Updates from: 02/08/2021 04:05:56
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-api-connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/add-api-connector.md
@@ -32,7 +32,7 @@ To use an [API connector](api-connectors-overview.md), you first create the API
6. Provide the **Endpoint URL** for the API call. 7. Provide the authentication information for the API.
- - Only Basic Authentication is currently supported. If you wish to use an API without Basic Authentication for development purposes, simply enter a 'dummy' **Username** and **Password** that your API can ignore. For use with an Azure Function with an API key, you can include the code as a query parameter in the **Endpoint URL** (for example, https[]()://contoso.azurewebsites.net/api/endpoint<b>?code=0123456789</b>).
+ - Only Basic Authentication is currently supported. If you wish to use an API without Basic Authentication for development purposes, simply enter a 'dummy' **Username** and **Password** that your API can ignore. For use with an Azure Function with an API key, you can include the code as a query parameter in the **Endpoint URL** (for example, `https://contoso.azurewebsites.net/api/endpoint?code=0123456789`).
![Configure a new API connector](./media/add-api-connector/api-connector-config.png) 8. Select **Save**.
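Review bot: the `+` line still presents the Azure Function key in `?code=0123456789` as just another query parameter; a clause saying that this value is the function's access key and should be stored and rotated like any other credential (rather than copied into shared notes or tickets) would fit next to the existing caveat that the 'dummy' Basic Authentication credentials are only for development endpoints. Replacing the `https[]()` / `<b>` workaround with inline code is the right fix for the rendering problem.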
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/technicalprofiles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/technicalprofiles.md
@@ -444,14 +444,14 @@ The **IncludeTechnicalProfile** element contains the following attribute:
The following example illustrates the use of the inclusion: - *REST-API-Common* - a common technical profile with the basic configuration.-- *REST-ValidateProfile* - includes the *REST-API-Commom* technical profile, and specifies the input and output claims.-- *REST-UpdateProfile* - includes the *REST-API-Commom* technical profile, specifies the input claims, and overwrites the `ServiceUrl` metadata.
+- *REST-ValidateProfile* - includes the *REST-API-Common* technical profile, and specifies the input and output claims.
+- *REST-UpdateProfile* - includes the *REST-API-Common* technical profile, specifies the input claims, and overwrites the `ServiceUrl` metadata.
```xml <ClaimsProvider> <DisplayName>REST APIs</DisplayName> <TechnicalProfiles>
- <TechnicalProfile Id="REST-API-Commom">
+ <TechnicalProfile Id="REST-API-Common">
<DisplayName>Base REST API configuration</DisplayName> <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> <Metadata>
@@ -476,7 +476,7 @@ The following example illustrates the use of the inclusion:
<OutputClaims> <OutputClaim ClaimTypeReferenceId="promoCode" /> </OutputClaims>
- <IncludeTechnicalProfile ReferenceId="REST-API-Commom" />
+ <IncludeTechnicalProfile ReferenceId="REST-API-Common" />
</TechnicalProfile> <TechnicalProfile Id="REST-UpdateProfile">
@@ -488,7 +488,7 @@ The following example illustrates the use of the inclusion:
<InputClaim ClaimTypeReferenceId="objectId" /> <InputClaim ClaimTypeReferenceId="email" /> </InputClaims>
- <IncludeTechnicalProfile ReferenceId="REST-API-Commom" />
+ <IncludeTechnicalProfile ReferenceId="REST-API-Common" />
</TechnicalProfile> </TechnicalProfiles> </ClaimsProvider>
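Review bot: the rename from `REST-API-Commom` to `REST-API-Common` covers the `TechnicalProfile Id` in the first hunk and both `IncludeTechnicalProfile ReferenceId` values here and in the preceding hunk, so the sample has no dangling reference; because a `ReferenceId` that matches no `Id` fails policy validation on upload, it is worth grepping the rest of the article and the linked sample policy files for the old spelling before merging.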
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-troubleshoot.md
@@ -160,7 +160,7 @@ Cloud sync monitors the health of your configuration and places unhealthy object
By selecting the status, you can see additional information about the quarantine. You can also obtain the error code and message.
-![Quarantine status information](media/how-to-troubleshoot/quarantine-2.png)
+![Screenshot that shows additional information about the quarantine.](media/how-to-troubleshoot/quarantine-2.png)
Right clicking on the status will bring up additional options:
@@ -168,7 +168,7 @@ Right clicking on the status will bring up additional options:
- view agent - clear quarantine
-![Quarantine status information](media/how-to-troubleshoot/quarantine-4.png)
+![Screenshot that shows the right-click menu options.](media/how-to-troubleshoot/quarantine-4.png)
### Resolve a quarantine
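Review bot: 'Screenshot that shows the right-click menu options.' is better than the old generic alt text, but it could name the options the preceding list gives (view agent, clear quarantine) so that screen-reader users get the same information as the image.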
@@ -182,7 +182,7 @@ To clear the watermark and run a delta sync on the provisioning job once you hav
You should see an notice that the quarantine is clearing.
-![Quarantine status information](media/how-to-troubleshoot/quarantine-5.png)
+![Screenshot that shows the notice that the quarantine is clearing.](media/how-to-troubleshoot/quarantine-5.png)
Then you should see the status on your agent as healthy.
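Review bot: the context line 'You should see an notice that the quarantine is clearing.' has an article error ('a notice') that this alt-text pass could fix in the same commit.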
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-add-api-connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/self-service-sign-up-add-api-connector.md
@@ -34,7 +34,7 @@ To use an [API connector](api-connectors-overview.md), you first create the API
6. Provide the **Endpoint URL** for the API call. 7. Provide the authentication information for the API.
- - Only Basic Authentication is currently supported. If you wish to use an API without Basic Authentication for development purposes, simply enter a dummy **Username** and **Password** that your API can ignore. For use with an Azure Function with an API key, you can include the code as a query parameter in the **Endpoint URL** (for example, https[]()://contoso.azurewebsites.net/api/endpoint<b>?code=0123456789</b>).
+ - Only Basic Authentication is currently supported. If you wish to use an API without Basic Authentication for development purposes, simply enter a dummy **Username** and **Password** that your API can ignore. For use with an Azure Function with an API key, you can include the code as a query parameter in the **Endpoint URL** (for example, `https://contoso.azurewebsites.net/api/endpoint?code=0123456789`).
![Configure a new API connector](./media/self-service-sign-up-add-api-connector/api-connector-config.png) 8. Select **Save**.
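Review bot: as in the B2C version of this article, the `+` line treats the function key in `?code=0123456789` as a convenience without calling it a secret; one clause noting that the key grants access to the function and belongs in a secret store, not in a committed configuration file or shared document, would help readers who copy the pattern into production.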
active-directory https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-authenticator-app-import-passwords https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/user-help-authenticator-app-import-passwords.md
@@ -35,21 +35,21 @@ Google Chrome users on Android and Apple phones can import their passwords direc
1. Tap the ![Google Chrome ellipsis menu](./media/user-help-authenticator-app-import-passwords/ellipsis-chrome.png) at the top right for Android phones or at bottom right for iOS devices, and then tap **Settings.**
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Google Chrome Settings menu location](./media/user-help-authenticator-app-import-passwords/android-settings-menu.png) iOS | ![Google Chrome Settings menu icon](./media/user-help-authenticator-app-import-passwords/apple-settings-menu.png) 1. In **Settings**, open **Passwords**.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Andoid Chrome Passwords command location](./media/user-help-authenticator-app-import-passwords/android-passwords-location.png) iOS | ![Apple Chrome Passwords command location](./media/user-help-authenticator-app-import-passwords/apple-passwords-location.png) 1. On Android devices, tap the ![Google Chrome ellipsis menu](./media/user-help-authenticator-app-import-passwords/ellipsis-chrome.png) at the top right for Android phones, or at bottom right for iOS devices, and then tap **Export passwords**.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Android Chrome Export passwords location](./media/user-help-authenticator-app-import-passwords/android-export-passwords-location.png) iOS | ![Apple Chrome Export passwords location](./media/user-help-authenticator-app-import-passwords/apple-export-passwords-location.png)
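Review bot: `Platform | Link` is a misleading header for these tables because the second column holds screenshots, not links; `Platform | Screenshot` (or `Where to find it`) matches the content. Two context issues in the same hunk are worth fixing while here: the alt text 'Andoid Chrome Passwords command location' is misspelled, and the step beginning 'On Android devices, tap the ... at the top right for Android phones, or at bottom right for iOS devices' contradicts itself (either drop 'On Android devices' or split the step by platform).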
@@ -58,7 +58,7 @@ Google Chrome users on Android and Apple phones can import their passwords direc
1. After the passwords are exported, Chrome prompts you to choose which app you're importing into. Select **Authenticator** to start importing passwords.YouΓÇÖll be informed about import status when itΓÇÖs complete.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Android Chrome import passwords location](./media/user-help-authenticator-app-import-passwords/android-chrome-import.png) iOS | ![Apple Chrome import passwords location](./media/user-help-authenticator-app-import-passwords/apple-chrome-import.png)
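Review bot: the context line reads 'importing passwords.YouΓÇÖll ... itΓÇÖs', with a missing space after the period and a curly apostrophe showing up as mojibake; if the source file really contains those bytes, replace them with a plain ASCII apostrophe and add the space, otherwise the file encoding needs checking.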
@@ -101,7 +101,7 @@ Firefox allows exporting of passwords from the desktop browser only, so ensure t
1. Transfer the exported CSV file on your Android or iOS phone using a preferred and safe way, and then download it. Next, share the CSV file with Authenticator app to start the import.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Android Chrome import passwords location](./media/user-help-authenticator-app-import-passwords/android-chrome-import.png) iOS | ![Apple Chrome import passwords location](./media/user-help-authenticator-app-import-passwords/apple-chrome-import.png)
@@ -130,7 +130,7 @@ LastPass supports export passwords from a desktop browser only, so ensure you ha
1. Transfer the exported CSV file on your smartphone using a preferred and safe way, and then download it. Then share the CSV file with Authenticator app to start the import.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Android LastPass import passwords location](./media/user-help-authenticator-app-import-passwords/android-chrome-import.png) iOS | ![Apple LastPass import passwords location](./media/user-help-authenticator-app-import-passwords/apple-chrome-import.png)
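Review bot: the row alt text says 'Android LastPass import passwords location', but the image path is `android-chrome-import.png`, the same file the Chrome section uses (likewise for the iOS row); either the screenshot is generic to the Authenticator import step, in which case the alt text should not mention LastPass, or a LastPass-specific screenshot is missing. The Bitwarden, Roboform and CSV hunks below reuse the same two files with the same mismatch.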
@@ -149,7 +149,7 @@ Bitwarden supports export passwords from a desktop browser only, so ensure you h
1. Transfer the exported CSV file on your smartphone using a preferred and safe way, and then download it. Then share the CSV file with Authenticator app to start the import.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Android Bitwarden import passwords location](./media/user-help-authenticator-app-import-passwords/android-chrome-import.png) iOS | ![Apple Bitwarden import passwords location](./media/user-help-authenticator-app-import-passwords/apple-chrome-import.png)
@@ -182,7 +182,7 @@ Roboform allows exporting of passwords from its desktop app only, so ensure you
1. Transfer the exported CSV file on your smartphone using a preferred and safe way, and then download it. Then share the CSV file with Authenticator app to start the import.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Android Roboform import passwords location](./media/user-help-authenticator-app-import-passwords/android-chrome-import.png) iOS | ![Apple Roboform import passwords location](./media/user-help-authenticator-app-import-passwords/apple-chrome-import.png)
@@ -205,7 +205,7 @@ If steps to import passwords from your password manager aren't listed in this ar
1. Transfer the exported CSV file on your smartphone using a preferred and safe way, and then download it. Then share the CSV file with Authenticator app to start the import.
- &nbsp; | &nbsp;
+ Platform | Link
- | -- Android | ![Android CSV import passwords location](./media/user-help-authenticator-app-import-passwords/android-chrome-import.png) iOS | ![Apple CSV import passwords location](./media/user-help-authenticator-app-import-passwords/apple-chrome-import.png)
app-service https://docs.microsoft.com/en-us/azure/app-service/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-baseline.md
@@ -1114,7 +1114,7 @@ Additionally, clearly mark subscriptions (for example, production, non-productio
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. Use the Security Center data connector to stream the alerts Sentinel as per business needs.
+**Guidance**: Export your Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. Use the Security Center data connector to stream the alerts to Azure Sentinel as per business needs.
- [How to configure continuous export](../security-center/continuous-export.md)
application-gateway https://docs.microsoft.com/en-us/azure/application-gateway/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/security-baseline.md
@@ -1075,7 +1075,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
* [How to configure continuous export](../security-center/continuous-export.md)
automanage https://docs.microsoft.com/en-us/azure/automanage/move-automanaged-vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/move-automanaged-vms.md
@@ -0,0 +1,32 @@
+
+ Title: Move an Azure Automanage virtual machine across regions
+description: Learn how to move an Automanaged virtual machine across regions
+++++ Last updated : 02/05/2021++
+# Customer intent: As a sysadmin, I want move my Automanaged VM to a different region.
++
+# Move an Azure Automanage virtual machine to a different region
+This article describes how to keep Automanage enabled on a virtual machine (VM) when you move it to a different region. You might want to move your virtual machines to another region for a number of reasons. For example, to take advantage of a new Azure region, to meet internal policy and governance requirements, or in response to capacity planning requirements. Those VMs that you move may be currently Automanaged, and you may want them to remain Automanaged after your move.
+
+## Prerequisites
+* Ensure that your target region is [supported by Automanage](./automanage-virtual-machines.md#prerequisites).
+* Ensure that your Log Analytics workspace region, Automation account region, and your target region are all regions supported by the region mappings [here](https://docs.microsoft.com/azure/automation/how-to/region-mappings).
+
+## Prepare your Automanaged VMs for moving
+Disable Automanage on your Automanaged VMs. You can do this by selecting your VMs in the Automanage blade and clicking **Disable automanagement** in the Automanage blade.
+
+## Move your Automanaged VMs and re-enable Automanage
+For details on how to move your VMs, see this [article](https://docs.microsoft.com/azure/resource-mover/tutorial-move-region-virtual-machines).
+
+Once you have moved your VMs across regions, you may re-enable Automanage on them again. Details are available [here](./automanage-virtual-machines.md#enabling-automanage-for-vms-in-azure-portal).
+
+## Next steps
+* [Learn more about Azure Automanage](./automanage-virtual-machines.md)
+* [View frequently asked questions about Azure Automanage](./faq.md)
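Review bot: the new article tells readers to disable automanagement before the move and re-enable it afterwards, but does not say what happens in between: whether the configuration Automanage applied (the Log Analytics workspace and Automation account the prerequisites mention) is kept or removed when automanagement is disabled, and that the VM is without Automanage coverage until it is re-enabled in the target region. One sentence on that lets admins plan for the gap. Smaller points: the customer-intent line is missing 'to' ('I want to move'), 're-enable Automanage on them again' is redundant, and the two absolute docs.microsoft.com links could use site-relative paths like the other links in the file.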
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/quickstart-feature-flag-aspnet-core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/quickstart-feature-flag-aspnet-core.md
@@ -205,7 +205,7 @@ dotnet new mvc --no-https --output TestFeatureFlags
1. Open *_Layout.cshtml* in the *Views*\\*Shared* directory. Locate the `<nav>` bar code under `<body>` > `<header>`. Insert a new `<feature>` tag in between the *Home* and *Privacy* navbar items, as shown in the highlighted lines below.
- :::code language="html" source="../../includes/azure-app-configuration-navbar.md" range="15-38" highlight="13-17":::
+ :::code language="html" source="../../includes/azure-app-configuration-navbar.md" range="15-38" highlight="14-18":::
1. Create a *Views/Beta* directory and an *Index.cshtml* file containing the following markup:
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/use-feature-flags-dotnet-core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/use-feature-flags-dotnet-core.md
@@ -20,11 +20,13 @@
# Tutorial: Use feature flags in an ASP.NET Core app
-The .NET Core Feature Management libraries provide idiomatic support for implementing feature flags in a .NET or ASP.NET Core application. These libraries allow you to declaratively add feature flags to your code so that you don't have to write all the `if` statements for them manually.
+The .NET Core Feature Management libraries provide idiomatic support for implementing feature flags in a .NET or ASP.NET Core application. These libraries allow you to declaratively add feature flags to your code so that you don't have to manually write code to enable or disable features with `if` statements.
The Feature Management libraries also manage feature flag lifecycles behind the scenes. For example, the libraries refresh and cache flag states, or guarantee a flag state to be immutable during a request call. In addition, the ASP.NET Core library offers out-of-the-box integrations, including MVC controller actions, views, routes, and middleware.
-The [Add feature flags to an ASP.NET Core app Quickstart](./quickstart-feature-flag-aspnet-core.md) shows several ways to add feature flags in an ASP.NET Core application. This tutorial explains these methods in more detail. For a complete reference, see the [ASP.NET Core feature management documentation](/dotnet/api/microsoft.featuremanagement).
+The [Add feature flags to an ASP.NET Core app Quickstart](./quickstart-feature-flag-aspnet-core.md) shows a simple example of how to use feature flags in an ASP.NET Core application. This tutorial shows additional setup options and capabilities of the Feature Management libraries. You can use the sample app created in the quickstart to try out the sample code shown in this tutorial.
+
+For the ASP.NET Core feature management API reference documentation, see [Microsoft.FeatureManagement Namespace](/dotnet/api/microsoft.featuremanagement).
In this tutorial, you will learn how to:
@@ -34,8 +36,12 @@ In this tutorial, you will learn how to:
## Set up feature management
-Add a reference to the `Microsoft.FeatureManagement.AspNetCore` and `Microsoft.FeatureManagement` NuGet packages to utilize the .NET Core feature manager.
-The .NET Core feature manager `IFeatureManager` gets feature flags from the framework's native configuration system. As a result, you can define your application's feature flags by using any configuration source that .NET Core supports, including the local *appsettings.json* file or environment variables. `IFeatureManager` relies on .NET Core dependency injection. You can register the feature management services by using standard conventions:
+To access the .NET Core feature manager, your app must have references to the `Microsoft.FeatureManagement.AspNetCore` NuGet package.
+
+The .NET Core feature manager is configured from the framework's native configuration system. As a result, you can define your application's feature flag settings by using any configuration source that .NET Core supports, including the local *appsettings.json* file or environment variables.
+
+By default, the feature manager retrieves feature flag configuration from the `"FeatureManagement"` section of the .NET Core configuration data. To use the default configuration location, call the [AddFeatureManagement](/dotnet/api/microsoft.featuremanagement.servicecollectionextensions.addfeaturemanagement) method of the **IServiceCollection** passed into the **ConfigureServices** method of the **Startup** class.
+ ```csharp using Microsoft.FeatureManagement;
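Review bot: 'your app must have references to the `Microsoft.FeatureManagement.AspNetCore` NuGet package' mixes plural and singular ('a reference to the ... package'); and since the removed text also named `Microsoft.FeatureManagement`, a clause that the AspNetCore package brings it in as a dependency would stop readers from wondering whether they still need to add it separately.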
@@ -44,12 +50,13 @@ public class Startup
{ public void ConfigureServices(IServiceCollection services) {
+ ...
services.AddFeatureManagement(); } } ```
-By default, the feature manager retrieves feature flags from the `"FeatureManagement"` section of the .NET Core configuration data. The following example tells the feature manager to read from a different section called `"MyFeatureFlags"` instead:
+You can specify that feature management configuration should be retrieved from a different configuration section by calling [Configuration.GetSection](/dotnet/api/microsoft.web.administration.configuration.getsection) and passing in the name of the desired section. The following example tells the feature manager to read from a different section called `"MyFeatureFlags"` instead:
```csharp using Microsoft.FeatureManagement;
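Review bot: the link target for `Configuration.GetSection` in the `+` line is `microsoft.web.administration.configuration.getsection`, which is the IIS management API, not the `Microsoft.Extensions.Configuration` `IConfiguration.GetSection` that `Startup.Configuration` exposes; fix the link so readers do not land on the wrong type. The code change itself (passing the section directly to `AddFeatureManagement` instead of the removed `options.UseConfiguration` callback) reads correctly.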
@@ -58,15 +65,18 @@ public class Startup
{ public void ConfigureServices(IServiceCollection services) {
- services.AddFeatureManagement(options =>
- {
- options.UseConfiguration(Configuration.GetSection("MyFeatureFlags"));
- });
+ ...
+ services.AddFeatureManagement(Configuration.GetSection("MyFeatureFlags"));
} } ```
-If you use filters in your feature flags, you need to include an additional library and register it. The following example shows how to use a built-in feature filter called `PercentageFilter`:
+
+If you use filters in your feature flags, you must include the [Microsoft.FeatureManagement.FeatureFilters](/dotnet/api/microsoft.featuremanagement.featurefilters) namespace and add a call to [AddFeatureFilters](/dotnet/api/microsoft.featuremanagement.ifeaturemanagementbuilder.addfeaturefilter) specifying the type name of the filter you want to use as the generic type of the method. For more information on using feature filters to dynamically enable and disable functionality, see [Enable staged rollout of features for targeted audiences](/azure/azure-app-configuration/howto-targetingfilter-aspnet-core).
+
+The following example shows how to use a built-in feature filter called `PercentageFilter`:
++ ```csharp using Microsoft.FeatureManagement;
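Review bot: the `+` text tells readers to 'add a call to AddFeatureFilters', but the method is `AddFeatureFilter<T>` (singular), as both the link slug `addfeaturefilter` and the `.AddFeatureFilter<PercentageFilter>()` sample in the next hunk show; match the name so the prose and code agree.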
@@ -76,42 +86,79 @@ public class Startup
{ public void ConfigureServices(IServiceCollection services) {
+ ...
services.AddFeatureManagement() .AddFeatureFilter<PercentageFilter>(); } } ```
-We recommend that you keep feature flags outside the application and manage them separately. Doing so allows you to modify flag states at any time and have those changes take effect in the application right away. App Configuration provides a centralized place for organizing and controlling all your feature flags through a dedicated portal UI. App Configuration also delivers the flags to your application directly through its .NET Core client libraries.
+Rather than hard coding your feature flags into your application, we recommend that you keep feature flags outside the application and manage them separately. Doing so allows you to modify flag states at any time and have those changes take effect in the application right away. The Azure App Configuration service provides a dedicated portal UI for managing all of your feature flags. The Azure App Configuration service also delivers the feature flags to your application directly through its .NET Core client libraries.
-The easiest way to connect your ASP.NET Core application to App Configuration is through the configuration provider `Microsoft.Azure.AppConfiguration.AspNetCore`. Follow these steps to use this NuGet package.
+The easiest way to connect your ASP.NET Core application to App Configuration is through the configuration provider included in the `Microsoft.Azure.AppConfiguration.AspNetCore` NuGet package. After including a reference to the package, follow these steps to use this NuGet package.
1. Open *Program.cs* file and add the following code.-
- ```csharp
- using Microsoft.Extensions.Configuration.AzureAppConfiguration;
-
- public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
- WebHost.CreateDefaultBuilder(args)
- .ConfigureAppConfiguration((hostingContext, config) => {
- var settings = config.Build();
- config.AddAzureAppConfiguration(options => {
- options.Connect(settings["ConnectionStrings:AppConfig"])
- .UseFeatureFlags();
- });
- })
- .UseStartup<Startup>();
- ```
+ > [!IMPORTANT]
+ > `CreateHostBuilder` replaces `CreateWebHostBuilder` in .NET Core 3.x. Select the correct syntax based on your environment.
+
+ ### [.NET 5.x](#tab/core5x)
+
+ ```csharp
+ using Microsoft.Extensions.Configuration.AzureAppConfiguration;
+
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ webBuilder.ConfigureAppConfiguration(config =>
+ {
+ var settings = config.Build();
+ config.AddAzureAppConfiguration(options =>
+ options.Connect(settings["ConnectionStrings:AppConfig"]).UseFeatureFlags());
+ }).UseStartup<Startup>());
+ ```
+
+ ### [.NET Core 3.x](#tab/core3x)
+
+ ```csharp
+ using Microsoft.Extensions.Configuration.AzureAppConfiguration;
+
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ webBuilder.ConfigureAppConfiguration(config =>
+ {
+ var settings = config.Build();
+ config.AddAzureAppConfiguration(options =>
+ options.Connect(settings["ConnectionStrings:AppConfig"]).UseFeatureFlags());
+ }).UseStartup<Startup>());
+ ```
+
+ ### [.NET Core 2.x](#tab/core2x)
+
+ ```csharp
+ using Microsoft.Extensions.Configuration.AzureAppConfiguration;
+
+ public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
+ WebHost.CreateDefaultBuilder(args)
+ .ConfigureAppConfiguration(config =>
+ {
+ var settings = config.Build();
+ config.AddAzureAppConfiguration(options =>
+ options.Connect(settings["ConnectionStrings:AppConfig"]).UseFeatureFlags());
+ }).UseStartup<Startup>();
+ ```
+
2. Open *Startup.cs* and update the `Configure` and `ConfigureServices` method to add the built-in middleware called `UseAzureAppConfiguration`. This middleware allows the feature flag values to be refreshed at a recurring interval while the ASP.NET Core web app continues to receive requests.
- ```csharp
- public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
- {
- app.UseAzureAppConfiguration();
- app.UseMvc();
- }
- ```
++
+ ```csharp
+ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+ {
+ app.UseAzureAppConfiguration();
+ }
+ ```
```csharp public void ConfigureServices(IServiceCollection services)
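Review bot: the `.NET 5.x` and `.NET Core 3.x` tabs contain identical `CreateHostBuilder` code, so either merge them into one tab (the IMPORTANT note already explains that `CreateHostBuilder` replaced `CreateWebHostBuilder` in 3.x) or state what differs. In the `Configure` snippet `app.UseMvc();` was dropped; because the sentence above says to 'update' `Configure`, readers may take the snippet for the whole method, so a comment such as `// remaining middleware unchanged` or a sentence saying the rest of the pipeline stays as it is would avoid that. Finally, `settings["ConnectionStrings:AppConfig"]` is the App Configuration connection string, which contains the store's access key; the step should point readers at user secrets or environment variables rather than a committed appsettings file.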
@@ -120,20 +167,22 @@ The easiest way to connect your ASP.NET Core application to App Configuration is
} ```
-Feature flag values are expected to change over time. By default, the feature flag values are cached for a period of 30 seconds, so a refresh operation triggered when the middleware receives a request would not update the value until the cached value expires. The following code shows how to change the cache expiration time or polling interval to 5 minutes in the `options.UseFeatureFlags()` call.
+In a typical scenario, you will update your feature flag values periodically as you deploy and enable and different features of your application. By default, the feature flag values are cached for a period of 30 seconds, so a refresh operation triggered when the middleware receives a request would not update the value until the cached value expires. The following code shows how to change the cache expiration time or polling interval to 5 minutes by setting the [CacheExpirationInterval](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration.featuremanagement.featureflagoptions.cacheexpirationinterval) in the call to **UseFeatureFlags**.
+
+
```csharp
-config.AddAzureAppConfiguration(options => {
- options.Connect(settings["ConnectionStrings:AppConfig"])
- .UseFeatureFlags(featureFlagOptions => {
- featureFlagOptions.CacheExpirationTime = TimeSpan.FromMinutes(5);
- });
+config.AddAzureAppConfiguration(options =>
+ options.Connect(settings["ConnectionStrings:AppConfig"]).UseFeatureFlags(featureFlagOptions => {
+ featureFlagOptions.CacheExpirationInterval = TimeSpan.FromMinutes(5);
+ }));
}); ``` + ## Feature flag declaration
-Each feature flag has two parts: a name and a list of one or more filters that are used to evaluate if a feature's state is *on* (that is, when its value is `True`). A filter defines a use case for when a feature should be turned on.
+Each feature flag declaration has two parts: a name, and a list of one or more filters that are used to evaluate if a feature's state is *on* (that is, when its value is `True`). A filter defines a criterion for when a feature should be turned on.
When a feature flag has multiple filters, the filter list is traversed in order until one of the filters determines the feature should be enabled. At that point, the feature flag is *on*, and any remaining filter results are skipped. If no filter indicates the feature should be enabled, the feature flag is *off*.
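Review bot: the replacement snippet leaves a syntax error: the new expression-bodied lambda closes with `}));`, but the unchanged context line `});` from the old block-bodied `options => { ... }` form is still there, so the block has one `});` too many and will not compile as shown. Either restore the block-bodied form or delete the trailing `});`. In the prose, 'as you deploy and enable and different features of your application' needs rewording (for example 'as you deploy and enable different features of your application').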
@@ -160,37 +209,48 @@ By convention, the `FeatureManagement` section of this JSON document is used for
* `FeatureA` is *on*. * `FeatureB` is *off*.
-* `FeatureC` specifies a filter named `Percentage` with a `Parameters` property. `Percentage` is a configurable filter. In this example, `Percentage` specifies a 50-percent probability for the `FeatureC` flag to be *on*.
+* `FeatureC` specifies a filter named `Percentage` with a `Parameters` property. `Percentage` is a configurable filter. In this example, `Percentage` specifies a 50-percent probability for the `FeatureC` flag to be *on*. For a how-to guide on using feature filters, see [Use feature filters to enable conditional feature flags](/azure/azure-app-configuration/howto-feature-filters-aspnet-core).
-## Feature flag references
-So that you can easily reference feature flags in code, you should define them as `enum` variables:
+
+## Use dependency injection to access IFeatureManager
+
+For some operations, such as manually checking feature flag values, you need to get an instance of [IFeatureManager](/dotnet/api/microsoft.featuremanagement.ifeaturemanage). In ASP.NET Core MVC, you can access the feature manager `IFeatureManager` through dependency injection. In the following example, an argument of type `IFeatureManager` is added to the signature of the constructor for a controller. The runtime automatically resolves the reference and provides an of the interface when calling the constructor. If you're using an application template in which the controller already has one or more dependency injection arguments in the constructor, such as `ILogger`, you can just add `IFeatureManager` as an additional argument:
+
+### [.NET 5.x](#tab/core5x)
+
```csharp
-public enum MyFeatureFlags
+using Microsoft.FeatureManagement;
+
+public class HomeController : Controller
{
- FeatureA,
- FeatureB,
- FeatureC
+ private readonly IFeatureManager _featureManager;
+
+ public HomeController(ILogger<HomeController> logger, IFeatureManager featureManager)
+ {
+ _featureManager = featureManager;
+ }
} ```
-## Feature flag checks
-
-The basic pattern of feature management is to first check if a feature flag is set to *on*. If so, the feature manager then runs the actions that the feature contains. For example:
+### [.NET Core 3.x](#tab/core3x)
```csharp
-IFeatureManager featureManager;
-...
-if (await featureManager.IsEnabledAsync(nameof(MyFeatureFlags.FeatureA)))
+using Microsoft.FeatureManagement;
+
+public class HomeController : Controller
{
- // Run the following code
+ private readonly IFeatureManager _featureManager;
+
+ public HomeController(ILogger<HomeController> logger, IFeatureManager featureManager)
+ {
+ _featureManager = featureManager;
+ }
} ```-
-## Dependency injection
-
-In ASP.NET Core MVC, you can access the feature manager `IFeatureManager` through dependency injection:
+
+### [.NET Core 2.x](#tab/core2x)
```csharp using Microsoft.FeatureManagement;
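Review bot: The new IFeatureManager paragraph has a dropped word and a truncated link: "provides an of the interface" should read "provides an instance of the interface", and the link target `/dotnet/api/microsoft.featuremanagement.ifeaturemanage` is missing its final "r" (the interface named in the same sentence is `IFeatureManager`). The .NET 5.x and .NET Core 3.x tabs that follow contain identical `HomeController` code; if the two targets really do not differ here, say so in one sentence or collapse the tabs, so readers do not hunt for a difference that is not there.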
@@ -206,9 +266,37 @@ public class HomeController : Controller
} ``` ++
+## Feature flag references
+
+Define feature flags as string variables in order to reference them from code:
+
+```csharp
+public static class MyFeatureFlags
+{
+ public const string FeatureA = "FeatureA";
+ public const string FeatureB = "FeatureB";
+ public const string FeatureC = "FeatureC";
+}
+```
+
+## Feature flag checks
+
+A common pattern of feature management is to check if a feature flag is set to *on* and if so, run a section of code. For example:
+
+```csharp
+IFeatureManager featureManager;
+...
+if (await featureManager.IsEnabledAsync(MyFeatureFlags.FeatureA))
+{
+ // Run the following code
+}
+```
+ ## Controller actions
-In MVC controllers, you use the `FeatureGate` attribute to control whether a whole controller class or a specific action is enabled. The following `HomeController` controller requires `FeatureA` to be *on* before any action the controller class contains can be executed:
+With MVC controllers, you can use the `FeatureGate` attribute to control whether a whole controller class or a specific action is enabled. The following `HomeController` controller requires `FeatureA` to be *on* before any action the controller class contains can be executed:
```csharp using Microsoft.FeatureManagement.Mvc;
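Review bot: The "Feature flag references" section calls the new `MyFeatureFlags` members "string variables", but the block defines `public const string` constants, so "string constants" is the accurate term. Since this replaces the earlier `enum` plus `nameof(...)` pattern, one sentence is worth adding: the constant's value, for example `public const string FeatureA = "FeatureA";`, must match the feature name in configuration exactly, because `IsEnabledAsync(MyFeatureFlags.FeatureA)` now passes that string rather than the member name, and a mistyped value will not be caught by the compiler.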
@@ -232,7 +320,7 @@ public IActionResult Index()
} ```
-When an MVC controller or action is blocked because the controlling feature flag is *off*, a registered `IDisabledFeaturesHandler` interface is called. The default `IDisabledFeaturesHandler` interface returns a 404 status code to the client with no response body.
+When an MVC controller or action is blocked because the controlling feature flag is *off*, a registered [IDisabledFeaturesHandler](/dotnet/api/microsoft.featuremanagement.mvc.idisabledfeatureshandler?view=azure-dotnet-preview) interface is called. The default `IDisabledFeaturesHandler` interface returns a 404 status code to the client with no response body.
## MVC views
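Review bot: The new IDisabledFeaturesHandler link carries a `?view=azure-dotnet-preview` query string while the other API links added in this patch (IFeatureManager, IAsyncActionFilter) do not; dropping the pinned preview view keeps the links consistent and stops them going stale when the API leaves preview. Wording: an interface is not "called"; say "a registered `IDisabledFeaturesHandler` implementation is invoked". Keep the following sentence about the default returning 404 with no body, since that is the behaviour that keeps a gated controller or action from being distinguishable from a missing route.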
@@ -271,7 +359,7 @@ The feature `<feature>` tag can also be used to show content if any or all featu
## MVC filters
-You can set up MVC filters so that they're activated based on the state of a feature flag. The following code adds an MVC filter named `SomeMvcFilter`. This filter is triggered within the MVC pipeline only if `FeatureA` is enabled. This capability is limited to `IAsyncActionFilter`.
+You can set up MVC filters so that they're activated based on the state of a feature flag. This capability is limited to filters that implement [IAsyncActionFilter](/dotnet/api/microsoft.aspnetcore.mvc.filters.iasyncactionfilter). The following code adds an MVC filter named `ThirdPartyActionFilter`. This filter is triggered within the MVC pipeline only if `FeatureA` is enabled.
```csharp using Microsoft.FeatureManagement.FeatureFilters;
@@ -281,7 +369,7 @@ IConfiguration Configuration { get; set;}
public void ConfigureServices(IServiceCollection services) { services.AddMvc(options => {
- options.Filters.AddForFeature<SomeMvcFilter>(nameof(MyFeatureFlags.FeatureA));
+ options.Filters.AddForFeature<ThirdPartyActionFilter>(MyFeatureFlags.FeatureA);
}); } ```
@@ -291,7 +379,7 @@ public void ConfigureServices(IServiceCollection services)
You can also use feature flags to conditionally add application branches and middleware. The following code inserts a middleware component in the request pipeline only when `FeatureA` is enabled: ```csharp
-app.UseMiddlewareForFeature<ThirdPartyMiddleware>(nameof(MyFeatureFlags.FeatureA));
+app.UseMiddlewareForFeature<ThirdPartyMiddleware>(MyFeatureFlags.FeatureA);
``` This code builds off the more-generic capability to branch the entire application based on a feature flag:
azure-australia https://docs.microsoft.com/en-us/azure/azure-australia/system-monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-australia/system-monitor.md
@@ -87,7 +87,7 @@ Any logging solution should, wherever possible, consolidate captured logs into a
This requirement is met for all Azure customers with Azure Monitor. This offering not only provides a centralised logging repository in Azure for all Azure resources, it also enables you to stream your data to an Azure Event Hub. Azure Event Hubs provides a fully managed, real-time data ingestion service. Once Azure Monitor data is streamed to an Azure Event Hub, the data can also be easily connected to existing supported Security information and event management (SIEM) repositories and additional third party monitoring tools.
-Microsoft also offers its own Azure native SIEM solution, Azure Sentinel. Azure Sentinel supports a wide variety of data connectors and can be used to monitor security events across an entire enterprise. By combining the data from supported [data connectors](../sentinel/connect-data-sources.md), Azure Sentinel's built-in machine learning, and the Kusto query language, security administrators are provided with a single solution for alert detection, threat visibility, proactive hunting, and threat response. Sentinel also provides a hunting and notebook feature that allows security administrators to record all the steps undertaken as part of a security investigation in a reuseable playbook that can be shared within an organisation. Security Administrators can even use the built-in [User Analytics](../sentinel/overview.md) to investigate the actions of a single nominated user.
+Microsoft also offers its own Azure native SIEM solution, Azure Sentinel. Azure Sentinel supports a wide variety of data connectors and can be used to monitor security events across an entire enterprise. By combining the data from supported [data connectors](../sentinel/connect-data-sources.md), Azure Sentinel's built-in machine learning, and the Kusto query language, security administrators are provided with a single solution for alert detection, threat visibility, proactive hunting, and threat response. Azure Sentinel also provides a hunting and notebook feature that allows security administrators to record all the steps undertaken as part of a security investigation in a reuseable playbook that can be shared within an organisation. Security Administrators can even use the built-in [User Analytics](../sentinel/overview.md) to investigate the actions of a single nominated user.
### Logged events and log detail
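Review bot: The `+` line changes "Sentinel" to "Azure Sentinel" but leaves "reuseable" (should be "reusable") and the inconsistent "Security Administrators" next to "security administrators" earlier in the same sentence; fix both while touching this paragraph. In the preceding context line, "third party monitoring tools" should be hyphenated as "third-party".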
azure-cache-for-redis https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-event-grid-quickstart-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-event-grid-quickstart-cli.md
@@ -1,6 +1,6 @@
Title: 'Quickstart: Route Azure Cache for Redis events to web endpoint with Azure CLI'
-description: Use Azure Event Grid to subscribe to Azure Cache for Redis events, send the events to a Webhook, and handle the events in a web application.
+description: Use Azure Event Grid to subscribe to Azure Cache for Redis events, trigger an event, and view the results.
Last updated 1/5/2021
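Review bot: The new description drops the Webhook and web application that the unchanged title ("Route Azure Cache for Redis events to web endpoint with Azure CLI") still promises; either keep "send the events to a Webhook" in the description or adjust the title so the two agree.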
azure-cache-for-redis https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/security-baseline.md
@@ -1184,7 +1184,7 @@ https://docs.microsoft.com/azure/security-center/security-center-provide-securit
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
How to configure continuous export:
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-other https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-vs-code-other.md
@@ -257,7 +257,7 @@ In this section, you publish your project to Azure in a function app running Lin
```cmd set GOOS=linux set GOARCH=amd64
- go build hello.go
+ go build handler.go
``` Change the `defaultExecutablePath` in *host.json* from `handler.exe` to `handler`. This instructs the function app to run the Linux binary.
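Review bot: `go build handler.go` relies on Go naming the output binary after the source file, which is what makes the next instruction (change `defaultExecutablePath` to `handler`) work; since this line is itself a rename from `hello.go`, consider `go build -o handler handler.go` so the binary name no longer depends on the file name and the host.json instruction cannot silently drift out of step again.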
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-enable-aks-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/containers/container-insights-enable-aks-policy.md
@@ -0,0 +1,79 @@
+
+ Title: Enable AKS Monitoring Addon using Azure Policy
+description: Describes how to enable AKS Monitoring Addon using Azure Custom Policy.
+ Last updated : 02/04/2021++
+# Enable AKS monitoring addon using Azure Policy
+This article describes how to enable AKS Monitoring Addon using Azure Custom Policy. Monitoring Addon Custom Policy can be assigned either at subscription or resource group scope. If Azure Log Analytics workspace and AKS cluster are in different subscriptions then the managed identity used by the policy assignment has to have the required role permissions on both the subscriptions or least on the resource of the Log Analytics workspace. Similarly, if the policy is scoped to the resource group, then the managed identity should have the required role permissions on the Log Analytics workspace if the workspace not in the selected resource group scope.
+
+Monitoring Addon require following roles on the managed identity used by Azure Policy:
+
+ - [azure-kubernetes-service-contributor-role](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#azure-kubernetes-service-contributor-role)
+ - [log-analytics-contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#log-analytics-contributor)
+
+## Create and assign policy definition using Azure portal
+
+### Create policy definition
+
+1. Download the Azure Custom Policy definition to enable AKS Monitoring Addon.
+
+ ``` sh
+ curl -o azurepolicy.json -L https://aka.ms/aks-enable-monitoring-custom-policy
+ ```
+
+3. Navigate to https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Definitions and create policy definition with the following details in the Policy definition create dialogue box.
+
+ - **Definition location**: Choose the Azure subscription where the policy definition should be stored.
+ - **Name**: *(Preview)AKS-Monitoring-Addon*
+ - **Description**: *Azure Custom Policy to enable Monitoring Addon onto Azure Kubernetes Cluster(s) in specified scope*
+ - **Category**: Choose *use existing* and pick *Kubernetes* from drop-down.
+ - **Policy Rule**: Remove the existing sample rules and copy the contents of *azurepolicy.json* downloaded in step #1 above.
+
+### Assign policy definition to specified scope
+
+> [!NOTE]
+> Managed identity will be created automatically and assigned specified roles in the Policy definition.
+
+1. Select the policy definition *(Preview) AKS Monitoring Addon* that you just created.
+4. Click *Assign*** and specify a **Scope** of where the policy should be assigned.
+5. Click **Next** and provide the Resource ID of the Azure Log Analytics Workspace. The Resource ID should be in this format `/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>`.
+6. Create a remediation task in case if you want to apply to policy to existing AKS clusters in the selected scope.
+7. Click **Review + Create** option to create the policy assignment.
+
+## Create and assign policy definition using Azure CLI
+
+### Create policy definition
+
+1. Download the Azure custom policy definition rules and parameters files with the following commands:
+
+ ``` sh
+ curl -o azurepolicy.rules.json -L https://aka.ms/aks-enable-monitoring-custom-policy-rules
+ curl -o azurepolicy.parameters.json -L https://aka.ms/aks-enable-monitoring-custom-policy-parameters
+ ```
+
+2. Create the policy definition with the following command:
+
+ ``` sh
+ az cloud set -n <AzureCloud | AzureChinaCloud | AzureUSGovernment> # set the Azure cloud
+ az login # login to cloud environment
+ az account set -s <subscriptionId>
+ az policy definition create --name "(Preview)AKS-Monitoring-Addon" --display-name "(Preview)AKS-Monitoring-Addon" --mode Indexed --metadata version=1.0.0 category=Kubernetes --rules azurepolicy.rules.json --params azurepolicy.parameters.json
+ ```
+
+### Assign policy definition to specified scope
+
+- Create the policy assignment with the following command:
+
+ ``` sh
+ az policy assignment create --name aks-monitoring-addon --policy "(Preview)AKS-Monitoring-Addon" --assign-identity --identity-scope /subscriptions/<subscriptionId> --role Contributor --scope /subscriptions/<subscriptionId> --location <locatio> --role Contributor --scope /subscriptions/<subscriptionId> -p "{ \"workspaceResourceId\": { \"value\": \"/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.operationalinsights/workspaces/<workspaceName>\" } }"
+ ```
+
+## Next steps
+
+- Learn more about [Azure Policy](../../governance/policy/overview.md).
+- Learn how [remediation security works](../../governance/policy/how-to/remediate-resources.md#how-remediation-security-works).
+- Learn more about [Azure Monitor for Containers](../insights/container-insights-overview.md).
+- Install the [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).
+
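Review bot: The `az policy assignment create` command grants the policy's managed identity `--role Contributor` at subscription scope, and repeats `--role Contributor --scope /subscriptions/<subscriptionId>` twice, while the prerequisites at the top of the file list only the AKS Contributor and Log Analytics Contributor roles as required; drop the duplicated arguments, fix the `--location <locatio>` placeholder, and either assign the two narrower roles the article names (a follow-up `az role assignment create` on the workspace resource covers the second one) or explain why full Contributor is needed. Smaller issues in the same file: the portal "Create policy definition" steps are numbered 1 then 3, and the assignment steps 1, 4, 5, 6, 7; `Click *Assign***` has stray asterisks; the definition name appears as `(Preview)AKS-Monitoring-Addon` in one place and `(Preview) AKS Monitoring Addon` in another; and "or least on the resource", "if the workspace not in", "Monitoring Addon require following roles" and "in case if you want to apply to policy" need grammar fixes.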
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-onboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/container-insights-onboard.md
@@ -33,6 +33,13 @@ You can enable Azure Monitor for containers for a new deployment or for one or m
Before you start, make sure that you've met the following requirements:
+> [!IMPORTANT]
+> Log Analytics Containerized Linux Agent (replicaset pod) makes API calls to all the Windows nodes on Kubelet Secure Port (10250) within the cluster to collect Node and Container Performance related Metrics.
+Kubelet secure port (:10250) should be opened in the cluster's virtual network for both inbound and outbound for Windows Node and container performance related metrics collection to work.
+>
+> If you have a Kubernetes cluster with Windows nodes, then please review and configure the Network Security Group and Network Policies to make sure the Kubelet secure port (:10250) is opened for both inbound and outbound in cluster's virtual network.
++ - You have a Log Analytics workspace. Azure Monitor for containers supports a Log Analytics workspace in the regions that are listed in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=monitor).
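Review bot: The second line of the new IMPORTANT block (`Kubelet secure port (:10250) should be opened ...`) is missing its leading `>`, so it falls out of the blockquote and renders as a separate paragraph between the two quoted parts; prefix it with `> `. Content-wise, the note asks for 10250 to be opened "for both inbound and outbound in cluster's virtual network", but the traffic it describes is specific: the agent's replicaset pod calling the Windows nodes' kubelet. Say explicitly that the Network Security Group and network policy rules should allow TCP 10250 only from the cluster's own address space to the Windows nodes, so readers do not open the kubelet port more widely than the collection path needs.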
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solution-office-365 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/solution-office-365.md
@@ -105,7 +105,7 @@ Last updated 03/30/2020
> - If you don't offboard your solution manually by October 31, your data will be disconnected automatically, and the **OfficeActivity** table removed. Even so, you will still be able to restore the table when you enable the Office 365 connector in Azure Sentinel, as explained below. > > ### Q: Will my data transfer to the new solution?
-> Yes. When you remove the **Office 365** solution from your workspace, its data will become temporarily unavailable because the schema is removed. When you enable the new **Office 365** connector in Sentinel, the schema is restored to the workspace and any data already collected will become available.
+> Yes. When you remove the **Office 365** solution from your workspace, its data will become temporarily unavailable because the schema is removed. When you enable the new **Office 365** connector in Azure Sentinel, the schema is restored to the workspace and any data already collected will become available.
The Office 365 management solution allows you to monitor your Office 365 environment in Azure Monitor.
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/logs-data-export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/logs-data-export.md
@@ -6,7 +6,7 @@
Previously updated : 10/14/2020 Last updated : 02/07/2021
@@ -24,8 +24,7 @@ All data from included tables is exported without a filter. For example, when yo
## Other export options Log Analytics workspace data export continuously exports data from a Log Analytics workspace. Other options to export data for particular scenarios include the following: -- Scheduled export from a log query using a Logic App. This is similar to the data export feature but allows you to send filtered or aggregated data to Azure storage. This method though is subject to [log query limits](../service-limits.md#log-analytics-workspaces) See [Archive data from Log Analytics workspace to Azure storage using Logic App](logs-export-logic-app.md).-- One time export using a Logic App. See [Azure Monitor Logs connector for Logic Apps and Power Automate](logicapp-flow-connector.md).
+- Scheduled export from a log query using a Logic App. This is similar to the data export feature but allows you to send filtered or aggregated data to Azure storage. This method though is subject to [log query limits](../service-limits.md#log-analytics-workspaces), see [Archive data from Log Analytics workspace to Azure storage using Logic App](logs-export-logic-app.md).
- One time export to local machine using PowerShell script. See [Invoke-AzOperationalInsightsQueryExport](https://www.powershellgallery.com/packages/Invoke-AzOperationalInsightsQueryExport).
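Review bot: The rewritten bullet joins two sentences with a comma ("subject to [log query limits](...), see [Archive data ...]"); the original was missing a full stop, and the fix should be "limits. See ...", not a comma splice. The hunk also deletes the "One time export using a Logic App" bullet without replacement; if the Logic Apps connector path is no longer recommended, a short reason or pointer would help readers who currently use it, otherwise restore the bullet.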
@@ -43,16 +42,7 @@ Log Analytics workspace data export continuously exports data from a Log Analyti
- You can create two export rules in a workspace -- in can be one rule to event hub and one rule to storage account. - The destination storage account or event hub must be in the same region as the Log Analytics workspace. - Names of tables to be exported can be no longer than 60 characters for a storage account and no more than 47 characters to an event hub. Tables with longer names will not be exported.-
-> [!NOTE]
-> Log Analytics data export writes data as append blob which is currently in preview for Azure Data Lake Storage Gen2. You must open a support request before configuring export to this storage. Use the following details for this request.
-> - Issue type: Technical
-> - Subscription: Your subscription
-> - Service: Data Lake Storage Gen2
-> - Resource: Your resource name
-> - Summary: Requesting subscription registration to accept data from Log Analytics Data Export.
-> - Problem type: Connectivity
-> - Problem subtype: Connectivity issue
+- Append blob support for Azure Data Lake Storage is now in [limited public preview](https://azure.microsoft.com/updates/append-blob-support-for-azure-data-lake-storage-preview/)
## Data completeness Data export will continue to retry sending data for up to 30 minutes in the event that the destination is unavailable. If it's still unavailable after 30 minutes then data will be discarded until the destination becomes available.
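Review bot: The new bullet ends without a period and reads as a status update ("is now in limited public preview") rather than a requirement, yet the NOTE added later in this same patch says export to Azure Data Lake storage "will not operate" without enrolling in that preview. State the requirement here as well, for example "Export to Azure Data Lake Storage requires enrollment in the [limited public preview](...)", so a reader skimming the considerations list does not miss it.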
@@ -73,6 +63,9 @@ The storage account data format is [JSON lines](./resource-logs-blob-format.md).
Log Analytics data export can write append blobs to immutable storage accounts when time-based retention policies have the *allowProtectedAppendWrites* setting enabled. This allows writing new blocks to an append blob, while maintaining immutability protection and compliance. See [Allow protected append blobs writes](../../storage/blobs/storage-blob-immutable-storage.md#allow-protected-append-blobs-writes).
+> [!NOTE]
+> Append blob support for Azure Data Lake storage is now available in preview in all Azure regions. [Enroll to the limited public preview](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4mEEwKhLjlBjU3ziDwLH-pURDk2NjMzUTVEVzU5UU1XUlRXSTlHSlkxQS4u) before you create an export rule to Azure Data Lake storage. Export will not operate without this enrollment.
+ ### Event hub Data is sent to your event hub in near-real-time as it reaches Azure Monitor. An event hub is created for each data type that you export with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to an event hub named *am-SecurityEvent*. If you want the exported data to reach a specific event hub, or if you have a table with a name that exceeds the 47 character limit, you can provide your own event hub name and export all data for defined tables to it.
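Review bot: The enrollment NOTE points to a Microsoft Forms URL; for a docs page a stable aka.ms or azure.microsoft.com/updates link is preferable (the bullet earlier in this patch already links the updates page), since form links break when the preview closes. Also, in the unchanged context line that follows, "would sent to an event hub" should read "would be sent to an event hub".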
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/metrics-supported.md
@@ -4,7 +4,7 @@ description: List of metrics available for each resource type with Azure Monitor
Previously updated : 01/04/2021 Last updated : 02/06/2021
@@ -51,6 +51,13 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
> [!IMPORTANT] > This latest update adds a new column and reordered the metrics to be alphabetic. The addition information means that the tables below may have a horizontal scroll bar at the bottom, depending on the width of your browser window. If you believe you are missing information, use the scroll bar to see the entirety of the table.
+## microsoft.aadiam/azureADMetrics
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ThrottledRequests|No|ThrottledRequests|Count|Average|azureADMetrics type metric|No Dimensions|
++ ## Microsoft.AnalysisServices/servers |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
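Review bot: The new `microsoft.aadiam/azureADMetrics` table gives `ThrottledRequests` the description "azureADMetrics type metric", which restates the resource type instead of saying what is counted; describe the metric or mark the description as pending. The resource type heading is also lowercase `microsoft.aadiam` while every other heading in this file uses a `Microsoft.`-capitalised namespace, and the Display Name simply repeats the Metric column.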
@@ -141,6 +148,21 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|active-timer-count|Yes|System.Runtime|active-timer-count|Count|Average|Number of timers that are currently active|Deployment, AppName, Pod|
+|alloc-rate|Yes|System.Runtime|alloc-rate|Bytes|Average|Number of bytes allocated in the managed heap|Deployment, AppName, Pod|
+|AppCpuUsage|Yes|App CPU Usage (preview)|Percent|Average|The recent CPU usage for the app|Deployment, AppName, Pod|
+|assembly-count|Yes|System.Runtime|assembly-count|Count|Average|Number of Assemblies Loaded|Deployment, AppName, Pod|
+|cpu-usage|Yes|System.Runtime|cpu-usage|Percent|Average|% time the process has utilized the CPU|Deployment, AppName, Pod|
+|current-requests|Yes|Microsoft.AspNetCore.Hosting|current-requests|Count|Average|Total number of requests in processing in the lifetime of the process|Deployment, AppName, Pod|
+|exception-count|Yes|System.Runtime|exception-count|Count|Total|Number of Exceptions|Deployment, AppName, Pod|
+|failed-requests|Yes|Microsoft.AspNetCore.Hosting|failed-requests|Count|Average|Total number of failed requests in the lifetime of the process|Deployment, AppName, Pod|
+|gc-heap-size|Yes|System.Runtime|gc-heap-size|Count|Average|Total heap size reported by the GC (MB)|Deployment, AppName, Pod|
+|gen-0-gc-count|Yes|System.Runtime|gen-0-gc-count|Count|Average|Number of Gen 0 GCs|Deployment, AppName, Pod|
+|gen-0-size|Yes|System.Runtime|gen-0-size|Bytes|Average|Gen 0 Heap Size|Deployment, AppName, Pod|
+|gen-1-gc-count|Yes|System.Runtime|gen-1-gc-count|Count|Average|System.Runtime|Number of Gen 1 GCs|Deployment, AppName, Pod|
+|gen-1-size|Yes|System.Runtime|gen-1-size|Bytes|Average|Gen 1 Heap Size|Deployment, AppName, Pod|
+|gen-2-gc-count|Yes|System.Runtime|gen-2-gc-count|Count|Average|Number of Gen 2 GCs|Deployment, AppName, Pod|
+|gen-2-size|Yes|System.Runtime|gen-2-size|Bytes|Average|Gen 2 Heap Size|Deployment, AppName, Pod|
|jvm.gc.live.data.size|Yes|jvm.gc.live.data.size|Bytes|Average|Size of old generation memory pool after a full GC|Deployment, AppName, Pod| |jvm.gc.max.data.size|Yes|jvm.gc.max.data.size|Bytes|Average|Max size of old generation memory pool|Deployment, AppName, Pod| |jvm.gc.memory.allocated|Yes|jvm.gc.memory.allocated|Bytes|Maximum|Incremented for an increase in the size of the young generation memory pool after one GC to before the next|Deployment, AppName, Pod|
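Review bot: The added `System.Runtime` and `Microsoft.AspNetCore.Hosting` rows have eight cells against the seven-column header (`|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|`): the counter category is inserted as an extra cell between Exportable and Display Name, so every cell after it shifts one column right and the Dimensions cell falls off the table. The `gen-1-gc-count` row is worse, with `System.Runtime` appearing twice and nine cells. Either fold the category into the Display Name cell (the existing `jvm.*` rows use a single Display Name) or add the column to the header and to every existing row. `gc-heap-size` is also given Unit `Count` while its description says "(MB)"; a byte-based unit, as the `gen-0-size` row uses, would be consistent.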
@@ -150,8 +172,15 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|jvm.memory.committed|Yes|jvm.memory.committed|Bytes|Average|Memory assigned to JVM in bytes|Deployment, AppName, Pod| |jvm.memory.max|Yes|jvm.memory.max|Bytes|Maximum|The maximum amount of memory in bytes that can be used for memory management|Deployment, AppName, Pod| |jvm.memory.used|Yes|jvm.memory.used|Bytes|Average|App Memory Used in bytes|Deployment, AppName, Pod|
+|loh-size|Yes|System.Runtime|loh-size|Bytes|Average|LOH Heap Size|Deployment, AppName, Pod|
+|monitor-lock-contention-count|Yes|System.Runtime|monitor-lock-contention-count|Count|Average|Number of times there were contention when trying to take the monitor lock|Deployment, AppName, Pod|
|process.cpu.usage|Yes|process.cpu.usage|Percent|Average|The recent CPU usage for the JVM process|Deployment, AppName, Pod|
+|requests-per-second|Yes|Microsoft.AspNetCore.Hosting|requests-rate|Count|Average|Request rate|Deployment, AppName, Pod|
|system.cpu.usage|Yes|system.cpu.usage|Percent|Average|The recent CPU usage for the whole system|Deployment, AppName, Pod|
+|threadpool-completed-items-count|Yes|System.Runtime|threadpool-completed-items-count|Count|Average|ThreadPool Completed Work Items Count|Deployment, AppName, Pod|
+|threadpool-queue-length|Yes|System.Runtime|threadpool-queue-length|Count|Average|ThreadPool Work Items Queue Length|Deployment, AppName, Pod|
+|threadpool-thread-count|Yes|System.Runtime|threadpool-thread-count|Count|Average|Number of ThreadPool Threads|Deployment, AppName, Pod|
+|time-in-gc|Yes|System.Runtime|time-in-gc|Percent|Average|% time in GC since the last GC|Deployment, AppName, Pod|
|tomcat.global.error|Yes|tomcat.global.error|Count|Total|Tomcat Global Error|Deployment, AppName, Pod| |tomcat.global.received|Yes|tomcat.global.received|Bytes|Total|Tomcat Total Received Bytes|Deployment, AppName, Pod| |tomcat.global.request.avg.time|Yes|tomcat.global.request.avg.time|Milliseconds|Average|Tomcat Request Average Time|Deployment, AppName, Pod|
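Review bot: Same eight-cell problem as the previous hunk for the `loh-size`, `monitor-lock-contention-count`, `requests-per-second` and `threadpool-*` rows. In addition, the `requests-per-second` row names the metric `requests-per-second` in the Metric column but `requests-rate` in the Display Name position; one of the two is wrong, and whichever is the metric ID is what customers will put into alert rules and diagnostic settings, so it needs to be exact.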
@@ -167,6 +196,8 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|tomcat.sessions.rejected|Yes|tomcat.sessions.rejected|Count|Total|Tomcat Session Rejected Count|Deployment, AppName, Pod| |tomcat.threads.config.max|Yes|tomcat.threads.config.max|Count|Total|Tomcat Config Max Thread Count|Deployment, AppName, Pod| |tomcat.threads.current|Yes|tomcat.threads.current|Count|Total|Tomcat Current Thread Count|Deployment, AppName, Pod|
+|total-requests|Yes|Microsoft.AspNetCore.Hosting|total-requests|Count|Average|Total number of requests in the lifetime of the process|Deployment, AppName, Pod|
+|working-set|Yes|System.Runtime|working-set|Count|Average|Amount of working set used by the process (MB)|Deployment, AppName, Pod|
## Microsoft.Automation/automationAccounts
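Review bot: `working-set` is listed with Unit `Count` while its description says "(MB)"; use a byte-based unit as the other size metrics in this table do, or drop the "(MB)" from the description. `total-requests` has the same extra-cell problem as the earlier `Microsoft.AspNetCore.Hosting` rows.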
@@ -178,6 +209,20 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|TotalUpdateDeploymentRuns|Yes|Total Update Deployment Runs|Count|Total|Total software update deployment runs|SoftwareUpdateConfigurationName, Status|
+## Microsoft.AVS/privateClouds
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|CapacityLatest|Yes|Datastore Disk Total Capacity|Bytes|Average|The total capacity of disk in the datastore|dsname|
+|DiskUsedPercentage|Yes| Percentage Datastore Disk Used|Percent|Average|Percent of available disk used in Datastore|dsname|
+|EffectiveCpuAverage|Yes|Percentage CPU|Percent|Average|Percentage of Used CPU resources in Cluster|clustername|
+|EffectiveMemAverage|Yes|Average Effective Memory|Bytes|Average|Total available amount of machine memory in cluster|clustername|
+|OverheadAverage|Yes|Average Memory Overhead|Bytes|Average|Host physical memory consumed by the virtualization infrastructure|clustername|
+|TotalMbAverage|Yes|Average Total Memory|Bytes|Average|Total memory in cluster|clustername|
+|UsageAverage|Yes|Average Memory Usage|Percent|Average|Memory usage as percentage of total configured or available memory|clustername|
+|UsedLatest|Yes|Datastore Disk Used|Bytes|Average|The total amount of disk used in the datastore|dsname|
++ ## Microsoft.Batch/batchAccounts |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
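Review bot: In the new `Microsoft.AVS/privateClouds` table, the `DiskUsedPercentage` Display Name cell has a leading space (`| Percentage Datastore Disk Used|`), which renders inconsistently; trim it. The description for `EffectiveMemAverage` ("Total available amount of machine memory in cluster") reads the same as `TotalMbAverage` ("Total memory in cluster"); if one is total and the other is effective memory after overhead, say so, since the `OverheadAverage` row already defines overhead.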
@@ -241,18 +286,76 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |BroadcastProcessedCount|Yes|BroadcastProcessedCountDisplayName|Count|Average|The number of transactions processed.|Node, channel, type, status|
+|ChaincodeExecuteTimeouts|Yes|ChaincodeExecuteTimeoutsDisplayName|Count|Average|The number of chaincode executions (Init or Invoke) that have timed out.|Node, chaincode|
+|ChaincodeLaunchFailures|Yes|ChaincodeLaunchFailuresDisplayName|Count|Average|The number of chaincode launches that have failed.|Node, chaincode|
+|ChaincodeLaunchTimeouts|Yes|ChaincodeLaunchTimeoutsDisplayName|Count|Average|The number of chaincode launches that have timed out.|Node, chaincode|
+|ChaincodeShimRequestsCompleted|Yes|ChaincodeShimRequestsCompletedDisplayName|Count|Average|The number of chaincode shim requests completed.|Node, type, channel, chaincode, success|
+|ChaincodeShimRequestsReceived|Yes|ChaincodeShimRequestsReceivedDisplayName|Count|Average|The number of chaincode shim requests received.|Node, type, channel, chaincode|
+|ClusterCommEgressQueueCapacity|Yes|ClusterCommEgressQueueCapacityDisplayName|Count|Average|Capacity of the egress queue.|Node, host, msg_type, channel|
+|ClusterCommEgressQueueLength|Yes|ClusterCommEgressQueueLengthDisplayName|Count|Average|Length of the egress queue.|Node, host, msg_type, channel|
+|ClusterCommEgressQueueWorkers|Yes|ClusterCommEgressQueueWorkersDisplayName|Count|Average|Count of egress queue workers.|Node, channel|
+|ClusterCommEgressStreamCount|Yes|ClusterCommEgressStreamCountDisplayName|Count|Average|Count of streams to other nodes.|Node, channel|
+|ClusterCommEgressTlsConnectionCount|Yes|ClusterCommEgressTlsConnectionCountDisplayName|Count|Average|Count of TLS connections to other nodes.|Node|
+|ClusterCommIngressStreamCount|Yes|ClusterCommIngressStreamCountDisplayName|Count|Average|Count of streams from other nodes.|Node|
+|ClusterCommMsgDroppedCount|Yes|ClusterCommMsgDroppedCountDisplayName|Count|Average|Count of messages dropped.|Node, host, channel|
|ConnectionAccepted|Yes|Accepted Connections|Count|Total|Accepted Connections|Node| |ConnectionActive|Yes|Active Connections|Count|Average|Active Connections|Node| |ConnectionHandled|Yes|Handled Connections|Count|Total|Handled Connections|Node|
+|ConsensusEtcdraftActiveNodes|Yes|ConsensusEtcdraftActiveNodesDisplayName|Count|Average|Number of active nodes in this channel.|Node, channel|
+|ConsensusEtcdraftClusterSize|Yes|ConsensusEtcdraftClusterSizeDisplayName|Count|Average|Number of nodes in this channel.|Node, channel|
|ConsensusEtcdraftCommittedBlockNumber|Yes|ConsensusEtcdraftCommittedBlockNumberDisplayName|Count|Average|The block number of the latest block committed.|Node, channel|
+|ConsensusEtcdraftConfigProposalsReceived|Yes|ConsensusEtcdraftConfigProposalsReceivedDisplayName|Count|Average|The total number of proposals received for config type transactions.|Node, channel|
+|ConsensusEtcdraftIsLeader|Yes|ConsensusEtcdraftIsLeaderDisplayName|Count|Average|The leadership status of the current node: 1 if it is the leader else 0.|Node, channel|
+|ConsensusEtcdraftLeaderChanges|Yes|ConsensusEtcdraftLeaderChangesDisplayName|Count|Average|The number of leader changes since process start.|Node, channel|
+|ConsensusEtcdraftNormalProposalsReceived|Yes|ConsensusEtcdraftNormalProposalsReceivedDisplayName|Count|Average|The total number of proposals received for normal type transactions.|Node, channel|
+|ConsensusEtcdraftProposalFailures|Yes|ConsensusEtcdraftProposalFailuresDisplayName|Count|Average|The number of proposal failures.|Node, channel|
+|ConsensusEtcdraftSnapshotBlockNumber|Yes|ConsensusEtcdraftSnapshotBlockNumberDisplayName|Count|Average|The block number of the latest snapshot.|Node, channel|
+|ConsensusKafkaBatchSize|Yes|ConsensusKafkaBatchSizeDisplayName|Count|Average|The mean batch size in bytes sent to topics.|Node, topic|
+|ConsensusKafkaCompressionRatio|Yes|ConsensusKafkaCompressionRatioDisplayName|Count|Average|The mean compression ratio (as percentage) for topics.|Node, topic|
+|ConsensusKafkaIncomingByteRate|Yes|ConsensusKafkaIncomingByteRateDisplayName|Count|Average|Bytes/second read off brokers.|Node, broker_id|
+|ConsensusKafkaLastOffsetPersisted|Yes|ConsensusKafkaLastOffsetPersistedDisplayName|Count|Average|The offset specified in the block metadata of the most recently committed block.|Node, channel|
+|ConsensusKafkaOutgoingByteRate|Yes|ConsensusKafkaOutgoingByteRateDisplayName|Count|Average|Bytes/second written to brokers.|Node, broker_id|
+|ConsensusKafkaRecordSendRate|Yes|ConsensusKafkaRecordSendRateDisplayName|Count|Average|The number of records per second sent to topics.|Node, topic|
+|ConsensusKafkaRecordsPerRequest|Yes|ConsensusKafkaRecordsPerRequestDisplayName|Count|Average|The mean number of records sent per request to topics.|Node, topic|
+|ConsensusKafkaRequestLatency|Yes|ConsensusKafkaRequestLatencyDisplayName|Count|Average|The mean request latency in ms to brokers.|Node, broker_id|
+|ConsensusKafkaRequestRate|Yes|ConsensusKafkaRequestRateDisplayName|Count|Average|Requests/second sent to brokers.|Node, broker_id|
+|ConsensusKafkaRequestSize|Yes|ConsensusKafkaRequestSizeDisplayName|Count|Average|The mean request size in bytes to brokers.|Node, broker_id|
+|ConsensusKafkaResponseRate|Yes|ConsensusKafkaResponseRateDisplayName|Count|Average|Requests/second sent to brokers.|Node, broker_id|
+|ConsensusKafkaResponseSize|Yes|ConsensusKafkaResponseSizeDisplayName|Count|Average|The mean response size in bytes from brokers.|Node, broker_id|
|CpuUsagePercentageInDouble|Yes|CPU Usage Percentage|Percent|Maximum|CPU Usage Percentage|Node|
+|DeliverBlocksSent|Yes|DeliverBlocksSentDisplayName|Count|Average|The number of blocks sent by the deliver service.|Node, channel, filtered, data_type|
+|DeliverRequestsCompleted|Yes|DeliverRequestsCompletedDisplayName|Count|Average|The number of deliver requests that have been completed.|Node, channel, filtered, data_type, success|
+|DeliverRequestsReceived|Yes|DeliverRequestsReceivedDisplayName|Count|Average|The number of deliver requests that have been received.|Node, channel, filtered, data_type|
+|DeliverStreamsClosed|Yes|DeliverStreamsClosedDisplayName|Count|Average|The number of GRPC streams that have been closed for the deliver service.|Node|
+|DeliverStreamsOpened|Yes|DeliverStreamsOpenedDisplayName|Count|Average|The number of GRPC streams that have been opened for the deliver service.|Node|
+|EndorserChaincodeInstantiationFailures|Yes|EndorserChaincodeInstantiationFailuresDisplayName|Count|Average|The number of chaincode instantiations or upgrade that have failed.|Node, channel, chaincode|
+|EndorserDuplicateTransactionFailures|Yes|EndorserDuplicateTransactionFailuresDisplayName|Count|Average|The number of failed proposals due to duplicate transaction ID.|Node, channel, chaincode|
|EndorserEndorsementFailures|Yes|EndorserEndorsementFailuresDisplayName|Count|Average|The number of failed endorsements.|Node, channel, chaincode, chaincodeerror|
+|EndorserProposalAclFailures|Yes|EndorserProposalAclFailuresDisplayName|Count|Average|The number of proposals that failed ACL checks.|Node, channel, chaincode|
+|EndorserProposalSimulationFailures|Yes|EndorserProposalSimulationFailuresDisplayName|Count|Average|The number of failed proposal simulations.|Node, channel, chaincode|
+|EndorserProposalsReceived|Yes|EndorserProposalsReceivedDisplayName|Count|Average|The number of proposals received.|Node|
+|EndorserProposalValidationFailures|Yes|EndorserProposalValidationFailuresDisplayName|Count|Average|The number of proposals that have failed initial validation.|Node|
+|EndorserSuccessfulProposals|Yes|EndorserSuccessfulProposalsDisplayName|Count|Average|The number of successful proposals.|Node|
+|FabricVersion|Yes|FabricVersionDisplayName|Count|Average|The active version of Fabric.|Node, version|
+|GossipCommMessagesReceived|Yes|GossipCommMessagesReceivedDisplayName|Count|Average|Number of messages received.|Node|
+|GossipCommMessagesSent|Yes|GossipCommMessagesSentDisplayName|Count|Average|Number of messages sent.|Node|
+|GossipCommOverflowCount|Yes|GossipCommOverflowCountDisplayName|Count|Average|Number of outgoing queue buffer overflows.|Node|
|GossipLeaderElectionLeader|Yes|GossipLeaderElectionLeaderDisplayName|Count|Average|Peer is leader (1) or follower (0).|Node, channel| |GossipMembershipTotalPeersKnown|Yes|GossipMembershipTotalPeersKnownDisplayName|Count|Average|Total known peers.|Node, channel|
+|GossipPayloadBufferSize|Yes|GossipPayloadBufferSizeDisplayName|Count|Average|Size of the payload buffer.|Node, channel|
|GossipStateHeight|Yes|GossipStateHeightDisplayName|Count|Average|Current ledger height.|Node, channel|
+|GrpcCommConnClosed|Yes|GrpcCommConnClosedDisplayName|Count|Average|gRPC connections closed. Open minus closed is the active number of connections.|Node|
+|GrpcCommConnOpened|Yes|GrpcCommConnOpenedDisplayName|Count|Average|gRPC connections opened. Open minus closed is the active number of connections.|Node|
+|GrpcServerStreamMessagesReceived|Yes|GrpcServerStreamMessagesReceivedDisplayName|Count|Average|The number of stream messages received.|Node, service, method|
+|GrpcServerStreamMessagesSent|Yes|GrpcServerStreamMessagesSentDisplayName|Count|Average|The number of stream messages sent.|Node, service, method|
+|GrpcServerStreamRequestsCompleted|Yes|GrpcServerStreamRequestsCompletedDisplayName|Count|Average|The number of stream requests completed.|Node, service, method, code|
+|GrpcServerUnaryRequestsReceived|Yes|GrpcServerUnaryRequestsReceivedDisplayName|Count|Average|The number of unary requests received.|Node, service, method|
|IOReadBytes|Yes|IO Read Bytes|Bytes|Total|IO Read Bytes|Node| |IOWriteBytes|Yes|IO Write Bytes|Bytes|Total|IO Write Bytes|Node|
+|LedgerBlockchainHeight|Yes|LedgerBlockchainHeightDisplayName|Count|Average|Height of the chain in blocks.|Node, channel|
|LedgerTransactionCount|Yes|LedgerTransactionCountDisplayName|Count|Average|Number of transactions processed.|Node, channel, transaction_type, chaincode, validation_code|
+|LoggingEntriesChecked|Yes|LoggingEntriesCheckedDisplayName|Count|Average|Number of log entries checked against the active logging level.|Node, level|
+|LoggingEntriesWritten|Yes|LoggingEntriesWrittenDisplayName|Count|Average|Number of log entries that are written.|Node, level|
|MemoryLimit|Yes|Memory Limit|Bytes|Average|Memory Limit|Node| |MemoryUsage|Yes|Memory Usage|Bytes|Average|Memory Usage|Node| |MemoryUsagePercentageInDouble|Yes|Memory Usage Percentage|Percent|Average|Memory Usage Percentage|Node|
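Review bot: the description for `ConsensusKafkaResponseRate` (`Requests/second sent to brokers.`) is a copy of the `ConsensusKafkaRequestRate` row two lines above it; a response-rate metric should describe responses received from brokers, so the text needs correcting before it ships. Two smaller consistency points in the same rows: `DeliverStreamsClosed` and `DeliverStreamsOpened` write `GRPC` while the `GrpcCommConnClosed`/`GrpcCommConnOpened` rows write `gRPC`, and `EndorserChaincodeInstantiationFailures` reads `instantiations or upgrade that have failed` (should be `upgrades`).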
@@ -264,6 +367,14 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|StorageUsage|Yes|Storage Usage|Bytes|Average|Storage Usage|Node|
+## microsoft.botservice/botservices
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|RequestLatency|Yes|Request Latency|Milliseconds|Total|Time taken by the server to process the request|Operation, Authentication, Protocol|
+|RequestsTraffic|Yes|Requests Traffic|Percent|Count|Number of Requests Made|Operation, Authentication, Protocol, StatusCode, StatusCodeClass|
++ ## Microsoft.Cache/redis |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
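Review bot: the `RequestsTraffic` row has unit `Percent`, but its description is `Number of Requests Made` and its aggregation is `Count`; one of these is wrong, and if the metric is a request count the unit should be `Count`. Also, `RequestLatency` is aggregated as `Total`, which is unusual for a latency metric (the other latency rows in this file use `Average`); please confirm that is the intended default aggregation.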
@@ -466,6 +577,31 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|usedmemoryRss9|Yes|Used Memory RSS (Shard 9)|Bytes|Maximum||No Dimensions|
+## Microsoft.Cache/redisEnterprise
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|cachehits|Yes|Cache Hits|Count|Total||No Dimensions|
+|cacheLatency|Yes|Cache Latency Microseconds (Preview)|Count|Average||InstanceId|
+|cachemisses|Yes|Cache Misses|Count|Total||InstanceId|
+|cacheRead|Yes|Cache Read|BytesPerSecond|Maximum||InstanceId|
+|cacheWrite|Yes|Cache Write|BytesPerSecond|Maximum||InstanceId|
+|connectedclients|Yes|Connected Clients|Count|Maximum||InstanceId|
+|errors|Yes|Errors|Count|Maximum||InstanceId, ErrorType|
+|evictedkeys|Yes|Evicted Keys|Count|Total||No Dimensions|
+|expiredkeys|Yes|Expired Keys|Count|Total||No Dimensions|
+|getcommands|Yes|Gets|Count|Total||No Dimensions|
+|operationsPerSecond|Yes|Operations Per Second|Count|Maximum||No Dimensions|
+|percentProcessorTime|Yes|CPU|Percent|Maximum||InstanceId|
+|serverLoad|Yes|Server Load|Percent|Maximum||No Dimensions|
+|setcommands|Yes|Sets|Count|Total||No Dimensions|
+|totalcommandsprocessed|Yes|Total Operations|Count|Total||No Dimensions|
+|totalkeys|Yes|Total Keys|Count|Maximum||No Dimensions|
+|usedmemory|Yes|Used Memory|Bytes|Maximum||No Dimensions|
+|usedmemorypercentage|Yes|Used Memory Percentage|Percent|Maximum||InstanceId|
+|usedmemoryRss|Yes|Used Memory RSS|Bytes|Maximum||InstanceId|
++ ## Microsoft.Cdn/cdnwebapplicationfirewallpolicies |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
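Review bot: `cacheLatency` is labelled `Cache Latency Microseconds (Preview)` but carries unit `Count`; if the value is microseconds, the unit column should say so. Every row in the new `Microsoft.Cache/redisEnterprise` table also has an empty Description cell, and the dimensions differ between near-identical metrics (`cachehits` has `No Dimensions` while `cachemisses` has `InstanceId`), which readers will take for an error; please either add descriptions or confirm the dimension split is deliberate.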
@@ -473,6 +609,23 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|WebApplicationFirewallRequestCount|Yes|Web Application Firewall Request Count|Count|Total|The number of client requests processed by the Web Application Firewall|PolicyName, RuleName, Action|
+## Microsoft.Cdn/profiles
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ByteHitRatio|Yes|Byte Hit Ratio|Percent|Average|This is the ratio of the total bytes served from the cache compared to the total response bytes|Endpoint|
+|OriginHealthPercentage|Yes|Origin Health Percentage|Percent|Average|The percentage of successful health probes from AFDX to backends.|Origin, OriginPool|
+|OriginLatency|Yes|Origin Latency|MilliSeconds|Average|The time calculated from when the request was sent by AFDX edge to the backend until AFDX received the last response byte from the backend.|Origin, Endpoint|
+|OriginRequestCount|Yes|Origin Request Count|Count|Total|The number of requests sent from AFDX to origin.|HttpStatus, HttpStatusGroup, Origin, Endpoint|
+|Percentage4XX|Yes|Percentage of 4XX|Percent|Average|The percentage of all the client requests for which the response status code is 4XX|Endpoint, ClientRegion, ClientCountry|
+|Percentage5XX|Yes|Percentage of 5XX|Percent|Average|The percentage of all the client requests for which the response status code is 5XX|Endpoint, ClientRegion, ClientCountry|
+|RequestCount|Yes|Request Count|Count|Total|The number of client requests served by the HTTP/S proxy|HttpStatus, HttpStatusGroup, ClientRegion, ClientCountry, Endpoint|
+|RequestSize|Yes|Request Size|Bytes|Total|The number of bytes sent as requests from clients to AFDX.|HttpStatus, HttpStatusGroup, ClientRegion, ClientCountry, Endpoint|
+|ResponseSize|Yes|Response Size|Bytes|Total|The number of bytes sent as responses from HTTP/S proxy to clients|HttpStatus, HttpStatusGroup, ClientRegion, ClientCountry, Endpoint|
+|TotalLatency|Yes|Total Latency|MilliSeconds|Average|The time calculated from when the client request was received by the HTTP/S proxy until the client acknowledged the last response byte from the HTTP/S proxy|HttpStatus, HttpStatusGroup, ClientRegion, ClientCountry, Endpoint|
+|WebApplicationFirewallRequestCount|Yes|Web Application Firewall Request Count|Count|Total|The number of client requests processed by the Web Application Firewall|PolicyName, RuleName, Action|
++ ## Microsoft.ClassicCompute/domainNames/slots/roles |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
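Review bot: the abbreviation `AFDX` used in the `OriginHealthPercentage`, `OriginLatency`, `OriginRequestCount` and `RequestSize` rows is never expanded in this table; spell it out once (or use the product name) so the rows are understandable on their own. Minor: the unit is written `MilliSeconds` here but `Milliseconds` in the `microsoft.botservice/botservices` table added earlier in this change, and the descriptions mix trailing periods with none.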
@@ -587,7 +740,11 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|DataIn|Yes|Data In|Bytes|Total|Size of incoming data in bytes.|ApiName, OperationName, Region| |DataOut|Yes|Data Out|Bytes|Total|Size of outgoing data in bytes.|ApiName, OperationName, Region| |Latency|Yes|Latency|MilliSeconds|Average|Latency in milliseconds.|ApiName, OperationName, Region|
-|ProcessedImages|Yes|Processed Images|Count|Total|Number of Transactions for image processing.|ApiName, FeatureName, UsageChannel, Region|
+|LearnedEvents|Yes|Learned Events|Count|Total|Number of Learned Events.|IsMatchBaseline, Mode, RunId|
+|MatchedRewards|Yes|Matched Rewards|Count|Total| Number of Matched Rewards.|IsMatchBaseline, Mode, RunId|
+|ObservedRewards|Yes|Observed Rewards|Count|Total|Number of Observed Rewards.|IsMatchBaseline, Mode, RunId|
+|ProcessedCharacters|Yes|Processed Characters|Count|Total|Number of Characters.|ApiName, FeatureName, UsageChannel, Region|
+|ProcessedTextRecords|Yes|Processed Text Records|Count|Total|Count of Text Records.|ApiName, FeatureName, UsageChannel, Region|
|ServerErrors|Yes|Server Errors|Count|Total|Number of calls with service internal error (HTTP response code 5xx).|ApiName, OperationName, Region| |SpeechSessionDuration|Yes|Speech Session Duration|Seconds|Total|Total duration of speech session in seconds.|ApiName, OperationName, Region| |SuccessfulCalls|Yes|Successful Calls|Count|Total|Number of successful calls.|ApiName, OperationName, Region|
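Review bot: the `ProcessedImages` row is deleted outright while the surrounding rows are only added; if the metric is retired, keeping the row with a `(Deprecated)` marker for a while would tell readers with existing alerts on that name what happened instead of leaving them guessing. Also, the `MatchedRewards` description cell begins with a stray leading space (`| Number of Matched Rewards.`).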
@@ -597,30 +754,66 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|TotalTransactions|Yes|Total Transactions|Count|Total|Total number of transactions.|No Dimensions|
+## Microsoft.Communication/CommunicationServices
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|APIRequestAuthentication|No|Authentication API Requests|Count|Count|Count of all requests against the Communication Services Authentication endpoint.|Operation, StatusCode, StatusCodeClass|
+|APIRequestChat|Yes|Chat API Requests|Count|Count|Count of all requests against the Communication Services Chat endpoint.|Operation, StatusCode, StatusCodeClass|
+|APIRequestSMS|Yes|SMS API Requests|Count|Count|Count of all requests against the Communication Services SMS endpoint.|Operation, StatusCode, StatusCodeClass|
++ ## Microsoft.Compute/cloudServices |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|Disk Read Bytes|Yes|Disk Read Bytes|Bytes|Total|Bytes read from disk during monitoring period|RoleInstanceId|
-|Disk Read Operations/Sec|Yes|Disk Read Operations/Sec|CountPerSecond|Average|Disk Read IOPS|RoleInstanceId|
-|Disk Write Bytes|Yes|Disk Write Bytes|Bytes|Total|Bytes written to disk during monitoring period|RoleInstanceId|
-|Disk Write Operations/Sec|Yes|Disk Write Operations/Sec|CountPerSecond|Average|Disk Write IOPS|RoleInstanceId|
-|Percentage CPU|Yes|Percentage CPU|Percent|Average|The percentage of allocated compute units that are currently in use by the Virtual Machine(s)|RoleInstanceId|
+|Disk Read Bytes|Yes|Disk Read Bytes|Bytes|Total|Bytes read from disk during monitoring period|RoleInstanceId, RoleId|
+|Disk Read Operations/Sec|Yes|Disk Read Operations/Sec|CountPerSecond|Average|Disk Read IOPS|RoleInstanceId, RoleId|
+|Disk Write Bytes|Yes|Disk Write Bytes|Bytes|Total|Bytes written to disk during monitoring period|RoleInstanceId, RoleId|
+|Disk Write Operations/Sec|Yes|Disk Write Operations/Sec|CountPerSecond|Average|Disk Write IOPS|RoleInstanceId, RoleId|
+|Percentage CPU|Yes|Percentage CPU|Percent|Average|The percentage of allocated compute units that are currently in use by the Virtual Machine(s)|RoleInstanceId, RoleId|
++
+## Microsoft.Compute/cloudServices/roles
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|Disk Read Bytes|Yes|Disk Read Bytes|Bytes|Total|Bytes read from disk during monitoring period|RoleInstanceId, RoleId|
+|Disk Read Operations/Sec|Yes|Disk Read Operations/Sec|CountPerSecond|Average|Disk Read IOPS|RoleInstanceId, RoleId|
+|Disk Write Bytes|Yes|Disk Write Bytes|Bytes|Total|Bytes written to disk during monitoring period|RoleInstanceId, RoleId|
+|Disk Write Operations/Sec|Yes|Disk Write Operations/Sec|CountPerSecond|Average|Disk Write IOPS|RoleInstanceId, RoleId|
+|Percentage CPU|Yes|Percentage CPU|Percent|Average|The percentage of allocated compute units that are currently in use by the Virtual Machine(s)|RoleInstanceId, RoleId|
++
+## microsoft.compute/disks
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|Composite Disk Read Bytes/sec|No|Disk Read Bytes/sec(Preview)|Bytes|Average|Bytes/sec read from disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
+|Composite Disk Read Operations/sec|No|Disk Read Operations/sec(Preview)|Bytes|Average|Number of read IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
+|Composite Disk Write Bytes/sec|No|Disk Write Bytes/sec(Preview)|Bytes|Average|Bytes/sec written to disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
+|Composite Disk Write Operations/sec|No|Disk Write Operations/sec(Preview)|Bytes|Average|Number of Write IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
## Microsoft.Compute/virtualMachines |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|CPU Credits Consumed|Yes|CPU Credits Consumed|Count|Average|Total number of credits consumed by the Virtual Machine. Only available on [B-series burstable VMs](../../virtual-machines/sizes-b-series-burstable.md). See |No Dimensions|
-|CPU Credits Remaining|Yes|CPU Credits Remaining|Count|Average|Total number of credits available to burst. Only available on [B-series burstable VMs](../../virtual-machines/sizes-b-series-burstable.md).|No Dimensions|
+|CPU Credits Consumed|Yes|CPU Credits Consumed|Count|Average|Total number of credits consumed by the Virtual Machine|No Dimensions|
+|CPU Credits Remaining|Yes|CPU Credits Remaining|Count|Average|Total number of credits available to burst|No Dimensions|
|Data Disk Bandwidth Consumed Percentage|Yes|Data Disk Bandwidth Consumed Percentage|Percent|Average|Percentage of data disk bandwidth consumed per minute|LUN| |Data Disk IOPS Consumed Percentage|Yes|Data Disk IOPS Consumed Percentage|Percent|Average|Percentage of data disk I/Os consumed per minute|LUN|
-|Data Disk Queue Depth|Yes|Data Disk Queue Depth (Preview)|Count|Average|Data Disk Queue Depth(or Queue Length)|LUN|
-|Data Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|LUN|
-|Data Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec (Preview)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|LUN|
-|Data Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|LUN|
-|Data Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec (Preview)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|LUN|
+|Data Disk Max Burst Bandwidth|Yes|Data Disk Max Burst Bandwidth|Count|Average|Maximum bytes per second throughput Data Disk can achieve with bursting|LUN|
+|Data Disk Max Burst IOPS|Yes|Data Disk Max Burst IOPS|Count|Average|Maximum IOPS Data Disk can achieve with bursting|LUN|
+|Data Disk Queue Depth|Yes|Data Disk Queue Depth|Count|Average|Data Disk Queue Depth(or Queue Length)|LUN|
+|Data Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec|BytesPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|LUN|
+|Data Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|LUN|
+|Data Disk Target Bandwidth|Yes|Data Disk Target Bandwidth|Count|Average|Baseline bytes per second throughput Data Disk can achieve without bursting|LUN|
+|Data Disk Target IOPS|Yes|Data Disk Target IOPS|Count|Average|Baseline IOPS Data Disk can achieve without bursting|LUN|
+|Data Disk Used Burst BPS Credits Percentage|Yes|Data Disk Used Burst BPS Credits Percentage|Percent|Average|Percentage of Data Disk burst bandwidth credits used so far|LUN|
+|Data Disk Used Burst IO Credits Percentage|Yes|Data Disk Used Burst IO Credits Percentage|Percent|Average|Percentage of Data Disk burst I/O credits used so far|LUN|
+|Data Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec|BytesPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|LUN|
+|Data Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|LUN|
|Disk Read Bytes|Yes|Disk Read Bytes|Bytes|Total|Bytes read from disk during monitoring period|No Dimensions| |Disk Read Operations/Sec|Yes|Disk Read Operations/Sec|CountPerSecond|Average|Disk Read IOPS|No Dimensions| |Disk Write Bytes|Yes|Disk Write Bytes|Bytes|Total|Bytes written to disk during monitoring period|No Dimensions|
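Review bot: in the new `microsoft.compute/disks` table, `Composite Disk Read Operations/sec` and `Composite Disk Write Operations/sec` are given unit `Bytes` although their descriptions say they count IOs; `CountPerSecond`, as used for `Disk Read Operations/Sec` elsewhere in this file, is the matching unit. In the same hunk, `Data Disk Max Burst Bandwidth` and `Data Disk Target Bandwidth` are described as bytes per second but carry unit `Count`, and the rewrite of the `CPU Credits Consumed`/`CPU Credits Remaining` rows drops the note (and link) saying they are only available on B-series burstable VMs; please keep that qualifier, since it explains why the metric is empty on other sizes. Separately, `APIRequestAuthentication` is the only `Microsoft.Communication/CommunicationServices` metric marked not exportable via Diagnostic Settings; confirm that is intended rather than a typo.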
@@ -633,28 +826,24 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Network Out Total|Yes|Network Out Total|Bytes|Total|The number of bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic)|No Dimensions| |OS Disk Bandwidth Consumed Percentage|Yes|OS Disk Bandwidth Consumed Percentage|Percent|Average|Percentage of operating system disk bandwidth consumed per minute|LUN| |OS Disk IOPS Consumed Percentage|Yes|OS Disk IOPS Consumed Percentage|Percent|Average|Percentage of operating system disk I/Os consumed per minute|LUN|
-|OS Disk Queue Depth|Yes|OS Disk Queue Depth (Preview)|Count|Average|OS Disk Queue Depth(or Queue Length)|No Dimensions|
-|OS Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec (Preview)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|No Dimensions|
-|OS Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec (Preview)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk QD|Yes|OS Disk QD (Deprecated)|Count|Average|OS Disk Queue Depth(or Queue Length)|No Dimensions|
-|OS Per Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec (Deprecated)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec (Deprecated)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Max Burst Bandwidth|Yes|OS Disk Max Burst Bandwidth|Count|Average|Maximum bytes per second throughput OS Disk can achieve with bursting|LUN|
+|OS Disk Max Burst IOPS|Yes|OS Disk Max Burst IOPS|Count|Average|Maximum IOPS OS Disk can achieve with bursting|LUN|
+|OS Disk Queue Depth|Yes|OS Disk Queue Depth|Count|Average|OS Disk Queue Depth(or Queue Length)|No Dimensions|
+|OS Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec|BytesPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Target Bandwidth|Yes|OS Disk Target Bandwidth|Count|Average|Baseline bytes per second throughput OS Disk can achieve without bursting|LUN|
+|OS Disk Target IOPS|Yes|OS Disk Target IOPS|Count|Average|Baseline IOPS OS Disk can achieve without bursting|LUN|
+|OS Disk Used Burst BPS Credits Percentage|Yes|OS Disk Used Burst BPS Credits Percentage|Percent|Average|Percentage of OS Disk burst bandwidth credits used so far|LUN|
+|OS Disk Used Burst IO Credits Percentage|Yes|OS Disk Used Burst IO Credits Percentage|Percent|Average|Percentage of OS Disk burst I/O credits used so far|LUN|
+|OS Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec|BytesPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|No Dimensions|
|Outbound Flows|Yes|Outbound Flows|Count|Average|Outbound Flows are number of current flows in the outbound direction (traffic going out of the VM)|No Dimensions| |Outbound Flows Maximum Creation Rate|Yes|Outbound Flows Maximum Creation Rate|CountPerSecond|Average|The maximum creation rate of outbound flows (traffic going out of the VM)|No Dimensions|
-|Per Disk QD|Yes|Data Disk QD (Deprecated)|Count|Average|Data Disk Queue Depth(or Queue Length)|SlotId|
-|Per Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|SlotId|
-|Per Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec (Deprecated)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|SlotId|
-|Per Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|SlotId|
-|Per Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec (Deprecated)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|SlotId|
|Percentage CPU|Yes|Percentage CPU|Percent|Average|The percentage of allocated compute units that are currently in use by the Virtual Machine(s)|No Dimensions|
-|Premium Data Disk Cache Read Hit|Yes|Premium Data Disk Cache Read Hit (Preview)|Percent|Average|Premium Data Disk Cache Read Hit|LUN|
-|Premium Data Disk Cache Read Miss|Yes|Premium Data Disk Cache Read Miss (Preview)|Percent|Average|Premium Data Disk Cache Read Miss|LUN|
-|Premium OS Disk Cache Read Hit|Yes|Premium OS Disk Cache Read Hit (Preview)|Percent|Average|Premium OS Disk Cache Read Hit|No Dimensions|
-|Premium OS Disk Cache Read Miss|Yes|Premium OS Disk Cache Read Miss (Preview)|Percent|Average|Premium OS Disk Cache Read Miss|No Dimensions|
+|Premium Data Disk Cache Read Hit|Yes|Premium Data Disk Cache Read Hit|Percent|Average|Premium Data Disk Cache Read Hit|LUN|
+|Premium Data Disk Cache Read Miss|Yes|Premium Data Disk Cache Read Miss|Percent|Average|Premium Data Disk Cache Read Miss|LUN|
+|Premium OS Disk Cache Read Hit|Yes|Premium OS Disk Cache Read Hit|Percent|Average|Premium OS Disk Cache Read Hit|No Dimensions|
+|Premium OS Disk Cache Read Miss|Yes|Premium OS Disk Cache Read Miss|Percent|Average|Premium OS Disk Cache Read Miss|No Dimensions|
|VM Cached Bandwidth Consumed Percentage|Yes|VM Cached Bandwidth Consumed Percentage|Percent|Average|Percentage of cached disk bandwidth consumed by the VM|No Dimensions| |VM Cached IOPS Consumed Percentage|Yes|VM Cached IOPS Consumed Percentage|Percent|Average|Percentage of cached disk IOPS consumed by the VM|No Dimensions| |VM Uncached Bandwidth Consumed Percentage|Yes|VM Uncached Bandwidth Consumed Percentage|Percent|Average|Percentage of uncached disk bandwidth consumed by the VM|No Dimensions|
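Review bot: the six new OS-disk burst rows (`OS Disk Max Burst Bandwidth`, `OS Disk Max Burst IOPS`, `OS Disk Target Bandwidth`, `OS Disk Target IOPS`, `OS Disk Used Burst BPS Credits Percentage`, `OS Disk Used Burst IO Credits Percentage`) list `LUN` as a dimension, while every other OS-disk row in this table has `No Dimensions`; a VM has one OS disk, so either the dimension is wrong or the reason it exists should be stated. The two bandwidth rows also use unit `Count` for a bytes-per-second value. The `(Deprecated)` `OS Per Disk *` and `Per Disk *` rows are removed rather than kept as deprecated, so readers with alerts on those names lose the pointer to their replacements.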
@@ -665,13 +854,21 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|CPU Credits Consumed|Yes|CPU Credits Consumed|Count|Average|Total number of credits consumed by the Virtual Machine. Only available on [B-series burstable VMs](../../virtual-machines/sizes-b-series-burstable.md).|No Dimensions|
-|CPU Credits Remaining|Yes|CPU Credits Remaining|Count|Average|Total number of credits available to burst. Only available on [B-series burstable VMs](../../virtual-machines/sizes-b-series-burstable.md).|No Dimensions|
-|Data Disk Queue Depth|Yes|Data Disk Queue Depth (Preview)|Count|Average|Data Disk Queue Depth(or Queue Length)|LUN, VMName|
-|Data Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|LUN, VMName|
-|Data Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec (Preview)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|LUN, VMName|
-|Data Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|LUN, VMName|
-|Data Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec (Preview)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|LUN, VMName|
+|CPU Credits Consumed|Yes|CPU Credits Consumed|Count|Average|Total number of credits consumed by the Virtual Machine|No Dimensions|
+|CPU Credits Remaining|Yes|CPU Credits Remaining|Count|Average|Total number of credits available to burst|No Dimensions|
+|Data Disk Bandwidth Consumed Percentage|Yes|Data Disk Bandwidth Consumed Percentage|Percent|Average|Percentage of data disk bandwidth consumed per minute|LUN, VMName|
+|Data Disk IOPS Consumed Percentage|Yes|Data Disk IOPS Consumed Percentage|Percent|Average|Percentage of data disk I/Os consumed per minute|LUN, VMName|
+|Data Disk Max Burst Bandwidth|Yes|Data Disk Max Burst Bandwidth|Count|Average|Maximum bytes per second throughput Data Disk can achieve with bursting|LUN, VMName|
+|Data Disk Max Burst IOPS|Yes|Data Disk Max Burst IOPS|Count|Average|Maximum IOPS Data Disk can achieve with bursting|LUN, VMName|
+|Data Disk Queue Depth|Yes|Data Disk Queue Depth|Count|Average|Data Disk Queue Depth(or Queue Length)|LUN, VMName|
+|Data Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec|BytesPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|LUN, VMName|
+|Data Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|LUN, VMName|
+|Data Disk Target Bandwidth|Yes|Data Disk Target Bandwidth|Count|Average|Baseline bytes per second throughput Data Disk can achieve without bursting|LUN, VMName|
+|Data Disk Target IOPS|Yes|Data Disk Target IOPS|Count|Average|Baseline IOPS Data Disk can achieve without bursting|LUN, VMName|
+|Data Disk Used Burst BPS Credits Percentage|Yes|Data Disk Used Burst BPS Credits Percentage|Percent|Average|Percentage of Data Disk burst bandwidth credits used so far|LUN, VMName|
+|Data Disk Used Burst IO Credits Percentage|Yes|Data Disk Used Burst IO Credits Percentage|Percent|Average|Percentage of Data Disk burst I/O credits used so far|LUN, VMName|
+|Data Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec|BytesPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|LUN, VMName|
+|Data Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|LUN, VMName|
|Disk Read Bytes|Yes|Disk Read Bytes|Bytes|Total|Bytes read from disk during monitoring period|VMName| |Disk Read Operations/Sec|Yes|Disk Read Operations/Sec|CountPerSecond|Average|Disk Read IOPS|VMName| |Disk Write Bytes|Yes|Disk Write Bytes|Bytes|Total|Bytes written to disk during monitoring period|VMName|
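Review bot: the two new bandwidth rows, Data Disk Max Burst Bandwidth and Data Disk Target Bandwidth, carry Unit `Count` even though their own descriptions say "bytes per second throughput"; this same hunk corrects Data Disk Read Bytes/Sec and Data Disk Write Bytes/Sec from `CountPerSecond` to `BytesPerSecond`, so the new rows should use `BytesPerSecond` as well. Separately, the rewritten CPU Credits Consumed and CPU Credits Remaining rows drop the qualifier "Only available on [B-series burstable VMs](../../virtual-machines/sizes-b-series-burstable.md)"; unless those counters are now emitted for every VM size, keep that sentence and its link, since it is the only thing that tells a reader why the metric is empty on other sizes.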
@@ -682,28 +879,30 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Network In Total|Yes|Network In Total|Bytes|Total|The number of bytes received on all network interfaces by the Virtual Machine(s) (Incoming Traffic)|VMName| |Network Out|Yes|Network Out Billable (Deprecated)|Bytes|Total|The number of billable bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic) (Deprecated)|VMName| |Network Out Total|Yes|Network Out Total|Bytes|Total|The number of bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic)|VMName|
-|OS Disk Queue Depth|Yes|OS Disk Queue Depth (Preview)|Count|Average|OS Disk Queue Depth(or Queue Length)|VMName|
-|OS Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|VMName|
-|OS Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec (Preview)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|VMName|
-|OS Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|VMName|
-|OS Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec (Preview)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|VMName|
-|OS Per Disk QD|Yes|OS Disk QD (Deprecated)|Count|Average|OS Disk Queue Depth(or Queue Length)|No Dimensions|
-|OS Per Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec (Deprecated)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec (Deprecated)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Bandwidth Consumed Percentage|Yes|OS Disk Bandwidth Consumed Percentage|Percent|Average|Percentage of operating system disk bandwidth consumed per minute|LUN, VMName|
+|OS Disk IOPS Consumed Percentage|Yes|OS Disk IOPS Consumed Percentage|Percent|Average|Percentage of operating system disk I/Os consumed per minute|LUN, VMName|
+|OS Disk Max Burst Bandwidth|Yes|OS Disk Max Burst Bandwidth|Count|Average|Maximum bytes per second throughput OS Disk can achieve with bursting|LUN, VMName|
+|OS Disk Max Burst IOPS|Yes|OS Disk Max Burst IOPS|Count|Average|Maximum IOPS OS Disk can achieve with bursting|LUN, VMName|
+|OS Disk Queue Depth|Yes|OS Disk Queue Depth|Count|Average|OS Disk Queue Depth(or Queue Length)|VMName|
+|OS Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec|BytesPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|VMName|
+|OS Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|VMName|
+|OS Disk Target Bandwidth|Yes|OS Disk Target Bandwidth|Count|Average|Baseline bytes per second throughput OS Disk can achieve without bursting|LUN, VMName|
+|OS Disk Target IOPS|Yes|OS Disk Target IOPS|Count|Average|Baseline IOPS OS Disk can achieve without bursting|LUN, VMName|
+|OS Disk Used Burst BPS Credits Percentage|Yes|OS Disk Used Burst BPS Credits Percentage|Percent|Average|Percentage of OS Disk burst bandwidth credits used so far|LUN, VMName|
+|OS Disk Used Burst IO Credits Percentage|Yes|OS Disk Used Burst IO Credits Percentage|Percent|Average|Percentage of OS Disk burst I/O credits used so far|LUN, VMName|
+|OS Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec|BytesPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|VMName|
+|OS Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|VMName|
|Outbound Flows|Yes|Outbound Flows|Count|Average|Outbound Flows are number of current flows in the outbound direction (traffic going out of the VM)|VMName| |Outbound Flows Maximum Creation Rate|Yes|Outbound Flows Maximum Creation Rate|CountPerSecond|Average|The maximum creation rate of outbound flows (traffic going out of the VM)|VMName|
-|Per Disk QD|Yes|Data Disk QD (Deprecated)|Count|Average|Data Disk Queue Depth(or Queue Length)|SlotId|
-|Per Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|SlotId|
-|Per Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec (Deprecated)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|SlotId|
-|Per Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|SlotId|
-|Per Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec (Deprecated)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|SlotId|
|Percentage CPU|Yes|Percentage CPU|Percent|Average|The percentage of allocated compute units that are currently in use by the Virtual Machine(s)|VMName|
-|Premium Data Disk Cache Read Hit|Yes|Premium Data Disk Cache Read Hit (Preview)|Percent|Average|Premium Data Disk Cache Read Hit|LUN, VMName|
-|Premium Data Disk Cache Read Miss|Yes|Premium Data Disk Cache Read Miss (Preview)|Percent|Average|Premium Data Disk Cache Read Miss|LUN, VMName|
-|Premium OS Disk Cache Read Hit|Yes|Premium OS Disk Cache Read Hit (Preview)|Percent|Average|Premium OS Disk Cache Read Hit|VMName|
-|Premium OS Disk Cache Read Miss|Yes|Premium OS Disk Cache Read Miss (Preview)|Percent|Average|Premium OS Disk Cache Read Miss|VMName|
+|Premium Data Disk Cache Read Hit|Yes|Premium Data Disk Cache Read Hit|Percent|Average|Premium Data Disk Cache Read Hit|LUN, VMName|
+|Premium Data Disk Cache Read Miss|Yes|Premium Data Disk Cache Read Miss|Percent|Average|Premium Data Disk Cache Read Miss|LUN, VMName|
+|Premium OS Disk Cache Read Hit|Yes|Premium OS Disk Cache Read Hit|Percent|Average|Premium OS Disk Cache Read Hit|VMName|
+|Premium OS Disk Cache Read Miss|Yes|Premium OS Disk Cache Read Miss|Percent|Average|Premium OS Disk Cache Read Miss|VMName|
+|VM Cached Bandwidth Consumed Percentage|Yes|VM Cached Bandwidth Consumed Percentage|Percent|Average|Percentage of cached disk bandwidth consumed by the VM|VMName|
+|VM Cached IOPS Consumed Percentage|Yes|VM Cached IOPS Consumed Percentage|Percent|Average|Percentage of cached disk IOPS consumed by the VM|VMName|
+|VM Uncached Bandwidth Consumed Percentage|Yes|VM Uncached Bandwidth Consumed Percentage|Percent|Average|Percentage of uncached disk bandwidth consumed by the VM|VMName|
+|VM Uncached IOPS Consumed Percentage|Yes|VM Uncached IOPS Consumed Percentage|Percent|Average|Percentage of uncached disk IOPS consumed by the VM|VMName|
## Microsoft.Compute/virtualMachineScaleSets/virtualMachines
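Review bot: the eight new OS Disk rows (Bandwidth Consumed Percentage, IOPS Consumed Percentage, Max Burst Bandwidth, Max Burst IOPS, Target Bandwidth, Target IOPS, Used Burst BPS Credits Percentage, Used Burst IO Credits Percentage) list Dimensions `LUN, VMName`, while every other OS Disk row in this table, including the ones re-added in this hunk (Queue Depth, Read/Write Bytes/Sec, Read/Write Operations/Sec), lists `VMName` only; an OS disk is not addressed by LUN, so this looks like a copy from the data-disk rows. Please confirm against the emitted metric definitions and make the column consistent. OS Disk Max Burst Bandwidth and OS Disk Target Bandwidth also have Unit `Count` for a bytes-per-second quantity, the same problem as the data-disk rows in the previous hunk. Finally, the ten `(Deprecated)` rows (`OS Per Disk …` and the SlotId-keyed `Per Disk …`) are deleted outright; if the platform still emits them, the reference should keep listing them as deprecated rather than remove them.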
@@ -712,11 +911,19 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|||||||| |CPU Credits Consumed|Yes|CPU Credits Consumed|Count|Average|Total number of credits consumed by the Virtual Machine|No Dimensions| |CPU Credits Remaining|Yes|CPU Credits Remaining|Count|Average|Total number of credits available to burst|No Dimensions|
-|Data Disk Queue Depth|Yes|Data Disk Queue Depth (Preview)|Count|Average|Data Disk Queue Depth(or Queue Length)|LUN|
-|Data Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|LUN|
-|Data Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec (Preview)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|LUN|
-|Data Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|LUN|
-|Data Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec (Preview)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|LUN|
+|Data Disk Bandwidth Consumed Percentage|Yes|Data Disk Bandwidth Consumed Percentage|Percent|Average|Percentage of data disk bandwidth consumed per minute|LUN|
+|Data Disk IOPS Consumed Percentage|Yes|Data Disk IOPS Consumed Percentage|Percent|Average|Percentage of data disk I/Os consumed per minute|LUN|
+|Data Disk Max Burst Bandwidth|Yes|Data Disk Max Burst Bandwidth|Count|Average|Maximum bytes per second throughput Data Disk can achieve with bursting|LUN|
+|Data Disk Max Burst IOPS|Yes|Data Disk Max Burst IOPS|Count|Average|Maximum IOPS Data Disk can achieve with bursting|LUN|
+|Data Disk Queue Depth|Yes|Data Disk Queue Depth|Count|Average|Data Disk Queue Depth(or Queue Length)|LUN|
+|Data Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec|BytesPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|LUN|
+|Data Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|LUN|
+|Data Disk Target Bandwidth|Yes|Data Disk Target Bandwidth|Count|Average|Baseline bytes per second throughput Data Disk can achieve without bursting|LUN|
+|Data Disk Target IOPS|Yes|Data Disk Target IOPS|Count|Average|Baseline IOPS Data Disk can achieve without bursting|LUN|
+|Data Disk Used Burst BPS Credits Percentage|Yes|Data Disk Used Burst BPS Credits Percentage|Percent|Average|Percentage of Data Disk burst bandwidth credits used so far|LUN|
+|Data Disk Used Burst IO Credits Percentage|Yes|Data Disk Used Burst IO Credits Percentage|Percent|Average|Percentage of Data Disk burst I/O credits used so far|LUN|
+|Data Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec|BytesPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|LUN|
+|Data Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|LUN|
|Disk Read Bytes|Yes|Disk Read Bytes|Bytes|Total|Bytes read from disk during monitoring period|No Dimensions| |Disk Read Operations/Sec|Yes|Disk Read Operations/Sec|CountPerSecond|Average|Disk Read IOPS|No Dimensions| |Disk Write Bytes|Yes|Disk Write Bytes|Bytes|Total|Bytes written to disk during monitoring period|No Dimensions|
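Review bot: same unit issue as in the Microsoft.Compute/virtualMachines table: Data Disk Max Burst Bandwidth and Data Disk Target Bandwidth are bytes-per-second metrics by their own descriptions but carry Unit `Count`; use `BytesPerSecond`, matching the Data Disk Read Bytes/Sec and Data Disk Write Bytes/Sec rows corrected in this hunk.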
@@ -727,28 +934,30 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Network In Total|Yes|Network In Total|Bytes|Total|The number of bytes received on all network interfaces by the Virtual Machine(s) (Incoming Traffic)|No Dimensions| |Network Out|Yes|Network Out Billable (Deprecated)|Bytes|Total|The number of billable bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic) (Deprecated)|No Dimensions| |Network Out Total|Yes|Network Out Total|Bytes|Total|The number of bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic)|No Dimensions|
-|OS Disk Queue Depth|Yes|OS Disk Queue Depth (Preview)|Count|Average|OS Disk Queue Depth(or Queue Length)|No Dimensions|
-|OS Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec (Preview)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec (Preview)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|No Dimensions|
-|OS Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec (Preview)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk QD|Yes|OS Disk QD (Deprecated)|Count|Average|OS Disk Queue Depth(or Queue Length)|No Dimensions|
-|OS Per Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec (Deprecated)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|No Dimensions|
-|OS Per Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec (Deprecated)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Bandwidth Consumed Percentage|Yes|OS Disk Bandwidth Consumed Percentage|Percent|Average|Percentage of operating system disk bandwidth consumed per minute|LUN|
+|OS Disk IOPS Consumed Percentage|Yes|OS Disk IOPS Consumed Percentage|Percent|Average|Percentage of operating system disk I/Os consumed per minute|LUN|
+|OS Disk Max Burst Bandwidth|Yes|OS Disk Max Burst Bandwidth|Count|Average|Maximum bytes per second throughput OS Disk can achieve with bursting|LUN|
+|OS Disk Max Burst IOPS|Yes|OS Disk Max Burst IOPS|Count|Average|Maximum IOPS OS Disk can achieve with bursting|LUN|
+|OS Disk Queue Depth|Yes|OS Disk Queue Depth|Count|Average|OS Disk Queue Depth(or Queue Length)|No Dimensions|
+|OS Disk Read Bytes/sec|Yes|OS Disk Read Bytes/Sec|BytesPerSecond|Average|Bytes/Sec read from a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Read Operations/Sec|Yes|OS Disk Read Operations/Sec|CountPerSecond|Average|Read IOPS from a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Target Bandwidth|Yes|OS Disk Target Bandwidth|Count|Average|Baseline bytes per second throughput OS Disk can achieve without bursting|LUN|
+|OS Disk Target IOPS|Yes|OS Disk Target IOPS|Count|Average|Baseline IOPS OS Disk can achieve without bursting|LUN|
+|OS Disk Used Burst BPS Credits Percentage|Yes|OS Disk Used Burst BPS Credits Percentage|Percent|Average|Percentage of OS Disk burst bandwidth credits used so far|LUN|
+|OS Disk Used Burst IO Credits Percentage|Yes|OS Disk Used Burst IO Credits Percentage|Percent|Average|Percentage of OS Disk burst I/O credits used so far|LUN|
+|OS Disk Write Bytes/sec|Yes|OS Disk Write Bytes/Sec|BytesPerSecond|Average|Bytes/Sec written to a single disk during monitoring period for OS disk|No Dimensions|
+|OS Disk Write Operations/Sec|Yes|OS Disk Write Operations/Sec|CountPerSecond|Average|Write IOPS from a single disk during monitoring period for OS disk|No Dimensions|
|Outbound Flows|Yes|Outbound Flows|Count|Average|Outbound Flows are number of current flows in the outbound direction (traffic going out of the VM)|No Dimensions| |Outbound Flows Maximum Creation Rate|Yes|Outbound Flows Maximum Creation Rate|CountPerSecond|Average|The maximum creation rate of outbound flows (traffic going out of the VM)|No Dimensions|
-|Per Disk QD|Yes|Data Disk QD (Deprecated)|Count|Average|Data Disk Queue Depth(or Queue Length)|SlotId|
-|Per Disk Read Bytes/sec|Yes|Data Disk Read Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec read from a single disk during monitoring period|SlotId|
-|Per Disk Read Operations/Sec|Yes|Data Disk Read Operations/Sec (Deprecated)|CountPerSecond|Average|Read IOPS from a single disk during monitoring period|SlotId|
-|Per Disk Write Bytes/sec|Yes|Data Disk Write Bytes/Sec (Deprecated)|CountPerSecond|Average|Bytes/Sec written to a single disk during monitoring period|SlotId|
-|Per Disk Write Operations/Sec|Yes|Data Disk Write Operations/Sec (Deprecated)|CountPerSecond|Average|Write IOPS from a single disk during monitoring period|SlotId|
|Percentage CPU|Yes|Percentage CPU|Percent|Average|The percentage of allocated compute units that are currently in use by the Virtual Machine(s)|No Dimensions|
-|Premium Data Disk Cache Read Hit|Yes|Premium Data Disk Cache Read Hit (Preview)|Percent|Average|Premium Data Disk Cache Read Hit|LUN|
-|Premium Data Disk Cache Read Miss|Yes|Premium Data Disk Cache Read Miss (Preview)|Percent|Average|Premium Data Disk Cache Read Miss|LUN|
-|Premium OS Disk Cache Read Hit|Yes|Premium OS Disk Cache Read Hit (Preview)|Percent|Average|Premium OS Disk Cache Read Hit|No Dimensions|
-|Premium OS Disk Cache Read Miss|Yes|Premium OS Disk Cache Read Miss (Preview)|Percent|Average|Premium OS Disk Cache Read Miss|No Dimensions|
+|Premium Data Disk Cache Read Hit|Yes|Premium Data Disk Cache Read Hit|Percent|Average|Premium Data Disk Cache Read Hit|LUN|
+|Premium Data Disk Cache Read Miss|Yes|Premium Data Disk Cache Read Miss|Percent|Average|Premium Data Disk Cache Read Miss|LUN|
+|Premium OS Disk Cache Read Hit|Yes|Premium OS Disk Cache Read Hit|Percent|Average|Premium OS Disk Cache Read Hit|No Dimensions|
+|Premium OS Disk Cache Read Miss|Yes|Premium OS Disk Cache Read Miss|Percent|Average|Premium OS Disk Cache Read Miss|No Dimensions|
+|VM Cached Bandwidth Consumed Percentage|Yes|VM Cached Bandwidth Consumed Percentage|Percent|Average|Percentage of cached disk bandwidth consumed by the VM|No Dimensions|
+|VM Cached IOPS Consumed Percentage|Yes|VM Cached IOPS Consumed Percentage|Percent|Average|Percentage of cached disk IOPS consumed by the VM|No Dimensions|
+|VM Uncached Bandwidth Consumed Percentage|Yes|VM Uncached Bandwidth Consumed Percentage|Percent|Average|Percentage of uncached disk bandwidth consumed by the VM|No Dimensions|
+|VM Uncached IOPS Consumed Percentage|Yes|VM Uncached IOPS Consumed Percentage|Percent|Average|Percentage of uncached disk IOPS consumed by the VM|No Dimensions|
## Microsoft.ContainerInstance/containerGroups
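Review bot: the new OS Disk rows in the scale-set table carry Dimensions `LUN`, while the surrounding OS Disk rows (Queue Depth, Read/Write Bytes/Sec, Read/Write Operations/Sec) say `No Dimensions`; this mirrors the inconsistency in the Microsoft.Compute/virtualMachines table and needs the same resolution. Unit `Count` on OS Disk Max Burst Bandwidth and OS Disk Target Bandwidth should be `BytesPerSecond`, as their descriptions are in bytes per second.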
@@ -777,8 +986,9 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|kube_node_status_allocatable_cpu_cores|No|Total number of available cpu cores in a managed cluster|Count|Average|Total number of available cpu cores in a managed cluster|No Dimensions|
-|kube_node_status_allocatable_memory_bytes|No|Total amount of available memory in a managed cluster|Bytes|Average|Total amount of available memory in a managed cluster|No Dimensions|
+|apiserver_current_inflight_requests|No|Inflight Requests|Count|Average|Maximum number of currently used inflight requests on the apiserver per request kind in the last second|requestKind|
+|kube_node_status_allocatable_cpu_cores|No|Total number of available cpu cores in a managed cluster|Count|Average|Total number of available cpu cores in a managed cluster||
+|kube_node_status_allocatable_memory_bytes|No|Total amount of available memory in a managed cluster|Bytes|Average|Total amount of available memory in a managed cluster||
|kube_node_status_condition|No|Statuses for various node conditions|Count|Average|Statuses for various node conditions|condition, status, status2, node| |kube_pod_status_phase|No|Number of pods by phase|Count|Average|Number of pods by phase|phase, namespace, pod| |kube_pod_status_ready|No|Number of pods in Ready state|Count|Average|Number of pods in Ready state|namespace, pod, condition|
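Review bot: the rewritten `kube_node_status_allocatable_cpu_cores` and `kube_node_status_allocatable_memory_bytes` rows now end with an empty Dimensions cell (`||`) instead of `No Dimensions`, which is what every other row in this table and on this page uses; restore `No Dimensions` unless the empty cell is intentional. For the new `apiserver_current_inflight_requests` row, the description says "Maximum number of currently used inflight requests … in the last second" but the Aggregation Type is `Average`; either list the aggregation that matches the description or reword the description so it does not contradict the column.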
@@ -810,6 +1020,16 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|TotalCapacity|Yes|Total Capacity|Bytes|Average|Total Capacity|No Dimensions|
+## Microsoft.DataCollaboration/workspaces
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|DataAssetCount|Yes|Created Data Assets|Count|Maximum|Number of created data assets|DataAssetName|
+|PipelineCount|Yes|Created Pipelines|Count|Maximum|Number of created pipelines|PipelineName|
+|ProposalCount|Yes|Created Proposals|Count|Maximum|Number of created proposals|ProposalName|
+|ScriptCount|Yes|Created Scripts|Count|Maximum|Number of created scripts|ScriptName|
++ ## Microsoft.DataFactory/datafactories |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
@@ -834,14 +1054,36 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|MaxAllowedFactorySizeInGbUnits|Yes|Maximum allowed factory size (GB unit)|Count|Maximum||No Dimensions| |MaxAllowedResourceCount|Yes|Maximum allowed entities count|Count|Maximum||No Dimensions| |PipelineCancelledRuns|Yes|Cancelled pipeline runs metrics|Count|Total||FailureType, Name|
+|PipelineElapsedTimeRuns|Yes|Elapsed Time Pipeline Runs Metrics|Count|Total||RunId, Name|
|PipelineFailedRuns|Yes|Failed pipeline runs metrics|Count|Total||FailureType, Name| |PipelineSucceededRuns|Yes|Succeeded pipeline runs metrics|Count|Total||FailureType, Name| |ResourceCount|Yes|Total entities count|Count|Maximum||No Dimensions|
+|SSISIntegrationRuntimeStartCancel|Yes|Cancelled SSIS integration runtime start metrics|Count|Total||IntegrationRuntimeName|
+|SSISIntegrationRuntimeStartFailed|Yes|Failed SSIS integration runtime start metrics|Count|Total||IntegrationRuntimeName|
+|SSISIntegrationRuntimeStartSucceeded|Yes|Succeeded SSIS integration runtime start metrics|Count|Total||IntegrationRuntimeName|
+|SSISIntegrationRuntimeStopStuck|Yes|Stuck SSIS integration runtime stop metrics|Count|Total||IntegrationRuntimeName|
+|SSISIntegrationRuntimeStopSucceeded|Yes|Succeeded SSIS integration runtime stop metrics|Count|Total||IntegrationRuntimeName|
+|SSISPackageExecutionCancel|Yes|Cancelled SSIS package execution metrics|Count|Total||IntegrationRuntimeName|
+|SSISPackageExecutionFailed|Yes|Failed SSIS package execution metrics|Count|Total||IntegrationRuntimeName|
+|SSISPackageExecutionSucceeded|Yes|Succeeded SSIS package execution metrics|Count|Total||IntegrationRuntimeName|
|TriggerCancelledRuns|Yes|Cancelled trigger runs metrics|Count|Total||Name, FailureType| |TriggerFailedRuns|Yes|Failed trigger runs metrics|Count|Total||Name, FailureType| |TriggerSucceededRuns|Yes|Succeeded trigger runs metrics|Count|Total||Name, FailureType|
+## Microsoft.DataLakeAnalytics/accounts
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|JobAUEndedCancelled|Yes|Cancelled AU Time|Seconds|Total|Total AU time for cancelled jobs.|No Dimensions|
+|JobAUEndedFailure|Yes|Failed AU Time|Seconds|Total|Total AU time for failed jobs.|No Dimensions|
+|JobAUEndedSuccess|Yes|Successful AU Time|Seconds|Total|Total AU time for successful jobs.|No Dimensions|
+|JobEndedCancelled|Yes|Cancelled Jobs|Count|Total|Count of cancelled jobs.|No Dimensions|
+|JobEndedFailure|Yes|Failed Jobs|Count|Total|Count of failed jobs.|No Dimensions|
+|JobEndedSuccess|Yes|Successful Jobs|Count|Total|Count of successful jobs.|No Dimensions|
+|JobStage|Yes|Jobs in Stage|Count|Total|Number of jobs in each stage.|No Dimensions|
++ ## Microsoft.DataLakeStore/accounts |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
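Review bot: `PipelineElapsedTimeRuns` is given `RunId` as a dimension; a run ID is unique per pipeline run, so the dimension's value set grows with every run, unlike the low-cardinality `Name` and `FailureType` dimensions on the neighbouring rows. Say so in the row, or confirm that RunId is really exposed as a dimension. The PipelineElapsedTimeRuns row and the eight new SSIS rows leave the Description cell empty, so the display name is the only explanation ("Stuck SSIS integration runtime stop metrics" does not say when a stop counts as stuck); please fill the descriptions in. In the new Microsoft.DataLakeAnalytics/accounts table, `JobStage` is described as "Number of jobs in each stage" but has `No Dimensions`, so the stage cannot be distinguished; either add the stage dimension or describe the metric as a total across stages.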
@@ -853,6 +1095,18 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|WriteRequests|Yes|Write Requests|Count|Total|Count of data write requests to the account.|No Dimensions|
+## Microsoft.DataShare/accounts
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|FailedShareSubscriptionSynchronizations|Yes|Received Share Failed Snapshots|Count|Count|Number of received share failed snapshots in the account|No Dimensions|
+|FailedShareSynchronizations|Yes|Sent Share Failed Snapshots|Count|Count|Number of sent share failed snapshots in the account|No Dimensions|
+|ShareCount|Yes|Sent Shares|Count|Maximum|Number of sent shares in the account|ShareName|
+|ShareSubscriptionCount|Yes|Received Shares|Count|Maximum|Number of received shares in the account|ShareSubscriptionName|
+|SucceededShareSubscriptionSynchronizations|Yes|Received Share Succeeded Snapshots|Count|Count|Number of received share succeeded snapshots in the account|No Dimensions|
+|SucceededShareSynchronizations|Yes|Sent Share Succeeded Snapshots|Count|Count|Number of sent share succeeded snapshots in the account|No Dimensions|
++ ## Microsoft.DBforMariaDB/servers |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
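Review bot: the four synchronization rows (`FailedShareSubscriptionSynchronizations`, `FailedShareSynchronizations`, `SucceededShareSubscriptionSynchronizations`, `SucceededShareSynchronizations`) use Aggregation Type `Count`, whereas the other counters added in this change (the DataLakeAnalytics `JobEnded*` rows, the DataFactory `Pipeline*Runs` rows) use `Total`. `Count` in Azure Monitor is the number of samples in the bucket, not the sum of their values, while the descriptions promise "Number of … snapshots"; confirm `Count` is the intended aggregation for these metrics or change it to `Total`.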
@@ -866,7 +1120,7 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|network_bytes_egress|Yes|Network Out|Bytes|Total|Network Out across active connections|No Dimensions| |network_bytes_ingress|Yes|Network In|Bytes|Total|Network In across active connections|No Dimensions| |seconds_behind_master|Yes|Replication lag in seconds|Count|Maximum|Replication lag in seconds|No Dimensions|
-|serverlog_storage_limit|Yes|Server Log storage limit|Bytes|Average|Server Log storage limit|No Dimensions|
+|serverlog_storage_limit|Yes|Server Log storage limit|Bytes|Maximum|Server Log storage limit|No Dimensions|
|serverlog_storage_percent|Yes|Server Log storage percent|Percent|Average|Server Log storage percent|No Dimensions| |serverlog_storage_usage|Yes|Server Log storage used|Bytes|Average|Server Log storage used|No Dimensions| |storage_limit|Yes|Storage limit|Bytes|Maximum|Storage limit|No Dimensions|
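Review bot: changing `serverlog_storage_limit` from `Average` to `Maximum` is the right aggregation for a ceiling and matches the `storage_limit` row two lines below. The same row likely exists in the other Microsoft.DBfor* server tables (Microsoft.DBforMySQL/servers follows the next hunk); apply the same change there if it does.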
@@ -874,6 +1128,26 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|storage_used|Yes|Storage used|Bytes|Average|Storage used|No Dimensions|
+## Microsoft.DBforMySQL/flexibleServers
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|aborted_connections|Yes|Aborted Connections|Count|Total|Aborted Connections|No Dimensions|
+|active_connections|Yes|Active Connections|Count|Maximum|Active Connections|No Dimensions|
+|backup_storage_used|Yes|Backup Storage Used|Bytes|Maximum|Backup Storage Used|No Dimensions|
+|cpu_percent|Yes|Host CPU Percent|Percent|Maximum|Host CPU Percent|No Dimensions|
+|io_consumption_percent|Yes|IO Percent|Percent|Maximum|IO Percent|No Dimensions|
+|memory_percent|Yes|Host Memory Percent|Percent|Maximum|Host Memory Percent|No Dimensions|
+|network_bytes_egress|Yes|Host Network Out|Bytes|Total|Host Network egress in bytes|No Dimensions|
+|network_bytes_ingress|Yes|Host Network In|Bytes|Total|Host Network ingress in bytes|No Dimensions|
+|Queries|Yes|Queries|Count|Total|Queries|No Dimensions|
+|replication_lag|Yes|Replication Lag In Seconds|Seconds|Maximum|Replication lag in seconds|No Dimensions|
+|storage_limit|Yes|Storage Limit|Bytes|Maximum|Storage Limit|No Dimensions|
+|storage_percent|Yes|Storage Percent|Percent|Maximum|Storage Percent|No Dimensions|
+|storage_used|Yes|Storage Used|Bytes|Maximum|Storage Used|No Dimensions|
+|total_connections|Yes|Total Connections|Count|Total|Total Connections|No Dimensions|
++ ## Microsoft.DBforMySQL/servers |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
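Review bot: in the new Microsoft.DBforMySQL/flexibleServers table, `Queries` is the only metric name not in snake_case (`aborted_connections`, `cpu_percent`, `storage_used`, …); if that is the literal metric ID it has to stay, but please confirm, because a reader copying names into an alert rule will assume a typo. Every Description cell in this table just repeats the display name (`Queries|Queries`, `Host CPU Percent|Host CPU Percent`); `aborted_connections` versus `total_connections`, and `io_consumption_percent` in particular, need a sentence saying what is counted and against which limit the percentage is taken.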
@@ -958,6 +1232,88 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|storage_used|Yes|Storage used|Bytes|Average|Storage used|No Dimensions|
+## Microsoft.Devices/ElasticPools
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|elasticPool.requestedUsageRate|Yes|requested usage rate|Percent|Average|requested usage rate|No Dimensions|
++
+## Microsoft.Devices/ElasticPools/IotHubTenants
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|c2d.commands.egress.abandon.success|Yes|C2D messages abandoned|Count|Total|Number of cloud-to-device messages abandoned by the device|No Dimensions|
+|c2d.commands.egress.complete.success|Yes|C2D message deliveries completed|Count|Total|Number of cloud-to-device message deliveries completed successfully by the device|No Dimensions|
+|c2d.commands.egress.reject.success|Yes|C2D messages rejected|Count|Total|Number of cloud-to-device messages rejected by the device|No Dimensions|
+|c2d.methods.failure|Yes|Failed direct method invocations|Count|Total|The count of all failed direct method calls.|No Dimensions|
+|c2d.methods.requestSize|Yes|Request size of direct method invocations|Bytes|Average|The average, min, and max of all successful direct method requests.|No Dimensions|
+|c2d.methods.responseSize|Yes|Response size of direct method invocations|Bytes|Average|The average, min, and max of all successful direct method responses.|No Dimensions|
+|c2d.methods.success|Yes|Successful direct method invocations|Count|Total|The count of all successful direct method calls.|No Dimensions|
+|c2d.twin.read.failure|Yes|Failed twin reads from back end|Count|Total|The count of all failed back-end-initiated twin reads.|No Dimensions|
+|c2d.twin.read.size|Yes|Response size of twin reads from back end|Bytes|Average|The average, min, and max of all successful back-end-initiated twin reads.|No Dimensions|
+|c2d.twin.read.success|Yes|Successful twin reads from back end|Count|Total|The count of all successful back-end-initiated twin reads.|No Dimensions|
+|c2d.twin.update.failure|Yes|Failed twin updates from back end|Count|Total|The count of all failed back-end-initiated twin updates.|No Dimensions|
+|c2d.twin.update.size|Yes|Size of twin updates from back end|Bytes|Average|The average, min, and max size of all successful back-end-initiated twin updates.|No Dimensions|
+|c2d.twin.update.success|Yes|Successful twin updates from back end|Count|Total|The count of all successful back-end-initiated twin updates.|No Dimensions|
+|C2DMessagesExpired|Yes|C2D Messages Expired|Count|Total|Number of expired cloud-to-device messages|No Dimensions|
+|configurations|Yes|Configuration Metrics|Count|Total|Metrics for Configuration Operations|No Dimensions|
+|connectedDeviceCount|Yes|Connected devices|Count|Average|Number of devices connected to your IoT hub|No Dimensions|
+|d2c.endpoints.egress.builtIn.events|Yes|Routing: messages delivered to messages/events|Count|Total|The number of times IoT Hub routing successfully delivered messages to the built-in endpoint (messages/events).|No Dimensions|
+|d2c.endpoints.egress.eventHubs|Yes|Routing: messages delivered to Event Hub|Count|Total|The number of times IoT Hub routing successfully delivered messages to Event Hub endpoints.|No Dimensions|
+|d2c.endpoints.egress.serviceBusQueues|Yes|Routing: messages delivered to Service Bus Queue|Count|Total|The number of times IoT Hub routing successfully delivered messages to Service Bus queue endpoints.|No Dimensions|
+|d2c.endpoints.egress.serviceBusTopics|Yes|Routing: messages delivered to Service Bus Topic|Count|Total|The number of times IoT Hub routing successfully delivered messages to Service Bus topic endpoints.|No Dimensions|
+|d2c.endpoints.egress.storage|Yes|Routing: messages delivered to storage|Count|Total|The number of times IoT Hub routing successfully delivered messages to storage endpoints.|No Dimensions|
+|d2c.endpoints.egress.storage.blobs|Yes|Routing: blobs delivered to storage|Count|Total|The number of times IoT Hub routing delivered blobs to storage endpoints.|No Dimensions|
+|d2c.endpoints.egress.storage.bytes|Yes|Routing: data delivered to storage|Bytes|Total|The amount of data (bytes) IoT Hub routing delivered to storage endpoints.|No Dimensions|
+|d2c.endpoints.latency.builtIn.events|Yes|Routing: message latency for messages/events|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into the built-in endpoint (messages/events).|No Dimensions|
+|d2c.endpoints.latency.eventHubs|Yes|Routing: message latency for Event Hub|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and message ingress into an Event Hub endpoint.|No Dimensions|
+|d2c.endpoints.latency.serviceBusQueues|Yes|Routing: message latency for Service Bus Queue|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus queue endpoint.|No Dimensions|
+|d2c.endpoints.latency.serviceBusTopics|Yes|Routing: message latency for Service Bus Topic|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus topic endpoint.|No Dimensions|
+|d2c.endpoints.latency.storage|Yes|Routing: message latency for storage|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a storage endpoint.|No Dimensions|
+|d2c.telemetry.egress.dropped|Yes|Routing: telemetry messages dropped |Count|Total|The number of times messages were dropped by IoT Hub routing due to dead endpoints. This value does not count messages delivered to fallback route as dropped messages are not delivered there.|No Dimensions|
+|d2c.telemetry.egress.fallback|Yes|Routing: messages delivered to fallback|Count|Total|The number of times IoT Hub routing delivered messages to the endpoint associated with the fallback route.|No Dimensions|
+|d2c.telemetry.egress.invalid|Yes|Routing: telemetry messages incompatible|Count|Total|The number of times IoT Hub routing failed to deliver messages due to an incompatibility with the endpoint. This value does not include retries.|No Dimensions|
+|d2c.telemetry.egress.orphaned|Yes|Routing: telemetry messages orphaned |Count|Total|The number of times messages were orphaned by IoT Hub routing because they didn't match any routing rules (including the fallback rule). |No Dimensions|
+|d2c.telemetry.egress.success|Yes|Routing: telemetry messages delivered|Count|Total|The number of times messages were successfully delivered to all endpoints using IoT Hub routing. If a message is routed to multiple endpoints, this value increases by one for each successful delivery. If a message is delivered to the same endpoint multiple times, this value increases by one for each successful delivery.|No Dimensions|
+|d2c.telemetry.ingress.allProtocol|Yes|Telemetry message send attempts|Count|Total|Number of device-to-cloud telemetry messages attempted to be sent to your IoT hub|No Dimensions|
+|d2c.telemetry.ingress.sendThrottle|Yes|Number of throttling errors|Count|Total|Number of throttling errors due to device throughput throttles|No Dimensions|
+|d2c.telemetry.ingress.success|Yes|Telemetry messages sent|Count|Total|Number of device-to-cloud telemetry messages sent successfully to your IoT hub|No Dimensions|
+|d2c.twin.read.failure|Yes|Failed twin reads from devices|Count|Total|The count of all failed device-initiated twin reads.|No Dimensions|
+|d2c.twin.read.size|Yes|Response size of twin reads from devices|Bytes|Average|The average, min, and max of all successful device-initiated twin reads.|No Dimensions|
+|d2c.twin.read.success|Yes|Successful twin reads from devices|Count|Total|The count of all successful device-initiated twin reads.|No Dimensions|
+|d2c.twin.update.failure|Yes|Failed twin updates from devices|Count|Total|The count of all failed device-initiated twin updates.|No Dimensions|
+|d2c.twin.update.size|Yes|Size of twin updates from devices|Bytes|Average|The average, min, and max size of all successful device-initiated twin updates.|No Dimensions|
+|d2c.twin.update.success|Yes|Successful twin updates from devices|Count|Total|The count of all successful device-initiated twin updates.|No Dimensions|
+|dailyMessageQuotaUsed|Yes|Total number of messages used|Count|Maximum|Number of total messages used today|No Dimensions|
+|deviceDataUsage|Yes|Total device data usage|Bytes|Total|Bytes transferred to and from any devices connected to IotHub|No Dimensions|
+|deviceDataUsageV2|Yes|Total device data usage (preview)|Bytes|Total|Bytes transferred to and from any devices connected to IotHub|No Dimensions|
+|devices.connectedDevices.allProtocol|Yes|Connected devices (deprecated) |Count|Total|Number of devices connected to your IoT hub|No Dimensions|
+|devices.totalDevices|Yes|Total devices (deprecated)|Count|Total|Number of devices registered to your IoT hub|No Dimensions|
+|EventGridDeliveries|Yes|Event Grid deliveries|Count|Total|The number of IoT Hub events published to Event Grid. Use the Result dimension for the number of successful and failed requests. EventType dimension shows the type of event (https://aka.ms/ioteventgrid).|Result, EventType|
+|EventGridLatency|Yes|Event Grid latency|Milliseconds|Average|The average latency (milliseconds) from when the Iot Hub event was generated to when the event was published to Event Grid. This number is an average between all event types. Use the EventType dimension to see latency of a specific type of event.|EventType|
+|jobs.cancelJob.failure|Yes|Failed job cancellations|Count|Total|The count of all failed calls to cancel a job.|No Dimensions|
+|jobs.cancelJob.success|Yes|Successful job cancellations|Count|Total|The count of all successful calls to cancel a job.|No Dimensions|
+|jobs.completed|Yes|Completed jobs|Count|Total|The count of all completed jobs.|No Dimensions|
+|jobs.createDirectMethodJob.failure|Yes|Failed creations of method invocation jobs|Count|Total|The count of all failed creation of direct method invocation jobs.|No Dimensions|
+|jobs.createDirectMethodJob.success|Yes|Successful creations of method invocation jobs|Count|Total|The count of all successful creation of direct method invocation jobs.|No Dimensions|
+|jobs.createTwinUpdateJob.failure|Yes|Failed creations of twin update jobs|Count|Total|The count of all failed creation of twin update jobs.|No Dimensions|
+|jobs.createTwinUpdateJob.success|Yes|Successful creations of twin update jobs|Count|Total|The count of all successful creation of twin update jobs.|No Dimensions|
+|jobs.failed|Yes|Failed jobs|Count|Total|The count of all failed jobs.|No Dimensions|
+|jobs.listJobs.failure|Yes|Failed calls to list jobs|Count|Total|The count of all failed calls to list jobs.|No Dimensions|
+|jobs.listJobs.success|Yes|Successful calls to list jobs|Count|Total|The count of all successful calls to list jobs.|No Dimensions|
+|jobs.queryJobs.failure|Yes|Failed job queries|Count|Total|The count of all failed calls to query jobs.|No Dimensions|
+|jobs.queryJobs.success|Yes|Successful job queries|Count|Total|The count of all successful calls to query jobs.|No Dimensions|
+|RoutingDataSizeInBytesDelivered|Yes|Routing Delivery Message Size in Bytes (preview)|Bytes|Total|The total size in bytes of messages delivered by IoT hub to an endpoint. You can use the EndpointName and EndpointType dimensions to view the size of the messages in bytes delivered to your different endpoints. The metric value increases for every message delivered, including if the message is delivered to multiple endpoints or if the message is delivered to the same endpoint multiple times.|EndpointType, EndpointName, RoutingSource|
+|RoutingDeliveries|Yes|Routing Deliveries (preview)|Count|Total|The number of times IoT Hub attempted to deliver messages to all endpoints using routing. To see the number of successful or failed attempts, use the Result dimension. To see the reason of failure, like invalid, dropped, or orphaned, use the FailureReasonCategory dimension. You can also use the EndpointName and EndpointType dimensions to understand how many messages were delivered to your different endpoints. The metric value increases by one for each delivery attempt, including if the message is delivered to multiple endpoints or if the message is delivered to the same endpoint multiple times.|EndpointType, EndpointName, FailureReasonCategory, Result, RoutingSource|
+|RoutingDeliveryLatency|Yes|Routing Delivery Latency (preview)|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into an endpoint. You can use the EndpointName and EndpointType dimensions to understand the latency to your different endpoints.|EndpointType, EndpointName, RoutingSource|
+|tenantHub.requestedUsageRate|Yes|requested usage rate|Percent|Average|requested usage rate|No Dimensions|
+|totalDeviceCount|Yes|Total devices|Count|Average|Number of devices registered to your IoT hub|No Dimensions|
+|twinQueries.failure|Yes|Failed twin queries|Count|Total|The count of all failed twin queries.|No Dimensions|
+|twinQueries.resultSize|Yes|Twin queries result size|Bytes|Average|The average, min, and max of the result size of all successful twin queries.|No Dimensions|
+|twinQueries.success|Yes|Successful twin queries|Count|Total|The count of all successful twin queries.|No Dimensions|
++ ## Microsoft.Devices/IotHubs |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
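Review bot: the two rows flagged "(deprecated)" in this hunk (devices.connectedDevices.allProtocol and devices.totalDevices) never say what replaces them, while connectedDeviceCount and totalDeviceCount a few lines away carry the same descriptions with aggregation Average instead of Total; add "Use connectedDeviceCount instead" / "Use totalDeviceCount instead" to the deprecated rows so nobody wires new alerts to the old names. The same applies to deviceDataUsage and deviceDataUsageV2 (preview), which have identical descriptions and no hint of how V2 differs. The size rows (c2d.methods.requestSize, c2d.twin.read.size, d2c.twin.update.size and friends) describe "the average, min, and max" but list only Average as the aggregation type; either list the supported aggregations or drop min/max from the description. Finally, tenantHub.requestedUsageRate's description just repeats its display name ("requested usage rate") and should say what usage is being rated against what limit.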
@@ -1041,6 +1397,26 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|RegistrationAttempts|Yes|Registration attempts|Count|Total|Number of device registrations attempted|ProvisioningServiceName, IotHubName, Status|
+## Microsoft.DigitalTwins/digitalTwinsInstances
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ApiRequests|Yes|API Requests|Count|Total|The number of API requests made for Digital Twins read, write, delete and query operations.|Operation, Authentication, Protocol, StatusCode, StatusCodeClass, StatusText|
+|ApiRequestsFailureRate|Yes|API Requests Failure Rate|Percent|Average|The percentage of API requests that the service receives for your instance that return an internal error (500) response code for Digital Twins read, write, delete and query operations.|Operation, Authentication, Protocol|
+|ApiRequestsLatency|Yes|API Requests Latency|Milliseconds|Average|The response time for API requests, i.e. from when the request is received by Azure Digital Twins until the service sends a success/fail result for Digital Twins read, write, delete and query operations.|Operation, Authentication, Protocol, StatusCode, StatusCodeClass, StatusText|
+|BillingApiOperations|Yes|Billing API Operations|Count|Total|Billing metric for the count of all API requests made against the Azure Digital Twins service.|MeterId|
+|BillingMessagesProcessed|Yes|Billing Messages Processed|Count|Total|Billing metric for the number of messages sent out from Azure Digital Twins to external endpoints.|MeterId|
+|BillingQueryUnits|Yes|Billing Query Units|Count|Total|The number of Query Units, an internally computed measure of service resource usage, consumed to execute queries.|MeterId|
+|IngressEvents|Yes|Ingress Events|Count|Total|The number of incoming telemetry events into Azure Digital Twins.|Result|
+|IngressEventsFailureRate|Yes|Ingress Events Failure Rate|Percent|Average|The percentage of incoming telemetry events for which the service returns an internal error (500) response code.|No Dimensions|
+|IngressEventsLatency|Yes|Ingress Events Latency|Milliseconds|Average|The time from when an event arrives to when it is ready to be egressed by Azure Digital Twins, at which point the service sends a success/fail result.|Result|
+|ModelCount|Yes|Model Count|Count|Total|Total number of models in the Azure Digital Twins instance. Use this metric to determine if you are approaching the service limit for max number of models allowed per instance.|No Dimensions|
+|Routing|Yes|Messages Routed|Count|Total|The number of messages routed to an endpoint Azure service such as Event Hub, Service Bus or Event Grid.|EndpointType, Result|
+|RoutingFailureRate|Yes|Routing Failure Rate|Percent|Average|The percentage of events that result in an error as they are routed from Azure Digital Twins to an endpoint Azure service such as Event Hub, Service Bus or Event Grid.|EndpointType|
+|RoutingLatency|Yes|Routing Latency|Milliseconds|Average|Time elapsed between an event getting routed from Azure Digital Twins to when it is posted to the endpoint Azure service such as Event Hub, Service Bus or Event Grid.|EndpointType, Result|
+|TwinCount|Yes|Twin Count|Count|Total|Total number of twins in the Azure Digital Twins instance. Use this metric to determine if you are approaching the service limit for max number of twins allowed per instance.|No Dimensions|
++ ## Microsoft.DocumentDB/databaseAccounts |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
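Review bot: ModelCount and TwinCount, the point-in-time gauges at the end of the new Microsoft.DigitalTwins/digitalTwinsInstances table ("Total number of twins in the ... instance", recommended for watching the per-instance limit), are listed with aggregation type Total, which summed across a time grain overstates the count; the IoT Hub gauges above (connectedDeviceCount, totalDeviceCount) use Average for the same kind of value, so Average or Maximum looks right here. The ApiRequests and ApiRequestsLatency rows also introduce an Authentication dimension without saying what values it takes; a short note would make it usable for auditing which credential types reach the API. Minor: "i.e." in the ApiRequestsLatency description reads better as "that is,".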
@@ -1075,6 +1451,10 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|GremlinGraphThroughputUpdate|No|Gremlin Graph Throughput Updated|Count|Count|Gremlin Graph Throughput Updated|ResourceName, ChildResourceName, | |GremlinGraphUpdate|No|Gremlin Graph Updated|Count|Count|Gremlin Graph Updated|ResourceName, ChildResourceName, | |IndexUsage|No|Index Usage|Bytes|Total|Total index usage reported at 5 minutes granularity|CollectionName, DatabaseName, Region|
+|IntegratedCacheEvictedEntriesSize|No|IntegratedCacheEvictedEntriesSize|Bytes|Average|Size of the entries evicted from the integrated cache|CacheType, Region|
+|IntegratedCacheHitRate|No|IntegratedCacheHitRate|Percent|Average|Cache hit rate for integrated caches|CacheType, Region|
+|IntegratedCacheSize|No|IntegratedCacheSize|Bytes|Average|Size of the integrated caches for dedicated gateway requests|CacheType, Region|
+|IntegratedCacheTTLExpirationCount|No|IntegratedCacheTTLExpirationCount|Count|Average|Number of entries removed from the integrated cache due to TTL expiration|CacheType, Region|
|MetadataRequests|No|Metadata Requests|Count|Count|Count of metadata requests. Cosmos DB maintains system metadata collection for each account, that allows you to enumerate collections, databases, etc, and their configurations, free of charge.|DatabaseName, CollectionName, Region, StatusCode, | |MongoCollectionCreate|No|Mongo Collection Created|Count|Count|Mongo Collection Created|ResourceName, ChildResourceName, | |MongoCollectionDelete|No|Mongo Collection Deleted|Count|Count|Mongo Collection Deleted|ResourceName, ChildResourceName, |
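Review bot: the four new IntegratedCache* rows reuse the raw metric name as the Metric Display Name (IntegratedCacheEvictedEntriesSize, IntegratedCacheHitRate, ...), unlike every neighbouring row in this table ("Index Usage", "Metadata Requests"); give them spaced display names. IntegratedCacheTTLExpirationCount is a Count with aggregation Average, whereas the other Count metrics in this table (MetadataRequests, MongoRequests) use Count; confirm Average is intended for a count of evicted entries rather than a copy of the hit-rate row's aggregation.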
@@ -1084,7 +1464,13 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|MongoDatabaseThroughputUpdate|No|Mongo Database Throughput Updated|Count|Count|Mongo Database Throughput Updated|ResourceName, | |MongoDBDatabaseCreate|No|Mongo Database Created|Count|Count|Mongo Database Created|ResourceName, | |MongoDBDatabaseUpdate|No|Mongo Database Updated|Count|Count|Mongo Database Updated|ResourceName, |
+|MongoRequestCharge|Yes|Mongo Request Charge|Count|Total|Mongo Request Units Consumed|DatabaseName, CollectionName, Region, CommandName, ErrorCode, Status|
|MongoRequests|Yes|Mongo Requests|Count|Count|Number of Mongo Requests Made|DatabaseName, CollectionName, Region, CommandName, ErrorCode, Status|
+|MongoRequestsCount|No|(deprecated) Mongo Request Rate|CountPerSecond|Average|Mongo request Count per second|DatabaseName, CollectionName, Region, ErrorCode|
+|MongoRequestsDelete|No|(deprecated) Mongo Delete Request Rate|CountPerSecond|Average|Mongo Delete request per second|DatabaseName, CollectionName, Region, ErrorCode|
+|MongoRequestsInsert|No|(deprecated) Mongo Insert Request Rate|CountPerSecond|Average|Mongo Insert count per second|DatabaseName, CollectionName, Region, ErrorCode|
+|MongoRequestsQuery|No|(deprecated) Mongo Query Request Rate|CountPerSecond|Average|Mongo Query request per second|DatabaseName, CollectionName, Region, ErrorCode|
+|MongoRequestsUpdate|No|(deprecated) Mongo Update Request Rate|CountPerSecond|Average|Mongo Update request per second|DatabaseName, CollectionName, Region, ErrorCode|
|NormalizedRUConsumption|No|Normalized RU Consumption|Percent|Maximum|Max RU consumption percentage per minute|CollectionName, DatabaseName, Region, PartitionKeyRangeId| |ProvisionedThroughput|No|Provisioned Throughput|Count|Maximum|Provisioned Throughput|DatabaseName, CollectionName| |RegionFailover|Yes|Region Failed Over|Count|Count|Region Failed Over|No Dimensions|
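Review bot: the five "(deprecated)" Mongo*Rate rows added here do not say what supersedes them; the adjacent MongoRequests row (with CommandName and Status dimensions) looks like the replacement, so say so in each description the way the Event Hub EHINMBS/EHOUTMBS rows further down do ("Please use ... instead"). The new MongoRequestCharge row has Unit Count but describes "Mongo Request Units Consumed"; spell out "Request Units (RUs)" in the description so it is not read as a request count next to the MongoRequests row directly below it.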
@@ -1116,6 +1502,7 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|AdvancedFilterEvaluationCount|Yes|Advanced Filter Evaluations|Count|Total|Total advanced filters evaluated across event subscriptions for this topic.|Topic, EventSubscriptionName, DomainEventSubscriptionName|
|DeadLetteredCount|Yes|Dead Lettered Events|Count|Total|Total dead lettered events matching to this event subscription|Topic, EventSubscriptionName, DomainEventSubscriptionName, DeadLetterReason| |DeliveryAttemptFailCount|No|Delivery Failed Events|Count|Total|Total events failed to deliver to this event subscription|Topic, EventSubscriptionName, DomainEventSubscriptionName, Error, ErrorType| |DeliverySuccessCount|Yes|Delivered Events|Count|Total|Total events delivered to this event subscription|Topic, EventSubscriptionName, DomainEventSubscriptionName|
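Review bot: the new AdvancedFilterEvaluationCount description ends with a period while no other description in this table does; trivial, but drop it for consistency. The dimension set (Topic, EventSubscriptionName, DomainEventSubscriptionName) matches the sibling rows, so nothing else to flag.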
@@ -1149,10 +1536,43 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|UnmatchedEventCount|Yes|Unmatched Events|Count|Total|Total events not matching any of the event subscriptions for this topic|No Dimensions|
+## Microsoft.EventGrid/partnerNamespaces
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|DeadLetteredCount|Yes|Dead Lettered Events|Count|Total|Total dead lettered events matching to this event subscription|DeadLetterReason, EventSubscriptionName|
+|DeliveryAttemptFailCount|No|Delivery Failed Events|Count|Total|Total events failed to deliver to this event subscription|Error, ErrorType, EventSubscriptionName|
+|DeliverySuccessCount|Yes|Delivered Events|Count|Total|Total events delivered to this event subscription|EventSubscriptionName|
+|DestinationProcessingDurationInMs|No|Destination Processing Duration|Milliseconds|Average|Destination processing duration in milliseconds|EventSubscriptionName|
+|DroppedEventCount|Yes|Dropped Events|Count|Total|Total dropped events matching to this event subscription|DropReason, EventSubscriptionName|
+|MatchedEventCount|Yes|Matched Events|Count|Total|Total events matched to this event subscription|EventSubscriptionName|
+|PublishFailCount|Yes|Publish Failed Events|Count|Total|Total events failed to publish to this topic|ErrorType, Error|
+|PublishSuccessCount|Yes|Published Events|Count|Total|Total events published to this topic|No Dimensions|
+|PublishSuccessLatencyInMs|Yes|Publish Success Latency|Milliseconds|Total|Publish success latency in milliseconds|No Dimensions|
+|UnmatchedEventCount|Yes|Unmatched Events|Count|Total|Total events not matching any of the event subscriptions for this topic|No Dimensions|
++
+## Microsoft.EventGrid/partnerTopics
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|AdvancedFilterEvaluationCount|Yes|Advanced Filter Evaluations|Count|Total|Total advanced filters evaluated across event subscriptions for this topic.|EventSubscriptionName|
+|DeadLetteredCount|Yes|Dead Lettered Events|Count|Total|Total dead lettered events matching to this event subscription|DeadLetterReason, EventSubscriptionName|
+|DeliveryAttemptFailCount|No|Delivery Failed Events|Count|Total|Total events failed to deliver to this event subscription|Error, ErrorType, EventSubscriptionName|
+|DeliverySuccessCount|Yes|Delivered Events|Count|Total|Total events delivered to this event subscription|EventSubscriptionName|
+|DestinationProcessingDurationInMs|No|Destination Processing Duration|Milliseconds|Average|Destination processing duration in milliseconds|EventSubscriptionName|
+|DroppedEventCount|Yes|Dropped Events|Count|Total|Total dropped events matching to this event subscription|DropReason, EventSubscriptionName|
+|MatchedEventCount|Yes|Matched Events|Count|Total|Total events matched to this event subscription|EventSubscriptionName|
+|PublishFailCount|Yes|Publish Failed Events|Count|Total|Total events failed to publish to this topic|ErrorType, Error|
+|PublishSuccessCount|Yes|Published Events|Count|Total|Total events published to this topic|No Dimensions|
+|UnmatchedEventCount|Yes|Unmatched Events|Count|Total|Total events not matching any of the event subscriptions for this topic|No Dimensions|
++ ## Microsoft.EventGrid/systemTopics |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|AdvancedFilterEvaluationCount|Yes|Advanced Filter Evaluations|Count|Total|Total advanced filters evaluated across event subscriptions for this topic.|EventSubscriptionName|
|DeadLetteredCount|Yes|Dead Lettered Events|Count|Total|Total dead lettered events matching to this event subscription|DeadLetterReason, EventSubscriptionName| |DeliveryAttemptFailCount|No|Delivery Failed Events|Count|Total|Total events failed to deliver to this event subscription|Error, ErrorType, EventSubscriptionName| |DeliverySuccessCount|Yes|Delivered Events|Count|Total|Total events delivered to this event subscription|EventSubscriptionName|
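Review bot: PublishSuccessLatencyInMs in the new Microsoft.EventGrid/partnerNamespaces table has Unit Milliseconds but Aggregation Type Total; a latency summed over the time grain is meaningless, and DestinationProcessingDurationInMs in the same table uses Average, so this should be Average. The two new tables are also asymmetric: partnerNamespaces has PublishSuccessLatencyInMs but no AdvancedFilterEvaluationCount, partnerTopics has AdvancedFilterEvaluationCount but no PublishSuccessLatencyInMs, and the systemTopics table that follows gains AdvancedFilterEvaluationCount; confirm this reflects the service rather than rows lost when the tables were copied.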
@@ -1169,6 +1589,7 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|AdvancedFilterEvaluationCount|Yes|Advanced Filter Evaluations|Count|Total|Total advanced filters evaluated across event subscriptions for this topic.|EventSubscriptionName|
|DeadLetteredCount|Yes|Dead Lettered Events|Count|Total|Total dead lettered events matching to this event subscription|DeadLetterReason, EventSubscriptionName| |DeliveryAttemptFailCount|No|Delivery Failed Events|Count|Total|Total events failed to deliver to this event subscription|Error, ErrorType, EventSubscriptionName| |DeliverySuccessCount|Yes|Delivered Events|Count|Total|Total events delivered to this event subscription|EventSubscriptionName|
@@ -1185,65 +1606,65 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.|No Dimensions|
+|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.||
|AvailableMemory|No|Available Memory|Percent|Maximum|Available memory for the Event Hub Cluster as a percentage of total memory.|Role|
-|CaptureBacklog|No|Capture Backlog.|Count|Total|Capture Backlog for Microsoft.EventHub.|No Dimensions|
-|CapturedBytes|No|Captured Bytes.|Bytes|Total|Captured Bytes for Microsoft.EventHub.|No Dimensions|
-|CapturedMessages|No|Captured Messages.|Count|Total|Captured Messages for Microsoft.EventHub.|No Dimensions|
-|ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.EventHub.|No Dimensions|
-|ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.EventHub.|No Dimensions|
+|CaptureBacklog|No|Capture Backlog.|Count|Total|Capture Backlog for Microsoft.EventHub.||
+|CapturedBytes|No|Captured Bytes.|Bytes|Total|Captured Bytes for Microsoft.EventHub.||
+|CapturedMessages|No|Captured Messages.|Count|Total|Captured Messages for Microsoft.EventHub.||
+|ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.EventHub.||
+|ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.EventHub.||
|CPU|No|CPU|Percent|Maximum|CPU utilization for the Event Hub Cluster as a percentage|Role|
-|IncomingBytes|Yes|Incoming Bytes.|Bytes|Total|Incoming Bytes for Microsoft.EventHub.|No Dimensions|
-|IncomingMessages|Yes|Incoming Messages|Count|Total|Incoming Messages for Microsoft.EventHub.|No Dimensions|
-|IncomingRequests|Yes|Incoming Requests|Count|Total|Incoming Requests for Microsoft.EventHub.|No Dimensions|
-|OutgoingBytes|Yes|Outgoing Bytes.|Bytes|Total|Outgoing Bytes for Microsoft.EventHub.|No Dimensions|
-|OutgoingMessages|Yes|Outgoing Messages|Count|Total|Outgoing Messages for Microsoft.EventHub.|No Dimensions|
-|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|No Dimensions|
-|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|No Dimensions|
+|IncomingBytes|Yes|Incoming Bytes.|Bytes|Total|Incoming Bytes for Microsoft.EventHub.||
+|IncomingMessages|Yes|Incoming Messages|Count|Total|Incoming Messages for Microsoft.EventHub.||
+|IncomingRequests|Yes|Incoming Requests|Count|Total|Incoming Requests for Microsoft.EventHub.||
+|OutgoingBytes|Yes|Outgoing Bytes.|Bytes|Total|Outgoing Bytes for Microsoft.EventHub.||
+|OutgoingMessages|Yes|Outgoing Messages|Count|Total|Outgoing Messages for Microsoft.EventHub.||
+|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|OperationResult|
+|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|OperationResult|
|Size|No|Size|Bytes|Average|Size of an EventHub in Bytes.|Role|
-|SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|No Dimensions|
-|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|No Dimensions|
-|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|No Dimensions|
+|SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|OperationResult|
+|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|OperationResult|
+|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|OperationResult|
## Microsoft.EventHub/namespaces |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.|No Dimensions|
+|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.||
|CaptureBacklog|No|Capture Backlog.|Count|Total|Capture Backlog for Microsoft.EventHub.|EntityName| |CapturedBytes|No|Captured Bytes.|Bytes|Total|Captured Bytes for Microsoft.EventHub.|EntityName| |CapturedMessages|No|Captured Messages.|Count|Total|Captured Messages for Microsoft.EventHub.|EntityName| |ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.EventHub.|EntityName| |ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.EventHub.|EntityName|
-|EHABL|Yes|Archive backlog messages (Deprecated)|Count|Total|Event Hub archive messages in backlog for a namespace (Deprecated)|No Dimensions|
-|EHAMBS|Yes|Archive message throughput (Deprecated)|Bytes|Total|Event Hub archived message throughput in a namespace (Deprecated)|No Dimensions|
-|EHAMSGS|Yes|Archive messages (Deprecated)|Count|Total|Event Hub archived messages in a namespace (Deprecated)|No Dimensions|
-|EHINBYTES|Yes|Incoming bytes (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace (Deprecated)|No Dimensions|
-|EHINMBS|Yes|Incoming bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace. This metric is deprecated. Please use Incoming bytes metric instead (Deprecated)|No Dimensions|
-|EHINMSGS|Yes|Incoming Messages (Deprecated)|Count|Total|Total incoming messages for a namespace (Deprecated)|No Dimensions|
-|EHOUTBYTES|Yes|Outgoing bytes (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace (Deprecated)|No Dimensions|
-|EHOUTMBS|Yes|Outgoing bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace. This metric is deprecated. Please use Outgoing bytes metric instead (Deprecated)|No Dimensions|
-|EHOUTMSGS|Yes|Outgoing Messages (Deprecated)|Count|Total|Total outgoing messages for a namespace (Deprecated)|No Dimensions|
-|FAILREQ|Yes|Failed Requests (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)|No Dimensions|
+|EHABL|Yes|Archive backlog messages (Deprecated)|Count|Total|Event Hub archive messages in backlog for a namespace (Deprecated)||
+|EHAMBS|Yes|Archive message throughput (Deprecated)|Bytes|Total|Event Hub archived message throughput in a namespace (Deprecated)||
+|EHAMSGS|Yes|Archive messages (Deprecated)|Count|Total|Event Hub archived messages in a namespace (Deprecated)||
+|EHINBYTES|Yes|Incoming bytes (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace (Deprecated)||
+|EHINMBS|Yes|Incoming bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace. This metric is deprecated. Please use Incoming bytes metric instead (Deprecated)||
+|EHINMSGS|Yes|Incoming Messages (Deprecated)|Count|Total|Total incoming messages for a namespace (Deprecated)||
+|EHOUTBYTES|Yes|Outgoing bytes (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace (Deprecated)||
+|EHOUTMBS|Yes|Outgoing bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace. This metric is deprecated. Please use Outgoing bytes metric instead (Deprecated)||
+|EHOUTMSGS|Yes|Outgoing Messages (Deprecated)|Count|Total|Total outgoing messages for a namespace (Deprecated)||
+|FAILREQ|Yes|Failed Requests (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)||
|IncomingBytes|Yes|Incoming Bytes.|Bytes|Total|Incoming Bytes for Microsoft.EventHub.|EntityName| |IncomingMessages|Yes|Incoming Messages|Count|Total|Incoming Messages for Microsoft.EventHub.|EntityName| |IncomingRequests|Yes|Incoming Requests|Count|Total|Incoming Requests for Microsoft.EventHub.|EntityName|
-|INMSGS|Yes|Incoming Messages (obsolete) (Deprecated)|Count|Total|Total incoming messages for a namespace. This metric is deprecated. Please use Incoming Messages metric instead (Deprecated)|No Dimensions|
-|INREQS|Yes|Incoming Requests (Deprecated)|Count|Total|Total incoming send requests for a namespace (Deprecated)|No Dimensions|
-|INTERR|Yes|Internal Server Errors (Deprecated)|Count|Total|Total internal server errors for a namespace (Deprecated)|No Dimensions|
-|MISCERR|Yes|Other Errors (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)|No Dimensions|
+|INMSGS|Yes|Incoming Messages (obsolete) (Deprecated)|Count|Total|Total incoming messages for a namespace. This metric is deprecated. Please use Incoming Messages metric instead (Deprecated)||
+|INREQS|Yes|Incoming Requests (Deprecated)|Count|Total|Total incoming send requests for a namespace (Deprecated)||
+|INTERR|Yes|Internal Server Errors (Deprecated)|Count|Total|Total internal server errors for a namespace (Deprecated)||
+|MISCERR|Yes|Other Errors (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)||
|OutgoingBytes|Yes|Outgoing Bytes.|Bytes|Total|Outgoing Bytes for Microsoft.EventHub.|EntityName| |OutgoingMessages|Yes|Outgoing Messages|Count|Total|Outgoing Messages for Microsoft.EventHub.|EntityName|
-|OUTMSGS|Yes|Outgoing Messages (obsolete) (Deprecated)|Count|Total|Total outgoing messages for a namespace. This metric is deprecated. Please use Outgoing Messages metric instead (Deprecated)|No Dimensions|
-|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|EntityName, |
-|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|EntityName, |
+|OUTMSGS|Yes|Outgoing Messages (obsolete) (Deprecated)|Count|Total|Total outgoing messages for a namespace. This metric is deprecated. Please use Outgoing Messages metric instead (Deprecated)||
+|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|EntityName, OperationResult|
+|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|EntityName, OperationResult|
|Size|No|Size|Bytes|Average|Size of an EventHub in Bytes.|EntityName|
-|SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|EntityName, |
-|SUCCREQ|Yes|Successful Requests (Deprecated)|Count|Total|Total successful requests for a namespace (Deprecated)|No Dimensions|
-|SVRBSY|Yes|Server Busy Errors (Deprecated)|Count|Total|Total server busy errors for a namespace (Deprecated)|No Dimensions|
-|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|EntityName, |
-|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|EntityName, |
+|SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|EntityName, OperationResult|
+|SUCCREQ|Yes|Successful Requests (Deprecated)|Count|Total|Total successful requests for a namespace (Deprecated)||
+|SVRBSY|Yes|Server Busy Errors (Deprecated)|Count|Total|Total server busy errors for a namespace (Deprecated)||
+|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|EntityName, OperationResult|
+|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|EntityName, OperationResult|
## Microsoft.HDInsight/clusters
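Review bot: The rewritten Event Hubs rows (EHABL through MISCERR, OUTMSGS, SUCCREQ, SVRBSY) replace `No Dimensions` with an empty trailing cell, which is inconsistent with the rest of this table and with the other resource tables, where dimensionless metrics are spelled out as `No Dimensions`; an empty cell also reads as a rendering defect rather than as a statement. Suggest keeping `|No Dimensions|` on those rows. The change from `EntityName, ` to `EntityName, OperationResult` on the QuotaExceededErrors, ServerErrors, SuccessfulRequests, ThrottledRequests and UserErrors rows is correct and removes the dangling comma.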
@@ -1252,15 +1673,61 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|||||||| |CategorizedGatewayRequests|Yes|Categorized Gateway Requests|Count|Total|Number of gateway requests by categories (1xx/2xx/3xx/4xx/5xx)|HttpStatus| |GatewayRequests|Yes|Gateway Requests|Count|Total|Number of gateway requests|HttpStatus|
+|KafkaRestProxy.ConsumerRequest.m1_delta|Yes|REST proxy Consumer RequestThroughput|CountPerSecond|Total|Number of consumer requests to Kafka REST proxy|Machine, Topic|
+|KafkaRestProxy.ConsumerRequestTime.p95|Yes|REST proxy Consumer RequestLatency|Milliseconds|Average|Message Latency in a consumer request through Kafka REST proxy|Machine, Topic|
+|KafkaRestProxy.MessagesIn.m1_delta|Yes|REST proxy Producer MessageThroughput|CountPerSecond|Total|Number of producer messages through Kafka REST proxy|Machine, Topic|
+|KafkaRestProxy.MessagesOut.m1_delta|Yes|REST proxy Consumer MessageThroughput|CountPerSecond|Total|Number of consumer messages through Kafka REST proxy|Machine, Topic|
+|KafkaRestProxy.OpenConnections|Yes|REST proxy ConcurrentConnections|Count|Total|Number of concurrent connections through Kafka REST proxy|Machine, Topic|
+|KafkaRestProxy.ProducerRequest.m1_delta|Yes|REST proxy Producer RequestThroughput|CountPerSecond|Total|Number of producer requests to Kafka REST proxy|Machine, Topic|
+|KafkaRestProxy.ProducerRequestTime.p95|Yes|REST proxy Producer RequestLatency|Milliseconds|Average|Message Latency in a producer request through Kafka REST proxy|Machine, Topic|
|NumActiveWorkers|Yes|Number of Active Workers|Count|Maximum|Number of Active Workers|MetricName|
-## Microsoft.Insights/AutoscaleSettings
+## Microsoft.HealthcareApis/services
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|Availability|Yes|Availability|Percent|Average|The availability rate of the service.|No Dimensions|
+|CosmosDbCollectionSize|Yes|Cosmos DB Collection Size|Bytes|Total|The size of the backing Cosmos DB collection, in bytes.|No Dimensions|
+|CosmosDbIndexSize|Yes|Cosmos DB Index Size|Bytes|Total|The size of the backing Cosmos DB collection's index, in bytes.|No Dimensions|
+|CosmosDbRequestCharge|Yes|Cosmos DB RU usage|Count|Total|The RU usage of requests to the service's backing Cosmos DB.|Operation, ResourceType|
+|CosmosDbRequests|Yes|Service Cosmos DB requests|Count|Sum|The total number of requests made to a service's backing Cosmos DB.|Operation, ResourceType|
+|CosmosDbThrottleRate|Yes|Service Cosmos DB throttle rate|Count|Sum|The total number of 429 responses from a service's backing Cosmos DB.|Operation, ResourceType|
+|IoTConnectorDeviceEvent|Yes|Number of Incoming Messages|Count|Sum|The total number of messages received by the Azure IoT Connector for FHIR prior to any normalization.|Operation, ConnectorName|
+|IoTConnectorDeviceEventProcessingLatencyMs|Yes|Average Normalize Stage Latency|Milliseconds|Average|The average time between an event's ingestion time and the time the event is processed for normalization.|Operation, ConnectorName|
+|IoTConnectorMeasurement|Yes|Number of Measurements|Count|Sum|The number of normalized value readings received by the FHIR conversion stage of the Azure IoT Connector for FHIR.|Operation, ConnectorName|
+|IoTConnectorMeasurementGroup|Yes|Number of Message Groups|Count|Sum|The total number of unique groupings of measurements across type, device, patient, and configured time period generated by the FHIR conversion stage.|Operation, ConnectorName|
+|IoTConnectorMeasurementIngestionLatencyMs|Yes|Average Group Stage Latency|Milliseconds|Average|The time period between when the IoT Connector received the device data and when the data is processed by the FHIR conversion stage.|Operation, ConnectorName|
+|IoTConnectorNormalizedEvent|Yes|Number of Normalized Messages|Count|Sum|The total number of mapped normalized values outputted from the normalization stage of the the Azure IoT Connector for FHIR.|Operation, ConnectorName|
+|IoTConnectorTotalErrors|Yes|Total Error Count|Count|Sum|The total number of errors logged by the Azure IoT Connector for FHIR|Name, Operation, ErrorType, ErrorSeverity, ConnectorName|
+|ServiceApiErrors|Yes|Service Errors|Count|Sum|The total number of internal server errors generated by the service.|Protocol, Authentication, Operation, ResourceType, StatusCode, StatusCodeClass, StatusCodeText|
+|ServiceApiLatency|Yes|Service Latency|Milliseconds|Average|The response latency of the service.|Protocol, Authentication, Operation, ResourceType, StatusCode, StatusCodeClass, StatusCodeText|
+|ServiceApiRequests|Yes|Service Requests|Count|Sum|The total number of requests received by the service.|Protocol, Authentication, Operation, ResourceType, StatusCode, StatusCodeClass, StatusCodeText|
+|TotalErrors|Yes|Total Errors|Count|Sum|The total number of internal server errors encountered by the service.|Protocol, StatusCode, StatusCodeClass, StatusCodeText|
+|TotalLatency|Yes|Total Latency|Milliseconds|Average|The response latency of the service.|Protocol|
+|TotalRequests|Yes|Total Requests|Count|Sum|The total number of requests received by the service.|Protocol|
++
+## microsoft.hybridnetwork/networkfunctions
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|HyperVVirtualProcessorUtilization|Yes|Average CPU Utilization|Percent|Average|Total average percentage of virtual CPU utilization at one minute interval. The total number of virtual CPU is based on user configured value in SKU definition. Further filter can be applied based on RoleName defined in SKU.|InstanceName|
++
+## microsoft.hybridnetwork/virtualnetworkfunctions
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|HyperVVirtualProcessorUtilization|Yes|Average CPU Utilization|Percent|Average|Total average percentage of virtual CPU utilization at one minute interval. The total number of virtual CPU is based on user configured value in SKU definition. Further filter can be applied based on RoleName defined in SKU.|InstanceName|
++
+## microsoft.insights/autoscalesettings
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |MetricThreshold|Yes|Metric Threshold|Count|Average|The configured autoscale threshold when autoscale ran.|MetricTriggerRule|
-|ObservedCapacity|Yes|Observed Capacity|Count|Average|The capacity reported to autoscale when it executed.|No Dimensions|
+|ObservedCapacity|Yes|Observed Capacity|Count|Average|The capacity reported to autoscale when it executed.||
|ObservedMetricValue|Yes|Observed Metric Value|Count|Average|The value computed by autoscale when executed|MetricTriggerSource| |ScaleActionsInitiated|Yes|Scale Actions Initiated|Count|Total|The direction of the scale operation.|ScaleDirection|
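Review bot: The `+`-only lines added after the Microsoft.HealthcareApis/services, microsoft.hybridnetwork/networkfunctions and microsoft.hybridnetwork/virtualnetworkfunctions tables put a literal `+` into the rendered page (a line containing only `+` becomes a stray plus sign or an empty list bullet); replace each with a blank line. The ObservedCapacity row under microsoft.insights/autoscalesettings also drops `No Dimensions` for an empty cell while the HealthcareApis rows added in the same hunk keep `No Dimensions`, so one convention should be used, and the IoTConnectorNormalizedEvent description has a doubled "the the".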
@@ -1314,6 +1781,32 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|d2c.property.read.success|Yes|Successful Device Property Reads from Devices|Count|Total|The count of all successful property reads initiated from devices|No Dimensions| |d2c.property.update.failure|Yes|Failed Device Property Updates from Devices|Count|Total|The count of all failed property updates initiated from devices|No Dimensions| |d2c.property.update.success|Yes|Successful Device Property Updates from Devices|Count|Total|The count of all successful property updates initiated from devices|No Dimensions|
+|dataExport.error|Yes|Data Export Errors|Count|Total|Number of errors encountered for data export|exportId, exportDisplayName, destinationId, destinationDisplayName|
+|dataExport.messages.filtered|Yes|Data Export Messages Filtered|Count|Total|Number of messages that have passed through filters in data export|exportId, exportDisplayName, destinationId, destinationDisplayName|
+|dataExport.messages.received|Yes|Data Export Messages Received|Count|Total|Number of messages incoming to data export, before filtering and enrichment processing|exportId, exportDisplayName, destinationId, destinationDisplayName|
+|dataExport.messages.written|Yes|Data Export Messages Written|Count|Total|Number of messages written to a destination|exportId, exportDisplayName, destinationId, destinationDisplayName|
++
+## Microsoft.IoTSpaces/Graph
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ApiLatency|No|ApiLatency|6|0|Measures latency of API requests made to Microsoft.IoTSpaces in Milliseconds|No Dimensions|
+|FunctionExecutionLatency|No|FunctionExecutionLatency|6|0|Measures latency of user-defined function execution in Milliseconds for Microsoft.IoTSpaces|No Dimensions|
+|MessageEgressFailure|No|MessageEgressFailure|2|3|Looks up a localized string similar to Measures Failed count event in Count for Microsoft.IoTSpaces|No Dimensions|
+|MessageEgressLatency|No|MessageEgressLatency|6|0|Measures the latency from dispatcher to other endpoints in Milliseconds for Microsoft.IoTSpaces|No Dimensions|
+|MessageEgressSuccess|No|MessageEgressSuccess|2|3|Looks up a localized string similar to Measures completed count event in Count for Microsoft.IoTSpaces|No Dimensions|
+|ProcessingLatency|No|ProcessingLatency|6|0|Measures latency from message ingested to dispatched event in Milliseconds for Microsoft.IoTSpaces|No Dimensions|
++
+## microsoft.keyvault/managedhsms
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|Availability|No|Overall Service Availability|Percent|Average|Service requests availability|ActivityType, ActivityName, StatusCode, StatusCodeClass|
+|ServiceApiHit|Yes|Total Service Api Hits|Count|Count|Number of total service api hits|ActivityType, ActivityName|
+|ServiceApiLatency|No|Overall Service Api Latency|Milliseconds|Average|Overall latency of service api requests|ActivityType, ActivityName, StatusCode, StatusCodeClass|
+|ServiceApiResult|Yes|Total Service Api Results|Count|Count|Number of total service api results|ActivityType, ActivityName, StatusCode, StatusCodeClass|
## Microsoft.KeyVault/vaults
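Review bot: The Microsoft.IoTSpaces/Graph rows carry raw numeric codes instead of names in the Unit and Aggregation Type columns (`6`/`0` where the descriptions say Milliseconds, `2`/`3` where they say Count), and two descriptions leaked placeholder text, for example `Looks up a localized string similar to Measures Failed count event in Count for Microsoft.IoTSpaces`. These look like unresolved resource strings from the metric export rather than documentation; suggest mapping the codes to the same unit and aggregation names the other tables use and rewriting the two descriptions before merging. The `+`-only lines after the IoT Central and IoTSpaces tables should be blank lines, since they render as a stray `+`.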
@@ -1327,31 +1820,40 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|ServiceApiResult|Yes|Total Service Api Results|Count|Count|Number of total service api results|ActivityType, ActivityName, StatusCode, StatusCodeClass|
+## microsoft.kubernetes/connectedClusters
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|capacity_cpu_cores|Yes|Total number of cpu cores in a connected cluster|Count|Total|Total number of cpu cores in a connected cluster||
++ ## Microsoft.Kusto/Clusters |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |BatchBlobCount|Yes|Batch Blob Count|Count|Average|Number of data sources in an aggregated batch for ingestion.|Database| |BatchDuration|Yes|Batch Duration|Seconds|Average|The duration of the aggregation phase in the ingestion flow.|Database|
-|BatchesProcessed|Yes|Batches Processed|Count|Average|Number of batches aggregated for ingestion. Batching Type: whether the batch reached batching time, data size or number of files limit set by batching policy|Database, SealReason|
+|BatchesProcessed|Yes|Batches Processed|Count|Total|Number of batches aggregated for ingestion. Batching Type: whether the batch reached batching time, data size or number of files limit set by batching policy|Database, SealReason|
|BatchSize|Yes|Batch Size|Bytes|Average|Uncompressed expected data size in an aggregated batch for ingestion.|Database|
-|BlobsProcessed|Yes|Blobs Processed|Count|Average|Number of blobs processed by a component.|Database, ComponentType, ComponentName|
-|BlobsReceived|Yes|Blobs Received|Count|Average|Number of blobs received from input stream by a component.|Database, ComponentType, ComponentName|
-|BlobsRejected|Yes|Blobs Rejected|Count|Average|Number of blobs permanently rejected by a component.|Database, ComponentType, ComponentName|
+|BlobsDropped|Yes|Blobs Dropped|Count|Total|Number of blobs permanently rejected by a component.|Database, ComponentType, ComponentName|
+|BlobsProcessed|Yes|Blobs Processed|Count|Total|Number of blobs processed by a component.|Database, ComponentType, ComponentName|
+|BlobsReceived|Yes|Blobs Received|Count|Total|Number of blobs received from input stream by a component.|Database, ComponentType, ComponentName|
|CacheUtilization|Yes|Cache utilization|Percent|Average|Utilization level in the cluster scope|No Dimensions| |ContinuousExportMaxLatenessMinutes|Yes|Continuous Export Max Lateness|Count|Maximum|The lateness (in minutes) reported by the continuous export jobs in the cluster|No Dimensions| |ContinuousExportNumOfRecordsExported|Yes|Continuous export ΓÇô num of exported records|Count|Total|Number of records exported, fired for every storage artifact written during the export operation|ContinuousExportName, Database| |ContinuousExportPendingCount|Yes|Continuous Export Pending Count|Count|Maximum|The number of pending continuous export jobs ready for execution|No Dimensions| |ContinuousExportResult|Yes|Continuous Export Result|Count|Count|Indicates whether Continuous Export succeeded or failed|ContinuousExportName, Result, Database| |CPU|Yes|CPU|Percent|Average|CPU utilization level|No Dimensions|
-|CumulativeLatency|Yes|Cumulative Latency|Seconds|Average|Cumulative time from when a message is discovered until it is received by the reporting component for processing (discovery time is set when message is enqueued for ingestion queue, or when discovered by data connection).|Database, ComponentType|
|DiscoveryLatency|Yes|Discovery Latency|Seconds|Average|Reported by data connections (if exist). Time in seconds from when a message is enqueued or event is created until it is discovered by data connection. This time is not included in the Azure Data Explorer total ingestion duration.|ComponentType, ComponentName|
-|EventsProcessedForEventHubs|Yes|Events processed (for Event/IoT Hubs)|Count|Total|Number of events processed by the cluster when ingesting from Event/IoT Hub|EventStatus|
+|EventsDropped|Yes|Events Dropped|Count|Total|Number of events dropped permanently by data connection. An Ingestion result metric with a failure reason will be sent.|ComponentType, ComponentName|
+|EventsProcessed|Yes|Events Processed|Count|Total|Number of events processed by the cluster|ComponentType, ComponentName|
+|EventsProcessedForEventHubs|Yes|Events Processed (for Event/IoT Hubs)|Count|Total|Number of events processed by the cluster when ingesting from Event/IoT Hub|EventStatus|
+|EventsReceived|Yes|Events Received|Count|Total|Number of events received by data connection.|ComponentType, ComponentName|
|ExportUtilization|Yes|Export Utilization|Percent|Maximum|Export utilization|No Dimensions|
-|IngestionLatencyInSeconds|Yes|Ingestion latency|Seconds|Average|Ingestion time from the source (e.g. message is in EventHub) to the cluster in seconds|No Dimensions|
-|IngestionResult|Yes|Ingestion result|Count|Count|Number of ingestion operations|IngestionResultDetails|
+|IngestionLatencyInSeconds|Yes|Ingestion Latency|Seconds|Average|Latency of data ingested, from the time the data was received in the cluster until it's ready for query. The ingestion latency period depends on the ingestion scenario.|No Dimensions|
+|IngestionResult|Yes|Ingestion result|Count|Total|Number of ingestion operations|IngestionResultDetails|
|IngestionUtilization|Yes|Ingestion utilization|Percent|Average|Ratio of used ingestion slots in the cluster|No Dimensions|
-|IngestionVolumeInMB|Yes|Ingestion volume (in MB)|Bytes|Total|Overall volume of ingested data to the cluster (in MB)|No Dimensions|
+|IngestionVolumeInMB|Yes|Ingestion Volume|Bytes|Total|Overall volume of ingested data to the cluster|Database|
|InstanceCount|Yes|Instance Count|Count|Average|Total instance count|No Dimensions| |KeepAlive|Yes|Keep alive|Count|Average|Sanity check indicates the cluster responds to queries|No Dimensions| |MaterializedViewAgeMinutes|Yes|Materialized View Age|Count|Average|The materialized view age in minutes|Database, MaterializedViewName|
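Review bot: `BlobsRejected` is removed and `BlobsDropped` is added with an identical description and dimensions, so this is a metric rename rather than a new metric; readers with alerts or dashboards keyed on the old name get no signal here, so either keep the old row marked deprecated (as the Event Hubs table does) or mention the rename in the new row. The new IngestionVolumeInMB row also keeps Unit `Bytes` while the metric name says MB; the old display name `Ingestion volume (in MB)` at least surfaced the mismatch, the new `Ingestion Volume` hides it, so confirm which unit the metric actually emits. The `+`-only line before `## Microsoft.Kusto/Clusters` inserts a stray `+` and should be a blank line.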
@@ -1361,15 +1863,19 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|MaterializedViewRecordsInDelta|Yes|Materialized View Records In Delta|Count|Average|The number of records in the non-materialized part of the view|Database, MaterializedViewName| |MaterializedViewResult|Yes|Materialized View Result|Count|Average|The result of the materialization process|Database, MaterializedViewName, Result| |QueryDuration|Yes|Query duration|Milliseconds|Average|QueriesΓÇÖ duration in seconds|QueryStatus|
-|QueryResult|No|Query Result|Count|Count|Total number of queries.|Status|
+|QueryResult|No|Query Result|Count|Count|Total number of queries.|QueryStatus|
+|QueueLength|Yes|Queue Length|Count|Average|Number of pending messages in a component's queue.|ComponentType|
+|QueueOldestMessage|Yes|Queue Oldest Message|Count|Average|Time in seconds from when the oldest message in queue was inserted.|ComponentType|
+|ReceivedDataSizeBytes|Yes|Received Data Size Bytes|Bytes|Average|Size of data received by data connection. This is the size of the data stream, or of raw data size if provided.|ComponentType, ComponentName|
+|StageLatency|Yes|Stage Latency|Seconds|Average|Cumulative time from when a message is discovered until it is received by the reporting component for processing (discovery time is set when message is enqueued for ingestion queue, or when discovered by data connection).|Database, ComponentType|
|SteamingIngestRequestRate|Yes|Streaming Ingest Request Rate|Count|RateRequestsPerSecond|Streaming ingest request rate (requests per second)|No Dimensions| |StreamingIngestDataRate|Yes|Streaming Ingest Data Rate|Count|Average|Streaming ingest data rate (MB per second)|No Dimensions| |StreamingIngestDuration|Yes|Streaming Ingest Duration|Milliseconds|Average|Streaming ingest duration in milliseconds|No Dimensions| |StreamingIngestResults|Yes|Streaming Ingest Result|Count|Average|Streaming ingest result|Result|
-|TotalNumberOfConcurrentQueries|Yes|Total number of concurrent queries|Count|Total|Total number of concurrent queries|No Dimensions|
+|TotalNumberOfConcurrentQueries|Yes|Total number of concurrent queries|Count|Maximum|Total number of concurrent queries|No Dimensions|
|TotalNumberOfExtents|Yes|Total number of extents|Count|Total|Total number of data extents|No Dimensions| |TotalNumberOfThrottledCommands|Yes|Total number of throttled commands|Count|Total|Total number of throttled commands|CommandType|
-|TotalNumberOfThrottledQueries|Yes|Total number of throttled queries|Count|Total|Total number of throttled queries|No Dimensions|
+|TotalNumberOfThrottledQueries|Yes|Total number of throttled queries|Count|Maximum|Total number of throttled queries|No Dimensions|
## Microsoft.Logic/integrationServiceEnvironments
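Review bot: The new QueueOldestMessage row has Unit `Count` but its description is `Time in seconds from when the oldest message in queue was inserted.`; the unit should be `Seconds`, as on the StageLatency row in the same hunk. StageLatency itself reuses word for word the description of the CumulativeLatency row removed in the previous hunk, so this is a rename that should be called out for anyone with existing alerts on CumulativeLatency. While touching this table, the unchanged QueryDuration row still reads `QueriesΓÇÖ duration in seconds` with Unit `Milliseconds`, a mojibake apostrophe plus a unit mismatch.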
@@ -1463,6 +1969,7 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Errors|Yes|Errors|Count|Total|Number of run errors in this workspace. Count is updated whenever run encounters an error.|Scenario| |Failed Runs|Yes|Failed Runs|Count|Total|Number of runs failed for this workspace. Count is updated when a run fails.|Scenario, RunType, PublishedPipelineId, ComputeType, PipelineStepType, ExperimentName| |Finalizing Runs|Yes|Finalizing Runs|Count|Total|Number of runs entered finalizing state for this workspace. Count is updated when a run has completed but output collection still in progress.|Scenario, RunType, PublishedPipelineId, ComputeType, PipelineStepType, ExperimentName|
+|GpuMemoryUtilization|Yes|GpuMemoryUtilization|Count|Average|Percentage of memory utilization on a GPU node. Utilization is reported at one minute intervals.|Scenario, runId, NodeId, DeviceId, ClusterName|
|GpuUtilization|Yes|GpuUtilization|Count|Average|Percentage of utilization on a GPU node. Utilization is reported at one minute intervals.|Scenario, runId, NodeId, DeviceId, ClusterName| |Idle Cores|Yes|Idle Cores|Count|Average|Number of idle cores|Scenario, ClusterName| |Idle Nodes|Yes|Idle Nodes|Count|Average|Number of idle nodes. Idle nodes are the nodes which are not running any jobs but can accept new job if available.|Scenario, ClusterName|
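Review bot: GpuMemoryUtilization is documented with Unit `Count` while its description says `Percentage of memory utilization on a GPU node`; that copies the existing GpuUtilization row, but both should be `Percent`, which is how the other percentage metrics in this file (for example CacheUtilization) are listed. The display name also just repeats the metric name; a spaced form such as `GPU Memory Utilization` would match `Idle Cores` and `Idle Nodes` in the same table.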
@@ -1505,29 +2012,65 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|AssetCount|Yes|Asset count|Count|Average|How many assets are already created in current media service account|No Dimensions| |AssetQuota|Yes|Asset quota|Count|Average|How many assets are allowed for current media service account|No Dimensions| |AssetQuotaUsedPercentage|Yes|Asset quota used percentage|Percent|Average|Asset used percentage in current media service account|No Dimensions|
+|ChannelsAndLiveEventsCount|Yes|Live event count|Count|Average|The total number of live events in the current media services account|No Dimensions|
|ContentKeyPolicyCount|Yes|Content Key Policy count|Count|Average|How many content key policies are already created in current media service account|No Dimensions| |ContentKeyPolicyQuota|Yes|Content Key Policy quota|Count|Average|How many content key polices are allowed for current media service account|No Dimensions| |ContentKeyPolicyQuotaUsedPercentage|Yes|Content Key Policy quota used percentage|Percent|Average|Content Key Policy used percentage in current media service account|No Dimensions|
+|RunningChannelsAndLiveEventsCount|Yes|Running live event count|Count|Average|The total number of running live events in the current media services account|No Dimensions|
|StreamingPolicyCount|Yes|Streaming Policy count|Count|Average|How many streaming policies are already created in current media service account|No Dimensions| |StreamingPolicyQuota|Yes|Streaming Policy quota|Count|Average|How many streaming policies are allowed for current media service account|No Dimensions| |StreamingPolicyQuotaUsedPercentage|Yes|Streaming Policy quota used percentage|Percent|Average|Streaming Policy used percentage in current media service account|No Dimensions|
+## Microsoft.Media/mediaservices/liveEvents
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|IngestBitrate|Yes|Live Event ingest bitrate|BitsPerSecond|Average|The incoming bitrate ingested for a live event, in bits per second.|TrackName|
+|IngestDriftValue|Yes|Live Event ingest drift value|Seconds|Maximum|Drift between the timestamp of the ingested content and the system clock, measured in seconds per minute. A non zero value indicates that the ingested content is arriving slower than system clock time.|TrackName|
+|IngestLastTimestamp|Yes|Live Event ingest last timestamp|Milliseconds|Maximum|Last timestamp ingested for a live event.|TrackName|
+|LiveOutputLastTimestamp|Yes|Last output timestamp|Milliseconds|Maximum|Timestamp of the last fragment uploaded to storage for a live event output.|TrackName|
++ ## Microsoft.Media/mediaservices/streamingEndpoints |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|CPU|Yes|CPU usage|Percent|Average|CPU usage for premium streaming endpoints. This data is not available for standard streaming endpoints.|VmId|
|Egress|Yes|Egress|Bytes|Total|The amount of Egress data, in bytes.|OutputFormat|
+|EgressBandwidth|No|Egress bandwidth|BitsPerSecond|Average|Egress bandwidth in bits per second.|VmId|
|Requests|Yes|Requests|Count|Total|Requests to a Streaming Endpoint.|OutputFormat, HttpStatusCode, ErrorCode| |SuccessE2ELatency|Yes|Success end to end Latency|Milliseconds|Average|The average latency for successful requests in milliseconds.|OutputFormat|
+## Microsoft.MixedReality/remoteRenderingAccounts
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ActiveRenderingSessions|Yes|Active Rendering Sessions|Count|Average|Total number of active rendering sessions|SessionType, SDKVersion|
+|AssetsConverted|Yes|Assets Converted|Count|Total|Total number of assets converted|SDKVersion|
++
+## Microsoft.MixedReality/spatialAnchorsAccounts
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|AnchorsCreated|Yes|Anchors Created|Count|Total|Number of Anchors created|DeviceFamily, SDKVersion|
+|AnchorsDeleted|Yes|Anchors Deleted|Count|Total|Number of Anchors deleted|DeviceFamily, SDKVersion|
+|AnchorsQueried|Yes|Anchors Queried|Count|Total|Number of Spatial Anchors queried|DeviceFamily, SDKVersion|
+|AnchorsUpdated|Yes|Anchors Updated|Count|Total|Number of Anchors updated|DeviceFamily, SDKVersion|
+|PosesFound|Yes|Poses Found|Count|Total|Number of Poses returned|DeviceFamily, SDKVersion|
+|TotalDailyAnchors|Yes|Total Daily Anchors|Count|Average|Total number of Anchors - Daily|DeviceFamily, SDKVersion|
++ ## Microsoft.NetApp/netAppAccounts/capacityPools |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |VolumePoolAllocatedSize|Yes|Pool Allocated Size|Bytes|Average|Provisioned size of this pool|No Dimensions|
+|VolumePoolAllocatedToVolumeThroughput|Yes|Pool allocated throughput|BytesPerSecond|Average|Sum of the throughput of all the volumes belonging to the pool|No Dimensions|
|VolumePoolAllocatedUsed|Yes|Pool Allocated To Volume Size|Bytes|Average|Allocated used size of the pool|No Dimensions|
+|VolumePoolProvisionedThroughput|Yes|Provisioned throughput for the pool|BytesPerSecond|Average|Provisioned throughput of this pool|No Dimensions|
|VolumePoolTotalLogicalSize|Yes|Pool Consumed Size|Bytes|Average|Sum of the logical size of all the volumes belonging to the pool|No Dimensions| |VolumePoolTotalSnapshotSize|Yes|Total Snapshot size for the pool|Bytes|Average|Sum of snapshot size of all volumes in this pool|No Dimensions|
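Review bot: The `## Microsoft.Media/mediaservices/liveEvents` and `## Microsoft.MixedReality/remoteRenderingAccounts` headings are added directly after a table row with no blank line in between, which some Markdown renderers treat as a continuation of the table; insert a blank line before each heading. The `+`-only lines after the liveEvents, remoteRenderingAccounts and spatialAnchorsAccounts tables render as a stray `+` and should be blank lines. Minor: in the IngestDriftValue description, `A non zero value` should be `A non-zero value`.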
@@ -1538,16 +2081,21 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|||||||| |AverageReadLatency|Yes|Average read latency|MilliSeconds|Average|Average read latency in milliseconds per operation|No Dimensions| |AverageWriteLatency|Yes|Average write latency|MilliSeconds|Average|Average write latency in milliseconds per operation|No Dimensions|
-|CbsVolumeBackupActive|Yes|Volume backup active state|Count|Average|Is backup currently suspended for the volume.|No Dimensions|
-|CbsVolumeLogicalBackupBytes|Yes|Logical bytes backed up|Bytes|Average|Total un-compressed/un-encrypted bytes backed up for this Volume.|No Dimensions|
-|CbsVolumeOperationComplete|Yes|Operation state|Count|Average|Is last backup/restore operation successful.|No Dimensions|
-|CbsVolumeOperationTransferredBytes|Yes|Bytes transferred for operation|Bytes|Average|Total bytes transferred for last backup/restore operation.|No Dimensions|
-|CbsVolumeProtected|Yes|Volume protected state|Count|Average|Is volume protected by cloud backup service.|No Dimensions|
+|CbsVolumeBackupActive|Yes|Is Volume Backup suspended|Count|Average|Is the backup policy suspended for the volume? 1 if yes, 0 if no.|No Dimensions|
+|CbsVolumeLogicalBackupBytes|Yes|Volume Backup Bytes|Bytes|Average|Total bytes backed up for this Volume.|No Dimensions|
+|CbsVolumeOperationComplete|Yes|Is Volume Backup Operation Complete|Count|Average|Did the last volume backup or restore operation complete successfully? 1 if yes, 0 if no.|No Dimensions|
+|CbsVolumeOperationTransferredBytes|Yes|Volume Backup Last Transferred Bytes|Bytes|Average|Total bytes transferred for last backup or restore operation.|No Dimensions|
+|CbsVolumeProtected|Yes|Is Volume Backup Enabled|Count|Average|Is backup enabled for the volume? 1 if yes, 0 if no.|No Dimensions|
+|OtherThroughput|Yes|Other throughput|BytesPerSecond|Average|Other throughput (that is not read or write) in bytes per second|No Dimensions|
|ReadIops|Yes|Read iops|CountPerSecond|Average|Read In/out operations per second|No Dimensions|
+|ReadThroughput|Yes|Read throughput|BytesPerSecond|Average|Read throughput in bytes per second|No Dimensions|
+|TotalThroughput|Yes|Total throughput|BytesPerSecond|Average|Sum of all throughput in bytes per second|No Dimensions|
|VolumeAllocatedSize|Yes|Volume allocated size|Bytes|Average|The provisioned size of a volume|No Dimensions|
+|VolumeConsumedSizePercentage|Yes|Percentage Volume Consumed Size|Percent|Average|The percentage of the volume consumed including snapshots.|No Dimensions|
|VolumeLogicalSize|Yes|Volume Consumed Size|Bytes|Average|Logical size of the volume (used bytes)|No Dimensions| |VolumeSnapshotSize|Yes|Volume snapshot size|Bytes|Average|Size of all snapshots in volume|No Dimensions| |WriteIops|Yes|Write iops|CountPerSecond|Average|Write In/out operations per second|No Dimensions|
+|WriteThroughput|Yes|Write throughput|BytesPerSecond|Average|Write throughput in bytes per second|No Dimensions|
|XregionReplicationHealthy|Yes|Is volume replication status healthy|Count|Average|Condition of the relationship, 1 or 0.|No Dimensions| |XregionReplicationLagTime|Yes|Volume replication lag time|Seconds|Average|The amount of time in seconds by which the data on the mirror lags behind the source.|No Dimensions| |XregionReplicationLastTransferDuration|Yes|Volume replication last transfer duration|Seconds|Average|The amount of time in seconds it took for the last transfer to complete.|No Dimensions|
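Review bot: the polarity of `CbsVolumeBackupActive` is easy to get wrong from the new text in this hunk: the metric name says "BackupActive" but the description is "Is the backup policy suspended for the volume? 1 if yes, 0 if no", so 1 means backups are not running. Since the row is being rewritten anyway, spell out both states ("1 if the backup policy is suspended, 0 if backups are running") so that nobody writes a backup-health alert with the inverted condition. Also, the `CbsVolumeLogicalBackupBytes` rewrite drops the "un-compressed/un-encrypted" qualifier and the word "Logical" from the display name, leaving "Total bytes backed up for this Volume", which no longer distinguishes logical size from the bytes actually transferred (the separate `CbsVolumeOperationTransferredBytes` row); keep "logical (uncompressed, unencrypted)" in the description.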
@@ -1646,6 +2194,12 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|||||||| |ErGatewayConnectionBitsInPerSecond|No|BitsInPerSecond|BitsPerSecond|Average|Bits ingressing Azure per second|ConnectionName| |ErGatewayConnectionBitsOutPerSecond|No|BitsOutPerSecond|BitsPerSecond|Average|Bits egressing Azure per second|ConnectionName|
+|ExpressRouteGatewayCountOfRoutesAdvertisedToPeer|Yes|Count Of Routes Advertised to Peer(Preview)|Count|Maximum|Count Of Routes Advertised To Peer by ExpressRouteGateway|roleInstance|
+|ExpressRouteGatewayCountOfRoutesLearnedFromPeer|Yes|Count Of Routes Learned from Peer (Preview)|Count|Maximum|Count Of Routes Learned From Peer by ExpressRouteGateway|roleInstance|
+|ExpressRouteGatewayCpuUtilization|Yes|CPU utilization (Preview)|Count|Average|CPU Utilization of the ExpressRoute Gateway|roleInstance|
+|ExpressRouteGatewayFrequencyOfRoutesChanged|No|Frequency of Routes change (Preview)|Count|Total|Frequency of Routes change in ExpressRoute Gateway|roleInstance|
+|ExpressRouteGatewayNumberOfVmInVnet|No|Number of VMs in the Virtual Network(Preview)|Count|Maximum|Number of VMs in the Virtual Network|No Dimensions|
+|ExpressRouteGatewayPacketsPerSecond|No|Packets per second (Preview)|CountPerSecond|Average|Packet count of ExpressRoute Gateway|roleInstance|
## Microsoft.Network/expressRoutePorts
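Review bot: `ExpressRouteGatewayCpuUtilization` is listed with unit `Count` but its display name and description say "CPU utilization", which every other CPU metric in this file reports as `Percent`; confirm the unit with the metric emitter before this ships, otherwise readers will build alert thresholds on the wrong scale. Two display names in the same hunk are also missing the space before "(Preview)": `Count Of Routes Advertised to Peer(Preview)` and `Number of VMs in the Virtual Network(Preview)`.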
@@ -1689,6 +2243,18 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|VipAvailability|Yes|Data Path Availability|Count|Average|Average Load Balancer data path availability per time duration|FrontendIPAddress, FrontendPort|
+## Microsoft.Network/natGateways
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ByteCount|Yes|Bytes|Bytes|Total|Total number of Bytes transmitted within time period|Protocol, Direction|
+|DatapathAvailability|Yes|Datapath Availability (Preview)|Count|Average|NAT Gateway Datapath Availability|No Dimensions|
+|PacketCount|Yes|Packets|Count|Total|Total number of Packets transmitted within time period|Protocol, Direction|
+|PacketDropCount|Yes|Dropped Packets|Count|Total|Count of dropped packets|No Dimensions|
+|SNATConnectionCount|Yes|SNAT Connection Count|Count|Total|Total concurrent active connections|Protocol, ConnectionState|
+|TotalConnectionCount|Yes|Total SNAT Connection Count|Count|Total|Total number of active SNAT connections|Protocol|
++ ## Microsoft.Network/networkInterfaces |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
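Review bot: the two connection-count rows in the new `Microsoft.Network/natGateways` table are not distinguishable from their descriptions: `SNATConnectionCount` is "Total concurrent active connections" and `TotalConnectionCount` is "Total number of active SNAT connections", yet both use `Total` aggregation, which is not meaningful for a concurrent (gauge) count. Given that `SNATConnectionCount` carries a `ConnectionState` dimension, it presumably counts connection state transitions (attempted/established/failed) per interval, while `TotalConnectionCount` is the gauge of active flows; say which is which and use `Maximum`/`Average` for the gauge, because SNAT port exhaustion alerts depend on reading the right one.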
@@ -1703,10 +2269,49 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|AverageRoundtripMs|Yes|Avg. Round-trip Time (ms)|MilliSeconds|Average|Average network round-trip time (ms) for connectivity monitoring probes sent between source and destination|No Dimensions|
-|ChecksFailedPercent|Yes|Checks Failed Percent (Preview)|Percent|Average|% of connectivity monitoring checks failed|SourceAddress, SourceName, SourceResourceId, SourceType, Protocol, DestinationAddress, DestinationName, DestinationResourceId, DestinationType, DestinationPort, TestGroupName, TestConfigurationName, SourceIP, DestinationIP, SourceSubnet, DestinationSubnet|
-|ProbesFailedPercent|Yes|% Probes Failed|Percent|Average|% of connectivity monitoring probes failed|No Dimensions|
-|RoundTripTimeMs|Yes|Round-Trip Time (ms) (Preview)|MilliSeconds|Average|Round-trip time in milliseconds for the connectivity monitoring checks|SourceAddress, SourceName, SourceResourceId, SourceType, Protocol, DestinationAddress, DestinationName, DestinationResourceId, DestinationType, DestinationPort, TestGroupName, TestConfigurationName, SourceIP, DestinationIP, SourceSubnet, DestinationSubnet|
+|AverageRoundtripMs|Yes|Avg. Round-trip Time (ms) (classic)|MilliSeconds|Average|Average network round-trip time (ms) for connectivity monitoring probes sent between source and destination|No Dimensions|
+|ChecksFailedPercent|Yes|Checks Failed Percent|Percent|Average|% of connectivity monitoring checks failed|SourceAddress, SourceName, SourceResourceId, SourceType, Protocol, DestinationAddress, DestinationName, DestinationResourceId, DestinationType, DestinationPort, TestGroupName, TestConfigurationName, SourceIP, DestinationIP, SourceSubnet, DestinationSubnet|
+|ProbesFailedPercent|Yes|% Probes Failed (classic)|Percent|Average|% of connectivity monitoring probes failed|No Dimensions|
+|RoundTripTimeMs|Yes|Round-Trip Time (ms)|MilliSeconds|Average|Round-trip time in milliseconds for the connectivity monitoring checks|SourceAddress, SourceName, SourceResourceId, SourceType, Protocol, DestinationAddress, DestinationName, DestinationResourceId, DestinationType, DestinationPort, TestGroupName, TestConfigurationName, SourceIP, DestinationIP, SourceSubnet, DestinationSubnet|
+|TestResult|Yes|Test Result|Count|Average|Connection monitor test result|SourceAddress, SourceName, SourceResourceId, SourceType, Protocol, DestinationAddress, DestinationName, DestinationResourceId, DestinationType, DestinationPort, TestGroupName, TestConfigurationName, TestResultCriterion, SourceIP, DestinationIP, SourceSubnet, DestinationSubnet|
++
+## Microsoft.Network/p2sVpnGateways
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|P2SBandwidth|Yes|Gateway P2S Bandwidth|BytesPerSecond|Average|Average point-to-site bandwidth of a gateway in bytes per second|No Dimensions|
+|P2SConnectionCount|Yes|P2S Connection Count|Count|Total|Point-to-site connection count of a gateway|Protocol|
++
+## Microsoft.Network/privateDnsZones
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|QueryVolume|Yes|Query Volume|Count|Total|Number of queries served for a Private DNS zone|No Dimensions|
+|RecordSetCapacityUtilization|No|Record Set Capacity Utilization|Percent|Maximum|Percent of Record Set capacity utilized by a Private DNS zone|No Dimensions|
+|RecordSetCount|Yes|Record Set Count|Count|Maximum|Number of Record Sets in a Private DNS zone|No Dimensions|
+|VirtualNetworkLinkCapacityUtilization|No|Virtual Network Link Capacity Utilization|Percent|Maximum|Percent of Virtual Network Link capacity utilized by a Private DNS zone|No Dimensions|
+|VirtualNetworkLinkCount|Yes|Virtual Network Link Count|Count|Maximum|Number of Virtual Networks linked to a Private DNS zone|No Dimensions|
+|VirtualNetworkWithRegistrationCapacityUtilization|No|Virtual Network Registration Link Capacity Utilization|Percent|Maximum|Percent of Virtual Network Link with auto-registration capacity utilized by a Private DNS zone|No Dimensions|
+|VirtualNetworkWithRegistrationLinkCount|Yes|Virtual Network Registration Link Count|Count|Maximum|Number of Virtual Networks linked to a Private DNS zone with auto-registration enabled|No Dimensions|
++
+## Microsoft.Network/privateEndpoints
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|PEBytesIn|Yes|Bytes In|Count|Total|Total number of Bytes Out|PrivateEndpointId|
+|PEBytesOut|Yes|Bytes Out|Count|Total|Total number of Bytes Out|PrivateEndpointId|
++
+## Microsoft.Network/privateLinkServices
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|PLSBytesIn|Yes|Bytes In|Count|Total|Total number of Bytes Out|PrivateLinkServiceId|
+|PLSBytesOut|Yes|Bytes Out|Count|Total|Total number of Bytes Out|PrivateLinkServiceId|
+|PLSNatPortsUsage|Yes|Nat Ports Usage|Percent|Average|Nat Ports Usage|PrivateLinkServiceId, PrivateLinkServiceIPAddress|
## Microsoft.Network/publicIPAddresses
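Review bot: copy-paste errors in the new `privateEndpoints` and `privateLinkServices` tables: `PEBytesIn` and `PLSBytesIn` are both described as "Total number of Bytes Out", and all four byte metrics (`PEBytesIn`, `PEBytesOut`, `PLSBytesIn`, `PLSBytesOut`) are given unit `Count` rather than `Bytes`. Fix the two descriptions to "Total number of Bytes In" and confirm the unit. Separately, `P2SConnectionCount` in the new `p2sVpnGateways` table uses `Total` aggregation, while the same metric in the gateway table later in this file uses `Maximum`; a connection count is a gauge, so `Maximum` is the one that makes sense and the two tables should agree.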
@@ -1754,6 +2359,12 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |AverageBandwidth|Yes|Gateway S2S Bandwidth|BytesPerSecond|Average|Average site-to-site bandwidth of a gateway in bytes per second|No Dimensions|
+|ExpressRouteGatewayCountOfRoutesAdvertisedToPeer|Yes|Count Of Routes Advertised to Peer(Preview)|Count|Maximum|Count Of Routes Advertised To Peer by ExpressRouteGateway|roleInstance|
+|ExpressRouteGatewayCountOfRoutesLearnedFromPeer|Yes|Count Of Routes Learned from Peer (Preview)|Count|Maximum|Count Of Routes Learned From Peer by ExpressRouteGateway|roleInstance|
+|ExpressRouteGatewayCpuUtilization|Yes|CPU utilization (Preview)|Count|Average|CPU Utilization of the ExpressRoute Gateway|roleInstance|
+|ExpressRouteGatewayFrequencyOfRoutesChanged|No|Frequency of Routes change (Preview)|Count|Total|Frequency of Routes change in ExpressRoute Gateway|roleInstance|
+|ExpressRouteGatewayNumberOfVmInVnet|No|Number of VMs in the Virtual Network(Preview)|Count|Maximum|Number of VMs in the Virtual Network|No Dimensions|
+|ExpressRouteGatewayPacketsPerSecond|No|Packets per second (Preview)|CountPerSecond|Average|Packet count of ExpressRoute Gateway|roleInstance|
|P2SBandwidth|Yes|Gateway P2S Bandwidth|BytesPerSecond|Average|Average point-to-site bandwidth of a gateway in bytes per second|No Dimensions| |P2SConnectionCount|Yes|P2S Connection Count|Count|Maximum|Point-to-site connection count of a gateway|Protocol| |TunnelAverageBandwidth|Yes|Tunnel Bandwidth|BytesPerSecond|Average|Average bandwidth of a tunnel in bytes per second|ConnectionName, RemoteIP|
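Review bot: these six `ExpressRouteGateway*` rows are byte-for-byte the same as the ones added earlier in this change under the expressRouteGateways section, including the `Count` unit on `ExpressRouteGatewayCpuUtilization` and the missing space before "(Preview)" in two display names. If the duplication is intentional because the metrics surface under both resource types, fix both copies together; if not, drop one.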
@@ -1773,6 +2384,27 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|PingMeshProbesFailedPercent|Yes|Failed Pings to a VM|Percent|Average|Percent of number of failed Pings to total sent Pings of a destination VM|SourceCustomerAddress, DestinationCustomerAddress|
+## Microsoft.Network/virtualRouters
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|PeeringAvailability|Yes|Bgp Availability|Percent|Average|BGP Availability between VirtualRouter and remote peers|Peer|
++
+## Microsoft.Network/vpnGateways
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|AverageBandwidth|Yes|Gateway S2S Bandwidth|BytesPerSecond|Average|Average site-to-site bandwidth of a gateway in bytes per second|No Dimensions|
+|TunnelAverageBandwidth|Yes|Tunnel Bandwidth|BytesPerSecond|Average|Average bandwidth of a tunnel in bytes per second|ConnectionName, RemoteIP|
+|TunnelEgressBytes|Yes|Tunnel Egress Bytes|Bytes|Total|Outgoing bytes of a tunnel|ConnectionName, RemoteIP|
+|TunnelEgressPacketDropTSMismatch|Yes|Tunnel Egress TS Mismatch Packet Drop|Count|Total|Outgoing packet drop count from traffic selector mismatch of a tunnel|ConnectionName, RemoteIP|
+|TunnelEgressPackets|Yes|Tunnel Egress Packets|Count|Total|Outgoing packet count of a tunnel|ConnectionName, RemoteIP|
+|TunnelIngressBytes|Yes|Tunnel Ingress Bytes|Bytes|Total|Incoming bytes of a tunnel|ConnectionName, RemoteIP|
+|TunnelIngressPacketDropTSMismatch|Yes|Tunnel Ingress TS Mismatch Packet Drop|Count|Total|Incoming packet drop count from traffic selector mismatch of a tunnel|ConnectionName, RemoteIP|
+|TunnelIngressPackets|Yes|Tunnel Ingress Packets|Count|Total|Incoming packet count of a tunnel|ConnectionName, RemoteIP|
++ ## Microsoft.NotificationHubs/Namespaces/NotificationHubs |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
@@ -1916,6 +2548,7 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|||||||| |EgressTrafficRate|Yes|Egress Traffic Rate|BitsPerSecond|Average|Egress traffic rate in bits per second|ConnectionId, SessionIp, TrafficClass| |IngressTrafficRate|Yes|Ingress Traffic Rate|BitsPerSecond|Average|Ingress traffic rate in bits per second|ConnectionId, SessionIp, TrafficClass|
+|SessionAvailability|Yes|Session Availability|Count|Average|Availability of the peering session|ConnectionId, SessionIp|
## Microsoft.Peering/peeringServices
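Review bot: `SessionAvailability` is added with unit `Count`, aggregation `Average` and the description "Availability of the peering session", which does not say what the values are. The other availability metrics in this file that use this shape state the encoding explicitly (for example `XregionReplicationHealthy`: "Condition of the relationship, 1 or 0"); do the same here so that a BGP session-down alert can be written against a known value.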
@@ -1929,11 +2562,31 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|memory_metric|Yes|Memory|Bytes|Average|Memory. Range 0-3 GB for A1, 0-5 GB for A2, 0-10 GB for A3, 0-25 GB for A4, 0-50 GB for A5 and 0-100 GB for A6|No Dimensions|
-|memory_thrashing_metric|Yes|Memory Thrashing (Datasets)|Percent|Average|Average memory thrashing.|No Dimensions|
-|qpu_high_utilization_metric|Yes|QPU High Utilization|Count|Total|QPU High Utilization In Last Minute, 1 For High QPU Utilization, Otherwise 0|No Dimensions|
-|QueryDuration|Yes|Query Duration (Datasets)|Milliseconds|Average|DAX Query duration in last interval|No Dimensions|
-|QueryPoolJobQueueLength|Yes|Query Pool Job Queue Length (Datasets)|Count|Average|Number of jobs in the queue of the query thread pool.|No Dimensions|
+|memory_metric|Yes|Memory (Gen1)|Bytes|Average|Memory. Range 0-3 GB for A1, 0-5 GB for A2, 0-10 GB for A3, 0-25 GB for A4, 0-50 GB for A5 and 0-100 GB for A6. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions|
+|memory_thrashing_metric|Yes|Memory Thrashing (Datasets) (Gen1)|Percent|Average|Average memory thrashing. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions|
+|qpu_high_utilization_metric|Yes|QPU High Utilization (Gen1)|Count|Total|QPU High Utilization In Last Minute, 1 For High QPU Utilization, Otherwise 0. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions|
+|QueryDuration|Yes|Query Duration (Datasets) (Gen1)|Milliseconds|Average|DAX Query duration in last interval. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions|
+|QueryPoolJobQueueLength|Yes|Query Pool Job Queue Length (Datasets) (Gen1)|Count|Average|Number of jobs in the queue of the query thread pool. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions|
++
+## Microsoft.ProjectBabylon/accounts
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ScanCancelled|Yes|Scan Cancelled|Count|Total|Indicates the number of scans cancelled.|ResourceId|
+|ScanCompleted|Yes|Scan Completed|Count|Total|Indicates the number of scans completed successfully.|ResourceId|
+|ScanFailed|Yes|Scan Failed|Count|Total|Indicates the number of scans failed.|ResourceId|
+|ScanTimeTaken|Yes|Scan time taken|Seconds|Total|Indicates the total scan time in seconds.|ResourceId|
++
+## microsoft.purview/accounts
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ScanCancelled|Yes|Scan Cancelled|Count|Total|Indicates the number of scans cancelled.||
+|ScanCompleted|Yes|Scan Completed|Count|Total|Indicates the number of scans completed successfully.||
+|ScanFailed|Yes|Scan Failed|Count|Total|Indicates the number of scans failed.||
+|ScanTimeTaken|Yes|Scan time taken|Seconds|Total|Indicates the total scan time in seconds.||
## Microsoft.Relay/namespaces
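Review bot: the new `Microsoft.ProjectBabylon/accounts` and `microsoft.purview/accounts` tables list the same four scan metrics with the same descriptions, but the Purview copy leaves the Dimensions cell empty where the Babylon copy has `ResourceId`, and an empty cell is inconsistent with the "No Dimensions" convention used everywhere else in this file. State whether the Purview metrics really lack the `ResourceId` dimension, and mark the ProjectBabylon section as the pre-release name of the same service if that is the case, rather than leaving two unexplained near-duplicate tables.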
@@ -1943,18 +2596,26 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|ActiveConnections|No|ActiveConnections|Count|Total|Total ActiveConnections for Microsoft.Relay.|EntityName| |ActiveListeners|No|ActiveListeners|Count|Total|Total ActiveListeners for Microsoft.Relay.|EntityName| |BytesTransferred|Yes|BytesTransferred|Bytes|Total|Total BytesTransferred for Microsoft.Relay.|EntityName|
-|ListenerConnections-ClientError|No|ListenerConnections-ClientError|Count|Total|ClientError on ListenerConnections for Microsoft.Relay.|EntityName, |
-|ListenerConnections-ServerError|No|ListenerConnections-ServerError|Count|Total|ServerError on ListenerConnections for Microsoft.Relay.|EntityName, |
-|ListenerConnections-Success|No|ListenerConnections-Success|Count|Total|Successful ListenerConnections for Microsoft.Relay.|EntityName, |
+|ListenerConnections-ClientError|No|ListenerConnections-ClientError|Count|Total|ClientError on ListenerConnections for Microsoft.Relay.|EntityName, OperationResult|
+|ListenerConnections-ServerError|No|ListenerConnections-ServerError|Count|Total|ServerError on ListenerConnections for Microsoft.Relay.|EntityName, OperationResult|
+|ListenerConnections-Success|No|ListenerConnections-Success|Count|Total|Successful ListenerConnections for Microsoft.Relay.|EntityName, OperationResult|
|ListenerConnections-TotalRequests|No|ListenerConnections-TotalRequests|Count|Total|Total ListenerConnections for Microsoft.Relay.|EntityName| |ListenerDisconnects|No|ListenerDisconnects|Count|Total|Total ListenerDisconnects for Microsoft.Relay.|EntityName|
-|SenderConnections-ClientError|No|SenderConnections-ClientError|Count|Total|ClientError on SenderConnections for Microsoft.Relay.|EntityName, |
-|SenderConnections-ServerError|No|SenderConnections-ServerError|Count|Total|ServerError on SenderConnections for Microsoft.Relay.|EntityName, |
-|SenderConnections-Success|No|SenderConnections-Success|Count|Total|Successful SenderConnections for Microsoft.Relay.|EntityName, |
+|SenderConnections-ClientError|No|SenderConnections-ClientError|Count|Total|ClientError on SenderConnections for Microsoft.Relay.|EntityName, OperationResult|
+|SenderConnections-ServerError|No|SenderConnections-ServerError|Count|Total|ServerError on SenderConnections for Microsoft.Relay.|EntityName, OperationResult|
+|SenderConnections-Success|No|SenderConnections-Success|Count|Total|Successful SenderConnections for Microsoft.Relay.|EntityName, OperationResult|
|SenderConnections-TotalRequests|No|SenderConnections-TotalRequests|Count|Total|Total SenderConnections requests for Microsoft.Relay.|EntityName| |SenderDisconnects|No|SenderDisconnects|Count|Total|Total SenderDisconnects for Microsoft.Relay.|EntityName|
+## microsoft.resources/subscriptions
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|Latency|Yes|Http Incoming Requests Latency data|Count|Average|Http Incoming Requests latency data|Method, Namespace, RequestRegion, ResourceType, Microsoft.SubscriptionId|
+|Traffic|Yes|Traffic|Count|Average|Http traffic|RequestRegion, StatusCode, StatusCodeClass, ResourceType, Namespace, Microsoft.SubscriptionId|
++ ## Microsoft.Search/searchServices |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
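Review bot: in the new `microsoft.resources/subscriptions` table, `Latency` is described as "Http Incoming Requests latency data" but has unit `Count`; a latency metric should be in `MilliSeconds` (as the connection-monitor rows in this same file use), so confirm the unit. `Traffic` is also an odd combination: "Http traffic" with unit `Count` but aggregation `Average`, where a request count is normally `Total`. The dimension name `Microsoft.SubscriptionId` does not follow the plain naming used by the other dimensions in both rows (`RequestRegion`, `StatusCode`, ...); check that it is the literal dimension key and not a doc artifact.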
@@ -1968,25 +2629,25 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|ActiveConnections|No|ActiveConnections|Count|Total|Total Active Connections for Microsoft.ServiceBus.|No Dimensions|
+|ActiveConnections|No|ActiveConnections|Count|Total|Total Active Connections for Microsoft.ServiceBus.||
|ActiveMessages|No|Count of active messages in a Queue/Topic.|Count|Average|Count of active messages in a Queue/Topic.|EntityName| |ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.ServiceBus.|EntityName| |ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.ServiceBus.|EntityName|
-|CPUXNS|No|CPU (Deprecated)|Percent|Maximum|Service bus premium namespace CPU usage metric. This metric is depricated. Please use the CPU metric (NamespaceCpuUsage) instead.|No Dimensions|
+|CPUXNS|No|CPU (Deprecated)|Percent|Maximum|Service bus premium namespace CPU usage metric. This metric is depricated. Please use the CPU metric (NamespaceCpuUsage) instead.|Replica|
|DeadletteredMessages|No|Count of dead-lettered messages in a Queue/Topic.|Count|Average|Count of dead-lettered messages in a Queue/Topic.|EntityName| |IncomingMessages|Yes|Incoming Messages|Count|Total|Incoming Messages for Microsoft.ServiceBus.|EntityName| |IncomingRequests|Yes|Incoming Requests|Count|Total|Incoming Requests for Microsoft.ServiceBus.|EntityName| |Messages|No|Count of messages in a Queue/Topic.|Count|Average|Count of messages in a Queue/Topic.|EntityName|
-|NamespaceCpuUsage|No|CPU|Percent|Maximum|Service bus premium namespace CPU usage metric.|No Dimensions|
-|NamespaceMemoryUsage|No|Memory Usage|Percent|Maximum|Service bus premium namespace memory usage metric.|No Dimensions|
+|NamespaceCpuUsage|No|CPU|Percent|Maximum|Service bus premium namespace CPU usage metric.|Replica|
+|NamespaceMemoryUsage|No|Memory Usage|Percent|Maximum|Service bus premium namespace memory usage metric.|Replica|
|OutgoingMessages|Yes|Outgoing Messages|Count|Total|Outgoing Messages for Microsoft.ServiceBus.|EntityName| |ScheduledMessages|No|Count of scheduled messages in a Queue/Topic.|Count|Average|Count of scheduled messages in a Queue/Topic.|EntityName|
-|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.ServiceBus.|EntityName, |
+|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.ServiceBus.|EntityName, OperationResult|
|Size|No|Size|Bytes|Average|Size of an Queue/Topic in Bytes.|EntityName|
-|SuccessfulRequests|No|Successful Requests|Count|Total|Total successful requests for a namespace|EntityName, |
-|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.ServiceBus.|EntityName, |
-|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.ServiceBus.|EntityName, |
-|WSXNS|No|Memory Usage (Deprecated)|Percent|Maximum|Service bus premium namespace memory usage metric. This metric is deprecated. Please use the Memory Usage (NamespaceMemoryUsage) metric instead.|No Dimensions|
+|SuccessfulRequests|No|Successful Requests|Count|Total|Total successful requests for a namespace|EntityName, OperationResult|
+|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.ServiceBus.|EntityName, OperationResult|
+|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.ServiceBus.|EntityName, OperationResult|
+|WSXNS|No|Memory Usage (Deprecated)|Percent|Maximum|Service bus premium namespace memory usage metric. This metric is deprecated. Please use the Memory Usage (NamespaceMemoryUsage) metric instead.|Replica|
## Microsoft.ServiceFabricMesh/applications
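Review bot: the `ActiveConnections` row changes its Dimensions cell from `No Dimensions` to an empty cell, which is inconsistent with every other dimensionless row in the Service Bus table (for example `NamespaceCpuUsage` keeps an explicit value); restore `No Dimensions` unless a dimension was actually meant to be added. While the `CPUXNS` row is being touched, fix "depricated" to "deprecated" in its description.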
@@ -2201,6 +2862,35 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Transactions|Yes|Transactions|Count|Total|The number of requests made to a storage service or the specified API operation. This number includes successful and failed requests, as well as requests which produced errors. Use ResponseType dimension for the number of different type of response.|ResponseType, GeoType, ApiName, Authentication|
+## Microsoft.StorageCache/caches
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ClientIOPS|Yes|Total Client IOPS|Count|Average|The rate of client file operations processed by the Cache.|No Dimensions|
+|ClientLatency|Yes|Average Client Latency|Milliseconds|Average|Average latency of client file operations to the Cache.|No Dimensions|
+|ClientLockIOPS|Yes|Client Lock IOPS|CountPerSecond|Average|Client file locking operations per second.|No Dimensions|
+|ClientMetadataReadIOPS|Yes|Client Metadata Read IOPS|CountPerSecond|Average|The rate of client file operations sent to the Cache, excluding data reads, that do not modify persistent state.|No Dimensions|
+|ClientMetadataWriteIOPS|Yes|Client Metadata Write IOPS|CountPerSecond|Average|The rate of client file operations sent to the Cache, excluding data writes, that modify persistent state.|No Dimensions|
+|ClientReadIOPS|Yes|Client Read IOPS|CountPerSecond|Average|Client read operations per second.|No Dimensions|
+|ClientReadThroughput|Yes|Average Cache Read Throughput|BytesPerSecond|Average|Client read data transfer rate.|No Dimensions|
+|ClientWriteIOPS|Yes|Client Write IOPS|CountPerSecond|Average|Client write operations per second.|No Dimensions|
+|ClientWriteThroughput|Yes|Average Cache Write Throughput|BytesPerSecond|Average|Client write data transfer rate.|No Dimensions|
+|StorageTargetAsyncWriteThroughput|Yes|StorageTarget Asynchronous Write Throughput|BytesPerSecond|Average|The rate the Cache asynchronously writes data to a particular StorageTarget. These are opportunistic writes that do not cause clients to block.|StorageTarget|
+|StorageTargetFillThroughput|Yes|StorageTarget Fill Throughput|BytesPerSecond|Average|The rate the Cache reads data from the StorageTarget to handle a cache miss.|StorageTarget|
+|StorageTargetHealth|Yes|Storage Target Health|Count|Average|Boolean results of connectivity test between the Cache and Storage Targets.|No Dimensions|
+|StorageTargetIOPS|Yes|Total StorageTarget IOPS|Count|Average|The rate of all file operations the Cache sends to a particular StorageTarget.|StorageTarget|
+|StorageTargetLatency|Yes|StorageTarget Latency|Milliseconds|Average|The average round trip latency of all the file operations the Cache sends to a partricular StorageTarget.|StorageTarget|
+|StorageTargetMetadataReadIOPS|Yes|StorageTarget Metadata Read IOPS|CountPerSecond|Average|The rate of file operations that do not modify persistent state, and excluding the read operation, that the Cache sends to a particular StorageTarget.|StorageTarget|
+|StorageTargetMetadataWriteIOPS|Yes|StorageTarget Metadata Write IOPS|CountPerSecond|Average|The rate of file operations that do modify persistent state and excluding the write operation, that the Cache sends to a particular StorageTarget.|StorageTarget|
+|StorageTargetReadAheadThroughput|Yes|StorageTarget Read Ahead Throughput|BytesPerSecond|Average|The rate the Cache opportunisticly reads data from the StorageTarget.|StorageTarget|
+|StorageTargetReadIOPS|Yes|StorageTarget Read IOPS|CountPerSecond|Average|The rate of file read operations the Cache sends to a particular StorageTarget.|StorageTarget|
+|StorageTargetSyncWriteThroughput|Yes|StorageTarget Synchronous Write Throughput|BytesPerSecond|Average|The rate the Cache synchronously writes data to a particular StorageTarget. These are writes that do cause clients to block.|StorageTarget|
+|StorageTargetTotalReadThroughput|Yes|StorageTarget Total Read Throughput|BytesPerSecond|Average|The total rate that the Cache reads data from a particular StorageTarget.|StorageTarget|
+|StorageTargetTotalWriteThroughput|Yes|StorageTarget Total Write Throughput|BytesPerSecond|Average|The total rate that the Cache writes data to a particular StorageTarget.|StorageTarget|
+|StorageTargetWriteIOPS|Yes|StorageTarget Write IOPS|Count|Average|The rate of the file write operations the Cache sends to a particular StorageTarget.|StorageTarget|
+|Uptime|Yes|Uptime|Count|Average|Boolean results of connectivity test between the Cache and monitoring system.|No Dimensions|
++ ## microsoft.storagesync/storageSyncServices |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
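Review bot: units in the new `Microsoft.StorageCache/caches` table are inconsistent between rows that describe the same kind of rate: `ClientIOPS`, `StorageTargetIOPS` and `StorageTargetWriteIOPS` use `Count` while every other "operations per second" row (`ClientReadIOPS`, `StorageTargetReadIOPS`, ...) uses `CountPerSecond`; pick one unit for all IOPS rows. Two typos in the descriptions: "partricular" in `StorageTargetLatency` and "opportunisticly" in `StorageTargetReadAheadThroughput`.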
@@ -2282,8 +2972,8 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|||||||| |BigDataPoolAllocatedCores|No|vCores allocated|Count|Maximum|Allocated vCores for an Apache Spark Pool|SubmitterId| |BigDataPoolAllocatedMemory|No|Memory allocated (GB)|Count|Maximum|Allocated Memory for Apach Spark Pool (GB)|SubmitterId|
-|BigDataPoolApplicationsActive|No|Active Apache Spark applications|Count|Count|Total Active Apache Spark Pool Applications|JobState|
-|BigDataPoolApplicationsEnded|No|Ended Apache Spark applications|Count|Count|Count of Apache Spark pool applications ended|JobType, JobResult|
+|BigDataPoolApplicationsActive|No|Active Apache Spark applications|Count|Maximum|Total Active Apache Spark Pool Applications|JobState|
+|BigDataPoolApplicationsEnded|No|Ended Apache Spark applications|Count|Total|Count of Apache Spark pool applications ended|JobType, JobResult|
## Microsoft.Synapse/workspaces/sqlPools
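Review bot: the aggregation fixes for `BigDataPoolApplicationsActive` (`Maximum`) and `BigDataPoolApplicationsEnded` (`Total`) look right, since `Count` was not a valid aggregation type in this file. While editing this table, also fix "Apach Spark Pool" to "Apache Spark Pool" in the unchanged `BigDataPoolAllocatedMemory` row just above.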
@@ -2302,12 +2992,12 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|LocalTempDBUsedPercent|No|Local tempdb used percentage|Percent|Maximum|Local tempdb utilization across all compute nodes - values are emitted every five minute|No Dimensions| |MemoryUsedPercent|No|Memory used percentage|Percent|Maximum|Memory utilization across all nodes in the SQL pool|No Dimensions| |QueuedQueries|No|Queued queries|Count|Total|Cumulative count of requests queued after the max concurrency limit was reached|IsUserDefined|
-|wlg_effective_min_resource_percent|Yes|Effective min resource percent|Percent|Minimum|The effective min resource percentage setting allowed considering the service level and the workload group settings. The effective min_percentage_resource can be adjusted higher on lower service levels|IsUserDefined, WorkloadGroup|
|WLGActiveQueries|No|Workload group active queries|Count|Total|The active queries within the workload group. Using this metric unfiltered and unsplit displays all active queries running on the system|IsUserDefined, WorkloadGroup| |WLGActiveQueriesTimeouts|No|Workload group query timeouts|Count|Total|Queries for the workload group that have timed out. Query timeouts reported by this metric are only once the query has started executing (it does not include wait time due to locking or resource waits)|IsUserDefined, WorkloadGroup|
-|WLGAllocationByMaxResourcePercent|No|Workload group allocation by max resource percent|Percent|Maximum|Displays the percentage allocation of resources relative to the Effective cap resource percent per workload group. This metric provides the effective utilization of the workload group|IsUserDefined, WorkloadGroup|
+|WLGAllocationByEffectiveCapResourcePercent|No|Workload group allocation by max resource percent|Percent|Maximum|Displays the percentage allocation of resources relative to the Effective cap resource percent per workload group. This metric provides the effective utilization of the workload group|IsUserDefined, WorkloadGroup|
|WLGAllocationBySystemPercent|No|Workload group allocation by system percent|Percent|Maximum|The percentage allocation of resources relative to the entire system|IsUserDefined, WorkloadGroup| |WLGEffectiveCapResourcePercent|No|Effective cap resource percent|Percent|Maximum|The effective cap resource percent for the workload group. If there are other workload groups with min_percentage_resource > 0, the effective_cap_percentage_resource is lowered proportionally|IsUserDefined, WorkloadGroup|
+|WLGEffectiveMinResourcePercent|No|Effective min resource percent|Percent|Maximum|The effective min resource percentage setting allowed considering the service level and the workload group settings. The effective min_percentage_resource can be adjusted higher on lower service levels|IsUserDefined, WorkloadGroup|
|WLGQueuedQueries|No|Workload group queued queries|Count|Total|Cumulative count of requests queued after the max concurrency limit was reached|IsUserDefined, WorkloadGroup|
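Review bot: the renamed row `WLGAllocationByEffectiveCapResourcePercent` keeps the old display name `Workload group allocation by max resource percent`, so the metric ID and its display name now disagree; the description already says "relative to the Effective cap resource percent", so the display name should say "effective cap" as well. In the `WLGEffectiveMinResourcePercent` row the rename also flips Exportable from Yes to No and the aggregation from Minimum to Maximum for a metric whose description is a minimum; confirm both are intended rather than copied from the neighbouring `WLGEffectiveCapResourcePercent` row, because an exportability change silently breaks existing diagnostic-settings exports that reference the old ID.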
@@ -2386,6 +3076,7 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|Http4xx|Yes|Http 4xx|Count|Total|The count of requests resulting in an HTTP status code = 400 but < 500.|Instance| |Http5xx|Yes|Http Server Errors|Count|Total|The count of requests resulting in an HTTP status code = 500 but < 600.|Instance| |HttpQueueLength|Yes|Http Queue Length|Count|Average|The average number of HTTP requests that had to sit on the queue before being fulfilled. A high or increasing HTTP Queue length is a symptom of a plan under heavy load.|Instance|
+|HttpResponseTime|Yes|Response Time|Seconds|Average|The time taken for the front end to serve requests, in seconds.|Instance|
|LargeAppServicePlanInstances|Yes|Large App Service Plan Workers|Count|Average|Large App Service Plan Workers|No Dimensions| |MediumAppServicePlanInstances|Yes|Medium App Service Plan Workers|Count|Average|Medium App Service Plan Workers|No Dimensions| |MemoryPercentage|Yes|Memory Percentage|Percent|Average|The average memory used across all instances of front end.|Instance|
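Review bot: the new `HttpResponseTime` row uses the display name `Response Time` while every sibling row in this table prefixes its display name with `Http` (`Http 4xx`, `Http Server Errors`, `Http Queue Length`); consider `Http Response Time` for consistency. Drive-by on the unchanged context rows: the `Http4xx` and `Http5xx` descriptions read "status code = 400 but < 500" and "= 500 but < 600", where the `>` of `>=` appears to have been lost, most likely to Markdown or HTML escaping; worth checking in the rendered page.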
@@ -2519,6 +3210,17 @@ For important additional information, see [Monitoring Agents Overview](agents-ov
|TotalAppDomainsUnloaded|Yes|Total App Domains Unloaded|Count|Average|The total number of AppDomains unloaded since the start of the application.|Instance|
+## Microsoft.Web/staticSites
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|BytesSent|Yes|Data Out|Bytes|Total|BytesSent|Instance|
+|FunctionErrors|Yes|FunctionErrors|Count|Total|FunctionErrors|Instance|
+|FunctionHits|Yes|FunctionHits|Count|Total|FunctionHits|Instance|
+|SiteErrors|Yes|SiteErrors|Count|Total|SiteErrors|Instance|
+|SiteHits|Yes|SiteHits|Count|Total|SiteHits|Instance|
++ ## Next steps - [Read about metrics in Azure Monitor](data-platform.md)
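Review bot: the five rows of the new `Microsoft.Web/staticSites` table put the metric name in the Description column (`|BytesSent|Yes|Data Out|Bytes|Total|BytesSent|Instance|`, `|FunctionErrors|Yes|FunctionErrors|Count|Total|FunctionErrors|Instance|`, and so on), which tells the reader nothing about what is counted or when; give each a sentence in the style of the App Service rows above, for example whether `FunctionErrors` counts failed invocations of the site's managed functions and whether `SiteErrors` counts 4xx, 5xx or both. Four of the five display names also just repeat the metric ID while `BytesSent` gets `Data Out`; pick one convention. Finally, check that the header separator row `||||||||` renders as a table header in the build rather than as an empty row.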
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-data-collection-rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/samples/resource-manager-data-collection-rules.md
@@ -78,7 +78,7 @@ The following sample creates an association between an Azure virtual machine and
## Create association with Azure Arc
-The following sample installs the Azure Monitor agent on a Windows Azure virtual machine. An association is created between an Azure Arc-enabled server machine and a data collection rule.
+The following sample creates an association between an Azure Arc-enabled server and a data collection rule.
### Template file
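Review bot: the rewrite fixes the copy-paste error (the removed sentence described installing the agent on a Windows Azure VM, which is the previous sample), but it also drops the only mention of the Azure Monitor agent in this section. If the association is only useful once the agent is installed on the Arc-enabled server, add a one-line prerequisite saying so and pointing at the agent installation sample, so the reader is not left wondering why the data collection rule produces no data.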
azure-netapp-files https://docs.microsoft.com/en-us/azure/azure-netapp-files/volume-hard-quota-guidelines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/volume-hard-quota-guidelines.md
@@ -0,0 +1,276 @@
+
+ Title: What changing to volume hard quota means for your Azure NetApp Files service | Microsoft Docs
+description: Describes the change to using volume hard quota, how to plan for the change, and how to monitor and manage capacities.
+
+documentationcenter: ''
++
+editor: ''
+
+ms.assetid:
++
+ na
+ms.devlang: na
+ Last updated : 02/05/2021++
+# What changing to volume hard quota means for your Azure NetApp Files service
+
+From the beginning of the service, Azure NetApp Files has been using a capacity-pool provisioning and automatic growth mechanism. Azure NetApp Files volumes are thinly provisioned on an underlaying, customer-provisioned capacity pool of a selected tier and size. Volume sizes (quotas) are used to provide performance and capacity, and the quotas can be adjusted on-the-fly at any time. This behavior means that, currently, the volume quota is a performance lever used to control bandwidth to the volume. Currently, underlaying capacity pools automatically grow when the capacity fills up.
+
+> [!IMPORTANT]
+> The Azure NetApp Files behavior of volume and capacity pool provisioning will change to a *manual* and *controllable* mechanism. **Starting from March 15th, 2021, volume sizes (quota) will manage bandwidth performance, as well as provisioned capacity, and underlying capacity pools will no longer grow automatically.**
+
+## Reasons for the change to volume hard quota
+
+Many customers have indicated three main challenges with the *initial* behavior:
+* VM clients would see the thinly provisioned (100 TiB) capacity of any given volume when using OS space or capacity monitoring tools, giving inaccurate client or application side capacity visibility.
+* Application owners would have no control over provisioned capacity pool space (and associated cost), because of the capacity pool auto-grow behavior. This situation is cumbersome in environments where ΓÇ£run-away processesΓÇ¥ could rapidly fill up and grow the provisioned capacity and cost.
+* Customers want to see and maintain a direct correlation between volume size (quota) and performance. With the current behavior of (implicit) oversubscribing a volume (capacity-wise) and pool auto-grow, customers do not have a direct correlation, until volume quota has been actively set or reset.
+
+Many customers have requested direct control over provisioned capacity. They want to control and balance storage capacity and utilization. They also want to control cost along with application-side and client-side visibility of available, used, and provisioned capacity and performance of their application volumes.
+
+## What is the volume hard quota change
+
+With the volume hard quota change, Azure NetApp Files volumes will no longer be thin provisioned at (the maximum) 100 TiB. The volumes will be provisioned at the actual configured size (quota). Also, the underlaying capacity pools will no longer automatically grow upon reaching full-capacity consumption. This change will reflect the behavior like Azure managed disks, which are also provisioned as-is, without automatic capacity increase.
+
+For example, consider an Azure NetApp Files volume configured at 1-TiB size (quota) on a 4-TiB Ultra service level capacity pool. An application is continuously writing data to the volume.
+
+The *initial* behavior:
+* Expected bandwidth: 128 MiB/s
+* Total usable (and client visible) capacity: 100 TiB
+ You will not be able to write more data on the volume beyond this size.
+* Capacity pool: Automatically grows with 1 TiB increments when it is full.
+* Volume quota change: Only changes performance (bandwidth) of the volume. It does not change client visible or usable capacity.
+
+The *changed* behavior:
+* Expected bandwidth: 128 MiB/s
+* Total usable (and client visible) capacity: 1 TiB
+ You will not be able to write more data on the volume beyond this size.
+* Capacity pool: Remains 4 TiB in size and does not automatically grow.
+* Volume quota change: Changes performance (bandwidth) and client visible or usable capacity of the volume.
+
+You need to proactively monitor the utilization of Azure NetApp Files volumes and capacity pools. You need to purposely change the volume and pool utilization for close-to-full consumption. Azure NetApp Files will continue to allow for [on-the-fly volume and capacity pool resize operations](azure-netapp-files-resize-capacity-pools-or-volumes.md).
+
+## How to operationalize the volume hard quota change
+
+This section provides guidance on how to operationalize the change to volume hard quota for a smooth transition. It also provides insights for handling currently provisioned volumes and capacity pools, on-going monitoring, and alerting and capacity management options.
+
+### Currently provisioned volumes and capacity pools
+
+Because of the volume hard quota change, you should change your operating model. The provisioned volumes and capacity pools will require ongoing capacity management. Because the changed behavior will happen instantly, the Azure NetApp Files team recommends a series of one-time corrective measures for existing, previously provisioned volumes and capacity pools, as described in this section.
+
+#### One-time corrective or preventative measures recommendations
+
+The volume hard quota change will result in changes in provisioned and available capacity for previously provisioned volumes and pools. As a result, some capacity allocation challenges might happen. To avoid short-term out-of-space situations for customers, the Azure NetApp Files team recommends the following, one-time corrective/preventative measures:
+
+* **Provisioned volume sizes**:
+ Resize every provisioned volume to have appropriate buffer based on change rate and alerting or resize turnaround time (for example, 20% based on typical workload considerations), with a maximum of 100 TiB (which is the [volume size limit](azure-netapp-files-resource-limits.md#resource-limits)). This new volume size, including buffer capacity, should be based on the following factors:
+ * **Provisioned** volume capacity, in case the used capacity is less than the provisioned volume quota.
+ * **Used** volume capacity, in case the used capacity is more than the provisioned volume quota.
+ There is no additional charge for volume-level capacity increase if the underlaying capacity pool does not need to be grown. As an effect of this change, you might observe a bandwidth limit *increase* for the volume (in case the [auto QoS capacity pool type](azure-netapp-files-understand-storage-hierarchy.md#qos_types) is used).
+
+* **Provisioned capacity pool sizes**:
+ After the volume sizes adjustments, if the sum of volumes sizes becomes larger than the size of the hosting capacity pool, the capacity pool will have to be increased to a size equal to or larger than the sum of the volumes, with a maximum of 500 TiB (which is the [capacity pool size limit](azure-netapp-files-resource-limits.md#resource-limits)). Additional capacity pool capacity will be subject to ACR charge as normal.
+
+You should work with your Azure NetApp Files specialists to validate your environment, if you need help with setting up monitoring or alerting as described in the sections below.
+
+### Ongoing capacity management
+
+After performing the one-time corrective measures, you should put together ongoing processes to monitor and manage capacity. The following sections provide suggestions and alternatives about capacity monitoring and management.
+
+### Monitor capacity utilization
+
+You can monitor capacity utilization at various levels.
+
+#### VM-level monitoring
+
+The highest level of monitoring (closest to the application) is from within the application virtual machine. You will observe a change in behavior in capacity reporting from within the VM client OS.
+
+In the following two scenarios, consider an Azure NetApp Files volume configured at 1-TiB size (quota) on a 4-TiB, Ultra service-level capacity pool.
+
+##### Windows
+
+Windows clients can check the used and available capacity of a volume by using the network mapped drive properties. You can use the **Explorer** -> **Drive** -> **Properties** option.
+
+The following examples show the volume capacity reporting in Windows *before* the changed behavior:
+
+![Screenshots that show example storage capacity of a volume before behavior change.](../media/azure-netapp-files/hard-quota-windows-capacity-before.png)
+
+You can also use the `dir` command at the command prompt as shown below:
+
+![Screenshot that shows using a command to display storage capacity for a volume before behavior change.](../media/azure-netapp-files/hard-quota-command-capacity-before.png)
+
+The following examples show the volume capacity reporting in Windows *after* the changed behavior:
+
+![Screenshots that show example storage capacity of a volume after behavior change.](../media/azure-netapp-files/hard-quota-windows-capacity-after.png)
+
+The following example shows the `dir` command output:
+
+![Screenshot that shows using a command to display storage capacity for a volume after behavior change.](../media/azure-netapp-files/hard-quota-command-capacity-after.png)
+
+##### Linux
+
+Linux clients can check the used and available capacity of a volume by using the [`df` command](https://linux.die.net/man/1/df). The `-h` option will show the size, used space, and available space in human-readable format, using M, G, and T unit sizes.
+
+The following example shows volume capacity reporting in Linux *before* the changed behavior:
+
+![Screenshot that shows using Linux to display storage capacity for a volume before behavior change.](../media/azure-netapp-files/hard-quota-linux-capacity-before.png)
+
+The following example shows volume capacity reporting in Linux *after* the changed behavior:
+
+![Screenshot that shows using Linux to display storage capacity for a volume after behavior change.](../media/azure-netapp-files/hard-quota-linux-capacity-after.png)
++
+### Configure alerts using ANFCapacityManager
+
+You can use the community-supported Logic Apps ANFCapacityManager tool to monitor Azure NetApp Files capacity and receive tailored alerting. The ANFCapacityManager tool is available on the [ANFCapacityManager GitHub page](https://github.com/ANFTechTeam/ANFCapacityManager).
+
+ANFCapacityManager is an Azure Logic App that manages capacity-based alert rules. It automatically increases volume sizes to prevent your Azure NetApp Files volumes from running out of space. It is easy to deploy and provides the following Alert Management capabilities:
+
+* When an Azure NetApp Files capacity pool or volume is created, ANFCapacityManager creates a metric alert rule based on the specified percent consumed threshold.
+* When an Azure NetApp Files capacity pool or volume is resized, ANFCapacityManager modifies the metric alert rule based on the specified percent capacity consumed threshold. If the alert rule does not exist, it will be created.
+* When an Azure NetApp Files capacity pool or volume is deleted, the corresponding metric alert rule will be deleted.
+
+You can configure the following key alerting settings:
+
+* **Capacity Pool % Full Threshold** - This setting determines the consumed threshold that triggers an alert for capacity pools. A value of 90 would cause an alert to be triggered when the capacity pool reaches 90% consumed.
+* **Volume % Full Threshold** - This setting determines the consumed threshold that triggers an alert for volumes. A value of 80 would cause an alert to be triggered when the volume reaches 80% consumed.
+* **Existing Action Group for Capacity Notifications** - This setting is the action group that will be triggered for capacity-based alerting. This setting should be pre-created by you. The action group can send email, SMS, or other formats.
+
+The following illustration shows the alert configuration:
+
+![Illustration that shows alert configuration by using ANFCapacityManager.](../media/azure-netapp-files/hard-quota-anfcapacitymanager-configuration.png)
+
+After installing ANFCapacityManager, you can expect the following behavior: When an Azure NetApp Files capacity pool or volume is created, modified, or deleted, the Logic App will automatically create, modify, or delete a capacity-based Metric Alert rule with the name `ANF_Pool_poolname` or `ANF_Volume_poolname_volname`.
+
+### Manage capacity
+
+In addition to monitoring and alerting, you should also incorporate an application-capacity management practice to manage Azure NetApp Files (increased) capacity consumption. When an Azure NetApp Files volume or capacity pool fills up, [extra capacity can be provided on-the-fly without application disruption](azure-netapp-files-resize-capacity-pools-or-volumes.md). This section describes various manual and automated ways to increase volume and capacity pool provisioned space as needed.
+
+#### Manual
+
+You can use the portal or the CLI to manually increase the volume or capacity pool sizes.
+
+##### Portal
+
+You can [change the size of a volume](azure-netapp-files-resize-capacity-pools-or-volumes.md#resize-a-volume) as necessary. A volume's capacity consumption counts against its pool's provisioned capacity.
+
+1. From the Manage NetApp Account blade, click **Volumes**.
+2. Right-click the name of the volume that you want to resize or click the `…` icon at the end of the volume's row to display the context menu.
+3. Use the context menu options to resize or delete the volume.
+
+ ![Screenshot that shows context menu options for a volume.](../media/azure-netapp-files/hard-quota-volume-options.png)
+
+ ![Screenshot that shows the Update Volume Quota window.](../media/azure-netapp-files/hard-quota-update-volume-quota.png)
+
+In some cases, the hosting capacity pool does not have sufficient capacity to resize the volumes. However, you can [change the capacity pool size](azure-netapp-files-resize-capacity-pools-or-volumes.md#resize-the-capacity-pool) in 1-TiB increments or decrements. The capacity pool size cannot be smaller than 4 TiB. *Resizing the capacity pool changes the purchased Azure NetApp Files capacity.*
+
+1. From the Manage NetApp Account blade, click the capacity pool that you want to resize.
+2. Right-click the capacity pool name or click the `…` icon at the end of the capacity pool’s row to display the context menu.
+3. Use the context menu options to resize or delete the capacity pool.
+
+ ![Screenshot that shows context menu options for a capacity pool.](../media/azure-netapp-files/hard-quota-pool-options.png)
+
+ ![Screenshot that shows the Resize Pool window.](../media/azure-netapp-files/hard-quota-update-resize-pool.png)
++
+##### CLI or PowerShell
+
+You can use the [Azure NetApp Files CLI tools](azure-netapp-files-sdk-cli.md#cli-tools), including the Azure CLI and Azure PowerShell, to manually change the volume or capacity pool size. The following two commands can be used to manage Azure NetApp Files volume and pool resources:
+
+* [`az netappfiles pool`](https://docs.microsoft.com/cli/azure/netappfiles/pool?view=azure-cli-latest&preserve-view=true)
+* [`az netappfiles volume`](https://docs.microsoft.com/cli/azure/netappfiles/volume?view=azure-cli-latest&preserve-view=true)
+
+To manage Azure NetApp Files resources using Azure CLI, you can open the Azure portal and select the Azure **Cloud Shell** link in the top of the menu bar:
+
+[ ![Screenshot that shows how to access Cloud Shell link.](../media/azure-netapp-files/hard-quota-update-cloud-shell-link.png) ](../media/azure-netapp-files/hard-quota-update-cloud-shell-link.png#lightbox)
+
+This action will open the Azure Cloud Shell:
+
+[ ![Screenshot that shows Cloud Shell window.](../media/azure-netapp-files/hard-quota-update-cloud-shell-window.png) ](../media/azure-netapp-files/hard-quota-update-cloud-shell-window.png#lightbox)
+
+The following examples use the commands to [show](https://docs.microsoft.com/cli/azure/netappfiles/volume?view=azure-cli-latest#az-netappfiles-volume-show&preserve-view=true) and [update](https://docs.microsoft.com/cli/azure/netappfiles/volume?view=azure-cli-latest#az-netappfiles-volume-update&preserve-view=true) the size of a volume:
+
+[ ![Screenshot that shows using PowerShell to show volume size.](../media/azure-netapp-files/hard-quota-update-powershell-volume-show.png) ](../media/azure-netapp-files/hard-quota-update-powershell-volume-show.png#lightbox)
+
+[ ![Screenshot that shows using PowerShell to update volume size.](../media/azure-netapp-files/hard-quota-update-powershell-volume-update.png) ](../media/azure-netapp-files/hard-quota-update-powershell-volume-update.png#lightbox)
+
+The following examples use the commands to [show](https://docs.microsoft.com/cli/azure/netappfiles/pool?view=azure-cli-latest#az-netappfiles-pool-show&preserve-view=true) and [update](https://docs.microsoft.com/cli/azure/netappfiles/pool?view=azure-cli-latest#az-netappfiles-pool-update&preserve-view=true) the size of a capacity pool:
+
+[ ![Screenshot that shows using PowerShell to show capacity pool size.](../media/azure-netapp-files/hard-quota-update-powershell-pool-show.png) ](../media/azure-netapp-files/hard-quota-update-powershell-pool-show.png#lightbox)
+
+[ ![Screenshot that shows using PowerShell to update capacity pool size.](../media/azure-netapp-files/hard-quota-update-powershell-pool-update.png) ](../media/azure-netapp-files/hard-quota-update-powershell-pool-update.png#lightbox)
+
+#### Automated
+
+You can build an automated process to manage the changed behavior.
+
+##### REST API
+
+The REST API for the Azure NetApp Files service defines HTTP operations against resources such as the NetApp account, the capacity pool, the volumes, and snapshots. The REST API specification for Azure NetApp Files is published through the [Azure NetApp Files Resource Manager GitHub page](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/netapp/resource-manager)]. You can find [example code for use with REST APIs](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/netapp/resource-manager/Microsoft.NetApp/stable/2020-06-01/examples) in GitHub.
+
+See [Develop for Azure NetApp Files with REST API](azure-netapp-files-develop-with-rest-api.md).
+
+##### REST API using PowerShell
+
+The REST API for the Azure NetApp Files service defines HTTP operations against resources such as the NetApp account, the capacity pool, the volumes, and snapshots. The [REST API specification for Azure NetApp Files](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/netapp/resource-manager) is published through GitHub.
+
+See [Develop for Azure NetApp Files with REST API using PowerShell](develop-rest-api-powershell.md).
+
+##### Capacity management using ANFCapacityManager
+
+ANFCapacityManager is an Azure Logic App that manages capacity-based alert rules. It automatically increases volume sizes to prevent your Azure NetApp Files volumes from running out of space. In addition to sending alerts, it can enable the automatic increase of volume and capacity pool sizes to prevent your Azure NetApp Files volumes from running out of space:
+
+* Optionally, when an Azure NetApp Files Volume reaches the specified percent consumed threshold, the volume quota (size) will be increased by the percent specified between 10-100.
+* If increasing the volume size exceeds the capacity of the containing capacity pool, the capacity pool size will also be increased to accommodate the new volume size.
+
+You can configure the following key capacity management setting:
+
+* **AutoGrow Percent Increase** - Percent of the existing volume size to automatically grow a volume if it reaches the specified **% Full Threshold**. A value of 0 (zero) will disable the AutoGrow feature. A value between 10 and 100 is recommended.
+
+ ![Screenshot that shows Set Volume Auto Growth Percent window.](../media/azure-netapp-files/hard-quota-volume-anfcapacitymanager-auto-grow-percent.png)
+
+## FAQ
+
+This section answers some questions about the volume hard quota change.
+
+### Does snapshot space count towards the usable or provisioned capacity of a volume?
+
+Yes, the consumed snapshot capacity counts towards the provisioned space in the volume. In case the volume runs full, consider two remediation options:
+
+* Resize the volume as described in this article.
+* Remove older snapshots to free up space in the hosting volume.
+
+### Does this change mean the volume auto-grow behavior will disappear from Azure NetApp Files?
+
+A common misconception is that Azure NetApp Files *volumes* would automatically grow upon filling up. Volumes were thinly provisioned with a size of 100 TiB, regardless of the actual set quota, while the underlaying *capacity pool* would automatically grow with 1-TiB increments. This change will address the (visible and usable) *volume* size to the set quota, and *capacity pools* will no longer automatically grow. This change results in commonly desired accurate client-side space and capacity reporting. It avoids "runaway" capacity consumption.
+
+### Does this change have any effect on volumes replicated with cross-region-replication (preview)?
+
+The hard volume quota is not enforced on replication destination volumes.
+
+### Does this change have any effect on metrics currently available in Azure Monitor?
+
+Portal metrics and Azure Monitor statistics will accurately reflect the new allocation and utilization model.
+
+### Does this change have any effect on the resource limits for Azure NetApp Files?
+
+There is no change in resource limits for Azure NetApp Files beyond the quota changes described in this article.
+
+### Is there an example ANFCapacityManager workflow?
+
+Yes. See the [Volume AutoGrow Workflow Example GitHub page](https://github.com/ANFTechTeam/ANFCapacityManager/blob/master/ResizeWorkflow.md).
+
+### Is ANFCapacityManager Microsoft supported?
+
+[The ANFCapacityManager logic app is provided as-is and is not supported by NetApp or Microsoft](https://github.com/ANFTechTeam/ANFCapacityManager#disclaimer). You are encouraged to modify to fit your specific environment or requirements. You should test the functionality before deploying it to any business critical or production environments.
+
+### How can I report a bug or submit a feature request for ANFCapacityManger?
+You can submit bugs and feature requests by clicking **New Issue** on the [ANFCapacityManager GitHub page](https://github.com/ANFTechTeam/ANFCapacityManager/issues).
+
+## Next steps
+* [Resize a capacity pool or a volume](azure-netapp-files-resize-capacity-pools-or-volumes.md)
+* [Metrics for Azure NetApp Files](azure-netapp-files-metrics.md)
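Review bot: in the *initial* behavior list, the line "You will not be able to write more data on the volume beyond this size" sits under "Total usable (and client visible) capacity: 100 TiB" while the next bullet says the capacity pool "Automatically grows with 1 TiB increments when it is full"; as written the list says both that writes stop at 100 TiB and that capacity grows without bound, and the sentence looks copied from the *changed* behavior list. Either drop it from the initial list or qualify it (the 100 TiB cap is the volume size limit, with the pool growing underneath). Second, the "Configure alerts using ANFCapacityManager" section states flatly that the tool "automatically increases volume sizes to prevent your Azure NetApp Files volumes from running out of space", but the later "Capacity management using ANFCapacityManager" section says AutoGrow is optional and that "A value of 0 (zero) will disable the AutoGrow feature"; the alerting paragraph should say "can optionally increase". Since auto-growing pools on a percent-full trigger reintroduces exactly the "run-away process" cost exposure the article gives as a reason for the change, the AutoGrow section also deserves a sentence on bounding growth and a reminder that pool growth is billed, and the FAQ on support should state what write permissions the Logic App needs on the NetApp account, given that it creates alert rules and resizes pools and volumes. Mechanical items: "underlaying" should be "underlying" throughout; the Reasons list contains the mojibake `ΓÇ£run-away processesΓÇ¥`; there is a stray `]` after the Resource Manager GitHub link in the REST API section; and the last FAQ heading misspells the tool as "ANFCapacityManger".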
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/security-baseline.md
@@ -1165,7 +1165,7 @@ https://docs.microsoft.com/azure/security-center/security-center-provide-securit
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
How to configure continuous export:
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules-changelog https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-database-vulnerability-assessment-rules-changelog.md
@@ -1,19 +1,19 @@
Title: SQL Vulnerability Assessment rules changelog
-description: "Changelog for SQL Vulnerability Assessment rules with SQL Server, Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics"
+ Title: SQL Vulnerability assessment rules changelog
+description: "Changelog for SQL Vulnerability assessment rules with SQL Server, Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics"
--++ Last updated 12/14/2020
-# SQL Vulnerability Assessment rules changelog
+# SQL Vulnerability assessment rules changelog
-This article details the changes made to the SQL Vulnerability Assessment service rules. Rules that are updated, removed, or added will be outlined below. For an updated list of SQL Vulnerability Assessment rules, see [SQL Vulnerability Assessment rules](sql-database-vulnerability-assessment-rules.md).
+This article details the changes made to the SQL Vulnerability Assessment service rules. Rules that are updated, removed, or added will be outlined below. For an updated list of SQL Vulnerability assessment rules, see [SQL Vulnerability Assessment rules](sql-database-vulnerability-assessment-rules.md).
## December 2020
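Review bot: the casing change is applied inconsistently within this hunk: the title, description and H1 now read "SQL Vulnerability assessment rules changelog" (lowercase "assessment"), while the body sentence in the same hunk keeps "SQL Vulnerability Assessment service rules" and the link text "[SQL Vulnerability Assessment rules]", and the link's own sentence mixes both forms ("For an updated list of SQL Vulnerability assessment rules, see [SQL Vulnerability Assessment rules]"). Pick one casing (the product name is capitalized in every other hunk on this page) and apply it to the title, the H1 and the body together.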
@@ -77,4 +77,4 @@ This article details the changes made to the SQL Vulnerability Assessment servic
- [SQL Vulnerability Assessment rules](sql-database-vulnerability-assessment-rules.md) - [SQL Vulnerability Assessment overview](sql-vulnerability-assessment.md)-- [Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets](sql-database-vulnerability-assessment-storage.md)
+- [Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets](sql-database-vulnerability-assessment-storage.md)
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-database-vulnerability-assessment-rules.md
@@ -5,8 +5,8 @@
--++ Last updated 12/14/2020
@@ -18,7 +18,7 @@ This article lists the set of built-in rules that are used to flag security vuln
The rules shown in your database scans depend on the SQL version and platform that was scanned.
-To learn about how to implement Vulnerability Assessment in Azure, see [Implement Vulnerability Assessment](./sql-vulnerability-assessment.md#implement-vulnerability-assessment).
+To learn about how to implement Vulnerability Assessment in Azure, see [Implement Vulnerability Assessment](./sql-vulnerability-assessment.md#configure-vulnerability-assessment).
For a list of changes to these rules, see [SQL Vulnerability Assessment rules changelog](sql-database-vulnerability-assessment-rules-changelog.md).
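Review bot: the anchor is updated to `#configure-vulnerability-assessment` but the link text still reads "Implement Vulnerability Assessment"; update the text to match the renamed heading ("Configure Vulnerability Assessment"), otherwise readers land on a section whose title does not match what they clicked, and the next heading rename will leave another stale anchor with no visible hint which one it is.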
@@ -197,4 +197,4 @@ SQL Vulnerability Assessment rules have five categories, which are in the follow
## Next steps - [Vulnerability Assessment](sql-vulnerability-assessment.md)-- [SQL Vulnerability Assessment rules changelog](sql-database-vulnerability-assessment-rules-changelog.md)
+- [SQL Vulnerability Assessment rules changelog](sql-database-vulnerability-assessment-rules-changelog.md)
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-database-vulnerability-assessment-storage.md
@@ -12,7 +12,7 @@ Last updated 12/01/2020
# Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets If you are limiting access to your storage account in Azure for certain VNets or services, you'll need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for SQL Databases or Managed Instances have access to that storage account.
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-vulnerability-assessment.md
@@ -8,14 +8,14 @@
ms.devlang: --++ Last updated 09/21/2020 tags: azure-synapse # SQL Vulnerability Assessment helps you identify database vulnerabilities SQL Vulnerability Assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.
@@ -24,17 +24,13 @@ Vulnerability Assessment is part of the [Azure Defender for SQL](azure-defender-
> [!NOTE] > Vulnerability Assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. Databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics are referred to collectively in the remainder of this article as databases, and the server is referring to the [server](logical-servers.md) that hosts databases for Azure SQL Database and Azure Synapse.
-## Vulnerability Assessment
+## What is SQL Vulnerability Assessment?
-SQL Vulnerability Assessment is a service that provides visibility into your security state. Vulnerability Assessment includes actionable steps to resolve security issues and enhance your database security. It can help you:
--- Meet compliance requirements that require database scan reports.-- Meet data privacy standards.-- Monitor a dynamic database environment where changes are difficult to track.
+SQL Vulnerability Assessment is a service that provides visibility into your security state. Vulnerability Assessment includes actionable steps to resolve security issues and enhance your database security. It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.
Vulnerability Assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
-The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.
+The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:
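Review bot: the rewritten sentence on the `+SQL Vulnerability Assessment is a service...` line is ambiguous, since "where changes are difficult to track and improve your SQL security posture" reads as if the changes are hard to "track and improve"; suggest "It can help you monitor a dynamic database environment where changes are difficult to track, and improve your SQL security posture." Note also that dropping the three bullets and the "requirements from various regulatory bodies" sentence removes the article's only statement that the rules map to compliance requirements; if that is deliberate, say so in the PR description, because the "Next steps" links and the rules changelog still present the service as a compliance aid.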
@@ -42,71 +38,66 @@ Results of the scan include actionable steps to resolve each issue and provide c
- Feature configurations - Database settings
-## Implement Vulnerability Assessment
-
-The following steps implement the vulnerability assessment:
+## Configure Vulnerability Assessment
-### 1. Run a scan
+The following steps configure the vulnerability assessment:
1. Go to your Azure SQL Database, SQL Managed Instance Database, or Azure Synapse resource in the [Azure portal](https://portal.azure.com).
-1. Under the **Security** heading, select **Security center**.
+2. Under the **Security** heading, select **Security Center**.
+
+3. Then click **Configure** on the link to open the Azure Defender for SQL settings pane for either the entire server or managed instance.
-1. Then click **Configure** on the **Vulnerability Assessment** pane to open the Vulnerability Assessment settings pane for either the entire server or managed instance.
+ > [!NOTE]
+ > SQL Vulnerability Assessment requires **Azure Defender for SQL** plan to be able to run scans. For more information about how to enable Azure Defender for SQL, see [Azure Defender for SQL](azure-defender-for-sql.md).
+
+4. Configure a storage account where your scan results for all databases on the server or managed instance will be stored. For information about storage accounts, see [About Azure storage accounts](../../storage/common/storage-account-create.md).
> [!NOTE] > For more information about storing Vulnerability Assessment scans behind firewalls and VNets, see [Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets](sql-database-vulnerability-assessment-storage.md).
-1. Configure a storage account where your scan results for all databases on the server or managed instance will be stored. For information about storage accounts, see [About Azure storage accounts](../../storage/common/storage-account-create.md). After storage is configured, select **Scan** to scan your database for vulnerabilities.
+5. Configure SQL Vulnerability Assessment to automatically run periodic recurring scans once a week to detect any change security misconfiguration automatically. To do so, enable **Periodic recurring scans** under the storage account selection. A scan result summary is sent to the email addresses you provide in **Send scan reports to**. You can also send email notification to admins and subscription owners by enabling **Also send email notification to admins and subscription owners**.
+
+6. SQL Vulnerability Assessment can run scan on demand. After you configured SQL Vulnerability Assessment, select **Scan** to scan your database for vulnerabilities.
![Scan a database](./media/sql-vulnerability-assessment/pp_va_initialize.png) > [!NOTE] > The scan is lightweight and safe. It takes a few seconds to run and is entirely read-only. It doesn't make any changes to your database.
-### 2. View the report
+## Remediate vulnerabilities
-When your scan is finished, your scan report is automatically displayed in the Azure portal. The report presents an overview of your security state. It lists how many issues were found and their respective severities. Results include warnings on deviations from best practices and a snapshot of your security-related settings, such as database principals and roles and their associated permissions. The scan report also provides a map of sensitive data discovered in your database. It includes recommendations to classify that data by using [data discovery and classification](data-discovery-and-classification-overview.md).
+1. When your scan is finished, your scan report is automatically displayed in the Azure portal. The report presents an overview of your security state. It lists how many issues were found and their respective severities. Results include warnings on deviations from best practices and a snapshot of your security-related settings, such as database principals and roles, and their associated permissions.
![View the report](./media/sql-vulnerability-assessment/pp_main_getstarted.png)
-### 3. Analyze the results and resolve issues
-
-Review your results and determine the findings in the report that are true security issues in your environment. Drill down to each failed result to understand the impact of the finding and why each security check failed. Use the actionable remediation information provided by the report to resolve the issue.
+2. Review your results and determine the findings in the report that are true security issues in your environment. Drill down to each failed result to understand the impact of the findings and why each security check failed. Use the actionable remediation information provided by the report to resolve issues.
![Analyze the report](./media/sql-vulnerability-assessment/pp_fail_rule_show_remediation.png)
-### 4. Set your baseline
-
-As you review your assessment results, you can mark specific results as being an acceptable *baseline* in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. After you've established your baseline security state, Vulnerability Assessment only reports on deviations from the baseline. In this way, you can focus your attention on the relevant issues.
+3. As you review your assessment results, you can mark specific results as being an acceptable *baseline* in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. After you've established your baseline security state, Vulnerability Assessment only reports on deviations from the baseline. In this way, you can focus your attention on the relevant issues.
![Set your baseline](./media/sql-vulnerability-assessment/pp_fail_rule_show_baseline.png)
-### 5. Run a new scan to see your customized tracking report
-
-After you finish setting up your **Rule Baselines**, run a new scan to view the customized report. Vulnerability Assessment now reports only the security issues that deviate from your approved baseline state.
+4. After you finish setting up your **Rule Baselines**, run a new scan to view the customized report. Vulnerability Assessment now reports only the security issues that deviate from your approved baseline state.
![View your customized report](./media/sql-vulnerability-assessment/pp_pass_main_with_baselines.png)
-Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, Vulnerability Assessment reports can be helpful to facilitate the compliance process.
-
-### 6. Set up periodic recurring scans
-
-Go to the Vulnerability Assessment settings to turn on **Periodic recurring scans**. This setting configures Vulnerability Assessment to automatically run a scan on your database once per week. A scan result summary is sent to the email addresses you provide.
+Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met.
-![recurring scans setting](./media/sql-vulnerability-assessment/pp_recurring_scans.png)
+## Advanced capabilities
-### 7. Export an assessment report
+### Export an assessment report
Select **Export Scan Results** to create a downloadable Excel report of your scan result. This report contains a summary tab that displays a summary of the assessment. The report includes all failed checks. It also includes a **Results** tab that contains the full set of results from the scan. The results include all checks that were run and the result details for each.
-### 8. View scan history
+### View scan history
Select **Scan History** in the Vulnerability Assessment pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.
-Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, Vulnerability Assessment reports can be helpful to facilitate the compliance process.
+## Manage vulnerability assessments programmatically
-## Manage vulnerability assessments by using Azure PowerShell
+### Using Azure PowerShell
[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)] > [!IMPORTANT]
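Review bot: step 3 (`+3. Then click **Configure** on the link to open the Azure Defender for SQL settings pane`) no longer says which link; the removed line named the **Vulnerability Assessment** pane, so name the link or pane explicitly. Step 5 has a garbled phrase: "to detect any change security misconfiguration automatically" should be "to detect any security misconfiguration changes automatically", and "send email notification" should be plural. Step 6 should read "can run scans on demand. After you have configured SQL Vulnerability Assessment, select **Scan**". The note needs an article: "requires the **Azure Defender for SQL** plan". In the Remediate section the images between the numbered steps (for example `![View the report](...)`) are not indented under their list items, so some renderers will break the list; indent them by three spaces. Finally, the removed report paragraph drops the sentence about the sensitive-data map and with it the only link to data-discovery-and-classification-overview.md; confirm that removal is intended.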
@@ -140,7 +131,7 @@ You can use Azure PowerShell cmdlets to programmatically manage your vulnerabili
For a script example, see [Azure SQL Vulnerability Assessment PowerShell support](/archive/blogs/sqlsecurity/azure-sql-vulnerability-assessment-now-with-powershell-support).
-## Manage Vulnerability Assessment baseline rules by using Resource Manager templates
+### Using Resource Manager templates
To configure Vulnerability Assessment baselines by using Azure Resource Manager templates, use the `Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines` type.
backup https://docs.microsoft.com/en-us/azure/backup/disk-backup-support-matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/disk-backup-support-matrix.md
@@ -17,7 +17,7 @@ You can use [Azure Backup](./backup-overview.md) to protect Azure Disks. This ar
## Supported regions
-Azure Disk Backup is available in preview in the following regions: West US, West Central US, East US2, Canada Central, UK West, Australia Central, Korea Central, Korea South, Japan West, East Asia, UAE North, Brazil South, Central India.
+Azure Disk Backup is available in preview in the following regions: West US, West Central US, East US2, Canada Central, UK West, Switzerland North, Switzerland West, Australia Central, Australia Central 2, Korea Central, Korea South, Japan West, East Asia, UAE North, Brazil South, Central India.
More regions will be announced when they become available.
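Review bot: in the added region list "East US2" should be "East US 2" to match the Azure region display name; the newly added "Australia Central 2" already uses the spaced form, so the list is inconsistent with itself.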
backup https://docs.microsoft.com/en-us/azure/backup/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/security-baseline.md
@@ -985,7 +985,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
- [How to configure continuous export](../security-center/continuous-export.md)
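Review bot: the corrected guidance now says to stream alerts to Azure Sentinel, but the link list below it only links continuous export; the cloud-shell security baseline's identical 10.5 section also carries "[How to stream alerts into Azure Sentinel](../sentinel/connect-azure-security-center.md)", so add that link here so the reader has the referenced procedure.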
cloud-services https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-msrc-releases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-msrc-releases.md
@@ -10,7 +10,7 @@
na Previously updated : 1/26/2021 Last updated : 2/5/2021
@@ -18,33 +18,31 @@
The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to the Guest OS you are using. Updates always carry forward for the particular [family][family-explain] they were introduced in. ## January 2021 Guest OS
->[!NOTE]
->The January Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the January Guest OS. This list is subject to change."
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | |
-| Rel 21-01 | [4598230] | Latest Cumulative Update (LCU) | 6.27 | Jan 12, 2021 |
-| Rel 21-01 | [4580325] | Flash update | 3.93, 4.86, 5.51, 6.27 | Oct 13, 2020 |
-| Rel 21-01 | [4586768] | IE Cumulative Updates | 2.106, 3.93, 4.86 | Nov 10, 2020 |
-| Rel 21-01 | [4598243] | Latest Cumulative Update (LCU) | 5.51 | Jan 12, 2021 |
-| Rel 21-01 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | 2.106 | Jan 12, 2021 |
-| Rel 21-01 | [4578955] | .NET Framework 4.5.2 Security and Quality Rollup | 2.106 | Jan 12, 2021 |
-| Rel 21-01 | [4578953] | .NET Framework 3.5 Security and Quality Rollup | 4.86 | Jan 12, 2021 |
-| Rel 21-01 | [4578956] | .NET Framework 4.5.2 Security and Quality Rollup | 4.86 | Jan 12, 2021 |
-| Rel 21-01 | [4578950] | .NET Framework 3.5 Security and Quality Rollup | 3.93 | Jan 12, 2021 |
-| Rel 21-01 | [4578954] | .NET Framework 4.5.2 Security and Quality Rollup | 3.93 | Jan 12, 2021 |
-| Rel 21-01 | [4578966] | .NET Framework 3.5 and 4.7.2 Cumulative Update | 6.27 | Oct 13, 2020 |
-| Rel 21-01 | [4598279] | Monthly Rollup | 2.106 | Jan 12, 2020 |
-| Rel 21-01 | [4598278] | Monthly Rollup | 3.93 | Jan 12, 2020 |
-| Rel 21-01 | [4598285] | Monthly Rollup | 4.86 | Jan 12, 2020 |
-| Rel 21-01 | [4566426] | Servicing Stack update | 3.93 | Jul 14, 2020 |
-| Rel 21-01 | [4566425] | Servicing Stack update | 4.86 | Jul 14, 2020 |
-| Rel 21-01 OOB | [4578013] | Standalone Security Update | 4.86 | Aug 19, 2020 |
-| Rel 21-01 | [4576750] | Servicing Stack update | 5.51 | Sep 8, 2020 |
-| Rel 21-01 | [4592510] | Servicing Stack update | 2.106 | Dec 8, 2020 |
-| Rel 21-01 | [4598480] | Servicing Stack update | 6.27 | Jan 12, 2021 |
-| Rel 21-01 | [4494175] | Microcode | 5.51 | Sep 1, 2020 |
-| Rel 21-01 | [4494174] | Microcode | 6.27 | Sep 3, 2020 |
+| Rel 21-01 | [4598230] | Latest Cumulative Update (LCU) | [6.27] | Jan 12, 2021 |
+| Rel 21-01 | [4580325] | Flash update | [3.93], [4.86], [5.51], [6.27] | Oct 13, 2020 |
+| Rel 21-01 | [4586768] | IE Cumulative Updates | [2.106], [3.93], [4.86] | Nov 10, 2020 |
+| Rel 21-01 | [4598243] | Latest Cumulative Update (LCU) | [5.51] | Jan 12, 2021 |
+| Rel 21-01 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | [2.106] | Jan 12, 2021 |
+| Rel 21-01 | [4578955] | .NET Framework 4.5.2 Security and Quality Rollup | [2.106] | Jan 12, 2021 |
+| Rel 21-01 | [4578953] | .NET Framework 3.5 Security and Quality Rollup | [4.86] | Jan 12, 2021 |
+| Rel 21-01 | [4578956] | .NET Framework 4.5.2 Security and Quality Rollup | [4.86] | Jan 12, 2021 |
+| Rel 21-01 | [4578950] | .NET Framework 3.5 Security and Quality Rollup | [3.93] | Jan 12, 2021 |
+| Rel 21-01 | [4578954] | .NET Framework 4.5.2 Security and Quality Rollup | [3.93] | Jan 12, 2021 |
+| Rel 21-01 | [4578966] | .NET Framework 3.5 and 4.7.2 Cumulative Update | [6.27] | Oct 13, 2020 |
+| Rel 21-01 | [4598279] | Monthly Rollup | [2.106] | Jan 12, 2020 |
+| Rel 21-01 | [4598278] | Monthly Rollup | [3.93] | Jan 12, 2020 |
+| Rel 21-01 | [4598285] | Monthly Rollup | [4.86] | Jan 12, 2020 |
+| Rel 21-01 | [4566426] | Servicing Stack update | [3.93] | Jul 14, 2020 |
+| Rel 21-01 | [4566425] | Servicing Stack update | [4.86] | Jul 14, 2020 |
+| Rel 21-01 OOB | [4578013] | Standalone Security Update | [4.86] | Aug 19, 2020 |
+| Rel 21-01 | [4576750] | Servicing Stack update | [5.51] | Sep 8, 2020 |
+| Rel 21-01 | [4592510] | Servicing Stack update | [2.106] | Dec 8, 2020 |
+| Rel 21-01 | [4598480] | Servicing Stack update | [6.27] | Jan 12, 2021 |
+| Rel 21-01 | [4494175] | Microcode | [5.51] | Sep 1, 2020 |
+| Rel 21-01 | [4494174] | Microcode | [6.27] | Sep 3, 2020 |
[4598230]: https://support.microsoft.com/kb/4598230 [4580325]: https://support.microsoft.com/kb/4580325
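Review bot: the three Monthly Rollup rows (`[4598279]`, `[4598278]`, `[4598285]`) were copied into the `+` rows with "Jan 12, 2020" as Date First Introduced, while every other Rel 21-01 update introduced that day is dated "Jan 12, 2021"; verify and correct the year while the rows are being rewritten. The removed NOTE (which also ended with a stray `"`) stated that the January Guest OS was still rolling out; its removal is consistent with the "February 5, 2021: The January Guest OS has released" news entry added in the update-matrix change, so no further action there.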
@@ -68,7 +66,11 @@ The following tables show the Microsoft Security Response Center (MSRC) updates
[4598480]: https://support.microsoft.com/kb/4598480 [4494175]: https://support.microsoft.com/kb/4494175 [4494174]: https://support.microsoft.com/kb/4494174-
+[2.106]: ./cloud-services-guestos-update-matrix.md#family-2-releases
+[3.93]: ./cloud-services-guestos-update-matrix.md#family-3-releases
+[4.86]: ./cloud-services-guestos-update-matrix.md#family-4-releases
+[5.51]: ./cloud-services-guestos-update-matrix.md#family-5-releases
+[6.27]: ./cloud-services-guestos-update-matrix.md#family-6-releases
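Review bot: the new reference links `[2.106]` through `[6.27]` point at `#family-N-releases` anchors in cloud-services-guestos-update-matrix.md, but the headings that generate those anchors are not part of this change; confirm the exact heading text in that file so the fragment links resolve rather than silently dropping to the top of the page. The context line ending in `kb/4494174-` also suggests a blank line was removed before the new definitions; keep one blank line between the KB list and the new family links for readability.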
## December 2020 Guest OS
cloud-services https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-update-matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-update-matrix.md
@@ -10,7 +10,7 @@
na Previously updated : 1/15/2021 Last updated : 2/5/2021 # Azure Guest OS releases and SDK compatibility matrix
@@ -36,6 +36,9 @@ Unsure about how to update your Guest OS? Check [this][cloud updates] out.
## News updates
+###### **February 5, 2021**
+The January Guest OS has released.
+ ###### **January 15, 2021** The December Guest OS has released.
@@ -146,8 +149,9 @@ The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-6.27_202101-01 | February 5, 2021 | Post 6.29 |
| WA-GUEST-OS-6.26_202012-01 | January 15, 2021 | Post 6.28 |
-| WA-GUEST-OS-6.25_202011-01 | December 19, 2020 | Post 6.27 |
+|~~WA-GUEST-OS-6.25_202011-01~~| December 19, 2020 | February 5, 2021 |
|~~WA-GUEST-OS-6.24_202010-02~~| November 17, 2020 | January 15, 2021 | |~~WA-GUEST-OS-6.23_202009-01~~| October 10, 2020 | December 19, 2020 | |~~WA-GUEST-OS-6.22_202008-02~~| September 5, 2020 | November 17, 2020 |
@@ -185,8 +189,9 @@ The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-5.51_202101-01 | February 5, 2021 | Post 5.53 |
| WA-GUEST-OS-5.50_202012-01 | January 15, 2021 | Post 5.52 |
-| WA-GUEST-OS-5.49_202011-01 | December 19, 2020 | Post 5.51 |
+|~~WA-GUEST-OS-5.49_202011-01~~| December 19, 2020 | February 5, 2021 |
|~~WA-GUEST-OS-5.48_202010-02~~| November 17, 2020 | January 15, 2021 | |~~WA-GUEST-OS-5.47_202009-01~~| October 10, 2020 | December 19, 2020 | |~~WA-GUEST-OS-5.46_202008-02~~| September 5, 2020 | November 17, 2020 |
@@ -221,8 +226,9 @@ The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-4.86_202101-01 | February 5, 2021 | Post 4.88 |
| WA-GUEST-OS-4.85_202012-01 | January 15, 2021 | Post 4.87 |
-| WA-GUEST-OS-4.84_202011-01 | December 19, 2020 | Post 4.86 |
+|~~WA-GUEST-OS-4.84_202011-01~~| December 19, 2020 | February 5, 2021 |
|~~WA-GUEST-OS-4.83_202010-02~~| November 17, 2020 | January 15, 2021 | |~~WA-GUEST-OS-4.82_202009-01~~| October 10, 2020 | December 19, 2020 | |~~WA-GUEST-OS-4.81_202008-02~~| September 5, 2020 | November 17, 2020 |
@@ -257,8 +263,9 @@ The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-3.93_202101-01 | February 5, 2021 | Post 3.95 |
| WA-GUEST-OS-3.92_202012-01 | January 15, 2021 | Post 3.94 |
-| WA-GUEST-OS-3.91_202011-01 | December 19, 2020 | Post 3.93 |
+|~~WA-GUEST-OS-3.91_202011-01~~| December 19, 2020 | February 5, 2021 |
|~~WA-GUEST-OS-3.90_202010-02~~| November 17, 2020 | January 15, 2021 | |~~WA-GUEST-OS-3.89_202009-01~~| October 10, 2020 | December 19, 2020 | |~~WA-GUEST-OS-3.88_202008-02~~| September 5, 2020 | November 17, 2020 |
@@ -293,8 +300,9 @@ The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-2.106_202101-01 | February 5, 2021 | Post 2.108 |
| WA-GUEST-OS-2.105_202012-01 | January 15, 2021 | Post 2.107 |
-| WA-GUEST-OS-2.104_202011-01 | December 19, 2020 | Post 2.106 |
+|~~WA-GUEST-OS-2.104_202011-01~~| December 19, 2020 | February 5, 2021 |
|~~WA-GUEST-OS-2.103_202010-02~~| November 17, 2020 | January 15, 2021 | |~~WA-GUEST-OS-2.102_202009-01~~| October 10, 2020 | December 19, 2020 | |~~WA-GUEST-OS-2.101_202008-02~~| September 5, 2020 | November 17, 2020 |
cloud-shell https://docs.microsoft.com/en-us/azure/cloud-shell/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-shell/security-baseline.md
@@ -284,7 +284,7 @@ Security incident contact information will be used by Microsoft to contact you i
### 10.5: Incorporate security alerts into your incident response system **Guidance**:
-Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
- [How to configure continuous export](../security-center/continuous-export.md) - [How to stream alerts into Azure Sentinel](../sentinel/connect-azure-security-center.md)
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/form-recognizer/includes/quickstarts/rest-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/includes/quickstarts/rest-api.md
@@ -33,24 +33,19 @@ You can use Form Recognizer to analyze and extract tables, selection marks, text
1. Replace `{Endpoint}` with the endpoint that you obtained with your Form Recognizer subscription. 1. Replace `{subscription key}` with the subscription key you copied from the previous step.
-1. Replace the URL in the request body with one of the example URLs.
+1. Replace `\"{your-document-url}` with one of the example URLs.
# [v2.0](#tab/v2-0) + ```bash
-curl -v -X POST "https://{Endpoint}/formrecognizer/v2.0/layout/analyze"
--H "Content-Type: application/json"--H "Ocp-Apim-Subscription-Key: {subscription key}"data-ascii "{\"source\": \"http://example.com/test.jpg\"}"
+curl -v -i POST "https://{Endpoint}/formrecognizer/v2.0/layout/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï'source': '{your-document-url}'}ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï"
``` # [v2.1 preview](#tab/v2-1) ```bash
-curl -v -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/layout/analyze"
--H "Content-Type: application/json"--H "Ocp-Apim-Subscription-Key: {subscription key}"data-ascii "{\"source\": \"http://example.com/test.jpg\"}"
+curl -v -i POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/layout/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï'source': '{your-document-url}'}ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï"
```
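Review bot: the two `+curl -v -i POST ...` lines drop the `-X` flag, so `POST` becomes a positional URL argument; curl will first report "Could not resolve host: POST" before sending to the real endpoint (the request still goes out as a POST only because `--data-ascii` implies one). Keep `-X POST` and add `-i` beside it. The request bodies also contain runs of `ΓÇï`, which is the UTF-8 zero-width space (U+200B) mis-decoded as CP437; those invisible characters end up inside the JSON and the body now uses single-quoted keys (`'source'`), which is not strict JSON and relies on a lenient server parser. Prefer the escaped double-quoted form of the removed line, `--data-ascii "{\"source\": \"{your-document-url}\"}"`. The instruction line `Replace \`\"{your-document-url}\`` also has a stray `\"` before the placeholder.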
@@ -71,14 +66,13 @@ After you've called the **[Analyze Layout](https://westcentralus.dev.cognitive.m
# [v2.0](#tab/v2-0) ```bash
-curl -v -X GET "https://{Endpoint}/formrecognizer/v2.0/layout/analyzeResults/{resultId}"
--H "Ocp-Apim-Subscription-Key: {subscription key}"
+curl -v -X GET "https://{Endpoint}/formrecognizer/v2.0/layout/analyzeResults/{resultId}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
``` + # [v2.1 preview](#tab/v2-1) ```bash
-curl -v -X GET "https://{Endpoint}/formrecognizer/v2.1-preview.2/layout/analyzeResults/{resultId}"
--H "Ocp-Apim-Subscription-Key: {subscription key}"
+curl -v -X GET "https://{Endpoint}/formrecognizer/v2.1-preview.2/layout/analyzeResults/{resultId}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
```
@@ -331,11 +325,9 @@ To start analyzing an invoice, use the cURL command below. For more information
1. Replace `{your invoice URL}` with the URL address of an invoice document. 1. Replace `{subscription key}` with your subscription key. + ```bash
-curl -v -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/invoice/analyze"
--H "Content-Type: application/json"--H "Ocp-Apim-Subscription-Key: {subscription key}"data-ascii "{ \"source\": \"{your invoice URL}\"}"
+curl -v -i POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/invoice/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï'source': '{your invoice URL}'}ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï"
``` You'll receive a `202 (Success)` response that includes am **Operation-Location** header. The value of this header contains an operation ID that you can use to query the status of the asynchronous operation and get the results.
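Review bot: the invoice command has the same two problems as the layout commands, `-i POST` without `-X` and zero-width spaces (`ΓÇï`) plus single quotes inside the JSON body; apply the same fix here. The surrounding context line also reads "includes am **Operation-Location** header", which should be "an".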
@@ -353,8 +345,7 @@ After you've called the **[Analyze Invoice](https://westcentralus.dev.cognitive.
1. Replace `{subscription key}` with your subscription key. ```bash
-curl -v -X GET "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/invoice/analyzeResults/{resultId}"
--H "Ocp-Apim-Subscription-Key: {subscription key}"
+curl -v -X GET "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/invoice/analyzeResults/{resultId}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
``` ### Examine the response
@@ -525,8 +516,13 @@ See the following invoice document and its corresponding JSON output. The JSON c
To train a custom model, you'll need a set of training data in an Azure Storage blob. You need a minimum of five filled-in forms (PDF documents and/or images) of the same type/structure. See [Build a training data set for a custom model](../../build-training-data-set.md) for tips and options for putting together your training data.
+Training without labeled data is the default operation and is simpler. Alternatively, you can manually label some or all of your training data beforehand. This is a more complex process but results in a better trained model.
+ > [!NOTE]
-> For high-accuracy models, you can train with manually labeled data. See the [Train with labels](../../quickstarts/label-tool.md) getting started guide.
+> You can also train models with a graphical user interface such as the [Form Recognizer sample labeling tool](../../quickstarts/label-tool.md).
++
+### Train a model without labels
To train a Form Recognizer model with the documents in your Azure blob container, call the **[Train Custom Model](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/TrainCustomModelAsync)** API by running the following cURL command. Before you run the command, make these changes:
@@ -536,13 +532,40 @@ To train a Form Recognizer model with the documents in your Azure blob container
:::image type="content" source="../../media/quickstarts/get-sas-url.png" alt-text="SAS URL retrieval":::
-# [v2.0](#tab/v2-0)
+# [v2.0](#tab/v2-0)
+```bash
+curl -i -X POST "https://{Endpoint}/formrecognizer/v2.0/custom/models" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ 'source': '{SAS URL}'}"
+```
+
+# [v2.1 preview](#tab/v2-1)
+```bash
+curl -i -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ 'source': '{SAS URL}'}"
+```
++++
+You'll receive a `201 (Success)` response with a **Location** header. The value of this header is the ID of the new model being trained.
+
+### Train a model with labels
+
+To train with labels, you need to have special label information files (`\<filename\>.pdf.labels.json`) in your blob storage container alongside the training documents. The [Form Recognizer sample labeling tool](../../quickstarts/label-tool.md) provides a UI to help you create these label files. Once you have them, you can call the **[Train Custom Model](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/TrainCustomModelAsync)** API, with the `"useLabelFile"` parameter set to `true` in the JSON body.
+
+Before you run the command, make these changes:
+
+1. Replace `{Endpoint}` with the endpoint that you obtained with your Form Recognizer subscription.
+1. Replace `{subscription key}` with the subscription key you copied from the previous step.
+1. Replace `{SAS URL}` with the Azure Blob storage container's shared access signature (SAS) URL. [!INCLUDE [get SAS URL](../sas-instructions.md)]
+
+ :::image type="content" source="../../media/quickstarts/get-sas-url.png" alt-text="SAS URL retrieval":::
+
+# [v2.0](#tab/v2-0)
```bash
-curl -i -X POST "https://{Endpoint}/formrecognizer/v2.0/custom/models" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ \"source\": \""{SAS URL}"\"}"
+curl -i -X POST "https://{Endpoint}/formrecognizer/v2.0/custom/models" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ 'source': '{SAS URL}', 'useLabelFile':true }"
``` # [v2.1 preview](#tab/v2-1) ```bash
-curl -i -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ \"source\": \""{SAS URL}"\"}"
+curl -i -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ 'source': '{SAS URL}', 'useLabelFile':true}"
```
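Review bot: in `+To train with labels, you need to have special label information files (\`\<filename\>.pdf.labels.json\`)` the backslashes are inside a code span, where no escaping is needed and they render literally; write `<filename>.pdf.labels.json`. The with-labels bodies `{ 'source': '{SAS URL}', 'useLabelFile':true }` use single-quoted keys, which is not strict JSON; the removed lines used `\"source\"`, so keep that form and add `\"useLabelFile\": true` the same way. The two tab groups (without labels, with labels) are separated only by the garbled `++++` run; make sure the first group is closed with the Docs tab terminator before the "Train a model with labels" heading so the second group does not nest inside the first.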
@@ -652,12 +675,12 @@ Next, you'll use your newly trained model to analyze a document and extract key-
# [v2.0](#tab/v2-0) ```bash
-curl -v "https://{Endpoint}/formrecognizer/v2.0/custom/models/{model ID}/analyze?includeTextDetails=true" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" -d "{ \"source\": \""{SAS URL}"\" } "
+curl -v "https://{Endpoint}/formrecognizer/v2.0/custom/models/{model ID}/analyze?includeTextDetails=true" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" -d "{ 'source': '{SAS URL}' } "
``` # [v2.1 preview](#tab/v2-1) ```bash
-curl -v "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models/{model ID}/analyze?includeTextDetails=true" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" -d "{ \"source\": \""{SAS URL}"\" } "
+curl -v "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models/{model ID}/analyze?includeTextDetails=true" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" -d "{ 'source': '{SAS URL}' } "
```
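Review bot: Same quoting concern as the training hunk: `-d "{ 'source': '{SAS URL}' } "` on the `+` lines is not valid JSON, so prefer `-d "{ \"source\": \"{SAS URL}\" }"`. Separately, `-v` here echoes every request header, including `Ocp-Apim-Subscription-Key`, to the terminal; if the intent is only to read the `Operation-Location` response header, `-i` (as the other hunks use) shows the response headers without printing the key.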
@@ -977,13 +1000,13 @@ This section demonstrates how to analyze and extract common fields from US recei
# [v2.0](#tab/v2-0) ```bash
-curl -i -X POST "https://{Endpoint}/formrecognizer/v2.0/prebuilt/receipt/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ \"source\": \"{your receipt URL}\"}"
+curl -i -X POST "https://{Endpoint}/formrecognizer/v2.0/prebuilt/receipt/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ 'source': '{your receipt URL}'}"
``` # [v2.1 preview](#tab/v2-1) ```bash
-curl -i -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/receipt/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ \"source\": \"{your receipt URL}\"}"
+curl -i -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/receipt/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ 'source': '{your receipt URL}'}"
```
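Review bot: The receipt bodies on the `+` lines (`"{ 'source': '{your receipt URL}'}"`) have the same single-quote problem as the custom-model hunks and should become `"{ \"source\": \"{your receipt URL}\" }"` so the example is valid JSON once the placeholder is filled in; the placeholder convention (`{...}` in curly braces) is otherwise consistent with the rest of the file.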
@@ -1362,7 +1385,7 @@ This section demonstrates how to analyze and extract common fields from English
1. Replace `{subscription key}` with the subscription key you copied from the previous step. ```bash
-curl -i -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/businessCard/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ \"source\": \"{your receipt URL}\"}"
+curl -i -X POST "https://{Endpoint}/formrecognizer/v2.1-preview.2/prebuilt/businessCard/analyze" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {subscription key}" --data-ascii "{ 'source': '{your receipt URL}'}"
``` You'll receive a `202 (Success)` response that includes am **Operation-Location** header. The value of this header contains an operation ID that you can use to query the status of the asynchronous operation and get the results.
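Review bot: The placeholder on the `+` line is `{your receipt URL}` although this is the `prebuilt/businessCard/analyze` endpoint; `{your business card URL}` would stop readers pasting the receipt sample here. The body is also single-quoted JSON like the other hunks and should be `"{ \"source\": \"{your business card URL}\" }"`. In the trailing context line, "includes am **Operation-Location** header" should read "an", and the HTTP reason phrase for 202 is "Accepted" rather than "Success", which matters because the call has only been queued at that point and the result still has to be fetched with the operation ID.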
@@ -1563,15 +1586,13 @@ To retrieve detailed information about a specific custom model, use the **[Get C
# [v2.0](#tab/v2-0) ```bash
-curl -v -X GET "https://{Endpoint}/formrecognizer/v2.0/custom/models/{modelId}"
--H "Ocp-Apim-Subscription-Key: {subscription key}"
+curl -v -X GET "https://{Endpoint}/formrecognizer/v2.0/custom/models/{modelId}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
``` # [v2.1 preview](#tab/v2-1) ```bash
-curl -v -X GET "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models/{modelId}"
--H "Ocp-Apim-Subscription-Key: {subscription key}"
+curl -v -X GET "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models/{modelId}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
```
@@ -1626,15 +1647,13 @@ You can also delete a model from your account by referencing its ID. This comman
# [v2.0](#tab/v2-0) ```bash
-curl -v -X DELETE "https://{Endpoint}/formrecognizer/v2.0/custom/models/{modelId}"
--H "Ocp-Apim-Subscription-Key: {subscription key}"
+curl -v -X DELETE "https://{Endpoint}/formrecognizer/v2.0/custom/models/{modelId}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
``` # [v2.1 preview](#tab/v2-1) ```bash
-curl -v -X DELETE "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models/{modelId}"
--H "Ocp-Apim-Subscription-Key: {subscription key}"
+curl -v -X DELETE "https://{Endpoint}/formrecognizer/v2.1-preview.2/custom/models/{modelId}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
```
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/security-baseline.md
@@ -1054,7 +1054,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
* [How to configure continuous export](../security-center/continuous-export.md)
container-instances https://docs.microsoft.com/en-us/azure/container-instances/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/security-baseline.md
@@ -1164,7 +1164,7 @@ Additionally, clearly mark subscriptions (for example. production, non-productio
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
* [How to configure continuous export](../security-center/continuous-export.md)
container-registry https://docs.microsoft.com/en-us/azure/container-registry/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/security-baseline.md
@@ -1160,7 +1160,7 @@ How to set the Azure Security Center security contact: https://docs.microsoft.c
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
How to configure continuous export: https://docs.microsoft.com/azure/security-center/continuous-export
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/security-baseline.md
@@ -1074,7 +1074,7 @@ How to set the Azure Security Center Security Contact: https://docs.microsoft.co
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
How to configure continuous export: https://docs.microsoft.com/azure/security-center/continuous-export
data-factory https://docs.microsoft.com/en-us/azure/data-factory/copy-activity-fault-tolerance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-fault-tolerance.md
@@ -56,7 +56,8 @@ When you copy binary files between storage stores, you can enable fault toleranc
"skipErrorFile": { "fileMissing": true, "fileForbidden": true,
- "dataInconsistency": true
+ "dataInconsistency": true,
+ "invalidFileName": true
}, "validateDataConsistency": true, "logSettings": {
@@ -81,6 +82,7 @@ skipErrorFile | A group of properties to specify the types of failures you want
fileMissing | One of the key-value pairs within skipErrorFile property bag to determine if you want to skip files, which are being deleted by other applications when ADF is copying in the meanwhile. <br/> -True: you want to copy the rest by skipping the files being deleted by other applications. <br/> - False: you want to abort the copy activity once any files are being deleted from source store in the middle of data movement. <br/>Be aware this property is set to true as default. | True(default) <br/>False | No fileForbidden | One of the key-value pairs within skipErrorFile property bag to determine if you want to skip the particular files, when the ACLs of those files or folders require higher permission level than the connection configured in ADF. <br/> -True: you want to copy the rest by skipping the files. <br/> - False: you want to abort the copy activity once getting the permission issue on folders or files. | True <br/>False(default) | No dataInconsistency | One of the key-value pairs within skipErrorFile property bag to determine if you want to skip the inconsistent data between source and destination store. <br/> -True: you want to copy the rest by skipping inconsistent data. <br/> - False: you want to abort the copy activity once inconsistent data found. <br/>Be aware this property is only valid when you set validateDataConsistency as True. | True <br/>False(default) | No
+invalidFileName | One of the key-value pairs within skipErrorFile property bag to determine if you want to skip the particular files, when the file names are invalid for the destination store. <br/> -True: you want to copy the rest by skipping the files having invalid file names. <br/> - False: you want to abort the copy activity once any files have invalid file names. <br/>Be aware this property works when copying binary files from any storage store to ADLS Gen2 or copying binary files from AWS S3 to any storage store only. | True <br/>False(default) | No
logSettings | A group of properties that can be specified when you want to log the skipped object names. | &nbsp; | No linkedServiceName | The linked service of [Azure Blob Storage](connector-azure-blob-storage.md#linked-service-properties) or [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#linked-service-properties) to store the session log files. | The names of an `AzureBlobStorage` or `AzureBlobFS` type linked service, which refers to the instance that you use to store the log file. | No path | The path of the log files. | Specify the path that you use to store the log files. If you do not provide a path, the service creates a container for you. | No
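Review bot: The new `invalidFileName` row's scope sentence ("Be aware this property works when copying binary files from any storage store to ADLS Gen2 or copying binary files from AWS S3 to any storage store only") is hard to parse; suggest "This property applies only when copying binary files to ADLS Gen2 from any store, or from Amazon S3 to any store." The row's default of `False` is right to state explicitly, since the JSON sample in the previous hunk now sets it to `true`, and readers should understand that skipping files with invalid names is opt-in and that skipped names land in the session log configured under `logSettings` rather than failing the run.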
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-flow-reserved-capacity-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-reserved-capacity-overview.md
@@ -0,0 +1,54 @@
+
+ Title: Save compute costs with reserved capacity
+description: Learn how to buy Azure Data Factory data flow reserved capacity to save on your compute costs.
++++ Last updated : 02/05/2021+
+# Save costs for resources with reserved capacity - Azure Data Factory data flows
+
+Save money with Azure Data Factory data flow costs by committing to a reservation for compute resources compared to pay-as-you-go prices. With reserved capacity, you make a commitment for ADF data flow usage for a period of one or three years to get a significant discount on the compute costs. To purchase reserved capacity, you need to specify the Azure region, compute type, core count quantity, and term.
+
+You do not need to assign the reservation to a specific factory or integration runtime. Existing factories or newly deployed factories automatically get the benefit. By purchasing a reservation, you commit to usage for the data flow compute costs for a period of one or three years. As soon as you buy a reservation, the compute charges that match the reservation attributes are no longer charged at the pay-as-you go rates.
+
+You can buy [reserved capacity](https://portal.azure.com) by choosing reservations [up front or with monthly payments](https://docs.microsoft.com/azure/cost-management-billing/reservations/prepare-buy-reservation.md). To buy reserved capacity:
+
+- You must be in the owner role for at least one Enterprise or individual subscription with pay-as-you-go rates.
+- For Enterprise subscriptions, **Add Reserved Instances** must be enabled in the [EA portal](https://ea.azure.com). Or, if that setting is disabled, you must be an EA Admin on the subscription. Reserved capacity.
+
+For more information about how enterprise customers and Pay-As-You-Go customers are charged for reservation purchases, see [Understand Azure reservation usage for your Enterprise enrollment](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage-ea) and [Understand Azure reservation usage for your Pay-As-You-Go subscription](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage).
+
+> [!NOTE]
+> Purchasing reserved capacity does not pre-allocate or reserve specific infrastructure resources (virtual machines or clusters) for your use.
+
+## Determine proper Azure IR sizes needed before purchase
+
+The size of reservation should be based on the total amount of compute used by the existing or soon-to-be-deployed data flows using the same compute tier.
+
+For example, let's suppose that you are executing a pipeline hourly using memory optimized with 32 cores. Further, let's supposed that you plan to deploy within the next month an additional pipeline that uses general purpose 64 cores. Also, let's suppose that you know that you will need these resources for at least 1 year. In this case, enter the number of cores needed for each compute type for 1 hour. In the Azure Portal, search for Reservations. Choose Data Factory > Data Flows, then enter 32 for memory optimized and 64 for general purpose.
+
+## Buy reserved capacity
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **All services** > **Reservations**.
+3. Select **Add** and then in the **Purchase Reservations** pane, select **ADF Data Flows** to purchase a new reservation for ADF data flows.
+4. Fill in the required fields and attributes you select qualify to get the reserved capacity discount. The actual number of data flows that get the discount depends on the scope and quantity selected.
+5. Review the cost of the capacity reservation in the **Costs** section.
+6. Select **Purchase**.
+7. Select **View this Reservation** to see the status of your purchase.
+
+## Cancel, exchange, or refund reservations
+
+You can cancel, exchange, or refund reservations with certain limitations. For more information, see [Self-service exchanges and refunds for Azure Reservations](https://docs.microsoft.com/azure/cost-management-billing/reservations/exchange-and-refund-azure-reservations).
+
+## Need help? Contact us
+
+If you have questions or need help, [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
+
+## Next steps
+
+To learn more about Azure Reservations, see the following articles:
+
+- [Understand Azure Reservations discount](data-flow-understand-reservation-charges.md)
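Review bot: The purchase link on the "You can buy [reserved capacity]..." line mixes an absolute `https://docs.microsoft.com/...` URL with a `.md` suffix (`prepare-buy-reservation.md`), which will not resolve; use either a relative `../cost-management-billing/...md` link or the absolute URL without `.md`. Smaller fixes in the same file: the second prerequisite bullet ends with a stray fragment ("...you must be an EA Admin on the subscription. Reserved capacity."); "let's supposed that you plan to deploy" should be "let's suppose"; step 4 ("Fill in the required fields and attributes you select qualify to get the reserved capacity discount") needs rewording, for example "Fill in the required fields; the attributes you select determine which data flows qualify for the discount"; and the front-matter block as shown (`Title:` with no YAML fence, `++++ Last updated : 02/05/2021+`) should be checked in the rendered page, since the `ms.*` fields appear to have been collapsed.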
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-flow-understand-reservation-charges https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-understand-reservation-charges.md
@@ -0,0 +1,40 @@
+
+ Title: Understand reservations discount for Azure Data Factory data flows | Microsoft Docs
+description: Learn how a reservation discount is applied to running ADF data flows. The discount is applied to these data flows on an hourly basis.
+++ Last updated : 02/05/2021+++
+# How a reservation discount is applied to Azure Data Factory data flows
+
+After you buy ADF data flow reserved capacity, the reservation discount is automatically applied to data flows using an Azure integration runtime that match the compute type and core count of the reservation.
+
+## How reservation discount is applied
+
+A reservation discount is "*use-it-or-lose-it*". So, if you don't have matching Azure integration resources used for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.
+
+When you stop using the integration runtime for data flows, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are *lost*.
+
+## Discount applied to ADF data flows
+
+The ADF data flow reserved capacity discount is applied to executing integration runtimes on an hourly basis. The reservation that you buy is matched to the compute type being used by the integration runtimes for your data flows. For data flows that don't run the full hour, the reservation is automatically applied to other data flows matching the reservation attributes. The discount can also apply to data flows that are running concurrently. If you don't have data flows that run for the full hour that match the reservation attributes, you don't get the full benefit of the reservation discount for that hour.
+
+The following examples show how the ADF data flow reserved capacity discount applies depending on the number of cores you bought, and when they're running.
+
+- Scenario 1: You buy an ADF data flow reservation for 1 hour of 80 cores of memory optimized compute by entering 80 as the quantity for memory optimized compute type. You run a data flow with an Azure integration runtime set to 144 cores of memory optimized for one hour. You're charged the pay-as-you-go price for 64 cores of data flow usage for one hour. You get the reservation discount for one hour of 80 cores of memory optimized usage.
+- Scenario 2: You buy an ADF data flow reservation for 1 hour of 32 cores of general purpose compute by entering 32 as the quantity for general purpose compute type. You debug your data flows for 1 hour using 32 cores of general compute Azure integration runtime. You get the reservation discount for that entire hour of usage.
+
+To understand and view the application of your Azure Reservations in billing usage reports, see [Understand Azure reservation usage](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage-ea).
+
+## Need help? Contact us
+
+If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).
+
+## Next steps
+
+To learn more about Azure Reservations, see the following article:
+
+- [What are Azure Reservations?](https://docs.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations)
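Review bot: Scenario 1 says you "buy an ADF data flow reservation for 1 hour of 80 cores", but the companion article states that reservations are bought for a one- or three-year term with a core quantity; the hourly figure is the matching unit, not the purchase, so "a reservation for 80 cores of memory optimized compute" with "for each hour" in the usage sentence would be clearer. The arithmetic is consistent (144 cores used, 80 discounted, 64 at pay-as-you-go). Also, "if you don't have matching Azure integration resources used for any hour" reads better as "matching Azure integration runtime usage in a given hour", and the front matter here has the same collapsed `+++ Last updated : 02/05/2021+++` line as the sibling file and should be verified.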
data-factory https://docs.microsoft.com/en-us/azure/data-factory/frequently-asked-questions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/frequently-asked-questions.md
@@ -17,42 +17,51 @@ Last updated 02/10/2020
This article provides answers to frequently asked questions about Azure Data Factory.
-## What is Azure Data Factory?
+## What is Azure Data Factory?
+ Data Factory is a fully managed, cloud-based, data-integration ETL service that automates the movement and transformation of data. Like a factory that runs equipment to transform raw materials into finished goods, Azure Data Factory orchestrates existing services that collect raw data and transform it into ready-to-use information.
-By using Azure Data Factory, you can create data-driven workflows to move data between on-premises and cloud data stores. And you can process and transform data with Data Flows. ADF also supports external compute engines for hand-coded transformations by using compute services such as Azure HDInsight, Azure Databricks, and the SQL Server Integration Services (SSIS) integration runtime.
+By using Azure Data Factory, you can create data-driven workflows to move data between on-premises and cloud data stores. And you can process and transform data with Data Flows. ADF also supports external compute engines for hand-coded transformations by using compute services such as Azure HDInsight, Azure Databricks, and the SQL Server Integration Services (SSIS) integration runtime.
With Data Factory, you can execute your data processing either on an Azure-based cloud service or in your own self-hosted compute environment, such as SSIS, SQL Server, or Oracle. After you create a pipeline that performs the action you need, you can schedule it to run periodically (hourly, daily, or weekly, for example), time window scheduling, or trigger the pipeline from an event occurrence. For more information, see [Introduction to Azure Data Factory](introduction.md).
-### Control flows and scale
+## Compliance and Security Considerations
+
+Azure Data Factory is certified for a range of compliance certifications, including _SOC 1, 2, 3_, _HIPAA BAA_, and _HITRUST_. Full and growing list of certifications can be found [here](data-movement-security-considerations.md). Digital copies for audit reports and compliance certifications can be found in [Service Trust Center](https://servicetrust.microsoft.com/)
+
+### Control flows and scale
+ To support the diverse integration flows and patterns in the modern data warehouse, Data Factory enables flexible data pipeline modeling. This entails full control flow programming paradigms, which include conditional execution, branching in data pipelines, and the ability to explicitly pass parameters within and across these flows. Control flow also encompasses transforming data through activity dispatch to external execution engines and data flow capabilities, including data movement at scale, via the Copy activity.
-Data Factory provides freedom to model any flow style that's required for data integration and that can be dispatched on demand or repeatedly on a schedule. A few common flows that this model enables are:
+Data Factory provides freedom to model any flow style that's required for data integration and that can be dispatched on demand or repeatedly on a schedule. A few common flows that this model enables are:
- Control flows: - Activities can be chained together in a sequence within a pipeline. - Activities can be branched within a pipeline. - Parameters:
- - Parameters can be defined at the pipeline level and arguments can be passed while you invoke the pipeline on demand or from a trigger.
- - Activities can consume the arguments that are passed to the pipeline.
+ * Parameters can be defined at the pipeline level and arguments can be passed while you invoke the pipeline on demand or from a trigger.
+ * Activities can consume the arguments that are passed to the pipeline.
- Custom state passing:
- - Activity outputs, including state, can be consumed by a subsequent activity in the pipeline.
+ * Activity outputs, including state, can be consumed by a subsequent activity in the pipeline.
- Looping containers:
- - The foreach activity will iterate over a specified collection of activities in a loop.
+ * The foreach activity will iterate over a specified collection of activities in a loop.
- Trigger-based flows: - Pipelines can be triggered on demand or by wall-clock time. - Delta flows:
- - Parameters can be used to define your high-water mark for delta copy while moving dimension or reference tables from a relational store, either on-premises or in the cloud, to load the data into the lake.
+ - Parameters can be used to define your high-water mark for delta copy while moving dimension or reference tables from a relational store, either on-premises or in the cloud, to load the data into the lake.
For more information, see [Tutorial: Control flows](tutorial-control-flow.md). ### Data transformed at scale with code-free pipelines+ The new browser-based tooling experience provides code-free pipeline authoring and deployment with a modern, interactive web-based experience. For visual data developers and data engineers, the Data Factory web UI is the code-free design environment that you will use to build pipelines. It's fully integrated with Visual Studio Online Git and provides integration for CI/CD and iterative development with debugging options. ### Rich cross-platform SDKs for advanced users+ Data Factory V2 provides a rich set of SDKs that can be used to author, manage, and monitor pipelines by using your favorite IDE, including:+ * Python SDK * PowerShell CLI * C# SDK
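Review bot: The new `## Compliance and Security Considerations` heading is inserted between "What is Azure Data Factory?" and the re-added `### Control flows and scale`, so the control-flow, code-free pipeline and SDK subsections now render as children of the compliance section rather than of the product overview; either place the compliance section after those subsections or promote them alongside it. In the new paragraph, "Full and growing list of certifications" needs an article ("The full and growing list..."), the sentence about the Service Trust Center lacks a final period, and the certification link points at `data-movement-security-considerations.md`, so the link text "here" should say what that page is. The nested bullets under Parameters, Custom state passing and Looping containers switch from `-` to `*` while the Delta flows bullet keeps `-`; pick one marker. Several other `-`/`+` pairs in this hunk differ only in trailing whitespace, which adds diff noise without changing the page.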
@@ -60,20 +69,25 @@ Data Factory V2 provides a rich set of SDKs that can be used to author, manage,
Users can also use the documented REST APIs to interface with Data Factory V2. ### Iterative development and debugging by using visual tools
-Azure Data Factory visual tools enable iterative development and debugging. You can create your pipelines and do test runs by using the **Debug** capability in the pipeline canvas without writing a single line of code. You can view the results of your test runs in the **Output** window of your pipeline canvas. After your test run succeeds, you can add more activities to your pipeline and continue debugging in an iterative manner. You can also cancel your test runs after they are in progress.
-You are not required to publish your changes to the data factory service before selecting **Debug**. This is helpful in scenarios where you want to make sure that the new additions or changes will work as expected before you update your data factory workflows in development, test, or production environments.
+Azure Data Factory visual tools enable iterative development and debugging. You can create your pipelines and do test runs by using the **Debug** capability in the pipeline canvas without writing a single line of code. You can view the results of your test runs in the **Output** window of your pipeline canvas. After your test run succeeds, you can add more activities to your pipeline and continue debugging in an iterative manner. You can also cancel your test runs after they are in progress.
+
+You are not required to publish your changes to the data factory service before selecting **Debug**. This is helpful in scenarios where you want to make sure that the new additions or changes will work as expected before you update your data factory workflows in development, test, or production environments.
+
+### Ability to deploy SSIS packages to Azure
-### Ability to deploy SSIS packages to Azure
If you want to move your SSIS workloads, you can create a Data Factory and provision an Azure-SSIS integration runtime. An Azure-SSIS integration runtime is a fully managed cluster of Azure VMs (nodes) that are dedicated to run your SSIS packages in the cloud. For step-by-step instructions, see the [Deploy SSIS packages to Azure](./tutorial-deploy-ssis-packages-azure.md) tutorial.
-
+ ### SDKs+ If you are an advanced user and looking for a programmatic interface, Data Factory provides a rich set of SDKs that you can use to author, manage, or monitor pipelines by using your favorite IDE. Language support includes .NET, PowerShell, Python, and REST. ### Monitoring
-You can monitor your Data Factories via PowerShell, SDK, or the Visual Monitoring Tools in the browser user interface. You can monitor and manage on-demand, trigger-based, and clock-driven custom flows in an efficient and effective manner. Cancel existing tasks, see failures at a glance, drill down to get detailed error messages, and debug the issues, all from a single pane of glass without context switching or navigating back and forth between screens.
+
+You can monitor your Data Factories via PowerShell, SDK, or the Visual Monitoring Tools in the browser user interface. You can monitor and manage on-demand, trigger-based, and clock-driven custom flows in an efficient and effective manner. Cancel existing tasks, see failures at a glance, drill down to get detailed error messages, and debug the issues, all from a single pane of glass without context switching or navigating back and forth between screens.
### New features for SSIS in Data Factory+ Since the initial public preview release in 2017, Data Factory has added the following features for SSIS: - Support for three more configurations/variants of Azure SQL Database to host the SSIS database (SSISDB) of projects/packages:
@@ -86,37 +100,44 @@ Since the initial public preview release in 2017, Data Factory has added the fol
- Support for Enterprise Edition of the Azure-SSIS integration runtime that lets you use advanced/premium features, a custom setup interface to install additional components/extensions, and a partner ecosystem. For more information, see also [Enterprise Edition, Custom Setup, and 3rd Party Extensibility for SSIS in ADF](https://blogs.msdn.microsoft.com/ssis/2018/04/27/enterprise-edition-custom-setup-and-3rd-party-extensibility-for-ssis-in-adf/). - Deeper integration of SSIS in Data Factory that lets you invoke/trigger first-class Execute SSIS Package activities in Data Factory pipelines and schedule them via SSMS. For more information, see also [Modernize and extend your ETL/ELT workflows with SSIS activities in ADF pipelines](https://blogs.msdn.microsoft.com/ssis/2018/05/23/modernize-and-extend-your-etlelt-workflows-with-ssis-activities-in-adf-pipelines/). - ## What is the integration runtime?+ The integration runtime is the compute infrastructure that Azure Data Factory uses to provide the following data integration capabilities across various network environments: - **Data movement**: For data movement, the integration runtime moves the data between the source and destination data stores, while providing support for built-in connectors, format conversion, column mapping, and performant and scalable data transfer. - **Dispatch activities**: For transformation, the integration runtime provides capability to natively execute SSIS packages. - **Execute SSIS packages**: The integration runtime natively executes SSIS packages in a managed Azure compute environment. The integration runtime also supports dispatching and monitoring transformation activities running on a variety of compute services, such as Azure HDInsight, Azure Machine Learning, SQL Database, and SQL Server.
-You can deploy one or many instances of the integration runtime as required to move and transform data. The integration runtime can run on an Azure public network or on a private network (on-premises, Azure Virtual Network, or Amazon Web Services virtual private cloud [VPC]).
+You can deploy one or many instances of the integration runtime as required to move and transform data. The integration runtime can run on an Azure public network or on a private network (on-premises, Azure Virtual Network, or Amazon Web Services virtual private cloud [VPC]).
For more information, see [Integration runtime in Azure Data Factory](concepts-integration-runtime.md). ## What is the limit on the number of integration runtimes?+ There is no hard limit on the number of integration runtime instances you can have in a data factory. There is, however, a limit on the number of VM cores that the integration runtime can use per subscription for SSIS package execution. For more information, see [Data Factory limits](../azure-resource-manager/management/azure-subscription-service-limits.md#data-factory-limits). ## What are the top-level concepts of Azure Data Factory?+ An Azure subscription can have one or more Azure Data Factory instances (or data factories). Azure Data Factory contains four key components that work together as a platform on which you can compose data-driven workflows with steps to move and transform data. ### Pipelines+ A data factory can have one or more pipelines. A pipeline is a logical grouping of activities to perform a unit of work. Together, the activities in a pipeline perform a task. For example, a pipeline can contain a group of activities that ingest data from an Azure blob and then run a Hive query on an HDInsight cluster to partition the data. The benefit is that you can use a pipeline to manage the activities as a set instead of having to manage each activity individually. You can chain together the activities in a pipeline to operate them sequentially, or you can operate them independently, in parallel. ### Data flows+ Data flows are objects that you build visually in Data Factory which transform data at scale on backend Spark services. You do not need to understand programming or Spark internals. Just design your data transformation intent using graphs (Mapping) or spreadsheets (Wrangling). ### Activities+ Activities represent a processing step in a pipeline. For example, you can use a Copy activity to copy data from one data store to another data store. 
Similarly, you can use a Hive activity, which runs a Hive query on an Azure HDInsight cluster to transform or analyze your data. Data Factory supports three types of activities: data movement activities, data transformation activities, and control activities. ### Datasets+ Datasets represent data structures within the data stores, which simply point to or reference the data you want to use in your activities as inputs or outputs. ### Linked services+ Linked services are much like connection strings, which define the connection information needed for Data Factory to connect to external resources. Think of it this way: A linked service defines the connection to the data source, and a dataset represents the structure of the data. For example, an Azure Storage linked service specifies the connection string to connect to the Azure Storage account. And an Azure blob dataset specifies the blob container and the folder that contains the data. Linked services have two purposes in Data Factory:
@@ -125,12 +146,15 @@ Linked services have two purposes in Data Factory:
- To represent a *compute resource* that can host the execution of an activity. For example, the HDInsight Hive activity runs on an HDInsight Hadoop cluster. For a list of transformation activities and supported compute environments, see [Transform data in Azure Data Factory](transform-data.md). ### Triggers+ Triggers represent units of processing that determine when a pipeline execution is kicked off. There are different types of triggers for different types of events. ### Pipeline runs+ A pipeline run is an instance of a pipeline execution. You usually instantiate a pipeline run by passing arguments to the parameters that are defined in the pipeline. You can pass the arguments manually or within the trigger definition. ### Parameters+ Parameters are key-value pairs in a read-only configuration. You define parameters in a pipeline, and you pass the arguments for the defined parameters during execution from a run context. The run context is created by a trigger or from a pipeline that you execute manually. Activities within the pipeline consume the parameter values. A dataset is a strongly typed parameter and an entity that you can reuse or reference. An activity can reference datasets, and it can consume the properties that are defined in the dataset definition.
@@ -138,6 +162,7 @@ A dataset is a strongly typed parameter and an entity that you can reuse or refe
A linked service is also a strongly typed parameter that contains connection information to either a data store or a compute environment. It's also an entity that you can reuse or reference. ### Control flows+ Control flows orchestrate pipeline activities that include chaining activities in a sequence, branching, parameters that you define at the pipeline level, and arguments that you pass as you invoke the pipeline on demand or from a trigger. Control flows also include custom state passing and looping containers (that is, foreach iterators).
@@ -148,34 +173,42 @@ For more information about Data Factory concepts, see the following articles:
- [Integration runtime](concepts-integration-runtime.md) ## What is the pricing model for Data Factory?+ For Azure Data Factory pricing details, see [Data Factory pricing details](https://azure.microsoft.com/pricing/details/data-factory/). ## How can I stay up-to-date with information about Data Factory?+ For the most up-to-date information about Azure Data Factory, go to the following sites: - [Blog](https://azure.microsoft.com/blog/tag/azure-data-factory/) - [Documentation home page](./index.yml) - [Product home page](https://azure.microsoft.com/services/data-factory/)
-## Technical deep dive
+## Technical deep dive
+
+### How can I schedule a pipeline?
-### How can I schedule a pipeline?
You can use the scheduler trigger or time window trigger to schedule a pipeline. The trigger uses a wall-clock calendar schedule, which can schedule pipelines periodically or in calendar-based recurrent patterns (for example, on Mondays at 6:00 PM and Thursdays at 9:00 PM). For more information, see [Pipeline execution and triggers](concepts-pipeline-execution-triggers.md). ### Can I pass parameters to a pipeline run?+ Yes, parameters are a first-class, top-level concept in Data Factory. You can define parameters at the pipeline level and pass arguments as you execute the pipeline run on demand or by using a trigger.
-### Can I define default values for the pipeline parameters?
-Yes. You can define default values for the parameters in the pipelines.
+### Can I define default values for the pipeline parameters?
+
+Yes. You can define default values for the parameters in the pipelines.
+
+### Can an activity in a pipeline consume arguments that are passed to a pipeline run?
-### Can an activity in a pipeline consume arguments that are passed to a pipeline run?
Yes. Each activity within the pipeline can consume the parameter value that's passed to the pipeline and run with the `@parameter` construct.
-### Can an activity output property be consumed in another activity?
+### Can an activity output property be consumed in another activity?
+ Yes. An activity output can be consumed in a subsequent activity with the `@activity` construct.
-### How do I gracefully handle null values in an activity output?
-You can use the `@coalesce` construct in the expressions to handle null values gracefully.
+### How do I gracefully handle null values in an activity output?
+
+You can use the `@coalesce` construct in the expressions to handle null values gracefully.
## Mapping data flows
@@ -194,6 +227,7 @@ Use the Copy activity to stage data from any of the other connectors, and then e
Self-hosted IR is an ADF pipeline construct that you can use with the Copy Activity to acquire or move data to and from on-prem or VM-based data sources and sinks. Stage the data first with a Copy, then Data Flow for transformation, and then a subsequent copy if you need to move that transformed data back to the on-prem store. ### Does the data flow compute engine serve multiple tenants?+ Clusters are never shared. We guarantee isolation for each job run in production runs. In case of debug scenario one person gets one cluster, and all debugs will go to that cluster which are initiated by that user. ## Wrangling data flows
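Review bot: the isolation statement in the new "Does the data flow compute engine serve multiple tenants?" answer is hard to parse ("In case of debug scenario one person gets one cluster, and all debugs will go to that cluster which are initiated by that user"); since this is the sentence readers will cite when assessing tenant isolation, suggest "In debug sessions, each user gets a dedicated cluster, and every debug run that user starts goes to that cluster." In the context line above it, "on-prem" should be "on-premises" to match the rest of the article.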
@@ -272,7 +306,8 @@ Wrangling data flow supports the following data types in SQL. You will get a val
Other data types will be supported in the future. ## Next steps+ For step-by-step instructions to create a data factory, see the following tutorials: -- [Quickstart: Create a data factory](quickstart-create-data-factory-dot-net.md)-- [Tutorial: Copy data in the cloud](tutorial-copy-data-dot-net.md)
+- [Quick-start: Create a data factory](quickstart-create-data-factory-dot-net.md)
+- [Tutorial: Copy data in the cloud](tutorial-copy-data-dot-net.md)
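Review bot: the rename of "Quickstart" to "Quick-start" in the first `+` bullet breaks consistency with the target file name `quickstart-create-data-factory-dot-net.md` and with the "Quickstart:" title form used by the rest of the Azure docs; keep "Quickstart: Create a data factory" unless the linked page's title was changed as well.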
data-factory https://docs.microsoft.com/en-us/azure/data-factory/how-to-discover-explore-purview-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/how-to-discover-explore-purview-data.md
@@ -42,7 +42,7 @@ To discover data registered and scanned by Azure Purview, you can use the Search
### Actions that you can perform over datasets with Data Factory resources You can directly create Linked Service, Dataset, or dataflow over the data you search by Azure Purview. ##  Next steps
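Review bot: "Linked Service, Dataset, or dataflow" mixes capitalisation and spelling; the Data Factory FAQ hunks above use "linked service", "dataset", and "data flow", so align the terms here. Also "the data you search by Azure Purview" reads better as "the data you find through Azure Purview", and the "##  Next steps" heading has a double space after the hashes.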
data-factory https://docs.microsoft.com/en-us/azure/data-factory/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/security-baseline.md
@@ -1232,7 +1232,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
* [How to configure continuous export](../security-center/continuous-export.md)
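Review bot: the corrected `+` line now mentions two mechanisms, Continuous Export and the Azure Security Center data connector for Azure Sentinel, but the only reference visible below it is the continuous export link; if no connector link follows in the part of the list not shown here, add one so readers can find the Sentinel connector setup from this control.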
ddos-protection https://docs.microsoft.com/en-us/azure/ddos-protection/alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/alerts.md
@@ -36,13 +36,13 @@ In this tutorial, you'll learn how to:
With these templates, you will be able to configure alerts for all public IP addresses that you have enabled diagnostic logging on. Hence in order to use these alert templates, you will first need a Log Analytics Workspace with diagnostic settings enabled. See [View and configure DDoS diagnostic logging](diagnostic-logging.md). ### Azure Monitor alert rule
-This [Azure Monitor alert rule](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20DDoS%20Protection/Azure%20Monitor%20Alert%20-%20DDoS%20Mitigation%20Started) will run a simple query to detect when an active DDoS mitigation is occurring. This indicates a potential attack. Action groups can be used to invoke actions as a result of the alert.
+This [Azure Monitor alert rule](https://aka.ms/ddosmitigationstatus) will run a simple query to detect when an active DDoS mitigation is occurring. This indicates a potential attack. Action groups can be used to invoke actions as a result of the alert.
[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FAzure%2520Monitor%2520Alert%2520-%2520DDoS%2520Mitigation%2520Started%2FDDoSMitigationStarted.json) ### Azure Monitor alert rule with Logic App
-This [template](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20DDoS%20Protection/DDoS%20Mitigation%20Alert%20Enrichment) deploys the necessary components of an enriched DDoS mitigation alert: Azure Monitor alert rule, action group, and Logic App. The result of the process is an email alert with details about the IP address under attack, including information about the resource associated with the IP. The owner of the resource is added as a recipient of the email, along with the security team. A basic application availability test is also performed and the results are included in the email alert.
+This [template](https://aka.ms/ddosalert) deploys the necessary components of an enriched DDoS mitigation alert: Azure Monitor alert rule, action group, and Logic App. The result of the process is an email alert with details about the IP address under attack, including information about the resource associated with the IP. The owner of the resource is added as a recipient of the email, along with the security team. A basic application availability test is also performed and the results are included in the email alert.
[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FDDoS%2520Mitigation%2520Alert%2520Enrichment%2FEnrich-DDoSAlert.json)
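Review bot: both "Deploy to Azure" buttons in this hunk still load their template from `raw.githubusercontent.com/Azure/Azure-Network-Security/master/...` while the prose links were switched to aka.ms redirects; a reader clicking the button deploys whatever is on the master branch at that moment, and the redirect can move independently of the button. Consider pinning the template URI to a tagged release or commit and keeping the text link and the button on the same revision so the two cannot drift apart.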
ddos-protection https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/diagnostic-logging.md
@@ -124,7 +124,7 @@ The following table lists the field names and descriptions:
## Enable diagnostic logging on all public IPs
-This [template](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20DDoS%20Protection/Enable%20Diagnostic%20Logging/Azure%20Policy) creates an Azure Policy definition to automatically enable diagnostic logging on all public IP logs in a defined scope.
+This [template](https://aka.ms/ddosdiaglogs) creates an Azure Policy definition to automatically enable diagnostic logging on all public IP logs in a defined scope.
[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FEnable%2520Diagnostic%2520Logging%2FAzure%2520Policy%2FDDoSLogs.json)
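Review bot: "automatically enable diagnostic logging on all public IP logs" in the `+` line is circular; suggest "on all public IP addresses in a defined scope". The "Deploy to Azure" button below it fetches `DDoSLogs.json` from the master branch, so the same unpinned-revision concern raised for the alert templates applies here.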
@@ -138,7 +138,7 @@ You can connect logs to Azure Sentinel, view and analyze your data in workbooks,
### Azure DDoS Protection Workbook
-You can use this Azure Resource Manager (ARM) template to deploy an attack analytics workbook. This workbook allows you to visualize attack data across several filterable panels to easily understand whatΓÇÖs at stake.
+You can use [this Azure Resource Manager (ARM) template](https://aka.ms/ddosworkbook) to deploy an attack analytics workbook. This workbook allows you to visualize attack data across several filterable panels to easily understand whatΓÇÖs at stake.
[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%2520DDoS%2520Protection%2FAzure%2520DDoS%2520Protection%2520Workbook%2FAzureDDoSWorkbook_ARM.json)
ddos-protection https://docs.microsoft.com/en-us/azure/ddos-protection/manage-permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/manage-permissions.md
@@ -39,7 +39,7 @@ To enable DDoS protection for a virtual network, your account must also be assig
Creation of more than one plan is not required for most organizations. A plan cannot be moved between subscriptions. If you want to change the subscription a plan is in, you have to delete the existing plan and create a new one.
-For customers who have various subscriptions, and who want to ensure a single plan is deployed across their tenant for cost control, you can use Azure Policy to [restrict creation of Azure DDoS Protection Standard plans](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20DDoS%20Protection/Restrict%20creation%20of%20Azure%20DDoS%20Protection%20Standard%20Plans%20with%20Azure%20Policy). This policy will block the creation of any DDoS plans, unless the subscription has been previously marked as an exception. This policy will also show a list of all subscriptions that have a DDoS plan deployed but should not, marking them as out of compliance.
+For customers who have various subscriptions, and who want to ensure a single plan is deployed across their tenant for cost control, you can use Azure Policy to [restrict creation of Azure DDoS Protection Standard plans](https://aka.ms/ddosrestrictplan). This policy will block the creation of any DDoS plans, unless the subscription has been previously marked as an exception. This policy will also show a list of all subscriptions that have a DDoS plan deployed but should not, marking them as out of compliance.
## Next steps
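Review bot: the `+` line says the policy blocks plan creation "unless the subscription has been previously marked as an exception" but does not say how a subscription is marked (a tag, a policy parameter, or a policy exemption); add the mechanism, or a pointer to the policy definition's parameters, so an administrator can register the exception before the deny effect blocks a legitimate deployment.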
@@ -47,4 +47,4 @@ For customers who have various subscriptions, and who want to ensure a single pl
To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials. > [!div class="nextstepaction"]
-> [View and configure DDoS protection telemetry](telemetry.md)
+> [View and configure DDoS protection telemetry](telemetry.md)
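Review bot: the `-` and `+` lines of the telemetry link are textually identical, so this hunk changes only trailing whitespace or the line ending; if that is deliberate (for example to fix rendering of the `[!div class="nextstepaction"]` block), say so in the commit message, otherwise drop the hunk to keep the diff to substantive changes.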
ddos-protection https://docs.microsoft.com/en-us/azure/ddos-protection/test-through-simulations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/test-through-simulations.md
@@ -59,7 +59,7 @@ Once the resource is under attack, you should see that the value changes from **
### BreakingPoint Cloud API Script
-This [API script](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20DDoS%20Protection/Breaking%20Point%20SDK) can be used to automate DDoS testing by running once or using cron to schedule regular tests. This is useful to validate that your logging is configured properly and that detection and response procedures are effective. The scripts require a Linux OS (tested with Ubuntu 18.04 LTS) and Python 3. Install prerequisites and API client using the included script or by using the documentation on the [BreakingPoint Cloud](http://breakingpoint.cloud/) website.
+This [API script](https://aka.ms/ddosbreakingpoint) can be used to automate DDoS testing by running once or using cron to schedule regular tests. This is useful to validate that your logging is configured properly and that detection and response procedures are effective. The scripts require a Linux OS (tested with Ubuntu 18.04 LTS) and Python 3. Install prerequisites and API client using the included script or by using the documentation on the [BreakingPoint Cloud](http://breakingpoint.cloud/) website.
## Next steps
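Review bot: `http://breakingpoint.cloud/` in this hunk is a plain-HTTP link to the vendor site from which readers are told to install an API client; if the site is served over HTTPS, link to `https://breakingpoint.cloud/` so the install instructions are not retrieved over an unauthenticated channel. Separately, "Install prerequisites and API client" should read "Install the prerequisites and the API client".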
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/architecture-agent-based https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/architecture-agent-based.md
@@ -0,0 +1,47 @@
+
+ Title: Agent-based solution architecture
+description: Learn about Azure Defender for IoT agent-based architecture and information flow.
++
+documentationcenter: na
++
+editor: ''
+
+ms.devlang: na
+
+ na
+ Last updated : 1/25/2021+++
+# Agent-based solution for device builders
+
+This article describes the functional system architecture of the Defender for IoT agent-based solution. Azure Defender for IoT offers two sets of capabilities to fit your environment's needs, agentless solution for organizations, and agent-based solution for device builders.
+
+## IoT hub built-in security
+
+Defender for IoT is enabled by default in every new IoT Hub that is created. Defender for IoT provides real-time monitoring, recommendations, and alerts, without requiring agent installation on any devices and uses advanced analytics on logged IoT Hub meta data to analyze and protect your field devices and IoT hubs.
+
+## Defender for IoT micro agent
+
+Defender for IoT micro agent provides depth security protection and visibility into device behavior. collects, aggregates, and analyze raw security events from your devices. Raw security events can include IP connections, process creation, user logins, and other security-relevant information. Defender for IoT device agents also handles event aggregation to help avoid high network throughput. The agents are highly customizable, allowing you to use them for specific tasks, such as sending only important information at the fastest SLA, or for aggregating extensive security information and context into larger segments, avoiding higher service costs.
+
+Device agents, and other applications use the **Azure send security message SDK** to send security information into Azure IoT hub. IoT hub gets this information and forwards it to the Defender for IoT service.
+
+Once the Defender for IoT service is enabled, in addition to the forwarded data, IoT hub also sends out all of its internal data for analysis by Defender for IoT. This data includes device-cloud operation logs, device identities, and hub configuration. All of this information helps to create the Defender for IoT analytics pipeline.
+
+Defender for IoT analytics pipeline also receives other threat intelligence streams from various sources within Microsoft and Microsoft partners. The Defender for IoT entire analytics pipeline works with every customer configuration made on the service (such as custom alerts and use of the send security message SDK).
+
+Using the analytics pipeline, Defender for IoT combines all of the streams of information to generate actionable recommendations and alerts. The pipeline contains both custom rules created by security researchers and experts as well as machine learning models searching for deviation from standard device behavior and risk analysis.
+
+Defender for IoT recommendations and alerts (analytics pipeline output) is written to the Log Analytics workspace of each customer. Including the raw events in the workspace and the alerts and recommendations enables deep dive investigations and queries using the exact details of the suspicious activities detected.
++
+## See also
+
+[Defender for IoT FAQ](resources-frequently-asked-questions.md)
+
+[System prerequisites](quickstart-system-prerequisites.md)
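Review bot: the "Defender for IoT micro agent" paragraph contains a sentence fragment that lost its subject when it was adapted from the old "Enhanced mode" text: "... visibility into device behavior. collects, aggregates, and analyze raw security events"; suggest "The micro agent collects, aggregates, and analyzes raw security events from your devices." In the same file, "depth security protection" should be "in-depth security protection", and "recommendations and alerts (analytics pipeline output) is written" should be "are written". The front matter as shown here carries only `documentationcenter`, `editor`, `ms.devlang` and a bare `na`, so verify the new file has the full set of metadata keys before it is published.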
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/architecture.md
@@ -1,6 +1,6 @@
Title: Azure Defender for IoT architecture
-description: Learn about Azure Defender for IoT architecture and information flow.
+ Title: Agentless solution architecture
+description: Learn about Azure Defender for IoT agentless architecture and information flow.
documentationcenter: na
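Review bot: the hunk keeps the original ` Title: Azure Defender for IoT architecture` line as unchanged context while adding `+ Title: Agentless solution architecture`, which would leave two title keys in the front matter; if the intent is a rename, the old line should appear as a `-` line alongside the removed `description:`.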
@@ -12,18 +12,18 @@ ms.devlang: na
na Previously updated : 1/13/2021 Last updated : 1/25/2021 # Azure Defender for IoT architecture
-This article describes the functional system architecture of the Defender for IoT solution. Azure Defender for IoT offers two sets of capabilities to fit your environment's needs, agentless solution for organizations, and agent-based solution for device builders.
+This article describes the functional system architecture of the Defender for IoT agentless solution. Azure Defender for IoT offers two sets of capabilities to fit your environment's needs, agentless solution for organizations, and agent-based solution for device builders.
## Agentless solution for organizations ### Defender for IoT components
-Defender for IoT connects both to the Azure cloud as well as to on-premises components. The solution is designed for scalability in large and geographically distributed environments with multiple remote locations. This solution enables a multi-layered distributed architecture by country, region, business unit, or zone.
+Defender for IoT connects both to the Azure cloud and to on-premises components. The solution is designed for scalability in large and geographically distributed environments with multiple remote locations. This solution enables a multi-layered distributed architecture by country, region, business unit, or zone.
Azure Defender for IoT includes the following components:
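Review bot: the H1 in the context line is still `# Azure Defender for IoT architecture` although the page title was changed to "Agentless solution architecture" and the new sibling page uses `# Agent-based solution for device builders`; rename the heading to match, for example by promoting the existing `## Agentless solution for organizations` heading, so the two articles read as a pair.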
@@ -43,15 +43,15 @@ Azure Defender for IoT includes the following components:
### Azure Defender for IoT sensors
-Defender for IoT sensors discovers and continuously monitor network devices. Sensors collect ICS network traffic using passive (agentless) monitoring on IoT and OT devices.
+The Defender for IoT sensors discover, and continuously monitor network devices. Sensors collect ICS network traffic using passive (agentless) monitoring on IoT and OT devices.
Purpose-built for IoT and OT networks, the agentless technology delivers deep visibility into IoT and OT risk within minutes of being connected to the network. It has zero performance impact on the network and network devices due to its non-invasive, Network Traffic Analysis (NTA) approach.
-Leveraging patented, IoT and OT-aware behavioral analytics and Layer-7 Deep Packet Inspection (DPI), it allows you to analyze beyond traditional signature-based solutions to immediately detect advanced IoT and OT threats (such as fileless malware) based on anomalous or unauthorized activity.
+Applying patented, IoT and OT-aware behavioral analytics and Layer-7 Deep Packet Inspection (DPI), it allows you to analyze beyond traditional signature-based solutions to immediately detect advanced IoT and OT threats (such as fileless malware) based on anomalous or unauthorized activity.
Defender for IoT sensors connects to a SPAN port or network TAP and immediately begins performing DPI on IoT and OT network traffic.
-Data collection, processing, analysis, and alerting takes place directly on the sensor. This makes it ideally suited for locations with low bandwidth or high latency connectivity, because only metadata is transferred to the management console.
+Data collection, processing, analysis, and alerting takes place directly on the sensor. This process makes it ideally suited for locations with low bandwidth or high latency connectivity, because only metadata is transferred to the management console.
The sensor includes five analytics detection engines. The engines trigger alerts based on analysis of both real-time and pre-recorded traffic. The following engines are available:
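Review bot: the new "The Defender for IoT sensors discover, and continuously monitor network devices." inserts a comma between two verbs that share one object; it should be "The Defender for IoT sensors discover and continuously monitor network devices." The rewritten "Applying patented ... DPI, it allows you to analyze ..." still has a dangling modifier, since "Applying" has no subject that matches "it"; suggest "The sensor applies patented, IoT- and OT-aware behavioral analytics and Layer-7 Deep Packet Inspection (DPI) to go beyond signature-based detection and immediately flag advanced IoT and OT threats (such as fileless malware) from anomalous or unauthorized activity."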
@@ -86,13 +86,13 @@ The on-premises management console enables security operations center (SOC) oper
This architecture provides a comprehensive unified view of the network at a SOC level, optimized alert handling, and the control of operational network security, ensuring that decision-making and risk management remain flawless.
-In addition to multi-tenancy, monitoring, data analysis, and centralized sensor remote control, the management console provides additional system maintenance tools (such as alert exclusion) and fully customized reporting features for each of the remote appliances. This scalable architecture supports both local management at a site level, zone level, and global management within the SOC.
+In addition to multi-tenancy, monitoring, data analysis, and centralized sensor remote control, the management console provides extra system maintenance tools (such as alert exclusion) and fully customized reporting features for each of the remote appliances. This architecture supports both local management at a site level, zone level, and global management within the SOC.
The management console can be deployed for high-availability configuration, which provides a backup console that periodically receives backups of all configuration files required for recovery. If the primary console fails, the local site management appliances will automatically fail over to synchronize with the backup console to maintain availability without interruption. Tightly integrated with your SOC workflows and run books, it enables easy prioritization of mitigation activities and cross-site correlation of threats. -- Holistic - reduce complexity with a single unified platform for device management, risk and vulnerability management, as well as threat monitoring with incident response.
+- Holistic - reduce complexity with a single unified platform for device management, risk and vulnerability management, and threat monitoring with incident response.
- Aggregation and correlation ΓÇô display, aggregate, and analyze data and alerts collected from all sites.
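Review bot: "ensuring that decision-making and risk management remain flawless" in the unchanged context line is an unverifiable claim for an architecture description; suggest "supporting decision-making and risk management" or similar. In the `+` bullet the label and text are separated by a plain hyphen ("Holistic - reduce ...") while the next bullet uses a different dash character, so settle on one separator for the list.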
@@ -107,30 +107,10 @@ The Defender for IoT portal in Azure is used to help you:
- Purchase solution appliances - Install and update software-- Onboard sensors to Azure-- Update Threat Intelligence packages-
-## Agent-based solution for device builders
-
-### Embedded security agent: Built-in mode
-
-In **Built-in** mode, Defender for IoT is enabled when you elect to turn on the **Security** option in your IoT hub. Offering real-time monitoring, recommendations and alerts, built-in mode offers single-step device visibility and unmatched security. Build-in mode does not require agent installation on any devices and uses advanced analytics on logged activities to analyze and protect your field device and IoT hub.
-
-### Embedded security agent: Enhanced mode
-
-In **Enhanced** mode, after turning on the **Security** option in your IoT hub and installing Defender for IoT device agents on your devices, the agents collect, aggregate, and analyze raw security events from your devices. Raw security events can include IP connections, process creation, user logins, and other security-relevant information. Defender for IoT device agents also handles event aggregation to help avoid high network throughput. The agents are highly customizable, allowing you to use them for specific tasks, such as sending only important information at the fastest SLA, or for aggregating extensive security information and context into larger segments, avoiding higher service costs.
-Device agents, and other applications use the **Azure send security message SDK** to send security information into Azure IoT hub. IoT hub gets this information and forwards it to the Defender for IoT service.
-
-Once the Defender for IoT service is enabled, in addition to the forwarded data, IoT hub also sends out all of its internal data for analysis by Defender for IoT. This data includes device-cloud operation logs, device identities, and hub configuration. All of this information helps to create the Defender for IoT analytics pipeline.
-
-Defender for IoT analytics pipeline also receives additional threat intelligence streams from various sources within Microsoft and Microsoft partners. The Defender for IoT entire analytics pipeline works with every customer configuration made on the service (such as custom alerts and use of the send security message SDK).
-
-Using the analytics pipeline, Defender for IoT combines all of the streams of information to generate actionable recommendations and alerts. The pipeline contains both custom rules created by security researchers and experts as well as machine learning models searching for deviation from standard device behavior and risk analysis.
-
-Defender for IoT recommendations and alerts (analytics pipeline output) is written to the Log Analytics workspace of each customer. Including the raw events in the workspace as well as the alerts and recommendations enables deep dive investigations and queries using the exact details of the suspicious activities detected.
+- Onboard sensors to Azure
+- Update Threat Intelligence packages
## See also
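Review bot: the removed "Built-in mode" paragraph said Defender for IoT is enabled "when you elect to turn on the **Security** option in your IoT hub", while the new agent-based article in this same change set says it "is enabled by default in every new IoT Hub that is created"; these describe different enablement behaviour, so confirm which is accurate before the old wording disappears from this page. Since the agent-based material now lives in its own article, the "See also" section below should link to it. The line `- Install and update software-- Onboard sensors to Azure-- Update Threat Intelligence packages-` suggests the removed bullets lost their line breaks; verify that the two re-added `+` bullets render as separate list items after "Install and update software".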
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-agent-portfolio-overview-os-support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-agent-portfolio-overview-os-support.md
@@ -0,0 +1,36 @@
+
+ Title: Agent portfolio overview and OS support (Preview)
+description: Azure Defender for IoT provides a large portfolio of agents based on the device type.
+++ Last updated : 1/20/2021++++
+# Agent portfolio overview and OS support (Preview)
+
+Azure Defender for IoT provides a large portfolio of agents based on the device type.
+
+## Standalone agent
+
+The standalone agent covers most of the Linux operating systems, which can be deployed as a binary package or as a source code that can be incorporated as part of the firmware and allow modification and customization based on customer needs. An example of OS support:
+
+| Operating system | AMD64 | ARM32v7 |
+|--|--|--|
+| Debian 9 | Γ£ô | Γ£ô |
+| Ubuntu 18.04 | Γ£ô | |
+| Ubuntu 20.04 | Γ£ô | |
+
+For more details, operating system support, or to request access to the source code so you can incorporate it as a part of the device's firmware, contact your account manager, or send an email to <defender_micro_agent@microsoft.com>.
+
+## Azure RTOS micro agent
+
+The Azure Defender for IoT micro agent provides a comprehensive and lightweight security solution for devices that use Azure RTOS. Azure Defender for IoT micro agent provides coverage for common threats, and potential malicious activities on real-time operating system (RTOS) devices. The micro agent comes built in as part of the Azure RTOS NetX Duo component, and monitors the device's network activity.
+
+The Azure Defender for IoT micro agent comes built in as part of the Azure RTOS NetX Duo component, and monitors the device's network activity. The micro agent consists of a comprehensive and lightweight security solution that provides coverage for common threats, and potential malicious activities on a real-time operating system (RTOS) devices.
+
+## Next steps
+
+Learn more about the [Standalone micro agent overview (Preview)](concept-standalone-micro-agent-overview.md).
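Review bot: the two paragraphs under "## Azure RTOS micro agent" say the same thing twice (both state that the micro agent is built into the Azure RTOS NetX Duo component and covers common threats on RTOS devices); keep one. In the second, "on a real-time operating system (RTOS) devices" should drop the "a". The table is introduced as "An example of OS support" right after the claim that the agent "covers most of the Linux operating systems"; state whether the table is the full supported list or only a sample, because readers will plan deployments from it, and fix "For more details, operating system support, or to request access" to "For more details on operating system support, or to request access".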
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-customizable-security-alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-customizable-security-alerts.md
@@ -1,5 +1,5 @@
Title: Customizable security alerts
+ Title: Custom security alerts
description: Learn about customizable security alerts and recommended remediation using Defender for IoT features and service.
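Review bot: the title is renamed from "Customizable security alerts" to "Custom security alerts", but the description line directly beneath it still reads `Learn about customizable security alerts and recommended remediation...`, and the file keeps its `concept-customizable-security-alerts.md` name, which other articles in this update link with the text "customizable alerts". Either update the description and the referring link text to match the new title, or keep the old wording throughout; a half-renamed page is harder to search for.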
@@ -16,43 +16,43 @@ Last updated 03/04/2020
-# Defender for IoT customizable security alerts
+# Defender for IoT custom security alerts
Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. We encourage you to create custom alerts based on your knowledge of expected device behavior to ensure alerts act as the most efficient indicators of potential compromise in your unique organizational deployment and landscape.
-The following list of Defender for IoT alerts are definable by you based on your expected IoT Hub and/or device behavior. For more details about how to customize each alert, see [create custom alerts](quickstart-create-custom-alerts.md).
-
-## IoT Hub alerts available for customization
-
-| Severity | Alert name | Data source | Description | Suggested remediation|
-||||||
-| Low | Custom alert - number of cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub | Number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.||
-| Low | Custom alert - number of rejected cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub | Number of cloud to device messages (AMQP protocol) rejected by the device, within a specific time window is outside the currently configured and allowable range.||
-| Low | Custom alert - number of device to cloud messages in AMQP protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.| |
-| Low | Custom alert - number of direct method invokes is outside the allowed range | IoT Hub | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range.||
-| Low | Custom alert - number of file uploads is outside the allowed range | IoT Hub | The amount of file uploads within a specific time window is outside the currently configured and allowable range.| |
-| Low | Custom alert - number of cloud to device messages in HTTP protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (HTTP protocol) in a time window is not in the configured allowed range |
-| Low | Custom alert - number of rejected cloud to device messages in HTTP protocol is not in the allowed range | IoT Hub | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. |
-| Low | Custom alert - number of device to cloud messages in HTTP protocol is outside the allowed range | IoT Hub| The amount of device to cloud messages (HTTP protocol)within a specific time window is outside the currently configured and allowable range.| |
-| Low | Custom alert - number of cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.| |
-| Low | Custom alert - number of rejected cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
-| Low | Custom alert - number of device to cloud messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.|
-| Low | Custom alert - number of command queue purges is outside the allowed range | IoT Hub | The amount of command queue purges within a specific time window is outside the currently configured and allowable range.||
-| Low | Custom alert - number of module twin updates is outside the allowed range | IoT Hub | The amount of module twin updates within a specific time window is outside the currently configured and allowable range.|
-| Low | Custom alert - number of unauthorized operations is outside the allowed range | IoT Hub | The amount of unauthorized operations within a specific time window is outside the currently configured and allowable range.|
-|
-
-## Agent alerts available for customization
-
-| Severity | Alert name | Data source | Description | Suggested remediation|
-||||||
-| Low | Custom alert - number of active connections is outside the allowed range | Agent | Number of active connections within a specific time window is outside the currently configured and allowable range.| Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed connection list. |
-| Low | Custom alert - outbound connection created to an IP that isn't allowed | Agent | An outbound connection was created to an IP that is outside your allowed IP list. |Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed IP list. |
-| Low | Custom alert - number of failed local logins is outside the allowed range | Agent | The amount of failed local logins within a specific time window is outside the currently configured and allowable range. | |
-| Low | Custom alert - login of a user that is not on the allowed user list | Agent | A local user outside your allowed user list, logged in to the device.| If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.|
-| Low | Custom alert - a process was executed that is not allowed | Agent | A process that is not allowed was executed on the device. |If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings. |
+The following lists of Defender for IoT alerts are definable by you based on your expected IoT Hub and/or device behavior. For more information about how to customize each alert, see [create custom alerts](quickstart-create-custom-alerts.md).
+
+## Built-in custom alerts in the IoT Hub
+
+| Severity | Alert name | Data source | Description | Suggested remediation |
+|--|--|--|--|--|
+| Low | Custom alert - The number of cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub | The number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of rejected cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub | The number of cloud to device messages (AMQP protocol) rejected by the device, within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of device to cloud messages in AMQP protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of direct method invokes is outside the allowed range | IoT Hub | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of file uploads is outside the allowed range | IoT Hub | The amount of file uploads within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of cloud to device messages in HTTP protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (HTTP protocol) in a time window is not in the configured allowed range |
+| Low | Custom alert - The number of rejected cloud to device messages in HTTP protocol is not in the allowed range | IoT Hub | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of device to cloud messages in HTTP protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of rejected cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of device to cloud messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of command queue purges that are outside of the allowed range | IoT Hub | The amount of command queue purges within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of module twin updates is outside the allowed range | IoT Hub | The amount of module twin updates within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of unauthorized operations is outside the allowed range | IoT Hub | The amount of unauthorized operations within a specific time window is outside the currently configured and allowable range. |
++
+## Agent-based security custom alerts
+
+| Severity | Alert name | Data source | Description | Suggested remediation |
+|--|--|--|--|--|
+| Low | Custom alert - The number of active connections is outside the allowed range | Classic security module, Azure RTOS | Number of active connections within a specific time window is outside the currently configured and allowable range. | Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed connection list. |
+| Low | Custom alert - The outbound connection created to an IP that isn't allowed | Classic security module, Azure RTOS | An outbound connection was created to an IP that is outside your allowed IP list. | Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed IP list. |
+| Low | Custom alert - The number of failed local logins is outside the allowed range | Classic security module, Azure RTOS | The number of failed local logins within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The sign in of a user that is not on the allowed user list | Classic security module, Azure RTOS | A local user outside your allowed user list, logged in to the device. | If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source, and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings. |
+| Low | Custom alert - A process was executed that is not allowed | Classic security module, Azure RTOS | A process that is not allowed was executed on the device. | If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source, and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings. |
| ## Next steps
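Review bot: several rows in the rebuilt IoT Hub table still have one cell fewer than the five-column header, so the "Suggested remediation" column is missing for them: the HTTP cloud-to-device row (`... in a time window is not in the configured allowed range |`), the rejected HTTP row, the rejected MQTT row, the MQTT device-to-cloud row, the module twin updates row, and the unauthorized operations row all end after the Description cell. Append `| |` to each, and give the HTTP description a full stop and the same wording as its neighbours (it is the only one phrased "is not in the configured allowed range" instead of "is outside the currently configured and allowable range"). Two alert names read oddly against the rest: `Custom alert - The number of command queue purges that are outside of the allowed range` (every other name says "is outside the allowed range") and `Custom alert - The outbound connection created to an IP that isn't allowed` ("An outbound connection was created to an IP that isn't allowed" matches its own description). The line after the IoT Hub table is a stray `++` and the closing context line starts with a stray `|` before `## Next steps`; both should be a plain blank line and a plain heading. Finally, the Data source column now says "Classic security module, Azure RTOS" for all five agent alerts, including failed local logins and disallowed process execution; confirm the Azure RTOS micro agent actually raises those, because the event aggregation article in this same update lists `ProcessCreate (Linux only)` and only `ConnectionCreate` for Azure RTOS.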
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-event-aggregation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-event-aggregation.md
@@ -0,0 +1,47 @@
+
+ Title: Event aggregation (Preview)
+
+description: Defender for IoT security agents collects data and system events from your local device, and sends the data to the Azure cloud for processing, and analytics.
+++ Last updated : 1/20/2021++++
+# Event aggregation (Preview)
+
+Defender for IoT security agents collects data and system events from your local device, and sends the data to the Azure cloud for processing, and analytics. The Defender for IoT micro agent collects many types of device events including new processes, and all new connection events. Both the new process, and new connection events may occur frequently on a device within a second. This ability is important for comprehensive security, however, the number of messages security agents send may quickly meet, or exceed your IoT Hub quota and cost limits. Nevertheless, these events contain highly valuable security information that is crucial to protecting your device.
+
+To reduce the extra quota, and costs while keeping your devices protected, Defender for IoT agents aggregates these types of events:
+
+- ProcessCreate (Linux only)
+
+- ConnectionCreate (Azure RTOS only)
+
+## How does event aggregation work?
+
+Defender for IoT agents aggregate events for the interval period, or time window. Once the interval period has passed, the agent sends the aggregated events to the Azure cloud for further analysis. The aggregated events are stored in memory until being sent to the Azure cloud.
+
+When the agent collects an identical event to one that is already kept in memory, the agent increases the hit count of this specific event, in order to reduce the memory footprint of the agent. When the aggregation time window passes, the agent sends the hit count of each type of event that occurred. Event aggregation is simply the aggregation of the hit counts of each collected type of event.
+
+## Process events
+
+Process events are currently only supported on Linux operating systems.
+
+Process events are considered identical when the *command line*, and *userid* are identical.
+
+The default buffer for process events is 32 processes, after which the buffer will cycle, and the oldest process events are discarded in order to make room for new process events.
+
+## Network Connection events
+
+Network Connection events are currently only supported on Azure RTOS.
+
+Network Connection events are considered identical when the *local port*, *remote port*, *transport protocol*, *local address*, and *remote address* are identical.
+
+The default buffer for network connection events is 64. No new network events will be cached until the next collection cycle. A warning to increase the cache size will be logged.
+
+## Next steps
+
+Check your [Defender for IoT security alerts](concept-security-alerts.md).
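Review bot: the overflow behaviour differs between the two event types and the text should say so explicitly, because it decides what an investigator can trust from a window: for process events `the buffer will cycle, and the oldest process events are discarded`, so a burst of more than 32 distinct command-line/userid pairs inside one window silently evicts the earliest ones, hit counts included; for network events `No new network events will be cached until the next collection cycle`, so the newest are the ones dropped. State in each section which events are lost and that their hit counts go with them, and name the setting the logged warning refers to (`A warning to increase the cache size will be logged` never says where the cache size is configured). Grammar in the intro: `Defender for IoT security agents collects data` and `Defender for IoT agents aggregates these types of events` need plural verbs (`collect`, `aggregate`), and `To reduce the extra quota, and costs while keeping your devices protected` reads better as `To reduce quota consumption and cost while keeping your devices protected`. `## Network Connection events` should be `## Network connection events` to match the sentence-case headings elsewhere in the file.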
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-recommendations.md
@@ -4,7 +4,7 @@ description: Learn about the concept of security recommendations and how they ar
documentationcenter: na-+ editor: ''
@@ -12,51 +12,51 @@ ms.devlang: na
na Previously updated : 09/09/2020- Last updated : 01/25/2021+ # Security recommendations Defender for IoT scans your Azure resources and IoT devices and provides security recommendations to reduce your attack surface.
-Security recommendations are actionable and aim to aid customers in complying to security best practices.
+Security recommendations are actionable and aim to aid customers in complying with security best practices.
-In this article, you will find a list of recommendations which can be triggered on your IoT Hub and/or IoT devices.
+In this article, you will find a list of recommendations, which can be triggered on your IoT Hub and/or IoT devices.
-## Recommendations for IoT devices
+## Agent-based recommendations
Device recommendations provide insights and suggestions to improve device security posture.
-| Severity | Name | Data Source | Description |
-|-|--|-|-|
-| Medium | Open Ports on device | Agent | A listening endpoint was found on the device . |
-| Medium | Permissive firewall policy found in one of the chains. | Agent | Allowed firewall policy found (INPUT/OUTPUT). Firewall policy should deny all traffic by default, and define rules to allow necessary communication to/from the device. |
-| Medium | Permissive firewall rule in the input chain was found | Agent | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
-| Medium | Permissive firewall rule in the output chain was found | Agent | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
-| Medium | Operation system baseline validation has failed | Agent | Device doesn't comply with [CIS Linux benchmarks](https://www.cisecurity.org/cis-benchmarks/). |
+| Severity | Name | Data Source | Description |
+|--|--|--|--|
+| Medium | Open Ports on device | Classic security module | A listening endpoint was found on the device. |
+| Medium | Permissive firewall policy found in one of the chains. | Classic security module | Allowed firewall policy found (INPUT/OUTPUT). Firewall policy should deny all traffic by default, and define rules to allow necessary communication to/from the device. |
+| Medium | Permissive firewall rule in the input chain was found | Classic security module | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
+| Medium | Permissive firewall rule in the output chain was found | Classic security module | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
+| Medium | Operation system baseline validation has failed | Classic security module | Device doesn't comply with [CIS Linux benchmarks](https://www.cisecurity.org/cis-benchmarks/). |
-### Operational recommendations for IoT devices
+### Agent-based operational recommendations
Operational recommendations provide insights and suggestions to improve security agent configuration.
-| Severity | Name | Data Source | Description |
-|-|--|-|--|
-| Low | Agent sends unutilized messages | Agent | 10% or more of security messages were smaller than 4 KB during the last 24 hours. |
-| Low | Security twin configuration not optimal | Agent | Security twin configuration is not optimal. |
-| Low | Security twin configuration conflict | Agent | Conflicts were identified in the security twin configuration. | |
-|
+| Severity | Name | Data Source | Description |
+|--|--|--|--|
+| Low | Agent sends unutilized messages | Classic security module | 10% or more of security messages were smaller than 4 KB during the last 24 hours. |
+| Low | Security twin configuration not optimal | Classic security module | Security twin configuration is not optimal. |
+| Low | Security twin configuration conflict | Classic security module | Conflicts were identified in the security twin configuration. | |
-## Recommendations for IoT Hub
+
+## Built in recommendations in IoT Hub
Recommendation alerts provide insight and suggestions for actions to improve the security posture of your environment.
-| Severity | Name | Data Source | Description |
-|-|-|-|-|
-| High | Identical authentication credentials used by multiple devices | IoT Hub | IoT Hub authentication credentials are used by multiple devices. This may indicate an illegitimate device impersonating a legitimate device. Duplicate credential use increases the risk of device impersonation by a malicious actor. |
-| Medium | Default IP filter policy should be deny | IoT Hub | IP filter configuration should have rules defined for allowed traffic, and should by default, deny all other traffic by default. |
-| Medium | IP filter rule includes large IP range | IoT Hub | An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors. |
-| Low | Enable diagnostics logs in IoT Hub | IoT Hub | Enable logs and retain them for up to a year. Retaining logs enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. |
-|
+| Severity | Name | Data Source | Description |
+|--|--|--|--|
+| High | Identical authentication credentials used by multiple devices | IoT Hub | IoT Hub authentication credentials are used by multiple devices. This process may indicate an illegitimate device impersonating a legitimate device. Duplicate credential use increases the risk of device impersonation by a malicious actor. |
+| Medium | Default IP filter policy should be deny | IoT Hub | IP filter configuration should have rules defined for allowed traffic, and should by default, deny all other traffic by default. |
+| Medium | IP filter rule includes large IP range | IoT Hub | An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors. |
+| Low | Enable diagnostics logs in IoT Hub | IoT Hub | Enable logs and retain them for up to a year. Retaining logs enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. |
+ ## Next steps
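Review bot: two defects carried over from the old tables survive the rewrite and should be fixed while the rows are being touched: `Operation system baseline validation has failed` should be `Operating system baseline validation has failed`, and the IP filter row still says `should by default, deny all other traffic by default` (drop one "by default"). In the prose above the tables, the new comma in `a list of recommendations, which can be triggered on your IoT Hub` turns a restrictive clause into a non-restrictive one; the original `recommendations which can be triggered` (or `that can be triggered`) was right. In the "Identical authentication credentials" row, `This process may indicate an illegitimate device` swaps "This may indicate" for a word that does not fit (credential sharing is not a process); `This may indicate` is better. The new heading `## Built in recommendations in IoT Hub` should be hyphenated (`Built-in`), matching `## Built-in custom alerts in the IoT Hub` in the custom alerts article in this same update. The "Security twin configuration conflict" row keeps a trailing empty cell (`| |`) that the other rows of that table do not have.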
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-security-agent-authentication-methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-security-agent-authentication-methods.md
@@ -4,7 +4,7 @@ description: Learn about the different authentication methods available when usi
documentationcenter: na-+ editor: ''
@@ -12,8 +12,8 @@ ms.devlang: na
na Previously updated : 09/09/2020- Last updated : 01/24/2021+ # Security agent authentication methods
@@ -28,7 +28,7 @@ For each device onboarded to Defender for IoT in the IoT Hub, a security module
## Authentication methods
-The two methods for the AzureIoTSecurity agent to perform authentication:
+The two methods for the Defender for IoT AzureIoTSecurity agent to perform authentication:
- **SecurityModule** authentication mode<br> The agent is authenticated using the security module identity independently of the device identity.
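Review bot: `The two methods for the Defender for IoT AzureIoTSecurity agent to perform authentication:` is still a sentence fragment after the edit; rewrite it as `The Defender for IoT AzureIoTSecurity agent can authenticate in one of two ways:` so the bullet list that follows hangs off a complete sentence.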
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-security-agent-authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-security-agent-authentication.md
@@ -0,0 +1,68 @@
+
+ Title: Security agent authentication (Preview)
+
+description: Perform micro agent authentication with two possible methods.
+++ Last updated : 1/20/2021++++
+# Micro agent authentication methods (Preview)
+
+There are two options for authentication with the Defender for IoT Micro Agent:
+
+- Connection string
+
+- Certificate
+
+## Authentication using a connection string
+
+In order to use a connection string, you need to add a file that uses the connection string encoded in utf-8 in the defender agent directory in a file named `connection_string.txt`. For example,
+
+```azurecli
+echo ΓÇ£<connection string>ΓÇ¥ > connection_string.txt
+```
+
+Once you have done that, you should then restart the service using this command.
+
+```azurecli
+sudo systemctl restart defender-iot-micro-agent.service
+```
+
+## Authentication using a certificate
++
+To perform authentication using a certificate:
+
+1. Place the PEM-encoded public part of a certificate into the defender agent directory, in a file called `certificate_public.pem`.
+1. Place the PEM-encoded private key, into the defender agent directory, in a file called `certificate_private.pem`.
+1. Place the appropriate connection string in a file named `connection_string.txt`. For example,
+
+ ```azurecli
+ HostName=<the host name of the iot hub>;DeviceId=<the id of the device>;ModuleId=<the id of the module>;x509=true
+ ```
+
+ This action indicates that the defender agent will expect a certificate to be provided for authentication.
+
+1. restart the service using the following code:
+
+ ```azurecli
+ sudo systemctl restart defender-iot-micro-agent.service
+ ```
+
+## Ensure the micro agent is running correctly
+
+1. Run the following command:
+ ```azurecli
+ systemctl status defender-iot-micro-agent.service
+ ```
+1. Check that the service is stable by making sure it is **active** and that the uptime of the process is appropriate:
+
+ :::image type="content" source="media/concept-security-agent-authentication/active.png" alt-text="Ensure your service is stable by making sure it is active.":::
+
+## Next steps
+
+Check your [Security posture ΓÇô CIS benchmark](concept-security-posture.md).
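Review bot: the connection-string example writes the secret with curly quotes that have come through as `echo ΓÇ£<connection string>ΓÇ¥ > connection_string.txt`; a shell treats curly quotes as ordinary characters, so they would be written into `connection_string.txt` together with the string and the agent would fail to parse it. Use plain ASCII double quotes, and say that `echo` appends a trailing newline and leaves the string in the shell history; the safer instruction is to create the file with an editor or a heredoc and then restrict it to the service account (for example `chmod 600 connection_string.txt` with the right owner), because a world-readable connection string is a device-identity credential that any local process could reuse. The same permission note belongs next to `certificate_private.pem` in the certificate section. Three of the fences are tagged `azurecli` but contain no Azure CLI: two are `systemctl` commands (tag them `bash`) and one is the content of `connection_string.txt` (`HostName=<the host name of the iot hub>;DeviceId=<the id of the device>;ModuleId=<the id of the module>;x509=true`, tag it `text`). The page refers to "the defender agent directory" three times without ever giving its path; add it once. Minor: step 1 of the certificate section says `the PEM-encoded public part of a certificate`, but the file holds the certificate itself, not just a public key, and the last step starts with lowercase `restart the service`.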
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-security-alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-security-alerts.md
@@ -4,7 +4,7 @@ description: Learn about security alerts and recommended remediation using Defen
documentationcenter: na-+ editor: ''
@@ -12,8 +12,8 @@ ms.devlang: na
na Previously updated : 10/08/2020- Last updated : 1/25/2021+ # Defender for IoT security alerts
@@ -22,74 +22,74 @@ Defender for IoT continuously analyzes your IoT solution using advanced analytic
In addition, you can create custom alerts based on your knowledge of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated and remediated.
-In this article, you will find a list of built-in alerts, which can be triggered on your IoT Hub and/or IoT devices.
+In this article, you will find a list of built-in alerts, which can be triggered on your IoT Hub and IoT devices.
In addition to built-in alerts, Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior. For more information, see [customizable alerts](concept-customizable-security-alerts.md).
-## Built-in alerts for IoT devices
+## Agent based security alerts
-| Name | Severity | Data Source | Description | Suggested remediation steps|
-|-||-|--|--|
-|**High** severity| | | |
-| Binary Command Line | High | Agent | LA Linux binary being called/executed from the command line was detected. This process may be legitimate activity, or an indication that your device is compromised.| Review the command with the user that ran it and check if this is something legitimately expected to run on the device. If not, escalate the alert to your information security team. |
-| Disable firewall | High | Agent | Possible manipulation of on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data.| Review with the user that ran the command to confirm if this was legitimate expected activity on the device. If not, escalate the alert to your information security team. |
-| Port forwarding detection | High| Agent | Initiation of port forwarding to an external IP address detected.| Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
-| Possible attempt to disable Auditd logging detected | High | Agent | Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system. |Check with the device owner if this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalated the incident to your information security team.|
-| Reverse shells | High | Agent | Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor.| Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
-| Successful Bruteforce attempt | High | Agent | Multiple unsuccessful login attempts were identified, followed by a successful login. Attempted Bruteforce attack may have succeeded on the device. | Review SSH Bruteforce alert and the activity on the devices. <br>If the activity was malicious:<br> Roll out password reset for compromised accounts.<br> Investigate and remediate (if found) devices for malware. |
-| Successful local login | High | Agent | Successful local sign in to the device detected | Make sure the signed in user is an authorized party. |
-| Web shell | High | Agent | Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation.| Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
-|**Medium** severity| | | |
-| Behavior similar to common Linux bots detected | Medium| Agent | Execution of a process normally associated with common Linux botnets detected.| Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
-| Behavior similar to Fairware ransomware detected | Medium | Agent | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. |Review with the user that ran the command this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Behavior similar to ransomware detected | Medium | Agent | Execution of files similar to known ransomware that may prevent users from accessing their system, or personal files, and may demand ransom payment to regain access.|Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Crypto coin miner container image detected | Medium | Agent | Container detecting running known digital currency mining images. | 1. If this behavior is not intended, delete the relevant container image.<br> 2. Make sure that the Docker daemon is not accessible via an unsafe TCP socket.<br> 3. Escalate the alert to the information security team.|
-| Crypto coin miner image | Medium| Agent | Execution of a process normally associated with digital currency mining detected.| Verify with the user that ran the command if this was legitimate activity on the device. If not, escalate the alert to the information security team.|
-| Detected suspicious use of the nohup command | Medium | Agent | Suspicious use of the nohup command on host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Detected suspicious use of the useradd command | Medium | Agent | Suspicious use of the useradd command detected on the device. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Exposed Docker daemon by TCP socket | Medium | Agent | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. Default Docker configuration enables full access to the Docker daemon, by anyone with access to the relevant port.|Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Failed local login | Medium | Agent | A failed local login attempt to the device was detected. |Make sure no unauthorized party has physical access to the device.|
-| File downloads from a known malicious source detected | Medium | Agent | Download of a file from a known malware source detected.|Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| htaccess file access detected | Medium | Agent | Analysis of host data detected possible manipulation of an htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache Web software, including basic redirect functionality, and more advanced functions, such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence. |Confirm this is legitimate expected activity on the host. If not, escalate the alert to your information security team.|
-| Known attack tool | Medium | Agent | A tool often associated with malicious users attacking other machines in some way was detected. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.|
-| IoT agent attempted and failed to parse the module twin configuration | Medium | Agent | The Defender for IoT security agent failed to parse the module twin configuration due to type mismatches in the configuration object|Validate your module twin configuration against the IoT agent configuration schema, fix all mismatches.
-| Local host reconnaissance detected | Medium | Agent | Execution of a command normally associated with common Linux bot reconnaissance detected. |Review the suspicious command line to confirm that it was executed by a legitimate user. If not, escalate the alert to your information security team.
-| Mismatch between script interpreter and file extension | Medium | Agent | Mismatch between the script interpreter and the extension of the script file provided as input detected. This type of mismatch is commonly associated with attacker script executions. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Possible backdoor detected | Medium | Agent |A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Potential loss of data detected | Medium | Agent | Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines.|Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Potential overriding of common files | Medium | Agent | Common executable overwritten on the device. Malicious actors are known to overwrite common files as a way to hide their actions or as a way to gain persistence. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Privileged container detected | Medium | Agent | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine.|If the container doesn't need to run in privileged mode, remove the privileges from the container.
-| Removal of system logs files detected | Medium | Agent | Suspicious removal of log files on the host detected. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Space after filename | Medium| Agent | Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to be opened and can indicate the presence of malware on the system. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Suspected malicious credentials access tools detected | Medium | Agent | Detection usage of a tool commonly associated with malicious attempts to access credentials. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.|
-| Suspicious compilation detected | Medium | Agent | Suspicious compilation detected. Malicious actors often compile exploits on a compromised machine to escalate privileges. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
-| Suspicious file download followed by file run activity | Medium| Agent| Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines. |Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.|
-| Suspicious IP address communication | Medium | Agent | Communication with a suspicious IP address detected. |Verify if the connection is legitimate. Consider blocking communication with the suspicious IP. |
-|**LOW** severity| | | |
-| Bash history cleared | Low | Agent | Bash history log cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs. |Review with the user that ran the command that the activity in this alert to see if you recognize this as legitimate administrative activity. If not, escalate the alert to the information security team.
-| Device silent | Low | Agent | Device has not sent any telemetry data in the last 72 hours.|Make sure device is online and sending data. Check that the Azure Security Agent is running on the device.|
-| Failed Bruteforce attempt | Low | Agent | Multiple unsuccessful login attempts identified. Potential Bruteforce attack attempt failed on the device. |Review SSH Bruteforce alerts and the activity on the device. No further action required.|
-| Local user added to one or more groups | Low | Agent | New local user added to a group on this device. Changes to user groups are uncommon, and can indicate a malicious actor may be collecting additional permissions.| Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
-| Local user deleted from one or more groups | Low | Agent | A local user was deleted from one or more groups. Malicious actors are known to use this method in an attempt to deny access to legitimate users or to delete the history of their actions.| Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
-| Local user deletion detected | Low | Agent | Deletion of a local user detected. Local user deletion is uncommon, a malicious actor may be trying to deny access to legitimate users or to delete the history of their actions.| Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
+| Name | Severity | Data Source | Description | Suggested remediation steps |
+|--|--|--|--|--|
+| **High** severity | | | |
+| Binary Command Line | High | Classic security module | LA Linux binary being called/executed from the command line was detected. This process may be legitimate activity, or an indication that your device is compromised. | Review the command with the user that ran it and check if this is something legitimately expected to run on the device. If not, escalate the alert to your information security team. |
+| Disable firewall | High | Classic security module | Possible manipulation of on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data. | Review with the user that ran the command to confirm if this was legitimate expected activity on the device. If not, escalate the alert to your information security team. |
+| Port forwarding detection | High | Classic security module | Initiation of port forwarding to an external IP address detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Possible attempt to disable Auditd logging detected | High | Classic security module | Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system. | Check with the device owner if this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalated the incident to your information security team. |
+| Reverse shells | High | Classic security module | Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Successful Bruteforce attempt | High | Classic security module | Multiple unsuccessful login attempts were identified, followed by a successful login. Attempted Bruteforce attack may have succeeded on the device. | Review SSH Bruteforce alert and the activity on the devices. <br>If the activity was malicious:<br> Roll out password reset for compromised accounts.<br> Investigate and remediate (if found) devices for malware. |
+| Successful local login | High | Classic security module | Successful local sign in to the device detected | Make sure the signed in user is an authorized party. |
+| Web shell | High | Classic security module | Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| **Medium** severity | | | |
+| Behavior similar to common Linux bots detected | Medium | Classic security module | Execution of a process normally associated with common Linux botnets detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Behavior similar to Fairware ransomware detected | Medium | Classic security module | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Review with the user that ran the command this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Behavior similar to ransomware detected | Medium | Classic security module | Execution of files similar to known ransomware that may prevent users from accessing their system, or personal files, and may demand ransom payment to regain access. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Crypto coin miner container image detected | Medium | Classic security module | Container detecting running known digital currency mining images. | 1. If this behavior is not intended, delete the relevant container image.<br> 2. Make sure that the Docker daemon is not accessible via an unsafe TCP socket.<br> 3. Escalate the alert to the information security team. |
+| Crypto coin miner image | Medium | Classic security module | Execution of a process normally associated with digital currency mining detected. | Verify with the user that ran the command if this was legitimate activity on the device. If not, escalate the alert to the information security team. |
+| Detected suspicious use of the nohup command | Medium | Classic security module | Suspicious use of the nohup command on host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Detected suspicious use of the useradd command | Medium | Classic security module | Suspicious use of the useradd command detected on the device. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Exposed Docker daemon by TCP socket | Medium | Classic security module | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. Default Docker configuration enables full access to the Docker daemon, by anyone with access to the relevant port. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Failed local login | Medium | Classic security module | A failed local login attempt to the device was detected. | Make sure no unauthorized party has physical access to the device. |
+| File downloads from a known malicious source detected | Medium | Classic security module | Download of a file from a known malware source detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| htaccess file access detected | Medium | Classic security module | Analysis of host data detected possible manipulation of an htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache Web software, including basic redirect functionality, and more advanced functions, such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence. | Confirm this is legitimate expected activity on the host. If not, escalate the alert to your information security team. |
+| Known attack tool | Medium | Classic security module | A tool often associated with malicious users attacking other machines in some way was detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| IoT agent attempted and failed to parse the module twin configuration | Medium | Classic security module | The Defender for IoT security agent failed to parse the module twin configuration due to type mismatches in the configuration object | Validate your module twin configuration against the IoT agent configuration schema, fix all mismatches. |
+| Local host reconnaissance detected | Medium | Classic security module | Execution of a command normally associated with common Linux bot reconnaissance detected. | Review the suspicious command line to confirm that it was executed by a legitimate user. If not, escalate the alert to your information security team. |
+| Mismatch between script interpreter and file extension | Medium | Classic security module | Mismatch between the script interpreter and the extension of the script file provided as input detected. This type of mismatch is commonly associated with attacker script executions. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Possible backdoor detected | Medium | Classic security module | A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Potential loss of data detected | Medium | Classic security module | Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Potential overriding of common files | Medium | Classic security module | Common executable overwritten on the device. Malicious actors are known to overwrite common files as a way to hide their actions or as a way to gain persistence. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Privileged container detected | Medium | Classic security module | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine. | If the container doesn't need to run in privileged mode, remove the privileges from the container. |
+| Removal of system logs files detected | Medium | Classic security module | Suspicious removal of log files on the host detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Space after filename | Medium | Classic security module | Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to be opened and can indicate the presence of malware on the system. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspected malicious credentials access tools detected | Medium | Classic security module | Detection usage of a tool commonly associated with malicious attempts to access credentials. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspicious compilation detected | Medium | Classic security module | Suspicious compilation detected. Malicious actors often compile exploits on a compromised machine to escalate privileges. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspicious file download followed by file run activity | Medium | Classic security module | Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspicious IP address communication | Medium | Classic security module | Communication with a suspicious IP address detected. | Verify if the connection is legitimate. Consider blocking communication with the suspicious IP. |
+| **LOW** severity | | | |
+| Bash history cleared | Low | Classic security module | Bash history log cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs. | Review with the user that ran the command that the activity in this alert to see if you recognize this as legitimate administrative activity. If not, escalate the alert to the information security team. |
+| Device silent | Low | Classic security module | Device has not sent any telemetry data in the last 72 hours. | Make sure device is online and sending data. Check that the Azure Security Agent is running on the device. |
+| Failed Bruteforce attempt | Low | Classic security module | Multiple unsuccessful login attempts identified. Potential Bruteforce attack attempt failed on the device. | Review SSH Bruteforce alerts and the activity on the device. No further action required. |
+| Local user added to one or more groups | Low | Classic security module | New local user added to a group on this device. Changes to user groups are uncommon, and can indicate a malicious actor may be collecting additional permissions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
+| Local user deleted from one or more groups | Low | Classic security module | A local user was deleted from one or more groups. Malicious actors are known to use this method in an attempt to deny access to legitimate users or to delete the history of their actions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
+| Local user deletion detected | Low | Classic security module | Deletion of a local user detected. Local user deletion is uncommon, a malicious actor may be trying to deny access to legitimate users or to delete the history of their actions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
## Built-in alerts for IoT Hub
-| Severity | Name | Description | Suggested remediation|
-|-||-|-|
-|**Medium** severity| | | |
-| New certificate added to an IoT Hub | Medium |A certificate named \'%{DescCertificateName}\' was added to IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity.| 1. Make sure the certificate was added by an authorized party. <br> 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. |
-| Certificate deleted from an IoT Hub | Medium | A certificate named \'%{DescCertificateName}\' was deleted from IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate a malicious activity.| 1. Make sure the certificate was removed by an authorized party. <br> 2. If the certificate was not removed by an authorized party, add the certificate back, and escalate the alert to the organizational security team. |
-| Unsuccessful attempt detected to add a certificate to an IoT Hub | Medium | There was an unsuccessful attempt to add certificate \'%{DescCertificateName}\' to IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity.| Make sure permissions to change certificates are only granted to authorized parties. |
-| Unsuccessful attempt detected to delete a certificate from an IoT Hub | Medium | There was an unsuccessful attempt to delete certificate \'%{DescCertificateName}\' from IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity. |Make sure permissions to change certificates are only granted to an authorized party.|
-| x.509 device certificate thumbprint mismatch | Medium | x.509 device certificate thumbprint did not match configuration. |Review alerts on the devices. No further action required. |
-| x.509 certificate expired | Medium |X.509 device certificate has expired. | This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly this is likely an impersonation attempt. |
-|**Low** severity| | | |
-| Attempt to add or edit a diagnostic setting of an IoT Hub detected | Low | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. |1. Make sure the certificate was removed by an authorized party.<br> 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to your information security team.
-| Attempt to delete a diagnostic setting from an IoT Hub detected | Low | There was %{DescAttemptStatusMessage}\' attempt to add or edit diagnostic setting \'%{DescDiagnosticSettingName}\' of IoT Hub \'%{DescIoTHubName}\'. Diagnostic setting enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate a malicious activity. |Make sure permissions to change diagnostics settings are granted only to an authorized party.|
-| Expired SAS Token | Low | Expired SAS token used by a device |May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt.|
-| Invalid SAS token signature | Low | A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key.| Review the alerts on the devices. No further action required. |
-|
+| Severity | Name | Description | Suggested remediation |
+|--|--|--|--|
+| **Medium** severity | | | |
+| New certificate added to an IoT Hub | Medium | A certificate named \'%{DescCertificateName}\' was added to IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was added by an authorized party. <br> 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. |
+| Certificate deleted from an IoT Hub | Medium | A certificate named \'%{DescCertificateName}\' was deleted from IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate a malicious activity. | 1. Make sure the certificate was removed by an authorized party. <br> 2. If the certificate was not removed by an authorized party, add the certificate back, and escalate the alert to the organizational security team. |
+| Unsuccessful attempt detected to add a certificate to an IoT Hub | Medium | There was an unsuccessful attempt to add certificate \'%{DescCertificateName}\' to IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. |
+| Unsuccessful attempt detected to delete a certificate from an IoT Hub | Medium | There was an unsuccessful attempt to delete certificate \'%{DescCertificateName}\' from IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to an authorized party. |
+| x.509 device certificate thumbprint mismatch | Medium | x.509 device certificate thumbprint did not match configuration. | Review alerts on the devices. No further action required. |
+| x.509 certificate expired | Medium | X.509 device certificate has expired. | This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly this is likely an impersonation attempt. |
+| **Low** severity | | | |
+| Attempt to add or edit a diagnostic setting of an IoT Hub detected | Low | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party.<br> 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to your information security team. |
+| Attempt to delete a diagnostic setting from an IoT Hub detected | Low | There was %{DescAttemptStatusMessage}\' attempt to add or edit diagnostic setting \'%{DescDiagnosticSettingName}\' of IoT Hub \'%{DescIoTHubName}\'. Diagnostic setting enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate a malicious activity. | Make sure permissions to change diagnostics settings are granted only to an authorized party. |
+| Expired SAS Token | Low | Expired SAS token used by a device | May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt. |
+| Invalid SAS token signature | Low | A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key. | Review the alerts on the devices. No further action required. |
+ ## Next steps
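Review bot: the remediation column of the row "Attempt to add or edit a diagnostic setting of an IoT Hub detected" is a copy-paste from the certificate-deletion alert ("Make sure the certificate was removed by an authorized party ... add the certificate back"); it should describe diagnostic settings, for example the "Make sure permissions to change diagnostics settings are granted only to an authorized party" text used on the following row. The row "Attempt to delete a diagnostic setting from an IoT Hub detected" has the mirror problem: its description reads "attempt to add or edit diagnostic setting". The same description also has a stray quote in "There was %{DescAttemptStatusMessage}\' attempt".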
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-security-posture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-security-posture.md
@@ -0,0 +1,27 @@
+
+ Title: Security posture - CIS benchmark
+
+description: Improve your security compliance and posture by using Defender for IoT micro agent.
+++ Last updated : 1/20/2021++++
+# Security posture ΓÇô CIS benchmark
+
+Defender for IoT micro agent enables organizations to improve their security compliance and posture. CIS benchmark-based OS baseline recommendations help identify issues with device security hygiene, and prioritize changes for security hardening.
+
+## Best practices for secure configuration
+
+CIS benchmarks, are the best practices to the secure the configuration of a target system. CIS benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world.
+
+CIS Benchmarks are the only consensus-based, best-practice security configuration guides that are both developed, and accepted by government, business, industry, and academia.
+
+Azure Defender for IoT micro agent enables you to quickly improve your organizationΓÇÖs device security and defense capabilities by offering CIS best practice configurations, along with constant identification of any existing weak links in your OS security posture.
+
+## Next steps
+
+Review your [Event aggregation (Preview)](concept-event-aggregation.md).
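Review bot: grammar in the "Best practices for secure configuration" section: "CIS benchmarks, are the best practices to the secure the configuration of a target system" has a stray comma and a doubled article; suggest "CIS benchmarks are best practices for securing the configuration of a target system." Likewise "that are both developed, and accepted by" needs no comma, and the opening "Defender for IoT micro agent enables" should read "The Defender for IoT micro agent enables" to match the last paragraph.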
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/concept-standalone-micro-agent-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/concept-standalone-micro-agent-overview.md
@@ -0,0 +1,45 @@
+
+ Title: Standalone micro agent overview (Preview)
+
+description: The Azure Defender for IoT security agents allows you to build security directly into your new IoT devices and Azure IoT projects.
+++ Last updated : 1/19/2021++++
+# Standalone micro agent overview (Preview)
+
+Security is a near-universal concern for IoT implementers. IoT devices have unique needs for endpoint monitoring, security posture management, and threat detection ΓÇô all with highly specific performance requirements.
+
+The Azure Defender for IoT security agents allows you to build security directly into your new IoT devices and Azure IoT projects. The micro agent has flexible deployment options, including the ability to deploy as a binary package or modify source code. And the micro agent is available for standard IoT operating systems like Linux and Azure RTOS.
+
+The Azure Defender for IoT micro agent provides endpoint visibility into security posture management, threat detection, and integration into Microsoft's other security tools for unified security management.
+
+## Security posture management
+
+Proactively monitor the security posture of your IoT devices. Azure Defender for IoT provides security posture recommendations based on the CIS benchmark, along with device-specific recommendations. Get visibility into operating system security, including OS configuration, firewall configuration, and permissions.
+
+## Endpoint IoT and OT threat detection
+
+Detect threats like botnets, brute force attempts, crypto miners, and suspicious network activity. Create custom alerts to target the most important threats in your unique organization.
+
+## Flexible distribution and deployment models
+
+The Azure Defender for IoT micro agent includes source code, allowing you to incorporate the micro agent into firmware, or customize it to include only what you need. Micro agent is also available as a binary package, or integrated directly into other Azure IoT solutions.
+
+## Meets the needs of your IoT devices, with minimal impact
+
+The Azure Defender for IoT micro agent is easy to deploy, and has minimal performance impact on the endpoint. With Defender for IoT micro agent you can:
+
+- **Optimize for performance**: The Azure Defender for IoT micro agent has a small footprint and low CPU consumption.
+
+- **Plug and Play**: There are no specific OS kernel dependencies, or support necessary for all major IoT operating systems. Azure Defender for IoT micro agent meets your devices where they are.
+
+- **Flexible deployment**: As a standalone agent, Azure Defender for IoTΓÇÖs micro agent supports different distribution models and flexible deployment.
+
+## Next steps
+
+Check your [Micro agent authentication methods (Preview)](concept-security-agent-authentication.md).
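Review bot: subject-verb agreement in the description and in the second paragraph: "The Azure Defender for IoT security agents allows you" should be "allow you" (or "security agent allows"). In the "Plug and Play" bullet, "There are no specific OS kernel dependencies, or support necessary for all major IoT operating systems" does not say what is meant; suggest "The micro agent has no specific OS kernel dependencies and is supported on all major IoT operating systems."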
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/edge-security-module-deprecation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/edge-security-module-deprecation.md
@@ -0,0 +1,41 @@
+
+ Title: Feature support and retirement
+
+description: Defender for IoT will continue to support C, C#, and Edge until March 1, 2022.
+++ Last updated : 1/21/2021++++
+# Feature support and retirement
+
+This article describes Azure Defender for IoT features and support for different capabilities within Defender for IoT.
+
+## Defender for IoT C, C#, and Edge security module deprecation
+
+The new micro agent will replace the current C, C#, and Edge security module.ΓÇ»
+
+The new micro agent is based on the knowledge, and experience gathered from the exiting security module development, customers, and partners feedback with four important improvements:
+
+- **Depth security value**: The new agent will run on the host level, which will provide more visibility to the underlying operations of the device, and to allow for better security coverage.
+
+- **Improved device performance and reduced footprint**: Achieved by a small RAM, and ROM memory footprint as well as low CPU consumption. 
+
+- **Plug and play**: The new micro agent has no kernel level dependencies anymore, and all of its software dependencies are provided as part of its package. The micro agent supports common CPU architecture.
+
+- **Easy to deploy**: The micro agent supports different distribution models, through source code, and as a binary package.
+
+### Timeline
+
+Defender for IoT will continue to support C, C#, and Edge until March 1, 2022.
+
+## Micro agent preview support
+
+During the preview the micro agent may experience breaking changes without notice.
+
+## Next steps
+
+Check out [Defender for IoT sensor and management console APIs](references-work-with-defender-for-iot-apis.md).
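Review bot: "exiting security module development" should be "existing", and "customers, and partners feedback" should be "customer and partner feedback". The bullet "Depth security value" reads oddly; "Deeper security coverage" matches the sentence that follows. "supports common CPU architecture" should be plural ("architectures"). In "Timeline", "support C, C#, and Edge" should name what these are, for example "the C, C#, and Edge security modules", so the sentence is self-contained.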
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/event-aggregation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/event-aggregation.md
@@ -1,10 +1,10 @@
Title: Event aggregation
+ Title: Security module classic event aggregation
description: Learn about Defender for IoT event aggregation. documentationcenter: na-+ editor: ''
@@ -12,15 +12,15 @@ ms.devlang: na
na Previously updated : 12/03/2020- Last updated : 1/20/2021+
-# Defender for IoT event aggregation
+# Security module classic event aggregation
-Defender for IoT security agents collect data and system events from your local device and send this data to the Azure cloud for processing and analytics. The security agent collects many types of device events including new process and new connection events. Both new process and new connection events may legitimately occur frequently on a device within a second, and while important for robust and comprehensive security, the number of messages security agents are forced to send may quickly reach or exceed your IoT Hub quota and cost limits. However, these events contain highly valuable security information that is crucial to protecting your device.
+Defender for IoT security agents collects data and system events from your local device and send this data to the Azure cloud for processing and analytics. The security agent collects many types of device events including new process and new connection events. Both new process and new connection events may legitimately occur frequently on a device within a second, and while important for robust and comprehensive security, the number of messages security agents are forced to send may quickly reach or exceed your IoT Hub quota and cost limits. However, these events contain highly valuable security information that is crucial to protecting your device.
-To reduce the additional quota and costs while keeping your devices protected, Defender for IoT Agents aggregate these types of events.
+To reduce the extra quota, and costs while keeping your devices protected, Defender for IoT Agents aggregates these types of events.
Event aggregation is **On** by default, and although not recommended, can be manually turned **Off** at any time.
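Review bot: the changed first line introduces a subject-verb error: "Defender for IoT security agents collects data ... and send this data" should be either "agents collect ... and send" or "agent collects ... and sends". In the second changed line, "To reduce the extra quota, and costs" has a stray comma and "Defender for IoT Agents aggregates" should be "agents aggregate".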
@@ -41,7 +41,7 @@ To reduce the memory footprint of the agent, whenever the agent collects an iden
Events are considered identical only when the following conditions are met: * ProcessCreate events - when **commandLine**, **executable**, **username**, and **userid** are identical
-* ConnectionCreate events - when **commandLine**, **userId**, **direction**, **local address**, **remote address**, **protocol, and **destination port** are identical
+* ConnectionCreate events - when **commandLine**, **userId**, **direction**, **local address**, **remote address**, **protocol**, and **destination port** are identical.
* ProcessTerminate events - when **executable** and **exit status** are identical ### Working with aggregated events
@@ -51,7 +51,7 @@ During aggregation, event properties that are not aggregated are discarded, and
* ProcessCreate events - **processId**, and **parentProcessId** are set to 0 * ConnectionCreate events - **processId**, and **source port** are set to 0
-## Event aggregation based alerts
+## Event aggregation-based alerts
After analysis, Defender for IoT creates security alerts for suspicious aggregated events. Alerts created from aggregated events appear only once for each aggregated event.
@@ -66,11 +66,11 @@ Make changes to the configuration of Defender for IoT event aggregation inside t
| Configuration name | Possible values | Details | Remarks | |:--|:|:--|:--| | aggregationEnabledProcessCreate | boolean | Enable / disable event aggregation for process create events |
-| aggregationIntervalProcessCreate | ISO8601 Timespan string | Aggregation interval for process create events |
+| aggregationIntervalProcessCreate | ISO8601 Timespan string | Aggregation interval for process creates events |
| aggregationEnabledConnectionCreate | boolean| Enable / disable event aggregation for connection create events |
-| aggregationIntervalConnectionCreate | ISO8601 Timespan string | Aggregation interval for connection create events |
+| aggregationIntervalConnectionCreate | ISO8601 Timespan string | Aggregation interval for connection creates events |
| aggregationEnabledProcessTerminate | boolean | Enable / disable event aggregation for process terminate events | Windows only|
-| aggregationIntervalProcessTerminate | ISO8601 Timespan string | Aggregation interval for process terminate events | Windows only|
+| aggregationIntervalProcessTerminate | ISO8601 Timespan string | Aggregation interval for process terminates events | Windows only|
| ## Default configurations settings
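Review bot: the three changed rows turn correct wording into incorrect wording: "process creates events", "connection creates events" and "process terminates events" should remain "process create events", "connection create events" and "process terminate events", since they name the ProcessCreate, ConnectionCreate and ProcessTerminate event types defined earlier in the article. Suggest reverting these three lines.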
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-activate-and-set-up-your-sensor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-activate-and-set-up-your-sensor.md
@@ -199,7 +199,7 @@ You access console tools from the side menu.
| Window | Icon | Description | |||| | Users | :::image type="icon" source="media/concept-sensor-console-overview/users-icon-azure.png" border="false"::: | Define users and roles with various access levels. |
-| Forwarding | :::image type="icon" source="medi) for details. |
+| Forwarding | :::image type="icon" source="medi) for details. |
| System settings | :::image type="icon" source="media/concept-sensor-console-overview/system-settings-icon-azure.png" border="false"::: | Configure the system settings. For example, define DHCP settings, provide mail server details, or create port aliases. | | Import settings | :::image type="icon" source="medi) for details. |
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-azure-rtos-security-module https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-azure-rtos-security-module.md
@@ -69,7 +69,7 @@ The Security Module for Azure RTOS supports specific security alerts and recomme
## Log Analytics (optional)
-While optional and not required, enabling and configuring Log Analytics can be helpful when you wish to further investigate device events and activities. Read about how to setting up and use [Log Analytics with the Defender for IoT service](how-to-security-data-access.md#log-analytics) to learn more.
+While optional and not required, enabling and configuring Log Analytics can be helpful when you wish to further investigate device events and activities. Read about how to setup and use [Log Analytics with the Defender for IoT service](how-to-security-data-access.md#log-analytics) to learn more.
## Next steps
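Review bot: "how to setup and use" should be "how to set up and use" (verb form); the original "how to setting up" was also wrong, so the fix is "set up", not "setup". "While optional and not required" is redundant; "While optional" is enough.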
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-configure-agent-based-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-configure-agent-based-solution.md
@@ -0,0 +1,97 @@
+
+ Title: Configure Azure Defender for IoT agent-based solution
+description: Learn how to configure data collection in Azure Defender for IoT agent-based solution
+++ Last updated : 1/21/2021++++
+# Configure Azure Defender for IoT agent-based solution
+
+This article describes how to configure data collection in Azure Defender for IoT agent-based solution.
+
+## Configure data collection
+
+To configure data collection in Azure Defender for IoT agent-based solution:
+
+1. Navigate to the Azure portal, and select the IoT Hub that the Defender for IoT is attached to
+
+1. Under the **Security** menu, select **Settings**.
+
+1. SelectΓÇ»**Data Collection**.
+
+ :::image type="content" source="media/how-to-configure-agent-based-solution/data-collection.png" alt-text="Select data collection from the security menu settings.":::
+
+## Geolocation and IP address handling
+
+In order to secure your IoT solution, the IP addresses of the incoming, and outgoing connections for your IoT devices, IoT Edge, and IoT Hub(s) are collected and stored by default. This information is essential, and used to detect abnormal connectivity from suspicious IP address sources. For example, when there are attempts made that try to establish connections from an IP address source of a known botnet, or from an IP address source outside your geolocation. The Defender for IoT service, offers the flexibility to enable and disable the collection of the IP address data at any time.
+
+To enable, or disable the collection of IP address data:
+
+1. Open your IoT Hub, and then select **Settings** from the **Security** menu.
+
+1. Select the **Data Collection** screen and modify the geolocation, and IP address handling settings to suit your needs.
+
+## Log Analytics creation
+
+Defender for IoT allows you to store security alerts, recommendations, and raw security data, in your Log Analytics workspace. Log Analytics ingestion in IoT Hub is set to **off** by default in the Defender for IoT solution. It is possible, to attach Defender for IoT to a Log Analytic workspace, and to store the security data there as well.
+
+There are two types of information stored by default in your Log Analytics workspace by Defender for IoT:
+ΓÇ»
+- Security alerts.
+
+- Recommendations.
+
+You can choose to add storage of an additional information type as `raw events`.
+
+> [!Note]
+> Storing `raw events` in Log Analytics carries additional storage costs.
+
+To enable Log Analytics to work with micro agent:
+
+1. Navigate to **Workspace configuration** > **Data Collection**, and switch the toggle toΓÇ»**On**.
+
+1. Create a new Log Analytics workspace, or attach an existing one.
+
+1. Verify that the **Access to raw security data** option is selected.
+
+ :::image type="content" source="media/how-to-configure-agent-based-solution/data-settings.png" alt-text="Ensure Access to raw security data is selected.":::
+
+1. SelectΓÇ»**Save**.
+
+Every month, the first 5 gigabytes of data ingested, per customer to the Azure Log Analytics service, is free. Every gigabyte of data ingested into your Azure Log Analytics workspace, is retained at no charge for the first 31 days. For more information on pricing, see, [Log Analytics pricing](https://azure.microsoft.com/pricing/details/monitor/).
+
+To change the workspace configuration of Log Analytics:
+
+1. In your IoT Hub, in the **Security** menu, selectΓÇ»**Settings**.
+
+1. Select the **Data Collection** screen, and modify the workspace configuration of Log Analytics settings to suit your needs.
+
+To access your alerts in your Log Analytics workspace after configuration:
+
+1. Select an alert in Defender for IoT.
+
+1. Select **Investigate alerts in Log Analytics workspace**.
+
+To access your alerts in your Log Analytics workspace after configuration:
+
+1. Select a recommendation in Defender for IoT.
+
+1. Select **Investigate recommendations in Log Analytics workspace**.
+
+For more information on querying data from Log Analytics, seeΓÇ»[Get started with queries in Log Analytics](../azure-monitor/log-query/get-started-queries.md).
+
+## Turn off Defender for IoT
+
+To turn a Defender for IoT service on, or off on a specific IoT Hub:
+
+1. In your IoT Hub, in the **Security** menu, selectΓÇ»**Settings**.
+
+1. Select the **Data Collection** screen, and modify the workspace configuration of Log Analytics settings to suit your needs.
+
+## Next steps
+
+Advance to the next article to [configure your solution](quickstart-configure-your-solution.md).
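Review bot: the "Turn off Defender for IoT" section says "To turn a Defender for IoT service on, or off" but its two steps only repeat the Log Analytics workspace-configuration steps from the section above; they never say which toggle turns the service off. Second, the heading "To access your alerts in your Log Analytics workspace after configuration" appears twice; the second occurrence precedes recommendation steps and should read "To access your recommendations". Third, "Log Analytics ingestion in IoT Hub is set to off by default" is followed by "There are two types of information stored by default in your Log Analytics workspace", which contradicts it; say "once enabled". Smaller points: "a Log Analytic workspace" should be "Log Analytics", "to work with micro agent" needs "the", and step 1 of "Configure data collection" lacks a period.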
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-customize-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-customize-solution.md
@@ -1,52 +0,0 @@
- Title: Customize settings
-description: This how to guide explains how to customize settings in your Defender for IoT solution.
-------- Previously updated : 09/06/2020---
-# Customize your Defender for IoT solution
-
-In this guide, learn how to customize different settings in Defender for IoT.
-
-> [!div class="checklist"]
-> * Configure solution recommendations
-> * Change settings
-
-## Configure solution recommendations
-
-To configure your Defender for IoT solution recommendations, do the following:
-
-1. Open your **IoT Hub** in Azure portal.
-1. Select and open **Settings** under **Security** in the left menu.
-1. Under **Settings**, select **Recommended Configurations**.
-1. Disable/enable the solution recommendations relevant for your organization and workflows.
-
-## Change settings
-
-Manage your Defender for IoT setting:
-
-To configure your Defender for IoT settings, do the following:
-
-1. Open your **IoT Hub** in Azure portal.
-1. From the left menu under **Security**, select and open **Settings**.
-1. Under **Data Collection****, select the solution setting you'd like to change.
-1. Remember to always click **Save** at the top of any setting screen to save your setting changes.
-
-## Next steps
--- Defender for IoT service [Overview](overview.md)-- Learn how to [Access your security data](how-to-security-data-access.md)-- Learn more about [Investigating a device](how-to-investigate-device.md)
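Review bot: deleting how-to-customize-solution.md needs a redirect entry for its published URL and removal of any inbound links; neither appears in this patch. The "Change settings" procedure it contained (IoT Hub > Security > Settings > Data Collection) now lives in how-to-configure-agent-based-solution.md, which is the natural redirect target.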
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-investigate-cis-benchmark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-investigate-cis-benchmark.md
@@ -0,0 +1,144 @@
+
+ Title: Investigate CIS benchmark recommendation
+
+description: Perform basic and advanced investigations based on OS baseline recommendations.
+++ Last updated : 1/21/2021++++
+# Investigate OS baseline (based on CIS benchmark) recommendation
+
+Perform basic and advanced investigations based on OS baseline recommendations.
+
+## Basic OS baseline security recommendation investigation
+
+You can investigate OS baseline recommendations by navigating to your Azure Defender for IoT portal, under the **IoT Hub**. For more information, see how to [Investigate security recommendations](quickstart-investigate-security-recommendations.md).
+
+## Advanced OS baseline security recommendation investigation
+
+This section describes how to better understand the OS baseline test results, and querying events in Azure Log Analytics.
+
+The advanced OS baseline security recommendation investigation is only supported by using log analytics. Connect Defender for IoT to a Log Analytics workspace before continuing. For more information on advanced OS baseline security recommendations, see how to [Configure Azure Defender for IoT agent-based solution](how-to-configure-agent-based-solution.md).
+
+To query your IoT security events in Log Analytics for alerts:
+
+1. Navigate to the **Alerts** page.
+
+1. Select **Investigate recommendations in Log Analytics workspace**.
+
+To query your IoT security events in Log Analytics for recommendations:
+
+1. Navigate to the **Recommendations** page.
+
+1. Select **Investigate recommendations in Log Analytics workspace**.
+
+1. Select **Show Operation system (OS) baseline rules details** from the **Recommendation details** quick view page to see the details of a specific device.
+
+ :::image type="content" source="media/how-to-investigate-cis-benchmark/recommendation-details.png" alt-text="See the details of a specific device.":::
+
+To query your IoT security events in Log Analytics workspace directly:
+
+1. Navigate to the **Logs** page.
+
+ :::image type="content" source="media/how-to-investigate-cis-benchmark/logs.png" alt-text="Select logs from the left side pane.":::
+
+1. Select **Investigate the alerts** or, select the **Investigate the alerts in Log Analytics** option from any security recommendation, or alert.
+
+## Useful queries to investigate the OS baseline resources:
+
+> [!Note]
+> Make sure to Replace `<device-id>` with the name(s) you gave your device in each of the following queries.
++
+### Retrieve the latest information
+
+- **Device fleet failure**: Run the following query to retrieve the latest information about checks that failed across the device fleet:
+
+ ```azurecli
+ let lastDates = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ summarize TimeStamp=max(TimeStamp) by DeviceId;
+
+ lastDates | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "FAIL" |
+
+ project DeviceId, event.CceId, event.Description
+ ```
+
+- **Specific device failure** - Run the following query to retrieve the latest information about checks that failed on a specific device:
+
+ ```azurecli
+ let LastEvents = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ where DeviceId == "<device-id>" |
+
+ top 1 by TimeStamp desc |
+
+ project IoTRawEventId;
+
+ LastEvents | join kind=leftouter SecurityIoTRawEvent on IoTRawEventId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "FAIL" |
+
+ project DeviceId, event.CceId, event.Description
+ ```
+
+- **Specific device error** - Run this query to retrieve the latest information about checks that have an error on a specific device:
+
+ ```azurecli
+ let LastEvents = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ where DeviceId == "<device-id>" |
+
+ top 1 by TimeStamp desc |
+
+ project IoTRawEventId;
+
+ LastEvents | join kind=leftouter SecurityIoTRawEvent on IoTRawEventId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "ERROR" |
+
+ project DeviceId, event.CceId, event.Description
+ ```
+
+- **Update device list for device fleet that failed a specific check** - Run this query to retrieve updated list of devices (across the device fleet) that failed a specific check: 
+
+ ```azurecli
+ let lastDates = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ summarize TimeStamp=max(TimeStamp) by DeviceId;
+
+ lastDates | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "FAIL" |
+
+ where event.CceId contains "6.2.8" |
+
+ project DeviceId;
+ ```
+
+## Next steps
+
+[Investigate security recommendations](quickstart-investigate-security-recommendations.md).
+
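Review bot: the four query blocks are fenced as ```azurecli but contain Kusto queries, so they should be tagged ```kusto for correct highlighting. As pasted, each piped clause is separated by a blank line; the Log Analytics query editor treats a blank line as a query separator, so the queries will not run as written. Remove the blank lines between clauses. Also: under "To query your IoT security events in Log Analytics for alerts", step 2 says "Investigate recommendations in Log Analytics workspace" where "Investigate alerts" is meant; "Show Operation system (OS) baseline rules details" should be "Operating system"; the stray "+" line before "### Retrieve the latest information" is a leftover; "Make sure to Replace" should be lowercase "replace"; and the heading "Useful queries to investigate the OS baseline resources:" should not end with a colon.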
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/iot-security-azure-rtos https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/iot-security-azure-rtos.md
@@ -5,7 +5,7 @@ description: Learn more about the security module for Azure RTOS support and imp
documentationcenter: na-+ editor: ''
@@ -14,18 +14,18 @@ ms.devlang: na
na Previously updated : 09/07/2020- Last updated : 01/14/2021+ # Overview: Defender for IoT security module for Azure RTOS (preview)
-The Azure Defender for IoT security module provides a comprehensive security solution for devices that use Azure RTOS. It provides coverage for common threats and potential malicious activities on real-time operating system (RTOS) devices. Azure RTOS now ships with the Azure IoT security module built in.
+The Azure Defender for IoT micro module provides a comprehensive security solution for devices that use Azure RTOS. It provides coverage for common threats and potential malicious activities on real-time operating system (RTOS) devices. Azure RTOS now ships with the Azure IoT security module built in.
:::image type="content" source="./media/architecture/azure-rtos-security-monitoring.png" alt-text="Visualization of Defender for IoT Azure RTOS.":::
-The security module for Azure RTOS offers the following features:
+The micro module for Azure RTOS offers the following features:
- Malicious network activity detection - Custom alert-based device behavior baselining
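Review bot: terminology is now inconsistent within the same paragraph: the text changes "security module" to "micro module" in two places, but the heading still says "security module for Azure RTOS" and the next sentence still says "Azure RTOS now ships with the Azure IoT security module built in". Pick one term (the rest of this patch uses "micro agent") and apply it throughout the article.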
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/overview-security-agents https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/overview-security-agents.md
@@ -1,6 +1,6 @@
Title: Security agent overview
-description: Get started with understanding, configuring, deploying and using Azure Defender for IoT security service agents on your IoT devices.
+ Title: Security agents
+description: Get started with understanding, configuring, deploying, and using Azure Defender for IoT security service agents on your IoT devices.
documentationcenter: na
@@ -13,28 +13,31 @@ ms.devlang: na
na Previously updated : 12/27/2019 Last updated : 1/24/2021
-# Get started with Azure Defender for IoT device security agents
+# Get started with Azure Defender for IoT device micro agents
-Defender for IoT security agents offer enhanced security capabilities, such as monitoring remote connections, active applications, login events, and operating system configuration best practices. Take control of your device field threat protection and security posture with a single service.
+Defender for IoT security agents offers enhanced security capabilities, such as monitoring operating system configuration best practices. Take control of your device field threat protection and security posture with a single service.
-Reference architecture for Linux and Windows security agents, both in C# and C are provided.
-
-The Defender for IoT security agents handle raw event collection from the device operating system, event aggregation to reduce cost, and configuration through a device module twin. Security messages are sent through your IoT Hub, into Defender for IoT analytics services.
+The Defenders for IoT security agents handle raw event collection from the device operating system, event aggregation to reduce cost, and configuration through a device module twin. Security messages are sent through your IoT Hub, into Defender for IoT analytics services.
Use the following workflow to deploy and test your Defender for IoT security agents:
-1. [Enable Defender for IoT service to your IoT Hub](quickstart-onboard-iot-hub.md)
+1. [Enable Defender for IoT service to your IoT Hub](quickstart-onboard-iot-hub.md).
+ 1. If your IoT Hub has no registered devices, [Register a new device](../iot-accelerators/iot-accelerators-device-simulation-overview.md).
-1. [Create an azureiotsecurity security module](quickstart-create-security-twin.md) for your devices.
+
+1. [Create an DefenderIotMicroAgent module twin](quickstart-create-micro-agent-module-twin.md) for your devices.
+ 1. To install the agent on an Azure simulated device instead of installing on an actual device, [spin up a new Azure Virtual Machine (VM)](../virtual-machines/linux/quick-create-portal.md) in an available zone.
-1. [Deploy an Defender for IoT security agent](how-to-deploy-linux-cs.md) on your IoT device, or new VM.
-1. Follow the instructions for [trigger_events](https://aka.ms/iot-security-github-trigger-events) to run a harmless simulation of an attack.
-1. Verify Defender for IoT alerts in response to the simulated attack in the previous step. Begin verification five minutes after running the script.
-1. Explore [alerts](concept-security-alerts.md), [recommendations](concept-recommendations.md), and [deep dive using Log Analytics](how-to-security-data-access.md) using IoT Hub.
+
+1. [Deploy a Defender for IoT security agent](how-to-deploy-linux-cs.md) on your IoT device, or new VM.
+
+1. Follow the instructions for [trigger_events](https://aka.ms/iot-security-github-trigger-events) to run an OS baseline event.
+
+1. Verify Defender for IoT recommendations in response to the simulated OS baseline check failure in the previous step. Begin verification 30 minutes after running the script.
## Next steps
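Review bot: the deploy step still links how-to-deploy-linux-cs.md (the C# security agent) while the heading is now "device micro agents" and step 3 creates a DefenderIotMicroAgent module twin; check that the link target matches the micro agent. Typos in the changed lines: "The Defenders for IoT security agents" should be "The Defender for IoT", "security agents offers" should be "offer", and "an DefenderIotMicroAgent module twin" should be "a DefenderIotMicroAgent module twin".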
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-azure-rtos-security-module https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-azure-rtos-security-module.md
@@ -4,7 +4,7 @@ description: Learn how to onboard and enable the Security Module for Azure RTOS
documentationcenter: na-+ editor: ''
@@ -12,17 +12,14 @@ ms.devlang: na
na Previously updated : 09/24/2020- Last updated : 01/24/2021+ # Quickstart: Security Module for Azure RTOS (preview) This article provides an explanation of the prerequisites before getting started and explains how to enable the Security Module for Azure RTOS service on an IoT Hub. If you don't currently have an IoT Hub, see [Create an IoT Hub using the Azure portal](../iot-hub/iot-hub-create-through-portal.md) to get started.
-> [!NOTE]
-> Security Module for Azure RTOS is only supported in standard tier IoT Hubs.
- ## Prerequisites ### Supported devices
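Review bot: the removed note "Security Module for Azure RTOS is only supported in standard tier IoT Hubs" is a prerequisite readers need to know. If the restriction no longer applies, nothing in the patch says so; if it still applies, the note should move under "Prerequisites" rather than be dropped.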
@@ -42,28 +39,14 @@ The next stage for getting started is preparing your Azure resources. You'll nee
An IoT Hub connection is required to get started. 1. Open your **IoT Hub** in Azure portal.
+1. Navigate to **IoT Devices**.
+1. Select **Create**.
1. Copy the IoT connection string to the [configuration file](how-to-azure-rtos-security-module.md). -
-The connections credentials are taken from the user application configuration **HOST_NAME**, **DEVICE_ID**,and **DEVICE_SYMMETRIC_KEY**.
+The connections credentials are taken from the user application configuration **HOST_NAME**, **DEVICE_ID**, and **DEVICE_SYMMETRIC_KEY**.
The Security Module for Azure RTOS uses Azure IoT Middleware connections based on the **MQTT** protocol. -
-### Log Analytics workspace
-
-Log Analytics ingestion in IoT Hub is off by default Defender for IoT solution. To enable it for working with Security Module for Azure RTOS, do the following:
-1. In the Azure portal, go to your IoT Hub.
-1. Select **Settings** under the **Security** menu.
- :::image type="content" source="media/quickstart/azure-rtos-hub-settings.png" alt-text="Access data collection option for Azure RTOS":::
-1. Select **Data Collection**.
-1. From the **Workspace configuration** option, switch the toggle to **On**.
-1. Create a new Log Analytics workspace or attach an existing one. Make sure the **Access to raw security data** option is selected.
- :::image type="content" source="media/quickstart/azure-rtos-data-collection-on.png" alt-text="Azure RTOS configuration showing data collection option and raw security data options both selected":::
-1. Select **Save**
-1. Return to your Azure resources list and confirm you see the Log Analytics Workspace you created or attached is enabled for the IoT Hub.
- :::image type="content" source="media/quickstart/verify-azure-resource-list.png" alt-text="Check your Azure resource list to confirm the addition of the correct Log Analytics Workspace added for an IoT Hub":::
- ## Next steps Advance to the next article to finish configuring and customizing your solution.
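Review bot: The new steps "Navigate to **IoT Devices**" and "Select **Create**" lead straight into "Copy the IoT connection string", but nothing in between tells the reader to name and save the new device identity, which is what produces the connection string to copy; add that step. The hunk also deletes the whole "Log Analytics workspace" section, including the "Access to raw security data" toggle, with no pointer to where that procedure now lives, so readers who need raw security data for the Azure RTOS module lose the only instructions for enabling it. Since **DEVICE_SYMMETRIC_KEY** is a device credential that the text tells readers to place in the application configuration, one sentence reminding them to keep that configuration out of source control would fit here. Minor: "The connections credentials" should read "The connection credentials".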
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-building-the-defender-micro-agent-from-source https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-building-the-defender-micro-agent-from-source.md
@@ -0,0 +1,106 @@
+
+ Title: Build the Defender micro agent from source code (Preview)
+
+description: Micro Agent includes an infrastructure, which can be used to customize your distribution.
+++ Last updated : 1/18/2021++++
+# Build the Defender micro agent from source code
+
+The Micro Agent includes an infrastructure, which can be used to customize your distribution. To see a list of the available configuration parameters look at the `configs/LINUX_BASE.conf` file.
+
+For a single distribution, modify the base `.conf` file.
+
+If you require more than one distribution, you can inherit from the base configuration and override its values.
+
+To override the values:
+
+1. Create a new `.dist` file.
+
+1. Add `CONF_DEFINE_BASE(${g_plat_config_path} LINUX_BASE.conf)` to the top.
+
+1. Define new values to whatever you require, example:
+
+ `set(ASC_LOW_PRIORITY_INTERVAL 60*60*24)`
+
+1. Give the `.dist` file a reference when building. For example,
+
+ `cmake -DCMAKE_BUILD_TYPE=Debug -Dlog_level=DEBUG -Dlog_level_cmdline:BOOL=ON -DIOT_SECURITY_MODULE_DIST_TARGET=UBUNTU1804 ..`
+
+## Baseline Configuration signing
+
+The agent verifies the authenticity of configuration files that are placed on the disk to mitigate tampering, by default.
+
+You can stop this process by defining the preprocessor flag `ASC_BASELINE_CONF_SIGN_CHECK_DISABLE`.
+
+We don't recommend turning off the signature check for production environments.
+
+If you require a different configuration for production scenarios, contact the Defender for IoT team.
+
+## Prerequisites
+
+1. Contact your account manager to ask for access to Defender for IoT source code.
+
+1. Clone, or extract the source code to a folder on the disk.
+
+1. Navigate into that directory.
+
+1. Pull the submodules using the following code:
+
+ ```bash
+ git submodule update --init
+ ```
+
+1. Next, pull the submodules for the Azure IoT SDK with the following code:
+
+ ```bash
+ git -C deps/azure-iot-sdk-c/ submodule update ΓÇôinit
+ ```
+
+
+1. Add an execution permission, and run the developer environment setup script:
+
+ ```bash
+ chmod +x scripts/install_development_environment.sh && ./scripts/install_development_environment.sh
+ ```
+
+1. Create a directory for the build outputs:
+
+ ```bash
+ mkdir cmake
+ ```
+
+1. (Optional) Download and install [VSCode](https://code.visualstudio.com/download )
+
+1. (Optional) Install the [C/C++ extension](https://code.visualstudio.com/docs/languages/cpp ) for VSCode.
+
+## Building the Defender IoT Micro Agent
+
+1. Open the directory with VSCode
+
+1. Navigate to the `cmake` directory.
+
+1. Run the following command:
+
+ ```bash
+ cmake -DCMAKE_BUILD_TYPE=Debug -Dlog_level=DEBUG -Dlog_level_cmdline:BOOL=ON -DIOT_SECURITY_MODULE_DIST_TARGET<the appropriate distro configuration file name> ..
+
+ cmake --build . -- -j${env:NPROC}
+ ```
+
+ For example:
+
+ ```bash
+ cmake -DCMAKE_BUILD_TYPE=Debug -Dlog_level=DEBUG -Dlog_level_cmdline:BOOL=ON -DIOT_SECURITY_MODULE_DIST_TARGETUBUNTU1804 ..
+
+ cmake --build . -- -j${env:NPROC}
+ ```
+
+## Next steps
+
+[Configure your Azure Defender for IoT solution](quickstart-configure-your-solution.md).
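Review bot: Three of the commands in this new article fail as written. In the Azure IoT SDK submodule step, `git -C deps/azure-iot-sdk-c/ submodule update ΓÇôinit` has a mis-encoded dash where the `--init` option (used correctly in the step before it) belongs; in the build section, both `-DIOT_SECURITY_MODULE_DIST_TARGET<the appropriate distro configuration file name>` and `-DIOT_SECURITY_MODULE_DIST_TARGETUBUNTU1804` are missing the `=` that the earlier example `-DIOT_SECURITY_MODULE_DIST_TARGET=UBUNTU1804` shows; and `-j${env:NPROC}` is PowerShell syntax inside a `bash` fence, where `-j$(nproc)` is what will resolve. The "Prerequisites" section (source access, submodules, environment setup) also comes after the configuration and signing sections that assume the source tree is already present; moving it first matches the order a reader needs. The signing section gives the right default (leave `ASC_BASELINE_CONF_SIGN_CHECK_DISABLE` undefined in production) but does not say what the agent does when verification of a configuration file fails, which readers customizing a distribution need to know.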
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-configure-your-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-configure-your-solution.md
@@ -1,10 +1,10 @@
Title: "Quickstart: Configure your solution"
+ Title: Add Azure resources to your IoT solution
description: In this quickstart, learn how to configure your end-to-end IoT solution using Azure Defender for IoT. documentationcenter: na-+ editor: ''
@@ -12,8 +12,8 @@ ms.devlang: na
na Previously updated : 09/06/2020- Last updated : 01/25/2021+ # Quickstart: Configure your Azure Defender for IoT solution
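Review bot: The H1 "# Quickstart: Configure your Azure Defender for IoT solution" and the description "In this quickstart, learn how to configure..." (hunk above) are left unchanged while the Title metadata becomes "Add Azure resources to your IoT solution"; align all three, as the custom-alerts article in this same change set does by renaming its H1 to match its new title.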
@@ -24,7 +24,7 @@ This article provides an explanation of how to perform initial configuration of
Defender for IoT provides comprehensive end-to-end security for Azure-based IoT solutions.
-With Defender for IoT, you can monitor your entire IoT solution in one dashboard, surfacing all of your IoT devices, IoT platforms and back-end resources in Azure.
+With Defender for IoT, you can monitor your entire IoT solution in one dashboard, surfacing all of your IoT devices, IoT platforms, and back-end resources in Azure.
Once enabled on your IoT Hub, Defender for IoT automatically identifies other Azure services, also connected to your IoT Hub and related to your IoT solution.
@@ -32,16 +32,19 @@ In addition to automatic relationship detection, you can also pick and choose wh
Your selections allow you to add entire subscriptions, resource groups, or single resources.
-After defining all of the resource relationships, Defender for IoT leverages Defender to provide you security recommendations and alerts for these resources.
+After defining all of the resource relationships, Defender for IoT uses Defender to provide you security recommendations and alerts for these resources.
## Add Azure resources to your IoT solution
-To add new resource to your IoT solution, do the following:
+To add new resource to your IoT solution:
1. Open your **IoT Hub** in Azure portal.+ 1. Under **Security** select **Overview** followed by **Settings**, and then select **Monitored Resources**.+ 1. Select **Edit** and select the monitored resources that belong to your IoT solution.
-1. Click **Add**.
+
+1. Select **Add**.
Congratulations! You've added a new resource group to your IoT solution.
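Review bot: "To add new resource to your IoT solution:" is missing an article in both the old and the new line ("To add a new resource"), and the closing "You've added a new resource group" does not match the steps, which let the reader add subscriptions, resource groups, or single resources; "You've added new resources" covers all three.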
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-create-custom-alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-create-custom-alerts.md
@@ -1,6 +1,6 @@
Title: "Quickstart: Create custom alerts"
-description: Understand, create and assign custom device alerts for the Azure Defender for IoT security service.
+ Title: Create custom alerts
+description: Understand, create, and assign custom device alerts for the Azure Defender for IoT security service.
documentationcenter: na
@@ -16,7 +16,7 @@ Last updated 09/04/2020
-# Quickstart: Create custom alerts
+# Create custom alerts
Using custom security groups and alerts, takes full advantage of the end-to-end security information and categorical device knowledge to ensure better security across your IoT solution.
@@ -61,17 +61,23 @@ Use security groups to group your devices into logical categories. After creatin
## Customize an alert
-1. Open your IoT Hub and select **Settings** from the **Security** menu.
-1. Click on **Custom alerts**.
+1. Open your IoT Hub and select **Settings** from the **Security** menu.
+
+1. Select on **Custom alerts**.
+ 1. Choose a security group you wish to apply the customization to.
-1. Click **Add a custom alert**.
+
+1. Select **Add a custom alert**.
+ 1. Select a custom alert from the dropdown list.
-1. Edit the required properties, click **OK**.
-1. Make sure to click **SAVE**. Without saving the new alert, the alert is deleted the next time you close IoT Hub.
+
+1. Edit the required properties, select **OK**.
+
+1. Make sure to select **SAVE**. Without saving the new alert, the alert is deleted the next time you close IoT Hub.
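Review bot: "Select on **Custom alerts**" is a mechanical Click-to-Select replacement that leaves a stray "on"; it should read "Select **Custom alerts**". The same pattern appears in the create-security-twin hunk later in this change set ("Select on your device", "double select it").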
## Alerts available for customization
-Defender for IoT offers a large number of alerts which can be customized according to your specific needs. Review the [customizable alert table](concept-customizable-security-alerts.md) for alert severity, data source, description and our suggested remediation steps if and when each alert is received.
+Defender for IoT offers a large number of alerts, which can be customized according to your specific needs. Review the [customizable alert table](concept-customizable-security-alerts.md) for alert severity, data source, description, and our suggested remediation steps if and when each alert is received.
## Next steps
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-create-micro-agent-module-twin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-create-micro-agent-module-twin.md
@@ -0,0 +1,73 @@
+
+ Title: Create a Defender Iot micro agent module twin (Preview)
+
+description: Learn how to create individual DefenderIotMicroAgent module twins for new devices.
+++ Last updated : 1/20/2021++++
+# Create a Defender Iot micro agent module twin (Preview)
+
+You can create individualΓÇ»**DefenderIotMicroAgent** module twins for new devices. You can also batch create module twins for all devices in an IoT Hub.
+
+## Device twins
+
+For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
+
+Defender for IoT has the ability to fully integrate with your existing IoT device management platform. Full integration, enables you to manage your device's security status, and allows you to make use of all existing device control capabilities. Integration is achieved by making use of the IoT Hub twin mechanism.
+
+Learn more about the concept of [device twins](../iot-hub/iot-hub-devguide-device-twins.md) in Azure IoT Hub.
+
+## Security module twins
+
+Defender for IoT uses a security module twin for each device. The security module twin holds all of the information that is relevant to device security, for each specific device in your solution. Device security properties are configured through a dedicated security module twin for safer communication, to enable updates, and maintenance that requires fewer resources.
+
+## Understanding DefenderIotMicroAgent module twins
+
+Device twins play a key role in both device management and process automation, for IoT solutions that are built in to Azure.
+
+Defender for IoT offers the capability to fully integrate your existing IoT device management platform, enabling you to manage your device security status and make use of the existing device control capabilities. You can integrate your Defender for IoT by using the IoT Hub twin mechanism.
+
+To learn more about the general concept of module twins in Azure IoT Hub, seeΓÇ»[IoT Hub module twins](../iot-hub/iot-hub-devguide-module-twins.md).
+
+Defender for IoT uses the module twin mechanism, and maintains a security module twin named `DefenderIotMicroAgent` for each of your devices.
+
+To take full advantage of all Defender for IoT feature's, you need to create, configure, and use the security module twins for every device in the service.
+
+## Create DefenderIotMicroAgent module twin
+
+**DefenderIotMicroAgent** module twins can be created by manually editing each module twin to include specific configurations for each device.
+
+To manually create a newΓÇ»**DefenderIotMicroAgent** module twin for a device:
+
+1. In your IoT Hub, locate and select the device on which to create a security module twin.
+
+1. SelectΓÇ»**Add module identity**.
+
+1. In the **Module Identity Name** field, and enter `DefenderIotMicroAgent`.
+
+1. SelectΓÇ»**Save**.
+
+## Verify the creation of a module twin
+
+To verify if a security module twin exists for a specific device:
+
+1. In your Azure IoT Hub, select **IoT devices** from the **Explorers** menu.
+
+1. Enter the device ID, or select an option in the **Query device** field and select **Query devices**. 
+
+ :::image type="content" source="media/quickstart-create-micro-agent-module-twin/iot-devices.png" alt-text="Select query devices to get a list of your devices.":::
+
+1. Select the device, and open the **Device details** page.
+
+1. Select the **Module identities** menu, and confirm the existence of the **DefenderIotMicroAgent** module in the list of module identities associated with the device. 
+
+ :::image type="content" source="media/quickstart-create-micro-agent-module-twin/device-details-module.png" alt-text="Select module identities from the tab.":::
+
+## Next steps
+
+Advance to the next article to learn how to [investigate security recommendations](quickstart-investigate-security-recommendations.md).
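Review bot: The sections "Device twins" and "Understanding DefenderIotMicroAgent module twins" in this new article say the same thing twice (the role of device twins in management and automation, integration through the IoT Hub twin mechanism, and the link to the twin concept docs); keep one of them. Smaller points in the same hunk: "Defender Iot" in the Title and H1 should be "Defender IoT"; the narrow no-break space rendered as "ΓÇ»" before **DefenderIotMicroAgent**, **Add module identity**, and **Save** should be a plain space; "In the **Module Identity Name** field, and enter" has a stray "and"; "feature's" should be "features"; and "built in to Azure" should be "built in Azure", as the earlier paragraph has it.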
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-create-security-twin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-create-security-twin.md
@@ -1,10 +1,10 @@
Title: "Quickstart: Create a security module twin"
+ Title: Create a security module twin
description: In this quickstart, learn how to create a Defender for IoT module twin for use with Azure Defender for IoT. documentationcenter: na-+ editor: ''
@@ -13,11 +13,11 @@ ms.devlang: na
na Previously updated : 11/08/2019- Last updated : 1/21/2021+
-# Quickstart: Create an azureiotsecurity module twin
+# Create an azureiotsecurity module twin
This quickstart explains how to create individual _azureiotsecurity_ module twins for new devices, or batch create module twins for all devices in an IoT Hub.
@@ -25,7 +25,7 @@ This quickstart explains how to create individual _azureiotsecurity_ module twin
For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
-Defender for IoT offers full integration with your existing IoT device management platform, enabling you to manage your device security status as well as make use of existing device control capabilities.
+Defender for IoT offers full integration with your existing IoT device management platform, enabling you to manage your device security status and make use of existing device control capabilities.
Defender for IoT integration is achieved by making use of the IoT Hub twin mechanism. See [IoT Hub module twins](../iot-hub/iot-hub-devguide-module-twins.md) to learn more about the general concept of module twins in Azure IoT Hub.
@@ -34,7 +34,7 @@ Defender for IoT makes use of the module twin mechanism and maintains a security
The security module twin holds all the information relevant to device security for each of your devices.
-To make full use of Defender for IoT features, you'll need to create, configure and use these security module twins for every device in the service.
+To make full use of Defender for IoT features, you'll need to create, configure, and use this security module twins for every device in the service.
## Create azureiotsecurity module twin
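Review bot: The edit changes "these security module twins" to "this security module twins", which introduces a number agreement error; keep "these".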
@@ -48,23 +48,30 @@ _azureiotsecurity_ module twins can be created in two ways:
See [agent configuration](how-to-agent-configuration.md) to learn how to modify or change the configuration of an existing module twin.
-To manually create a new _azureiotsecurity_ module twin for a device use the following instructions:
+To manually create a new _azureiotsecurity_ module twin for a device:
1. In your IoT Hub, locate and select the device you wish to create a security module twin for.
-1. Click on your device, and then on **Add module identity**.
+
+1. Select on your device, and then on **Add module identity**.
+ 1. In the **Module Identity Name** field, enter **azureiotsecurity**.
-1. Click **Save**.
+1. Select **Save**.
## Verify creation of a module twin To verify if a security module twin exists for a specific device: 1. In your Azure IoT Hub, select **IoT devices** from the **Explorers** menu.
-1. Enter the device ID, or select an option in the **Query device field** and click **Query devices**.
+
+1. Enter the device ID, or select an option in the **Query device field** and select **Query devices**.
+ :::image type="content" source="./media/quickstart/verify-security-module-twin.png" alt-text="Query devices":::
-1. Select the device or double click it to open the Device details page.
+
+1. Select the device or double select it to open the Device details page.
+ 1. Select the **Module identities** menu, and confirm existence of the **azureiotsecurity** module in the list of module identities associated with the device.+ :::image type="content" source="./media/quickstart/verify-security-module-twin-3.png" alt-text="Modules associated with a device"::: To learn more about customizing properties of Defender for IoT module twins, see [Agent configuration](how-to-agent-configuration.md).
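Review bot: "Select on your device, and then on **Add module identity**" and "double select it" are mechanical Click-to-Select replacements that do not read correctly; use "Select your device, and then select **Add module identity**" and "double-click it".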
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-investigate-security-recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-investigate-security-recommendations.md
@@ -1,10 +1,10 @@
Title: "Quickstart: Investigate security recommendations"
+ Title: Investigate security recommendations"
description: Investigate security recommendations with the Defender for IoT security service. documentationcenter: na-+ editor: ''
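Review bot: The new Title line `Investigate security recommendations"` keeps a trailing double quote from the old quoted value; remove it. The H1 in the next hunk still reads "Quickstart: Investigate security recommendations" while the title no longer says "Quickstart", which the other renamed articles in this change set reconcile.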
@@ -14,7 +14,7 @@
na Last updated 09/09/2020-+ # Quickstart: Investigate security recommendations
@@ -43,23 +43,20 @@ The IoT Hub recommendations list displays all of the aggregated security recomme
Open each aggregated recommendation to display the detailed recommendation description, remediation steps, device ID for each device that triggered a recommendation. It also displays recommendation severity and direct-investigation access using Log Analytics.
-1. Select and open any security recommendation from the **IoT Hub** \> **Security** \> **Recommendations** list.
+1. Select and open any security recommendation from the **IoT Hub** > **Security** > **Recommendations** list.
1. Review the recommendation **description**, **severity**, **device details** of all devices that issued this recommendation in the aggregation period. 1. After reviewing recommendation specifics, use the **manual remediation step** instructions to help remediate and resolve the issue that caused the recommendation.
- [ :::image type="content" source="media/quickstart/remediate-security-recommendations-expanded.png#lightbox" alt-text="Remediate security recommendations with ASC for IoT](media/quickstart/remediate-security-recommendations-inline.png)":::
-
+ :::image type="content" source="media/quickstart/remediate-security-recommendations-inline.png" alt-text="Remediate security recommendations with ASC for IoT" lightbox="media/quickstart/remediate-security-recommendations-expanded.png":::
1. Explore the recommendation details for a specific device by selecting the desired device in the drill-down page.
- [ :::image type="content" source="media/quickstart/explore-security-recommendation-detail-expanded.png#lightbox" alt-text="Investigate specific security recommendations for a device with ASC for IoT](media/quickstart/explore-security-recommendation-detail-inline.png)":::
-
+ :::image type="content" source="media/quickstart/explore-security-recommendation-detail-inline.png" alt-text="Investigate specific security recommendations for a device with ASC for IoT" lightbox="media/quickstart/explore-security-recommendation-detail-expanded.png":::
1. If further investigation is required, **Investigate the recommendation in Log Analytics** using the link. - ## Next steps Advance to the next article to learn how to create custom alerts...
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-iot-hub-integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-iot-hub-integration.md
@@ -1,37 +0,0 @@
- Title: Defender for IoT service without security agents
-description: Get started with the built-in workflow of the Defender for IoT service.
------- Previously updated : 12/14/2020---
-# Get started with built-in IoT Hub integration
-
-This option enables you to use the service without using Defender for IoT security agents.
-
-## Enable built-in IoT Hub integration
-
-To enable monitoring your device identity management, device to cloud, and cloud to device communication patterns, do the following to start the service:
-
-1. Open your **IoT Hub**.
-1. Select the **Security overview** menu.
-1. Click **Secure your IoT solution** and complete the onboarding form.
-
-Congratulations! You've completed enabling the Defender for IoT service on your IoT Hub.
-
-## Next steps
--- Configure your [solution](quickstart-configure-your-solution.md)-- [Create security modules](quickstart-create-security-twin.md)-- Configure [custom alerts](quickstart-create-custom-alerts.md)
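Review bot: Deleting quickstart-iot-hub-integration.md needs a redirect for the old URL, since inbound links are not visible in this patch and the page's own Next steps show it was part of the quickstart chain. The "Secure your IoT solution" onboarding steps it contained reappear in the onboard-iot-hub article later in this change set, so that article is the natural redirect target.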
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-onboard-iot-hub https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-onboard-iot-hub.md
@@ -1,10 +1,10 @@
Title: "Quickstart: Enable the service"
+ Title: Onboard to Defender for IoT agent-based solution
description: Learn how to onboard and enable the Defender for IoT security service in your Azure IoT Hub. documentationcenter: na-+ editor: ''
@@ -13,64 +13,57 @@ ms.devlang: na
na Previously updated : 09/06/2020- Last updated : 1/20/2021+
-# Quickstart: Onboard Azure Defender for IoT service in IoT Hub
+# Onboard to Defender for IoT agent-based solution
-This article provides an explanation of how to enable the Defender for IoT service on your existing IoT Hub. If you don't currently have an IoT Hub, see [Create an IoT Hub using the Azure portal](../iot-hub/iot-hub-create-through-portal.md) to get started.
+This article explains how to enable the Defender for IoT service on your existing IoT Hub. If you don't currently have an IoT Hub, see [Create an IoT Hub using the Azure portal](../iot-hub/iot-hub-create-through-portal.md) to get started.
-> [!NOTE]
-> Defender for IoT currently only supports standard tier IoT Hubs.
+You can manage your IoT security through the IoT Hub in Defender for IoT. The management portal located in the IoT Hub allows you to do the following:
+
+- Manage IoT Hub security.
-## Prerequisites for enabling the service
+- Basic management of an IoT device's security without installing an agent based on the IoT Hub telemetry.
-- Log Analytics workspace
- - Two types of information are stored by default in your Log Analytics workspace by Defender for IoT; **security alerts** and **recommendations**.
- - You can choose to add storage of an additional information type, **raw events**. Note that storing **raw events** in Log Analytics carries additional storage costs.
-- IoT Hub (standard tier)-- Meet all [System prerequisites](quickstart-system-prerequisites.md).
+- Advanced management for the security of an IoT device based on the micro agent.
-## Enable Defender for IoT on your IoT Hub
+> [!NOTE]
+> Defender for IoT currently only supports standard tier IoT Hubs.
-To enable security on your IoT Hub:
+## Onboard to Defender for IoT in IoT Hub
-1. Open your **IoT Hub** in Azure portal.
-1. Under the **Security** menu, click **Secure your IoT solution**.
+For all new IoT hubs, Defender for IoT is set to **On** by default. You can verify that Defender for IoT is toggled to **On** during the IoT Hub creation process.
-Congratulations! You've completed enabling Defender for IoT on your IoT Hub.
+To verify the toggle is set to **On**:
-### Geolocation and IP address handling
+1. Navigate to the Azure portal.
-To secure your IoT solution, IP addresses of incoming and outgoing connections to and from your IoT devices, IoT Edge, and IoT Hub(s) are collected and stored by default. This information is essential to detect abnormal connectivity from suspicious IP sources. For example, when attempts are made to establish connections from an IP source of a known botnet or from an IP source outside your geolocation. Defender for IoT service offers the flexibility to enable and disable collection of IP address data at any time.
+1. Select **IoT Hub** from the list of Azure services.
-To enable or disable collection of IP address data:
+1. Select **Create**.
-1. Open your IoT Hub and then select **Settings** from the **Security** menu.
-1. Choose the **Data Collection** screen and modify the geolocation and/or IP handling settings as you wish.
+ :::image type="content" source="media/quickstart-onboard-iot-hub/create-iot-hub.png" alt-text="Select the create button from the top toolbar." lightbox="media/quickstart-onboard-iot-hub/create-iot-hub-expanded.png":::
-### Log Analytics creation
+1. Select the **Management** tab, and verify that **Defender for IoT** toggle is set to **On**.
-When Defender for IoT is turned on, a default Azure Log Analytics workspace is created to store raw security events, alerts, and recommendations for your IoT devices, IoT Edge, and IoT Hub. Each month, the first five (5) GB of data ingested per customer to the Azure Log Analytics service is free. Every GB of data ingested into your Azure Log Analytics workspace is retained at no charge for the first 31 days. Learn more about [Log Analytics](https://azure.microsoft.com/pricing/details/monitor/) pricing.
+ :::image type="content" source="media/quickstart-onboard-iot-hub/management-tab.png" alt-text="Ensure the Defender for IoT toggle is set to on.":::
-To change the workspace configuration of Log Analytics:
+## Onboard Defender for IoT to an existing IoT Hub
-1. Open your IoT Hub and then select **Settings** from the **Security** menu.
-1. Choose the **Data Collection** screen and modify the workspace configuration of Log Analytics settings as you wish.
+You can monitor your device identity management, device to cloud, and cloud to device communication patterns, do the following to start the service:
-### Customize your IoT security solution
+1. Navigate to IoT Hub.
-By default, turning on the Defender for IoT solution automatically secures all IoT Hubs under your Azure subscription.
+1. Select the **Security overview** menu.
-To turn Defender for IoT service on a specific IoT Hub on or off:
+1. Click Secure your IoT solution and complete the onboarding form.
-1. Open your IoT Hub and then select **Settings** from the **Security** menu.
-1. Choose the **Data Collection** screen and modify the security settings of any IoT hub in your Azure subscription as you wish.
## Next steps Advance to the next article to configure your solution... > [!div class="nextstepaction"]
-> [Configure your solution](quickstart-configure-your-solution.md)
+> [Create a Defender Iot micro agent module twin (Preview)](quickstart-create-micro-agent-module-twin.md)
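Review bot: This hunk deletes the "Geolocation and IP address handling" section, which was the only place telling readers that IP addresses of device, IoT Edge, and IoT Hub connections are collected by default and how to turn that collection off under **Settings** > **Data Collection**, together with the "Log Analytics creation" pricing and retention text and the per-hub on/off instructions; if those settings still exist, move the text rather than drop it, because users need the opt-out to know what data leaves their hub. Within the new text: "You can monitor your device identity management, device to cloud, and cloud to device communication patterns, do the following to start the service:" is a run-on (the deleted line had "To enable monitoring ... do the following"); "Click Secure your IoT solution" keeps "Click" and loses the bold that the rest of this change set applies; "Basic management of an IoT device's security without installing an agent based on the IoT Hub telemetry" reads as if the agent were based on telemetry, and "based on IoT Hub telemetry, without installing an agent" is clearer; and "Defender Iot" in the Next steps link should be "Defender IoT".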
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/quickstart-standalone-agent-binary-installation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/quickstart-standalone-agent-binary-installation.md
@@ -0,0 +1,127 @@
+
+ Title: Install Defender for IoT micro agent (Preview)
+
+description: Learn how to install, and authenticate the Defender Micro Agent.
+++ Last updated : 1/18/2021++++
+# Install Defender for IoT micro agent (Preview)
+
+This article provides an explanation of how to install, and authenticate the Defender micro agent.
+
+## Prerequisites
+
+Prior to installing the Defender for IoT module you must create a module identity in the IoT Hub. For more information on how to create a module identity, see [Create an azureiotsecurity module twin](quickstart-create-security-twin.md)
+
+## Install the package
+
+Install, and configure the Microsoft package repository by following [these instructions](https://docs.microsoft.com/windows-server/administration/linux-package-repository-for-microsoft-software).
+
+For Debian 9, the instructions do not include the repository that needs to be added, use the following commands to add the repository:
+
+```azurecli
+curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+
+sudo apt-get install software-properties-common
+
+sudo apt-add-repository https://packages.microsoft.com/debian/9/multiarch/prod
+
+sudo apt-get update
+```
+
+To install the Defender micro agent package on Debian, and Ubuntu based Linux distributions, use the following command:
+
+```azurecli
+sudo apt-get install defender-iot-micro-agent
+```
+
+## Micro agent authentication methods
+
+The two options used to authenticate the Defender for IoT micro agent are:
+
+- Connection string.
+
+- Certificate.
+
+### Authenticate using a connection string
+
+To authenticate using a connection string:
+
+1. Place a file named `connection_string.txt` containing the connection string encoded in utf-8 in the defender agent directory `/var/defender_iot_micro_agent` path by entering the following command:
+
+ ```azurecli
+ sudo bash -c 'echo "<connection string" > /var/defender_iot_micro_agent/connection_string.txt'
+ ```
+
+ The `connection_string.txt` should now be located in the following path location `/var/defender_iot_micro_agent/connection_string.txt`.
+
+1. Restart the service using this command:
+
+ ```azurecli
+ sudo systemctl restart defender-iot-micro-agent.service
+ ```
+
+### Authenticate using a certificate
+
+To authenticate using a certificate:
+
+1. Procure a certificate by following [these instructions](../iot-hub/iot-hub-security-x509-get-started.md).
+
+1. Place the PEM-encoded public part of the certificate, and the private key, in to the Defender Agent Directory in to the file called `certificate_public.pem`, and `certificate_private.pem`.
+
+1. Place the appropriate connection string in to the `connection_string.txt` file. the connection string should look like this:
+
+ `HostName=<the host name of the iot hub>;DeviceId=<the id of the device>;ModuleId=<the id of the module>;x509=true`
+
+ This string alerts the defender agent, to expect a certificate be provided for authentication.
+
+1. Restart the service using the following command:
+
+ ```azurecli
+ sudo systemctl restart defender-iot-micro-agent.service
+ ```
+
+### Validate your installation
+
+To validate your installation:
+
+1. Making sure the micro agent is running properly with the following command:
+
+ ```azurecli
+ systemctl status defender-iot-micro-agent.service
+ ```
+1. Ensure that the service is stable by making sure it is `active` and that the uptime of the process is appropriate
+
+ :::image type="content" source="media/quickstart-standalone-agent-binary-installation/active-running.png" alt-text="Check to make sure your service is stable and active.":::
+
+## Testing the system end-to-end
+
+You can test the system from end to end by creating a trigger file on the device. The trigger file will cause the baseline scan in the agent to detect the file as a baseline violation.
+
+Create a file on the file system with the following command:
+
+```azurecli
+sudo touch /tmp/DefenderForIoTOSBaselineTrigger.txt
+```
+A baseline validation failure recommendation will occur in the hub, with a `CceId` of CIS-debian-9-DEFENDER_FOR_IOT_TEST_CHECKS-0.0:
++
+Allow up to one hour for the recommendation to appear in the hub.
+
+## Micro agent versioning
+
+To install a specific version of the Defender IoT micro agent, run the following command:
+
+```azurecli
+sudo apt-get install defender-iot-micro-agent=<version>
+```
+
+## Next steps
+
+[Building the Defender micro agent from source code](quickstart-building-the-defender-micro-agent-from-source.md)
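Review bot: The connection string at L4042 (`sudo bash -c 'echo "<connection string" > /var/defender_iot_micro_agent/connection_string.txt'`) is created under root's default umask, which leaves a device credential world-readable, and the placeholder is missing its closing `>`. Add a `sudo chmod 600 /var/defender_iot_micro_agent/connection_string.txt` step right after the echo (or create the file first with `sudo install -m 600 /dev/null <path>`), and say the same for `certificate_private.pem` at L4059, since a PEM private key must not be group- or world-readable; it is also worth warning that typing the secret into `echo` records it in shell history. Smaller items: L4059 and L4061 "in to" should be "into"; L4061 needs a capital after the period; L4065 reads better as "This string tells the Defender agent to expect a certificate for authentication"; L4077 "Making sure" should be "Make sure"; L4096 is a stray `+` line; and the fences at L4041, L4049, L4069, L4079, L4092 and L4103 hold shell commands, so `bash` is the right fence tag rather than `azurecli`.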
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/release-notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/release-notes.md
@@ -13,19 +13,53 @@ ms.devlang: na
na Previously updated : 01/06/2021 Last updated : 02/07/2021
-# What's new?
+# What's new in Azure Defender for IoT?
-Defender for IoT 10.0 provides feature enhancements that improve security, management, and usability.
+This article lists new features and feature enhancements for Defender for IoT.
-## Security
+Noted features are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+## February 2021
+
+### Enhanced custom alert rules
+
+You can now create custom alert rules based on the day, group of days and time-period network activity was detected. Working with day and time rule conditions is useful, for example in cases where alert severity is derived by the time the alert event takes place. For example, create a custom rule that triggers a high severity alert when network activity is detected on a weekend or in the evening.
+
+This feature is available on the sensor with the release of version 10.1.
+
+### Export alerts from on-premises management console
+
+Alert information can now be exported to a .csv file from the on-premises management console. You can export information of all alerts detected or export information based on the filtered view.
+
+This feature is available on the on-premises management console with the release of version 10.1.
+### Device builder - new micro agent (Public preview)
+
+A new device builder module is available. The module, referred to as a micro-agent, allows:
+
+- **Integration with Azure IoT Hub and Azure Defender for IoT** - build stronger endpoint security directly into your IoT devices by integrating it with the monitoring option provided by both the Azure IoT Hub and Azure Defender for IoT.
+- **Flexible deployment options with support for standard IoT operating systems** - can be deployed either as a binary package or as modifiable source code, with support for standard IoT operating systems like Linux and Azure RTOS.
+- **Minimal resource requirements with no OS kernel dependencies** - small footprint, low CPU consumption, and no OS kernel dependencies.
+- **Security posture management** ΓÇô proactively monitor the security posture of your IoT devices.
+- **Continuous, real-time IoT/OT threat detection** - detect threats such as botnets, brute force attempts, crypto miners, and suspicious network activity
+
+The deprecated security module documentation will be moved to the Classic folder.
+
+This feature set is available with the current public preview cloud release.
+
+## January 2021
+
+- [Security](#security)
+- [Onboarding](#onboarding)
+- [Usability](#usability)
+- [Other updates](#other-updates)
+### Security
Certificate and password recovery enhancements were made for this release.
-### Certificates
+#### Certificates
This version lets you:
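Review bot: L4139 carries a mis-encoded dash (`ΓÇô`) where the sibling bullets at L4136-L4138 use a plain hyphen; replace it with ` - ` so the rendered list is consistent, and add the missing full stop at the end of L4140. The headings at L4132 and L4152 follow a paragraph or list item with no blank line, which some Markdown renderers fold into the preceding block; insert a blank line before each. L4142 ("will be moved to the Classic folder") announces a future action with no date or link; either link the classic location or leave the sentence out of the release notes.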
@@ -42,50 +76,50 @@ For Fresh Installations:
- During first-time login, users are required to either use an SSL Certificate (recommended) or a locally generated self-signed certificate (not recommended) - Certificate validation is turned on by default for fresh installations.
-### Password recovery
+#### Password recovery
Sensor and on-premises management console Administrative users can now recover passwords from the Azure Defender for IoT portal. Previously password recovery required intervention by the support team.
-## Onboarding
+### Onboarding
-### On-premises management console - committed devices
+#### On-premises management console - committed devices
Following initial sign-in to the on-premises management console, users are now required to upload an activation file. The file contains the aggregate number of devices to be monitored on the organizational network. This number is referred to as the number of committed devices. Committed devices are defined during the onboarding process on the Azure Defender for IoT portal, where the activation file is generated. First-time users and users upgrading are required to upload the activation file. After initial activation, the number of devices detected on the network might exceed the number of committed devices. This event might happen, for example, if you connect more sensors to the management console. If there is a discrepancy between the number of detected devices and the number of committed devices, a warning appears in the management console. If this event occurs, you should upload a new activation file.
-### Pricing page options
+#### Pricing page options
Pricing page lets you onboard new subscriptions to Azure Defender for IoT and define committed devices in your network. Additionally, the Pricing page now lets you manage existing subscriptions associated with a sensor and update device commitment.
-### View and manage onboarded sensors
+#### View and manage onboarded sensors
A new Site and Sensors portal page lets you: - Add descriptive information about the sensor. For example, a zone associated with the sensor, or free-text tags. - View and filter sensor information. For example, view details about sensors that are cloud connected or locally managed or view information about sensors in a specific zone.
-## Usability
+### Usability
-### Azure Sentinel new connector page
+#### Azure Sentinel new connector page
The Azure Defender for IoT data connector page in Azure Sentinel has been redesigned. The data connector is now based on subscriptions rather than IoT Hubs; allowing customers to better manage their configuration connection to Azure Sentinel.
-### Azure portal permission updates
+#### Azure portal permission updates
Security Reader and Security Administrator support has been added.
-## Other updates
+### Other updates
-### Access group - zone permissions
+#### Access group - zone permissions
The on-premises management console Access Group rules will not include the option to grant access to a specific zone. There is no change in defining rules that use sites, regions, and business units. Following upgrade, Access Groups that contained rules allowing access to specific zones will be modified to allow access to its parent site, including all its zones.
-### Terminology changes
+#### Terminology changes
-The term asset has been renamed device in the sensor and on-premises management console, reports and other solution interfaces.
+The term asset has been renamed device in the sensor and on-premises management console, reports, and other solution interfaces.
In sensor and on-premises management console Alerts, the term Manage this Event has been named Remediation Steps. ## Next steps
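Review bot: After this demotion the January features sit two levels deep (`### Security` then `#### Certificates` at L4152/L4155) while the February features at L4121, L4127 and L4132 sit directly at `###` under the month heading; pick one depth for feature headings so the table of contents reads the same across months. The unchanged L4158 still says "SSL Certificate"; "TLS certificate" is the current term and is worth fixing while this section is being touched.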
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/security-agent-architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/security-agent-architecture.md
@@ -1,10 +1,10 @@
Title: Security agent architecture
+ Title: Security agents overview
description: Understand security agent architecture for the agents used in the Azure Defender for IoT service. documentationcenter: na-+ editor: ''
@@ -13,8 +13,8 @@ ms.devlang: na
na Previously updated : 07/26/2019- Last updated : 01/24/2021+ # Security agent reference architecture
@@ -25,32 +25,32 @@ Security agents are designed to work in a constrained IoT environment, and are h
Security agents support the following features:
+- Authenticate with existing device identity, or a dedicated module identity. To learn more, seeΓÇ»[Security agent authentication methods](concept-security-agent-authentication-methods.md).
+ - Collect raw security events from the underlying Operating System (Linux, Windows). To learn more about available security data collectors, see [Defender for IoT agent configuration](how-to-agent-configuration.md). - Aggregate raw security events into messages sent through IoT Hub. -- Authenticate with existing device identity, or a dedicated module identity. See [Security agent authentication methods](concept-security-agent-authentication-methods.md) to learn more.- - Configure remotely through use of the **azureiotsecurity** module twin. To learn more, see [Configure an Defender for IoT agent](how-to-agent-configuration.md).
-Defender for IoT Security agents are developed as open-source projects, and are available from GitHub:
+Defender for IoT Security agents is developed as open-source projects, and are available from GitHub:
- [Defender for IoT C-based agent](https://github.com/Azure/Azure-IoT-Security-Agent-C) - [Defender for IoT C#-based agent](https://github.com/Azure/Azure-IoT-Security-Agent-CS) ## Agent supported platforms
-Defender for IoT offers different installer agents for 32bit and 64bit Windows, and the same for 32bit and 64bit Linux. Make sure you have the correct agent installer for each of your devices according to the following table:
+Defender for IoT offers different installer agents for 32 bit and 64-bit Windows, and the same for 32 bit and 64-bit Linux. Make sure you have the correct agent installer for each of your devices according to the following table:
| Architecture | Linux | Windows | Details | |--|--|--|--|
-| 32bit | C | C# | |
-| 64bit | C# or C | C# | We recommend using the C agent for devices with more restricted or minimal device resources. |
+| 32 bit | C | C# | |
+| 64 bit | C# or C | C# | We recommend using the C agent for devices with more restricted or minimal device resources. |
## Next steps
-In this article, you learned about Defender for IoT security agent architecture, and the available installers.
+In this article, you got a high-level overview about Defender for IoT security module architecture, and the available installers.
To continue getting started with Defender for IoT deployment, use the following articles:
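Review bot: L4203 introduces a subject-verb agreement error: "Defender for IoT Security agents is developed as open-source projects" should stay "are developed", as in the removed L4202. L4206 mixes "32 bit" and "64-bit"; hyphenate both when used as adjectives (the table cells at L4210-L4211 can stay unhyphenated as nouns). L4214 now says "security module architecture" while the new title at L4194 says "Security agents"; use one term throughout.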
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/troubleshoot-defender-micro-agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/troubleshoot-defender-micro-agent.md
@@ -0,0 +1,63 @@
+
+ Title: Defender IoT micro agent troubleshooting (Preview)
+
+description: Learn how to handle unexpected or unexplained errors.
+++ Last updated : 1/24/2021++++
+# Defender IoT micro agent troubleshooting (Preview)
+
+In the event you have unexpected or unexplained errors, use the following troubleshooting methods to attempt to resolve your issues. You can also reach out to the Azure Defender for IoT product team for assistance as needed.  
+
+## Service status
+
+To view the status of the service:
+
+1. Run the following command
+
+ ```azurecli
+ systemctl status defender-iot-micro-agent.service
+ ```
+
+1. Check that the service is stable by making sure it is `active`, and that the uptime in the process is appropriate.
+
+ :::image type="content" source="media/troubleshooting/active-running.png" alt-text="Ensure your service is stable by checking to see that it is active and the uptime is appropriate.":::
+
+If the service is listed as `inactive`, use the following command to start the service:
+
+```azurecli
+systemctl start defender-iot-micro-agent.service
+```
+
+You will know that the service is crashing if the process uptime is too short. To resolve this issue, you must review the logs.
+
+## Review logs
+
+Use the following command to verify that the Defender IoT micro agent service is running with root privileges.
+
+```azurecli
+ps -aux | grep " defender-iot-micro-agent"
+```
++
+To view the logs, use the following command: 
+
+```azurecli
+sudo journalctl -u defender-iot-micro-agent | tail -n 200 
+```
+
+To restart the service, use the following command:
+
+```azurecli
+sudo systemctl restart defender-iot-micro-agent  
+```
+
+## Next steps
+
+Check out the [Feature support and retirement](edge-security-module-deprecation.md).
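Review bot: The command at L4254 (`ps -aux | grep " defender-iot-micro-agent"`) does not verify privileges; it only lists the process, and `ps -aux` with a leading dash is the BSD-style form that procps only tolerates as a fallback. Suggest `ps -o user,pid,cmd -C defender-iot-micro-agent` and tell the reader to confirm the USER column shows `root`. The commands at L4260 and L4266 end in a trailing non-ASCII space inside the fence; pasted as-is, `tail -n 200` followed by that character makes `tail` reject its argument, so strip the trailing characters. L4244 starts the service without `sudo` while L4266 restarts it with `sudo`; both need root on a stock systemd host, so add `sudo` at L4244. L4256 is a stray `+` line. As elsewhere in this commit, the fences at L4233, L4243, L4253, L4259 and L4265 should be tagged `bash`, not `azurecli`.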
event-hubs https://docs.microsoft.com/en-us/azure/event-hubs/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/security-baseline.md
@@ -1051,7 +1051,7 @@ How to set the Azure Security Center Security Contact: https://docs.microsoft.co
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
How to configure continuous export: https://docs.microsoft.com/azure/security-center/continuous-export
expressroute https://docs.microsoft.com/en-us/azure/expressroute/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/security-baseline.md
@@ -949,7 +949,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
* [How to configure continuous export](../security-center/continuous-export.md)
hdinsight https://docs.microsoft.com/en-us/azure/hdinsight/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/security-baseline.md
@@ -1244,7 +1244,7 @@ https://docs.microsoft.com/azure/security-center/security-center-provide-securit
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
How to configure continuous export:
key-vault https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/backup-restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/managed-hsm/backup-restore.md
@@ -93,7 +93,7 @@ skey=$(az storage account keys list --query '[0].value' -o tsv --account-name mh
sas=$(az storage container generate-sas -n mhsmdemobackupcontainer --account-name mhsmdemobackup --permissions rl --expiry $end --account-key $skey -o tsv --subscription a1ba9aaa-b7f6-4a33-b038-6e64553a6c7b) ```
-## Backup HSM
+## Restore HSM
``` az keyvault restore start --hsm-name mhsmdemo2 --storage-account-name mhsmdemobackup --blob-container-name mhsmdemobackupcontainer --storage-container-SAS-token $sas --backup-folder mhsm-mhsmdemo-2020083120161860
@@ -101,4 +101,4 @@ az keyvault restore start --hsm-name mhsmdemo2 --storage-account-name mhsmdemoba
## Next Steps - See [Manage a Managed HSM using the Azure CLI](key-management.md).-- Learn more about [Managed HSM Security Domain](security-domain.md)
+- Learn more about [Managed HSM Security Domain](security-domain.md)
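Review bot: The heading fix at L4294 is correct, but the context at L4292 still embeds a literal subscription ID (`a1ba9aaa-b7f6-4a33-b038-6e64553a6c7b`) and mints the SAS from the storage account key pulled into `$skey` at L4291; replace the literal with a `<subscription-id>` placeholder, and consider showing a user-delegation SAS (`az storage container generate-sas --as-user --auth-mode login`) so the account key never lands in a shell variable or history. `--permissions rl` is the minimum a restore needs and is right as written.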
key-vault https://docs.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/secrets/tutorial-rotation.md
@@ -210,7 +210,7 @@ Creating a secret with a short expiration date will publish a `SecretNearExpiry`
To verify that the secret has rotated, go to **Key Vault** > **Secrets**: Open the **sqlPassword** secret and view the original and rotated versions:
lighthouse https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/concepts/cross-tenant-management-experience.md
@@ -138,7 +138,7 @@ Most tasks and services can be performed on delegated resources across managed t
- Manage Azure Sentinel resources [in customer tenants](../../sentinel/multiple-tenants-service-providers.md) - [Track attacks and view security alerts across multiple tenants](https://techcommunity.microsoft.com/t5/azure-sentinel/using-azure-lighthouse-and-azure-sentinel-to-monitor-across/ba-p/1043899)-- [View incidents](../../sentinel/multiple-workspace-view.md) across multiple Sentinel workspaces spread across tenants
+- [View incidents](../../sentinel/multiple-workspace-view.md) across multiple Azure Sentinel workspaces spread across tenants
[Azure Service Health](../../service-health/index.yml):
logic-apps https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-resource-manager-templates-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/logic-apps-azure-resource-manager-templates-overview.md
@@ -81,7 +81,7 @@ A logic app template has multiple `parameters` objects that exist at different l
* Connections that your logic uses to access other services and systems through [managed connectors](../connectors/apis-list.md) * Other resources that your logic app needs for deployment
- For example, if your logic app uses an [integration account](../logic-apps/logic-apps-enterprise-integration-create-integration-account.md) for business-to-business (B2B) scenarios, the template's top-level `parameters` object declares the parameter that accepts the resource ID for that integration account.
+ For example, if your logic app uses an [integration account](../logic-apps/logic-apps-enterprise-integration-create-integration-account.md) for business-to-business (B2B) scenarios, the template's top level `parameters` object declares the parameter that accepts the resource ID for that integration account.
Here is the general structure and syntax for a parameter definition, which is fully described by [Parameters - Resource Manager template structure and syntax](../azure-resource-manager/templates/template-syntax.md#parameters):
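Review bot: L4311 turns the compound adjective "top-level" into "top level", which is the less correct form, and this same commit keeps "top-level" at L4316, so the change introduces inconsistency within the file; revert L4311 (and the matching L4336) or change every occurrence together.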
@@ -625,7 +625,7 @@ When your logic app creates and uses connections to other services and system by
} ```
-Connection resource definitions reference the template's top-level parameters for their values, which means you can provide these values at deployment by using a parameters file. Make sure that connections use the same Azure resource group and location as your logic app.
+Connection resource definitions reference the template's top-level parameters for their values so you can provide these values at deployment by using a parameters file. Make sure that connections use the same Azure resource group and location as your logic app.
Here is an example resource definition for an Office 365 Outlook connection and the corresponding template parameters:
@@ -744,12 +744,12 @@ This example shows the interactions between your logic app's resource definition
} } }
- },
- <other-logic-app-resource-information>,
- "dependsOn": [
- "[resourceId('Microsoft.Web/connections', parameters('office365_1_Connection_Name'))]"
- ]
- }
+ }
+ },
+ <other-logic-app-resource-information>,
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', parameters('office365_1_Connection_Name'))]"
+ ]
// End logic app resource definition }, // Office 365 Outlook API connection resource definition
@@ -980,7 +980,7 @@ Some connections support using an Azure Active Directory (Azure AD) [service pri
**Template parameter definitions**
-The template's top-level `parameters` object declares these parameters for the example connection:
+The template's top level `parameters` object declares these parameters for the example connection:
```json {
logic-apps https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-limits-and-config https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/logic-apps-limits-and-config.md
@@ -5,7 +5,7 @@
ms.suite: integration Previously updated : 01/25/2021 Last updated : 02/05/2021 # Limits and configuration information for Azure Logic Apps
@@ -433,6 +433,18 @@ This section lists the inbound IP addresses for the Azure Logic Apps service onl
> inbound webhook callbacks to the Logic Apps service, rather than specify inbound managed > connector IP address prefixes for each region. These tags work across the regions where > the Logic Apps service is available.
+>
+> The following connectors make inbound webhook callbacks to the Logic Apps service:
+>
+> Adobe Creative Cloud, Adobe Sign, Adobe Sign Demo, Adobe Sign Preview, Adobe Sign Stage,
+> Azure Sentinel, Business Central, Calendly, Common Data Service, DocuSign, DocuSign Demo,
+> Dynamics 365 for Fin & Ops, LiveChat, Office 365 Outlook, Outlook.com, Parserr, SAP*,
+> Shifts for Microsoft Teams, Teamwork Projects, Typeform
+>
+> \* **SAP**: The return caller depends on whether the deployment environment is either
+> multi-tenant Azure or ISE. In the multi-tenant environment, the on-premises data gateway
+> makes the call back to the Logic Apps service. In an ISE, the SAP connector makes the
+> call back to the Logic Apps service.
<a name="multi-tenant-inbound"></a>
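Review bot: The SAP footnote at L4351-L4354 changes what an operator has to allow inbound: in multi-tenant Azure the callback originates from the on-premises data gateway, so an allow-list built only from the connector service tags recommended at L4342 will not cover it. State explicitly that in that deployment the gateway host's egress must be permitted to the Logic Apps inbound addresses, and that the service-tag guidance applies to the other connectors in the list at L4346-L4349.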
machine-learning https://docs.microsoft.com/en-us/azure/machine-learning/how-to-machine-learning-interpretability-automl https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-machine-learning-interpretability-automl.md
@@ -35,7 +35,7 @@ In this article, you learn how to:
Retrieve the explanation from the `best_run`, which includes explanations for both raw and engineered features.
-> [!Warning]
+> [!NOTE]
> Interpretability, best model explanation, is not available for Auto ML forecasting experiments that recommend the following algorithms as the best model: > * TCNForecaster > * AutoArima
media-services https://docs.microsoft.com/en-us/azure/media-services/latest/includes/reference-feature-availability-germany https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/includes/reference-feature-availability-germany.md
@@ -9,12 +9,12 @@
<!--Feature availability in region--> ## Germany
-| Feature | <!--Germany Central (Sovereign)--> | Germany North (Public) |<!-- Germany Northeast (Sovereign)--> | Germany West Central (Public) |
-| | :: | :: | :: | :: |
-| [Azure EventGrid](../reacting-to-media-services-events.md) |<!--Germany Central (Sovereign) --> |![Azure EventGrid Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) | <!--Germany Northeast (Sovereign) --> |![Azure EventGrid Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
-| [VideoAnalyzerPreset](../analyzing-video-audio-files-concept.md) |<!--Germany Central (Sovereign) --> |![Azure EventGrid Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) | <!--Germany Northeast (Sovereign) --> |![Azure EventGrid Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
-| [AudioAnalyzerPreset](../analyzing-video-audio-files-concept.md) |<!--Germany Central (Sovereign) --> |![AudioAnalyzerPreset Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) | <!--Germany Northeast (Sovereign) --> |![AudioAnalyzerPreset Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
-| [StandardEncoderPreset](../encoding-concept.md) |<!--![StandardEncoderPreset Germany Central (Sovereign) general availability](../media/azure-clouds-regions/ga.svg) --> | ![StandardEncoderPreset Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |<!-- ![StandardEncoderPreset Germany Northeast (Sovereign) general availability](../media/azure-clouds-regions/ga.svg)--> |![StandardEncoderPreset Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
-| [LiveEvents](../live-streaming-overview.md) |<!--![LiveEvents Germany Central (Sovereign) general availability](../media/azure-clouds-regions/ga.svg)--> | ![LiveEvents Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |<!-- ![LiveEvents Germany Northeast (Sovereign) general availability](../media/azure-clouds-regions/ga.svg)--> |![LiveEvents Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
-| [StreamingEndpoints](../streaming-endpoint-concept.md) |<!--![StreamingEndpoints Germany Central (Sovereign) general availability](../media/azure-clouds-regions/ga.svg)--> | ![StreamingEndpoints Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |<!--![StreamingEndpoints Germany Northeast (Sovereign) general availability](../media/azure-clouds-regions/ga.svg)--> |![StreamingEndpoints Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
-| [LiveTranscription](../live-transcription.md) |<!--![LiveTranscription Germany Central (Sovereign) general availability](../media/azure-clouds-regions/ga.svg)--> |![LiveTranscription Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |<!-- ![LiveTranscription Germany Northeast (Sovereign) general availability](../media/azure-clouds-regions/ga.svg)--> |![LiveTranscription Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
+| Feature | Germany North (Public) | Germany West Central (Public) |
+| | :: | :: |
+| [Azure EventGrid](../reacting-to-media-services-events.md) |![Azure EventGrid Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |![Azure EventGrid Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
+| [VideoAnalyzerPreset](../analyzing-video-audio-files-concept.md) |![Azure EventGrid Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) | ![Azure EventGrid Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
+| [AudioAnalyzerPreset](../analyzing-video-audio-files-concept.md) |![AudioAnalyzerPreset Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |![AudioAnalyzerPreset Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
+| [StandardEncoderPreset](../encoding-concept.md) | ![StandardEncoderPreset Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |![StandardEncoderPreset Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
+| [LiveEvents](../live-streaming-overview.md) | ![LiveEvents Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |![LiveEvents Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
+| [StreamingEndpoints](../streaming-endpoint-concept.md) | ![StreamingEndpoints Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |![StreamingEndpoints Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
+| [LiveTranscription](../live-transcription.md) |![LiveTranscription Germany North (Public) general availability](../media/azure-clouds-regions/ga.svg) |![LiveTranscription Germany West Central (Public) general availability](../media/azure-clouds-regions/ga.svg) |
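Review bot: The rewritten VideoAnalyzerPreset row at L4377 still carries the alt text "Azure EventGrid Germany North (Public) general availability" copied from the EventGrid row at L4376; fix both cells to name VideoAnalyzerPreset. Dropping the commented-out sovereign columns also removes the only trace that Germany Central and Germany Northeast were never listed as available; if that is intended, a one-line note above the table saying only public regions are listed would stop readers reading it as an omission.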
mysql https://docs.microsoft.com/en-us/azure/mysql/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/security-baseline.md
@@ -1066,7 +1066,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
- [How to configure continuous export](../security-center/continuous-export.md)
network-watcher https://docs.microsoft.com/en-us/azure/network-watcher/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/network-watcher/security-baseline.md
@@ -921,7 +921,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
* [How to configure continuous export](../security-center/continuous-export.md)
postgresql https://docs.microsoft.com/en-us/azure/postgresql/postgresql-hyperscale-security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/postgresql-hyperscale-security-baseline.md
@@ -716,7 +716,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
- [How to configure continuous export](../security-center/continuous-export.md)
postgresql https://docs.microsoft.com/en-us/azure/postgresql/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/security-baseline.md
@@ -1068,7 +1068,7 @@ Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
### 10.5: Incorporate security alerts into your incident response system
-**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts Sentinel.
+**Guidance**: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
- [How to configure continuous export](../security-center/continuous-export.md)
private-link https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/create-private-endpoint-powershell.md
@@ -10,7 +10,7 @@ Last updated 11/02/2020
-# Quickstart: Create a Private Endpoint using Azure PowerShell
+# Use PowerShell to create a Private Endpoint
Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.
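Review bot: the H1 rename from "Quickstart: Create a Private Endpoint using Azure PowerShell" to "Use PowerShell to create a Private Endpoint" is only half the change; the front-matter `title` and `description` and any TOC entry or cross-page link that used the "Quickstart" wording sit outside this hunk and need the same update, otherwise the browser title, navigation and page heading diverge. The `Last updated 11/02/2020` context line should also be bumped, since the page content changed.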
purview https://docs.microsoft.com/en-us/azure/purview/how-to-link-azure-data-factory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/purview/how-to-link-azure-data-factory.md
@@ -101,29 +101,29 @@ The integration between Data Factory and Purview supports only a subset of the d
### Data Factory Copy Data support
-| Data storage system | Supported as source | Supported as sink |
-| - | - | -- |
-| ADLS Gen1 | Yes | Yes (non-binary copy only) |
-| ADLS Gen2 | Yes | Yes |
-| Azure Blob | Yes | Yes |
-| Azure Cosmos DB (SQL API) | Yes | Yes |
-| Azure Cosmos DB (Mongo API) | Yes | Yes |
-| Azure Cognitive Search | Yes | Yes |
-| Azure Data Explorer | Yes | Yes |
-| Azure Database for Maria DB \* | Yes | Yes |
-| Azure Database for MYSQL \* | Yes | Yes |
-| Azure Database for PostgreSQL \* | Yes | Yes |
-| Azure File Storage | Yes | Yes |
-| Azure Table Storage | Yes | Yes |
-| Azure SQL Database \* | Yes | Yes |
-| Azure SQL MI \* | Yes | Yes |
-| Azure Synapse Analytics(formerly SQL DW) \* | Yes | Yes |
-| SQL Server On-prem (SHIR required) \* | Yes | Yes |
-| Amazon S3 | Yes | Yes |
-| Teradata | Yes | Yes |
-| SAP s4 Hana | Yes | Yes |
-| SAP ECC | Yes | Yes |
-| Hive | Yes | Yes |
+| Data storage system | Supported as source |
+| - | - |
+| ADLS Gen1 | Yes |
+| ADLS Gen2 | Yes |
+| Azure Blob | Yes |
+| Azure Cosmos DB (SQL API) | Yes |
+| Azure Cosmos DB (Mongo API) | Yes |
+| Azure Cognitive Search | Yes |
+| Azure Data Explorer | Yes |
+| Azure Database for Maria DB \* | Yes |
+| Azure Database for MYSQL \* | Yes |
+| Azure Database for PostgreSQL \* | Yes |
+| Azure File Storage | Yes |
+| Azure Table Storage | Yes |
+| Azure SQL Database \* | Yes |
+| Azure SQL MI \* | Yes |
+| Azure Synapse Analytics(formerly SQL DW) \* | Yes |
+| SQL Server On-prem \* | Yes |
+| Amazon S3 | Yes |
+| Teradata | Yes |
+| SAP Table connector | Yes |
+| SAP ECC | Yes |
+| Hive | Yes |
> [!Note] > The lineage feature has certain performance overhead in Data Factory copy activity. For those who setup data factory connections in Purview, you may observe certain copy jobs taking longer to complete. Mostly the impact is none to negligible. Please contact support with time comparison if the copy jobs take significantly longer to finish than usual.
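Review bot: two rows change meaning beyond dropping the "Supported as sink" column and should be called out in the commit or the intro text: `SQL Server On-prem (SHIR required) \*` becomes `SQL Server On-prem \*`, losing the self-hosted integration runtime requirement, and `SAP s4 Hana` is replaced by `SAP Table connector`. If the SHIR requirement still applies, keep it in the row or in the `\*` footnote. The trailing note also reads awkwardly; suggest "If you set up Data Factory connections in Purview, you may observe some copy jobs taking longer to complete. In most cases the impact is negligible."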
@@ -131,7 +131,7 @@ The integration between Data Factory and Purview supports only a subset of the d
### Data Factory Data Flow support | Data storage system | Supported |
-| - | - | -- |
+| - | - |
| ADLS Gen1 | Yes | | ADLS Gen2 | Yes | | Azure Blob | Yes |
@@ -141,7 +141,7 @@ The integration between Data Factory and Purview supports only a subset of the d
### Data Factory Execute SSIS Package support | Data storage system | Supported |
-| - | - | -- |
+| - | - |
| Azure Blob | Yes | | ADLS Gen1 | Yes | | ADLS Gen2 | Yes |
purview https://docs.microsoft.com/en-us/azure/purview/register-scan-power-bi-tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/purview/register-scan-power-bi-tenant.md
@@ -79,7 +79,7 @@ First, add a special feature flag to your Purview URL
:::image type="content" source="media/setup-power-bi-scan-catalog-portal/select-power-bi-data-source.png" alt-text="Image showing the list of data sources available to choose":::
-1. Give your Power BI instance a friendly name.
+3. Give your Power BI instance a friendly name.
:::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-friendly-name.png" alt-text="Image showing Power BI data source-friendly name":::
@@ -89,17 +89,21 @@ First, add a special feature flag to your Purview URL
:::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-datasource-registered.png" alt-text="Power BI data source registered":::
-1. Give your scan a name. Notice that the only authentication method supported is **Managed Identity**.
+ > [!Note]
+ > For Power BI, data source registration and scan is allowed for only one instance.
++
+4. Give your scan a name. Notice that the only authentication method supported is **Managed Identity**.
:::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-setup.png" alt-text="Image showing Power BI scan setup"::: The scan name must be between 3-63 characters long and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.
-1. Set up a scan trigger. Your options are **Once**, **Every 7 days**, and **Every 30 days**.
+5. Set up a scan trigger. Your options are **Once**, **Every 7 days**, and **Every 30 days**.
:::image type="content" source="media/setup-power-bi-scan-catalog-portal/scan-trigger.png" alt-text="Scan trigger image":::
-1. On **Review new scan**, select **Save and Run** to launch your scan.
+6. On **Review new scan**, select **Save and Run** to launch your scan.
:::image type="content" source="media/setup-power-bi-scan-catalog-portal/save-run-power-bi-scan.png" alt-text="Save and run Power BI screen image":::
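Review bot: the added note "data source registration and scan is allowed for only one instance" does not say what the instance is; state the scope explicitly, for example "Only one Power BI tenant can be registered and scanned per Purview account", if that is the intended meaning. The renumbering to explicit `4.`, `5.`, `6.` (and `1.` to `3.` in the previous hunk) also requires that the steps outside these hunks carry explicit `1.` and `2.`, since mixing `1.` placeholders with explicit numbers renders inconsistently across Markdown engines.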
purview https://docs.microsoft.com/en-us/azure/purview/tutorial-scan-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/purview/tutorial-scan-data.md
@@ -86,7 +86,9 @@ Before you run the PowerShell scripts to bootstrap the catalog, get the values o
1. Select the **Overview** section and save the GUID for the **Subscription ID**. > [!NOTE]
- > Make sure you're using the same subscription as the one in which you created the Azure Purview Account. This is the same subscription that was placed in the allow list.
+ > - Make sure you're using the same subscription as the one in which you created the Azure Purview Account. This is the same subscription that was placed in the allow list.
+ > - Lineage could be missing sometimes in Azure Purview after running the starter kit. This is because the Data Factory created by starter kit has missing permissions in Purview. Select [**this document link**](how-to-link-azure-data-factory.md#view-existing-data-factory-connections) to make sure the Data Factory is configured correct and assigned appropriate role in Purview
+ * CatalogName: The name of the Azure Purview account that you created in [Create an Azure Purview account](create-catalog-portal.md).
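Review bot: the new bullet has several grammar slips: "the Data Factory created by starter kit" should be "created by the starter kit", "configured correct and assigned appropriate role" should be "configured correctly and assigned the appropriate role", and the sentence lacks a terminating period. "Select [**this document link**](...)" is also a non-descriptive link; link the action instead, e.g. "See [View existing Data Factory connections](how-to-link-azure-data-factory.md#view-existing-data-factory-connections) to verify the Data Factory is configured correctly."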
role-based-access-control https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/role-based-access-control/built-in-roles.md
@@ -70,6 +70,7 @@ The following table provides a brief description and the unique ID of each built
> | [Storage Queue Data Message Sender](#storage-queue-data-message-sender) | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | > | [Storage Queue Data Reader](#storage-queue-data-reader) | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | 19e7f393-937e-4f77-808e-94535e297925 | > | **Web** | | |
+> | [Azure Maps Data Contributor](#azure-maps-data-contributor) | Grants access to read, write, and delete access to map related data from an Azure maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 |
> | [Azure Maps Data Reader](#azure-maps-data-reader) | Grants access to read map related data from an Azure maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | > | [Search Service Contributor](#search-service-contributor) | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | > | [SignalR AccessKey Reader](#signalr-accesskey-reader) | Read SignalR Service Access Keys | 04165923-9d83-45d5-8227-78b77b0a687e |
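Review bot: the new row's description "Grants access to read, write, and delete access to map related data" repeats "access"; suggest "Grants read, write, and delete access to map-related data from an Azure Maps account." Because this text mirrors the `description` field of the role definition (the same wording appears in the JSON added in a later hunk), the wording fix belongs in the role definition, with the doc regenerated from it.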
@@ -124,7 +125,15 @@ The following table provides a brief description and the unique ID of each built
> | [Blockchain Member Node Access (Preview)](#blockchain-member-node-access-preview) | Allows for access to Blockchain Member nodes | 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | > | **AI + machine learning** | | | > | [Cognitive Services Contributor](#cognitive-services-contributor) | Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 |
+> | [Cognitive Services Custom Vision Contributor](#cognitive-services-custom-vision-contributor) | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 |
+> | [Cognitive Services Custom Vision Deployment](#cognitive-services-custom-vision-deployment) | Publish, unpublish or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f |
+> | [Cognitive Services Custom Vision Labeler](#cognitive-services-custom-vision-labeler) | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c |
+> | [Cognitive Services Custom Vision Reader](#cognitive-services-custom-vision-reader) | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 |
+> | [Cognitive Services Custom Vision Trainer](#cognitive-services-custom-vision-trainer) | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b |
> | [Cognitive Services Data Reader (Preview)](#cognitive-services-data-reader-preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c |
+> | [Cognitive Services Metrics Advisor Administrator](#cognitive-services-metrics-advisor-administrator) | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a |
+> | [Cognitive Services QnA Maker Editor](#cognitive-services-qna-maker-editor) | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 |
+> | [Cognitive Services QnA Maker Reader](#cognitive-services-qna-maker-reader) | Let's you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 |
> | [Cognitive Services User](#cognitive-services-user) | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 | > | **Mixed reality** | | | > | [Remote Rendering Administrator](#remote-rendering-administrator) | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e |
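Review bot: "Let's you create, edit, import and export a KB" and "Let's you read and test a KB only" in the two QnA Maker rows should read "Lets you", matching the other rows. The Custom Vision Contributor and Metrics Advisor Administrator rows both say "Full access to the project" without naming the service the project belongs to; in a table that mixes services, "Full access to Custom Vision projects" and "Full access to Metrics Advisor, including system-level configuration" are clearer.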
@@ -157,6 +166,8 @@ The following table provides a brief description and the unique ID of each built
> | [Managed Identity Contributor](#managed-identity-contributor) | Create, Read, Update, and Delete User Assigned Identity | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | > | [Managed Identity Operator](#managed-identity-operator) | Read and Assign User Assigned Identity | f1a07417-d97a-45cb-824c-7a7467783830 | > | **Security** | | |
+> | [Attestation Contributor](#attestation-contributor) | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
+> | [Attestation Reader](#attestation-reader) | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
> | [Azure Sentinel Contributor](#azure-sentinel-contributor) | Azure Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade | > | [Azure Sentinel Reader](#azure-sentinel-reader) | Azure Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb | > | [Azure Sentinel Responder](#azure-sentinel-responder) | Azure Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 |
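Review bot: "Can read write or delete the attestation provider instance" needs commas: "Can read, write, or delete the attestation provider instance". The Reader row's "Can read the attestation provider properties" is fine; neither row ends with a period, unlike most entries in this table, so add one to both for consistency.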
@@ -169,6 +180,7 @@ The following table provides a brief description and the unique ID of each built
> | [Key Vault Reader (preview)](#key-vault-reader-preview) | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 | > | [Key Vault Secrets Officer (preview)](#key-vault-secrets-officer-preview) | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | > | [Key Vault Secrets User (preview)](#key-vault-secrets-user-preview) | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |
+> | [Managed HSM contributor](#managed-hsm-contributor) | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d |
> | [Security Admin](#security-admin) | View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. | fb1c8493-542b-48eb-b624-b4c8fea62acd | > | [Security Assessment Contributor](#security-assessment-contributor) | Lets you push assessments to Security Center | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | > | [Security Manager (Legacy)](#security-manager-legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
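Review bot: `Managed HSM contributor` uses a lowercase "contributor" while every other role in the table capitalizes it ("Attestation Contributor", "Key Vault Secrets Officer (preview)"). If the lowercase form is the actual `roleName` of the definition, keep the table matching the definition and fix the casing upstream; otherwise correct it here. Either way the `#managed-hsm-contributor` anchor must match the H3 of the detail section that the link points to.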
@@ -205,6 +217,7 @@ The following table provides a brief description and the unique ID of each built
> | [Management Group Reader](#management-group-reader) | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d | > | [New Relic APM Account Contributor](#new-relic-apm-account-contributor) | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237 | > | [Policy Insights Data Writer (Preview)](#policy-insights-data-writer-preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84 |
+> | [Reservation Purchaser](#reservation-purchaser) | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689 |
> | [Resource Policy Contributor](#resource-policy-contributor) | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608 | > | [Site Recovery Contributor](#site-recovery-contributor) | Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | > | [Site Recovery Operator](#site-recovery-operator) | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca |
@@ -215,8 +228,22 @@ The following table provides a brief description and the unique ID of each built
> | [Azure Digital Twins Data Owner](#azure-digital-twins-data-owner) | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe | > | [Azure Digital Twins Data Reader](#azure-digital-twins-data-reader) | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 | > | [BizTalk Contributor](#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |
+> | [Desktop Virtualization Application Group Contributor](#desktop-virtualization-application-group-contributor) | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 |
+> | [Desktop Virtualization Application Group Reader](#desktop-virtualization-application-group-reader) | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 |
+> | [Desktop Virtualization Contributor](#desktop-virtualization-contributor) | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387 |
+> | [Desktop Virtualization Host Pool Contributor](#desktop-virtualization-host-pool-contributor) | Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc |
+> | [Desktop Virtualization Host Pool Reader](#desktop-virtualization-host-pool-reader) | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 |
+> | [Desktop Virtualization Reader](#desktop-virtualization-reader) | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 |
+> | [Desktop Virtualization Session Host Operator](#desktop-virtualization-session-host-operator) | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 |
> | [Desktop Virtualization User](#desktop-virtualization-user) | Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 |
+> | [Desktop Virtualization User Session Operator](#desktop-virtualization-user-session-operator) | Operator of the Desktop Virtualization Uesr Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 |
+> | [Desktop Virtualization Workspace Contributor](#desktop-virtualization-workspace-contributor) | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b |
+> | [Desktop Virtualization Workspace Reader](#desktop-virtualization-workspace-reader) | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d |
+> | [Disk Backup Reader](#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
+> | [Disk Restore Operator](#disk-restore-operator) | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 |
+> | [Disk Snapshot Contributor](#disk-snapshot-contributor) | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce |
> | [Scheduler Job Collections Contributor](#scheduler-job-collections-contributor) | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 |
+> | [Services Hub Operator](#services-hub-operator) | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b |
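Review bot: typo "Uesr Session" in the Desktop Virtualization User Session Operator description. The three disk rows say "Provides permission to backup vault to perform disk backup/restore/manage disk snapshots"; "Provides permission to a Backup vault to ..." reads correctly and matches the service name. The Services Hub Operator description also restates its own role name ("Services Hub Operator allows you to ..."); "Allows all read, write, and delete operations on Services Hub Connectors." is enough.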
## General
@@ -2607,9 +2634,52 @@ Read and list Azure Storage queues and queue messages. To learn which actions ar
## Web
+### Azure Maps Data Contributor
+
+Grants access to read, write, and delete access to map related data from an Azure maps account. [Learn more](../azure-maps/azure-maps-authentication.md)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | *none* | |
+> | **NotActions** | |
+> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/read | |
+> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/write | |
+> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/delete | |
+> | **NotDataActions** | |
+> | *none* | |
+
+```json
+{
+ "assignableScopes": [
+ "/"
+ ],
+ "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
+ "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
+ "permissions": [
+ {
+ "actions": [],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.Maps/accounts/*/read",
+ "Microsoft.Maps/accounts/*/write",
+ "Microsoft.Maps/accounts/*/delete"
+ ],
+ "notDataActions": []
+ }
+ ],
+ "roleName": "Azure Maps Data Contributor",
+ "roleType": "BuiltInRole",
+ "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+ ### Azure Maps Data Reader
-Grants access to read map related data from an Azure maps account.
+Grants access to read map related data from an Azure maps account. [Learn more](../azure-maps/azure-maps-authentication.md)
> [!div class="mx-tableFixed"] > | Actions | Description |
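Review bot: the description repeats "access" both in the prose line and in the JSON `description` field ("Grants access to read, write, and delete access to map related data"); suggest "Grants read, write, and delete access to map-related data from an Azure Maps account." in both places. It is also worth a sentence in the section that, with `Microsoft.Maps/accounts/*/write` and `Microsoft.Maps/accounts/*/delete` as DataActions and an empty `notDataActions`, this is a full data-plane role, so callers that only query map data should get Azure Maps Data Reader instead.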
@@ -5273,18 +5343,18 @@ Lets you create, read, update, delete and manage keys of Cognitive Services. [Le
} ```
-### Cognitive Services Data Reader (Preview)
+### Cognitive Services Custom Vision Contributor
-Lets you read Cognitive Services data.
+Full access to the project, including the ability to view, create, edit, or delete projects. [Learn more](../cognitive-services/custom-vision-service/role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/* | |
> | **NotDataActions** | | > | *none* | |
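Review bot: the pairing of `-### Cognitive Services Data Reader (Preview)` with `+### Cognitive Services Custom Vision Contributor` is diff alignment from inserting new sections alphabetically, not a removal; the summary table earlier in this patch still lists Data Reader (Preview) at `b59867f0-fa02-499b-be73-45a86b5b3e1c` and Cognitive Services User, so confirm both detail sections survive further down the file. One point for the section text: the Contributor's control-plane `Microsoft.CognitiveServices/*/read` applies to every Cognitive Services resource in the assignment scope, not only Custom Vision accounts, so the page should advise assigning the role at the account scope when read visibility of other Cognitive Services resources is not wanted.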
@@ -5293,245 +5363,232 @@ Lets you read Cognitive Services data.
"assignableScopes": [ "/" ],
- "description": "Lets you read Cognitive Services data.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
- "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
+ "description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
+ "name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"permissions": [ {
- "actions": [],
+ "actions": [
+ "Microsoft.CognitiveServices/*/read"
+ ],
"notActions": [], "dataActions": [
- "Microsoft.CognitiveServices/*/read"
+ "Microsoft.CognitiveServices/accounts/CustomVision/*"
], "notDataActions": [] } ],
- "roleName": "Cognitive Services Data Reader (Preview)",
+ "roleName": "Cognitive Services Custom Vision Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Cognitive Services User
+### Cognitive Services Custom Vision Deployment
-Lets you read and list keys of Cognitive Services. [Learn more](../cognitive-services/authentication.md)
+Publish, unpublish or export models. Deployment can view the project but can't update. [Learn more](../cognitive-services/custom-vision-service/role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
-> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/listkeys/action | List Keys |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/read | Read a resource diagnostic setting |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/logDefinitions/read | Read log definitions |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricdefinitions/read | Read metric definitions |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics |
-> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/iterations/publish/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/iterations/export/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/quicktest/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/classify/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/detect/* | |
> | **NotDataActions** | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. |
```json { "assignableScopes": [ "/" ],
- "description": "Lets you read and list keys of Cognitive Services.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
- "name": "a97b65f3-24c7-4388-baec-2e87135dc908",
+ "description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
+ "name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"permissions": [ { "actions": [
- "Microsoft.CognitiveServices/*/read",
- "Microsoft.CognitiveServices/accounts/listkeys/action",
- "Microsoft.Insights/alertRules/read",
- "Microsoft.Insights/diagnosticSettings/read",
- "Microsoft.Insights/logDefinitions/read",
- "Microsoft.Insights/metricdefinitions/read",
- "Microsoft.Insights/metrics/read",
- "Microsoft.ResourceHealth/availabilityStatuses/read",
- "Microsoft.Resources/deployments/operations/read",
- "Microsoft.Resources/subscriptions/operationresults/read",
- "Microsoft.Resources/subscriptions/read",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
+ "Microsoft.CognitiveServices/*/read"
], "notActions": [], "dataActions": [
- "Microsoft.CognitiveServices/*"
+ "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
],
- "notDataActions": []
+ "notDataActions": [
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
+ ]
} ],
- "roleName": "Cognitive Services User",
+ "roleName": "Cognitive Services Custom Vision Deployment",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-## Mixed reality
--
-### Remote Rendering Administrator
+### Cognitive Services Custom Vision Labeler
-Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering [Learn more](../remote-rendering/how-tos/authentication.md)
+View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. [Learn more](../cognitive-services/custom-vision-service/role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/action | Start asset conversion |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/read | Get asset conversion properties |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/delete | Stop asset conversion |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect to a session |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/images/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/tags/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/images/suggested/* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/tagsandregions/suggestions/action | This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found. |
> | **NotDataActions** | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. |
```json { "assignableScopes": [ "/" ],
- "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
- "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
+ "description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
+ "name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
"permissions": [ {
- "actions": [],
+ "actions": [
+ "Microsoft.CognitiveServices/*/read"
+ ],
"notActions": [], "dataActions": [
- "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
- "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
- "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
- "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
- "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
- "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
- "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
- "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
+ "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
],
- "notDataActions": []
+ "notDataActions": [
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
+ ]
} ],
- "roleName": "Remote Rendering Administrator",
+ "roleName": "Cognitive Services Custom Vision Labeler",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Remote Rendering Client
+### Cognitive Services Custom Vision Reader
-Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. [Learn more](../remote-rendering/how-tos/authentication.md)
+Read-only actions in the project. Readers can't create or update the project. [Learn more](../cognitive-services/custom-vision-service/role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect to a session |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
> | **NotDataActions** | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. |
```json { "assignableScopes": [ "/" ],
- "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
- "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
+ "description": "Read-only actions in the project. Readers can't create or update the project.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
+ "name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
"permissions": [ {
- "actions": [],
+ "actions": [
+ "Microsoft.CognitiveServices/*/read"
+ ],
"notActions": [], "dataActions": [
- "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
- "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
- "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
- "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
- "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
+ "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
],
- "notDataActions": []
+ "notDataActions": [
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
+ ]
} ],
- "roleName": "Remote Rendering Client",
+ "roleName": "Cognitive Services Custom Vision Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Spatial Anchors Account Contributor
+### Cognitive Services Custom Vision Trainer
-Lets you manage spatial anchors in your account, but not delete them [Learn more](../spatial-anchors/concepts/authentication.md)
+View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. [Learn more](../cognitive-services/custom-vision-service/role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/* | |
> | **NotDataActions** | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/action | Create a project. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/delete | Delete a specific project. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/import/action | Imports a project. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. |
```json { "assignableScopes": [ "/" ],
- "description": "Lets you manage spatial anchors in your account, but not delete them",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
- "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
+ "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
+ "name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"permissions": [ {
- "actions": [],
+ "actions": [
+ "Microsoft.CognitiveServices/*/read"
+ ],
"notActions": [], "dataActions": [
- "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
+ "Microsoft.CognitiveServices/accounts/CustomVision/*"
],
- "notDataActions": []
+ "notDataActions": [
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
+ "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
+ ]
} ],
- "roleName": "Spatial Anchors Account Contributor",
+ "roleName": "Cognitive Services Custom Vision Trainer",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Spatial Anchors Account Owner
+### Cognitive Services Data Reader (Preview)
-Lets you manage spatial anchors in your account, including deleting them [Learn more](../spatial-anchors/concepts/authentication.md)
+Lets you read Cognitive Services data.
> [!div class="mx-tableFixed"] > | Actions | Description |
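Review bot: Several Description cells in the Labeler's permission table are empty (the `Microsoft.CognitiveServices/*/read`, `accounts/CustomVision/*/read`, `projects/images/*`, `projects/tags/*` and `projects/images/suggested/*` rows), while the `tagsandregions/suggestions/action` row carries a two-sentence API description; a short description per wildcard row, such as "Read all Custom Vision project data" for `accounts/CustomVision/*/read`, would let a reader see what each wildcard grants without opening the operations page. The role description "View, edit training images and create, add, remove, or delete the image tags" would also read more cleanly as "View and edit training images, and create, add, remove, or delete image tags", keeping the JSON `description` in step with whatever Azure serves. Separately, this hunk removes the Remote Rendering Administrator and Remote Rendering Client definitions without re-adding them; confirm they are relocated elsewhere in the file rather than dropped.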
@@ -5540,13 +5597,7 @@ Lets you manage spatial anchors in your account, including deleting them [Learn
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/delete | Delete spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
> | **NotDataActions** | | > | *none* | |
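Review bot: The single DataActions row for Cognitive Services Data Reader (Preview), `Microsoft.CognitiveServices/*/read`, has an empty Description cell even though it is a data-plane wildcard across every Cognitive Services kind rather than one service; a description such as "Read data in all Cognitive Services accounts" would make the breadth of the grant visible in the table, and the role text "Lets you read Cognitive Services data." could say the same so that assigners understand it is not scoped to a single service. This hunk likewise removes the Spatial Anchors Account Owner data actions with no replacement in view; confirm that role is re-added elsewhere.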
@@ -5555,46 +5606,37 @@ Lets you manage spatial anchors in your account, including deleting them [Learn
"assignableScopes": [ "/" ],
- "description": "Lets you manage spatial anchors in your account, including deleting them",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
- "name": "70bbe301-9835-447d-afdd-19eb3167307c",
+ "description": "Lets you read Cognitive Services data.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
+ "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
"permissions": [ { "actions": [], "notActions": [], "dataActions": [
- "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
+ "Microsoft.CognitiveServices/*/read"
], "notDataActions": [] } ],
- "roleName": "Spatial Anchors Account Owner",
+ "roleName": "Cognitive Services Data Reader (Preview)",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Spatial Anchors Account Reader
+### Cognitive Services Metrics Advisor Administrator
-Lets you locate and read properties of spatial anchors in your account [Learn more](../spatial-anchors/concepts/authentication.md)
+Full access to the project, including the system level configuration. [Learn more](../cognitive-services/metrics-advisor/how-tos/alerts.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
-> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* | |
> | **NotDataActions** | | > | *none* | |
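Review bot: The Learn more link for Cognitive Services Metrics Advisor Administrator points at `../cognitive-services/metrics-advisor/how-tos/alerts.md`, an alerts how-to, whereas the Custom Vision and QnA Maker roles in this change link to a role-based-access-control reference page; link to the Metrics Advisor RBAC page if one exists, otherwise drop the link. The description "Full access to the project, including the system level configuration." also understates the scope: the data action is `accounts/MetricsAdvisor/*`, every Metrics Advisor data-plane operation on the account, not one project, and that row's Description cell is empty.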
@@ -5603,49 +5645,66 @@ Lets you locate and read properties of spatial anchors in your account [Learn mo
"assignableScopes": [ "/" ],
- "description": "Lets you locate and read properties of spatial anchors in your account",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
- "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
+ "description": "Full access to the project, including the system level configuration.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
+ "name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
"permissions": [ {
- "actions": [],
+ "actions": [
+ "Microsoft.CognitiveServices/*/read"
+ ],
"notActions": [], "dataActions": [
- "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
- "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
+ "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
], "notDataActions": [] } ],
- "roleName": "Spatial Anchors Account Reader",
+ "roleName": "Cognitive Services Metrics Advisor Administrator",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-## Integration
--
-### API Management Service Contributor
+### Cognitive Services QnA Maker Editor
-Can manage service and the APIs [Learn more](../api-management/api-management-role-based-access-control.md)
+Let's you create, edit, import and export a KB. You cannot publish or delete a KB. [Learn more](../cognitive-services/qnamaker/reference-role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/* | Create and manage API Management service |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/write | Replace alterations data. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/operations/read | Gets details of a specific long running operation. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/write | Replace alterations data. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/write | Update endpoint seettings for an endpoint. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/operations/read | Gets details of a specific long running operation. |
> | **NotDataActions** | | > | *none* | |
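Review bot: The Cognitive Services QnA Maker Editor description "Let's you create, edit, import and export a KB" should read "Lets you ..."; if the JSON block mirrors the definition served by Azure, the fix belongs in the role definition too, but the page text can be corrected now. Several operation descriptions carry typos as well: "knowledgebaser" in the `knowledgebases/read` rows and "seettings" in the `endpointsettings/write` rows (both the `QnAMaker` and `QnAMaker.v2` copies). More important for anyone deciding who gets this role, the Editor's DataActions include `endpointkeys/read` and `endpointkeys/refreshkeys/action`, i.e. reading and regenerating the keys that authenticate runtime callers, while the description mentions only creating, editing, importing and exporting a KB; add a sentence stating that the role can view and rotate endpoint keys.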
@@ -5654,57 +5713,79 @@ Can manage service and the APIs [Learn more](../api-management/api-management-ro
"assignableScopes": [ "/" ],
- "description": "Can manage service and the APIs",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
- "name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
+ "description": "Let's you create, edit, import and export a KB. You cannot publish or delete a KB.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
+ "name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
"permissions": [ { "actions": [
- "Microsoft.ApiManagement/service/*",
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.ResourceHealth/availabilityStatuses/read",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
+ "Microsoft.CognitiveServices/*/read",
+ "Microsoft.Authorization/roleAssignments/read",
+ "Microsoft.Authorization/roleDefinitions/read"
], "notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read"
+ ],
"notDataActions": [] } ],
- "roleName": "API Management Service Contributor",
+ "roleName": "Cognitive Services QnA Maker Editor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### API Management Service Operator Role
+### Cognitive Services QnA Maker Reader
-Can manage service but not the APIs [Learn more](../api-management/api-management-role-based-access-control.md)
+Let's you read and test a KB only. [Learn more](../cognitive-services/qnamaker/reference-role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/*/read | Read API Management Service instances |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/backup/action | Backup API Management Service to the specified container in a user provided storage account |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/delete | Delete API Management Service instance |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/managedeployments/action | Change SKU/units, add/remove regional deployments of API Management Service |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/restore/action | Restore API Management Service from the specified container in a user provided storage account |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/updatecertificate/action | Upload TLS/SSL certificate for an API Management Service |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/updatehostname/action | Setup, update or remove custom domain names for an API Management Service |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/write | Create or Update API Management Service instance |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. |
> | **NotActions** | |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user |
-> | **DataActions** | |
> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint |
> | **NotDataActions** | | > | *none* | |
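Review bot: Typo in the Description cell of the two `knowledgebases/read` rows (`QnAMaker` and `QnAMaker.v2`): "details of a specific knowledgebaser" should read "details of a specific knowledgebase", matching the wording of the neighbouring rows. If these descriptions are generated from the resource provider's operation metadata rather than hand-written, the fix belongs in that source so it is not overwritten on the next regeneration.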
@@ -5713,60 +5794,64 @@ Can manage service but not the APIs [Learn more](../api-management/api-managemen
"assignableScopes": [ "/" ],
- "description": "Can manage service but not the APIs",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
- "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
+ "description": "Let's you read and test a KB only.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
+ "name": "466ccd10-b268-4a11-b098-b4849f024126",
"permissions": [ { "actions": [
- "Microsoft.ApiManagement/service/*/read",
- "Microsoft.ApiManagement/service/backup/action",
- "Microsoft.ApiManagement/service/delete",
- "Microsoft.ApiManagement/service/managedeployments/action",
- "Microsoft.ApiManagement/service/read",
- "Microsoft.ApiManagement/service/restore/action",
- "Microsoft.ApiManagement/service/updatecertificate/action",
- "Microsoft.ApiManagement/service/updatehostname/action",
- "Microsoft.ApiManagement/service/write",
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.ResourceHealth/availabilityStatuses/read",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
+ "Microsoft.CognitiveServices/*/read",
+ "Microsoft.Authorization/roleAssignments/read",
+ "Microsoft.Authorization/roleDefinitions/read"
],
- "notActions": [
- "Microsoft.ApiManagement/service/users/keys/read"
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
+ "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read"
],
- "dataActions": [],
"notDataActions": [] } ],
- "roleName": "API Management Service Operator Role",
+ "roleName": "Cognitive Services QnA Maker Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### API Management Service Reader Role
+### Cognitive Services User
-Read-only access to service and APIs [Learn more](../api-management/api-management-role-based-access-control.md)
+Lets you read and list keys of Cognitive Services. [Learn more](../cognitive-services/authentication.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/*/read | Read API Management Service instances |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/listkeys/action | List Keys |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/read | Read a resource diagnostic setting |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/logDefinitions/read | Read log definitions |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricdefinitions/read | Read metric definitions |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics |
> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | > | **NotActions** | |
-> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user |
-> | **DataActions** | |
> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/* | |
> | **NotDataActions** | | > | *none* | |
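Review bot: The Cognitive Services User description ("Lets you read and list keys of Cognitive Services.") understates what the role grants: the DataActions row `Microsoft.CognitiveServices/*` is an unrestricted data-plane wildcard, not read-only, and `accounts/listkeys/action` returns the account keys, which authenticate data-plane calls directly. Suggest rewording so it is clear this is a data-plane contributor-level role and is not assigned where a read-only role was intended; the two wildcard rows (`Microsoft.CognitiveServices/*/read` and `Microsoft.CognitiveServices/*`) also have empty Description cells that should be filled. Separately, the QnA Maker Reader JSON line `"description": "Let's you read and test a KB only."` has a grammar slip and should read "Lets you".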
@@ -5775,37 +5860,45 @@ Read-only access to service and APIs [Learn more](../api-management/api-manageme
"assignableScopes": [ "/" ],
- "description": "Read-only access to service and APIs",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
- "name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
+ "description": "Lets you read and list keys of Cognitive Services.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
+ "name": "a97b65f3-24c7-4388-baec-2e87135dc908",
"permissions": [ { "actions": [
- "Microsoft.ApiManagement/service/*/read",
- "Microsoft.ApiManagement/service/read",
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
+ "Microsoft.CognitiveServices/*/read",
+ "Microsoft.CognitiveServices/accounts/listkeys/action",
+ "Microsoft.Insights/alertRules/read",
+ "Microsoft.Insights/diagnosticSettings/read",
+ "Microsoft.Insights/logDefinitions/read",
+ "Microsoft.Insights/metricdefinitions/read",
+ "Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
- "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/deployments/operations/read",
+ "Microsoft.Resources/subscriptions/operationresults/read",
+ "Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*" ],
- "notActions": [
- "Microsoft.ApiManagement/service/users/keys/read"
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.CognitiveServices/*"
],
- "dataActions": [],
"notDataActions": [] } ],
- "roleName": "API Management Service Reader Role",
+ "roleName": "Cognitive Services User",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### App Configuration Data Owner
+## Mixed reality
-Allows full access to App Configuration data. [Learn more](../azure-app-configuration/concept-enable-rbac.md)
+
+### Remote Rendering Administrator
+
+Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering [Learn more](../remote-rendering/how-tos/authentication.md)
> [!div class="mx-tableFixed"] > | Actions | Description |
@@ -5814,9 +5907,14 @@ Allows full access to App Configuration data. [Learn more](../azure-app-configur
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/read | |
-> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/write | |
-> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/delete | |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/action | Start asset conversion |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/read | Get asset conversion properties |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/delete | Stop asset conversion |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect to a session |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
> | **NotDataActions** | | > | *none* | |
@@ -5825,30 +5923,35 @@ Allows full access to App Configuration data. [Learn more](../azure-app-configur
"assignableScopes": [ "/" ],
- "description": "Allows full access to App Configuration data.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
- "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
+ "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
+ "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
"permissions": [ { "actions": [], "notActions": [], "dataActions": [
- "Microsoft.AppConfiguration/configurationStores/*/read",
- "Microsoft.AppConfiguration/configurationStores/*/write",
- "Microsoft.AppConfiguration/configurationStores/*/delete"
+ "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
], "notDataActions": [] } ],
- "roleName": "App Configuration Data Owner",
+ "roleName": "Remote Rendering Administrator",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### App Configuration Data Reader
+### Remote Rendering Client
-Allows read access to App Configuration data. [Learn more](../azure-app-configuration/concept-enable-rbac.md)
+Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. [Learn more](../remote-rendering/how-tos/authentication.md)
> [!div class="mx-tableFixed"] > | Actions | Description |
@@ -5857,7 +5960,11 @@ Allows read access to App Configuration data. [Learn more](../azure-app-configur
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/read | |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect to a session |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
> | **NotDataActions** | | > | *none* | |
@@ -5866,37 +5973,46 @@ Allows read access to App Configuration data. [Learn more](../azure-app-configur
"assignableScopes": [ "/" ],
- "description": "Allows read access to App Configuration data.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
- "name": "516239f1-63e1-4d78-a4de-a74fb236a071",
+ "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
+ "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
"permissions": [ { "actions": [], "notActions": [], "dataActions": [
- "Microsoft.AppConfiguration/configurationStores/*/read"
+ "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
+ "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
], "notDataActions": [] } ],
- "roleName": "App Configuration Data Reader",
+ "roleName": "Remote Rendering Client",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Azure Service Bus Data Owner
+### Spatial Anchors Account Contributor
-Allows for full access to Azure Service Bus resources. [Learn more](../service-bus-messaging/authenticate-application.md)
+Lets you manage spatial anchors in your account, but not delete them [Learn more](../spatial-anchors/concepts/authentication.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/* | |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/* | |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties |
> | **NotDataActions** | | > | *none* | |
@@ -5905,41 +6021,48 @@ Allows for full access to Azure Service Bus resources. [Learn more](../service-b
"assignableScopes": [ "/" ],
- "description": "Allows for full access to Azure Service Bus resources.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
- "name": "090c5cfd-751d-490a-894a-3ce6f1109419",
+ "description": "Lets you manage spatial anchors in your account, but not delete them",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
+ "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
"permissions": [ {
- "actions": [
- "Microsoft.ServiceBus/*"
- ],
+ "actions": [],
"notActions": [], "dataActions": [
- "Microsoft.ServiceBus/*"
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
], "notDataActions": [] } ],
- "roleName": "Azure Service Bus Data Owner",
+ "roleName": "Spatial Anchors Account Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Azure Service Bus Data Receiver
+### Spatial Anchors Account Owner
-Allows for receive access to Azure Service Bus resources. [Learn more](../service-bus-messaging/authenticate-application.md)
+Lets you manage spatial anchors in your account, including deleting them [Learn more](../spatial-anchors/concepts/authentication.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/queues/read | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/read | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/subscriptions/read | |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/receive/action | |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/delete | Delete spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties |
> | **NotDataActions** | | > | *none* | |
@@ -5948,43 +6071,46 @@ Allows for receive access to Azure Service Bus resources. [Learn more](../servic
"assignableScopes": [ "/" ],
- "description": "Allows for receive access to Azure Service Bus resources.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
- "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
+ "description": "Lets you manage spatial anchors in your account, including deleting them",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
+ "name": "70bbe301-9835-447d-afdd-19eb3167307c",
"permissions": [ {
- "actions": [
- "Microsoft.ServiceBus/*/queues/read",
- "Microsoft.ServiceBus/*/topics/read",
- "Microsoft.ServiceBus/*/topics/subscriptions/read"
- ],
+ "actions": [],
"notActions": [], "dataActions": [
- "Microsoft.ServiceBus/*/receive/action"
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
], "notDataActions": [] } ],
- "roleName": "Azure Service Bus Data Receiver",
+ "roleName": "Spatial Anchors Account Owner",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Azure Service Bus Data Sender
+### Spatial Anchors Account Reader
-Allows for send access to Azure Service Bus resources. [Learn more](../service-bus-messaging/authenticate-application.md)
+Lets you locate and read properties of spatial anchors in your account [Learn more](../spatial-anchors/concepts/authentication.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/queues/read | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/read | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/subscriptions/read | |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/send/action | |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
+> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
> | **NotDataActions** | | > | *none* | |
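Review bot: The Spatial Anchors Account Reader role includes `SpatialAnchorsAccounts/submitdiag/read`, whose Description cell says it submits diagnostics data; an operation that sends data is registered under a `/read` suffix, so anyone auditing this role by verb alone will miss it. The description "Lets you locate and read properties of spatial anchors in your account" should mention that the role can also submit diagnostics, and the same wording fix applies to the Contributor and Owner roles above, which list the same operation.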
@@ -5993,40 +6119,45 @@ Allows for send access to Azure Service Bus resources. [Learn more](../service-b
"assignableScopes": [ "/" ],
- "description": "Allows for send access to Azure Service Bus resources.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
- "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+ "description": "Lets you locate and read properties of spatial anchors in your account",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
+ "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
"permissions": [ {
- "actions": [
- "Microsoft.ServiceBus/*/queues/read",
- "Microsoft.ServiceBus/*/topics/read",
- "Microsoft.ServiceBus/*/topics/subscriptions/read"
- ],
+ "actions": [],
"notActions": [], "dataActions": [
- "Microsoft.ServiceBus/*/send/action"
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
+ "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
], "notDataActions": [] } ],
- "roleName": "Azure Service Bus Data Sender",
+ "roleName": "Spatial Anchors Account Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Azure Stack Registration Owner
+## Integration
-Lets you manage Azure Stack registrations.
+
+### API Management Service Contributor
+
+Can manage service and the APIs [Learn more](../api-management/api-management-role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/edgeSubscriptions/read | Get the properties of an Azure Stack Edge Subscription |
-> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/*/action | |
-> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/read | Gets the properties of an Azure Stack Marketplace product |
-> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/read | Gets the properties of an Azure Stack registration |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/* | Create and manage API Management service |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
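Review bot: The API Management Service Contributor description "Can manage service and the APIs" should also state that `Microsoft.ApiManagement/service/*` covers every service sub-operation, including `service/users/keys/read` (the operation the Operator Role below carves out in its NotActions), so assignees can read user subscription keys as well as manage APIs. Punctuation before the [Learn more] link is also inconsistent across the moved sections (some descriptions end with a period, some do not); pick one form.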
@@ -6039,46 +6170,55 @@ Lets you manage Azure Stack registrations.
"assignableScopes": [ "/" ],
- "description": "Lets you manage Azure Stack registrations.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
- "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
+ "description": "Can manage service and the APIs",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
+ "name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
"permissions": [ { "actions": [
- "Microsoft.AzureStack/edgeSubscriptions/read",
- "Microsoft.AzureStack/registrations/products/*/action",
- "Microsoft.AzureStack/registrations/products/read",
- "Microsoft.AzureStack/registrations/read"
+ "Microsoft.ApiManagement/service/*",
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Support/*"
], "notActions": [], "dataActions": [], "notDataActions": [] } ],
- "roleName": "Azure Stack Registration Owner",
+ "roleName": "API Management Service Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### EventGrid EventSubscription Contributor
+### API Management Service Operator Role
-Lets you manage EventGrid event subscription operations. [Learn more](../event-grid/security-authorization.md)
+Can manage service but not the APIs [Learn more](../api-management/api-management-role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/*/read | Read API Management Service instances |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/backup/action | Backup API Management Service to the specified container in a user provided storage account |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/delete | Delete API Management Service instance |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/managedeployments/action | Change SKU/units, add/remove regional deployments of API Management Service |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/restore/action | Restore API Management Service from the specified container in a user provided storage account |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/updatecertificate/action | Upload TLS/SSL certificate for an API Management Service |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/updatehostname/action | Setup, update or remove custom domain names for an API Management Service |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/write | Create or Update API Management Service instance |
> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/* | |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype |
> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | > | **NotActions** | |
-> | *none* | |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user |
> | **DataActions** | | > | *none* | | > | **NotDataActions** | |
@@ -6089,48 +6229,58 @@ Lets you manage EventGrid event subscription operations. [Learn more](../event-g
"assignableScopes": [ "/" ],
- "description": "Lets you manage EventGrid event subscription operations.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
- "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
+ "description": "Can manage service but not the APIs",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
+ "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"permissions": [ { "actions": [
+ "Microsoft.ApiManagement/service/*/read",
+ "Microsoft.ApiManagement/service/backup/action",
+ "Microsoft.ApiManagement/service/delete",
+ "Microsoft.ApiManagement/service/managedeployments/action",
+ "Microsoft.ApiManagement/service/read",
+ "Microsoft.ApiManagement/service/restore/action",
+ "Microsoft.ApiManagement/service/updatecertificate/action",
+ "Microsoft.ApiManagement/service/updatehostname/action",
+ "Microsoft.ApiManagement/service/write",
"Microsoft.Authorization/*/read",
- "Microsoft.EventGrid/eventSubscriptions/*",
- "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
- "Microsoft.EventGrid/locations/eventSubscriptions/read",
- "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*" ],
- "notActions": [],
+ "notActions": [
+ "Microsoft.ApiManagement/service/users/keys/read"
+ ],
"dataActions": [], "notDataActions": [] } ],
- "roleName": "EventGrid EventSubscription Contributor",
+ "roleName": "API Management Service Operator Role",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### EventGrid EventSubscription Reader
+### API Management Service Reader Role
-Lets you read EventGrid event subscriptions. [Learn more](../event-grid/security-authorization.md)
+Read-only access to service and APIs [Learn more](../api-management/api-management-role-based-access-control.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/*/read | Read API Management Service instances |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance |
> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | |
-> | *none* | |
+> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user |
> | **DataActions** | | > | *none* | | > | **NotDataActions** | |
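Review bot: the heading text "Read-only access to service and APIs" for the API Management Service Reader Role is missing terminal punctuation before [Learn more], unlike the neighbouring descriptions, and it reads narrower than the table beneath it: alongside the two `Microsoft.ApiManagement` read actions the role also carries `Microsoft.Insights/alertRules/*`, `Microsoft.Resources/deployments/*` and `Microsoft.Support/*`, none of which is read-only. If the string is generated from the platform role definition (the JSON in the next hunk uses the same `description`), leave it as is, but a sentence noting that "read-only" refers to the API Management service itself would save readers from assuming the role cannot create deployments or alert rules.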
@@ -6141,33 +6291,37 @@ Lets you read EventGrid event subscriptions. [Learn more](../event-grid/security
"assignableScopes": [ "/" ],
- "description": "Lets you read EventGrid event subscriptions.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
- "name": "2414bbcf-6497-4faf-8c65-045460748405",
+ "description": "Read-only access to service and APIs",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
+ "name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
"permissions": [ { "actions": [
+ "Microsoft.ApiManagement/service/*/read",
+ "Microsoft.ApiManagement/service/read",
"Microsoft.Authorization/*/read",
- "Microsoft.EventGrid/eventSubscriptions/read",
- "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
- "Microsoft.EventGrid/locations/eventSubscriptions/read",
- "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
- "Microsoft.Resources/subscriptions/resourceGroups/read"
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Support/*"
+ ],
+ "notActions": [
+ "Microsoft.ApiManagement/service/users/keys/read"
],
- "notActions": [],
"dataActions": [], "notDataActions": [] } ],
- "roleName": "EventGrid EventSubscription Reader",
+ "roleName": "API Management Service Reader Role",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### FHIR Data Contributor
+### App Configuration Data Owner
-Role allows user or principal full access to FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
+Allows full access to App Configuration data. [Learn more](../azure-app-configuration/concept-enable-rbac.md)
> [!div class="mx-tableFixed"] > | Actions | Description |
@@ -6176,7 +6330,9 @@ Role allows user or principal full access to FHIR Data [Learn more](../healthcar
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | Microsoft.HealthcareApis/services/fhir/resources/* | |
+> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/read | |
+> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/write | |
+> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/delete | |
> | **NotDataActions** | | > | *none* | |
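Review bot: the three `Microsoft.AppConfiguration/configurationStores/*/read`, `*/write` and `*/delete` DataActions rows have empty Description cells, while the other rows in this table format carry one; the same gap appears in the App Configuration Data Reader table further down in this patch. If the generator cannot fill these from resource-provider-operations.md, add a short description (for example "Read, write or delete key-values in a configuration store") so the data-plane scope is readable without following the link.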
@@ -6185,28 +6341,30 @@ Role allows user or principal full access to FHIR Data [Learn more](../healthcar
"assignableScopes": [ "/" ],
- "description": "Role allows user or principal full access to FHIR Data",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
- "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
+ "description": "Allows full access to App Configuration data.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
+ "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"permissions": [ { "actions": [], "notActions": [], "dataActions": [
- "Microsoft.HealthcareApis/services/fhir/resources/*"
+ "Microsoft.AppConfiguration/configurationStores/*/read",
+ "Microsoft.AppConfiguration/configurationStores/*/write",
+ "Microsoft.AppConfiguration/configurationStores/*/delete"
], "notDataActions": [] } ],
- "roleName": "FHIR Data Contributor",
+ "roleName": "App Configuration Data Owner",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### FHIR Data Exporter
+### App Configuration Data Reader
-Role allows user or principal to read and export FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
+Allows read access to App Configuration data. [Learn more](../azure-app-configuration/concept-enable-rbac.md)
> [!div class="mx-tableFixed"] > | Actions | Description |
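Review bot: `"actions": []` with only `dataActions` populated means the App Configuration Data Owner role grants data-plane rights on key-values alone and no ARM control-plane rights over the configuration store resource; the description "Allows full access to App Configuration data." is accurate, but the table's Actions section is outside this hunk's context, so confirm the rendered table still shows *none* under Actions, otherwise readers may take "full access" to include managing the store itself.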
@@ -6215,8 +6373,7 @@ Role allows user or principal to read and export FHIR Data [Learn more](../healt
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
-> | Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |
+> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/read | |
> | **NotDataActions** | | > | *none* | |
@@ -6225,38 +6382,37 @@ Role allows user or principal to read and export FHIR Data [Learn more](../healt
"assignableScopes": [ "/" ],
- "description": "Role allows user or principal to read and export FHIR Data",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
- "name": "3db33094-8700-4567-8da5-1501d4e7e843",
+ "description": "Allows read access to App Configuration data.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
+ "name": "516239f1-63e1-4d78-a4de-a74fb236a071",
"permissions": [ { "actions": [], "notActions": [], "dataActions": [
- "Microsoft.HealthcareApis/services/fhir/resources/read",
- "Microsoft.HealthcareApis/services/fhir/resources/export/action"
+ "Microsoft.AppConfiguration/configurationStores/*/read"
], "notDataActions": [] } ],
- "roleName": "FHIR Data Exporter",
+ "roleName": "App Configuration Data Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### FHIR Data Reader
+### Azure Service Bus Data Owner
-Role allows user or principal to read FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
+Allows for full access to Azure Service Bus resources. [Learn more](../service-bus-messaging/authenticate-application.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/* | |
> | **NotDataActions** | | > | *none* | |
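Review bot: in the Azure Service Bus Data Owner table, `Microsoft.ServiceBus/*` appears under both Actions and DataActions with empty Description cells; a provider-wide wildcard in Actions is the broadest entry in this part of the page (everything the resource provider exposes on the control plane, not only data access), so it deserves a description such as "Create and manage all Service Bus resources" rather than a blank cell. The App Configuration Data Reader JSON above it matches its table (a single `configurationStores/*/read` data action, and `id` and `name` both carry 516239f1-63e1-4d78-a4de-a74fb236a071).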
@@ -6265,80 +6421,86 @@ Role allows user or principal to read FHIR Data [Learn more](../healthcare-apis/
"assignableScopes": [ "/" ],
- "description": "Role allows user or principal to read FHIR Data",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
- "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
+ "description": "Allows for full access to Azure Service Bus resources.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
+ "name": "090c5cfd-751d-490a-894a-3ce6f1109419",
"permissions": [ {
- "actions": [],
+ "actions": [
+ "Microsoft.ServiceBus/*"
+ ],
"notActions": [], "dataActions": [
- "Microsoft.HealthcareApis/services/fhir/resources/read"
+ "Microsoft.ServiceBus/*"
], "notDataActions": [] } ],
- "roleName": "FHIR Data Reader",
+ "roleName": "Azure Service Bus Data Owner",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### FHIR Data Writer
+### Azure Service Bus Data Receiver
-Role allows user or principal to read and write FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
+Allows for receive access to Azure Service Bus resources. [Learn more](../service-bus-messaging/authenticate-application.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/queues/read | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/read | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/subscriptions/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | Microsoft.HealthcareApis/services/fhir/resources/* | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/receive/action | |
> | **NotDataActions** | |
-> | Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action | Hard Delete (including version history). |
+> | *none* | |
```json { "assignableScopes": [ "/" ],
- "description": "Role allows user or principal to read and write FHIR Data",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
- "name": "3f88fce4-5892-4214-ae73-ba5294559913",
+ "description": "Allows for receive access to Azure Service Bus resources.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
+ "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"permissions": [ {
- "actions": [],
+ "actions": [
+ "Microsoft.ServiceBus/*/queues/read",
+ "Microsoft.ServiceBus/*/topics/read",
+ "Microsoft.ServiceBus/*/topics/subscriptions/read"
+ ],
"notActions": [], "dataActions": [
- "Microsoft.HealthcareApis/services/fhir/resources/*"
+ "Microsoft.ServiceBus/*/receive/action"
],
- "notDataActions": [
- "Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action"
- ]
+ "notDataActions": []
} ],
- "roleName": "FHIR Data Writer",
+ "roleName": "Azure Service Bus Data Receiver",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Integration Service Environment Contributor
+### Azure Service Bus Data Sender
-Lets you manage integration service environments, but not access to them. [Learn more](../logic-apps/add-artifacts-integration-service-environment-ise.md)
+Allows for send access to Azure Service Bus resources. [Learn more](../service-bus-messaging/authenticate-application.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/* | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/queues/read | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/read | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/subscriptions/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/send/action | |
> | **NotDataActions** | | > | *none* | |
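Review bot: the FHIR Data Writer block removed in this hunk carried a `notDataActions` entry for `Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action` and the matching NotDataActions table row "Hard Delete (including version history)."; the relocated FHIR Data Writer section falls outside this excerpt, so verify that the exclusion is preserved there, because without it the page would present hard delete as granted by the `resources/*` wildcard. On the new content, the Receiver and Sender tables list the same three control-plane actions (`Microsoft.ServiceBus/*/queues/read`, `*/topics/read`, `*/topics/subscriptions/read`) and differ only in the `receive/action` versus `send/action` data action, which agrees with the JSON in this hunk and the next; the empty Description cells should at least say these are read rights on the entities, so the separation between listing a queue and consuming from it is visible.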
@@ -6347,38 +6509,40 @@ Lets you manage integration service environments, but not access to them. [Learn
"assignableScopes": [ "/" ],
- "description": "Lets you manage integration service environments, but not access to them.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
- "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
+ "description": "Allows for send access to Azure Service Bus resources.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+ "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"permissions": [ { "actions": [
- "Microsoft.Authorization/*/read",
- "Microsoft.Support/*",
- "Microsoft.Logic/integrationServiceEnvironments/*"
+ "Microsoft.ServiceBus/*/queues/read",
+ "Microsoft.ServiceBus/*/topics/read",
+ "Microsoft.ServiceBus/*/topics/subscriptions/read"
], "notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.ServiceBus/*/send/action"
+ ],
"notDataActions": [] } ],
- "roleName": "Integration Service Environment Contributor",
+ "roleName": "Azure Service Bus Data Sender",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Integration Service Environment Developer
+### Azure Stack Registration Owner
-Allows developers to create and update workflows, integration accounts and API connections in integration service environments. [Learn more](../logic-apps/add-artifacts-integration-service-environment-ise.md)
+Lets you manage Azure Stack registrations.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/read | Reads the integration service environment. |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/*/join/action | |
+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/edgeSubscriptions/read | Get the properties of an Azure Stack Edge Subscription |
+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/*/action | |
+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/read | Gets the properties of an Azure Stack Marketplace product |
+> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/read | Gets the properties of an Azure Stack registration |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
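Review bot: the Azure Stack Registration Owner description "Lets you manage Azure Stack registrations." has no [Learn more] link, unlike every other role heading in this patch; add one if a registration article exists. The `Microsoft.AzureStack/registrations/products/*/action` row also has an empty Description cell, and as a wildcard over actions it is the row readers most need explained.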
@@ -6391,39 +6555,41 @@ Allows developers to create and update workflows, integration accounts and API c
"assignableScopes": [ "/" ],
- "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
- "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
+ "description": "Lets you manage Azure Stack registrations.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
+ "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
"permissions": [ { "actions": [
- "Microsoft.Authorization/*/read",
- "Microsoft.Support/*",
- "Microsoft.Logic/integrationServiceEnvironments/read",
- "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
+ "Microsoft.AzureStack/edgeSubscriptions/read",
+ "Microsoft.AzureStack/registrations/products/*/action",
+ "Microsoft.AzureStack/registrations/products/read",
+ "Microsoft.AzureStack/registrations/read"
], "notActions": [], "dataActions": [], "notDataActions": [] } ],
- "roleName": "Integration Service Environment Developer",
+ "roleName": "Azure Stack Registration Owner",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Intelligent Systems Account Contributor
+### EventGrid EventSubscription Contributor
-Lets you manage Intelligent Systems accounts, but not access to them.
+Lets you manage EventGrid event subscription operations. [Learn more](../event-grid/security-authorization.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/* | |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype |
> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | Microsoft.IntelligentSystems/accounts/* | Create and manage intelligent systems accounts |
-> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
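Review bot: the relocated EventGrid EventSubscription Contributor table keeps two presentation nits from the original rows: the `eventSubscriptions/*` row has an empty Description cell, and the last row says "by topictype" where the row above it says "by topic type". Since the rows are moving anyway, this is the moment to fix both so the table is consistent with the rest of the page.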
@@ -6439,16 +6605,18 @@ Lets you manage Intelligent Systems accounts, but not access to them.
"assignableScopes": [ "/" ],
- "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
- "name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
+ "description": "Lets you manage EventGrid event subscription operations.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
+ "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read",
+ "Microsoft.EventGrid/eventSubscriptions/*",
+ "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
+ "Microsoft.EventGrid/locations/eventSubscriptions/read",
+ "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
- "Microsoft.IntelligentSystems/accounts/*",
- "Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"
@@ -6458,40 +6626,25 @@ Lets you manage Intelligent Systems accounts, but not access to them.
"notDataActions": [] } ],
- "roleName": "Intelligent Systems Account Contributor",
+ "roleName": "EventGrid EventSubscription Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Logic App Contributor
+### EventGrid EventSubscription Reader
-Lets you manage logic apps, but not change access to them. [Learn more](../logic-apps/logic-apps-securing-a-logic-app.md)
+Lets you read EventGrid event subscriptions. [Learn more](../event-grid/security-authorization.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
-> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/read | Return the storage account with the given account. |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/logdefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/* | Read metric definitions (list of available metric types for a resource). |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/* | Manages Logic Apps resources. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/* | Create and manages a Connection Gateway. |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/* | Create and manages a Connection. |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/* | Creates and manages a Custom API. |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/join/action | Joins an App Service Plan |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/functions/listSecrets/action | List Function secrets. |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
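Review bot: the Logic App Contributor rows removed here include three secret-returning actions, `Microsoft.ClassicStorage/storageAccounts/listKeys/action`, `Microsoft.Storage/storageAccounts/listkeys/action` and `Microsoft.Web/sites/functions/listSecrets/action`; the relocated Logic App Contributor section is outside this excerpt, so confirm these rows and their descriptions survive the move, as they are the entries someone assessing that role most needs to see. The EventGrid EventSubscription Reader rows added here match the `actions` list in the next hunk.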
@@ -6504,73 +6657,42 @@ Lets you manage logic apps, but not change access to them. [Learn more](../logic
"assignableScopes": [ "/" ],
- "description": "Lets you manage logic app, but not access to them.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
- "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
+ "description": "Lets you read EventGrid event subscriptions.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
+ "name": "2414bbcf-6497-4faf-8c65-045460748405",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read",
- "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
- "Microsoft.ClassicStorage/storageAccounts/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Insights/metricAlerts/*",
- "Microsoft.Insights/diagnosticSettings/*",
- "Microsoft.Insights/logdefinitions/*",
- "Microsoft.Insights/metricDefinitions/*",
- "Microsoft.Logic/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/operationresults/read",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Storage/storageAccounts/listkeys/action",
- "Microsoft.Storage/storageAccounts/read",
- "Microsoft.Support/*",
- "Microsoft.Web/connectionGateways/*",
- "Microsoft.Web/connections/*",
- "Microsoft.Web/customApis/*",
- "Microsoft.Web/serverFarms/join/action",
- "Microsoft.Web/serverFarms/read",
- "Microsoft.Web/sites/functions/listSecrets/action"
+ "Microsoft.EventGrid/eventSubscriptions/read",
+ "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
+ "Microsoft.EventGrid/locations/eventSubscriptions/read",
+ "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
+ "Microsoft.Resources/subscriptions/resourceGroups/read"
], "notActions": [], "dataActions": [], "notDataActions": [] } ],
- "roleName": "Logic App Contributor",
+ "roleName": "EventGrid EventSubscription Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Logic App Operator
+### FHIR Data Contributor
-Lets you read, enable, and disable logic apps, but not edit or update them. [Learn more](../logic-apps/logic-apps-securing-a-logic-app.md)
+Role allows user or principal full access to FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/*/read | Read Insights alert rules |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/*/read | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/*/read | Gets diagnostic settings for Logic Apps |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/*/read | Gets the available metrics for Logic Apps. |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/*/read | Reads Logic Apps resources. |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/disable/action | Disables the workflow. |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/enable/action | Enables the workflow. |
-> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/validate/action | Validates the workflow. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. |
-> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | Microsoft.HealthcareApis/services/fhir/resources/* | |
> | **NotDataActions** | | > | *none* | |
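Review bot: the removed Logic App Contributor JSON `description` ("Lets you manage logic app, but not access to them.") did not match its heading text in the previous hunk ("Lets you manage logic apps, but not change access to them."); when that section is re-emitted, keep the heading in step with the JSON string. In the new FHIR Data Contributor table, `Microsoft.HealthcareApis/services/fhir/resources/*` is plain text while every other provider in this patch is a link to resource-provider-operations.md; add the link if the provider has an anchor there.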
@@ -6579,63 +6701,38 @@ Lets you read, enable, and disable logic apps, but not edit or update them. [Lea
"assignableScopes": [ "/" ],
- "description": "Lets you read, enable and disable logic app.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
- "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
+ "description": "Role allows user or principal full access to FHIR Data",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
+ "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
"permissions": [ {
- "actions": [
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*/read",
- "Microsoft.Insights/metricAlerts/*/read",
- "Microsoft.Insights/diagnosticSettings/*/read",
- "Microsoft.Insights/metricDefinitions/*/read",
- "Microsoft.Logic/*/read",
- "Microsoft.Logic/workflows/disable/action",
- "Microsoft.Logic/workflows/enable/action",
- "Microsoft.Logic/workflows/validate/action",
- "Microsoft.Resources/deployments/operations/read",
- "Microsoft.Resources/subscriptions/operationresults/read",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*",
- "Microsoft.Web/connectionGateways/*/read",
- "Microsoft.Web/connections/*/read",
- "Microsoft.Web/customApis/*/read",
- "Microsoft.Web/serverFarms/read"
- ],
+ "actions": [],
"notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.HealthcareApis/services/fhir/resources/*"
+ ],
"notDataActions": [] } ],
- "roleName": "Logic App Operator",
+ "roleName": "FHIR Data Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-## Identity
--
-### Managed Identity Contributor
+### FHIR Data Exporter
-Create, Read, Update, and Delete User Assigned Identity [Learn more](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md)
+Role allows user or principal to read and export FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/read | Gets an existing user assigned identity |
-> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity |
-> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/delete | Deletes an existing user assigned identity |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
+> | Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |
> | **NotDataActions** | | > | *none* | |
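Review bot: Logic App Operator (515c2055-d9d4-4321-b1b9-bd0c9a0f79fe) and the `## Identity` heading are deleted in this hunk and no `+` lines anywhere in the change re-add them; if the page is being re-sectioned, the new location belongs in the same commit, otherwise a built-in role silently drops out of the reference. Separately, the new FHIR descriptions ("Role allows user or principal full access to FHIR Data", "Role allows user or principal to read and export FHIR Data") break with the "Lets you ..." phrasing the surrounding roles use; where that prose is editorial rather than copied from the role definition, normalize it.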
@@ -6644,50 +6741,38 @@ Create, Read, Update, and Delete User Assigned Identity [Learn more](../active-d
"assignableScopes": [ "/" ],
- "description": "Create, Read, Update, and Delete User Assigned Identity",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
- "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
+ "description": "Role allows user or principal to read and export FHIR Data",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
+ "name": "3db33094-8700-4567-8da5-1501d4e7e843",
"permissions": [ {
- "actions": [
- "Microsoft.ManagedIdentity/userAssignedIdentities/read",
- "Microsoft.ManagedIdentity/userAssignedIdentities/write",
- "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Support/*"
- ],
+ "actions": [],
"notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.HealthcareApis/services/fhir/resources/read",
+ "Microsoft.HealthcareApis/services/fhir/resources/export/action"
+ ],
"notDataActions": [] } ],
- "roleName": "Managed Identity Contributor",
+ "roleName": "FHIR Data Exporter",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Managed Identity Operator
+### FHIR Data Reader
-Read and Assign User Assigned Identity [Learn more](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md)
+Role allows user or principal to read FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/*/read | |
-> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/*/assign/action | |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
> | **NotDataActions** | | > | *none* | |
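Review bot: Managed Identity Contributor (e40ec5ca-96e0-45a2-b4ff-59039f2c2b59) and the Managed Identity Operator heading are removed here with no matching additions in the visible diff. The Operator role carries `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action`, the permission that lets a principal attach an identity (and whatever role assignments it holds) to a resource, so losing its documentation by accident would hide a privilege-escalation-relevant role; confirm both roles reappear under the new section order.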
@@ -6696,127 +6781,76 @@ Read and Assign User Assigned Identity [Learn more](../active-directory/managed-
"assignableScopes": [ "/" ],
- "description": "Read and Assign User Assigned Identity",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
- "name": "f1a07417-d97a-45cb-824c-7a7467783830",
+ "description": "Role allows user or principal to read FHIR Data",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
+ "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"permissions": [ {
- "actions": [
- "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
- "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Support/*"
- ],
+ "actions": [],
"notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.HealthcareApis/services/fhir/resources/read"
+ ],
"notDataActions": [] } ],
- "roleName": "Managed Identity Operator",
+ "roleName": "FHIR Data Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-## Security
--
-### Azure Sentinel Contributor
+### FHIR Data Writer
-Azure Sentinel Contributor [Learn more](../sentinel/roles.md)
+Role allows user or principal to read and write FHIR Data [Learn more](../healthcare-apis/configure-azure-rbac.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/* | |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/* | |
-> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get exiting OMS solution |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | Microsoft.HealthcareApis/services/fhir/resources/* | |
> | **NotDataActions** | |
-> | *none* | |
+> | Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action | Hard Delete (including version history). |
```json { "assignableScopes": [ "/" ],
- "description": "Azure Sentinel Contributor",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
- "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
+ "description": "Role allows user or principal to read and write FHIR Data",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
+ "name": "3f88fce4-5892-4214-ae73-ba5294559913",
"permissions": [ {
- "actions": [
- "Microsoft.SecurityInsights/*",
- "Microsoft.OperationalInsights/workspaces/analytics/query/action",
- "Microsoft.OperationalInsights/workspaces/*/read",
- "Microsoft.OperationalInsights/workspaces/savedSearches/*",
- "Microsoft.OperationsManagement/solutions/read",
- "Microsoft.OperationalInsights/workspaces/query/read",
- "Microsoft.OperationalInsights/workspaces/query/*/read",
- "Microsoft.OperationalInsights/workspaces/dataSources/read",
- "Microsoft.Insights/workbooks/*",
- "Microsoft.Insights/myworkbooks/read",
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
- ],
+ "actions": [],
"notActions": [],
- "dataActions": [],
- "notDataActions": []
+ "dataActions": [
+ "Microsoft.HealthcareApis/services/fhir/resources/*"
+ ],
+ "notDataActions": [
+ "Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action"
+ ]
} ],
- "roleName": "Azure Sentinel Contributor",
+ "roleName": "FHIR Data Writer",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Azure Sentinel Reader
+### Integration Service Environment Contributor
-Azure Sentinel Reader [Learn more](../sentinel/roles.md)
+Lets you manage integration service environments, but not access to them. [Learn more](../logic-apps/add-artifacts-integration-service-environment-ise.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/*/read | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/LinkedServices/read | Get linked services under given workspace. |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query |
-> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get exiting OMS solution |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook |
> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
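Review bot: the FHIR Data Writer description "Role allows user or principal to read and write FHIR Data" understates what `"dataActions": ["Microsoft.HealthcareApis/services/fhir/resources/*"]` grants: with only `hardDelete/action` in `notDataActions`, the role covers every other data action under `resources/`, including delete and `export/action` (the operation FHIR Data Exporter lists separately). State that explicitly, for example "Read, create, update, delete and export FHIR data; cannot hard delete", and fill the empty Description cell on the `resources/*` row. The same empty-cell problem applies to `Microsoft.Logic/integrationServiceEnvironments/*` in the Integration Service Environment Contributor table that follows.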
@@ -6829,79 +6863,40 @@ Azure Sentinel Reader [Learn more](../sentinel/roles.md)
"assignableScopes": [ "/" ],
- "description": "Azure Sentinel Reader",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
- "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
+ "description": "Lets you manage integration service environments, but not access to them.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
+ "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"permissions": [ { "actions": [
- "Microsoft.SecurityInsights/*/read",
- "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
- "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
- "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
- "Microsoft.OperationalInsights/workspaces/analytics/query/action",
- "Microsoft.OperationalInsights/workspaces/*/read",
- "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
- "Microsoft.OperationalInsights/workspaces/savedSearches/read",
- "Microsoft.OperationsManagement/solutions/read",
- "Microsoft.OperationalInsights/workspaces/query/read",
- "Microsoft.OperationalInsights/workspaces/query/*/read",
- "Microsoft.OperationalInsights/workspaces/dataSources/read",
- "Microsoft.Insights/workbooks/read",
- "Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
+ "Microsoft.Support/*",
+ "Microsoft.Logic/integrationServiceEnvironments/*"
], "notActions": [], "dataActions": [], "notDataActions": [] } ],
- "roleName": "Azure Sentinel Reader",
+ "roleName": "Integration Service Environment Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Azure Sentinel Responder
+### Integration Service Environment Developer
-Azure Sentinel Responder [Learn more](../sentinel/roles.md)
+Allows developers to create and update workflows, integration accounts and API connections in integration service environments. [Learn more](../logic-apps/add-artifacts-integration-service-environment-ise.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/*/read | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/automationRules/* | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/* | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/* | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/replaceTags/action | Replace Tags of Threat Intelligence Indicator |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query |
-> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get exiting OMS solution |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | |
-> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook |
> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/read | Reads the integration service environment. |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/*/join/action | |
> | **NotActions** | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/*/Delete | |
-> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/*/Delete | |
+> | *none* | |
> | **DataActions** | | > | *none* | | > | **NotDataActions** | |
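Review bot: the Integration Service Environment Developer description, "Allows developers to create and update workflows, integration accounts and API connections in integration service environments", promises more than the actions list grants: the only Microsoft.Logic actions are `integrationServiceEnvironments/read` and `integrationServiceEnvironments/*/join/action`, and nothing here grants `Microsoft.Logic/workflows/*`, `Microsoft.Logic/integrationAccounts/*` or `Microsoft.Web/connections/*`. Reword it to say the role only lets a principal discover and join an ISE and must be combined with a role such as Logic App Contributor to actually create artifacts inside it, and give the `*/join/action` row a description instead of an empty cell.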
@@ -6912,74 +6907,46 @@ Azure Sentinel Responder [Learn more](../sentinel/roles.md)
"assignableScopes": [ "/" ],
- "description": "Azure Sentinel Responder",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
- "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
+ "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
+ "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"permissions": [ { "actions": [
- "Microsoft.SecurityInsights/*/read",
- "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
- "Microsoft.SecurityInsights/automationRules/*",
- "Microsoft.SecurityInsights/cases/*",
- "Microsoft.SecurityInsights/incidents/*",
- "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
- "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
- "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
- "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
- "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
- "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
- "Microsoft.OperationalInsights/workspaces/analytics/query/action",
- "Microsoft.OperationalInsights/workspaces/*/read",
- "Microsoft.OperationalInsights/workspaces/dataSources/read",
- "Microsoft.OperationalInsights/workspaces/savedSearches/read",
- "Microsoft.OperationsManagement/solutions/read",
- "Microsoft.OperationalInsights/workspaces/query/read",
- "Microsoft.OperationalInsights/workspaces/query/*/read",
- "Microsoft.OperationalInsights/workspaces/dataSources/read",
- "Microsoft.Insights/workbooks/read",
- "Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
- ],
- "notActions": [
- "Microsoft.SecurityInsights/cases/*/Delete",
- "Microsoft.SecurityInsights/incidents/*/Delete"
+ "Microsoft.Support/*",
+ "Microsoft.Logic/integrationServiceEnvironments/read",
+ "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
],
+ "notActions": [],
"dataActions": [], "notDataActions": [] } ],
- "roleName": "Azure Sentinel Responder",
+ "roleName": "Integration Service Environment Developer",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Administrator (preview)
+### Intelligent Systems Account Contributor
-Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.
+Lets you manage Intelligent Systems accounts, but not access to them.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | Microsoft.IntelligentSystems/accounts/* | Create and manage intelligent systems accounts |
+> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/* | |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
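Review bot: the Azure Sentinel Responder definition (3e150937-b8fe-4cfb-8069-0eaf05ecd056) is removed here together with its `notActions` (`Microsoft.SecurityInsights/cases/*/Delete`, `Microsoft.SecurityInsights/incidents/*/Delete`), and the Key Vault Administrator (preview) heading goes with its data-plane `Microsoft.KeyVault/vaults/*` grant; no `+` lines in the visible diff re-add either. Those NotActions are exactly what a reader needs in order to see that a Responder cannot delete incidents, so confirm the relocated copies keep them. As a style point, `Microsoft.IntelligentSystems/accounts/*` is the one provider row in the new table not linked to the resource-provider-operations page, unlike `Microsoft.ResourceHealth` directly below it.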
@@ -6988,58 +6955,63 @@ Perform all data plane operations on a key vault and all objects in it, includin
"assignableScopes": [ "/" ],
- "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
- "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
+ "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
+ "name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
+ "Microsoft.IntelligentSystems/accounts/*",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*",
- "Microsoft.KeyVault/checkNameAvailability/read",
- "Microsoft.KeyVault/deletedVaults/read",
- "Microsoft.KeyVault/locations/*/read",
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/operations/read"
+ "Microsoft.Support/*"
], "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/*"
- ],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Administrator (preview)",
+ "roleName": "Intelligent Systems Account Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Certificates Officer (preview)
+### Logic App Contributor
-Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
+Lets you manage logic apps, but not change access to them. [Learn more](../logic-apps/logic-apps-securing-a-logic-app.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
+> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/read | Return the storage account with the given account. |
> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/* | |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/logdefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/* | Read metric definitions (list of available metric types for a resource). |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/* | Manages Logic Apps resources. |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
+> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/* | Create and manages a Connection Gateway. |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/* | Create and manages a Connection. |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/* | Creates and manages a Custom API. |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/join/action | Joins an App Service Plan |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/functions/listSecrets/action | List Function secrets. |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificatecas/* | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificates/* | |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
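Review bot: the Actions rows added here for `Microsoft.ClassicStorage/storageAccounts/listKeys/action`, `Microsoft.Storage/storageAccounts/listkeys/action` and `Microsoft.Web/sites/functions/listSecrets/action` are credential-returning operations (their own descriptions read "Returns the access keys for the specified storage account." and "List Function secrets."), yet nothing in the table or the surrounding prose flags this for a role whose JSON description below says it does not grant access to the apps; a sentence under the heading noting that these actions return secrets would let readers judge the role's reach before assigning it at subscription scope. Minor: "Create and manages a Connection Gateway." and "Create and manages a Connection." mix verb forms; align them with "Creates and manages a Custom API." two rows further down.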
@@ -7048,54 +7020,71 @@ Perform any action on the certificates of a key vault, except manage permissions
"assignableScopes": [ "/" ],
- "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
- "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
+ "description": "Lets you manage logic app, but not access to them.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
+ "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read",
+ "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
+ "Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
+ "Microsoft.Insights/metricAlerts/*",
+ "Microsoft.Insights/diagnosticSettings/*",
+ "Microsoft.Insights/logdefinitions/*",
+ "Microsoft.Insights/metricDefinitions/*",
+ "Microsoft.Logic/*",
"Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Storage/storageAccounts/listkeys/action",
+ "Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*",
- "Microsoft.KeyVault/checkNameAvailability/read",
- "Microsoft.KeyVault/deletedVaults/read",
- "Microsoft.KeyVault/locations/*/read",
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/operations/read"
+ "Microsoft.Web/connectionGateways/*",
+ "Microsoft.Web/connections/*",
+ "Microsoft.Web/customApis/*",
+ "Microsoft.Web/serverFarms/join/action",
+ "Microsoft.Web/serverFarms/read",
+ "Microsoft.Web/sites/functions/listSecrets/action"
], "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/certificatecas/*",
- "Microsoft.KeyVault/vaults/certificates/*"
- ],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Certificates Officer (preview)",
+ "roleName": "Logic App Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Contributor
+### Logic App Operator
-Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. [Learn more](../key-vault/general/secure-your-key-vault.md)
+Lets you read, enable, and disable logic apps, but not edit or update them. [Learn more](../logic-apps/logic-apps-securing-a-logic-app.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/* | |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/*/read | Read Insights alert rules |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/*/read | |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/*/read | Gets diagnostic settings for Logic Apps |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/*/read | Gets the available metrics for Logic Apps. |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/*/read | Reads Logic Apps resources. |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/disable/action | Disables the workflow. |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/enable/action | Enables the workflow. |
+> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/validate/action | Validates the workflow. |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. |
+> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan |
> | **NotActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/deletedVaults/purge/action | Purge a soft deleted key vault |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/hsmPools/* | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/managedHsms/* | |
+> | *none* | |
> | **DataActions** | | > | *none* | | > | **NotDataActions** | |
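Review bot: the description `"Lets you manage logic app, but not access to them."` does not match the actions array in the same hunk, which includes `Microsoft.Storage/storageAccounts/listkeys/action` and `Microsoft.Web/sites/functions/listSecrets/action`; listing storage account keys and function secrets is access to the credentials of the connected resources, so either reword the description (and make it "logic apps") or state the caveat in the section prose. Style: the casing differs between `Microsoft.ClassicStorage/storageAccounts/listKeys/action` and `Microsoft.Storage/storageAccounts/listkeys/action`; normalize both to the form used in the resource provider operations reference.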
@@ -7106,55 +7095,63 @@ Manage key vaults, but does not allow you to assign roles in Azure RBAC, and doe
"assignableScopes": [ "/" ],
- "description": "Lets you manage key vaults, but not access to them.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
- "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
+ "description": "Lets you read, enable and disable logic app.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
+ "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.KeyVault/*",
- "Microsoft.Resources/deployments/*",
+ "Microsoft.Insights/alertRules/*/read",
+ "Microsoft.Insights/metricAlerts/*/read",
+ "Microsoft.Insights/diagnosticSettings/*/read",
+ "Microsoft.Insights/metricDefinitions/*/read",
+ "Microsoft.Logic/*/read",
+ "Microsoft.Logic/workflows/disable/action",
+ "Microsoft.Logic/workflows/enable/action",
+ "Microsoft.Logic/workflows/validate/action",
+ "Microsoft.Resources/deployments/operations/read",
+ "Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
- ],
- "notActions": [
- "Microsoft.KeyVault/locations/deletedVaults/purge/action",
- "Microsoft.KeyVault/hsmPools/*",
- "Microsoft.KeyVault/managedHsms/*"
+ "Microsoft.Support/*",
+ "Microsoft.Web/connectionGateways/*/read",
+ "Microsoft.Web/connections/*/read",
+ "Microsoft.Web/customApis/*/read",
+ "Microsoft.Web/serverFarms/read"
],
+ "notActions": [],
"dataActions": [], "notDataActions": [] } ],
- "roleName": "Key Vault Contributor",
+ "roleName": "Logic App Operator",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Crypto Officer (preview)
+## Identity
-Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
+
+### Managed Identity Contributor
+
+Create, Read, Update, and Delete User Assigned Identity [Learn more](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
+> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/read | Gets an existing user assigned identity |
+> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity |
+> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/delete | Deletes an existing user assigned identity |
> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/* | |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
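Review bot: the description `"Lets you read, enable and disable logic app."` omits `Microsoft.Logic/workflows/validate/action`, which the same actions array grants; either list validate in the description or leave the gap knowingly, and make it "logic apps". Further down, the Managed Identity Contributor intro "Create, Read, Update, and Delete User Assigned Identity [Learn more](...)" reads as a title rather than a sentence and needs a full stop before the link; "Creates, reads, updates, and deletes user-assigned identities." would match the register of the other role intros on the page.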
@@ -7163,52 +7160,50 @@ Perform any action on the keys of a key vault, except manage permissions. Only w
"assignableScopes": [ "/" ],
- "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
- "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
+ "description": "Create, Read, Update, and Delete User Assigned Identity",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
+ "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"permissions": [ { "actions": [
+ "Microsoft.ManagedIdentity/userAssignedIdentities/read",
+ "Microsoft.ManagedIdentity/userAssignedIdentities/write",
+ "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
"Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*",
- "Microsoft.KeyVault/checkNameAvailability/read",
- "Microsoft.KeyVault/deletedVaults/read",
- "Microsoft.KeyVault/locations/*/read",
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/operations/read"
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Support/*"
], "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/keys/*"
- ],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Crypto Officer (preview)",
+ "roleName": "Managed Identity Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Crypto Service Encryption User (preview)
+### Managed Identity Operator
-Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.
+Read and Assign User Assigned Identity [Learn more](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/write | Create or update an eventSubscription |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription |
-> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/delete | Delete an eventSubscription |
+> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/*/read | |
+> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/*/assign/action | |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
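Review bot: the two Managed Identity Operator rows `userAssignedIdentities/*/read` and `userAssignedIdentities/*/assign/action` have empty Description cells, while the Contributor table above describes each of its three `userAssignedIdentities` rows; assign/action is the operation that gives this role its purpose ("Read and Assign User Assigned Identity"), so it in particular should carry a description taken from the operations reference. The intro sentence also needs a full stop before the `[Learn more]` link.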
@@ -7217,51 +7212,48 @@ Read metadata of keys and perform wrap/unwrap operations. Only works for key vau
"assignableScopes": [ "/" ],
- "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
- "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
+ "description": "Read and Assign User Assigned Identity",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
+ "name": "f1a07417-d97a-45cb-824c-7a7467783830",
"permissions": [ { "actions": [
- "Microsoft.EventGrid/eventSubscriptions/write",
- "Microsoft.EventGrid/eventSubscriptions/read",
- "Microsoft.EventGrid/eventSubscriptions/delete"
+ "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
+ "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Support/*"
], "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/keys/read",
- "Microsoft.KeyVault/vaults/keys/wrap/action",
- "Microsoft.KeyVault/vaults/keys/unwrap/action"
- ],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Crypto Service Encryption User (preview)",
+ "roleName": "Managed Identity Operator",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Crypto User (preview)
+## Security
-Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.
+
+### Attestation Contributor
+
+Can read write or delete the attestation provider instance [Learn more](../attestation/quickstart-powershell.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | Microsoft.Attestation/attestationProviders/attestation/read | |
+> | Microsoft.Attestation/attestationProviders/attestation/write | |
+> | Microsoft.Attestation/attestationProviders/attestation/delete | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/update/action | Updates the specified attributes associated with the given key. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/backup/action | Creates the backup file of a key. The file can used to restore the key in a Key Vault of same subscription. Restrictions may apply. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/decrypt/action | Decrypts ciphertext with a key. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/sign/action | Signs a message digest (hash) with a key. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
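Review bot: the Attestation Contributor rows `Microsoft.Attestation/attestationProviders/attestation/read`, `.../write` and `.../delete` are the only rows in these hunks whose provider is not linked in the `[Microsoft.X](resource-provider-operations.md#microsoftx)` form, and their Description cells are blank; link and describe them like the other rows. The intro "Can read write or delete the attestation provider instance" needs commas ("read, write, or delete") and a full stop before the link.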
@@ -7270,55 +7262,39 @@ Perform cryptographic operations using keys. Only works for key vaults that use
"assignableScopes": [ "/" ],
- "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
- "name": "12338af0-0e69-4776-bea7-57ae8d297424",
+ "description": "Can read write or delete the attestation provider instance",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
+ "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"permissions": [ {
- "actions": [],
- "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/keys/read",
- "Microsoft.KeyVault/vaults/keys/update/action",
- "Microsoft.KeyVault/vaults/keys/backup/action",
- "Microsoft.KeyVault/vaults/keys/encrypt/action",
- "Microsoft.KeyVault/vaults/keys/decrypt/action",
- "Microsoft.KeyVault/vaults/keys/wrap/action",
- "Microsoft.KeyVault/vaults/keys/unwrap/action",
- "Microsoft.KeyVault/vaults/keys/sign/action",
- "Microsoft.KeyVault/vaults/keys/verify/action"
+ "actions": [
+ "Microsoft.Attestation/attestationProviders/attestation/read",
+ "Microsoft.Attestation/attestationProviders/attestation/write",
+ "Microsoft.Attestation/attestationProviders/attestation/delete"
],
+ "notActions": [],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Crypto User (preview)",
+ "roleName": "Attestation Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Reader (preview)
+### Attestation Reader
-Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.
+Can read the attestation provider properties [Learn more](../attestation/troubleshoot-guide.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
+> | Microsoft.Attestation/attestationProviders/attestation/read | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
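Review bot: the JSON `"description": "Can read write or delete the attestation provider instance"` carries the same missing commas as the section intro, and the Attestation Reader row `Microsoft.Attestation/attestationProviders/attestation/read` is again unlinked with an empty description. Separately, unlike the Logic App Operator and Managed Identity Operator tables, Attestation Reader grants only that single read and none of the common `Microsoft.Authorization/*/read`, `Microsoft.Resources/subscriptions/resourceGroups/read` or `Microsoft.Support/*` rows; worth confirming that this is the intended role definition rather than a generation gap before publishing.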
@@ -7327,58 +7303,51 @@ Read metadata of key vaults and its certificates, keys, and secrets. Cannot read
"assignableScopes": [ "/" ],
- "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
- "name": "21090545-7ca7-4776-b22c-e363652d74d2",
+ "description": "Can read the attestation provider properties",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
+ "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"permissions": [ { "actions": [
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*",
- "Microsoft.KeyVault/checkNameAvailability/read",
- "Microsoft.KeyVault/deletedVaults/read",
- "Microsoft.KeyVault/locations/*/read",
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/operations/read"
+ "Microsoft.Attestation/attestationProviders/attestation/read"
], "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
- ],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Reader (preview)",
+ "roleName": "Attestation Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Secrets Officer (preview)
+### Azure Sentinel Contributor
-Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
+Azure Sentinel Contributor [Learn more](../sentinel/roles.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/* | |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/* | |
+> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get exiting OMS solution |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/* | |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook |
> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/* | |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
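Review bot: the Azure Sentinel Contributor intro `Azure Sentinel Contributor [Learn more](../sentinel/roles.md)` only repeats the role name, where every other role in these hunks gets a one-sentence statement of what it permits; give it one, since the table (`Microsoft.SecurityInsights/*` plus Log Analytics workspace read, query and saved-search rights) already says what it does. Typo in the `Microsoft.OperationsManagement/solutions/read` row: "Get exiting OMS solution" should read "Get existing OMS solution". The `Microsoft.SecurityInsights/*` row also has an empty Description cell.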
@@ -7387,49 +7356,69 @@ Perform any action on the secrets of a key vault, except manage permissions. Onl
"assignableScopes": [ "/" ],
- "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
- "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
+ "description": "Azure Sentinel Contributor",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
+ "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
"permissions": [ { "actions": [
+ "Microsoft.SecurityInsights/*",
+ "Microsoft.OperationalInsights/workspaces/analytics/query/action",
+ "Microsoft.OperationalInsights/workspaces/*/read",
+ "Microsoft.OperationalInsights/workspaces/savedSearches/*",
+ "Microsoft.OperationsManagement/solutions/read",
+ "Microsoft.OperationalInsights/workspaces/query/read",
+ "Microsoft.OperationalInsights/workspaces/query/*/read",
+ "Microsoft.OperationalInsights/workspaces/dataSources/read",
+ "Microsoft.Insights/workbooks/*",
+ "Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*",
- "Microsoft.KeyVault/checkNameAvailability/read",
- "Microsoft.KeyVault/deletedVaults/read",
- "Microsoft.KeyVault/locations/*/read",
- "Microsoft.KeyVault/vaults/*/read",
- "Microsoft.KeyVault/operations/read"
+ "Microsoft.Support/*"
], "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/secrets/*"
- ],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Secrets Officer (preview)",
+ "roleName": "Azure Sentinel Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Key Vault Secrets User (preview)
+### Azure Sentinel Reader
-Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.
+Azure Sentinel Reader [Learn more](../sentinel/roles.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | *none* | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/*/read | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/LinkedServices/read | Get linked services under given workspace. |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query |
+> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get exiting OMS solution |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. |
-> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
+> | *none* | |
> | **NotDataActions** | | > | *none* | |
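Review bot: the `description` at L6671 just repeats the role name, while the Key Vault definitions later in this change (L6889, for example) state what the role can and cannot do; since `Microsoft.SecurityInsights/*` at L6675 covers every SecurityInsights operation, including deleting incidents, cases and automation rules (the operations the Responder role later in the patch excludes), a one-sentence description of that scope would help anyone picking between Contributor and Responder. Also, the `-` lines here drop the `Key Vault Secrets Officer (preview)` definition (L6699) and the `Key Vault Secrets User (preview)` heading and description (L6702, L6704); other Key Vault roles are re-added further down, so this looks like a re-sort, but please confirm both secrets roles reappear elsewhere in the change rather than being lost.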
@@ -7438,47 +7427,79 @@ Read secret contents. Only works for key vaults that use the 'Azure role-based a
"assignableScopes": [ "/" ],
- "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
- "name": "4633458b-17de-408a-b874-0445c86b69e6",
+ "description": "Azure Sentinel Reader",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
+ "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"permissions": [ {
- "actions": [],
- "notActions": [],
- "dataActions": [
- "Microsoft.KeyVault/vaults/secrets/getSecret/action",
- "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
+ "actions": [
+ "Microsoft.SecurityInsights/*/read",
+ "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
+ "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
+ "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
+ "Microsoft.OperationalInsights/workspaces/analytics/query/action",
+ "Microsoft.OperationalInsights/workspaces/*/read",
+ "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
+ "Microsoft.OperationalInsights/workspaces/savedSearches/read",
+ "Microsoft.OperationsManagement/solutions/read",
+ "Microsoft.OperationalInsights/workspaces/query/read",
+ "Microsoft.OperationalInsights/workspaces/query/*/read",
+ "Microsoft.OperationalInsights/workspaces/dataSources/read",
+ "Microsoft.Insights/workbooks/read",
+ "Microsoft.Insights/myworkbooks/read",
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Support/*"
],
+ "notActions": [],
+ "dataActions": [],
"notDataActions": [] } ],
- "roleName": "Key Vault Secrets User (preview)",
+ "roleName": "Azure Sentinel Reader",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Security Admin
+### Azure Sentinel Responder
-View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. [Learn more](../security-center/security-center-permissions.md)
+Azure Sentinel Responder [Learn more](../sentinel/roles.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/*/read | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/automationRules/* | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/* | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/* | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/replaceTags/action | Replace Tags of Threat Intelligence Indicator |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query |
+> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get exiting OMS solution |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | |
+> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get datasources under a workspace. |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook |
> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyAssignments/* | Create and manage policy assignments |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyDefinitions/* | Create and manage policy definitions |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyExemptions/* | Create and manage policy exemptions |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policySetDefinitions/* | Create and manage policy sets |
> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. |
-> | [Microsoft.operationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/* | Create and manage security components and policies |
> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | > | **NotActions** | |
-> | *none* | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/*/Delete | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/*/Delete | |
> | **DataActions** | | > | *none* | | > | **NotDataActions** | |
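Review bot: the Responder table has duplicated rows: `threatIntelligence/indicators/appendTags/action` appears at both L6783 and L6786, and `workspaces/dataSources/read` at both L6791 and L6796; the JSON in the next hunk carries the same duplicates (L6828/L6831 and L6836/L6841), so if this page is generated from the role definition the fix belongs upstream, otherwise dedupe here. The descriptions at L6737 and L6776 also only repeat the role name; a short summary (Reader: read-only across Sentinel and the workspace; Responder: additionally manage incidents, cases and automation rules, but not delete them) would make the `[Learn more]` link optional rather than required. Minor: "Get exiting OMS solution" at L6716 and L6793 is a provider-supplied operation string, but it should read "existing".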
@@ -7489,48 +7510,74 @@ View and update permissions for Security Center. Same permissions as the Securit
"assignableScopes": [ "/" ],
- "description": "Security Admin Role",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
- "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
+ "description": "Azure Sentinel Responder",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
+ "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"permissions": [ { "actions": [
+ "Microsoft.SecurityInsights/*/read",
+ "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
+ "Microsoft.SecurityInsights/automationRules/*",
+ "Microsoft.SecurityInsights/cases/*",
+ "Microsoft.SecurityInsights/incidents/*",
+ "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
+ "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
+ "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
+ "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
+ "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
+ "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
+ "Microsoft.OperationalInsights/workspaces/analytics/query/action",
+ "Microsoft.OperationalInsights/workspaces/*/read",
+ "Microsoft.OperationalInsights/workspaces/dataSources/read",
+ "Microsoft.OperationalInsights/workspaces/savedSearches/read",
+ "Microsoft.OperationsManagement/solutions/read",
+ "Microsoft.OperationalInsights/workspaces/query/read",
+ "Microsoft.OperationalInsights/workspaces/query/*/read",
+ "Microsoft.OperationalInsights/workspaces/dataSources/read",
+ "Microsoft.Insights/workbooks/read",
+ "Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
- "Microsoft.Authorization/policyAssignments/*",
- "Microsoft.Authorization/policyDefinitions/*",
- "Microsoft.Authorization/policyExemptions/*",
- "Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
- "Microsoft.Management/managementGroups/read",
- "Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Security/*",
"Microsoft.Support/*" ],
- "notActions": [],
+ "notActions": [
+ "Microsoft.SecurityInsights/cases/*/Delete",
+ "Microsoft.SecurityInsights/incidents/*/Delete"
+ ],
"dataActions": [], "notDataActions": [] } ],
- "roleName": "Security Admin",
+ "roleName": "Azure Sentinel Responder",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Security Assessment Contributor
+### Key Vault Administrator (preview)
-Lets you push assessments to Security Center
+Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/assessments/write | Create or update security assessments on your subscription |
+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/* | |
> | **NotDataActions** | | > | *none* | |
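Review bot: for Key Vault Administrator, the data action `Microsoft.KeyVault/vaults/*` at L6882 with an empty NotDataActions covers every data-plane operation under the vault, including purging soft-deleted keys, secrets and certificates; the description at L6867 is accurate, but since Key Vault Contributor in this same change explicitly carves out `locations/deletedVaults/purge/action` (L6990) at the control plane, readers may assume purge is similarly excluded here, so consider spelling out that this role can permanently destroy objects. On the Responder JSON, the `notActions` at L6856 to L6858 are subtractions from this role's own `actions`, not deny rules: a principal that also holds another role granting `Microsoft.SecurityInsights/incidents/delete` can still delete incidents, which is worth a clause in the Responder description.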
@@ -7539,46 +7586,58 @@ Lets you push assessments to Security Center
"assignableScopes": [ "/" ],
- "description": "Lets you push assessments to Security Center",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
- "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
+ "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
+ "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"permissions": [ { "actions": [
- "Microsoft.Security/assessments/write"
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Support/*",
+ "Microsoft.KeyVault/checkNameAvailability/read",
+ "Microsoft.KeyVault/deletedVaults/read",
+ "Microsoft.KeyVault/locations/*/read",
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/operations/read"
], "notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/*"
+ ],
"notDataActions": [] } ],
- "roleName": "Security Assessment Contributor",
+ "roleName": "Key Vault Administrator (preview)",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Security Manager (Legacy)
+### Key Vault Certificates Officer (preview)
-This is a legacy role. Please use Security Admin instead.
+Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.ClassicCompute](resource-provider-operations.md#microsoftclassiccompute)/*/read | Read configuration information classic virtual machines |
-> | [Microsoft.ClassicCompute](resource-provider-operations.md#microsoftclassiccompute)/virtualMachines/*/write | Write configuration for classic virtual machines |
-> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/*/read | Read configuration information about classic network |
> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/* | Create and manage security components and policies |
> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificatecas/* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificates/* | |
> | **NotDataActions** | | > | *none* | |
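Review bot: the Certificates Officer description at L6916 ("any action on the certificates ... except manage permissions") overstates the data actions at L6933 and L6934, which are limited to `vaults/certificatecas/*` and `vaults/certificates/*`; the key and secret objects that back a certificate live under `vaults/keys/*` and `vaults/secrets/*`, so a holder can create, import, list and delete certificates but cannot export the private key through the secrets endpoint (`vaults/secrets/getSecret/action`, the action removed at L6728). Suggest adding "excluding reading the secret and key portions" to the description so that anyone assigning this role for PFX download knows a secrets role is also required.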
@@ -7587,54 +7646,54 @@ This is a legacy role. Please use Security Admin instead.
"assignableScopes": [ "/" ],
- "description": "This is a legacy role. Please use Security Administrator instead",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
- "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
+ "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
+ "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read",
- "Microsoft.ClassicCompute/*/read",
- "Microsoft.ClassicCompute/virtualMachines/*/write",
- "Microsoft.ClassicNetwork/*/read",
"Microsoft.Insights/alertRules/*",
- "Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Security/*",
- "Microsoft.Support/*"
+ "Microsoft.Support/*",
+ "Microsoft.KeyVault/checkNameAvailability/read",
+ "Microsoft.KeyVault/deletedVaults/read",
+ "Microsoft.KeyVault/locations/*/read",
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/operations/read"
], "notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/certificatecas/*",
+ "Microsoft.KeyVault/vaults/certificates/*"
+ ],
"notDataActions": [] } ],
- "roleName": "Security Manager (Legacy)",
+ "roleName": "Key Vault Certificates Officer (preview)",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Security Reader
+### Key Vault Contributor
-View permissions for Security Center. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. [Learn more](../security-center/security-center-permissions.md)
+Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. [Learn more](../key-vault/general/secure-your-key-vault.md)
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert |
-> | [Microsoft.operationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/*/read | |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/* | |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/*/read | Read security components and policies |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/*/read | |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/downloadManagerActivation/action | Download manager activation file with subscription quota data |
-> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotSensors/downloadResetPassword/action | Downloads reset password file for IoT Sensors |
-> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. |
+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | |
-> | *none* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/deletedVaults/purge/action | Purge a soft deleted key vault |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/hsmPools/* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/managedHsms/* | |
> | **DataActions** | | > | *none* | | > | **NotDataActions** | |
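Review bot: the Key Vault Contributor description at L6972 ("does not allow you to access secrets, keys, or certificates") only holds for vaults using the Azure RBAC permission model. `Microsoft.KeyVault/*` at L6978 includes `vaults/write`, and for a vault still on the access-policy model, writing the vault resource edits its access policies, so the holder can grant themselves any data-plane permission. The preview roles in this change all carry the sentence "Only works for key vaults that use the 'Azure role-based access control' permission model"; this role needs the mirror-image caveat. The NotActions at L6990 to L6992 (purge, `hsmPools/*`, `managedHsms/*`) are a sensible carve-out and worth a word in the description as well.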
@@ -7645,81 +7704,55 @@ View permissions for Security Center. Can view recommendations, alerts, a securi
"assignableScopes": [ "/" ],
- "description": "Security Reader Role",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
- "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
- "permissions": [
- {
+ "description": "Lets you manage key vaults, but not access to them.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
+ "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
+ "permissions": [
+ {
"actions": [ "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/read",
- "Microsoft.operationalInsights/workspaces/*/read",
- "Microsoft.Resources/deployments/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.KeyVault/*",
+ "Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Security/*/read",
- "Microsoft.Support/*/read",
- "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
- "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
- "Microsoft.Security/iotSensors/downloadResetPassword/action",
- "Microsoft.Management/managementGroups/read"
+ "Microsoft.Support/*"
+ ],
+ "notActions": [
+ "Microsoft.KeyVault/locations/deletedVaults/purge/action",
+ "Microsoft.KeyVault/hsmPools/*",
+ "Microsoft.KeyVault/managedHsms/*"
],
- "notActions": [],
"dataActions": [], "notDataActions": [] } ],
- "roleName": "Security Reader",
+ "roleName": "Key Vault Contributor",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-## DevOps
--
-### DevTest Labs User
+### Key Vault Crypto Officer (preview)
-Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. [Learn more](../devtest-labs/devtest-lab-add-devtest-user.md)
+Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/availabilitySets/read | Get the properties of an availability set |
-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/*/read | Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.) |
-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources |
-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine |
-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/restart/action | Restarts the virtual machine |
-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/start/action | Starts the virtual machine |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/*/read | Read the properties of a lab |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/claimAnyVm/action | Claim a random claimable virtual machine in the lab. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/createEnvironment/action | Create virtual machines in a lab. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/ensureCurrentUserProfile/action | Ensure the current user has a valid profile in the lab. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/formulas/delete | Delete formulas. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/formulas/read | Read formulas. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/formulas/write | Add or modify formulas. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/policySets/evaluatePolicies/action | Evaluates lab policy. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/virtualMachines/claim/action | Take ownership of an existing virtual machine |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/virtualmachines/listApplicableSchedules/action | Lists the applicable start/stop schedules, if any. |
-> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/virtualMachines/getRdpFileContents/action | Gets a string that represents the contents of the RDP file for the virtual machine |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/*/read | Read the properties of a network interface (for example, all the load balancers that the network interface is a part of) |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/*/read | Read the properties of a public IP address |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/join/action | Joins a public ip address. Not Alertable. |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/read | Gets a public ip address definition. |
-> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. |
+> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
+> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
> | **NotActions** | |
-> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to |
-> | **DataActions** | |
> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/* | |
> | **NotDataActions** | | > | *none* | |
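Review bot: the added rows `Microsoft.KeyVault/locations/*/read`, `Microsoft.KeyVault/vaults/*/read` and the DataActions row `Microsoft.KeyVault/vaults/keys/*` have empty Description cells while every other row in this table carries one; please fill them in, because `vaults/keys/*` is the only data-plane grant in the new Key Vault Crypto Officer table and is what the role description "Perform any action on the keys of a key vault, except manage permissions" rests on, so a reader assessing the role needs the cell to state which key operations the wildcard expands to rather than having to infer it. The removed rows (for example `Microsoft.Storage/storageAccounts/listKeys/action` and the `Microsoft.Network/.../join/action` entries) belong to the table the new section displaced, so the deletions here are an alignment artifact of the diff; confirm that table still appears intact elsewhere in the file.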
@@ -7728,76 +7761,52 @@ Lets you connect, start, restart, and shutdown your virtual machines in your Azu
"assignableScopes": [ "/" ],
- "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
- "name": "76283e04-6283-4c54-8f91-bcf1374a3c64",
+ "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
+ "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read",
- "Microsoft.Compute/availabilitySets/read",
- "Microsoft.Compute/virtualMachines/*/read",
- "Microsoft.Compute/virtualMachines/deallocate/action",
- "Microsoft.Compute/virtualMachines/read",
- "Microsoft.Compute/virtualMachines/restart/action",
- "Microsoft.Compute/virtualMachines/start/action",
- "Microsoft.DevTestLab/*/read",
- "Microsoft.DevTestLab/labs/claimAnyVm/action",
- "Microsoft.DevTestLab/labs/createEnvironment/action",
- "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
- "Microsoft.DevTestLab/labs/formulas/delete",
- "Microsoft.DevTestLab/labs/formulas/read",
- "Microsoft.DevTestLab/labs/formulas/write",
- "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
- "Microsoft.DevTestLab/labs/virtualMachines/claim/action",
- "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
- "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
- "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
- "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
- "Microsoft.Network/networkInterfaces/*/read",
- "Microsoft.Network/networkInterfaces/join/action",
- "Microsoft.Network/networkInterfaces/read",
- "Microsoft.Network/networkInterfaces/write",
- "Microsoft.Network/publicIPAddresses/*/read",
- "Microsoft.Network/publicIPAddresses/join/action",
- "Microsoft.Network/publicIPAddresses/read",
- "Microsoft.Network/virtualNetworks/subnets/join/action",
- "Microsoft.Resources/deployments/operations/read",
- "Microsoft.Resources/deployments/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Storage/storageAccounts/listKeys/action"
+ "Microsoft.Support/*",
+ "Microsoft.KeyVault/checkNameAvailability/read",
+ "Microsoft.KeyVault/deletedVaults/read",
+ "Microsoft.KeyVault/locations/*/read",
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/operations/read"
],
- "notActions": [
- "Microsoft.Compute/virtualMachines/vmSizes/read"
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/keys/*"
],
- "dataActions": [],
"notDataActions": [] } ],
- "roleName": "DevTest Labs User",
+ "roleName": "Key Vault Crypto Officer (preview)",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Lab Creator
+### Key Vault Crypto Service Encryption User (preview)
-Lets you create new labs under your Azure Lab Accounts. [Learn more](../lab-services/add-lab-creator.md)
+Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/*/read | |
-> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/createLab/action | Create a lab in a lab account. |
-> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/getPricingAndAvailability/action | Get the pricing and availability of combinations of sizes, geographies, and operating systems for the lab account. |
-> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/getRestrictionsAndUsage/action | Get core restrictions and usage for this subscription |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/write | Create or update an eventSubscription |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription |
+> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/delete | Delete an eventSubscription |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
> | **NotDataActions** | | > | *none* | |
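Review bot: the Key Vault Crypto Service Encryption User table adds three control-plane actions, `Microsoft.EventGrid/eventSubscriptions/write`, `.../read` and `.../delete`, that the role description "Read metadata of keys and perform wrap/unwrap operations" never mentions; the description, or a sentence under the heading, should say why a wrap/unwrap role carries Event Grid subscription management, since an operator assigning it to a service identity for least privilege will not expect that scope. Separately, the removed JSON block ending in `"roleName": "DevTest Labs User"` is paired with the new `"roleName": "Key Vault Crypto Officer (preview)"` definition only by diff alignment; please verify the DevTest Labs User definition (with its `Microsoft.DevTestLab/*` actions) was moved rather than dropped, because the rendered change history otherwise reads as that role being deleted.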
@@ -7806,58 +7815,51 @@ Lets you create new labs under your Azure Lab Accounts. [Learn more](../lab-serv
"assignableScopes": [ "/" ],
- "description": "Lets you create new labs under your Azure Lab Accounts.",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
- "name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
+ "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
+ "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
"permissions": [ { "actions": [
- "Microsoft.Authorization/*/read",
- "Microsoft.LabServices/labAccounts/*/read",
- "Microsoft.LabServices/labAccounts/createLab/action",
- "Microsoft.LabServices/labAccounts/getPricingAndAvailability/action",
- "Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
+ "Microsoft.EventGrid/eventSubscriptions/write",
+ "Microsoft.EventGrid/eventSubscriptions/read",
+ "Microsoft.EventGrid/eventSubscriptions/delete"
], "notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/keys/read",
+ "Microsoft.KeyVault/vaults/keys/wrap/action",
+ "Microsoft.KeyVault/vaults/keys/unwrap/action"
+ ],
"notDataActions": [] } ],
- "roleName": "Lab Creator",
+ "roleName": "Key Vault Crypto Service Encryption User (preview)",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-## Monitor
--
-### Application Insights Component Contributor
+### Key Vault Crypto User (preview)
-Can manage Application Insights components [Learn more](../azure-monitor/app/resources-roles-access-control.md)
+Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage classic alert rules |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/generateLiveToken/read | Live Metrics get token |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/* | Create and manage new alert rules |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/* | Create and manage Insights components |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/scheduledqueryrules/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/topology/read | Read Topology |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/transactions/read | Read Transactions |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/webtests/* | Create and manage Insights web tests |
-> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment |
-> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
-> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | *none* | |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/update/action | Updates the specified attributes associated with the given key. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/backup/action | Creates the backup file of a key. The file can used to restore the key in a Key Vault of same subscription. Restrictions may apply. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/decrypt/action | Decrypts ciphertext with a key. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/sign/action | Signs a message digest (hash) with a key. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
> | **NotDataActions** | | > | *none* | |
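Review bot: the Key Vault Crypto User description "Perform cryptographic operations using keys" understates the DataActions list in this hunk, which also grants `Microsoft.KeyVault/vaults/keys/update/action` ("Updates the specified attributes associated with the given key") and `Microsoft.KeyVault/vaults/keys/backup/action` ("Creates the backup file of a key"); neither is a cryptographic operation, and backup in particular produces a file from which the key can be restored, so the description should mention attribute updates and backup so the role is not mistaken for a use-only grant. Typo in the backup row: "The file can used to restore the key" should read "The file can be used to restore the key".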
@@ -7866,54 +7868,55 @@ Can manage Application Insights components [Learn more](../azure-monitor/app/res
"assignableScopes": [ "/" ],
- "description": "Can manage Application Insights components",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
- "name": "ae349356-3a1b-4a5e-921d-050484c6347e",
+ "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
+ "name": "12338af0-0e69-4776-bea7-57ae8d297424",
"permissions": [ {
- "actions": [
- "Microsoft.Authorization/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Insights/generateLiveToken/read",
- "Microsoft.Insights/metricAlerts/*",
- "Microsoft.Insights/components/*",
- "Microsoft.Insights/scheduledqueryrules/*",
- "Microsoft.Insights/topology/read",
- "Microsoft.Insights/transactions/read",
- "Microsoft.Insights/webtests/*",
- "Microsoft.ResourceHealth/availabilityStatuses/read",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
- ],
+ "actions": [],
"notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/keys/read",
+ "Microsoft.KeyVault/vaults/keys/update/action",
+ "Microsoft.KeyVault/vaults/keys/backup/action",
+ "Microsoft.KeyVault/vaults/keys/encrypt/action",
+ "Microsoft.KeyVault/vaults/keys/decrypt/action",
+ "Microsoft.KeyVault/vaults/keys/wrap/action",
+ "Microsoft.KeyVault/vaults/keys/unwrap/action",
+ "Microsoft.KeyVault/vaults/keys/sign/action",
+ "Microsoft.KeyVault/vaults/keys/verify/action"
+ ],
"notDataActions": [] } ],
- "roleName": "Application Insights Component Contributor",
+ "roleName": "Key Vault Crypto User (preview)",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Application Insights Snapshot Debugger
+### Key Vault Reader (preview)
-Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the [Owner](#owner) or [Contributor](#contributor) roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. [Learn more](../azure-monitor/app/snapshot-debugger.md)
+Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | | > | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/*/read | |
> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
> | **NotActions** | | > | *none* | | > | **DataActions** | |
-> | *none* | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
> | **NotDataActions** | | > | *none* | |
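Review bot: in the Key Vault Reader table the rows `Microsoft.KeyVault/locations/*/read` and `Microsoft.KeyVault/vaults/*/read` (the latter listed under both Actions and DataActions) have empty Description cells; because the role description promises "Cannot read sensitive values such as secret contents or key material", the DataActions wildcard row is exactly the one a reader must inspect to trust that claim, so spell out which data-plane read operations it resolves to, in the style of the `vaults/keys/read` row earlier in this change ("Private keys and symmetric keys are never exposed"). The separate row `Microsoft.KeyVault/vaults/secrets/readMetadata/action` ("List or view the properties of a secret, but not its value") implies the wildcard does not cover secret metadata on its own, which is worth stating explicitly, and a short note that the same `vaults/*/read` string appears in both the control-plane and data-plane lists would prevent readers from taking the repetition for a copy-paste error.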
@@ -7922,73 +7925,58 @@ Gives user permission to view and download debug snapshots collected with the Ap
"assignableScopes": [ "/" ],
- "description": "Gives user permission to use Application Insights Snapshot Debugger features",
- "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
- "name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b",
+ "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
+ "name": "21090545-7ca7-4776-b22c-e363652d74d2",
"permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
- "Microsoft.Insights/components/*/read",
"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Support/*"
+ "Microsoft.Support/*",
+ "Microsoft.KeyVault/checkNameAvailability/read",
+ "Microsoft.KeyVault/deletedVaults/read",
+ "Microsoft.KeyVault/locations/*/read",
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/operations/read"
], "notActions": [],
- "dataActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
+ ],
"notDataActions": [] } ],
- "roleName": "Application Insights Snapshot Debugger",
+ "roleName": "Key Vault Reader (preview)",
"roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ```
-### Monitoring Contributor
+### Key Vault Secrets Officer (preview)
-Can read all monitoring data and edit monitoring settings. See also [Get started with roles, permissions, and security with Azure Monitor](../azure-monitor/platform/roles-permissions-security.md#built-in-monitoring-roles). [Learn more](../azure-monitor/platform/roles-permissions-security.md)
+Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | */read | Read resources of all types, except secrets. |
-> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/alerts/* | |
-> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/alertsSummary/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/actiongroups/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/activityLogAlerts/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/* | Create and manage a classic metric alert |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/* | Create and manage Insights components |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/dataCollectionRules/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/dataCollectionRuleAssociations/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/eventtypes/* | List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log. |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/LogDefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricalerts/* | |
-> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/MetricDefinitions/* | Read m