing rules for Azure Monitor alerts description: Understanding what alert processing rules in Azure Monitor are and how to configure and manage them. Previously updated : 02/02/2022 Last updated : 2/23/2022
azure-monitor Alerts Activity Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-activity-log.md
Title: Create, view, and manage activity log alerts in Azure Monitor
description: Create activity log alerts by using the Azure portal, an Azure Resource Manager template, and Azure PowerShell. Previously updated : 11/08/2021 Last updated : 2/23/2022
azure-monitor Alerts Automatic Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-automatic-migration.md
Title: Understand how the automatic migration process for your Azure Monitor classic alerts works description: Learn how the automatic migration process works. Previously updated : 02/14/2021 Last updated : 2/23/2022 # Understand the automatic migration process for your classic alert rules
azure-monitor Alerts Classic Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-classic-portal.md
description: Learn how to use Azure portal, CLI or PowerShell to create, view an
Previously updated : 09/06/2021 Last updated : 2/23/2022 # Create, view, and manage classic metric alerts using Azure Monitor
azure-monitor Alerts Classic.Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-classic.overview.md
Title: Overview of classic alerts in Azure Monitor description: Classic alerts are being deprecated. Alerts enable you to monitor Azure resource metrics, events, or logs and be notified when a condition you specify is met. Previously updated : 02/14/2021 Last updated : 2/23/2022 # What are classic alerts in Microsoft Azure?
azure-monitor Alerts Dynamic Thresholds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-dynamic-thresholds.md
description: Create Alerts with machine learning based Dynamic Thresholds
Previously updated : 01/12/2021 Last updated : 2/23/2022 # Metric Alerts with Dynamic Thresholds in Azure Monitor
azure-monitor Alerts Log Api Switch https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-log-api-switch.md
description: Learn how to switch to the log alerts management to ScheduledQueryR
Previously updated : 02/22/2022 Last updated : 2/23/2022 # Upgrade legacy rules management to the current Log Alerts API from legacy Log Analytics Alert API
azure-monitor Alerts Log Create Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-log-create-templates.md
description: Learn how to use a Resource Manager template to create a log alert
Previously updated : 07/12/2021 Last updated : 2/23/2022 # Create a log alert with a Resource Manager template
azure-monitor Alerts Log Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-log-query.md
description: Recommendations for writing efficient alert queries
Previously updated : 09/22/2020 Last updated : 2/23/2022 # Optimizing log alert queries This article describes how to write and convert [Log Alert](./alerts-unified-log.md) queries to achieve optimal performance. Optimized queries reduce latency and load of alerts, which run frequently.
azure-monitor Alerts Log Webhook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-log-webhook.md
Previously updated : 09/22/2020 Last updated : 2/23/2022 # Webhook actions for log alert rules
azure-monitor Alerts Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-log.md
description: Use Azure Monitor to create, view, and manage log alert rules
Previously updated : 01/25/2022 Last updated : 2/23/2022 # Create, view, and manage log alerts using Azure Monitor
azure-monitor Alerts Manage Alerts Previous Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-manage-alerts-previous-version.md
Title: View and manage log alert rules created in previous versions| Microsoft D
description: Use the Azure Monitor portal to manage log alert rules created in earlier versions Previously updated : 12/14/2021 Last updated : 2/23/2022 # Manage alert rules created in previous versions
azure-monitor Alerts Managing Alert Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-managing-alert-instances.md
Title: Manage alert instances in Azure Monitor description: Managing alert instances across Azure Previously updated : 09/24/2018 Last updated : 2/23/2022
azure-monitor Alerts Managing Alert States https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-managing-alert-states.md
Title: Manage alert and smart group states
description: Managing the states of the alert and smart group instances Previously updated : 09/24/2018 Last updated : 2/23/2022
azure-monitor Alerts Managing Smart Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-managing-smart-groups.md
Title: Manage smart groups (preview) description: Managing Smart Groups created over your alert instances Previously updated : 09/24/2018 Last updated : 2/23/2022
azure-monitor Alerts Metric Create Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-metric-create-templates.md
Previously updated : 8/02/2021 Last updated : 2/23/2022 # Create a metric alert with a Resource Manager template
azure-monitor Alerts Metric Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-metric-logs.md
description: Tutorial on creating near-real time metric alerts on popular log an
Previously updated : 06/15/2021 Last updated : 2/23/2022
azure-monitor Alerts Metric Multiple Time Series Single Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-metric-multiple-time-series-single-rule.md
description: Alert at scale using a single alert rule for multiple time series
Previously updated : 01/11/2021 Last updated : 2/23/2022 # Monitor multiple time-series in a single metric alert rule
azure-monitor Alerts Metric Near Real Time https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-metric-near-real-time.md
Previously updated : 10/14/2021 Last updated : 2/23/2022 # Supported resources for metric alerts in Azure Monitor
azure-monitor Alerts Metric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-metric.md
description: Learn how to use Azure portal or CLI to create, view, and manage me
Previously updated : 11/07/2021 Last updated : 2/23/2022 # Create, view, and manage metric alerts using Azure Monitor
azure-monitor Alerts Prepare Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-prepare-migration.md
description: Learn how to modify your webhooks, logic apps, and runbooks to prep
Previously updated : 02/14/2021 Last updated : 2/23/2022 # Prepare your logic apps and runbooks for migration of classic alert rules
azure-monitor Alerts Rate Limiting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-rate-limiting.md
description: Understand how Azure limits the number of possible SMS, email, Azur
Previously updated : 3/12/2018 Last updated : 2/23/2022 # Rate limiting for Voice, SMS, emails, Azure App push notifications and webhook posts
azure-monitor Alerts Resource Move https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-resource-move.md
Previously updated : 02/14/2021 Last updated : 2/23/2022 # How to update alert rules or alert processing rules when their target resource moves to a different Azure region
azure-monitor Alerts Smart Detections Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-smart-detections-migration.md
Title: Upgrade Azure Monitor Application Insights smart detection to alerts (Preview) | Microsoft Docs description: Learn about the steps required to upgrade your Azure Monitor Application Insights smart detection to alert rules Previously updated : 05/30/2021 Last updated : 2/23/2022 # Migrate Azure Monitor Application Insights smart detection to alerts (Preview)
azure-monitor Alerts Smartgroups Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-smartgroups-overview.md
Title: Smart groups (preview) description: Smart Groups are aggregations of alerts that help you reduce alert noise Previously updated : 05/15/2018 Last updated : 2/23/2022 # Smart groups (preview)
azure-monitor Alerts Sms Behavior https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-sms-behavior.md
Previously updated : 02/16/2018 Last updated : 2/23/2022 # SMS Alert Behavior in Action Groups
azure-monitor Alerts Troubleshoot Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-troubleshoot-log.md
description: Common issues, errors, and resolutions for log alert rules in Azure
Previously updated : 01/25/2022 Last updated : 2/23/2022
azure-monitor Alerts Troubleshoot Metric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-troubleshoot-metric.md
description: Common issues with Azure Monitor metric alerts and possible solutio
Previously updated : 2/15/2022 Last updated : 2/23/2022 # Troubleshooting problems in Azure Monitor metric alerts
azure-monitor Alerts Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-troubleshoot.md
description: Common issues with Azure Monitor alerts and possible solutions.
Previously updated : 03/16/2020 Last updated : 2/23/2022 # Troubleshooting problems in Azure Monitor alerts
azure-monitor Alerts Understand Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-understand-migration.md
Title: Understand migration for Azure Monitor alerts description: Understand how the alerts migration works and troubleshoot problems. Previously updated : 09/06/2021 Last updated : 2/23/2022
azure-monitor Alerts Unified Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-unified-log.md
description: Trigger emails, notifications, call websites URLs (webhooks), or au
Previously updated : 01/25/2022 Last updated : 2/23/2022 # Log alerts in Azure Monitor
azure-monitor Alerts Using Migration Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-using-migration-tool.md
description: Learn how to use the voluntary migration tool to migrate your class
Previously updated : 02/14/2020 Last updated : 2/23/2022 # Use the voluntary migration tool to migrate your classic alert rules
azure-monitor Alerts Webhooks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-webhooks.md
description: Learn how to reroute Azure metric alerts to other, non-Azure system
Previously updated : 09/06/2021 Last updated : 2/23/2022 # Call a webhook with a classic metric alert in Azure Monitor
azure-monitor Api Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/api-alerts.md
Title: Using Log Analytics Alert REST API description: The Log Analytics Alert REST API allows you to create and manage alerts in Log Analytics. This article provides details of the API and several examples for performing different operations. Previously updated : 09/22/2020 Last updated : 2/23/2022
azure-monitor It Service Management Connector Secure Webhook Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/it-service-management-connector-secure-webhook-connections.md
Title: IT Service Management Connector - Secure Export in Azure Monitor description: This article shows you how to connect your ITSM products/services with Secure Export in Azure Monitor to centrally monitor and manage ITSM work items. Previously updated : 09/08/2020 Last updated : 2/23/2022
azure-monitor Itsm Connector Secure Webhook Connections Azure Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsm-connector-secure-webhook-connections-azure-configuration.md
Title: IT Service Management Connector - Secure Export in Azure Monitor - Azure Configurations description: This article shows you how to configure Azure in order to connect your ITSM products/services with Secure Export in Azure Monitor to centrally monitor and manage ITSM work items. Previously updated : 01/03/2021 Last updated : 2/23/2022
azure-monitor Itsmc Connections Cherwell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connections-cherwell.md
Title: Connect Cherwell with IT Service Management Connector description: This article provides information about how to connect Cherwell with the IT Service Management Connector (ITSMC) in Azure Monitor to centrally monitor and manage the ITSM work items. Previously updated : 12/21/2020 Last updated : 2/23/2022
azure-monitor Itsmc Connections Provance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connections-provance.md
Title: Connect Provance with IT Service Management Connector description: This article provides information about how to connect Provance with the IT Service Management Connector (ITSMC) in Azure Monitor to centrally monitor and manage the ITSM work items. Previously updated : 12/21/2020 Last updated : 2/23/2022
azure-monitor Itsmc Connections Scsm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connections-scsm.md
Title: Connect SCSM with IT Service Management Connector description: This article provides information about how to connect SCSM with the IT Service Management Connector (ITSMC) in Azure Monitor to centrally monitor and manage the ITSM work items. Previously updated : 12/21/2020 Last updated : 2/23/2022
azure-monitor Itsmc Connections Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connections-servicenow.md
Title: Connect ServiceNow with IT Service Management Connector description: Learn how to connect ServiceNow with the IT Service Management Connector (ITSMC) in Azure Monitor to centrally monitor and manage ITSM work items. Previously updated : 12/21/2020 Last updated : 2/23/2022
azure-monitor Itsmc Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connections.md
Title: IT Service Management Connector in Azure Monitor description: This article provides information about how to connect your ITSM products/services with the IT Service Management Connector (ITSMC) in Azure Monitor to centrally monitor and manage the ITSM work items. Previously updated : 05/12/2020 Last updated : 2/23/2022
azure-monitor Itsmc Connector Deletion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connector-deletion.md
Title: Delete unused ITSM connectors description: This article provides an explanation of how to delete ITSM connectors and the action groups that are associated with them. Previously updated : 12/29/2020 Last updated : 2/23/2022
azure-monitor Itsmc Dashboard Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-dashboard-errors.md
description: Learn about common errors that exist in the IT Service Management C
Previously updated : 01/18/2021 Last updated : 2/23/2022
azure-monitor Itsmc Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-dashboard.md
description: Learn how to use the IT Service Management Connector dashboard to i
Previously updated : 01/15/2021 Last updated : 2/23/2022
azure-monitor Itsmc Definition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-definition.md
Title: IT Service Management Connector in Log Analytics description: This article provides an overview of IT Service Management Connector (ITSMC) and information about using it to monitor and manage ITSM work items in Log Analytics and resolve problems quickly. Previously updated : 05/24/2018 Last updated : 2/23/2022
azure-monitor Itsmc Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-overview.md
Title: IT Service Management Connector overview description: This article provides an overview of IT Service Management Connector (ITSMC). Previously updated : 12/16/2020 Last updated : 2/23/2022
azure-monitor Itsmc Resync Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-resync-servicenow.md
description: Reset the connection to ServiceNow so alerts in Microsoft Azure can
Previously updated : 01/17/2021 Last updated : 2/23/2022 # How to manually fix sync problems
azure-monitor Itsmc Secure Webhook Connections Bmc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-secure-webhook-connections-bmc.md
Title: IT Service Management Connector - Secure Export in Azure Monitor - Configuration with BMC description: This article shows you how to connect your ITSM products/services with BMC on Secure Export in Azure Monitor. Previously updated : 12/31/2020 Last updated : 2/23/2022
azure-monitor Itsmc Secure Webhook Connections Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-secure-webhook-connections-servicenow.md
Title: IT Service Management Connector - Secure Export in Azure Monitor - Configuration with ServiceNow description: This article shows you how to connect your ITSM products/services with ServiceNow on Secure Export in Azure Monitor. Previously updated : 12/31/2020 Last updated : 2/23/2022
azure-monitor Itsmc Service Manager Script https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-service-manager-script.md
Title: Create web app for Service Management Connector description: Create a Service Manager Web app using an automated script to connect with IT Service Management Connector in Azure, and centrally monitor and manage the ITSM work items. Previously updated : 12/06/2021 Last updated : 2/23/2022
azure-monitor Itsmc Synced Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-synced-data.md
Title: Data synced from your ITSM product to LA Workspace description: This article provides an overview of data synced from your ITSM product to a Log Analytics (LA) workspace. Previously updated : 12/29/2020 Last updated : 2/23/2022
azure-monitor Itsmc Troubleshoot Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-troubleshoot-overview.md
description: Learn how to resolve common problems in IT Service Management Conne
Previously updated : 04/12/2020 Last updated : 2/23/2022 # Troubleshoot problems in IT Service Management Connector
azure-monitor Monitoring Classic Retirement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/monitoring-classic-retirement.md
description: Description of the retirement of classic monitoring services and fu
Previously updated : 02/14/2021 Last updated : 2/23/2022 # Unified alerting & monitoring in Azure Monitor replaces classic alerting & monitoring
azure-monitor Resource Manager Alerts Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/resource-manager-alerts-log.md
description: Sample Azure Resource Manager templates to deploy Azure Monitor log
Previously updated : 07/12/2021 Last updated : 2/23/2022
azure-monitor Resource Manager Alerts Metric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/resource-manager-alerts-metric.md
Previously updated : 02/10/2022 Last updated : 2/23/2022 # Resource Manager template samples for metric alert rules in Azure Monitor
azure-monitor Annotations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/annotations.md
Title: Release annotations for Application Insights | Microsoft Docs
description: Learn how to create annotations to track deployment or other significant events with Application Insights. Last updated 07/20/2021- # Release annotations for Application Insights
azure-monitor Apm Tables https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/apm-tables.md
Title: Azure Monitor Application Insights workspace-based resource schema
description: Learn about the new table structure and schema for Azure Monitor Application Insights workspace-based resources. Last updated 05/09/2020- # Workspace-based resource changes
-Prior to the introduction of [workspace-based Application Insights resources](create-workspace-resource.md), Application Insights data was stored separate from other log data in Azure Monitor. Both are based on Azure Data Explorer and use the same Kusto Query Language (KQL). This is described in [Logs in Azure Monitor](../logs/data-platform-logs.md).
+Prior to the introduction of [workspace-based Application Insights resources](create-workspace-resource.md), Application Insights data was stored separate from other log data in Azure Monitor. Both are based on Azure Data Explorer and use the same Kusto Query Language (KQL). With workspace-based Application Insights resources data is stored in a Log Analytics workspace with other monitoring data and application data. This simplifies your configuration by allowing you to more easily analyze data across multiple solutions and to leverage the capabilities of workspaces.
+
+## Classic data structure
+The structure of a Log Analytics workspace is described in [Log Analytics workspace overview](../logs/log-analytics-workspace-overview.md). For a classic application, the data is not stored in a Log Analytics workspace. It uses the same query language, and you create and run queries by using the same Log Analytics tool in the Azure portal. Data items for classic applications are stored separately from each other. The general structure is the same as for workspace-based applications, although the table and column names are different.
+
+> [!NOTE]
+> The classic Application Insights experience includes backward compatibility for your resource queries, workbooks, and log-based alerts. To query or view against the [new workspace-based table structure or schema](../app/apm-tables.md), you must first go to your Log Analytics workspace. During the preview, selecting **Logs** from within the Application Insights panes will give you access to the classic Application Insights query experience. For more information, see [Query scope](../logs/scope.md).
-With workspace-based Application Insights resources data is stored in a Log Analytics workspace with other monitoring data and application data. This simplifies your configuration by allowing you to more easily analyze data across multiple solutions and to leverage the capabilities of workspaces.
+[![Diagram that shows the Azure Monitor Logs structure for Application Insights.](../logs/media/data-platform-logs/logs-structure-ai.png)](../logs/media/data-platform-logs/logs-structure-ai.png#lightbox)
## Table structure
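Review bot: The "new workspace-based table structure or schema" link in the added NOTE points at ../app/apm-tables.md, which is this same file (articles/azure-monitor/app/apm-tables.md), so readers are sent back to the page they are already on; link to the "## Table structure" section below (#table-structure) instead, or drop the link. Two grammar nits in the rewritten intro line: "stored separate from other log data" should be "stored separately from other log data", and "With workspace-based Application Insights resources data is stored" needs a comma after "resources".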
azure-monitor App Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/app-insights-overview.md
Title: Application Insights overview description: Learn how Application Insights in Azure Monitor provides performance management and usage tracking of your live web application.-- Last updated 01/10/2022
azure-monitor App Map https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/app-map.md
Last updated 03/15/2019 ms.devlang: csharp, java, javascript, python -
azure-monitor Asp Net Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net-core.md
ms.devlang: csharp Last updated 10/12/2021- # Application Insights for ASP.NET Core applications
azure-monitor Asp Net Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net-exceptions.md
ms.devlang: csharp Last updated 05/19/2021- # Diagnose exceptions in web apps with Application Insights
azure-monitor Asp Net Trace Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net-trace-logs.md
ms.devlang: csharp Last updated 05/08/2019- # Explore .NET/.NET Core and Python trace logs in Application Insights
azure-monitor Asp Net Troubleshoot No Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net-troubleshoot-no-data.md
ms.devlang: csharp Last updated 05/21/2020- # Troubleshooting no data - Application Insights for .NET/.NET Core
azure-monitor Asp Net https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net.md
Last updated 10/12/2021 ms.devlang: csharp - # Configure Application Insights for your ASP.NET website
azure-monitor Auto Collect Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/auto-collect-dependencies.md
ms.devlang: csharp, java, javascript Last updated 05/06/2020- # Dependency auto-collection
azure-monitor Automate Custom Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/automate-custom-reports.md
Title: Automate custom reports with Application Insights data
description: Automate custom daily/weekly/monthly reports with Azure Monitor Application Insights data Last updated 05/20/2019-
azure-monitor Automate With Logic Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/automate-with-logic-apps.md
Title: Automate Azure Application Insights processes by using Logic Apps
description: Learn how you can quickly automate repeatable processes by adding the Application Insights connector to your logic app. Last updated 03/11/2019- # Automate Application Insights processes by using Logic Apps
azure-monitor Availability Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/availability-alerts.md
Title: Set up availability alerts with Azure Application Insights | Microsoft Do
description: Learn how to set up web tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly. Last updated 06/19/2019-
azure-monitor Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/availability-overview.md
Title: Application Insights availability tests
description: Set up recurring web tests to monitor availability and responsiveness of your app or website. Last updated 07/13/2021- # Application Insights availability tests
azure-monitor Availability Private Test https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/availability-private-test.md
Title: Private availability testing - Azure Monitor Application Insights
description: Learn how to use availability tests on internal servers that run behind a firewall with private testing. Last updated 05/14/2021- # Private testing
azure-monitor Azure Functions Supported Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-functions-supported-features.md
Title: Azure Application Insights - Azure Functions Supported Features description: Application Insights Supported Features for Azure Functions -- Last updated 4/23/2019- ms.devlang: csharp
azure-monitor Azure Vm Vmss Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-vm-vmss-apps.md
Last updated 08/26/2019 ms.devlang: csharp, java, javascript, python - # Deploy the Azure Monitor Application Insights Agent on Azure virtual machines and Azure virtual machine scale sets
$publicCfgHashtable =
@{ "appFilter"= ".*"; "machineFilter"= ".*";
- "virtualPathFilter": ".*",
- "instrumentationSettings" : {
- "connectionString": "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/" # Application Insights connection string, create new Application Insights resource if you don't have one. https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.insights%2Fcomponents
+ "virtualPathFilter"= ".*";
+ "instrumentationSettings" = @{
+ "connectionString"= "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/" # Application Insights connection string, create new Application Insights resource if you don't have one. https://ms.portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.insights%2Fcomponents
} } )
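Review bot: The comment on the "connectionString" line swaps the public portal host https://portal.azure.com/ for https://ms.portal.azure.com/; ms.portal.azure.com is the Microsoft-internal alias of the portal, and a public doc should keep the public host (https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.insights%2Fcomponents). The syntax change itself is correct: the removed lines mixed JSON punctuation (":" , "," and "{") into a PowerShell hashtable, which does not parse, and the "=" / ";" / "@{" forms now match the surrounding "appFilter" and "machineFilter" entries. Also, the closing "} } )" ends with a ")" that has no opening parenthesis anywhere in this snippet; confirm it matches an opener outside the hunk, otherwise it is a copy-paste leftover.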
azure-monitor Change Analysis Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/change-analysis-troubleshoot.md
Title: Troubleshoot Application Change Analysis - Azure Monitor description: Learn how to troubleshoot problems in Application Change Analysis. -- Last updated 02/17/2022 - # Troubleshoot Application Change Analysis (preview)
azure-monitor Change Analysis Visualizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/change-analysis-visualizations.md
Title: Visualizations for Application Change Analysis - Azure Monitor description: Learn how to use visualizations in Application Change Analysis in Azure Monitor. -- Last updated 01/11/2022- # Visualizations for Application Change Analysis (preview)
azure-monitor Change Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/change-analysis.md
Title: Use Application Change Analysis in Azure Monitor to find web-app issues | Microsoft Docs description: Use Application Change Analysis in Azure Monitor to troubleshoot application issues on live sites on Azure App Service. -- Last updated 01/11/2022 - # Use Application Change Analysis in Azure Monitor (preview)
azure-monitor Cloudservices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/cloudservices.md
ms.devlang: csharp Last updated 09/05/2018- # Application Insights for Azure cloud services
azure-monitor Codeless Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/codeless-overview.md
Title: Monitor your apps without code changes - auto-instrumentation for Azure M
description: Overview of auto-instrumentation for Azure Monitor Application Insights - codeless application performance management Last updated 08/31/2021- # What is auto-instrumentation for Azure Monitor Application Insights?
azure-monitor Configuration With Applicationinsights Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/configuration-with-applicationinsights-config.md
Last updated 05/22/2019 ms.devlang: csharp -
azure-monitor Console https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/console.md
Last updated 05/21/2020 ms.devlang: csharp -
azure-monitor Continuous Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/continuous-monitoring.md
Title: Continuous monitoring of your DevOps release pipeline with Azure Pipeline
description: Provides instructions to quickly set up continuous monitoring with Application Insights Last updated 05/01/2020- # Add continuous monitoring to your release pipeline
azure-monitor Convert Classic Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/convert-classic-resource.md
description: Learn about the steps required to upgrade your Azure Monitor Applic
Last updated 09/23/2020 - # Migrate to workspace-based Application Insights resources
azure-monitor Create New Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/create-new-resource.md
description: Manually set up Application Insights monitoring for a new live appl
Last updated 02/10/2021 - # Create an Application Insights resource
azure-monitor Custom Data Correlation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-data-correlation.md
Title: Azure Application Insights | Microsoft Docs description: Correlate data from Application Insights to other datasets, such as data enrichment or lookup tables, non-Application Insights data sources, and custom data. -- Last updated 08/08/2018-
azure-monitor Custom Operations Tracking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-operations-tracking.md
ms.devlang: csharp Last updated 11/26/2019-
azure-monitor Data Model Context https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-context.md
Title: Azure Application Insights Telemetry Data Model - Telemetry Context | Mic
description: Application Insights telemetry context data model Last updated 05/15/2017-
azure-monitor Data Model Dependency Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-dependency-telemetry.md
Title: Azure Monitor Application Insights Dependency Data Model
description: Application Insights data model for dependency telemetry Last updated 04/17/2017-
azure-monitor Data Model Event Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-event-telemetry.md
Title: Azure Application Insights Telemetry Data Model - Event Telemetry | Micro
description: Application Insights data model for event telemetry Last updated 04/25/2017-
azure-monitor Data Model Exception Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-exception-telemetry.md
Title: Azure Application Insights Exception Telemetry Data model
description: Application Insights data model for exception telemetry Last updated 04/25/2017-
azure-monitor Data Model Metric Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-metric-telemetry.md
Title: Data model for metric telemetry - Azure Application Insights
description: Application Insights data model for metric telemetry Last updated 04/25/2017-
azure-monitor Data Model Request Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-request-telemetry.md
Title: Data model for request telemetry - Azure Application Insights
description: Application Insights data model for request telemetry Last updated 01/07/2019-
azure-monitor Data Model Trace Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-trace-telemetry.md
Title: Azure Application Insights Data Model - Trace Telemetry
description: Application Insights data model for trace telemetry Last updated 04/25/2017-
azure-monitor Data Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model.md
Title: Azure Application Insights Telemetry Data Model | Microsoft Docs
description: Application Insights data model overview documentationcenter: .net- - ibiza Last updated 10/14/2019 - # Application Insights telemetry data model
azure-monitor Devops https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/devops.md
Title: Web app performance monitoring - Azure Application Insights
description: How Application Insights fits into the DevOps cycle Last updated 12/21/2018- # Deep diagnostics for web apps and services with Application Insights
azure-monitor Diagnostic Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/diagnostic-search.md
Title: Using Search in Azure Application Insights | Microsoft Docs
description: Search and filter raw telemetry sent by your web app. Last updated 07/30/2019- # Using Search in Application Insights
azure-monitor Distributed Tracing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/distributed-tracing.md
Title: Distributed Tracing in Azure Application Insights | Microsoft Docs
description: Provides information about Microsoft's support for distributed tracing through our partnership in the OpenCensus project -- Last updated 09/17/2018-
azure-monitor Eventcounters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/eventcounters.md
description: Monitor system and custom .NET/.NET Core EventCounters in Applicati
Last updated 09/20/2019 - # EventCounters introduction
azure-monitor Export Data Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/export-data-model.md
Title: Azure Application Insights Data Model | Microsoft Docs
description: Describes properties exported from continuous export in JSON, and used as filters. Last updated 01/08/2019- # Application Insights Export Data Model
azure-monitor Export Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/export-power-bi.md
Title: Export to Power BI from Azure Application Insights | Microsoft Docs
description: Analytics queries can be displayed in Power BI. Last updated 08/10/2018- # Feed Power BI from Application Insights
azure-monitor Get Metric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/get-metric.md
Title: Get-Metric in Azure Monitor Application Insights description: Learn how to effectively use the GetMetric() call to capture locally pre-aggregated metrics for .NET and .NET Core applications with Azure Monitor Application Insights - Last updated 04/28/2020 ms.devlang: csharp
azure-monitor Ip Addresses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/ip-addresses.md
Title: IP addresses used by Azure Monitor
description: Server firewall exceptions required by Application Insights Last updated 01/27/2020- # IP addresses used by Azure Monitor
azure-monitor Java 2X Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-agent.md
Last updated 01/10/2019 ms.devlang: java -- # Monitor dependencies, caught exceptions, and method execution times in Java web apps
azure-monitor Java 2X Collectd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-collectd.md
Last updated 03/14/2019 ms.devlang: java --- # collectd: Linux performance metrics in Application Insights [Deprecated]
azure-monitor Java 2X Filter Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-filter-telemetry.md
Last updated 3/14/2019 ms.devlang: java -- # Filter telemetry in your Java web app
azure-monitor Java 2X Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-get-started.md
Last updated 11/22/2020 ms.devlang: java -- # Get started with Application Insights in a Java web project
azure-monitor Java 2X Micrometer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-micrometer.md
ms.devlang: java Last updated 11/01/2018-- # How to use Micrometer with Azure Application Insights Java SDK (not recommended)
azure-monitor Java 2X Trace Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-trace-logs.md
Last updated 05/18/2019 ms.devlang: java -- # Explore Java trace logs in Application Insights
azure-monitor Java 2X Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-troubleshoot.md
Last updated 03/14/2019 ms.devlang: java -- # Troubleshooting and Q and A for Application Insights for Java SDK
azure-monitor Java In Process Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-in-process-agent.md
Last updated 06/24/2021 ms.devlang: java -- # Azure Monitor OpenTelemetry-based auto-instrumentation for Java applications
azure-monitor Java Jmx Metrics Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-jmx-metrics-configuration.md
Last updated 03/16/2021 ms.devlang: java -- # Configuring JMX metrics
azure-monitor Java On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-on-premises.md
ms.devlang: java Last updated 04/16/2020--- # Java codeless application monitoring on-premises - Azure Monitor Application Insights
azure-monitor Java Standalone Arguments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-arguments.md
Last updated 04/16/2020 ms.devlang: java -- # Tips for updating your JVM args - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-config.md
Last updated 11/04/2020 ms.devlang: java -- # Configuration options - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Sampling Overrides https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-sampling-overrides.md
Title: Sampling overrides (preview) - Azure Monitor Application Insights for Jav
description: Learn to configure sampling overrides in Azure Monitor Application Insights for Java. Last updated 03/22/2021- ms.devlang: java - # Sampling overrides (preview) - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Telemetry Processors Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-telemetry-processors-examples.md
Title: Telemetry processor examples - Azure Monitor Application Insights for Jav
description: Explore examples that show telemetry processors in Azure Monitor Application Insights for Java. Last updated 12/29/2020- ms.devlang: java - # Telemetry processor examples - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Telemetry Processors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-telemetry-processors.md
Title: Telemetry processors (preview) - Azure Monitor Application Insights for J
description: Learn to configure telemetry processors in Azure Monitor Application Insights for Java. Last updated 10/29/2020- ms.devlang: java - # Telemetry processors (preview) - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Upgrade From 2X https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-upgrade-from-2x.md
Last updated 11/25/2020 ms.devlang: java -- # Upgrading from Application Insights Java 2.x SDK
azure-monitor Javascript Angular Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-angular-plugin.md
ibiza Last updated 10/07/2020-- ms.devlang: javascript
azure-monitor Javascript Click Analytics Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-click-analytics-plugin.md
ibiza Last updated 01/14/2021-- ms.devlang: javascript
azure-monitor Javascript React Native Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-react-native-plugin.md
Title: React Native plugin for Application Insights JavaScript SDK description: How to install and use the React Native plugin for Application Insights JavaScript SDK. - ibiza
azure-monitor Javascript React Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-react-plugin.md
Title: React plugin for Application Insights JavaScript SDK description: How to install and use React plugin for Application Insights JavaScript SDK. - ibiza
azure-monitor Javascript Sdk Load Failure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk-load-failure.md
Title: Troubleshooting SDK load failure for JavaScript web applications - Azure Application Insights description: How to troubleshoot SDK load failure for JavaScript web applications -- Last updated 06/05/2020 ms.devlang: javascript
azure-monitor Kubernetes Codeless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/kubernetes-codeless.md
Title: Monitor applications on Azure Kubernetes Service (AKS) with Application I
description: Azure Monitor seamlessly integrates with your application running on Kubernetes, and allows you to spot the problems with your apps in no time. Last updated 05/13/2020- # Zero instrumentation application monitoring for Kubernetes - Azure Monitor Application Insights
azure-monitor Live Stream https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/live-stream.md
Title: Diagnose with Live Metrics Stream - Azure Application Insights
description: Monitor your web app in real time with custom metrics, and diagnose issues with a live feed of failures, traces, and events. Last updated 10/12/2021- ms.devlang: csharp
azure-monitor Monitor Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/monitor-functions.md
Title: Monitor applications running on Azure Functions with Application Insights
description: Azure Monitor seamlessly integrates with your application running on Azure Functions, and allows you to monitor the performance and spot the problems with your apps in no time. Last updated 08/27/2021- # Monitoring Azure Functions with Azure Monitor Application Insights
azure-monitor Monitor Web App Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/monitor-web-app-availability.md
Title: Monitor availability with URL ping tests - Azure Monitor
description: Set up ping tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly. Last updated 07/13/2021-
azure-monitor Opencensus Python Dependency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opencensus-python-dependency.md
Title: Dependency Tracking in Azure Application Insights with OpenCensus Python | Microsoft Docs description: Monitor dependency calls for your Python apps via OpenCensus Python. -- Last updated 10/15/2019 ms.devlang: python - # Track dependencies with OpenCensus Python
azure-monitor Opencensus Python Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opencensus-python-request.md
Title: Incoming Request Tracking in Azure Application Insights with OpenCensus Python | Microsoft Docs description: Monitor request calls for your Python apps via OpenCensus Python. -- Last updated 10/15/2019 ms.devlang: python - # Track incoming requests with OpenCensus Python
azure-monitor Opencensus Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opencensus-python.md
Last updated 10/12/2021
ms.devlang: python -- # Set up Azure Monitor for your Python application
azure-monitor Opentelemetry Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-enable.md
Title: Enable Azure Monitor OpenTelemetry for .NET, Node.js, and Python applicat
description: This article provides guidance on how to enable Azure Monitor on applications by using OpenTelemetry. Last updated 10/11/2021-- ms.devlang: csharp, javascript, python
azure-monitor Opentelemetry Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-overview.md
Title: OpenTelemetry with Azure Monitor overview
description: Provides an overview of how to use OpenTelemetry with Azure Monitor. Last updated 10/11/2021-- # OpenTelemetry overview
azure-monitor Overview Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/overview-dashboard.md
Title: Azure Application Insights Overview Dashboard | Microsoft Docs
description: Monitor applications with Azure Application Insights and Overview Dashboard functionality. Last updated 06/03/2019- # Application Insights Overview dashboard
azure-monitor Performance Counters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/performance-counters.md
Last updated 12/13/2018 ms.devlang: csharp - # System performance counters in Application Insights
azure-monitor Platforms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/platforms.md
Title: 'Application Insights: languages, platforms, and integrations | Microsoft
description: Languages, platforms, and integrations available for Application Insights Last updated 10/29/2021-
azure-monitor Powershell Azure Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/powershell-azure-diagnostics.md
description: Automate configuring Azure Diagnostics to pipe data to Application
Last updated 08/06/2019 - # Using PowerShell to set up Application Insights for Azure Cloud Services
azure-monitor Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/powershell.md
description: Automate creating and managing resources, alerts, and availability
Last updated 05/02/2020 - # Manage Application Insights resources using PowerShell
azure-monitor Pre Aggregated Metrics Log Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/pre-aggregated-metrics-log-metrics.md
Title: Log-based and pre-aggregated metrics in Azure Application Insights | Microsoft Docs description: Why to use log-based versus pre-aggregated metrics in Azure Application Insights -- Last updated 09/18/2018-
azure-monitor Pricing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/pricing.md
Title: Manage usage and costs for Azure Application Insights | Microsoft Docs
description: Manage telemetry volumes and monitor costs in Application Insights. -- Last updated 02/17/2021
azure-monitor Proactive Application Security Detection Pack https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-application-security-detection-pack.md
Title: Security detection Pack with Azure Application Insights
description: Monitor application with Azure Application Insights and smart detection for potential security issues. Last updated 12/12/2017- # Application security detection pack (preview)
azure-monitor Proactive Arm Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-arm-config.md
Title: Smart detection rule settings - Azure Application Insights description: Automate management and configuration of Azure Application Insights smart detection rules with Azure Resource Manager Templates -- Last updated 02/14/2021- # Manage Application Insights smart detection rules using Azure Resource Manager templates
azure-monitor Proactive Cloud Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-cloud-services.md
Title: Alert on issues in Azure Cloud Services using the Azure Diagnostics integ
description: Monitor for issues like startup failures, crashes, and role recycle loops in Azure Cloud Services with Azure Application Insights Last updated 06/07/2018-
azure-monitor Proactive Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-diagnostics.md
Title: Smart detection in Azure Application Insights | Microsoft Docs
description: Application Insights performs automatic deep analysis of your app telemetry and warns you of potential problems. Last updated 02/07/2019- # Smart detection in Application Insights
azure-monitor Proactive Email Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-email-notification.md
Title: Smart Detection notification change - Azure Application Insights description: Change to the default notification recipients from Smart Detection. Smart Detection lets you monitor application traces with Azure Application Insights for unusual patterns in trace telemetry. -- Last updated 02/14/2021- # Smart Detection e-mail notification change
azure-monitor Proactive Exception Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-exception-volume.md
Title: Abnormal rise in exception volume - Azure Application Insights
description: Monitor application exceptions with smart detection in Azure Application Insights for unusual patterns in exception volume. Last updated 12/08/2017- # Abnormal rise in exception volume (preview)
azure-monitor Proactive Failure Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-failure-diagnostics.md
Title: Smart Detection - failure anomalies, in Application Insights | Microsoft
description: Alerts you to unusual changes in the rate of failed requests to your web app, and provides diagnostic analysis. No configuration is needed. Last updated 12/18/2018-
azure-monitor Proactive Performance Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-performance-diagnostics.md
Title: Smart detection - performance anomalies | Microsoft Docs
description: Smart detection analyzes your app telemetry and warns you of potential problems. This feature needs no setup. Last updated 05/04/2017-
azure-monitor Proactive Potential Memory Leak https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-potential-memory-leak.md
Title: Detect memory leak - Azure Application Insights smart detection
description: Monitor applications with Azure Application Insights for potential memory leaks. Last updated 12/12/2017- # Memory leak detection (preview)
azure-monitor Proactive Trace Severity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-trace-severity.md
Title: Degradation in trace severity ratio - Azure Application Insights
description: Monitor application traces with Azure Application Insights for unusual patterns in trace telemetry with smart detection. Last updated 11/27/2017- # Degradation in trace severity ratio (preview)
azure-monitor Profiler Aspnetcore Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-aspnetcore-linux.md
description: A conceptual overview and step-by-step tutorial on how to use Appli
ms.devlang: csharp -- Last updated 02/23/2018-
azure-monitor Profiler Bring Your Own Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-bring-your-own-storage.md
Title: Configure BYOS (Bring Your Own Storage) for Profiler & Snapshot Debugger description: Configure BYOS (Bring Your Own Storage) for Profiler & Snapshot Debugger -- Last updated 01/14/2021-
azure-monitor Profiler Cloudservice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-cloudservice.md
Title: Profile live Azure Cloud Services with Application Insights | Microsoft D
description: Enable Application Insights Profiler for Azure Cloud Services. -- Last updated 08/06/2018-
azure-monitor Profiler Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-overview.md
Title: Profile production apps in Azure with Application Insights Profiler description: Identify the hot path in your web server code with a low-footprint profiler. -- Last updated 08/06/2018-
azure-monitor Profiler Servicefabric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-servicefabric.md
Title: Profile live Azure Service Fabric apps with Application Insights
description: Enable Profiler for a Service Fabric application -- Last updated 08/06/2018-
azure-monitor Profiler Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-settings.md
Title: Use the Azure Application Insights Profiler settings pane | Microsoft Docs description: See Profiler status and start profiling sessions -- Last updated 12/08/2021-
azure-monitor Profiler Trackrequests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-trackrequests.md
Title: Write code to track requests with Azure Application Insights | Microsoft Docs description: Write code to track requests with Application Insights so you can get profiles for your requests. -- Last updated 08/06/2018-
azure-monitor Profiler Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-troubleshooting.md
Title: Troubleshoot problems with Azure Application Insights Profiler description: This article presents troubleshooting steps and information to help developers enable and use Application Insights Profiler. -- Last updated 08/06/2018-
azure-monitor Profiler Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler-vm.md
Title: Profile web apps on an Azure VM - Application Insights Profiler description: Profile web apps on an Azure VM by using Application Insights Profiler. -- Last updated 11/08/2019-
azure-monitor Profiler https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/profiler.md
Title: Profile live Azure App Service apps with Application Insights | Microsoft Docs description: Profile live apps on Azure App Service with Application Insights Profiler. -- Last updated 08/06/2018
azure-monitor Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/release-notes.md
description: The latest updates for Application Insights SDKs.
Last updated 07/27/2020- # Release Notes - Application Insights
azure-monitor Remove Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/remove-application-insights.md
Title: Remove Application Insights in Visual Studio - Azure Monitor
description: How to remove Application Insights SDK for ASP.NET and ASP.NET Core in Visual Studio. Last updated 04/06/2020- # How to remove Application Insights in Visual Studio
azure-monitor Resource Manager Function App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/resource-manager-function-app.md
Title: Resource Manager template samples for Azure Function App + Application In
description: Sample Azure Resource Manager templates to deploy an Azure Function App with an Application Insights resource. Last updated 08/06/2020- # Resource Manager template sample for creating Azure Function apps with Application Insights monitoring
azure-monitor Resource Manager Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/resource-manager-web-app.md
description: Sample Azure Resource Manager templates to deploy an Azure App Serv
Last updated 08/06/2020- # Resource Manager template samples for creating Azure App Services web apps with Application Insights monitoring
azure-monitor Resources Roles Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/resources-roles-access-control.md
description: Owners, contributors and readers of your organization's insights.
Last updated 02/14/2019 - # Resources, roles, and access control in Application Insights
azure-monitor Sdk Connection String https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sdk-connection-string.md
Title: Connection strings in Azure Application Insights | Microsoft Docs description: How to use connection strings. -- Last updated 01/17/2020
azure-monitor Separate Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/separate-resources.md
Title: How to design your Application Insights deployment - One vs many resource
description: Direct telemetry to different resources for development, test, and production stamps. Last updated 05/11/2020- # How many Application Insights resources should I deploy
azure-monitor Sharepoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sharepoint.md
Title: Monitor a SharePoint site with Application Insights
description: Start monitoring a new application with a new instrumentation key Last updated 09/08/2020- # Monitor a SharePoint site with Application Insights
azure-monitor Sla Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sla-report.md
Title: Downtime, SLA, and outage workbook - Application Insights
description: Calculate and report SLA for Web Test through a single pane of glass across your Application Insights resources and Azure subscriptions. Last updated 05/4/2021- # Downtime, SLA, and outages workbook
azure-monitor Snapshot Collector Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-collector-release-notes.md
Title: Release Notes for Microsoft.ApplicationInsights.SnapshotCollector NuGet package - Application Insights description: Release notes for the Microsoft.ApplicationInsights.SnapshotCollector NuGet package used by the Application Insights Snapshot Debugger. -- Last updated 11/10/2020
azure-monitor Snapshot Debugger Appservice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-appservice.md
Title: Enable Snapshot Debugger for .NET apps in Azure App Service | Microsoft Docs description: Enable Snapshot Debugger for .NET apps in Azure App Service -- Last updated 03/26/2019-
azure-monitor Snapshot Debugger Function App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-function-app.md
Title: Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions | Microsoft Docs description: Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions -- Last updated 12/18/2020
azure-monitor Snapshot Debugger Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-troubleshoot.md
Title: Troubleshoot Azure Application Insights Snapshot Debugger description: This article presents troubleshooting steps and information to help developers enable and use Application Insights Snapshot Debugger. -- Last updated 03/07/2019-
azure-monitor Snapshot Debugger Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-upgrade.md
Title: Upgrading Azure Application Insights Snapshot Debugger description: How to upgrade Snapshot Debugger for .NET apps to the latest version on Azure App Services, or via Nuget packages -- Last updated 03/28/2019-
azure-monitor Snapshot Debugger Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-vm.md
Title: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines | Microsoft Docs description: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines -- Last updated 03/07/2019-
azure-monitor Snapshot Debugger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger.md
description: Debug snapshots are automatically collected when exceptions are thr
Last updated 10/12/2021---
azure-monitor Standard Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/standard-metrics.md
description: This article lists Azure Application Insights metrics with supporte
Last updated 07/03/2019- # Application Insights standard metrics
azure-monitor Status Monitor V2 Api Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-api-reference.md
Title: Azure Application Insights .Net Agent API reference description: Application Insights Agent API reference. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure. -- Last updated 04/23/2019- # Azure Monitor Application Insights Agent API Reference
azure-monitor Status Monitor V2 Detailed Instructions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-detailed-instructions.md
Title: Azure Application Insights Agent detailed instructions | Microsoft Docs description: Detailed instructions for getting started with Application Insights Agent. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure. -- Last updated 04/23/2019- # Application Insights Agent (formerly named Status Monitor v2): Detailed instructions
azure-monitor Status Monitor V2 Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-get-started.md
Title: Azure Application Insights Agent - getting started | Microsoft Docs description: A quickstart guide for Application Insights Agent. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure. -- Last updated 01/22/2021
azure-monitor Status Monitor V2 Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-overview.md
Title: Azure Application Insights Agent overview | Microsoft Docs description: An overview of Application Insights Agent. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure. -- Last updated 09/16/2019- # Deploy Azure Monitor Application Insights Agent for on-premises servers
azure-monitor Status Monitor V2 Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-troubleshoot.md
Title: Azure Application Insights Agent troubleshooting and known issues | Microsoft Docs description: The known issues of Application Insights Agent and troubleshooting examples. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure. -- Last updated 04/23/2019- # Troubleshooting Application Insights Agent (formerly named Status Monitor v2)
azure-monitor Telemetry Channels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/telemetry-channels.md
Last updated 05/14/2019 ms.devlang: csharp -
azure-monitor Transaction Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/transaction-diagnostics.md
Title: Azure Application Insights Transaction Diagnostics | Microsoft Docs
description: Application Insights end-to-end transaction diagnostics Last updated 01/19/2018-
azure-monitor Tutorial Alert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-alert.md
Title: Send alerts from Azure Application Insights | Microsoft Docs
description: Tutorial to send alerts in response to errors in your application using Azure Application Insights. Last updated 04/10/2019-
azure-monitor Tutorial App Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-app-dashboards.md
Title: Create custom dashboards in Azure Application Insights | Microsoft Docs
description: Tutorial to create custom KPI dashboards using Azure Application Insights. Last updated 09/30/2020-
azure-monitor Tutorial Runtime Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-runtime-exceptions.md
Title: Diagnose run-time exceptions using Azure Application Insights | Microsoft
description: Tutorial to find and diagnose run-time exceptions in your application using Azure Application Insights. Last updated 09/19/2017-
azure-monitor Usage Cohorts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-cohorts.md
Title: Application Insights usage cohorts | Microsoft Docs
description: Analyze different sets or users, sessions, events, or operations that have something in common Last updated 07/30/2021- # Application Insights cohorts
azure-monitor Usage Flows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-flows.md
Title: Application Insights User Flows analyzes navigation flows description: Analyze how users navigate between the pages and features of your web app. -- Last updated 07/30/2021- # Analyze user navigation patterns with User Flows in Application Insights
azure-monitor Usage Funnels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-funnels.md
Title: Application Insights Funnels
description: Learn how you can use Funnels to discover how customers are interacting with your application. Last updated 07/30/2021- # Discover how customers are using your application with Application Insights Funnels
azure-monitor Usage Heart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-heart.md
Title: HEART analytics workbook
description: Product teams use the HEART Workbook to measure success across five user-centric dimensions to deliver better software. Last updated 11/11/2021- # Analyzing product usage with HEART
azure-monitor Usage Impact https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-impact.md
Title: Application Insights Usage Impact - Azure Monitor description: Analyze how different properties potentially impact conversion rates for parts of your apps. -- Last updated 07/30/2021- # Impact analysis with Application Insights
azure-monitor Usage Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-overview.md
Title: Usage analysis with Application Insights | Azure Monitor
description: Understand your users and what they do with your app. Last updated 07/30/2021- # Usage analysis with Application Insights
azure-monitor Usage Retention https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-retention.md
Title: Analyze web app user retention with Application Insights
description: How many users return to your app? Last updated 07/30/2021- # User retention analysis for web applications with Application Insights
azure-monitor Usage Segmentation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-segmentation.md
Title: User, session, and event analysis in Application Insights description: Demographic analysis of users of your web app. -- Last updated 07/30/2021- # Users, sessions, and events analysis in Application Insights
azure-monitor Usage Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-troubleshoot.md
Title: Troubleshoot user analytics tools - Application Insights
description: Troubleshooting guide - analyzing site and app usage with Application Insights. Last updated 07/30/2021- # Troubleshoot user behavior analytics tools in Application Insights
azure-monitor Web App Extension Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/web-app-extension-release-notes.md
Title: Release Notes for Azure web app extension - Application Insights
description: Releases notes for Azure Web Apps Extension for runtime instrumentation with Application Insights. Last updated 06/26/2020- # Release notes for Azure Web App extension for Application Insights
azure-monitor Work Item Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/work-item-integration.md
Title: Work Item Integration - Application Insights
description: Learn how to create work items in GitHub or Azure DevOps with Application Insights data embedded in them. Last updated 06/27/2021- # Work Item Integration
azure-monitor Worker Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/worker-service.md
ms.devlang: csharp Last updated 05/11/2020- # Application Insights for Worker Service applications (non-HTTP applications)
azure-monitor Azure Monitor Operations Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/azure-monitor-operations-manager.md
You enable Application Insights for each of your business applications. It ident
As you gain familiarity with Azure Monitor, you start to create alert rules that are able to replace some management pack functionality and start to evolve your business processes to use the new monitoring platform. This allows you to start removing machines and management packs from the Operations Manager management group. You continue to use management packs for critical server software and on-premises infrastructure but continue to watch for new features in Azure Monitor that will allow you to retire additional functionality. ## Monitor Azure services
-Azure services actually require Azure Monitor to collect telemetry, and it's enabled the moment that you create an Azure subscription. The [Activity log](essentials/activity-log.md) is automatically collected for the subscription, and [platform metrics](essentials/data-platform-metrics.md) are automatically collected from any Azure resources you create. You can immediately start using [metrics explorer](essentials/metrics-getting-started.md), which is similar to performance views in the Operations console, but it provides interactive analysis and [advanced aggregations](essentials/metrics-charts.md) of data. [Create a metric alert](alerts/alerts-metric.md) to be notified when a value crosses a threshold or [add a chart to an Azure dashboard](essentials/metrics-charts.md#pinning-to-dashboards) for visibility.
+Azure services actually require Azure Monitor to collect telemetry, and it's enabled the moment that you create an Azure subscription. The [Activity log](essentials/activity-log.md) is automatically collected for the subscription, and [platform metrics](essentials/data-platform-metrics.md) are automatically collected from any Azure resources you create. You can immediately start using [metrics explorer](essentials/metrics-getting-started.md), which is similar to performance views in the Operations console, but it provides interactive analysis and [advanced aggregations](essentials/metrics-charts.md) of data. [Create a metric alert](alerts/alerts-metric.md) to be notified when a value crosses a threshold or [save a chart to a dashboard or workbook](essentials/metrics-charts.md#saving-to-dashboards-or-workbooks) for visibility.
[![Metrics explorer](media/azure-monitor-operations-manager/metrics-explorer.png)](media/azure-monitor-operations-manager/metrics-explorer.png#lightbox)
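Review bot: The word "actually" in "Azure services actually require Azure Monitor to collect telemetry" reads as a hedge rather than a statement and should be dropped from the rewritten line; the sentence is stronger as "Azure services require Azure Monitor to collect telemetry, and it's enabled the moment you create an Azure subscription." The replaced link target (saving to dashboards or workbooks instead of pinning to dashboards) is consistent with the new link text, so no further change is needed there.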
azure-monitor Best Practices Data Collection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/best-practices-data-collection.md
Some monitoring of Azure resources is available automatically with no configurat
[![Deploy Azure resource monitoring](media/best-practices-data-collection/best-practices-azure-resources.png)](media/best-practices-data-collection/best-practices-azure-resources.png#lightbox) ### Collect tenant and subscription logs
-While the [Azure Active Directory logs](../active-directory/reports-monitoring/overview-reports.md) for your tenant and the [Activity log](essentials/platform-logs-overview.md) for your subscription are collected automatically, sending them to a Log Analytics workspace enables you to analyze these events with other log data using log queries in Log Analytics. This also allows you to create log query alerts which is the only way to alert on Azure Active Directory logs and provide more complex logic than Activity log alerts.
+While the [Azure Active Directory logs](../active-directory/reports-monitoring/overview-reports.md) for your tenant and the [Activity log](essentials/platform-logs-overview.md) for your subscription are collected automatically, sending them to a Log Analytics workspace enables you to analyze these events with other log data using log queries in Log Analytics. This also allows you to create log query alerts which are the only way to alert on Azure Active Directory logs and provide more complex logic than Activity log alerts.
There's no cost for sending the Activity log to a workspace, but there is a data ingestion and retention charge for Azure Active Directory logs.
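Review bot: The grammar fix ("which are") is right, but the rewritten sentence still reads ambiguously because "provide" can attach either to "are" or to "alert on"; suggest "This also allows you to create log query alerts, which are the only way to alert on Azure Active Directory logs and which provide more complex logic than Activity log alerts." so the second clause clearly describes the alerts rather than the logs.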
Azure Monitor monitors your custom applications using [Application Insights](app
### Create an application resource Application Insights is the feature of Azure Monitor for monitoring your cloud native and hybrid applications.
-You must create a resource in Application Insights for each application that you're going to monitor. Log data collected by Application Insights is stored in Azure Monitor Logs for a workspace-based application. Log data for classic applications is stored separate from your Log Analytics workspace as described in [Data structure](logs/data-platform-logs.md#data-structure).
+You must create a resource in Application Insights for each application that you're going to monitor. Log data collected by Application Insights is stored in Azure Monitor Logs for a workspace-based application. Log data for classic applications is stored separate from your Log Analytics workspace as described in [Data structure](logs/log-analytics-workspace-overview.md#data-structure).
When you create the application, you must select whether to use classic or workspace-based. See [Create an Application Insights resource](app/create-new-resource.md) to create a classic application. See [Workspace-based Application Insights resources (preview)](app/create-workspace-resource.md) to create a workspace-based application.
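Review bot: "stored separate from your Log Analytics workspace" in the rewritten line should be "stored separately from your Log Analytics workspace"; since the line is being touched for the link change anyway, fix the adverb in the same edit. The new anchor (log-analytics-workspace-overview.md#data-structure) should be checked to exist, since the old data-platform-logs.md anchor is being dropped rather than redirected.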
To enable monitoring for an application, you must decide whether you will use co
- [Other platforms](app/platforms.md) ### Configure availability testing
-Availability tests in Application Insights are recurring tests that monitor the availability and responsiveness of your application at regular intervals from points around the world. You can create a simple ping test for free or create a sequence of web requests to simulate user transactions which has associated cost.
+Availability tests in Application Insights are recurring tests that monitor the availability and responsiveness of your application at regular intervals from points around the world. You can create a simple ping test for free or create a sequence of web requests to simulate user transactions which have associated cost.
See [Monitor the availability of any website](app/monitor-web-app-availability.md) for summary of the different kinds of test and details on creating them.
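Review bot: "which have associated cost" still needs an article and a comma: "or create a sequence of web requests to simulate user transactions, which have an associated cost." The unchanged context line below has the same problem ("for summary of the different kinds of test" should read "for a summary of the different kinds of test"), and it would be worth folding into this edit while the paragraph is open.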
azure-monitor Data Collection Endpoint Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-endpoint-overview.md
+
+ Title: Data collection endpoints in Azure Monitor (preview)
+description: Overview of data collection endpoints (DCEs) in Azure Monitor including their contents and structure and how you can create and work with them.
+ Last updated : 02/21/2022++++
+# Data collection endpoints in Azure Monitor (preview)
+Data Collection Endpoints (DCEs) allow you to uniquely configure ingestion settings for Azure Monitor. This article provides an overview of data collection endpoints including their contents and structure and how you can create and work with them.
+
+## Workflows that use DCEs
+The following workflows currently use DCEs:
+
+- [Azure Monitor agent](../agents/data-collection-rule-azure-monitor-agent.md))
+- [Custom logs](../logs/custom-logs-overview.md)
+
+## Components of a data collection endpoint
+A data collection endpoint includes the following components.
+
+| Component | Description |
+|:|:|
+| Configuration access endpoint | The endpoint used to access the configuration service to fetch associated data collection rules (DCR). Example: `<unique-dce-identifier>.<regionname>.handler.control` |
+| Logs ingestion endpoint | The endpoint used to ingest logs to Log Analytics workspace(s). Example: `<unique-dce-identifier>.<regionname>.ingest` |
+| Network Access Control Lists (ACLs) | Network access control rules for the endpoints
++
+## Regionality
+Data collection endpoints are ARM resources created within specific regions. An endpoint in a given region can only be **associated with machines in the same region**, although you can have more than one endpoint within the same region as per your needs.
+
+## Limitations
+Data collection endpoints only support Log Analytics as a destination for collected data. [Custom Metrics (preview)](../essentials/metrics-custom-overview.md) collected and uploaded via the Azure Monitor Agent are not currently controlled by DCEs nor can they be configured over private links.
+
+## Create endpoint in Azure portal
+
+1. In the **Azure Monitor** menu in the Azure portal, select **Data Collection Endpoint** from the **Settings** section. Click **Create** to create a new Data Collection Rule and assignment.
+
+ [![Data Collection Endpoints](media/data-collection-endpoint-overview/data-collection-endpoint-overview.png)](media/data-collection-endpoint-overview/data-collection-endpoint-overview.png#lightbox)
+
+2. Click **Create** to create a new endpoint. Provide a **Rule name** and specify a **Subscription**, **Resource Group** and **Region**. This specifies where the DCE will be created.
+
+ [![Data Collection Rule Basics](media/data-collection-endpoint-overview/data-collection-endpoint-basics.png)](media/data-collection-endpoint-overview/data-collection-endpoint-basics.png#lightbox)
+
+3. Click **Review + create** to review the details of the data collection endpoint. Click **Create** to create it.
+
+## Create endpoint and association using REST API
+
+> [!NOTE]
+> The data collection endpoint should be created in the **same region** where your virtual machines exist.
+
+1. Create data collection endpoint(s) using these [DCE REST APIs](/cli/azure/monitor/data-collection/endpoint).
+2. Create association(s) to link the endpoint(s) to your target machines or resources, using these [DCRA REST APIs](/rest/api/monitor/datacollectionruleassociations/create#examples).
++
+## Sample data collection endpoint
+The sample data collection endpoint below is for virtual machines with Azure Monitor agent, with public network access disabled so that agent only uses private links to communicate and send data to Azure Monitor/Log Analytics.
+
+```json
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myCollectionEndpoint",
+ "name": "myCollectionEndpoint",
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "location": "eastus",
+ "tags": {
+ "tag1": "A",
+ "tag2": "B"
+ },
+ "properties": {
+ "configurationAccess": {
+ "endpoint": "https://mycollectionendpoint-abcd.eastus-1.control.monitor.azure.com"
+ },
+ "logsIngestion": {
+ "endpoint": "https://mycollectionendpoint-abcd.eastus-1.ingest.monitor.azure.com"
+ },
+ "networkAcls": {
+ "publicNetworkAccess": "Disabled"
+ }
+ },
+ "systemData": {
+ "createdBy": "user1",
+ "createdByType": "User",
+ "createdAt": "yyyy-mm-ddThh:mm:ss.sssssssZ",
+ "lastModifiedBy": "user2",
+ "lastModifiedByType": "User",
+ "lastModifiedAt": "yyyy-mm-ddThh:mm:ss.sssssssZ"
+ },
+ "etag": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+## Next steps
+- [Associate endpoint to machines](../agents/data-collection-rule-azure-monitor-agent.md#create-rule-and-association-in-azure-portal)
+- [Add endpoint to AMPLS resource](../logs/private-link-configure.md#connect-azure-monitor-resources)
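Review bot: The portal steps for creating an endpoint were copied from the data collection rule article and still describe a rule: step 1 says "Click **Create** to create a new Data Collection Rule and assignment" and step 2 asks for a "**Rule name**", while the page is about data collection endpoints; reword both to "endpoint", and drop the duplicated "Click **Create**" that appears in step 1 and again at the start of step 2. In "Create endpoint and association using REST API", the link labelled "DCE REST APIs" points at /cli/azure/monitor/data-collection/endpoint, which is the CLI reference, whereas the DCRA link on the next line is under /rest/api/; either relabel it as the CLI reference or point it at the REST reference. The Azure Monitor agent link under "Workflows that use DCEs" has a doubled closing parenthesis (`...azure-monitor-agent.md))`), which breaks the markdown link. The components table's separator row reads `|:|:|` and needs dashes (`|:--|:--|`) to render, and the last row ("Network Access Control Lists") is missing its closing `|`. The example endpoint formats in that table (`<unique-dce-identifier>.<regionname>.handler.control` and `.ingest`) do not match the hostnames in the sample JSON (`mycollectionendpoint-abcd.eastus-1.control.monitor.azure.com` and `...ingest.monitor.azure.com`); pick one form so readers know what to expect. Finally, the sample's description says the agent "only uses private links" when `publicNetworkAccess` is `Disabled`, but nothing in the endpoint resource itself creates a private link; state that the endpoint must also be added to an AMPLS (the "Add endpoint to AMPLS resource" link under Next steps) for the Disabled setting to leave a working ingestion path.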
azure-monitor Data Collection Rule Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-rule-overview.md
+
+ Title: Data Collection Rules in Azure Monitor
+description: Overview of data collection rules (DCRs) in Azure Monitor including their contents and structure and how you can create and work with them.
+ Last updated : 02/21/2022+++
+# Data collection rules in Azure Monitor
+[Data Collection Rules (DCRs)](../essentials/data-collection-rule-overview.md) provide an [ETL](/azure/architecture/data-guide/relational-data/etl)-like pipeline in Azure Monitor, allowing you to define the way that data coming into Azure Monitor should be handled. Depending on the type of workflow, DCRs may specify where data should be sent and may filter or transform data before it's stored in Azure Monitor Logs. Some data collection rules will be created and managed by Azure Monitor, while you may create others to customize data collection for your particular requirements. This article describes DCRs including their contents and structure and how you can create and work with them.
+
+## Types of data collection rules
+There are currently two types of data collection rule in Azure Monitor:
+
+- **Standard DCR**. Used with different workflows that send data to Azure Monitor. Workflows currently supported are [Azure Monitor agent](../agents/azure-monitor-agent-overview.md) and [custom logs](../logs/custom-logs-overview.md).
+
+- **Workspace transformation DCR**. Used with a Log Analytics workspace to apply transformations to workflows that don't currently support DCRs.
+
+## Structure of a data collection rule
+Data collection rules are formatted in JSON. While you may not need to interact with them directly, there are scenarios where you may need to directly edit a data collection rule. See [Data collection rule structure](data-collection-rule-structure.md) for a description of this structure and different elements.
+
+## Permissions
+When using programmatic methods to create data collection rules and associations, you require the following permissions:
+
+| Built-in Role | Scope(s) | Reason |
+|:|:|:|
+| [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing data collection rule</li></ul> | Create or edit data collection rules |
+| [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor)<br>[Azure Connected Machine Resource Administrator](../../role-based-access-control/built-in-roles.md#azure-connected-machine-resource-administrator)</li></ul> | <ul><li>Virtual machines, virtual machine scale sets</li><li>Arc-enabled servers</li></ul> | Deploy associations (i.e. to assign rules to the machine) |
+| Any role that includes the action *Microsoft.Resources/deployments/** | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing data collection rule</li></ul> | Deploy ARM templates |
+
+## Limits
+For limits that apply to each data collection rule, see [Azure Monitor service limits](../service-limits.md#data-collection-rules).
+
+## Creating a data collection rule
+The following articles describe different scenarios for creating data collection rules. In some cases, the data collection rule may be created for you, while in others you may need to create and edit it yourself.
+
+| Workflow | Resources |
+|:|:|
+| Azure Monitor agent | [Configure data collection for the Azure Monitor agent](../agents/data-collection-rule-azure-monitor-agent.md)<br>[Use Azure Policy to install Azure Monitor agent and associate with DCR](../agents/azure-monitor-agent-manage.md#using-azure-policy) |
+| Custom logs | [Configure custom logs using the Azure portal](../logs/tutorial-custom-logs.md)<br>[Configure custom logs using Resource Manager templates and REST API](../logs/tutorial-custom-logs-api.md) |
+| Workspace transformation | [Configure ingestion-time transformations using the Azure portal](../logs/tutorial-ingestion-time-transformations.md)<br>[Configure ingestion-time transformations using Resource Manager templates and REST API](../logs/tutorial-ingestion-time-transformations-api.md) |
++
+## Programmatically work with DCRs
+See the following resources for programmatically working with DCRs.
+
+- Directly edit the data collection rule in JSON and [submit using the REST API](/rest/api/monitor/datacollectionrules).
+- Create DCR and associations with [Azure CLI](https://github.com/Azure/azure-cli-extensions/blob/master/src/monitor-control-service/README.md).
+- Create DCR and associations with Azure PowerShell.
+ - [Get-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Get-AzDataCollectionRule.md)
+ - [New-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/New-AzDataCollectionRule.md)
+ - [Set-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Set-AzDataCollectionRule.md)
+ - [Update-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Update-AzDataCollectionRule.md)
+ - [Remove-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Remove-AzDataCollectionRule.md)
+ - [Get-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Get-AzDataCollectionRuleAssociation.md)
+ - [New-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/New-AzDataCollectionRuleAssociation.md)
+ - [Remove-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Remove-AzDataCollectionRuleAssociation.md)
+++
+## Data resiliency and high availability
+Data collection rules are stored regionally, and are available in all public regions where Log Analytics is supported. Government regions and clouds are not currently supported. A rule gets created and stored in the region you specify, and is backed up to the [paired-region](../../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) within the same geography. The service is deployed to all three [availability zones](../../availability-zones/az-overview.md#availability-zones) within the region, making it a **zone-redundant service** which further adds to high availability.
+
+### Single region data residency
+This is a preview feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. Single region residency is enabled by default in these regions.
++
+## Next steps
+
+- [Read about the detailed structure of a data collection rule.](data-collection-rule-structure.md)
+- [Get details on transformations in a data collection rule.](data-collection-rule-transformations.md)
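Review bot: The Virtual Machine Contributor row of the permissions table contains a stray `</li></ul>` in the role column with no matching `<ul><li>`, which will leak into the rendered page; remove it. In the same table, `*Microsoft.Resources/deployments/**` mixes the wildcard with italic markers (the trailing `*` is read as emphasis), so wrap the action string in backticks instead. Since the table already lists "An existing data collection rule" and the resource group as valid scopes for Monitoring Contributor, a sentence after the table recommending the narrowest scope that works (the DCR or its resource group rather than the whole subscription) would help readers avoid granting subscription-wide rights by default. The opening link `[Data Collection Rules (DCRs)](../essentials/data-collection-rule-overview.md)` points the article at itself and should be removed or redirected. Under "Single region data residency", "This is a preview feature to enable storing customer data in a single region is currently only available in..." is a run-on; suggest "This preview feature, which stores customer data in a single region, is currently available only in the Southeast Asia region (Singapore) of the Asia Pacific geo and the Brazil South (Sao Paulo State) region of the Brazil geo."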
azure-monitor Data Collection Rule Structure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-rule-structure.md
+
+ Title: Structure of a data collection rule in Azure Monitor (preview)
+description: Details on the structure of different kinds of data collection rule in Azure Monitor.
+++ Last updated : 02/22/2022+++++
+# Structure of a data collection rule in Azure Monitor (preview)
+[Data Collection Rules (DCRs)](data-collection-rule-overview.md) in Azure Monitor define the way that data coming into Azure Monitor should be handled. Some data collection rules will be created and managed by Azure Monitor, while you may create others to customize data collection for your particular requirements. This article describes the structure of DCRs for creating and editing data collection rules in those cases where you need to work with them directly.
++
+## Custom logs
+A DCR for [custom logs](../logs/custom-logs-overview.md) contains the following sections:
+### streamDeclarations
+This section contains the declaration of all the different types of data that will be sent via the HTTP endpoint directly into Log Analytics. Each stream is an object whose key represents the stream name (Must begin with *Custom-*) and whose value is the full list of top-level properties that the JSON data that will be sent will contain. Note that the shape of the data you send to the endpoint doesn't need to match that of the destination table. Rather, the output of the transform that is applied on top of the input data needs to match the destination shape. The possible data types that can be assigned to the properties are `string`, `int`, `long`, `real`, `boolean`, `dynamic`, and `datetime`.
+
+### destinations
+This section contains a declaration of all the destinations where the data will be sent. Only Log Analytics is currently supported as a destination. Each Log Analytics destination will require the full Workspace Resource ID, as well as a friendly name that will be used elsewhere in the DCR to refer to this workspace.
+
+### dataFlows
+This section ties the other sections together. Defines the following for each stream declared in the `streamDeclarations` section:
+
+- `destination` from the `destinations` section where the data will be sent.
+- `transformKql` which is the [transformation](data-collection-rule-transformations.md) applied to the data that was sent in the input shape described in the `streamDeclarations` section to the shape of the target table.
+- `outputStream` section, which describes which table in the workspace specified under the `destination` property the data will be ingested into. The value of the outputStream will have the `Microsoft-[tableName]` shape when data is being ingested into a standard Log Analytics table, or `Custom-[tableName]` when ingesting data into a custom-created table. Only one destination is allowed per stream.
+
+## Azure Monitor agent
+ A DCR for [Azure Monitor agent](../agents/data-collection-rule-azure-monitor-agent.md) contains the following sections:
+
+### Data sources
+Unique source of monitoring data with its own format and method of exposing its data. Examples of a data source include Windows event log, performance counters, and syslog. Each data source matches a particular data source type as described below.
+
+Each data source has a data source type. Each type defines a unique set of properties that must be specified for each data source. The data source types currently available are shown in the following table.
+
+| Data source type | Description |
+|:|:|
+| extension | VM extension-based data source |
+| performanceCounters | Performance counters for both Windows and Linux |
+| syslog | Syslog events on Linux |
+| windowsEventLogs | Windows event log |
++
+### Streams
+Unique handle that describes a set of data sources that will be transformed and schematized as one type. Each data source requires one or more streams, and one stream may be used by multiple data sources. All data sources in a stream share a common schema. Use multiple streams for example, when you want to send a particular data source to multiple tables in the same Log Analytics workspace.
+
+### Destinations
+Set of destinations where the data should be sent. Examples include Log Analytics workspace and Azure Monitor Metrics. Multiple destinations are allowed for multi-homing scenario.
+
+### Data flows
+Definition of which streams should be sent to which destinations.
+
+### Endpoint
+HTTPS endpoint for DCR used for custom logs API. The DCR is applied to any data sent to that endpoint.
+++++
+## Next steps
+
+- [Overview of data collection rules including methods for creating them.](data-collection-rule-overview.md)
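Review bot: The "Endpoint" subsection, described as the "HTTPS endpoint for DCR used for custom logs API", sits under the "Azure Monitor agent" heading although it belongs to the custom logs workflow described earlier in the article; move it under "Custom logs" or say explicitly which DCR type it applies to. Related: the custom logs section states "Only one destination is allowed per stream" while the agent section says "Multiple destinations are allowed for multi-homing scenario"; these read as contradictory unless the reader notices the different headings, so name the DCR type in each sentence. Smaller fixes: "This section ties the other sections together. Defines the following..." is a fragment (use "It defines the following for each stream..."), "(Must begin with *Custom-*)" should not be capitalized mid-sentence, and the line " A DCR for [Azure Monitor agent]..." starts with a stray space that will render as a literal leading space.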
azure-monitor Data Collection Rule Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-rule-transformations.md
+
+ Title: Data collection rule transformations
+description: Use transformations in a data collection rule in Azure Monitor to filter and modify incoming data.
+ Last updated : 02/21/2022+++
+# Data collection rule transformations in Azure Monitor (preview)
+Transformations in a [data collection rule (DCR)](data-collection-rule-overview.md) allow you to filter or modify incoming data before it's stored in a Log Analytics workspace. This article describes how to build transformations in a DCR, including details and limitations of the Kusto Query Language (KQL) used for the transform statement.
+
+## Basic concepts
+Data transformations are defined using a Kusto Query Language (KQL) statement that is applied individually to each entry in the data source. It must understand the format of the incoming data and create output in the structure of the target table.
+
+## Transformation structure
+The input stream is represented by a virtual table named `source` with columns matching the input data stream definition. Following is a typical example of a transformation. This example includes the following functionality:
+
+- Filters the incoming data with a [where](/azure/data-explorer/kusto/query/whereoperator) statement
+- Adds a new column using the [extend](/azure/data-explorer/kusto/query/extendoperator) operator
+- Formats the output to match the columns of the target table using the [project](/azure/data-explorer/kusto/query/projectoperator) operator
+
+```kusto
+source
+| where severity == "Critical"
+| extend Properties = parse_json(properties)
+| project
+ TimeGenerated = todatetime(["time"]),
+ Category = category,
+ StatusDescription = StatusDescription,
+ EventName = name,
+ EventId = tostring(Properties.EventId)
+```
++
+## KQL limitations
+Since the transformation is applied to each record individually, it can't use any KQL operators that act on multiple records. Only operators that take a single row as input and return no more than one row are supported. For example, [summarize](/azure/data-explorer/kusto/query/summarizeoperator) isn't supported since it summarizes multiple records. See [Supported KQL features](#supported-kql-features) for a complete list of supported features.
+
+### Inline reference table
+The [datatable](/azure/data-explorer/kusto/query/datatableoperator?pivots=azuremonitor) operator isn't supported in the subset of KQL available to use in transformations. This would normally be used in KQL to define an inline query-time table. Use dynamic literals instead to work around this limitation.
+
+For example, the following isn't supported in a transformation:
+
+```kusto
+let galaxy = datatable (country:string,entity:string)['ES','Spain','US','United States'];
+source
+| join kind=inner (galaxy) on $left.Location == $right.country
+| extend Galaxy_CF = ['entity']
+```
+You can instead use the following statement which is supported and performs the same functionality:
+
+```kusto
+let galaxyDictionary = parsejson('{"ES": "Spain","US": "United States"}');
+source
+| extend Galaxy_CF = galaxyDictionary[Location]
+```
+
+### has operator
+Transformations don't currently support [has](/azure/data-explorer/kusto/query/has-operator). Use [contains](/azure/data-explorer/kusto/query/contains-operator) which is supported and performs similar functionality.
++
+### Handling dynamic data
+Since the properties of type [dynamic](/azure/data-explorer/kusto/query/scalar-data-types/dynamic) aren't supported in the input stream schema, you need alternate methods for strings containing JSON.
+
+Consider the following input:
+
+```json
+{
+ "TimeGenerated" : "2021-11-07T09:13:06.570354Z&quo
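Review bot: The workaround example under "Inline reference table" uses `parsejson(...)`, while the transformation example earlier in the same article uses `parse_json(...)`; use `parse_json` in both places so readers copying the workaround don't pick up the older spelling. "Handling dynamic data" opens with "the properties of type dynamic aren't supported in the input stream schema", but the companion structure article in this same update lists `dynamic` among the data types that can be assigned to stream declaration properties; one of the two statements needs to change, or this one should say which workflow the limitation applies to. The "has operator" section says `contains` "performs similar functionality"; a short sentence noting that the two differ (has matches whole terms, contains matches substrings) would prevent readers from assuming the results are identical.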