Updates from: 02/09/2024 02:34:53
Service Microsoft Docs article Related commit history on GitHub Change details
advisor Advisor Reference Reliability Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-reliability-recommendations.md
In active-active configuration, both instances of the VPN gateway establish S2S
Learn more about [Virtual network gateway - VNetGatewayActiveActive (Enable Active-Active gateways for redundancy)](https://aka.ms/aa_vpnha_learnmore).
+<!--
### Use HEAD health probes

For health probes, it's a good practice to use the HEAD method, which reduces the amount of traffic load on your origins. Learn more about [Front Door - Use HEAD health probes](https://aka.ms/afd-use-health-probes).
+-->
### Use managed TLS certificates Front Door management of your TLS certificates reduces your operational costs and helps you to avoid costly outages caused by forgetting to renew a certificate.
If you only have a single origin, Front Door always routes traffic to that origi
Learn more about [Health probe best practices](https://aka.ms/afd-disable-health-probes).
+### Use the same domain name on Azure Front Door and your origin
+
+We recommend that you preserve the original HTTP host name when you use a reverse proxy in front of a web application. Having a different host name at the reverse proxy than the one that's provided to the back-end application server can lead to cookies or redirect URLs that don't work properly. For example, session state can get lost, authentication can fail, or back-end URLs can inadvertently be exposed to end users. You can avoid these problems by preserving the host name of the initial request so that the application server sees the same domain as the web browser.
+
+Learn more about [Use the same domain name on Azure Front Door and your origin](https://aka.ms/afd-same-domain-origin).
+ ## SAP for Azure ### Enable the 'concurrent-fencing' parameter in Pacemaker cofiguration in ASCS HA setup in SAP workloads
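Review bot: the new SAP heading misspells "configuration" as "cofiguration" (`...parameter in Pacemaker cofiguration in ASCS HA setup...`); fix the typo, and the `## SAP for Azure` and `### Enable the 'concurrent-fencing' parameter...` headings should each sit on their own line rather than sharing one.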
ai-services Use Native Documents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/native-document-support/use-native-documents.md
A native document refers to the file format used to create the original document
* [Document summarization](../summarization/overview.md). Document summarization uses natural language processing to generate extractive (salient sentence extraction) or abstractive (contextual word extraction) summaries for documents. Both `AbstractiveSummarization` and `ExtractiveSummarization` APIs support native document processing.
-## Development options
-
-Native document support can be integrated into your applications using the [Azure AI Language REST API](/rest/api/language/). The REST API is a language agnostic interface that enables you to create HTTP requests for text-based data analysis.
-
-|Service|Description|API Reference (Latest GA version)|API Reference (Latest Preview version)|
-|--|--|--|--|
-| Text analysis - runtime | &bullet; Runtime prediction calls to extract **Personally Identifiable Information (PII)**.</br>&bullet; Custom redaction for native documents is supported in the latest **2023-04-14-preview**.|[`2023-04-01`](/rest/api/language/2023-04-01/text-analysis-runtime)|[`2023-04-15-preview`.](/rest/api/language/2023-04-15-preview/text-analysis-runtime)|
-| Summarization for documents - runtime|Runtime prediction calls to **query summarization for documents models**.|[`2023-04-01`](/rest/api/language/2023-04-01/text-analysis-runtime/submit-job)|[`2023-04-15-preview`](/rest/api/language/2023-04-15-preview/text-analysis-runtime)|
- ## Supported document formats Applications use native file formats to create, save, or open native documents. Currently **PII** and **Document summarization** capabilities supports the following native document formats:
Before you run the **POST** request, replace `{your-language-resource-endpoint}`
***PowerShell*** ```powershell
- cmd /c curl "{your-language-resource-endpoint}/language/analyze-text/jobs?api-version=2023-04-01" -i -X POST --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
+ cmd /c curl "{your-language-resource-endpoint}/language/analyze-documents/jobs?api-version=2023-11-15-preview" -i -X POST --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
``` ***command prompt / terminal*** ```bash
- curl -v -X POST "{your-language-resource-endpoint}/language/analyze-text/jobs?api-version=2023-04-01" --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
+ curl -v -X POST "{your-language-resource-endpoint}/language/analyze-documents/jobs?api-version=2023-11-15-preview" --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
``` Here's a sample response:
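Review bot: the removed `## Development options` table was the only place this page linked to the REST API reference versions, and the new curl examples now call `analyze-documents` with `api-version=2023-11-15-preview`; if the table is not being relocated, add a pointer to the reference for that preview version so readers can look up the request body expected in `document-summarization.json`. The surrounding text should also say that `2023-11-15-preview` is a preview API version, since the replaced examples used the GA `2023-04-01` version.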
ai-services Gpt With Vision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/gpt-with-vision.md
Enhancements let you incorporate other Azure AI services (such as Azure AI Visio
**Object grounding**: Azure AI Vision complements GPT-4 Turbo with Vision's text response by identifying and locating salient objects in the input images. This lets the chat model give more accurate and detailed responses about the contents of the image.

> [!IMPORTANT]
-> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.
+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S1) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.
:::image type="content" source="../media/concepts/gpt-v/object-grounding.png" alt-text="Screenshot of an image with object grounding applied. Objects have bounding boxes with labels.":::
Base Pricing for GPT-4 Turbo with Vision is:
See the [Tokens section of the overview](/azure/ai-services/openai/overview#tokens) for information on how text and images translate to tokens.
-Additionally, if you use video prompt integration with the Video Retrieval add-on, it accrues other costs:
-- Ingestion: $0.05 per minute of video-- Transactions: $0.25 per 1000 queries of the Video Retrieval index
+If you turn on Enhancements, additional usage applies for using GPT-4 Turbo with Vision with Azure AI Vision functionality.
+
+| Model | Price |
+|--|--|
+| + Enhanced add-on features for OCR | $1.5 per 1000 transactions |
+| + Enhanced add-on features for Object Detection | $1.5 per 1000 transactions |
+| + Enhanced add-on feature for ΓÇ£Add your ImageΓÇ¥ Image Embeddings | $1.5 per 1000 transactions |
+| + Enhanced add-on feature for ΓÇ£Video RetrievalΓÇ¥ integration **<sup>1</sup>** | Ingestion: $0.05 per minute of video <br>Transactions: $0.25 per 1000 queries of the Video Retrieval index |
+
+**<sup>1</sup>** Processing videos involves the use of extra tokens to identify key frames for analysis. The number of these additional tokens will be roughly equivalent to the sum of the tokens in the text input, plus 700 tokens.
+
+### Example image price calculation
+> [!IMPORTANT]
+> The following content is an example only, and prices are subject to change in the future.
+
+For a typical use case, take an image with both visible objects and text and a 100-token prompt input. When the service processes the prompt, it generates 100 tokens of output. In the image, both text and objects can be detected. The price of this transaction would be:
+
+| Item | Detail | Total Cost |
+|--|--|--|
+| GPT-4 Turbo with Vision input tokens | 100 text tokens | $0.001 |
+| Enhanced add-on features for OCR | $1.50 / 1000 transactions | $0.0015 |
+| Enhanced add-on features for Object Grounding | $1.50 / 1000 transactions | $0.0015 |
+| Output Tokens | 100 tokens (assumed) | $0.003 |
+| **Total Cost** | | $0.007 |
-Processing videos involves the use of extra tokens to identify key frames for analysis. The number of these additional tokens will be roughly equivalent to the sum of the tokens in the text input, plus 700 tokens.
-### Example price calculation
+### Example video price calculation
> [!IMPORTANT] > The following content is an example only, and prices are subject to change in the future.
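Review bot: the add-on name is inconsistent between the two new tables: the pricing table lists `Enhanced add-on features for Object Detection`, while the example calculation charges `Enhanced add-on features for Object Grounding` and the article text above calls the feature object grounding; use one name in both places. The added rows for "Add your Image" and "Video Retrieval" also carry mis-encoded curly quotes (`ΓÇ£`/`ΓÇ¥`) that should be plain or correctly encoded quotation marks. The example arithmetic itself checks out ($0.001 + $0.0015 + $0.0015 + $0.003 = $0.007).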
ai-studio Configure Managed Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/configure-managed-network.md
You need to configure following network isolation configurations.
- Choose network isolation mode. You have two options: allow internet outbound mode or allow only approved outbound mode. - Create private endpoint outbound rules to your private Azure resources. Note that private Azure AI Services and Azure AI Search are not supported yet. -- If you use Visual Studio Code integration with allow only approved outbound mode, create FQDN outbound rules described [here](#scenario-use-visual-studio-code).-- If you use HuggingFace models in Models with allow only approved outbound mode, create FQDN outbound rules described [here](#scenario-use-huggingface-models).
+- If you use Visual Studio Code integration with allow only approved outbound mode, create FQDN outbound rules described in the [use Visual Studio Code](#scenario-use-visual-studio-code) section.
+- If you use HuggingFace models in Models with allow only approved outbound mode, create FQDN outbound rules described in the [use HuggingFace models](#scenario-use-huggingface-models) section.
## Network isolation architecture and isolation modes
There are three different configuration modes for outbound traffic from the mana
* Always use private endpoints to access Azure resources. * You must add rules for each outbound connection you need to allow.
-* Adding FQDN outbound rules increase your costs as this rule type uses Azure Firewall.
+* Adding FQDN outbound rules __increase your costs__ as this rule type uses Azure Firewall.
* The default rules for _allow only approved outbound_ are designed to minimize the risk of data exfiltration. Any outbound rules you add might increase your risk. The managed VNet is preconfigured with [required default rules](#list-of-required-rules). It's also configured for private endpoint connections to your Azure AI, Azure AI's default storage, container registry and key vault __if they're configured as private__ or __the Azure AI isolation mode is set to allow only approved outbound__. After choosing the isolation mode, you only need to consider other outbound requirements you might need to add.
If you plan to use __Visual Studio Code__ with Azure AI, add outbound _FQDN_ rul
* `update.code.visualstudio.com` * `*.vo.msecnd.net` * `marketplace.visualstudio.com`
-* `ghcr.io`
* `pkg-containers.githubusercontent.com` * `github.com`
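Review bot: removing `ghcr.io` from the Visual Studio Code FQDN list tightens the allow-only-approved-outbound allowlist, which is the right direction for the data exfiltration protection this article describes, but the remaining `github.com` and `pkg-containers.githubusercontent.com` entries show GitHub-hosted content is still fetched; confirm the VS Code integration no longer pulls anything from `ghcr.io`, otherwise connections to it are blocked in this mode and nothing on the page explains why.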
The Azure AI managed VNet feature is free. However, you're charged for the follo
* Managed VNet uses private endpoint connection to access your private resources. You can't have a private endpoint and a service endpoint at the same time for your Azure resources, such as a storage account. We recommend using private endpoints in all scenarios. * The managed VNet is deleted when the Azure AI is deleted. * Data exfiltration protection is automatically enabled for the only approved outbound mode. If you add other outbound rules, such as to FQDNs, Microsoft can't guarantee that you're protected from data exfiltration to those outbound destinations.
+* Using FQDN outbound rules increases the cost of the managed VNet because FQDN rules use Azure Firewall. For more information, see [Pricing](#pricing).
ai-studio Deploy Chat Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/deploy-chat-web-app.md
- ignite-2023 Previously updated : 11/15/2023 Last updated : 2/8/2024
Follow these steps to deploy a chat model and test it without your data.
1. Sign in to [Azure AI Studio](https://ai.azure.com). 1. Go to your project or [create a new project](../how-to/create-projects.md) in Azure AI Studio.
-1. Select **Build** from the top menu and then select **Deployments** > **Create**.
+1. Select **Build** from the top menu and then select **Deployments** > **Create** > **Real-time endpoint**.
:::image type="content" source="../media/tutorials/chat-web-app/deploy-create.png" alt-text="Screenshot of the deployments page without deployments." lightbox="../media/tutorials/chat-web-app/deploy-create.png":::
Follow these steps to add your data to the playground to help the assistant answ
:::image type="content" source="../media/tutorials/chat-web-app/chat-with-data.png" alt-text="Screenshot of the assistant's reply with grounding data." lightbox="../media/tutorials/chat-web-app/chat-with-data.png":::
-### Remarks about adding your data
-
-Although it's beyond the scope of this tutorial, to understand more about how the model uses your data, you can export the playground setup to prompt flow.
--
-Following through from there you can see the graphical representation of how the model uses your data to construct the response. For more information about prompt flow, see [prompt flow](../how-to/prompt-flow.md).
- ## Deploy your web app Once you're satisfied with the experience in Azure AI Studio, you can deploy the model as a standalone web application.
To deploy the web app:
- **Resource group**: Select a resource group in which to deploy the web app. You can use the same resource group as the Azure AI hub resource. - **Location**: Select a location in which to deploy the web app. You can use the same location as the Azure AI hub resource. - **Pricing plan**: Choose a pricing plan for the web app.
- - **Enable chat history in the web app**: For the tutorial, make sure this box isn't selected.
+ - **Enable chat history in the web app**: For the tutorial, the chat history box isn't selected. If you enable the feature, your users will have access to their individual previous queries and responses. For more information, see [chat history remarks](#chat-history).
- **I acknowledge that web apps will incur usage to my account**: Selected 1. Wait for the app to be deployed, which might take a few minutes.
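Review bot: the rewritten **Enable chat history in the web app** bullet reads as a description ("the chat history box isn't selected") rather than an instruction, whereas the replaced text told the reader what to do ("make sure this box isn't selected"); suggest "For this tutorial, leave the **Enable chat history in the web app** checkbox cleared." Keep the link to the chat history remarks, since that section is where the Cosmos DB cost and deletion consequences are explained.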
You're almost there! Now you can test the web app.
To avoid incurring unnecessary Azure costs, you should delete the resources you created in this quickstart if they're no longer needed. To manage resources, you can use the [Azure portal](https://portal.azure.com?azure-portal=true).
+## Remarks
+
+### Remarks about adding your data
+
+Although it's beyond the scope of this tutorial, to understand more about how the model uses your data, you can export the playground setup to prompt flow.
++
+Following through from there you can see the graphical representation of how the model uses your data to construct the response. For more information about prompt flow, see [prompt flow](../how-to/prompt-flow.md).
+
+### Chat history
+
+With the chat history feature, your users will have access to their individual previous queries and responses.
+
+You can enable chat history when you [deploy the web app](#deploy-the-web-app). Select the **Enable chat history in the web app** checkbox.
++
+> [!IMPORTANT]
+> Enabling chat history will create a [Cosmos DB instance](/azure/cosmos-db/introduction) in your resource group, and incur [additional charges](https://azure.microsoft.com/pricing/details/cosmos-db/autoscale-provisioned/) for the storage used.
+> Deleting your web app does not delete your Cosmos DB instance automatically. To delete your Cosmos DB instance, along with all stored chats, you need to navigate to the associated resource in the Azure portal and delete it.
+
+Once you've enabled chat history, your users will be able to show and hide it in the top right corner of the app. When the history is shown, they can rename, or delete conversations. As they're logged into the app, conversations will be automatically ordered from newest to oldest, and named based on the first query in the conversation.
+
+If you delete the Cosmos DB resource but keep the chat history option enabled on the studio, your users will be notified of a connection error, but can continue to use the web app without access to the chat history.
+ ## Next steps - [Create a project in Azure AI Studio](../how-to/create-projects.md).
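Review bot: two of the blank separator lines in the new Remarks section (the one after the prompt flow sentence and the one after "Select the **Enable chat history in the web app** checkbox.") contain a stray `+` instead of being empty, which renders as a literal plus sign; drop the extra character. In the Cosmos DB IMPORTANT callout, consider stating in one place that the stored conversations remain in the Cosmos DB instance, and keep incurring storage charges, until that resource is deleted separately from the web app; the current two sentences split that point.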
ai-studio Deploy Copilot Ai Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/deploy-copilot-ai-studio.md
description: Use this article to build and deploy a question and answer copilot
Previously updated : 11/15/2023 Last updated : 2/8/2024
Once a project is created, you can access the **Tools**, **Components**, and **S
Follow these steps to deploy an Azure OpenAI chat model for your copilot. 1. Sign in to [Azure AI Studio](https://ai.azure.com) with credentials that have access to your Azure OpenAI resource. During or after the sign-in workflow, select the appropriate directory, Azure subscription, and Azure OpenAI resource. You should be on the Azure AI Studio **Home** page.
-1. Select **Build** from the top menu and then select **Deployments** > **Create**.
+1. Select **Build** from the top menu and then select **Deployments** > **Create** > **Real-time endpoint**.
:::image type="content" source="../media/tutorials/copilot-deploy-flow/deploy-create.png" alt-text="Screenshot of the deployments page with a button to create a new project." lightbox="../media/tutorials/copilot-deploy-flow/deploy-create.png":::
ai-studio Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/whats-new.md
+
+ Title: What's new in Azure AI Studio?
+
+description: This article provides you with information about new releases and features.
+
+keywords: Release notes
++ Last updated : 2/7/2024+++++
+# What's new in Azure AI Studio?
++
+Azure AI Studio is updated on an ongoing basis. To stay up-to-date with recent developments, this article provides you with information about new releases and features.
+
+## February 2024
+
+### Azure AI hub
+
+Azure AI resource is renamed Azure AI hub resource. For additional information about the Azure AI hub resource, check out [the Azure AI hub resource documentation](./concepts/ai-resources.md).
+
+## January 2024
+
+### Benchmarks
+
+New models, datasets, and metrics are released for benchmarks. For additional information about the benchmarks experience, check out [the model catalog documentation](./how-to/model-catalog.md).
+
+Added models:
+- `microsoft-phi-2`
+- `mistralai-mistral-7b-instruct-v01`
+- `mistralai-mistral-7b-v01`
+- `codellama-13b-hf`
+- `codellama-13b-instruct-hf`
+- `codellama-13b-python-hf`
+- `codellama-34b-hf`
+- `codellama-34b-instruct-hf`
+- `codellama-34b-python-hf`
+- `codellama-7b-hf`
+- `codellama-7b-instruct-hf`
+- `codellama-7b-python-hf`
+
+Added datasets:
+- `truthfulqa_generation`
+- `truthfulqa_mc1`
+
+Added metrics:
+- `Coherence`
+- `Fluency`
+- `GPTSimilarity`
+
+## November 2023
+
+### Benchmarks
+
+Benchmarks are released as public preview in Azure AI Studio. For additional information about the Benchmarks experience, check out [the model catalog documentation](./how-to/model-catalog.md).
+
+Added models:
+- `gpt-35-turbo-0301`
+- `gpt-4-0314`
+- `gpt-4-32k-0314`
+- `llama-2-13b-chat`
+- `llama-2-13b`
+- `llama-2-70b-chat`
+- `llama-2-70b`
+- `llama-2-7b-chat`
+- `llama-2-7b`
+
+Added datasets:
+- `boolq`
+- `gsm8k`
+- `hellaswag`
+- `human_eval`
+- `mmlu_humanities`
+- `mmlu_other`
+- `mmlu_social_sciences`
+- `mmlu_stem`
+- `openbookqa`
+- `piqa`
+- `social_iqa`
+- `winogrande`
+
+Added tasks:
+- `Question Answering`
+- `Text Generation`
+
+Added metrics:
+- `Accuracy`
+
+## Related content
+
+- Learn more about the [Azure AI Studio](./what-is-ai-studio.md).
+- Learn about [what's new in Azure OpenAI Service](../ai-services/openai/whats-new.md).
aks Auto Upgrade Node Os Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/auto-upgrade-node-os-image.md
It's best to use both cluster-level [auto-upgrades][Autoupgrade] and the node OS
## Channels for node OS image upgrades
-The selected channel determines the timing of upgrades. When making changes to node OS auto-upgrade channels, allow up to 24 hours for the changes to take effect.
+The selected channel determines the timing of upgrades. When making changes to node OS auto-upgrade channels, allow up to 24 hours for the changes to take effect. Once you change from one channel to another channel, a reimage will be triggered leading to rolling nodes.
> [!NOTE] > Node OS image auto-upgrade won't affect the cluster's Kubernetes version. It only works for a cluster in a [supported version][supported].
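Review bot: the sentence added to the channel paragraph, "a reimage will be triggered leading to rolling nodes", is ungrammatical and buries an availability impact; suggest "Changing channels triggers a node reimage, so expect the nodes to roll" and, because this can disrupt running workloads, consider placing it in the NOTE that follows rather than leaving it inline after the 24-hour statement.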
aks Enable Authentication Microsoft Entra Id https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-authentication-microsoft-entra-id.md
Title: Enable managed identity authentication on Azure Kubernetes Service description: Learn how to enable Microsoft Entra ID on Azure Kubernetes Service with kubelogin and authenticate Azure users with credentials or managed roles. Previously updated : 11/22/2023 Last updated : 02/08/2024 # Enable Azure managed identity authentication for Kubernetes clusters with kubelogin
-The AKS-managed Microsoft Entra integration simplifies the Microsoft Entra integration process. Previously, you were required to create a client and server app, and the Microsoft Entra tenant had to grant Directory Read permissions. Now, the AKS resource provider manages the client and server apps for you.
+The AKS-managed Microsoft Entra integration simplifies the Microsoft Entra integration process. Previously, you were required to create a client and server app, and the Microsoft Entra tenant had to assign [Directory Readers][directory-readers-rbac-role] role permissions. Now, the AKS resource provider manages the client and server apps for you.
Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][open-id-connect]. Learn more about the Microsoft Entra integration flow in the [Microsoft Entra documentation](concepts-identity.md#azure-ad-integration).
+This article provides details on how to enable and use managed identities for Azure resources with your AKS cluster.
+ ## Limitations The following are constraints integrating Azure managed identity authentication on AKS.
If you lack administrative access to a valid Microsoft Entra group, you can foll
* Learn about [Microsoft Entra integration with Kubernetes RBAC][azure-ad-rbac]. * Learn more about [AKS and Kubernetes identity concepts][aks-concepts-identity].
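Review bot: the added sentence "This article provides details on how to enable and use managed identities for Azure resources with your AKS cluster" does not match the rest of the intro, which describes the AKS-managed Microsoft Entra integration (client and server apps, the Directory Readers role, OpenID Connect) for authenticating users with kubelogin; managed identities for Azure resources are a different feature, so reword to "how to enable and use the AKS-managed Microsoft Entra integration". In the `## Limitations` line, "constraints integrating Azure managed identity authentication" is missing a preposition ("constraints when integrating"), and the heading and its first sentence should not share a line.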
+* Learn how to [use kubelogin][kubelogin-authentication] for all supported Microsoft Entra authentication methods in AKS.
* Use [Azure Resource Manager (ARM) templates][aks-arm-template] to create AKS-managed Microsoft Entra ID enabled clusters.- <!-- LINKS - external --> [aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters [kubelogin]: https://github.com/Azure/kubelogin [azure-kubelogin-known-issues]: https://azure.github.io/kubelogin/known-issues.html <!-- LINKS - Internal -->
+[directory-readers-rbac-role]: /entra/identity/role-based-access-control/permissions-reference#directory-readers
[aks-concepts-identity]: concepts-identity.md [azure-ad-rbac]: azure-ad-rbac.md [az-aks-create]: /cli/azure/aks#az_aks_create
If you lack administrative access to a valid Microsoft Entra group, you can foll
[az-group-create]: /cli/azure/group#az_group_create [open-id-connect]:../active-directory/develop/v2-protocols-oidc.md [az-aks-update]: /cli/azure/aks#az_aks_update
+[kubelogin-authentication]: kubelogin-authentication.md
aks Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-cluster.md
Title: Upgrade options for Azure Kubernetes Service (AKS) clusters description: Learn the different ways to upgrade an Azure Kubernetes Service (AKS) cluster. Previously updated : 01/26/2024 Last updated : 02/08/2024 # Upgrade options for Azure Kubernetes Service (AKS) clusters
-This article shares different upgrade options for AKS clusters. To perform a basic Kubernetes version upgrade, see [Upgrade an AKS cluster](./upgrade-aks-cluster.md).
+This article covers the different upgrade options for AKS clusters. To perform a basic Kubernetes version upgrade, see [Upgrade an AKS cluster](./upgrade-aks-cluster.md).
For AKS clusters that use multiple node pools or Windows Server nodes, see [Upgrade a node pool in AKS][nodepool-upgrade]. To upgrade a specific node pool without performing a Kubernetes cluster upgrade, see [Upgrade a specific node pool][specific-nodepool].
To configure automatic upgrades, see the following articles:
## Special considerations for node pools that span multiple availability zones
-AKS uses best-effort zone balancing in node groups. During an upgrade surge, the zones for the surge nodes in Virtual Machine Scale Sets are unknown ahead of time, which can temporarily cause an unbalanced zone configuration during an upgrade. However, AKS deletes surge nodes once the upgrade completes and preserves the original zone balance. If you want to keep your zones balanced during upgrades, you can increase the surge to a multiple of *three nodes*, and Virtual Machine Scale Sets balances your nodes across availability zones with best-effort zone balancing.
+AKS uses best-effort zone balancing in node groups. During an upgrade surge, the zones for the surge nodes in Virtual Machine Scale Sets are unknown ahead of time, which can temporarily cause an unbalanced zone configuration during an upgrade. However, AKS deletes surge nodes once the upgrade completes and preserves the original zone balance. If you want to keep your zones balanced during upgrades, you can increase the surge to a multiple of *three nodes*, and Virtual Machine Scale Sets balances your nodes across availability zones with best-effort zone balancing. With best-effort zone balance, the scale set attempts to scale in and out while maintaining balance. However, if for some reason this is not possible (for example, if one zone goes down, the scale set cannot create a new VM in that zone), the scale set allows temporary imbalance to successfully scale in or out.
Persistent volume claims (PVCs) backed by Azure locally redundant storage (LRS) Disks are bound to a particular zone and might fail to recover immediately if the surge node doesn't match the zone of the PVC. If the zones don't match, it can cause downtime on your application when the upgrade operation continues to drain nodes but the PVs are bound to a zone. To handle this case and maintain high availability, configure a [Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) on your application to allow Kubernetes to respect your availability requirements during the drain operation.
The combination of [Planned Maintenance Window][planned-maintenance], [Max Surge
* [Node drain timeout][drain-timeout] on the node pool allows you to configure the wait duration for eviction of pods and graceful termination per node during an upgrade. This option is useful when dealing with long running workloads. When the node drain timeout is specified (in minutes), AKS respects waiting on pod disruption budgets. If not specified, the default timeout is 30 minutes. * [Node soak time][soak-time] (preview) helps stagger node upgrades in a controlled manner and can minimize application downtime during an upgrade. You can specify a wait time, preferably as reasonably close to 0 minutes as possible, to check application readiness between node upgrades. If not specified, the default value is 0 minutes. Node soak time works together with the max surge and node drain timeout properties available in the node pool to deliver the right outcomes in terms of upgrade speed and application availability.
- > [!NOTE]
- > To use node soak duration (preview), you must have the aks-preview Azure CLI extension version 0.5.173 or later installed.
+ > [!NOTE]
+ > To use node soak duration (preview), you must have the `aks-preview` Azure CLI extension version 0.5.173 or later installed.
## Next steps
aks Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md
- devx-track-azurecli - ignite-2023 Previously updated : 01/25/2024 Last updated : 02/08/2024 # Use a managed identity in Azure Kubernetes Service (AKS)
-Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. This identity can be a *managed identity* or *service principal*. A system-assigned managed identity is automatically created when you create an AKS cluster. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources][managed-identity-resources-overview].
+Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. The identity can be a *managed identity* or a *service principal*.
-AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*. AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable.
+This article provides details on how to enable the following managed identity types on a new or existing AKS cluster:
+
+* System-assigned managed identity
+* Bring your own user-assigned managed identity
+* Pre-created Kubelet managed identity
+
+## Overview
+
+When you deploy an AKS cluster, a system-assigned managed identity is automatically created, and it's managed by the Azure platform, so it doesn't require you to provision or rotate any secrets. For more information, see [managed identities for Azure resources][managed-identity-resources-overview].
+
+AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*.
+
+AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable.
> [!IMPORTANT] > The open source [Microsoft Entra pod-managed identity][entra-id-pod-managed-identity] (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024.
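Review bot: in the new bullet list of identity types, "Pre-created Kubelet managed identity" capitalizes kubelet, which as a Kubernetes component name is conventionally lowercase; use "Pre-created kubelet managed identity". The restructured overview otherwise carries over the original statements unchanged, including the credential lifetime (90-day expiry, rolled after 45 days) and the immutability of the identities.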
AKS uses several managed identities for built-in services and add-ons.
| Add-on | Ingress application gateway | Manages required network resources. | Contributor role for node resource group | No | Add-on | omsagent | Used to send AKS metrics to Azure Monitor. | Monitoring Metrics Publisher role | No | Add-on | Virtual-Node (ACIConnector) | Manages required network resources for Azure Container Instances (ACI). | Contributor role for node resource group | No
-| Add-on | Cost analysis | Used to gather cost allocation data | |
+| Add-on | Cost analysis | Used to gather cost allocation data | |
| OSS project | Microsoft Entra ID-pod-identity | Enables applications to access cloud resources securely with Microsoft Entra ID. | N/A | Steps to grant permission at [Microsoft Entra Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md). ## Enable managed identities on a new AKS cluster
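Review bot: in the new Overview paragraph, "Clusters that use a service principal eventually expire" names the wrong thing as expiring; it is the service principal's credential that expires and has to be renewed, not the cluster. The sentence was carried over verbatim from the removed paragraph, so this split is the right moment to reword it, for example "The credentials of the service principal used by a cluster eventually expire and must be renewed to avoid impacting cluster authentication." Separately, the touched Cost analysis row (`| Add-on | Cost analysis | Used to gather cost allocation data | |`) leaves the default-permissions and bring-your-own-identity cells empty while the other visible rows fill both; fill them in or write "N/A" so readers do not assume that no role is granted to that identity.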
Now you can create your AKS cluster with your existing identities. Make sure to
## Next steps
-Use [Azure Resource Manager templates][aks-arm-template] to create a managed identity-enabled cluster.
+* Use [Azure Resource Manager templates][aks-arm-template] to create a managed identity-enabled cluster.
+* Learn how to [use kubelogin][kubelogin-authentication] for all supported Microsoft Entra authentication methods in AKS.
<!-- LINKS - external --> [aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters
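Review bot: the added bullet uses the reference link `[kubelogin-authentication]`, but the LINKS block visible here only defines `[aks-arm-template]`; if `kubelogin-authentication` is not defined elsewhere in the file, the bullet renders as literal bracketed text with no link. Add the definition beside `[aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters` in the same LINKS section.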
api-center Enable Api Center Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/enable-api-center-portal.md
First configure an app registration in your Microsoft Entra ID tenant. The app r
1. On the **Overview** page, copy the **Application (client) ID**. You use this value when you configure the identity provider for the portal in your API center. 1. On the **API permissions** page, select **+ Add a permission**.
- 1. On the **Request API permissions** page, select the **APIs my organization uses** tab. Search for and select **Azure API Center**.
+ 1. On the **Request API permissions** page, select the **APIs my organization uses** tab. Search for and select **Azure API Center**. You can also search for and select application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573`.
1. On the **Request permissions** page, select **user_impersonation**. 1. Select **Add permissions**.
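Review bot: the added sentence "You can also search for and select application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573`" introduces a second "application ID" two steps after the reader was told to copy their own **Application (client) ID** from the Overview page, which invites confusion between the two values. State what the GUID identifies, for example "You can also search by the Azure API Center service's application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573` (this is not the client ID of your own app registration)", and use the same wording in the troubleshooting subsection that repeats the ID so the two places agree.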
If the user is assigned the role, there might be a problem with the registration
az provider register --namespace Microsoft.ApiCenter ```
-For more information and steps to register the resource provider using other tools, see [Register resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).
+### Unable to select Azure API Center permissions in Microsoft Entra app registration
+
+If you're unable to request API permissions to Azure API Center in your Microsoft Entra app registration for the API Center portal, check that you are searching for **Azure API Center** (or application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573`).
+
+If the app isn't present, there might be a problem with the registration of the **Microsoft.ApiCenter** resource provider in your subscription. You might need to re-register the resource provider. To do this, run the following command in the Azure CLI:
+
+```azurecli
+az provider register --namespace Microsoft.ApiCenter
+```
+
+After re-registering the resource provider, try again to request API permissions.
## Related content
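Review bot: the new "Unable to select Azure API Center permissions" subsection repeats the re-registration guidance already given in the preceding subsection (the `az provider register --namespace Microsoft.ApiCenter` command now appears in both), and the removed sentence "For more information and steps to register the resource provider using other tools, see [Register resource provider]..." takes the link to the non-CLI steps away from the first place a reader will need it. Keep one copy of the command and have the new subsection refer back to it, or leave the removed sentence where it was; also "check that you are searching for" reads better as "check that you're searching for" to match "If you're unable" at the start of the same paragraph.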
For more information and steps to register the resource provider using other too
* [Azure CLI reference for API Center](/cli/azure/apic) * [What is Azure role-based access control (RBAC)?](../role-based-access-control/overview.md) * [Best practices for Azure RBAC](../role-based-access-control/best-practices.md)
+* [Register a resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider)
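Review bot: Related content now points at the resource-provider article twice, once in the context sentence "For more information and steps to register the resource provider using other tools..." directly above the list and again in the new `[Register a resource provider]` bullet. Keep one; since Related content is a bullet list, drop the sentence (or move it into the troubleshooting subsection, next to the command it supports).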
api-management Api Management Debug Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-debug-policies.md
Title: Debug Azure API Management policies in Visual Studio Code | Microsoft Docs
-description: Learn how to debug Azure API Management Policies using the Azure API Management Visual Studio Code extension
+description: Learn how to debug Azure API Management Policies using the Azure API Management Visual Studio Code extension
- Last updated 09/22/2020
If there is an error during policy execution, you will see the details of the er
+ Learn more about the [API Management extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-apimanagement). + Report issues in the [GitHub repository](https://github.com/Microsoft/vscode-apimanagement)-
api-management Api Management Error Handling Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-error-handling-policies.md
ms.assetid: 3c777964-02b2-4f55-8731-8c3bd3c0ae27 - Last updated 01/10/2020
api-management Api Management Howto Cache https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-cache.md
ms.assetid: 740f6a27-8323-474d-ade2-828ae0c75e7a - Last updated 11/13/2020 - # Add caching to improve performance in Azure API Management
api-management Api Management Howto Create Or Invite Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-or-invite-developers.md
- Last updated 02/13/2018 - # How to manage user accounts in Azure API Management
api-management Api Management Howto Create Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-subscriptions.md
- Last updated 08/03/2022
Get more information on API Management:
+ Learn other [concepts](api-management-terminology.md) in API Management. + Follow our [tutorials](import-and-publish.md) to learn more about API Management.
-+ Check our [FAQ page](api-management-faq.yml) for common questions.
++ Check our [FAQ page](api-management-faq.yml) for common questions.
api-management Api Management Howto Provision Self Hosted Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-provision-self-hosted-gateway.md
- Last updated 03/31/2020 - # Provision a self-hosted gateway in Azure API Management
api-management Api Management Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-kubernetes.md
- Last updated 12/14/2019
api-management Api Management Log To Eventhub Sample https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-log-to-eventhub-sample.md
ms.assetid: c528cf6f-5f16-4a06-beea-fa1207541a47 - ms.devlang: csharp
api-management Api Management Terminology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-terminology.md
- Last updated 05/09/2022
api-management Api Management Troubleshoot Cannot Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-troubleshoot-cannot-add-custom-domain.md
- Last updated 07/19/2019
api-management Automation Manage Api Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/automation-manage-api-management.md
ms.assetid: 2e53c9af-f738-47f8-b1b6-593050a7c51b - Last updated 02/13/2018 - # Managing Azure API Management using Azure Automation This guide introduces you to the Azure Automation service, and how it can be used to simplify management of Azure API Management.
Here are some examples of using API Management with PowerShell:
## Next Steps Now that you've learned the basics of Azure Automation and how it can be used to manage Azure API Management, follow these links to learn more.
-* See the Azure Automation [getting started tutorial](../automation/learn/powershell-runbook-managed-identity.md).
+* See the Azure Automation [getting started tutorial](../automation/learn/powershell-runbook-managed-identity.md).
api-management Edit Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/edit-api.md
description: Learn how to use API Management to edit an API. Add, delete, or ren
- Last updated 01/19/2022 - # Edit an API
api-management How To Configure Cloud Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-cloud-metrics-logs.md
- Last updated 04/30/2020 - # Configure cloud metrics and logs for Azure API Management self-hosted gateway
If a gateway is deployed in [Azure Kubernetes Service](https://azure.microsoft.c
* To learn more about the [observability capabilities of the Azure API Management gateways](observability.md). * To learn more about the self-hosted gateway, see [Azure API Management self-hosted gateway overview](self-hosted-gateway-overview.md)
-* Learn about [configuring and persisting logs locally](how-to-configure-local-metrics-logs.md)
+* Learn about [configuring and persisting logs locally](how-to-configure-local-metrics-logs.md)
api-management How To Configure Local Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-local-metrics-logs.md
- Last updated 05/11/2021 - # Configure local metrics and logs for Azure API Management self-hosted gateway
api-management How To Deploy Self Hosted Gateway Kubernetes Opentelemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md
description: Learn how to deploy a self-hosted gateway component of Azure API Ma
- Last updated 12/17/2021
api-management How To Deploy Self Hosted Gateway Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md
description: Learn how to deploy a self-hosted gateway component of Azure API Ma
- Last updated 05/22/2023
api-management How To Self Hosted Gateway On Kubernetes In Production https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md
description: Learn about guidance to run an API Management self-hosted gateway o
- Last updated 01/17/2023
api-management Import Function App As Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-function-app-as-api.md
- Last updated 04/16/2021 - # Import an Azure Function App as an API in Azure API Management
api-management Import Logic App As Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-logic-app-as-api.md
- Last updated 04/16/2021
api-management Observability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/observability.md
- Last updated 06/01/2020 - # Observability in Azure API Management
api-management Vscode Create Service Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/vscode-create-service-instance.md
Title: Quickstart - Create Azure API Management instance - VS Code description: Use this quickstart to create an Azure API Management instance with the API Management extension for Visual Studio Code. -
app-service Overview App Gateway Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-app-gateway-integration.md
ms.assetid: 073eb49c-efa1-4760-9f0c-1fecd5c251cc - Last updated 09/29/2023
app-service Overview Nat Gateway Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-nat-gateway-integration.md
ms.assetid: 0a84734e-b5c1-4264-8d1f-77e781b28426 - Last updated 04/08/2022
app-service Quickstart Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-java.md
keywords: azure, app service, web app, windows, linux, java, maven, quickstart
ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a ms.devlang: java Previously updated : 08/31/2023 Last updated : 02/10/2024 zone_pivot_groups: app-service-java-hosting adobe-target: true
::: zone-end ::: zone-end
app-service Samples Resource Manager Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/samples-resource-manager-templates.md
To learn about the JSON syntax and properties for App Services resources, see [M
|-|-| | [App Service plan and basic Linux app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-linux) | Deploys an App Service app that is configured for Linux. | | [App Service plan and basic Windows app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-windows) | Deploys an App Service app that is configured for Windows. |
+| [App Service plan and basic Windows container app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/app-service-docs-windows-container) | Deploys an App Service app that is configured for a Windows container. |
| [App linked to a GitHub repository](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-github-deploy)| Deploys an App Service app that pulls code from GitHub. | | [App with custom deployment slots](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-custom-deployment-slots)| Deploys an App Service app with custom deployment slots/environments. | | [App with Private Endpoint](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/private-endpoint-webapp)| Deploys an App Service app with a Private Endpoint. |
app-service Samples Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/samples-terraform.md
Last updated 11/18/2022
- # Terraform samples for Azure App Service
app-service Scenario Secure App Access Microsoft Graph As App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md
- Last updated 04/05/2023
app-service Scenario Secure App Access Microsoft Graph As User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-microsoft-graph-as-user.md
- Last updated 09/15/2023
app-service Scenario Secure App Access Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-storage.md
- Last updated 07/31/2023
app-service Scenario Secure App Authentication App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-authentication-app-service.md
- Last updated 06/25/2023
-#Customer intent: As an application developer, enable authentication and authorization for a web app running on Azure App Service.
+#Customer intent: As an application developer, enable authentication and authorization for a web app running on Azure App Service.
# Tutorial: Add app authentication to your web app running on Azure App Service
app-service Scenario Secure App Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-overview.md
Title: Tutorial - Build a secure web app on Azure App Service | Azure
-description: In this tutorial, you learn how to build a web app by using Azure App Service, enable authentication, call Azure Storage, and call Microsoft Graph.
+description: In this tutorial, you learn how to build a web app by using Azure App Service, enable authentication, call Azure Storage, and call Microsoft Graph.
- Last updated 12/10/2021
-#Customer intent: As an application developer, I want to learn how to secure access to a web app running on Azure App Service.
+#Customer intent: As an application developer, I want to learn how to secure access to a web app running on Azure App Service.
# Tutorial: Enable authentication in App Service and access storage and Microsoft Graph
app-service Powershell Deploy Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/powershell-deploy-private-endpoint.md
Last updated 12/06/2022 -
app-service Template Deploy Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/template-deploy-private-endpoint.md
Last updated 07/08/2020 -
app-service Terraform Secure Backend Frontend https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/terraform-secure-backend-frontend.md
Last updated 12/06/2022 -
app-service Tutorial Connect App Access Microsoft Graph As App Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-microsoft-graph-as-app-javascript.md
- Last updated 03/14/2023
app-service Tutorial Connect App Access Microsoft Graph As User Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-microsoft-graph-as-user-javascript.md
- Last updated 03/08/2022
app-service Tutorial Connect App Access Sql Database As User Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-sql-database-as-user-dotnet.md
description: Secure database connectivity with Microsoft Entra authentication fr
- ms.devlang: csharp
app-service Tutorial Connect App Access Storage Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-storage-javascript.md
- Last updated 07/31/2023
application-gateway Create Gateway Internal Load Balancer App Service Environment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/create-gateway-internal-load-balancer-app-service-environment.md
-
+ Title: Troubleshoot an Application Gateway in Azure ΓÇô ILB ASE | Microsoft Docs description: Learn how to troubleshoot an application gateway by using an Internal Load Balancer with an App Service Environment in Azure
- Last updated 06/10/2022
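Review bot: the added title line contains the mis-encoded sequence `ΓÇô` ("Troubleshoot an Application Gateway in Azure ΓÇô ILB ASE") where an en dash was intended, and it will render literally in the page title. Replace it with a plain hyphen or the correct `–`, and check that the file is saved as UTF-8 so the same corruption does not return on the next edit.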
application-gateway Ipv6 Application Gateway Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ipv6-application-gateway-portal.md
description: Learn how to configure Application Gateway with a frontend public I
Previously updated : 11/06/2023 Last updated : 02/08/2024
The IPv6 Application Gateway preview is available to all public cloud regions wh
* IPv6 private Link is currently not supported * IPv6-only Application Gateway is currently not supported. Application Gateway must be dual stack (IPv6 and IPv4) * Deletion of frontend IP addresses aren't supported
+* Application Gateway Ingress Controller (AGIC) does not support IPv6 configuration
* Existing IPv4 Application Gateways cannot be upgraded to dual stack Application Gateways > [!NOTE]
To opt out of the public preview for the enhanced Application Gateway network co
## Next steps -- [What is Azure Application Gateway v2?](overview-v2.md)
+- [What is Azure Application Gateway v2?](overview-v2.md)
application-gateway Ipv6 Application Gateway Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ipv6-application-gateway-powershell.md
Previously updated : 08/17/2023 Last updated : 02/08/2024
The IPv6 Application Gateway preview is available to all public cloud regions wh
* IPv6 private Link is currently not supported * IPv6-only Application Gateway is currently not supported. Application Gateway must be dual stack (IPv6 and IPv4) * Deletion of frontend IP addresses aren't supported
+* Application Gateway Ingress Controller (AGIC) does not support IPv6 configuration
* Existing IPv4 Application Gateways cannot be upgraded to dual stack Application Gateways > [!NOTE]
application-gateway Create Vmss Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-cli.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
application-gateway Create Vmss Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-powershell.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
application-gateway Create Vmss Waf Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-waf-cli.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
application-gateway Create Vmss Waf Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-waf-powershell.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
automanage Arm Deploy Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/arm-deploy-arc.md
Title: Onboard an Azure Arc-enabled server to Azure Automanage with an ARM template description: Learn how to onboard an Azure Arc-enabled server to Azure Automanage with an Azure Resource Manager template. - Last updated 02/25/2022
automanage Arm Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/arm-deploy.md
Title: Onboard a machine to Azure Automanage with an ARM template description: Learn how to onboard a machine to Azure Automanage with an Azure Resource Manager template. - Last updated 12/10/2021
automanage Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-account.md
Title: Azure Automanage Account description: Learn how an Automanage Account works and how to create one. - Last updated 12/10/2021
az deployment sub create --location <location> --template-file azuredeploy2.json
``` ## Next steps
-* Learn about Automanage services for [Linux](./automanage-linux.md) and [Windows](./automanage-windows-server.md)
+* Learn about Automanage services for [Linux](./automanage-linux.md) and [Windows](./automanage-windows-server.md)
automanage Automanage Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-arc.md
Title: Azure Automanage for Azure Arc-enabled servers
description: Learn about Azure Automanage for Azure Arc-enabled servers - Last updated 05/12/2022
automanage Automanage Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-linux.md
description: Learn about Azure Automanage for virtual machines best practices fo
- Last updated 12/10/2021
automanage Automanage Smb Over Quic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-smb-over-quic.md
Title: SMB over QUIC with Azure Automanage machine best practices
-description: Overview of managing SMB over QUIC with Azure Automanage machine best practices
+description: Overview of managing SMB over QUIC with Azure Automanage machine best practices
- Last updated 11/1/2021-+ # SMB over QUIC with Automanage machine best practices
It may take a couple of hours for machine best practices to be configured and th
## Next steps > [!div class="nextstepaction"]
-> [Learn more about SMB over QUIC](/windows-server/storage/file-server/smb-over-quic)
+> [Learn more about SMB over QUIC](/windows-server/storage/file-server/smb-over-quic)
automanage Automanage Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-upgrade.md
Title: Upgrade your Azure Automanage machines to the latest Automanage version
description: Learn how to upgrade your machines to the latest Azure Automanage version - Last updated 9/1/2022
automanage Automanage Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-windows-server.md
Title: Azure Automanage for Windows Server
description: Learn about Azure Automanage for virtual machines best practices for services that are automatically onboarded and configured for Windows Server machines. - Last updated 03/22/2022
automanage Common Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/common-errors.md
Title: Troubleshoot common Azure Automanage onboarding errors description: Common Automanage onboarding errors and how to troubleshoot them - Last updated 12/10/2021
If you don't see any failed deployments in the resource group or subscription co
* [Learn more about Azure Automanage](./overview-about.md) > [!div class="nextstepaction"]
-> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage How To Disable Automanage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/how-to-disable-automanage.md
Title: Disable Azure Automanage for virtual machines
description: Learn how to disable Azure Automanage for Automanaged virtual machines. - Last updated 09/07/2022
First and foremost, we will not off-board the virtual machine from any of the se
Get the most frequently asked questions answered in our FAQ. > [!div class="nextstepaction"]
-> [Frequently Asked Questions](faq.yml)
+> [Frequently Asked Questions](faq.yml)
automanage Move Automanaged Configuration Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/move-automanaged-configuration-profile.md
Title: Move an Azure Automanage configuration profile across regions description: Learn how to move an Automanage Configuration Profile across regions - Last updated 05/01/2022
automanage Move Automanaged Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/move-automanaged-vms.md
Title: Move an Azure Automanage virtual machine across regions description: Learn how to move an Automanaged virtual machine across regions - Last updated 12/10/2021
Once you have moved your VMs across regions, you may re-enable Automanage on the
## Next steps * [Learn more about Azure Automanage](./overview-about.md)
-* [View frequently asked questions about Azure Automanage](./faq.yml)
+* [View frequently asked questions about Azure Automanage](./faq.yml)
automanage Overview About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-about.md
Title: About Azure Automanage Machine Best Practices
description: Learn about Azure Automanage machine best practices. - Last updated 9/07/2022
automanage Overview Azure Disk Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-azure-disk-encryption.md
Title: Azure disk encryption
description: Learn about Azure disk encryption on Azure Automanaged enabled virtual machines. - Last updated 9/07/2022
In this article, you learned that Automanage for machines provides a means for w
Try enabling Automanage for Azure virtual machines or Arc-enabled servers in the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Overview Configuration Profiles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-configuration-profiles.md
Title: Automanage Configuration profiles
description: Learn about Azure Automanage configuration profiles for virtual machines. - Last updated 9/07/2022
In this article, you learned that Automanage for machines provides a means for w
Try enabling Automanage for Azure virtual machines or Arc-enabled servers in the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Overview Vm Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-vm-status.md
Title: Check an Automanaged VM status
description: Learn about Azure Automanage configuration profile statuses for virtual machines. - Last updated 9/07/2022
In this article, you learned that Automanage for machines provides a means for w
Try enabling Automanage for Azure virtual machines or Arc-enabled servers in the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Quick Create Virtual Machines Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-create-virtual-machines-portal.md
Last updated 12/10/2021 -
automanage Quick Go Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-go-sdk.md
Title: Azure Quickstart SDK for Go
description: Create configuration profile assignments using the GO SDK for Automanage. - Last updated 08/24/2022
automanage Quick Java Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-java-sdk.md
Title: Azure Quickstart SDK for Java
description: Create configuration profile assignments using the Java SDK for Automanage. - Last updated 08/24/2022
automanage Quick Javascript Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-javascript-sdk.md
Title: Azure Quickstart SDK for JavaScript
description: Create configuration profile assignments using the JavaScript SDK for Automanage. - Last updated 08/24/2022
automanage Quick Python Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-python-sdk.md
Title: Azure Quickstart SDK for Python
description: Create configuration profile assignments using the Python SDK for Automanage. - Last updated 08/24/2022
automanage Reference Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/reference-sdk.md
Title: SDK Overview
description: Get started with the Automanage SDKs. - Last updated 11/17/2022
automanage Repair Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/repair-automanage-account.md
Title: Repair a broken Azure Automanage Account
-description: If you've recently moved a subscription that contains an Automanage Account to a new tenant, you need to reconfigure it. In this article, you'll learn how.
+description: If you've recently moved a subscription that contains an Automanage Account to a new tenant, you need to reconfigure it. In this article, you'll learn how.
- Last updated 11/05/2020
automanage Tutorial Create Assignment Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/tutorial-create-assignment-python.md
Title: Tutorial - python
description: Create a virtual machine and assign an automanage best practices configuration profile to it. - Last updated 08/25/2022
automanage Virtual Machines Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/virtual-machines-best-practices.md
Title: Azure Automanage Machine Best Practices
description: Learn about the Azure Automanage machine best practices for services that are automatically onboarded and configured for you. - Last updated 12/10/2021
automanage Virtual Machines Custom Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/virtual-machines-custom-profile.md
Title: Create a custom profile in Azure Automanage for VMs
description: Learn how to create a custom profile in Azure Automanage and select your services and settings. - Last updated 07/01/2023
automanage Virtual Machines Policy Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/virtual-machines-policy-enable.md
Title: Enable Automanage for virtual machines through Azure Policy
description: Learn how to enable Azure Automanage for VMs through a built-in Azure Policy in the Azure portal. - Last updated 12/10/2021
Sign in to the [Azure portal](https://portal.azure.com/).
Learn another way to enable Azure Automanage for virtual machines through the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automation Guidance Migration Log Analytics Monitoring Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/guidance-migration-log-analytics-monitoring-agent.md
Previously updated : 11/03/2023 Last updated : 02/07/2024 + # Migration guidance from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version
Using the Azure portal, you can migrate from Change Tracking & Inventory with LA
#### Prerequisites -- Ensure to have the Windows PowerShell console installed. We recommend that you use PowerShell version 7.2 or higher. Follow the steps to [Install PowerShell on Windows](/powershell/scripting/install/installing-powershell-on-windows).
+- Ensure you have PowerShell installed. The latest version of PowerShell 7 or higher is recommended. Follow the steps to [Install PowerShell on Windows, Linux, and macOS](/powershell/scripting/install/installing-powershell).
- Obtain Read access for the specified workspace resources.-- Ensure that you have `Az.Accounts` and `Az.OperationalInsights` modules installed. The `Az.PowerShell` module is used to pull workspace agent configuration information.-- Ensure to have the Azure credentials to run `Connect-AzAccount` and `Select Az-Context` that set the context for the script to run.
+- [Install the latest version of the Az PowerShell module](/powershell/azure/install-azure-powershell). The **Az.Accounts** and **Az.OperationalInsights** modules are required to pull workspace agent configuration information.
+- Ensure you have Azure credentials to run `Connect-AzAccount` and `Select-AzContext` which set the script's context.
Follow these steps to migrate using scripts. #### Migration guidance 1. Install the script and run it to conduct migrations.
-1. Ensure that the new workspace resource ID is different to the one with which it's associated to in the Change Tracking and Inventory using the LA version.
+1. Ensure the new workspace resource ID is different from the one associated with the Change Tracking and Inventory using the LA version.
1. Migrate settings for the following data types: - Windows Services - Linux Files - Windows Files - Windows Registry - Linux Daemons
-1. Generate and associates a new DCR to transfer the settings to the Change Tracking and Inventory using AMA.
+1. Generate and associate a new DCR to transfer the settings to the Change Tracking and Inventory using AMA.
#### Onboard at scale
-Use the [script](https://github.com/mayguptMSFT/AzureMonitorCommunity/blob/master/Azure%20Services/Azure%20Monitor/Agents/Migration%20Tools/DCR%20Config%20Generator/CTDcrGenerator/CTWorkSpaceSettingstoDCR.ps1) to migrate Change tracking workspace settings to data collection rule.
+Use the [script](https://github.com/mayguptMSFT/AzureMonitorCommunity/blob/master/Azure%20Services/Azure%20Monitor/Agents/Migration%20Tools/DCR%20Config%20Generator/CTDcrGenerator/CTWorkSpaceSettingstoDCR.ps1) to migrate Change tracking workspace settings to a data collection rule.
#### Parameters **Parameter** | **Required** | **Description** | | | |
-`InputWorkspaceResourceId`| Yes | Resource ID of the workspace associated to Change Tracking & Inventory with Log Analytics. |
-`OutputWorkspaceResourceId`| Yes | Resource ID of the workspace associated to Change Tracking & Inventory with Azure Monitoring Agent. |
+`InputWorkspaceResourceId`| Yes | Resource ID of the workspace associated with Change Tracking & Inventory with Log Analytics. |
+`OutputWorkspaceResourceId`| Yes | Resource ID of the workspace associated with Change Tracking & Inventory with Azure Monitoring Agent. |
`OutputDCRName`| Yes | Custom name of the new DCR created. | `OutputDCRLocation`| Yes | Azure location of the output workspace ID. | `OutputDCRTemplateFolderPath`| Yes | Folder path where DCR templates are created. |
To obtain the Log Analytics Workspace resource ID, follow these steps:
### [Using PowerShell script](#tab/limit-policy)
-1. For File Content changes-based settings, you have to migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in [Track file contents](manage-change-tracking.md#track-file-contents).
-1. Any VM with > 100 file/registry settings for migration via portal isn't supported now.
+1. For File Content changes-based settings, you must migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in [Track file contents](manage-change-tracking.md#track-file-contents).
+1. Any VM with > 100 file/registry settings for migration via Azure Portal isn't supported.
1. Alerts that you configure using the Log Analytics Workspace must be [manually configured](configure-alerts.md).
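Review bot: the migration script linked under "Onboard at scale" is served from a personal fork on its master branch (github.com/mayguptMSFT/AzureMonitorCommunity/blob/master/...), yet the prerequisites have the reader run it under live Azure credentials (`Connect-AzAccount`) with access to workspace configuration; link to the upstream repository or pin a specific commit so the content can't change underneath readers, and add a sentence advising them to review the script before running it. Two smaller points: the tab anchor `#tab/limit-policy` on the "Using PowerShell script" heading doesn't match the tab's title, and the limitations list starts at "1." for each item (fine for rendering, but the first item reads as a limitation of the script rather than of the portal path it describes).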
automation Quickstart Create Automation Account Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/quickstart-create-automation-account-template.md
description: This article shows how to create an Automation account by using the
Last updated 04/12/2023 -
azure-arc Managed Instance Disaster Recovery Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/managed-instance-disaster-recovery-cli.md
Follow the steps below if Azure Arc data services are deployed in `indirectly` c
2. Switch context to the secondary cluster by running ```kubectl config use-context <secondarycluster>``` and provision the managed instance in the secondary site that will be the disaster recovery instance. At this point, the system databases are not part of the contained availability group. > [!NOTE]
- > It is important to specify `--license-type DisasterRecovery` **during** the Azure Arc-enabled SQL MI creation. This will allow the DR instance to be seeded from the primary instance in the primary data center. Updating this property post deployment will not have the same effect.
+ > It is important to specify `--license-type DisasterRecovery` **during** the managed instance. This will allow the DR instance to be seeded from the primary instance in the primary data center. Updating this property post deployment will not have the same effect.
```azurecli az sql mi-arc create --name <secondaryinstance> --tier bc --replicas 3 --license-type DisasterRecovery --k8s-namespace <namespace> --use-k8s ```
-3. Mirroring certificates - The binary data inside the Mirroring Certificate property of the Azure Arc-enabled SQL MI is needed for the Instance Failover Group CR (Custom Resource) creation.
+3. Mirroring certificates - The binary data inside the Mirroring Certificate property of the managed instance is needed for the Instance Failover Group CR (Custom Resource) creation.
This can be achieved in a few ways: (a) If using `az` CLI, generate the mirroring certificate file first, and then point to that file while configuring the Instance Failover Group so the binary data is read from the file and copied over into the CR. The cert files are not needed after failover group creation.
- (b) If using `kubectl`, directly copy and paste the binary data from the Azure Arc-enabled SQL MI CR into the yaml file that will be used to create the Instance Failover Group.
+ (b) If using `kubectl`, directly copy and paste the binary data from the managed instance CR into the yaml file that will be used to create the Instance Failover Group.
Using (a) above:
Use `az sql instance-failover-group-arc update ...` command group to initiate a
Run the following command to initiate a manual failover, in `direct` connected mode using ARM APIs: ```azurecli
-az sql instance-failover-group-arc update --name <shared name of failover group> --mi <primary Azure Arc-enabled SQL MI> --role secondary --resource-group <resource group>
+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <primary instance> --role secondary --resource-group <resource group>
``` Example:
On the geo-secondary DR instance, run the following command to promote it to pri
### Directly connected mode ```azurecli
-az sql instance-failover-group-arc update --name <shared name of failover group> --mi <secondary Azure Arc-enabled SQL MI> --role force-primary-allow-data-loss --resource-group <resource group> --partner-sync-mode async
+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <instance> --role force-primary-allow-data-loss --resource-group <resource group> --partner-sync-mode async
``` Example:
az sql instance-failover-group-arc update --name myfog --mi sqlmi2 --role force-
az sql instance-failover-group-arc update --k8s-namespace my-namespace --name secondarycr --use-k8s --role force-primary-allow-data-loss --partner-sync-mode async ```
-When the geo-primary Azure Arc-enabled SQL MI instance becomes available, run the below command to bring it into the failover group and synchronize the data:
+When the geo-primary instance becomes available, run the below command to bring it into the failover group and synchronize the data:
### Directly connected mode ```azurecli
-az sql instance-failover-group-arc update --name <shared name of failover group> --mi <old primary Azure Arc-enabled SQL MI> --role force-secondary --resource-group <resource group>
+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <old primary instance> --role force-secondary --resource-group <resource group>
``` ### Indirectly connected mode
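Review bot: the reworded note now reads "specify `--license-type DisasterRecovery` **during** the managed instance." and has lost the word the sentence depends on; the original said "during the Azure Arc-enabled SQL MI creation", so this should be "**during** creation of the managed instance". The point that matters is preserved on the next sentence (setting the property after deployment does not seed the DR instance), so it is worth keeping the timing explicit.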
azure-arc Deployment Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/deployment-options.md
The following table highlights each method so that you can determine which works
| Interactively | Manually install the agent on a single or small number of machines by [connecting machines using a deployment script](onboard-portal.md).<br> From the Azure portal, you can generate a script and execute it on the machine to automate the install and configuration steps of the agent.| | Interactively | [Connect machines from Windows Admin Center](onboard-windows-admin-center.md) | | Interactively or at scale | [Connect machines using PowerShell](onboard-powershell.md) |
-| Interactively or at scale | [Connect machines using Windows PowerShell Desired State Configuration (DSC)](onboard-dsc.md) |
| At scale | [Connect machines using a service principal](onboard-service-principal.md) to install the agent at scale non-interactively.| | At scale | [Connect machines by running PowerShell scripts with Configuration Manager](onboard-configuration-manager-powershell.md) | At scale | [Connect machines with a Configuration Manager custom task sequence](onboard-configuration-manager-custom-task.md)
azure-arc Manage Automatic Vm Extension Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/manage-automatic-vm-extension-upgrade.md
Automatic extension upgrade supports the following extensions:
- Key Vault Extension - Linux only - Azure Update Manager - Linux and Windows - Azure Automation Hybrid Runbook Worker - Linux and Windows-- Azure Arc-enabled SQL Server agent - Linux and Windows
+- Azure extension for SQL Server - Linux and Windows
More extensions will be added over time. Extensions that do not support automatic extension upgrade today are still configured to enable automatic upgrades by default. This setting will have no effect until the extension publisher chooses to support automatic upgrades.
azure-arc Onboard Dsc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-dsc.md
- Title: Install Connected Machine agent using Windows PowerShell DSC
-description: In this article, you learn how to connect machines to Azure using Azure Arc-enabled servers using Windows PowerShell DSC.
Previously updated : 08/17/2021---
-# How to install the Connected Machine agent using Windows PowerShell DSC
-
-Using [Windows PowerShell Desired State Configuration](/powershell/dsc/getting-started/winGettingStarted) (DSC), you can automate software installation and configuration for a Windows computer. This article describes how to use DSC to install the Azure Connected Machine agent on hybrid Windows machines.
-
->[!NOTE]
-> The PowerShell module described in this article is not currently supported by Microsoft. Any changes or improvements are only handled as a best-effort by the community.
->
-
-## Requirements
--- Windows PowerShell version 4.0 or higher--- The AzureConnectedMachineDsc module--- A service principal to connect the machines to Azure Arc-enabled servers non-interactively. Follow the steps under the section [Create a Service Principal for onboarding at scale](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) if you have not created a service principal for Azure Arc-enabled servers already.-
-## Install the ConnectedMachine DSC module
-
-1. To manually install the module, download the source code from GitHub. Save the content to the
-`$env:ProgramFiles\WindowsPowerShell\Modules folder`.
-
- ```powershell
- git clone https://github.com/azure/AzureConnectedMachineDsc
- ```
-
-2. To confirm installation, run the following command and ensure you see the Azure Connected Machine DSC resources available.
-
- ```powershell
- Get-DscResource -Module AzureConnectedMachineDsc
- ```
-
- In the output, you should see something similar to the following:
-
- ![Confirmation of Connected Machine DSC module installation example](./media/onboard-dsc/confirm-module-installation.png)
-
-## Install the agent and connect to Azure
-
-The resources in this module are designed to manage the Azure Connected Machine agent configuration. Also included is a PowerShell script `AzureConnectedMachineAgent.ps1`, found in the `AzureConnectedMachineDsc\examples` folder. It uses community resources to automate the download and installation, and establish a connection with Azure Arc. This script performs similar steps described in the [Connect hybrid machines to Azure from the Azure portal](onboard-portal.md) article.
-
-If the machine needs to communicate through a proxy server to the service, after you install the agent you need to run a command that's described [here](manage-agent.md#update-or-remove-proxy-settings). This sets the proxy server system environment variable `https_proxy`. Instead of running the command manually, you can perform this step with DSC by using the [ComputeManagementDsc](https://www.powershellgallery.com/packages/ComputerManagementDsc) module. Using this configuration, the agent communicates through the proxy server using the HTTP protocol.
-
->[!NOTE]
->To allow DSC to run, Windows needs to be configured to receive PowerShell remote commands even when you're running a localhost configuration. To easily configure your environment correctly, just run `Set-WsManQuickConfig -Force` in an elevated PowerShell Terminal.
->
-
-Configuration documents (MOF files) can be applied to the machine using the `Start-DscConfiguration` cmdlet.
-
-The following are the parameters you pass to the PowerShell script to use.
--- `TenantId`: The unique identifier (GUID) that represents your dedicated instance of Microsoft Entra ID.--- `SubscriptionId`: The subscription ID (GUID) of your Azure subscription that you want the machines in.--- `ResourceGroup`: The resource group name where you want your connected machines to belong to.--- `Location`: See [supported Azure regions](overview.md#supported-regions). This location can be the same or different, as the resource group's location.--- `Tags`: String array of tags that should be applied to the connected machine resource.--- `Credential`: A PowerShell credential object with the **ApplicationId** and **password** used to register machines at scale using a [service principal](onboard-service-principal.md).-
-1. In a PowerShell console, navigate to the folder where you saved the `.ps1` file.
-
-2. Run the following PowerShell commands to compile the MOF document (for information about compiling DSC configurations, see [DSC Configurations](/powershell/dsc/configurations/configurations):
-
- ```powershell
- .\`AzureConnectedMachineAgent.ps1 -TenantId <TenantId GUID> -SubscriptionId <SubscriptionId GUID> -ResourceGroup '<ResourceGroupName>' -Location '<LocationName>' -Tags '<Tag>' -Credential <psCredential>
- ```
-
-3. This will create a `localhost.mof file` in a new folder named `C:\dsc`.
-
-After you install the agent and configure it to connect to Azure Arc-enabled servers, go to the Azure portal to verify that the server has been successfully connected. View your machines in the [Azure portal](https://aka.ms/hybridmachineportal).
-
-## Adding to existing configurations
-
-This resource can be added to existing DSC configurations to represent an end-to-end configuration for a machine. For example, you might wish to add this resource to a configuration that sets secure operating system settings.
-
-The [CompositeResource](https://www.powershellgallery.com/packages/compositeresource) module from the PowerShell Gallery can be used to create a [composite resource](/powershell/dsc/resources/authoringResourceComposite) of the example configuration, to further simplify combining configurations.
-
-## Next steps
-
-* Troubleshooting information can be found in the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md).
-
-* Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.
-
-* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/machine-configuration/overview.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [VM insights](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
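Review bot: this deletes onboard-dsc.md outright, and the matching "Windows PowerShell Desired State Configuration (DSC)" row is removed from the deployment-options table in the same change, but nothing visible here adds a redirect for the old URL; other articles and the TOC may still link to it, so a redirect entry (or a sweep of inbound links) should accompany the removal.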
azure-arc Run Command https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/run-command.md
Title: How to remotely and securely configure servers using Run command (Preview) description: Learn how to remotely and securely configure servers using Run Command. Previously updated : 12/22/2023 Last updated : 02/07/2024
Run Command on Azure Arc-enabled servers (Public Preview) uses the Connected Mac
- **Configuration:** Run Command doesn't require more configuration or the deployment of any extensions. The Connected Machine agent version must be 1.33 or higher. +
+## Limiting access to Run Command using RBAC
+
+Listing the run commands or showing details of a command requires the `Microsoft.HybridCompute/machines/runCommands/read` permission. The built-in [Reader](/azure/role-based-access-control/built-in-roles) role and higher levels have this permission.
+
+Running a command requires the `Microsoft.HybridCompute/machines/runCommands/write` permission. The [Azure Connected Machine Resource Administrator](/azure/role-based-access-control/built-in-roles) role and higher levels have this permission.
+
+You can use one of the [built-in roles](/azure/role-based-access-control/built-in-roles) or create a [custom role](/azure/role-based-access-control/custom-roles) to use Run Command.
+
+## Blocking run commands locally
+
+The Connected Machine agent supports local configurations that allow you to set an allowlist or a blocklist. See [Extension allowlists and blocklists](security-overview.md#extension-allowlists-and-blocklists) to learn more.
+
+For Windows:
+
+`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerwindows"`
+
+For Linux:
+
+`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerlinux"`
++
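Review bot: both `azcmagent config set extensions.blocklist` examples quote the handler name with a leading space (`" microsoft.cplat.core/runcommandhandlerwindows"` and `" microsoft.cplat.core/runcommandhandlerlinux"`); if the agent matches the string as written, the entry will not match the handler name and the block has no effect, so drop the space and consider showing `azcmagent config get extensions.blocklist` as a way to confirm the setting took. In the RBAC section it is also worth saying explicitly that `runCommands/read` (held by Reader) returns the instance view, which later in this page is described as containing the script's standard output and error; anyone with Reader on the machine can therefore read the output of previously executed commands, which is a reason to keep sensitive data out of script output or to route it to blobs as the NOTE below suggests.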
+## Azure CLI
+
+The following examples use [az connectedmachine run-command](/cli/azure/connectedmachine/run-command) to run a shell script on an Azure Windows machine.
+
+### Execute a script with the machine
+
+This command delivers the script to the machine, executes it, and returns the captured output.
+
+```azurecli
+az connectedmachine run-command create ΓÇô-name "myRunCommand" --machine-name "myMachine" --resource-group "myRG" --script "Write-Host Hello World!"
+```
+
+### List all deployed RunCommand resources on a machine
+
+This command returns a full list of previously deployed run commands along with their properties.
+
+```azurecli
+az connectedmachine run-command list --machine-name "myMachine" --resource-group "myRG"
+```
+
+### Get execution status and results
+
+This command retrieves current execution progress, including latest output, start/end time, exit code, and terminal state of the execution.
+
+```azurecli
+az connectedmachine run-command show --name "myRunCommand" --machine-name "myMachine" --resource-group "myRG"
+```
+
+> [!NOTE]
+> Output and error fields in `instanceView` is limited to the last 4KB. To access the full output and error, you can forward the output and error data to storage append blobs using `-outputBlobUri` and `-errorBlobUri` parameters while executing Run Command.
+>
+
+### Delete RunCommand resource from the machine
+
+Remove the RunCommand resource previously deployed on the machine. If the script execution is still in progress, execution will be terminated.
+
+```azurecli
+az connectedmachine run-command delete --name "myRunCommand" --machine-name "myMachine" --resource-group "myRG"
+```
+
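Review bot: the `az connectedmachine run-command create` example has a mis-encoded en dash in `ΓÇô-name "myRunCommand"`; as written the CLI will not recognise the argument, so it should be `--name "myRunCommand"`. The intro also says the examples "run a shell script on an Azure Windows machine" while the script is `Write-Host Hello World!`, i.e. PowerShell; and in the NOTE, `-outputBlobUri` and `-errorBlobUri` use a single-dash camelCase form that does not match the `--machine-name` style used everywhere else in this section, so check the parameter names against the CLI reference and make "Output and error fields ... is limited" agree in number.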
+## PowerShell
+
+### Execute a script with the machine
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine" -Location "EastUS" -RunCommandName "RunCommandName" ΓÇôSourceScript "echo Hello World!"
+```
+
+### Execute a script on the machine using SourceScriptUri parameter
+
+`OutputBlobUri` and `ErrorBlobUri` are optional parameters.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName -MachineName -RunCommandName -SourceScriptUri ΓÇ£< SAS URI of a storage blob with read access or public URI>ΓÇ¥ -OutputBlobUri ΓÇ£< SAS URI of a storage append blob with read, add, create, write access>ΓÇ¥ -ErrorBlobUri ΓÇ£< SAS URI of a storage append blob with read, add, create, write access>ΓÇ¥
+```
+
+### List all deployed RunCommand resources on a machine
+
+This command returns a full list of previously deployed Run Commands along with their properties.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine"
+```
+
+### Get execution status and results
+
+This command retrieves current execution progress, including latest output, start/end time, exit code, and terminal state of the execution.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName "myRG" - MachineName "myMachine" -RunCommandName "RunCommandName"
+```
+
+### Create or update Run Command on a machine using SourceScriptUri (storage blob SAS URL)
+
+Create or update Run Command on a Windows machine using a SAS URL of a storage blob that contains a PowerShell script. `SourceScriptUri` can be a storage blobΓÇÖs full SAS URL or public URL.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScriptUri <SourceScriptUri>
+```
+
+> [!NOTE]
+> SAS URL must provide read access to the blob. An expiration time of 24 hours is suggested for SAS URL. SAS URLs can be generated on the Azure portal using blob options, or SAS token using `New-AzStorageBlobSASToken`. If generating SAS token using `New-AzStorageBlobSASToken`, your SAS URL = "base blob URL" + "?" + "SAS token from `New-AzStorageBlobSASToken`"
+>
+
+### Get a Run Command Instance View for a machine after creating or updating Run Command
+
+Get a Run Command for machine with Instance View. Instance View contains the execution state of run command (Succeeded, Failed, etc.), exit code, standard output, and standard error generated by executing the script using Run Command. A non-zero ExitCode indicates an unsuccessful execution.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName MyRG -MachineName MyMachine -RunCommandName MyRunCommand
+```
+
+`InstanceViewExecutionState`: Status of user's Run Command script. Refer to this state to know whether your script was successful or not.
+
+`ProvisioningState`: Status of general extension provisioning end to end (whether extension platform was able to trigger Run Command script or not).
+
+### Create or update Run Command on a machine using SourceScript (script text)
+
+Create or update Run Command on a machine passing the script content directly to `-SourceScript` parameter. Use `;` to separate multiple commands.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand2 -Location EastUS2EUAP -SourceScript "id; echo HelloWorld"
+```
+
+### Create or update Run Command on a machine using OutputBlobUri, ErrorBlobUri to stream standard output and standard error messages to output and error Append blobs
+
+Create or update Run Command on a machine and stream standard output and standard error messages to output and error Append blobs.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 - MachineName MyMachine -RunCommandName MyRunCommand3 -Location EastUS2EUAP -SourceScript "id; echo HelloWorld"-OutputBlobUri <OutPutBlobUrI> -ErrorBlobUri <ErrorBlobUri>
+```
+
+> [!NOTE]
+> Output and error blobs must be the AppendBlob type and their SAS URLs must provide read, append, create, write access to the blob. An expiration time of 24 hours is suggested for SAS URL. If output or error blob does not exist, a blob of type AppendBlob will be created. SAS URLs can be generated on Azure portal using blob's options, or SAS token from using `New-AzStorageBlobSASToken`.
+>
+
+### Create or update Run Command on a machine as a different user using RunAsUser and RunAsPassword parameters
+
+Create or update Run Command on a machine as a different user using `RunAsUser` and `RunAsPassword` parameters. For RunAs to work properly, contact the administrator the of machine and make sure user is added on the machine, user has access to resources accessed by the Run Command (directories, files, network etc.), and in case of Windows machine, 'Secondary Logon' service is running on the machine.
+
+```powershell
+New-AzMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScript "id; echo HelloWorld" -RunAsUser myusername -RunAsPassword mypassword
+```
+
+### Create or update Run Command on a machine resource using SourceScriptUri (storage blob SAS URL)
+
+Create or update Run Command on a Windows machine resource using a SAS URL of a storage blob that contains a PowerShell script.
++
+```powershell
+New-AzMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScriptUri <SourceScriptUri>
+```
+
+> [!NOTE]
+> SAS URL must provide read access to the blob. An expiry time of 24 hours is suggested for SAS URL. SAS URLs can be generated on Azure portal using blob options or SAS token using `New-AzStorageBlobSASToken`. If generating SAS token using `New-AzStorageBlobSASToken`, the SAS URL format is: base blob URL + "?" + the SAS token from `New-AzStorageBlobSASToken`.
+>
+
+### Create or update Run Command on a machine instance using Parameter and ProtectedParameter parameters (Public and Protected Parameters to script)
+
+Use ProtectedParameter to pass any sensitive inputs to script such as passwords, keys etc.
+
+- Windows: Parameters and ProtectedParameters are passed to script as arguments are passed to script and run like this: `myscript.ps1 -publicParam1 publicParam1value -publicParam2 publicParam2value -secret1 secret1value -secret2 secret2value`
+
+- Linux: Named Parameters and its values are set to environment config, which should be accessible within the .sh script. For Nameless arguments, pass an empty string to name input. Nameless arguments are passed to script and run like this: `myscript.sh publicParam1value publicParam2value secret1value secret2value`
+
+### Delete RunCommand resource from the machine
+
+Remove the RunCommand resource previously deployed on the machine. If the script execution is still in progress, execution will be terminated.
+
+```powershell
+Remove-AzConnetedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine" -RunCommandName "RunCommandName"
+```
+ ## Run Command operations Run Command on Azure Arc-enabled servers supports the following operations:
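Review bot: several of the PowerShell examples will not run as written. `ΓÇôSourceScript` in the first example and the `ΓÇ£ ... ΓÇ¥` quotes in the SourceScriptUri example are mis-encoded dashes and curly quotes (use `-SourceScript` and straight quotes), and that same example omits values for `-ResourceGroupName -MachineName -RunCommandName`; `- MachineName` carries a stray space in two places; `"id; echo HelloWorld"-OutputBlobUri` is missing a space; the RunAsUser and the second SourceScriptUri examples call `New-AzMachineRunCommand` where every other example uses `New-AzConnectedMachineRunCommand`; and the delete example misspells the cmdlet as `Remove-AzConnetedMachineRunCommand`. On the security side, `-RunAsPassword mypassword` puts a credential in plain text on the command line, where it lands in shell history and transcripts; the example should read it from a secure source or at least say not to pass a literal. The Parameter/ProtectedParameter section says protected values are appended to the script's command line on Windows (`-secret1 secret1value`), which local users can observe in process listings, so it should state what "protected" actually covers; that bullet also repeats "are passed to script as arguments are passed to script". Minor: "contact the administrator the of machine" is garbled, and `EastUS2EUAP` is an internal canary region and should be replaced with a placeholder region in the examples.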
azure-boost Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-boost/overview.md
description: Learn more about how Azure Boost can Learn more about how Azure Boo
- - ignite-2023 Last updated 11/07/2023
azure-cache-for-redis Cache How To Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-monitor.md
In contrast, for clustered caches, we recommend using the metrics with the suffi
- If the geo-replication link is unhealthy for over an hour, [file a support request](../azure-portal/supportability/how-to-create-azure-support-request.md). - Gets
- - The number of get operations from the cache during the specified reporting interval. This value is the sum of the following values from the Redis INFO all command: `cmdstat_get`, `cmdstat_hget`, `cmdstat_hgetall`, `cmdstat_hmget`, `cmdstat_mget`, `cmdstat_getbit`, and `cmdstat_getrange`, and is equivalent to the sum of cache hits and misses during the reporting interval.
+ - Sum of the number of get commands run on the cache during the specified reporting interval. This is a combined total of the increases in the `cmdstat` counts reported by the Redis INFO all command for all commands in the _get_ family, including `GET`, `HGET` , `MGET`, and others. This value can differ from the total number of hits and misses because some individual commands access multiple keys. For example: `MGET key1 key2 key3` only increments the number of gets by one but increments the combined number of hits and misses by three.
- Operations per Second - The total number of commands processed per second by the cache server during the specified reporting interval. This value maps to "instantaneous_ops_per_sec" from the Redis INFO command. - Server Load
In contrast, for clustered caches, we recommend using the metrics with the suffi
> The _Server Load_ metric can present incorrect data for Enterprise and Enterprise Flash tier caches. Sometimes _Server Load_ is represented as being over 100. We are investigating this issue. We recommend using the CPU metric instead in the meantime. - Sets
- - The number of set operations to the cache during the specified reporting interval. This value is the sum of the following values from the Redis INFO all command: `cmdstat_set`, `cmdstat_hset`, `cmdstat_hmset`, `cmdstat_hsetnx`, `cmdstat_lset`, `cmdstat_mset`, `cmdstat_msetnx`, `cmdstat_setbit`, `cmdstat_setex`, `cmdstat_setrange`, and `cmdstat_setnx`.
+ - Sum of the number of set commands run on the cache during the specified reporting interval. This is a combined total of the increases in the `cmdstat` counts reported by the Redis INFO all command for all commands in the _set_ family, including `SET`, `HSET` , `MSET`, and others.
- Total Keys - The maximum number of keys in the cache during the past reporting time period. This number maps to `keyspace` from the Redis INFO command. Because of a limitation in the underlying metrics system for caches with clustering enabled, Total Keys return the maximum number of keys of the shard that had the maximum number of keys during the reporting interval. - Total Operations
In contrast, for clustered caches, we recommend using the metrics with the suffi
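Review bot: the removed Sets line enumerated exactly which counters are summed (`cmdstat_set`, `cmdstat_hset`, ... `cmdstat_setnx`), and the replacement "including `SET`, `HSET` , `MSET`, and others" loses that precision; readers comparing this metric against their own `INFO commandstats` output need the full list, so keep it (or link to where it is defined). Also drop the stray space before the comma after `HSET`.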
- The amount of cache memory in MB that is used for key/value pairs in the cache during the specified reporting interval. This value maps to `used_memory` from the Redis INFO command. This value doesn't include metadata or fragmentation. - On the Enterprise and Enterprise Flash tier, the Used Memory value includes the memory in both the primary and replica nodes. This can make the metric appear twice as large as expected. - Used Memory Percentage
- - The percent of total memory that is being used during the specified reporting interval. This value references the `used_memory` value from the Redis INFO command to calculate the percentage. This value doesn't include fragmentation.
+ - The percent of total memory that is being used during the specified reporting interval. This value references the `used_memory` value from the Redis INFO command to calculate the percentage. This value doesn't include fragmentation.
- Used Memory RSS - The amount of cache memory used in MB during the specified reporting interval, including fragmentation. This value maps to `used_memory_rss` from the Redis INFO command. This metric isn't available in Enterprise or Enterprise Flash tier caches.
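Review bot: the removed and added lines for Used Memory Percentage are identical in the visible text, so this appears to be a whitespace-only change; if a wording change was intended (for example noting, as the Used Memory entry above does, that Enterprise tiers count both primary and replica memory), it is missing from the hunk.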
azure-government Documentation Accelerate Compliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compliance/documentation-accelerate-compliance.md
- Last updated 05/30/2023
azure-government Documentation Government Cognitiveservices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-cognitiveservices.md
cloud: gov
- Last updated 08/30/2021
azure-government Documentation Government Connect Ssms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-connect-ssms.md
description: Manage your subscription in Azure Government by connecting with SQL
- Last updated 10/01/2021
azure-government Documentation Government Connect Vs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-connect-vs.md
cloud: gov - Last updated 03/09/2021
azure-government Documentation Government Csp Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-csp-application.md
cloud: gov
- Last updated 05/30/2023
azure-government Documentation Government Developer Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-developer-guide.md
Title: Azure Government developer guide
description: Provides guidance on developing applications for Azure Government - recommendations: false
azure-government Documentation Government Extension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-extension.md
cloud: gov
- Previously updated : 08/31/2021 Last updated : 08/31/2021 # Azure Government virtual machine extensions
azure-government Documentation Government Get Started Connect With Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-get-started-connect-with-cli.md
cloud: gov - Last updated 03/09/2021 #Customer intent: As a developer working for a federal government agency "x", I want to connect to Azure Government using CLI so I can start developing against Azure Government's secure isolated datacenters.
azure-government Documentation Government Get Started Connect With Ps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-get-started-connect-with-ps.md
Title: Connect to Azure Government with PowerShell
description: Information on connecting to your subscription in Azure Government with PowerShell. - Last updated 01/18/2023
azure-government Documentation Government How To Access Enterprise Agreement Billing Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-how-to-access-enterprise-agreement-billing-account.md
- Last updated 11/08/2023
azure-government Documentation Government Howto Deploy Webandmobile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-howto-deploy-webandmobile.md
cloud: gov
- Last updated 08/10/2018- #Customer intent: As a developer working for a federal government agency "x", I want to connect to Azure Government and deploy an Azure App Services app in the Azure Government cloud because i want to be sure that my agency meets government security and compliance requirements.
This tutorial showed you how to deploy an Azure App Services app to Azure Govern
> [!div class="nextstepaction"] > [Microsoft Azure Government Blog](https://blogs.msdn.microsoft.com/azuregov/).-
azure-government Documentation Government Image Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-image-gallery.md
cloud: gov
- Previously updated : 08/31/2021 Last updated : 08/31/2021 # Azure Government Marketplace images
azure-government Documentation Government Manage Marketplace Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-manage-marketplace-partners.md
cloud: gov
- Last updated 08/31/2021
Make sure that any virtual machine extensions your solution template relies on a
- Subscribe to the [Azure Government blog](https://blogs.msdn.microsoft.com/azuregov/) - Get help on Stack Overflow by using the [azure-gov](https://stackoverflow.com/questions/tagged/azure-gov) tag--
azure-government Documentation Government Manage Oms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-manage-oms.md
cloud: gov
- Last updated 12/05/2016
This is just one example of an out-of-box Azure Monitor logs solution that can b
Azure Monitor continues to update its machine learning to fight the latest threats automatically for you, and we continue to roll out new solutions to the Azure marketplace as well.
-For more information about Azure Monitor logs, see [our documentation page](./documentation-government-overview.md).
+For more information about Azure Monitor logs, see [our documentation page](./documentation-government-overview.md).
azure-government Documentation Government Plan Compliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-plan-compliance.md
Title: Azure Government compliance
description: Provides an overview of the available compliance assurances for Azure Government -
azure-government Documentation Government Quickstarts Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-quickstarts-vm.md
cloud: gov
- Last updated 08/10/2018- #Customer intent: As a developer working for a federal government agency "x", I want to connect to Azure Government and provision a VM in the Azure Government cloud because i want to be sure that my agency meets government security and compliance requirements.
This tutorial showed you how to create Virtual Machines in Azure Government. To
> [!div class="nextstepaction"] > [Microsoft Azure Government Blog](https://blogs.msdn.microsoft.com/azuregov/).-
azure-government Documentation Government Welcome https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-welcome.md
Title: Azure Government Overview
description: Overview of Azure Government capabilities -
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agents-overview.md
View [supported operating systems for Azure Arc Connected Machine agent](../../a
| Windows Server 2016 Core | Γ£ô | | Γ£ô | | Windows Server 2012 R2 | Γ£ô | Γ£ô | Γ£ô | | Windows Server 2012 | Γ£ô | Γ£ô | Γ£ô |
-| Windows Server 2008 R2 SP1 | Γ£ô | Γ£ô | Γ£ô |
-| Windows Server 2008 R2 | | | Γ£ô |
-| Windows Server 2008 SP2 | | Γ£ô | |
| Windows 11 Client and Pro | Γ£ô<sup>2</sup>, <sup>3</sup> | | | | Windows 11 Enterprise<br>(including multi-session) | Γ£ô | | | | Windows 10 1803 (RS4) and higher | Γ£ô<sup>2</sup> | | |
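Review bot: the three removed rows drop Windows Server 2008 R2 SP1, 2008 R2 and 2008 SP2 from the supported operating systems table without any note in the visible lines; consider adding a sentence stating that these versions are no longer supported by the agents, so that readers still running them learn they must upgrade rather than assuming the table is incomplete.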
azure-monitor Azure Monitor Agent Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-manage.md
The following prerequisites must be met prior to installing Azure Monitor Agent.
- `<virtual-machine-region-name>`.handler.control.monitor.azure.com (example: westus.handler.control.monitor.azure.com) - `<log-analytics-workspace-id>`.ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opinsights.azure.com) (If you use private links on the agent, you must also add the [dce endpoints](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint)).
+- **Disk Space**: Required disk space can vary greatly depending upon how an agent is utilized or if the agent is unable to communicate with the destinations where it is instructed to send monitoring data. The following provides guidance for capacity planning:
+
+| Purpose | Environment | Path | Suggested Space |
+|:|:|:|:|
+| Download and install packages | Linux | /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-{Version}/ | 500 MB |
+| Download and install packages | Windows | C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent | 500 MB|
+| Extension Logs | Linux (Azure VM) | /var/log/azure/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent/ | 100 MB |
+| Extension Logs | Linux (Azure Arc) | /var/lib/GuestConfig/extension_logs/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-{version}/ | 100 MB |
+| Extension Logs | Windows (Azure VM) | C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent | 100 MB |
+| Extension Logs | Windows (Azure Arc) | C:\ProgramData\GuestConfig\extension_logs\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent | 100 MB |
+| Agent Cache | Linux | /etc/opt/microsoft/azuremonitoragent, /var/opt/microsoft/azuremonitoragent | 500 MB |
+| Agent Cache | Windows (Azure VM) | C:\WindowsAzure\Resources\AMADataStore.{DataStoreName} | 10.5 GB |
+| Agent Cache | Windows (Azure Arc) | C:\Resources\Directory\AMADataStore. {DataStoreName} | 10.5 GB |
+| Event Cache | Linux | /var/opt/microsoft/azuremonitoragent/events | 10 GB |
> [!NOTE] > This article only pertains to agent installation or management. After you install the agent, you must review the next article to [configure data collection rules and associate them with the machines](./data-collection-rule-azure-monitor-agent.md) with agents installed. *Azure Monitor Agents can't function without being associated with data collection rules.*
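Review bot: the Windows (Azure Arc) Agent Cache path is written as "C:\Resources\Directory\AMADataStore. {DataStoreName}" with a space before the placeholder, while the Azure VM row uses "AMADataStore.{DataStoreName}"; the space looks like a typo and should be removed. Two smaller style points in the same table: the Windows package row ends in "500 MB|" without the space the other cells use, and the delimiter row "|:|:|:|:|" should use the usual "|:---|" form so every renderer treats it as a table header.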
azure-monitor Api Custom Events Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/api-custom-events-metrics.md
The recommended way to send request telemetry is where the request acts as an <a
You can correlate telemetry items together by associating them with operation context. The standard request-tracking module does this for exceptions and other events that are sent while an HTTP request is being processed. In [Search](./transaction-search-and-diagnostics.md?tabs=transaction-search) and [Analytics](../logs/log-query-overview.md), you can easily find any events associated with the request by using its operation ID.
-For more information on correlation, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+For more information on correlation, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
When you track telemetry manually, the easiest way to ensure telemetry correlation is by using this pattern:
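Review bot: the link target moves from distributed-tracing-telemetry-correlation.md to distributed-trace-data.md here and in the other articles in this batch; make sure the old path keeps a redirect, since external bookmarks and search results will still point at it, and check that the new page's heading still matches the link text "Telemetry correlation in Application Insights".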
azure-monitor App Map https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/app-map.md
To provide feedback, use the feedback option.
## Next steps
-* To learn more about how correlation works in Application Insights, see [Telemetry correlation](distributed-tracing-telemetry-correlation.md).
+* To learn more about how correlation works in Application Insights, see [Telemetry correlation](distributed-trace-data.md).
* The [end-to-end transaction diagnostic experience](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) correlates server-side telemetry from across all your Application Insights-monitored components into a single view. * For advanced correlation scenarios in ASP.NET Core and ASP.NET, see [Track custom operations](custom-operations-tracking.md).
azure-monitor Custom Operations Tracking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-operations-tracking.md
This article provides guidance on how to track custom operations with the Applic
## Overview
-An operation is a logical piece of work run by an application. It has a name, start time, duration, result, and a context of execution like user name, properties, and result. If operation A was initiated by operation B, then operation B is set as a parent for A. An operation can have only one parent, but it can have many child operations. For more information on operations and telemetry correlation, see [Application Insights telemetry correlation](distributed-tracing-telemetry-correlation.md).
+An operation is a logical piece of work run by an application. It has a name, start time, duration, result, and a context of execution like user name, properties, and result. If operation A was initiated by operation B, then operation B is set as a parent for A. An operation can have only one parent, but it can have many child operations. For more information on operations and telemetry correlation, see [Application Insights telemetry correlation](distributed-trace-data.md).
In the Application Insights .NET SDK, the operation is described by the abstract class [OperationTelemetry](https://github.com/microsoft/ApplicationInsights-dotnet/blob/7633ae849edc826a8547745b6bf9f3174715d4bd/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/OperationTelemetry.cs) and its descendants [RequestTelemetry](https://github.com/microsoft/ApplicationInsights-dotnet/blob/7633ae849edc826a8547745b6bf9f3174715d4bd/BASE/src/Microsoft.ApplicationInsights/DataContracts/RequestTelemetry.cs) and [DependencyTelemetry](https://github.com/microsoft/ApplicationInsights-dotnet/blob/7633ae849edc826a8547745b6bf9f3174715d4bd/BASE/src/Microsoft.ApplicationInsights/DataContracts/DependencyTelemetry.cs).
Each Application Insights operation (request or dependency) involves `Activity`.
## Next steps -- Learn the basics of [telemetry correlation](distributed-tracing-telemetry-correlation.md) in Application Insights.
+- Learn the basics of [telemetry correlation](distributed-trace-data.md) in Application Insights.
- Check out how correlated data powers [transaction diagnostics experience](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) and [Application Map](./app-map.md). - See the [data model](./data-model-complete.md) for Application Insights types and data model. - Report custom [events and metrics](./api-custom-events-metrics.md) to Application Insights.
azure-monitor Data Model Complete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-complete.md
The following types of telemetry are used to monitor the execution of your app.
* [Request](#request): Generated to log a request received by your app. For example, the Application Insights web SDK automatically generates a Request telemetry item for each HTTP request that your web app receives.
- An *operation* is made up of the threads of execution that process a request. You can also [write code](./api-custom-events-metrics.md#trackrequest) to monitor other types of operation, such as a "wake up" in a web job or function that periodically processes data. Each operation has an ID. The ID can be used to [group](distributed-tracing-telemetry-correlation.md) all telemetry generated while your app is processing the request. Each operation either succeeds or fails and has a duration of time.
+ An *operation* is made up of the threads of execution that process a request. You can also [write code](./api-custom-events-metrics.md#trackrequest) to monitor other types of operation, such as a "wake up" in a web job or function that periodically processes data. Each operation has an ID. The ID can be used to [group](distributed-trace-data.md) all telemetry generated while your app is processing the request. Each operation either succeeds or fails and has a duration of time.
* [Exception](#exception): Typically represents an exception that causes an operation to fail. * [Dependency](#dependency): Represents a call from your app to an external service or storage, such as a REST API or SQL. In ASP.NET, dependency calls to SQL are defined by `System.Data`. Calls to HTTP endpoints are defined by `System.Net`.
Every telemetry item can define the [context information](#context) like applica
You can use session ID to calculate an outage or an issue impact on users. Calculating the distinct count of session ID values for a specific failed dependency, error trace, or critical exception gives you a good understanding of an impact.
-The Application Insights telemetry model defines a way to [correlate](distributed-tracing-telemetry-correlation.md) telemetry to the operation of which it's a part. For example, a request can make a SQL Database call and record diagnostics information. You can set the correlation context for those telemetry items that tie it back to the request telemetry.
+The Application Insights telemetry model defines a way to [correlate](distributed-trace-data.md) telemetry to the operation of which it's a part. For example, a request can make a SQL Database call and record diagnostics information. You can set the correlation context for those telemetry items that tie it back to the request telemetry.
## Schema improvements
The Application Insights web SDK sends a request name "as is" about letter case.
### ID
-ID is the identifier of a request call instance. It's used for correlation between the request and other telemetry items. The ID should be globally unique. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+ID is the identifier of a request call instance. It's used for correlation between the request and other telemetry items. The ID should be globally unique. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
**Maximum length:** 128 characters
URL is the request URL with all query string parameters.
### Source
-Source is the source of the request. Examples are the instrumentation key of the caller or the IP address of the caller. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+Source is the source of the request. Examples are the instrumentation key of the caller or the IP address of the caller. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
**Maximum length:** 1,024 characters
This field is the name of the command initiated with this dependency call. It ha
### ID
-ID is the identifier of a dependency call instance. It's used for correlation with the request telemetry item that corresponds to this dependency call. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+ID is the identifier of a dependency call instance. It's used for correlation with the request telemetry item that corresponds to this dependency call. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
### Data
This field is the dependency type name. It has a low cardinality value for logic
### Target
-This field is the target site of a dependency call. Examples are server name and host address. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+This field is the target site of a dependency call. Examples are server name and host address. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
### Duration
Originally, this field was used to indicate the type of the device the user of t
### Operation ID
-This field is the unique identifier of the root operation. This identifier allows grouping telemetry across multiple components. For more information, see [Telemetry correlation](distributed-tracing-telemetry-correlation.md). Either a request or a page view creates the operation ID. All other telemetry sets this field to the value for the containing request or page view.
+This field is the unique identifier of the root operation. This identifier allows grouping telemetry across multiple components. For more information, see [Telemetry correlation](distributed-trace-data.md). Either a request or a page view creates the operation ID. All other telemetry sets this field to the value for the containing request or page view.
**Maximum length:** 128 ### Parent operation ID
-This field is the unique identifier of the telemetry item's immediate parent. For more information, see [Telemetry correlation](distributed-tracing-telemetry-correlation.md).
+This field is the unique identifier of the telemetry item's immediate parent. For more information, see [Telemetry correlation](distributed-trace-data.md).
**Maximum length:** 128
azure-monitor Kubernetes Codeless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/kubernetes-codeless.md
Title: Monitor applications on AKS with Application Insights - Azure Monitor | M
description: Azure Monitor integrates seamlessly with your application running on Azure Kubernetes Service and allows you to spot the problems with your apps quickly. Previously updated : 11/15/2022 Last updated : 02/29/2024
Troubleshoot the following issue.
## Next steps * Learn more about [Azure Monitor](../overview.md) and [Application Insights](./app-insights-overview.md).
-* Get an overview of [distributed tracing](distributed-tracing-telemetry-correlation.md) and see what [Application Map](./app-map.md?tabs=net) can do for your business.
+* Get an overview of [distributed tracing](distributed-trace-data.md) and see what [Application Map](./app-map.md?tabs=net) can do for your business.
azure-monitor Monitor Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/monitor-functions.md
To collect custom telemetry from services such as Redis, Memcached, and MongoDB,
## Next steps * Read more instructions and information about [monitoring Azure Functions](../../azure-functions/functions-monitoring.md).
-* Get an overview of [distributed tracing](distributed-tracing-telemetry-correlation.md).
+* Get an overview of [distributed tracing](distributed-trace-data.md).
* See what [Application Map](./app-map.md?tabs=net) can do for your business. * Read about [requests and dependencies for Java apps](./java-in-process-agent.md). * Learn more about [Azure Monitor](../overview.md) and [Application Insights](./app-insights-overview.md).
azure-monitor Opentelemetry Add Modify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md
The distros automatically collect data by bundling OpenTelemetry instrumentation
Requests - [ASP.NET
- Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) ┬╣
+ Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) ┬╣┬▓
Dependencies-- [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md) ┬╣
+- [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md) ┬╣┬▓
- [SqlClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.SqlClient/README.md) ┬╣ Logging - `ILogger`
-
+ For more information about `ILogger`, see [Logging in C# and .NET](/dotnet/core/extensions/logging) and [code examples](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/logs). #### [.NET](#tab/net)
Instrumentations can be configured using AzureMonitorOpenTelemetryOptions
``` - #### [Python](#tab/python) Requests
azure-monitor Opentelemetry Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md
This article covers configuration settings for the Azure Monitor OpenTelemetry distro. - ## Connection string A connection string in Application Insights defines the target location for sending telemetry data, ensuring it reaches the appropriate resource for monitoring and analysis.
A connection string in Application Insights defines the target location for send
Use one of the following three ways to configure the connection string: -- Add `UseAzureMonitor()` to your application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.
+- Add `UseAzureMonitor()` to your application startup. This is in your `program.cs` class.
+ ```csharp // Create a new ASP.NET Core web application builder. var builder = WebApplication.CreateBuilder(args);
Use one of the following three ways to configure the connection string:
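Review bot: "This is in your `program.cs` class" is inaccurate, since `program.cs` is a file rather than a class; suggest "This goes in your `program.cs` file". The removed sentence also covered `startup.cs` for older project templates; if that case is intentionally no longer supported, say so rather than silently dropping it, so readers on the older layout know where the `UseAzureMonitor()` call belongs.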
// Start the ASP.NET Core web application. app.Run(); ```+ - Set an environment variable:+ ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String> ```+ - Add the following section to your `appsettings.json` config file:+ ```json { "AzureMonitor": {
Use one of the following three ways to configure the connection string:
Use one of the following two ways to configure the connection string: - Add the Azure Monitor Exporter to each OpenTelemetry signal in application startup.+ ```csharp // Create a new OpenTelemetry tracer provider. // It is important to keep the TracerProvider instance active throughout the process lifetime.
Use one of the following two ways to configure the connection string:
}); }); ```+ - Set an environment variable: ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String>
To set the connection string, see [Connection string](java-standalone-config.md#
Use one of the following two ways to configure the connection string: - Set an environment variable:
-
+ ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String> ```
Use one of the following two ways to configure the connection string:
Use one of the following two ways to configure the connection string: - Set an environment variable:
-
+ ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String> ```
useAzureMonitor(options);
Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [OpenTelemetry Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md). Set Resource attributes using the `OTEL_RESOURCE_ATTRIBUTES` and/or `OTEL_SERVICE_NAME` environment variables. `OTEL_RESOURCE_ATTRIBUTES` takes series of comma-separated key-value pairs. For example, to set the Cloud Role Name to `my-namespace.my-helloworld-service` and set Cloud Role Instance to `my-instance`, you can set `OTEL_RESOURCE_ATTRIBUTES` and `OTEL_SERVICE_NAME` as such:+ ``` export OTEL_RESOURCE_ATTRIBUTES="service.namespace=my-namespace,service.instance.id=my-instance" export OTEL_SERVICE_NAME="my-helloworld-service" ``` If you don't set the `service.namespace` Resource attribute, you can alternatively set the Cloud Role Name with only the OTEL_SERVICE_NAME environment variable or the `service.name` Resource attribute. For example, to set the Cloud Role Name to `my-helloworld-service` and set Cloud Role Instance to `my-instance`, you can set `OTEL_RESOURCE_ATTRIBUTES` and `OTEL_SERVICE_NAME` as such:+ ``` export OTEL_RESOURCE_ATTRIBUTES="service.instance.id=my-instance" export OTEL_SERVICE_NAME="my-helloworld-service"
export OTEL_SERVICE_NAME="my-helloworld-service"
You might want to enable sampling to reduce your data ingestion volume, which reduces your cost. Azure Monitor provides a custom *fixed-rate* sampler that populates events with a sampling ratio, which Application Insights converts to `ItemCount`. The *fixed-rate* sampler ensures accurate experiences and event counts. The sampler is designed to preserve your traces across services, and it's interoperable with older Application Insights SDKs. For more information, see [Learn More about sampling](sampling.md#brief-summary).
-> [!NOTE]
+> [!NOTE]
> Metrics and Logs are unaffected by sampling. #### [ASP.NET Core](#tab/aspnetcore)
We support the credential classes provided by [Azure Identity](https://github.co
- Provide the tenant ID, client ID, and client secret to the constructor. 1. Install the latest [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) package:+ ```dotnetcli dotnet add package Azure.Identity ```
-
+ 1. Provide the desired credential class:+ ```csharp // Create a new ASP.NET Core web application builder. var builder = WebApplication.CreateBuilder(args);
We support the credential classes provided by [Azure Identity](https://github.co
- Provide the tenant ID, client ID, and client secret to the constructor. 1. Install the latest [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) package:+ ```dotnetcli dotnet add package Azure.Identity ```
-1. Provide the desired credential class:
+1. Provide the desired credential class:
+ ```csharp // Create a DefaultAzureCredential. var credential = new DefaultAzureCredential();
We support the credential classes provided by [Azure Identity](https://github.co
}); }); ```
-
+ #### [Java](#tab/java) For more information about Java, see the [Java supplemental documentation](java-standalone-config.md).
useAzureMonitor(options);
``` #### [Python](#tab/python)
-
+ ```python # Import the `ManagedIdentityCredential` class from the `azure.identity` package. from azure.identity import ManagedIdentityCredential
configure_azure_monitor(
- ## Offline Storage and Automatic Retries To improve reliability and resiliency, Azure Monitor OpenTelemetry-based offerings write to offline/local storage by default when an application loses its connection with Application Insights. It saves the application telemetry to disk and periodically tries to send it again for up to 48 hours. In high-load applications, telemetry is occasionally dropped for two reasons. First, when the allowable time is exceeded, and second, when the maximum file size is exceeded or the SDK doesn't have an opportunity to clear out the file. If we need to choose, the product saves more recent events over old ones. [Learn More](/previous-versions/azure/azure-monitor/app/data-retention-privacy#does-the-sdk-create-temporary-local-storage)
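Review bot: this hunk deletes the entire "Offline Storage and Automatic Retries" section, including the statements that telemetry is written to local disk when the connection to Application Insights is lost, retried for up to 48 hours, and dropped oldest-first under load; if the content has moved, leave a link in its place, because readers planning data handling need to know that telemetry can be persisted on the local disk.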
You might want to enable the OpenTelemetry Protocol (OTLP) Exporter alongside th
``` 1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see the [example on GitHub](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/examples/Console/TestOtlpExporter.cs).
-
+ ```csharp // Create a new OpenTelemetry tracer provider and add the Azure Monitor trace exporter and the OTLP trace exporter. // It is important to keep the TracerProvider instance active throughout the process lifetime.
For more information about Java, see the [Java supplemental documentation](java-
1. Install the [opentelemetry-exporter-otlp](https://pypi.org/project/opentelemetry-exporter-otlp/) package. 1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see this [README](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/monitor/azure-monitor-opentelemetry-exporter/samples/traces#collector).
-
+ ```python # Import the `configure_azure_monitor()`, `trace`, `OTLPSpanExporter`, and `BatchSpanProcessor` classes from the appropriate packages. from azure.monitor.opentelemetry import configure_azure_monitor
For more information about Java, see the [Java supplemental documentation](java-
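Review bot: the added OTLP exporter snippets for ASP.NET Core and Python configure no collector endpoint, and the lead-in only says a Collector with an OTLP receiver is assumed to be running; state where the exporter sends when nothing is configured (the OTLP exporters target a local collector by default) and add that a remote collector endpoint should be reached over TLS, since the application's traces would otherwise leave the host unencrypted.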
## OpenTelemetry configurations The following OpenTelemetry configurations can be accessed through environment variables while using the Azure Monitor OpenTelemetry Distros.+ ### [ASP.NET Core](#tab/aspnetcore) | Environment variable | Description |
The following OpenTelemetry configurations can be accessed through environment v
| `OTEL_RESOURCE_ATTRIBUTES` | Key-value pairs to be used as resource attributes. For more information about resource attributes, see the [Resource SDK specification](https://github.com/open-telemetry/opentelemetry-specification/blob/v1.5.0/specification/resource/sdk.md#specifying-resource-information-via-an-environment-variable). | | `OTEL_SERVICE_NAME` | Sets the value of the `service.name` resource attribute. If `service.name` is also provided in `OTEL_RESOURCE_ATTRIBUTES`, then `OTEL_SERVICE_NAME` takes precedence. | - ### [.NET](#tab/net) | Environment variable | Description |
azure-monitor Opentelemetry Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-enable.md
Follow the steps in this section to instrument your application with OpenTelemet
### [ASP.NET Core](#tab/aspnetcore) -- [ASP.NET Core Application](/aspnet/core/introduction-to-aspnet-core) using an officially supported version of [.NET Core](https://dotnet.microsoft.com/download/dotnet)
+- [ASP.NET Core Application](/aspnet/core/introduction-to-aspnet-core) using an officially supported version of [.NET](https://dotnet.microsoft.com/download/dotnet)
### [.NET](#tab/net)
pip install azure-monitor-opentelemetry
### Enable Azure Monitor Application Insights+ To enable Azure Monitor Application Insights, you make a minor modification to your application and set your "Connection String." The Connection String tells your application where to send the telemetry the Distro collects, and it's unique to you. #### Modify your Application ##### [ASP.NET Core](#tab/aspnetcore)
-Add `UseAzureMonitor()` to your application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.
+Add `UseAzureMonitor()` to your application startup. This is in your `program.cs` class.
```csharp // Import the Azure.Monitor.OpenTelemetry.AspNetCore namespace.
using Azure.Monitor.OpenTelemetry.AspNetCore;
// Create a new WebApplicationBuilder instance. var builder = WebApplication.CreateBuilder(args);
-// Add the OpenTelemetry NuGet package to the application's services and configure OpenTelemetry to use Azure Monitor.
+// Add OpenTelemetry and configure it to use Azure Monitor.
builder.Services.AddOpenTelemetry().UseAzureMonitor(); // Build the application.
app.Run();
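Review bot: the ASP.NET Core tab now states that `UseAzureMonitor()` goes in `program.cs` only, but the .NET tab that follows still reads "Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class"; align the two tabs, or say why the .NET tab still differs.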
##### [.NET](#tab/net) Add the Azure Monitor Exporter to each OpenTelemetry signal in application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.+ ```csharp // Create a new tracer provider builder and add an Azure Monitor trace exporter to the tracer provider builder. // It is important to keep the TracerProvider instance active throughout the process lifetime.
+// See https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/trace#tracerprovider-management
var tracerProvider = Sdk.CreateTracerProviderBuilder() .AddAzureMonitorTraceExporter(); // Add an Azure Monitor metric exporter to the metrics provider builder. // It is important to keep the MetricsProvider instance active throughout the process lifetime.
+// See https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/metrics#meterprovider-management
var metricsProvider = Sdk.CreateMeterProviderBuilder() .AddAzureMonitorMetricExporter(); // Create a new logger factory. // It is important to keep the LoggerFactory instance active throughout the process lifetime.
+// See https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/logs#logger-management
var loggerFactory = LoggerFactory.Create(builder => { builder.AddOpenTelemetry(options =>
input()
#### Copy the Connection String from your Application Insights Resource+ > [!TIP] > If you don't already have one, now is a great time to [Create an Application Insights Resource](create-workspace-resource.md#create-a-workspace-based-resource). Here's when we recommend you [create a new Application Insights Resource versus use an existing one](create-workspace-resource.md#when-to-use-a-single-application-insights-resource).
To paste your Connection String, select from the following options:
B. Set via Configuration File - Java Only (Recommended) Create a configuration file named `applicationinsights.json`, and place it in the same directory as `applicationinsights-agent-3.4.19.jar` with the following content:
-
+ ```json { "connectionString": "<Your Connection String>" } ```+ Replace `<Your Connection String>` in the preceding JSON with *your* unique connection string. C. Set via Code - ASP.NET Core, Node.js, and Python Only (Not recommended)
To paste your Connection String, select from the following options:
See [Connection String Configuration](opentelemetry-configuration.md#connection-string) for an example of setting Connection String via code. > [!NOTE]
- > If you set the connection string in more than one place, we adhere to the following precendence:
+ > If you set the connection string in more than one place, we adhere to the following precedence:
+ >
> 1. Code > 2. Environment Variable > 3. Configuration File
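Review bot: option C (Set via Code) is labelled "Not recommended" without a reason; add one sentence on why, because the precedence note that follows tells readers that a value set in code overrides both the environment variable and the configuration file, so a connection string left in code silently wins over deployment-time configuration. The configuration-file option also names `applicationinsights-agent-3.4.19.jar`, a pinned version that will go stale; consider a version-neutral reference.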
azure-monitor Sampling Classic Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling-classic-api.md
In [`ApplicationInsights.config`](./configuration-with-applicationinsights-confi
* `<MaxTelemetryItemsPerSecond>5</MaxTelemetryItemsPerSecond>`
- The target rate of [logical operations](distributed-tracing-telemetry-correlation.md#data-model-for-telemetry-correlation) that the adaptive algorithm aims to collect **on each server host**. If your web app runs on many hosts, reduce this value so as to remain within your target rate of traffic at the Application Insights portal.
+ The target rate of [logical operations](distributed-trace-data.md#data-model-for-telemetry-correlation) that the adaptive algorithm aims to collect **on each server host**. If your web app runs on many hosts, reduce this value so as to remain within your target rate of traffic at the Application Insights portal.
* `<EvaluationInterval>00:00:15</EvaluationInterval>`
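Review bot: this hunk only changes the link target from `distributed-tracing-telemetry-correlation.md` to `distributed-trace-data.md`; the same rename recurs across the other Azure Monitor articles in this change set, and the "What's new" entry still titles the article "What is distributed tracing and telemetry correlation?", so confirm that a redirect exists for the old path and that the article title was updated with the file name.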
azure-monitor Transaction Search And Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/transaction-search-and-diagnostics.md
This behavior is by design. All the related items, across all components, are al
### Is there a way to see fewer events per transaction when I use the Application Insights JavaScript SDK?
-The transaction diagnostics experience shows all telemetry in a [single operation](distributed-tracing-telemetry-correlation.md#data-model-for-telemetry-correlation) that shares an [Operation ID](data-model-complete.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a single-page application (SPA), only one page view event is generated and a single Operation ID is used for all telemetry generated. As a result, many events might be correlated to the same operation.
+The transaction diagnostics experience shows all telemetry in a [single operation](distributed-trace-data.md#data-model-for-telemetry-correlation) that shares an [Operation ID](data-model-complete.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a single-page application (SPA), only one page view event is generated and a single Operation ID is used for all telemetry generated. As a result, many events might be correlated to the same operation.
In these scenarios, you can use Automatic Route Tracking to automatically create new operations for navigation in your SPA. You must turn on [enableAutoRouteTracking](javascript.md#single-page-applications) so that a page view is generated every time the URL route is updated (logical page view occurs). If you want to manually refresh the Operation ID, call `appInsights.properties.context.telemetryTrace.traceID = Microsoft.ApplicationInsights.Telemetry.Util.generateW3CId()`. Manually triggering a PageView event also resets the Operation ID.
azure-monitor Worker Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/worker-service.md
Run your application. The workers from all the preceding examples make an HTTP c
Application Insights collects these ILogger logs, with a severity of Warning or above by default, and dependencies. They're correlated to `RequestTelemetry` with a parent-child relationship. Correlation also works across process/network boundaries. For example, if the call was made to another monitored component, it's correlated to this parent as well.
-This custom operation of `RequestTelemetry` can be thought of as the equivalent of an incoming web request in a typical web application. It isn't necessary to use an operation, but it fits best with the [Application Insights correlation data model](distributed-tracing-telemetry-correlation.md). `RequestTelemetry` acts as the parent operation and every telemetry generated inside the worker iteration is treated as logically belonging to the same operation.
+This custom operation of `RequestTelemetry` can be thought of as the equivalent of an incoming web request in a typical web application. It isn't necessary to use an operation, but it fits best with the [Application Insights correlation data model](distributed-trace-data.md). `RequestTelemetry` acts as the parent operation and every telemetry generated inside the worker iteration is treated as logically belonging to the same operation.
This approach also ensures all the telemetry generated, both automatic and manual, will have the same `operation_id`. Because sampling is based on `operation_id`, the sampling algorithm either keeps or drops all the telemetry from a single iteration.
azure-monitor Azure Monitor Operations Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/azure-monitor-operations-manager.md
If your monitoring of a business application is limited to functionality provide
- Collect detailed application usage and performance data such as response time, failure rates, and request rates. - Collect browser data such as page views and load performance. - Detect exceptions and drill into stack trace and related requests.-- Perform advanced analysis using features such as [distributed tracing](app/distributed-tracing-telemetry-correlation.md) and [smart detection](alerts/proactive-diagnostics.md).
+- Perform advanced analysis using features such as [distributed tracing](app/distributed-trace-data.md) and [smart detection](alerts/proactive-diagnostics.md).
- Use [metrics explorer](essentials/metrics-getting-started.md) to interactively analyze performance data. - Use [log queries](logs/log-query-overview.md) to interactively analyze collected telemetry together with data collected for Azure services and VM insights.
azure-monitor Monitor Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/monitor-kubernetes.md
Following are common scenarios for monitoring your application.
- Use the **Performance** view in Application insights to view the performance of different operations in your application. - Use [Profiler](../profiler/profiler-overview.md) to capture and view performance traces for your application. - Use [Application Map](../app/app-map.md) to view the dependencies between your application components and identify any bottlenecks.-- Enable [distributed tracing](../app/distributed-tracing-telemetry-correlation.md), which provides a performance profiler that works like call stacks for cloud and microservices architectures, to gain better observability into the interaction between services.
+- Enable [distributed tracing](../app/distributed-trace-data.md), which provides a performance profiler that works like call stacks for cloud and microservices architectures, to gain better observability into the interaction between services.
**Application failures**<br> - Use the **Failures** tab of Application insights to view the number of failed requests and the most common exceptions.
azure-monitor Data Platform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/data-platform.md
Title: Azure Monitor data platform
description: Overview of the Azure Monitor data platform and collection of observability data. - Last updated 08/09/2023
Read more about Azure Monitor logs including their sources of data in [Logs in A
Traces are series of related events that follow a user request through a distributed system. They can be used to determine the behavior of application code and the performance of different transactions. While logs will often be created by individual components of a distributed system, a trace measures the operation and performance of your application across the entire set of components.
-Distributed tracing in Azure Monitor is enabled with the [Application Insights SDK](app/distributed-tracing-telemetry-correlation.md). Trace data is stored with other application log data collected by Application Insights. This way it's available to the same analysis tools as other log data including log queries, dashboards, and alerts.
+Distributed tracing in Azure Monitor is enabled with the [Application Insights SDK](app/distributed-trace-data.md). Trace data is stored with other application log data collected by Application Insights. This way it's available to the same analysis tools as other log data including log queries, dashboards, and alerts.
-Read more about distributed tracing at [What is distributed tracing?](app/distributed-tracing-telemetry-correlation.md).
+Read more about distributed tracing at [What is distributed tracing?](app/distributed-trace-data.md).
### Changes
azure-monitor Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/data-sources.md
When you enable Application Insights for an application by installing an instrum
| Destination | Description | Reference | |:|:|:| | Azure Monitor Logs | Operational data about your application including page views, application requests, exceptions, and traces. | [Analyze log data in Azure Monitor](logs/log-query-overview.md) |
-| | Dependency information between application components to support Application Map and telemetry correlation. | [Telemetry correlation in Application Insights](app/distributed-tracing-telemetry-correlation.md) <br> [Application Map](app/app-map.md) |
+| | Dependency information between application components to support Application Map and telemetry correlation. | [Telemetry correlation in Application Insights](app/distributed-trace-data.md) <br> [Application Map](app/app-map.md) |
| | Results of availability tests that test the availability and responsiveness of your application from different locations on the public Internet. | [Monitor availability and responsiveness of any web site](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability) | | Azure Monitor Metrics | Application Insights collects metrics describing the performance and operation of the application in addition to custom metrics that you define in your application into the Azure Monitor metrics database. | [Log-based and pre-aggregated metrics in Application Insights](app/pre-aggregated-metrics-log-metrics.md)<br>[Application Insights API for custom events and metrics](app/api-custom-events-metrics.md) | | Azure Monitor Change Analysis | Change Analysis detects and provides insights on various types of changes in your application. | [Use Change Analysis in Azure Monitor](./change/change-analysis.md) |
azure-monitor Data Platform Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-platform-metrics.md
description: Learn about metrics in Azure Monitor, which are lightweight monitor
- Last updated 04/25/2023
azure-monitor Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/availability-zones.md
Azure Monitor creates Log Analytics workspaces in a shared cluster, unless you [
### Shared clusters (default) All shared clusters in the following regions use availability zones. If your workspace is in one of these regions, Azure Monitor replicates your logs across the region-specific zones, as of January 2024.
-* Canada Central
-* France Central
-* North Europe
-* South Central US
-* Southeast Asia
-* UK South
-* West US 3
+| Americas | Europe | Middle East | Asia Pacific |
+| | | | |
+| Canada Central | France Central | UAE North | Australia East |
+| South Central US | North Europe | | Central India |
+| West US 3 | Norway East | | Southeast Asia |
+| | UK South | | |
+| | Sweden Central | | |
+ ### Dedicated clusters Azure Monitor currently supports data resilience for availability-zone-enabled dedicated clusters in these regions:
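Review bot: the replacement table lists regions the removed bullet list did not (UAE North, Australia East, Central India, Norway East, Sweden Central) while the sentence above still says "as of January 2024", and the January 2024 "What's new" entry for this same article says availability zones are now supported in Israel Central, Poland Central and Italy North, none of which appear in the table; reconcile the region list with that entry, or state the date the table reflects.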
azure-monitor Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/whats-new.md
Title: "What's new in Azure Monitor documentation"
description: "What's new in Azure Monitor documentation" Previously updated : 10/11/2023 Last updated : 02/08/2024
This article lists significant changes to Azure Monitor documentation.
> > :::image type="content" source="./media//whats-new/rss.png" alt-text="An rss icon."::: https://aka.ms/azmon/rss +
+## [2024](#tab/2024)
+
+## January 2024
+
+|Subservice | Article | Description |
+||||
+Agents|[MMA Discovery and Removal Utility](agents/azure-monitor-agent-mma-removal-tool.md)|Added a PowerShell script that discovers and removes the Log Analytics agent from machines as part of the migration to Azure Monitor Agent.|
+Agents|[Send data to Event Hubs and Storage (Preview)](agents/azure-monitor-agent-send-data-to-event-hubs-and-storage.md)|Update azure-monitor-agent-send-data-to-event-hubs-and-storage.md|
+Alerts|[Resource Manager template samples for metric alert rules in Azure Monitor](alerts/resource-manager-alerts-metric.md)|We've added a clarification about the parameters used when creating metric alert rules programatically.|
+Alerts|[Manage your alert instances](alerts/alerts-manage-alert-instances.md)|We've added documentation about the new alerts timeline view.|
+Alerts|[Create or edit a log alert rule](alerts/alerts-create-log-alert-rule.md)|Added limitations to log search alert queries.|
+Alerts|[Create or edit a log alert rule](alerts/alerts-create-log-alert-rule.md)|We've added samples of log search alert rule queries that use Azure Data Explorer and Azure Resource Graph.|
+Application-Insights|[Data Collection Basics of Azure Monitor Application Insights](app/opentelemetry-overview.md)|We've provided information on how to get a list of Application Insights SDK versions and their names.|
+Application-Insights|[Application Insights logging with .NET](app/ilogger.md)|We've clarified steps to view ILogger telemetry.|
+Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|The script to discover classic resources has been updated.|
+Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|Extra details are now available on migrating from Continuous Export to Diagnostic Settings.|
+Application-Insights|[Telemetry processors (preview) - Azure Monitor Application Insights for Java](app/java-standalone-telemetry-processors.md)|Sample metrics filters have been added.|
+Application-Insights|[Log-based and preaggregated metrics in Application Insights](app/pre-aggregated-metrics-log-metrics.md)|We've clarified how custom metrics work.|
+Containers|[Default Prometheus metrics configuration in Azure Monitor](containers/prometheus-metrics-scrape-default.md)|Added default targets for Control Plane to minimal ingestion profile|
+Containers|[Azure Monitor features for Kubernetes monitoring](containers/container-insights-overview.md)|Rewritten to focus on role of log collection and added agent details.|
+Containers|[Configure data collection in Container insights using ConfigMap](containers/container-insights-data-collection-configmap.md)|New article to consolidate ConfigMap configuration of all cluster configurations.|
+Containers|[Configure data collection in Container insights using data collection rule](containers/container-insights-data-collection-dcr.md)|New article to consolidate DCR configuration of all cluster configurations.|
+Containers|[Container insights log schema](containers/container-insights-logs-schema.md)|Combine Prometheus and Container insights|
+Containers|[Enable monitoring for Kubernetes clusters](containers/container-insights-enable-aks.md)|New article to consolidate onboarding process for all container configurations and for both Prometheus and Container insights.|
+Containers|[Customize scraping of Prometheus metrics in Azure Monitor managed service for Prometheus](containers/prometheus-metrics-scrape-configuration.md)|[Azure Monitor Managed Prometheus] Docs for pod annotation scraping through configmap|
+Essentials|[Custom metrics in Azure Monitor (preview)](essentials/metrics-custom-overview.md)|Article refreshed an updated|
+General|[Disable monitoring of your Kubernetes cluster](containers/kubernetes-monitoring-disable.md)|New article to consolidate process for all container configurations and for both Prometheus and Container insights.|
+Logs|[ Best practices for Azure Monitor Logs](best-practices-logs.md)|Dedicated clusters are now available in all commitment tiers, with a minimum daily ingestion of 100 GB.|
+Logs|[Enhance data and service resilience in Azure Monitor Logs with availability zones](logs/availability-zones.md)|Availability zones are now supported in the Israel Central, Poland Central, and Italy North regions.|
+Virtual-Machines|[Dependency Agent](vm/vminsights-dependency-agent-maintenance.md)|VM Insights Dependency Agent now supports RHEL 8.6 Linux.|
+Visualizations|[Composite bar renderer](visualize/workbooks-composite-bar.md)|We've edited the Workbooks content to make some features and functionality easier to find based on customer feedback. We've also removed legacy content.|
++++ ## [2023](#tab/2023) ## December 2023
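Review bot: several descriptions in the January 2024 table are commit messages rather than reader-facing summaries ("Update azure-monitor-agent-send-data-to-event-hubs-and-storage.md", "Combine Prometheus and Container insights", "[Azure Monitor Managed Prometheus] Docs for pod annotation scraping through configmap"); rewrite them in the style of the other rows. Two typos as well: "programatically" and "Article refreshed an updated".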
Alerts|[Create or edit an activity log, service health, or resource health alert
Alerts|[Create or edit a metric alert rule](alerts/alerts-create-new-alert-rule.md)|Added limitations for use of custom properties in alert rules. Added list of query plugins not supported by log alert rule queries.| Application-Insights|[Add, modify, and filter OpenTelemetry](app/opentelemetry-add-modify.md)|Custom events code samples and instructions have been added to .NET Core / .NET tabs.| Application-Insights|[Migrate availability tests](app/availability-test-migration.md)|We've clarified the URL ping tests retirement statement. Migrate your URL ping tests as soon as possible using the PowerShell scripts provided in this article.|
-Application-Insights|[Enable Azure Monitor Application Insights Real User Monitoring](app/javascript-sdk.md)|Additional guidance has been added on when to use the npm package.|
-Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|We confirmed that migrating from classic to workspace-based resources doesn't introduce application downtime or restarts, and it does not change your existing instrumentation key or connection string.|
+Application-Insights|[Enable Azure Monitor Application Insights Real User Monitoring](app/javascript-sdk.md)|More guidance has been added on when to use the npm package.|
+Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|We confirmed that migrating from classic to workspace-based resources doesn't introduce application downtime or restarts, and it doesn't change your existing instrumentation key or connection string.|
Logs|[Correlate data in Azure Data Explorer and Azure Resource Graph with data in a Log Analytics workspace](logs/azure-monitor-data-explorer-proxy.md)|Explained how to query Azure Data Explorer external tables using the `adx("")` expression. | Logs|[Logs Ingestion API in Azure Monitor](logs/logs-ingestion-api-overview.md)|Updated Log Ingestion API version.| Profiler|[Profile production applications in Azure with Application Insights Profiler](profiler/profiler-overview.md)|Add support for Java profiler and link to docs from .NET profiler overview.|
Alerts|[Create and manage action groups in the Azure portal](alerts/action-group
Alerts|[Create and manage action groups in the Azure portal](alerts/action-groups.md)|Added list of countries/regions supported by voice notifications.| Alerts|[Connect ServiceNow to Azure Monitor](alerts/itsmc-secure-webhook-connections-servicenow.md)|Added Tokyo to list of supported ServiceNow webhook integrations.| Application-Insights|[Application Insights SDK support guidance](app/sdk-support-guidance.md)|Release notes are now available for each SDK.|
-Application-Insights|[What is distributed tracing and telemetry correlation?](app/distributed-tracing-telemetry-correlation.md)|Merged our documents related to distributed tracing and telemetry correlation.|
+Application-Insights|[What is distributed tracing and telemetry correlation?](app/distributed-trace-data.md)|Merged our documents related to distributed tracing and telemetry correlation.|
Application-Insights|[Application Insights availability tests](app/availability-overview.md)|Separated and called out the two Classic Tests, which are older versions of availability tests.| Application-Insights|[Microsoft Azure Monitor Application Insights JavaScript SDK configuration](app/javascript-sdk-configuration.md)|JavaScript SDK configuration now includes npm setup, cookie configuration and management, source map un-minify support, and tree shaking optimized code.| Application-Insights|[Microsoft Azure Monitor Application Insights JavaScript SDK](app/javascript-sdk.md)|Our introductory article to the JavaScript SDK now provides only the fast and easy code-snippet method of getting started.|
azure-netapp-files Access Smb Volume From Windows Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/access-smb-volume-from-windows-client.md
Title: Access SMB volumes from Microsoft Entra joined Windows virtual machines description: Learn how to access Azure NetApp Files SMB volumes from an on-premises environment using Microsoft Entra ID. -
azure-netapp-files Application Volume Group Add Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-add-hosts.md
description: Describes how to add additional HANA hosts after you have created t
- Last updated 11/19/2021
azure-netapp-files Application Volume Group Add Volume Secondary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-add-volume-secondary.md
description: Describes using application volume group to add volumes for an SAP
- Last updated 11/19/2021
azure-netapp-files Application Volume Group Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-considerations.md
Title: Requirements and considerations for Azure NetApp Files application volume group for SAP HANA | Microsoft Docs
-description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files application volume group for SAP HANA.
+description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files application volume group for SAP HANA.
- Last updated 11/08/2023
azure-netapp-files Application Volume Group Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-delete.md
description: Describes how to delete an application volume group.
- Last updated 11/19/2021
azure-netapp-files Application Volume Group Deploy First Host https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-deploy-first-host.md
Title: Deploy the first SAP HANA host using Azure NetApp Files application volume group for SAP HANA | Microsoft Docs
-description: Describes how to deploy the first SAP HANA host using Azure NetApp Files application volume group for SAP HANA.
+description: Describes how to deploy the first SAP HANA host using Azure NetApp Files application volume group for SAP HANA.
- Last updated 10/13/2022
azure-netapp-files Application Volume Group Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-disaster-recovery.md
description: Describes using an application volume group to add volumes for an S
- Last updated 08/22/2022
azure-netapp-files Application Volume Group Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-introduction.md
Title: Understand Azure NetApp Files application volume group for SAP HANA | Microsoft Docs
-description: Describes the use cases and key features of Azure NetApp Files application volume group for SAP HANA.
+description: Describes the use cases and key features of Azure NetApp Files application volume group for SAP HANA.
- Last updated 02/24/2023
azure-netapp-files Application Volume Group Manage Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-manage-volumes.md
Title: Manage volumes in Azure NetApp Files application volume group | Microsoft Docs
-description: Describes how to manage a volume from its application volume group, including resizing, deleting, or changing throughput for the volume.
+description: Describes how to manage a volume from its application volume group, including resizing, deleting, or changing throughput for the volume.
- Last updated 11/19/2021
azure-netapp-files Auxiliary Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/auxiliary-groups.md
Title: Understand auxiliary/supplemental groups with NFS in Azure NetApp Files
-description: Learn about auxiliary/supplemental groups with NFS in Azure NetApp Files.
+description: Learn about auxiliary/supplemental groups with NFS in Azure NetApp Files.
- Last updated 11/13/2023
For more information about the option, including how it behaves with different v
## Next steps * [Understand the use of LDAP with Azure NetApp Files](lightweight-directory-access-protocol.md)
-* [Allow local NFS users with LDAP option](configure-ldap-extended-groups.md)
+* [Allow local NFS users with LDAP option](configure-ldap-extended-groups.md)
azure-netapp-files Azacsnap Cmd Ref Backup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-backup.md
Title: Back up using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the backup command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the backup command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 07/29/2022
azure-netapp-files Azacsnap Cmd Ref Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-configure.md
Title: Configure the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Learn how to run the configure command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Learn how to run the configure command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
azure-netapp-files Azacsnap Cmd Ref Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-delete.md
Title: Delete using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the delete command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the delete command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 01/18/2023
azure-netapp-files Azacsnap Cmd Ref Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-details.md
Title: Obtain details using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the details command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the details command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 04/21/2021
azure-netapp-files Azacsnap Cmd Ref Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-restore.md
Title: Restore using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the restore command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the restore command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 05/04/2023
azure-netapp-files Azacsnap Cmd Ref Runbefore Runafter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-runbefore-runafter.md
Title: RunBefore and RunAfter using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for using the runbefore and runafter options of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for using the runbefore and runafter options of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 07/29/2022
PORTAL_GENERATED_SAS="https://<targetstorageaccount>.blob.core.windows.net/<blob
## Next steps - [Take a backup](azacsnap-cmd-ref-backup.md)-- [Get snapshot details](azacsnap-cmd-ref-details.md)
+- [Get snapshot details](azacsnap-cmd-ref-details.md)
azure-netapp-files Azacsnap Cmd Ref Test https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-test.md
Title: Test Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Explains how to run the test command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Explains how to run the test command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/04/2021
azure-netapp-files Azacsnap Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-disaster-recovery.md
Title: Disaster recovery using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Explains how to perform disaster recovery when using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Explains how to perform disaster recovery when using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 04/21/2021
azure-netapp-files Azacsnap Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-get-started.md
Title: Get started with Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for installing the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for installing the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 03/03/2022
The following guidance is provided to illustrate the usage of the snapshot tools
## Next steps - [Install Azure Application Consistent Snapshot tool](azacsnap-installation.md)-
azure-netapp-files Azacsnap Installation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-installation.md
Title: Install the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Learn how to install the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Learn how to install the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
No special database configuration is required for Db2 because you're using the i
## Next steps - [Configure the Azure Application Consistent Snapshot tool](azacsnap-cmd-ref-configure.md)-
azure-netapp-files Azacsnap Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-introduction.md
Title: What is the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Get basic information about the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Get basic information about the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
azure-netapp-files Azacsnap Preview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-preview.md
Title: Preview features for the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Learn about the preview features of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Learn about the preview features of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
azure-netapp-files Azacsnap Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-release-notes.md
Title: Release Notes for Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides release notes for the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides release notes for the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
AzAcSnap v5.0 Preview (Build: 20210318.30771) has been released with the followi
- [Get started with Azure Application Consistent Snapshot tool](azacsnap-get-started.md) - [Download the latest release of the installer](https://aka.ms/azacsnapinstaller)--
azure-netapp-files Azacsnap Tips https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-tips.md
Title: Tips and tricks for using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides tips and tricks for using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides tips and tricks for using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 09/20/2023
azure-netapp-files Azacsnap Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-troubleshoot.md
description: Troubleshoot communication issues, test failures, and other SAP HAN
- Last updated 01/16/2023
In the preceding example, adding the `DATABASE BACKUP ADMIN` privilege to the SY
- [Tips and tricks for using AzAcSnap](azacsnap-tips.md) - [AzAcSnap command reference](azacsnap-cmd-ref-configure.md)--
azure-netapp-files Azure Government https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-government.md
description: Learn how to connect to Azure Government to use Azure NetApp Files
- Last updated 11/02/2023
azure-netapp-files Azure Netapp Files Configure Export Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-configure-export-policy.md
- Last updated 07/28/2021
azure-netapp-files Azure Netapp Files Configure Nfsv41 Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-configure-nfsv41-domain.md
Title: Configure NFSv4.1 ID domain for Azure NetApp Files | Microsoft Docs
description: Learn how to configure NFSv4.1 ID domain for using NFSv4.1 with Azure NetApp Files.
- Last updated 07/12/2023
azure-netapp-files Azure Netapp Files Cost Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-cost-model.md
description: Describes the cost model for Azure NetApp Files for managing expens
- Last updated 11/08/2021
azure-netapp-files Azure Netapp Files Create Netapp Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-netapp-account.md
description: Learn how to access Azure NetApp Files and create a NetApp account
- Last updated 10/04/2021
azure-netapp-files Azure Netapp Files Create Volumes Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
description: This article shows you how to create an SMB3 volume in Azure NetApp
- Last updated 05/31/2023
azure-netapp-files Azure Netapp Files Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-volumes.md
description: This article shows you how to create an NFS volume in Azure NetApp
- Last updated 05/28/2023
azure-netapp-files Azure Netapp Files Delegate Subnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-delegate-subnet.md
description: Learn how to delegate a subnet to Azure NetApp Files. Specify the d
- Last updated 09/28/2023
azure-netapp-files Azure Netapp Files Develop With Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-develop-with-rest-api.md
description: The REST API for the Azure NetApp Files service defines HTTP operat
- Last updated 09/30/2022
azure-netapp-files Azure Netapp Files Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-introduction.md
description: Learn about Azure NetApp Files, an Azure native, first-party, enter
- Last updated 01/11/2024
azure-netapp-files Azure Netapp Files Manage Snapshots https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-manage-snapshots.md
Title: Create an on-demand snapshot using Azure NetApp Files | Microsoft Docs
-description: Describes how to create on-demand snapshots with Azure NetApp Files.
+description: Describes how to create on-demand snapshots with Azure NetApp Files.
- Last updated 10/25/2021
azure-netapp-files Azure Netapp Files Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-metrics.md
description: Azure NetApp Files provides metrics on allocated storage, actual st
- Last updated 07/19/2023
azure-netapp-files Azure Netapp Files Mount Unmount Volumes For Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md
description: Learn how to mount an NFS volume for Windows or Linux virtual machi
- Last updated 09/07/2022
azure-netapp-files Azure Netapp Files Network Topologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-network-topologies.md
description: Describes guidelines that can help you design an effective network
- Last updated 08/10/2023
azure-netapp-files Azure Netapp Files Performance Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-performance-considerations.md
description: Learn about performance for Azure NetApp Files, including the relat
- Last updated 08/31/2023
azure-netapp-files Azure Netapp Files Performance Metrics Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-performance-metrics-volumes.md
description: Learn about benchmark testing recommendations for volume performanc
- Last updated 05/08/2023
azure-netapp-files Azure Netapp Files Quickstart Set Up Account Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md
description: Quickstart - Describes how to quickly set up Azure NetApp Files and
- Last updated 02/21/2023
azure-netapp-files Azure Netapp Files Register https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-register.md
description: Learn how to register the NetApp Resource Provider for Azure NetApp
- Last updated 01/21/2022
azure-netapp-files Azure Netapp Files Resize Capacity Pools Or Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-resize-capacity-pools-or-volumes.md
description: Learn how to change the size of a capacity pool or a volume. Resizi
- Last updated 02/21/2023
azure-netapp-files Azure Netapp Files Resource Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-resource-limits.md
description: Describes limits for Azure NetApp Files resources and how to reques
- Last updated 09/29/2023
azure-netapp-files Azure Netapp Files Sdk Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-sdk-cli.md
description: "Learn about supported SDKs for Azure NetApp Files and their publis
- Last updated 09/30/2022
azure-netapp-files Azure Netapp Files Service Levels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-service-levels.md
description: Describes throughput performance for the service levels of Azure Ne
- Last updated 08/02/2022
azure-netapp-files Azure Netapp Files Set Up Capacity Pool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md
Title: Create a capacity pool for Azure NetApp Files | Microsoft Docs
-description: Describes how to create a capacity pool so that you can create volumes within it.
+description: Describes how to create a capacity pool so that you can create volumes within it.
- Last updated 10/23/2023
azure-netapp-files Azure Netapp Files Smb Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-smb-performance.md
description: Helps you understand SMB performance and best practices for Azure N
- Last updated 02/07/2022
azure-netapp-files Azure Netapp Files Solution Architectures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md
description: Provides references to best practices for solution architectures us
- Last updated 09/18/2023
azure-netapp-files Azure Netapp Files Troubleshoot Resource Provider Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-troubleshoot-resource-provider-errors.md
description: Describes causes, solutions, and workarounds for common Azure NetAp
- Last updated 02/09/2022
azure-netapp-files Azure Netapp Files Understand Storage Hierarchy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-understand-storage-hierarchy.md
description: Describes the storage hierarchy, including Azure NetApp Files accou
- Last updated 07/27/2023
azure-netapp-files Azure Netapp Files Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-videos.md
Title: Azure NetApp Files videos | Microsoft Docs
-description: Provides references to videos that contain discussions about using Azure NetApp Files.
+description: Provides references to videos that contain discussions about using Azure NetApp Files.
- Last updated 12/07/2023
azure-netapp-files Azure Policy Definitions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-policy-definitions.md
Title: Azure Policy definitions for Azure NetApp Files | Microsoft Docs
-description: Describes the Azure Policy custom definitions and built-in definitions that you can use with Azure NetApp Files.
+description: Describes the Azure Policy custom definitions and built-in definitions that you can use with Azure NetApp Files.
- Last updated 06/02/2022
azure-netapp-files Backup Configure Manual https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-configure-manual.md
Title: Configure manual backups for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure manual backups for Azure NetApp Files volumes.
+description: Describes how to configure manual backups for Azure NetApp Files volumes.
- Last updated 06/13/2023
If you haven’t done so, enable the backup functionality for the volume before
* [Delete backups of a volume](backup-delete.md) * [Volume backup metrics](azure-netapp-files-metrics.md#volume-backup-metrics) * [Azure NetApp Files backup FAQs](faq-backup.md)--
azure-netapp-files Backup Configure Policy Based https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-configure-policy-based.md
Title: Configure policy-based backups for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure policy-based (scheduled) backups for Azure NetApp Files volumes.
+description: Describes how to configure policy-based (scheduled) backups for Azure NetApp Files volumes.
- Last updated 10/25/2023
azure-netapp-files Backup Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-delete.md
description: Describes how to delete individual backups that you no longer need
- Last updated 10/27/2022
azure-netapp-files Backup Disable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-disable.md
Title: Disable backup functionality for an Azure NetApp Files volume | Microsoft Docs
-description: Describes how to disable the backup functionality for a volume that no longer needs backup protection.
+description: Describes how to disable the backup functionality for a volume that no longer needs backup protection.
- Last updated 10/27/2022
azure-netapp-files Backup Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-introduction.md
Title: Understand Azure NetApp Files backup | Microsoft Docs
-description: Describes what Azure NetApp Files backup does, supported regions, and the cost model.
+description: Describes what Azure NetApp Files backup does, supported regions, and the cost model.
- Last updated 09/29/2023
If you choose to restore a backup of, for example, 600 GiB to a new volume, you'
* [Volume backup metrics](azure-netapp-files-metrics.md#volume-backup-metrics) * [Azure NetApp Files backup FAQs](faq-backup.md) * [How Azure NetApp Files snapshots work](snapshots-introduction.md)--
azure-netapp-files Backup Manage Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-manage-policies.md
Title: Manage backup policies for Azure NetApp Files | Microsoft Docs
-description: Describes how to modify or suspend a backup policy for Azure NetApp Files volumes.
+description: Describes how to modify or suspend a backup policy for Azure NetApp Files volumes.
- Last updated 07/31/2023
azure-netapp-files Backup Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-requirements-considerations.md
Title: Requirements and considerations for Azure NetApp Files backup | Microsoft Docs
-description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files backup.
+description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files backup.
- Last updated 08/15/2023
azure-netapp-files Backup Restore New Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-restore-new-volume.md
Title: Restore a backup to a new Azure NetApp Files volume | Microsoft Docs
-description: Describes how to restore a backup to a new volume.
+description: Describes how to restore a backup to a new volume.
- Last updated 10/17/2023
azure-netapp-files Backup Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-search.md
Title: Search backups of Azure NetApp Files volumes | Microsoft Docs
-description: Describes how to display and search backups of Azure NetApp Files volumes at the volume level and the NetApp account level.
+description: Describes how to display and search backups of Azure NetApp Files volumes at the volume level and the NetApp account level.
- Last updated 09/27/2021
azure-netapp-files Backup Vault Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-vault-manage.md
Title: Manage backup vaults for Azure NetApp Files | Microsoft Docs
-description: Describes how to use backup vaults to manage backups in Azure NetApp Files.
+description: Describes how to use backup vaults to manage backups in Azure NetApp Files.
- Last updated 10/27/2022
azure-netapp-files Configure Access Control Lists https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-access-control-lists.md
Title: Configure access control lists with Azure NetApp Files | Microsoft Docs
description: This article shows you how to configure access control lists (ACLs) on NFSv4.1 with Azure NetApp Files.
- Last updated 12/20/2022
azure-netapp-files Configure Application Volume Group Sap Hana Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-application-volume-group-sap-hana-api.md
Title: Configure application volume groups for SAP HANA using REST API
-description: Setting up your application volume groups for the SAP HANA API requires special configurations.
+ Title: Configure application volume groups for SAP HANA using REST API
+description: Setting up your application volume groups for the SAP HANA API requires special configurations.
- Last updated 04/09/2023
azure-netapp-files Configure Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-customer-managed-keys.md
description: Describes how to configure customer-managed keys for Azure NetApp F
- Last updated 10/02/2023
azure-netapp-files Configure Kerberos Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-kerberos-encryption.md
description: Describes how to configure NFSv4.1 Kerberos encryption for Azure Ne
- Last updated 01/10/2022
azure-netapp-files Configure Ldap Extended Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-ldap-extended-groups.md
Title: Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes | Microsoft Docs
-description: Describes the considerations and steps for enabling LDAP with extended groups when you create an NFS volume by using Azure NetApp Files.
+description: Describes the considerations and steps for enabling LDAP with extended groups when you create an NFS volume by using Azure NetApp Files.
- Last updated 03/17/2023
azure-netapp-files Configure Ldap Over Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-ldap-over-tls.md
Title: Configure AD DS LDAP over TLS for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure AD DS LDAP over TLS for Azure NetApp Files, including root CA certificate management.
+description: Describes how to configure AD DS LDAP over TLS for Azure NetApp Files, including root CA certificate management.
- Last updated 02/23/2023
azure-netapp-files Configure Network Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-network-features.md
Title: Configure network features for an Azure NetApp Files volume | Microsoft Docs
-description: Describes the options for network features and how to configure the Network Features option for a volume.
+description: Describes the options for network features and how to configure the Network Features option for a volume.
- Last updated 11/07/2023
azure-netapp-files Configure Nfs Clients https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-nfs-clients.md
Title: Configure an NFS client for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure NFS clients to use with Azure NetApp Files.
+description: Describes how to configure NFS clients to use with Azure NetApp Files.
- Last updated 05/27/2022
azure-netapp-files Configure Unix Permissions Change Ownership Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-unix-permissions-change-ownership-mode.md
Title: Configure Unix permissions and change ownership mode for Azure NetApp Files NFS and dual-protocol volumes | Microsoft Docs
-description: Describes how to set the Unix permissions and the change ownership mode options for Azure NetApp Files NFS and dual-protocol volumes.
+description: Describes how to set the Unix permissions and the change ownership mode options for Azure NetApp Files NFS and dual-protocol volumes.
- Last updated 02/28/2023
azure-netapp-files Convert Nfsv3 Nfsv41 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/convert-nfsv3-nfsv41.md
Title: Convert an NFS volume between NFSv3 and NFSv4.1 with Azure NetApp Files | Microsoft Docs
-description: Describes how to convert an NFS volume between NFSv3 and NFSv4.1.
+description: Describes how to convert an NFS volume between NFSv3 and NFSv4.1.
- Last updated 11/08/2022
azure-netapp-files Cool Access Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cool-access-introduction.md
description: Explains how to use standard storage with cool access to configure
- Last updated 11/01/2023
azure-netapp-files Create Active Directory Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-active-directory-connections.md
description: This article shows you how to create and manage Active Directory co
- Last updated 11/07/2023
azure-netapp-files Create Cross Zone Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-cross-zone-replication.md
description: This article shows you how to create and manage cross-zone replicat
- Last updated 01/04/2023
azure-netapp-files Create Volumes Dual Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-volumes-dual-protocol.md
description: Describes how to create a volume that uses the dual protocol (NFSv3
- Last updated 06/22/2023
azure-netapp-files Cross Region Replication Create Peering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-create-peering.md
description: Describes how to create volume replication peering for Azure NetApp
- Last updated 02/23/2023
azure-netapp-files Cross Region Replication Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-delete.md
Title: Delete volume replications or volumes for Azure NetApp Files cross-region replication | Microsoft Docs
-description: Describes how to delete a replication connection that is no longer needed between the source and the destination volumes.
+description: Describes how to delete a replication connection that is no longer needed between the source and the destination volumes.
- Last updated 03/22/2023
azure-netapp-files Cross Region Replication Display Health Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-display-health-status.md
description: Describes how to view replication status on the source volume or th
- Last updated 05/16/2022
Create [alert rules in Azure Monitor](../azure-monitor/alerts/alerts-overview.md
* [Volume replication metrics](azure-netapp-files-metrics.md#replication) * [Delete volume replications or volumes](cross-region-replication-delete.md) * [Troubleshoot cross-region replication](troubleshoot-cross-region-replication.md)-
azure-netapp-files Cross Region Replication Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-introduction.md
Title: Cross-region replication of Azure NetApp Files volumes | Microsoft Docs
-description: Describes what Azure NetApp Files cross-region replication does, supported region pairs, service-level objectives, data durability, and cost model.
+description: Describes what Azure NetApp Files cross-region replication does, supported region pairs, service-level objectives, data durability, and cost model.
- Last updated 05/08/2023
azure-netapp-files Cross Region Replication Manage Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-manage-disaster-recovery.md
description: Describes how to manage disaster recovery by using Azure NetApp Fil
- Last updated 11/09/2022
After the resync operation from destination to source is complete, you need to b
* [Volume replication metrics](azure-netapp-files-metrics.md#replication) * [Delete volume replications or volumes](cross-region-replication-delete.md) * [Troubleshoot cross-region replication](troubleshoot-cross-region-replication.md)-
azure-netapp-files Cross Region Replication Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-requirements-considerations.md
Title: Requirements and considerations for Azure NetApp Files cross-region replication | Microsoft Docs
-description: Describes the requirements and considerations for using the volume cross-region replication functionality of Azure NetApp Files.
+description: Describes the requirements and considerations for using the volume cross-region replication functionality of Azure NetApp Files.
- Last updated 02/28/2023
azure-netapp-files Cross Zone Replication Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-zone-replication-introduction.md
description: Describes what Azure NetApp Files cross-zone replication does.
- Last updated 02/17/2023
Replicated volumes are hosted on a [capacity pool](azure-netapp-files-understand
* [Requirements and considerations for using cross-zone replication](cross-zone-replication-requirements-considerations.md) * [Create cross-zone replication](create-cross-zone-replication.md)-
azure-netapp-files Cross Zone Replication Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-zone-replication-requirements-considerations.md
description: Describes the requirements and considerations for using the volume
- Last updated 08/18/2023
azure-netapp-files Data Protection Disaster Recovery Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/data-protection-disaster-recovery-options.md
description: Learn about data protection and disaster recovery options available
- Last updated 07/11/2023
azure-netapp-files Default Individual User Group Quotas Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/default-individual-user-group-quotas-introduction.md
description: Helps you understand the use cases of managing default and individu
- Last updated 02/23/2023
In the following scenario, users `user4` and `user5` are members of `group2`. Th
* [Manage default and individual user and group quotas for a volume](manage-default-individual-user-group-quotas.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md)
-* [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
+* [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
azure-netapp-files Develop Rest Api Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/develop-rest-api-powershell.md
description: Describes how to get started with the Azure NetApp Files REST API u
- Last updated 09/30/2022
azure-netapp-files Disable Showmount https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/disable-showmount.md
description: Showmount on NFS clients has historically been how users can see ex
- Last updated 03/16/2023
The disable showmount capability is currently in preview. If you're using this f
```azurepowershell-interactive
Unregister-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFDisableShowmount
```
- ```
+ ```
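The unregistration step above, as an added PowerShell example that is not part of the article: it reads the registration state of the `ANFDisableShowmount` preview feature under `Microsoft.NetApp`, unregisters it only if it is currently registered, polls until the state settles, and then re-registers the resource provider so the change propagates. The cmdlet names and the feature name come from the page and the Az.Resources module; the polling deadline and the provider re-registration step are assumptions of this example, following the usual pattern for Azure preview features. It assumes Az.Accounts and Az.Resources are installed and that you are already signed in to the subscription that owns the NetApp account.

```powershell
# Added example (not from the article). Assumes Connect-AzAccount has already
# been run against the subscription that owns the Azure NetApp Files account.
$namespace = 'Microsoft.NetApp'
$feature   = 'ANFDisableShowmount'   # preview feature named on the page

function Get-ShowmountFeatureState {
    # RegistrationState is one of Registered / Registering / Unregistered /
    # NotRegistered / Pending for a provider feature.
    (Get-AzProviderFeature -ProviderNamespace $namespace -FeatureName $feature).RegistrationState
}

$before = Get-ShowmountFeatureState
Write-Host "Before: $feature is '$before'"

if ($before -in @('Registered', 'Registering', 'Pending')) {
    Unregister-AzProviderFeature -ProviderNamespace $namespace -FeatureName $feature | Out-Null

    # Feature state changes are asynchronous; poll rather than assume.
    # The 10-minute deadline is an assumption of this example.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 15
        $state = Get-ShowmountFeatureState
        Write-Host "  waiting... current state: $state"
    } while ($state -notin @('Unregistered', 'NotRegistered') -and (Get-Date) -lt $deadline)

    if ($state -notin @('Unregistered', 'NotRegistered')) {
        throw "Timed out waiting for $feature to leave the registered state (last seen: $state)"
    }

    # Assumption: as with other Azure preview features, re-registering the
    # resource provider is what makes a feature-flag change take effect.
    Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null
}

Write-Host "After: $feature is '$(Get-ShowmountFeatureState)'"
```

One caveat worth keeping in mind when turning the feature on or off: hiding the export list from `showmount -e` only removes a reconnaissance convenience for clients on the network; it is not an access control. Whether a client can actually mount a volume is still decided by the volume's export policy, so that policy has to be restrictive regardless of the showmount setting.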
azure-netapp-files Double Encryption At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/double-encryption-at-rest.md
Title: Azure NetApp Files double encryption at rest | Microsoft Docs
-description: Explains Azure NetApp Files double encryption at rest to help you use this feature.
+description: Explains Azure NetApp Files double encryption at rest to help you use this feature.
- Last updated 08/28/2023
azure-netapp-files Dual Protocol Permission Behaviors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/dual-protocol-permission-behaviors.md
Title: Understand dual-protocol security style and permission behaviors in Azure NetApp Files | Microsoft Docs
-description: This article helps you understand dual-protocol security style and permission when you use Azure NetApp Files.
+description: This article helps you understand dual-protocol security style and permission when you use Azure NetApp Files.
- Last updated 08/02/2023
The following figure shows an example of that kind of configuration.
* [Understand the use of LDAP with Azure NetApp Files](lightweight-directory-access-protocol.md) * [Create a dual-protocol volume for Azure NetApp Files](create-volumes-dual-protocol.md) * [Azure NetApp Files NFS FAQ](faq-nfs.md)
-* [Azure NetApp Files SMB FAQ](faq-smb.md)
+* [Azure NetApp Files SMB FAQ](faq-smb.md)
azure-netapp-files Dynamic Change Volume Service Level https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/dynamic-change-volume-service-level.md
description: Describes how to dynamically change the service level of a volume.
- Last updated 05/11/2023
The capacity pool that you want to move the volume to must already exist. The ca
* [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md) * [Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md) * [Metrics for Azure NetApp Files](azure-netapp-files-metrics.md)
-* [Troubleshoot issues for changing the capacity pool of a volume](troubleshoot-capacity-pools.md#issues-when-changing-the-capacity-pool-of-a-volume)
+* [Troubleshoot issues for changing the capacity pool of a volume](troubleshoot-capacity-pools.md#issues-when-changing-the-capacity-pool-of-a-volume)
azure-netapp-files Enable Continuous Availability Existing SMB https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/enable-continuous-availability-existing-SMB.md
Title: Enable Continuous Availability on existing Azure NetApp Files SMB volumes | Microsoft Docs
-description: Describes how to enable SMB Continuous Availability on existing Azure NetApp Files SMB volume.
+description: Describes how to enable SMB Continuous Availability on existing Azure NetApp Files SMB volume.
- Last updated 05/31/2023
azure-netapp-files Faq Application Resilience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-application-resilience.md
Title: Application resilience FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files application resilience. -
azure-netapp-files Faq Application Volume Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-application-volume-group.md
Title: FAQs About Azure NetApp Files application volume group | Microsoft Docs description: answers frequently asked questions (FAQs) about Azure NetApp Files application volume group. -
azure-netapp-files Faq Backup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-backup.md
Title: Azure NetApp Files backup FAQs | Microsoft Docs description: Answers frequently asked questions (FAQs) about using the Azure NetApp Files backup feature. -
azure-netapp-files Faq Capacity Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-capacity-management.md
Title: FAQs About Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files capacity management. -
azure-netapp-files Faq Data Migration Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-data-migration-protection.md
Title: Data migration and protection FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files data migration and protection. -
azure-netapp-files Faq Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-integration.md
Title: Integration FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about using other products or services with Azure NetApp Files. -
azure-netapp-files Faq Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-networking.md
Title: Networking FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files networking. -
azure-netapp-files Faq Nfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-nfs.md
Title: NFS FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about the NFS protocol of Azure NetApp Files. -
azure-netapp-files Faq Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-performance.md
Title: Performance FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files Performance. -
Jumbo frames are not supported with Azure virtual machines.
- [Data migration and protection FAQs](faq-data-migration-protection.md) - [Azure NetApp Files backup FAQs](faq-backup.md) - [Application resilience FAQs](faq-application-resilience.md)-- [Integration FAQs](faq-integration.md)
+- [Integration FAQs](faq-integration.md)
azure-netapp-files Faq Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-security.md
Title: Security FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files security. -
The AD Connector credentials are stored in the Azure NetApp Files control plane
- [Data migration and protection FAQs](faq-data-migration-protection.md) - [Azure NetApp Files backup FAQs](faq-backup.md) - [Application resilience FAQs](faq-application-resilience.md)-- [Integration FAQs](faq-integration.md)
+- [Integration FAQs](faq-integration.md)
azure-netapp-files Faq Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-smb.md
Title: SMB FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about the SMB protocol of Azure NetApp Files. -
azure-netapp-files Join Active Directory Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/join-active-directory-domain.md
description: Describes how to join a Linux VM to a Microsoft Entra Domain
- Last updated 12/20/2022
azure-netapp-files Large Volumes Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/large-volumes-requirements-considerations.md
Title: Requirements and considerations for large volumes | Microsoft Docs
-description: Describes the requirements and considerations you need to be aware of before using large volumes.
+description: Describes the requirements and considerations you need to be aware of before using large volumes.
- Last updated 11/02/2023
azure-netapp-files Lightweight Directory Access Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/lightweight-directory-access-protocol.md
Title: Understand the use of LDAP with Azure NetApp Files | Microsoft Learn
-description: This article helps you understand how Azure NetApp Files uses lightweight directory access protocol (LDAP).
+description: This article helps you understand how Azure NetApp Files uses lightweight directory access protocol (LDAP).
- Last updated 08/05/2023
azure-netapp-files Manage Availability Zone Volume Placement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-availability-zone-volume-placement.md
description: Describes how to create a volume with an availability zone by using
- Last updated 01/13/2023
azure-netapp-files Manage Billing Tags https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-billing-tags.md
description: Describes how to manage Azure NetApp Files billing by using tags.
- Last updated 05/06/2021
Billing tags are assigned at the capacity pool level, not volume level.
## Next steps
-[Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md)
+[Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md)
azure-netapp-files Manage Cool Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-cool-access.md
Title: Manage Azure NetApp Files standard storage with cool access
+ Title: Manage Azure NetApp Files standard storage with cool access
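Review bot: the added `Title:` line duplicates the unchanged `Title:` line immediately above it with the same text; if this is meant to be a whitespace fix to the existing title, the old line should appear as a `-` line in this hunk, otherwise the front matter ends up with two title keys.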
description: Learn how to free up storage by configuring inactive data to move from Azure NetApp Files Standard service-level storage (the hot tier) to an Azure storage account (the cool tier).
- Last updated 01/16/2023
azure-netapp-files Manage Default Individual User Group Quotas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-default-individual-user-group-quotas.md
Title: Manage default and individual user and group quotas for Azure NetApp Files volumes | Microsoft Docs
+ Title: Manage default and individual user and group quotas for Azure NetApp Files volumes | Microsoft Docs
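Review bot: same problem as the cool-access file above: the added `Title:` line repeats the unchanged `Title:` line directly before it, so either the old line is missing from the hunk as a `-` line or the file now carries a duplicate title key; confirm which before merging.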
description: Describes the considerations and steps for managing user and group quotas for Azure NetApp Files volumes.
- Last updated 06/14/2023
azure-netapp-files Manage Manual Qos Capacity Pool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-manual-qos-capacity-pool.md
description: Describes how to manage a capacity pool that uses the manual QoS ty
- Last updated 06/14/2021
azure-netapp-files Manage Smb Share Access Control Lists https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-smb-share-access-control-lists.md
- Last updated 11/03/2023
azure-netapp-files Modify Active Directory Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/modify-active-directory-connections.md
Title: Modify an Active Directory Connection for Azure NetApp Files | Microsoft
description: This article shows you how to modify Active Directory connections for Azure NetApp Files.
- Last updated 02/21/2023
azure-netapp-files Monitor Azure Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/monitor-azure-netapp-files.md
description: Describes ways to monitor Azure NetApp Files, including the Activit
- Last updated 01/24/2022
azure-netapp-files Monitor Volume Capacity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/monitor-volume-capacity.md
Title: Monitor the capacity of an Azure NetApp Files volume | Microsoft Docs
-description: Describes ways to monitor the capacity utilization of an Azure NetApp Files volume.
+description: Describes ways to monitor the capacity utilization of an Azure NetApp Files volume.
- Last updated 09/30/2022
azure-netapp-files Mount Volumes Vms Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/mount-volumes-vms-smb.md
description: Learn how to mount SMB volumes for Windows virtual machines.
- Last updated 08/18/2022
You can mount an SMB file for Windows virtual machines (VMs).
* [Mount NFS volumes for Windows or Linux VMs](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md) * [SMB FAQs](faq-smb.md)
-* [Network File System overview](/windows-server/storage/nfs/nfs-overview)
+* [Network File System overview](/windows-server/storage/nfs/nfs-overview)
azure-netapp-files Network Attached File Permissions Nfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-file-permissions-nfs.md
Title: Understand NFS file permissions in Azure NetApp Files
-description: Learn about mode bits in NFS workloads on Azure NetApp Files.
+description: Learn about mode bits in NFS workloads on Azure NetApp Files.
- Last updated 11/13/2023
drwxr-xr-x. 2 root root 4096 Apr 23 14:39 umask_dir
## Next steps * [Understand auxiliary/supplemental groups with NFS](auxiliary-groups.md)
-* [Understand NFSv4.x access control lists](nfs-access-control-lists.md)
+* [Understand NFSv4.x access control lists](nfs-access-control-lists.md)
azure-netapp-files Network Attached File Permissions Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-file-permissions-smb.md
Title: Understand SMB file permissions in Azure NetApp Files
-description: Learn about SMB file permissions options in Azure NetApp Files.
+description: Learn about SMB file permissions options in Azure NetApp Files.
- Last updated 11/13/2023
For a complete overview of NTFS-style ACLs, see [Microsoft Access Control overvi
## Next steps
-* [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)
+* [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)
azure-netapp-files Network Attached File Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-file-permissions.md
Title: Understand NAS file permissions in Azure NetApp Files
-description: Learn about NAS file permissions options in Azure NetApp Files.
+description: Learn about NAS file permissions options in Azure NetApp Files.
- Last updated 11/13/2023
Folders can be assigned inheritance flags, which means that parent folder permis
* [Understand NFS file permissions](network-attached-file-permissions-nfs.md) * [Understand SMB file permissions](network-attached-file-permissions-smb.md)
-* [Understand NAS share permissions in Azure NetApp Files](network-attached-storage-permissions.md)
+* [Understand NAS share permissions in Azure NetApp Files](network-attached-storage-permissions.md)
azure-netapp-files Network Attached Storage Concept https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-storage-concept.md
Title: Understand NAS concepts in Azure NetApp Files | Microsoft Docs
-description: This article covers important information about NAS volumes when using Azure NetApp Files.
+description: This article covers important information about NAS volumes when using Azure NetApp Files.
- Last updated 06/26/2023
azure-netapp-files Network Attached Storage Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-storage-permissions.md
Title: Understand NAS share permissions in Azure NetApp Files
-description: Learn about NAS share permissions options in Azure NetApp Files.
+description: Learn about NAS share permissions options in Azure NetApp Files.
- Last updated 11/13/2023
azure-netapp-files Network Attached Storage Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-storage-protocols.md
Title: Understand NAS protocols in Azure NetApp Files | Microsoft Learn
-description: Learn how SMB, NFS, and dual protocols operate in Azure NetApp Files.
+description: Learn how SMB, NFS, and dual protocols operate in Azure NetApp Files.
- Last updated 08/02/2023
azure-netapp-files Network File System Group Memberships https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-file-system-group-memberships.md
Title: Understand NFS group memberships and supplemental groups for Azure NetApp Files | Microsoft Learn
-description: This article helps you understand NFS group memberships and supplemental groups as they apply to Azure NetApp Files.
+description: This article helps you understand NFS group memberships and supplemental groups as they apply to Azure NetApp Files.
- Last updated 08/02/2023
azure-netapp-files Nfs Access Control Lists https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/nfs-access-control-lists.md
Title: Understand NFSv4.x access control lists in Azure NetApp Files
-description: Learn about using NFSv4.x access control lists in Azure NetApp Files.
+description: Learn about using NFSv4.x access control lists in Azure NetApp Files.
- Last updated 11/13/2023
Alternatively, in dual-protocol environments, NTFS ACLs can be used to granularl
## Next steps * [Configure NFS clients](configure-nfs-clients.md)
-* [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md)
+* [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md)
azure-netapp-files Performance Azure Vmware Solution Datastore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-azure-vmware-solution-datastore.md
description: Describes considerations for Azure VMware Solution (AVS) datastore
- Last updated 11/12/2023
azure-netapp-files Performance Benchmarks Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-benchmarks-azure-vmware-solution.md
description: Describes performance benchmarks that Azure NetApp Files datastores
- Last updated 03/15/2023
azure-netapp-files Performance Benchmarks Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-benchmarks-linux.md
Title: Azure NetApp Files performance benchmarks for Linux | Microsoft Docs
-description: Describes performance benchmarks Azure NetApp Files delivers for Linux.
+description: Describes performance benchmarks Azure NetApp Files delivers for Linux.
- Last updated 09/29/2021
azure-netapp-files Performance Impact Kerberos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-impact-kerberos.md
Title: Performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes | Microsoft Docs
-description: Describes the available security options, the tested performance vectors, and the expected performance impact of kerberos on Azure NetApp Files NFSv4.1 volumes.
+description: Describes the available security options, the tested performance vectors, and the expected performance impact of kerberos on Azure NetApp Files NFSv4.1 volumes.
- Last updated 08/22/2022
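Review bot: `kerberos` in the added `description:` line should be capitalized as `Kerberos`, matching the `Title:` line two lines above; since the line is already being touched for whitespace, fix the casing in the same change.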
azure-netapp-files Performance Linux Concurrency Session Slots https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-concurrency-session-slots.md
Title: Linux concurrency best practices for Azure NetApp Files - Session slots and slot table entries | Microsoft Docs
-description: Describes best practices about session slots and slot table entries for Azure NetApp Files NFS protocol.
+description: Describes best practices about session slots and slot table entries for Azure NetApp Files NFS protocol.
- Last updated 08/02/2021
azure-netapp-files Performance Linux Direct Io https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-direct-io.md
Title: Linux direct I/O best practices for Azure NetApp Files | Microsoft Docs
-description: Describes Linux direct I/O and the best practices to follow for Azure NetApp Files.
+description: Describes Linux direct I/O and the best practices to follow for Azure NetApp Files.
- Last updated 07/02/2021
azure-netapp-files Performance Linux Filesystem Cache https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-filesystem-cache.md
Title: Linux filesystem cache best practices for Azure NetApp Files | Microsoft Docs
-description: Describes Linux filesystem cache best practices to follow for Azure NetApp Files.
+description: Describes Linux filesystem cache best practices to follow for Azure NetApp Files.
- Last updated 07/02/2021
azure-netapp-files Performance Linux Mount Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-mount-options.md
Title: Linux NFS mount options best practices for Azure NetApp Files | Microsoft Docs
-description: Describes mount options and the best practices about using them with Azure NetApp Files.
+description: Describes mount options and the best practices about using them with Azure NetApp Files.
- Last updated 12/07/2022
azure-netapp-files Performance Linux Nfs Read Ahead https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-nfs-read-ahead.md
description: Describes filesystem cache and Linux NFS read-ahead best practices
- Last updated 09/29/2022
azure-netapp-files Performance Oracle Multiple Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-oracle-multiple-volumes.md
description: Migrating highly performant Exadata grade databases to the cloud is
- Last updated 05/04/2023
azure-netapp-files Performance Oracle Single Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-oracle-single-volumes.md
Title: Oracle database performance on Azure NetApp Files single volume | Microsoft Docs
-description: Describes performance test results of a Azure NetApp Files single volume on Oracle database.
+description: Describes performance test results of a Azure NetApp Files single volume on Oracle database.
- Last updated 08/04/2022
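Review bot: the added `description:` line keeps the grammatical error "a Azure NetApp Files single volume"; it should read "an Azure NetApp Files single volume", and because the line is already modified in this hunk the fix belongs here rather than in a follow-up.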
In summary, Azure NetApp Files helps you take your Oracle databases to the cloud
## Next steps - [Performance benchmark test recommendations for Azure NetApp Files](azure-netapp-files-performance-metrics-volumes.md)-- [Performance benchmarks for Linux](performance-benchmarks-linux.md)
+- [Performance benchmarks for Linux](performance-benchmarks-linux.md)
azure-netapp-files Performance Virtual Machine Sku https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-virtual-machine-sku.md
Title: Azure virtual machine SKUs best practices for Azure NetApp Files | Microsoft Docs
-description: Describes Azure NetApp Files best practices about Azure virtual machine SKUs, including differences within and between SKUs.
+description: Describes Azure NetApp Files best practices about Azure virtual machine SKUs, including differences within and between SKUs.
- Last updated 07/02/2021
azure-netapp-files Reestablish Deleted Volume Relationships https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/reestablish-deleted-volume-relationships.md
Title: Re-establish deleted volume replication relationships in Azure NetApp Files
-description: You can re-establish the replication relationship between volumes.
+description: You can re-establish the replication relationship between volumes.
- Last updated 02/21/2023
azure-netapp-files Regional Capacity Quota https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/regional-capacity-quota.md
description: Explains regional capacity quota of Azure NetApp Files.
- Last updated 10/11/2021
azure-netapp-files Request Region Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/request-region-access.md
description: Describes how to request access to a region for using Azure NetApp
- Last updated 11/15/2021
azure-netapp-files Snapshots Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-delete.md
Title: Delete snapshots using Azure NetApp Files | Microsoft Docs
-description: Describes how to delete snapshots by using Azure NetApp Files.
+description: Describes how to delete snapshots by using Azure NetApp Files.
- Last updated 09/16/2021
azure-netapp-files Snapshots Edit Hide Path https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-edit-hide-path.md
Title: Edit the Hide Snapshot Path option of Azure NetApp Files | Microsoft Docs
-description: Describes how to control the visibility of a snapshot volume with Azure NetApp Files.
+description: Describes how to control the visibility of a snapshot volume with Azure NetApp Files.
- Last updated 09/16/2021
The Hide Snapshot Path option controls whether the snapshot path of a volume is
## Next steps
-* [Learn more about snapshots](snapshots-introduction.md)
+* [Learn more about snapshots](snapshots-introduction.md)
azure-netapp-files Snapshots Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-introduction.md
Title: How Azure NetApp Files snapshots work | Microsoft Docs
-description: Explains how Azure NetApp Files snapshots work, including ways to create snapshots, ways to restore snapshots, how to use snapshots in cross-region replication settings.
+description: Explains how Azure NetApp Files snapshots work, including ways to create snapshots, ways to restore snapshots, how to use snapshots in cross-region replication settings.
- Last updated 11/22/2022
azure-netapp-files Snapshots Manage Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-manage-policy.md
Title: Manage snapshot policies in Azure NetApp Files | Microsoft Docs
-description: Describes how to create, manage, modify, and delete snapshot policies by using Azure NetApp Files.
+description: Describes how to create, manage, modify, and delete snapshot policies by using Azure NetApp Files.
- Last updated 05/18/2023
azure-netapp-files Snapshots Restore File Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-restore-file-client.md
Title: Restore a file from a snapshot using a client with Azure NetApp Files | Microsoft Docs
-description: Describes how to restore a file from a snapshot using a client with the volume mounted using Azure NetApp Files.
+description: Describes how to restore a file from a snapshot using a client with the volume mounted using Azure NetApp Files.
- Last updated 09/16/2021
NFSv4.1 does not show the `.snapshot` directory (`ls -la`). However, when the Hi
* [Learn more about snapshots](snapshots-introduction.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md) * [Azure NetApp Files Snapshots 101 video](https://www.youtube.com/watch?v=uxbTXhtXCkw)
-* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
+* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
azure-netapp-files Snapshots Restore File Single https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-restore-file-single.md
Title: Restore individual files in Azure NetApp Files using single-file snapshot restore | Microsoft Docs
-description: Describes how to recover individual files directly within a volume from a snapshot.
+description: Describes how to recover individual files directly within a volume from a snapshot.
- Last updated 05/04/2023
From the Azure portal:
* [Learn more about snapshots](snapshots-introduction.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md)
-* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
+* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
azure-netapp-files Snapshots Restore New Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-restore-new-volume.md
description: Describes how to create a new volume from a snapshot by using Azure
- Last updated 02/22/2023
azure-netapp-files Snapshots Revert Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-revert-volume.md
Title: Revert a volume using snapshot revert with Azure NetApp Files | Microsoft Docs
-description: Describes how to revert a volume to an earlier state using Azure NetApp Files.
+description: Describes how to revert a volume to an earlier state using Azure NetApp Files.
- Last updated 02/28/2023
azure-netapp-files Solutions Benefits Azure Netapp Files Electronic Design Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-benefits-azure-netapp-files-electronic-design-automation.md
Title: Benefits of using Azure NetApp Files for electronic design automation | Microsoft Docs
-description: Explains the solution Azure NetApp Files provides for meeting the needs of the semiconductor and chip design industry. Presents test scenarios running a standard industry benchmark for electronic design automation (EDA) using Azure NetApp Files.
+description: Explains the solution Azure NetApp Files provides for meeting the needs of the semiconductor and chip design industry. Presents test scenarios running a standard industry benchmark for electronic design automation (EDA) using Azure NetApp Files.
- Last updated 04/24/2020
azure-netapp-files Solutions Benefits Azure Netapp Files Oracle Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-benefits-azure-netapp-files-oracle-database.md
Title: Benefits of using Azure NetApp Files with Oracle Database | Microsoft Docs
-description: Describes the technology and provides a performance comparison between Oracle Direct NFS (dNFS) and the traditional NFS client. Shows the advantages of using dNFS with Azure NetApp Files.
+description: Describes the technology and provides a performance comparison between Oracle Direct NFS (dNFS) and the traditional NFS client. Shows the advantages of using dNFS with Azure NetApp Files.
- Last updated 08/04/2022
You can enhance the performance of Oracle dNFS with the Azure NetApp Files servi
## Next steps - [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)-- [Overview of Oracle Applications and solutions on Azure](../virtual-machines/workloads/oracle/oracle-overview.md)
+- [Overview of Oracle Applications and solutions on Azure](../virtual-machines/workloads/oracle/oracle-overview.md)
azure-netapp-files Solutions Benefits Azure Netapp Files Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-benefits-azure-netapp-files-sql-server.md
Title: Benefits of using Azure NetApp Files for SQL Server deployment | Microsoft Docs
-description: Shows a detailed cost analysis performance benefits about using Azure NetApp Files for SQL Server deployment.
+description: Shows a detailed cost analysis performance benefits about using Azure NetApp Files for SQL Server deployment.
- Last updated 05/19/2021
With Azure NetApp Files, you can increase SQL server performance while reducing
* [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md) * [Solution architectures using Azure NetApp Files ΓÇô SQL Server](azure-netapp-files-solution-architectures.md#sql-server) -
azure-netapp-files Solutions Windows Virtual Desktop https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-windows-virtual-desktop.md
description: Provides best practice guidance and sample blueprints on deploying
- Last updated 08/13/2020
When building a POD based architecture like this, assigning users to the correct
## Next steps -- [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)
+- [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)
azure-netapp-files Storage Service Add Ons https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/storage-service-add-ons.md
description: Describes the services provided through the storage service add-ons
- Last updated 06/15/2021
azure-netapp-files Terraform Manage Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/terraform-manage-volume.md
Title: Update Terraform-managed Azure resource
-description: Learn how to safely update Terraform-managed Azure resources to ensure the safety of your data.
+ Title: Update Terraform-managed Azure resource
+description: Learn how to safely update Terraform-managed Azure resources to ensure the safety of your data.
- Last updated 12/20/2023
azure-netapp-files Test Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/test-disaster-recovery.md
Title: Test disaster recovery for Azure NetApp Files | Microsoft Docs
-description: Enhance your disaster recovery preparedness with this test plan for cross-region replication.
+description: Enhance your disaster recovery preparedness with this test plan for cross-region replication.
- Last updated 09/26/2023
azure-netapp-files Tools Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/tools-reference.md
Title: Azure NetApp Files tools
-description: Learn about the tools available to you to maximize your experience and savings with Azure NetApp Files.
+ Title: Azure NetApp Files tools
+description: Learn about the tools available to you to maximize your experience and savings with Azure NetApp Files.
- Last updated 01/12/2023
azure-netapp-files Troubleshoot Application Volume Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-application-volume-groups.md
Title: Troubleshoot application volume group errors for Azure NetApp Files | Microsoft Docs
-description: Describes error or warning conditions and their resolutions for application volume groups for Azure NetApp Files.
+description: Describes error or warning conditions and their resolutions for application volume groups for Azure NetApp Files.
- Last updated 11/19/2021
azure-netapp-files Troubleshoot Capacity Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-capacity-pools.md
Title: Troubleshoot capacity pool errors for Azure NetApp Files | Microsoft Docs
-description: Describes potential issues you might have when managing capacity pools and provides solutions for the issues.
+description: Describes potential issues you might have when managing capacity pools and provides solutions for the issues.
- Last updated 04/18/2022
azure-netapp-files Troubleshoot Cross Region Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-cross-region-replication.md
Title: Troubleshoot cross-region replication errors for Azure NetApp Files | Microsoft Docs
-description: Describes error messages and resolutions that can help you troubleshoot cross-region replication issues for Azure NetApp Files.
+description: Describes error messages and resolutions that can help you troubleshoot cross-region replication issues for Azure NetApp Files.
- Last updated 08/02/2022
azure-netapp-files Troubleshoot Diagnose Solve Problems https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-diagnose-solve-problems.md
Title: Troubleshoot Azure NetApp Files using diagnose and solve problems tool
-description: Describes how to use the Azure diagnose and solve problems tool to troubleshoot issues of Azure NetApp Files.
+ Title: Troubleshoot Azure NetApp Files using diagnose and solve problems tool
+description: Describes how to use the Azure diagnose and solve problems tool to troubleshoot issues of Azure NetApp Files.
- Last updated 10/15/2023
For more information about using this tool, see [Diagnostics and solve tool - Az
* [Troubleshoot cross-region replication errors](troubleshoot-cross-region-replication.md) * [Troubleshoot Resource Provider errors](azure-netapp-files-troubleshoot-resource-provider-errors.md) * [Troubleshoot user access on LDAP volumes](troubleshoot-user-access-ldap.md)
-* [Troubleshoot file locks](troubleshoot-file-locks.md)
+* [Troubleshoot file locks](troubleshoot-file-locks.md)
azure-netapp-files Troubleshoot File Locks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-file-locks.md
Title: Troubleshoot file locks for an Azure NetApp Files volume | Microsoft Docs
-description: This article explains how to break file locks in an Azure NetApp Files volume.
+description: This article explains how to break file locks in an Azure NetApp Files volume.
- Last updated 05/03/2023
You can break file locks for all files in a volume or break all file locks initi
## Next steps * [NFS FAQs for Azure NetApp Files](faq-nfs.md)
-* [SMB FAQs for Azure NetApp Files](faq-smb.md)
+* [SMB FAQs for Azure NetApp Files](faq-smb.md)
azure-netapp-files Troubleshoot Snapshot Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-snapshot-policies.md
Title: Troubleshoot snapshot policy errors for Azure NetApp Files | Microsoft Docs
-description: Describes error messages and resolutions that can help you troubleshoot snapshot policy management issues for Azure NetApp Files.
+description: Describes error messages and resolutions that can help you troubleshoot snapshot policy management issues for Azure NetApp Files.
- Last updated 09/23/2020
azure-netapp-files Troubleshoot User Access Ldap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-user-access-ldap.md
Title: Troubleshoot user access on LDAP volumes | Microsoft Docs
-description: Describes the steps for troubleshooting user access on LDAP-enabled volumes.
+description: Describes the steps for troubleshooting user access on LDAP-enabled volumes.
- Last updated 09/06/2023
azure-netapp-files Troubleshoot Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-volumes.md
description: Describes error messages and resolutions that can help you troubles
- Last updated 02/21/2023
azure-netapp-files Understand Data Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-data-encryption.md
+
+ Title: Understand data encryption in Azure NetApp Files
+description: Learn about data encryption at-rest and in-transit in Azure NetApp Files.
++++ Last updated : 02/02/2024++
+# Understand data encryption in Azure NetApp Files
+
+Azure NetApp Files encrypts data through two different methods:
+
+* **Encryption at-rest**: Data is encrypted in-place using FIPS 140-2 compliant standards.
+* **Encryption in-transit**: Data is encrypted in transit--or over the wire--as it's transferred between client and server.
+
+## Understand encryption at-rest
+
+Data at-rest in Azure NetApp Files can be encrypted in two ways:
+* Single encryption uses software-based encryption for Azure NetApp Files volumes.
+* [Double encryption](double-encryption-at-rest.md) adds hardware-level encryption at the physical storage device layer.
+
+Azure NetApp Files uses standard CryptoMod to generate AES-256 encryption keys. [CryptoMod](https://public.cyber.mil/pki-pke/cryptographic-modernization/) is listed on the CMVP FIPS 140-2 validated modules list; for more information, seeΓÇ»[FIPS 140-2 Cert #4144](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4144). Encryption keys are associated with the volumes and can be Microsoft [platform-managed keys](faq-security.md#how-are-encryption-keys-managed) or [customer-managed keys](configure-customer-managed-keys.md).
+
+## Understand data in-transit encryption
+
+In addition to securing data at-rest, Azure NetApp Files can secure data when it's in-transit between endpoints. The encryption method used depends on the protocol or feature. DNS isn't encrypted in-transit in Azure NetApp files. Continue reading to learn about SMB and NFS encryption, LDAP, and data replication in Azure NetApp Files.
+
+### SMB encryption
+
+Windows SMB clients using the SMB3.x protocol version natively support [SMB encryption](/windows-server/storage/file-server/smb-security). [SMB encryption is conducted end-to-end](network-attached-storage-permissions.md) and encrypts the entirety of the SMB conversation using AES-256-GCM/AES-128-GCM and AES-256-CCM/AES-128-CCM cryptographic suites.
+
+SMB encryption isn't required for Azure NetApp Files volumes, but can be used for extra security. SMB encryption does add a performance overhead. To learn more about performance considerations with SMB encryption, see [SMB performance best practices for Azure NetApp Files](azure-netapp-files-smb-performance.md).
+
+#### Requiring encryption for SMB connections
+
+Azure NetApp Files provides an option to [enforce encryption on all SMB connections](create-active-directory-connections.md). Enforcing encryption disallows unencrypted SMB communication and uses SMB3 and later for SMB connections. Encryption is performed using AES encryption and encrypts all SMB packets. For this feature to work properly, SMB clients must support SMB encryption. If the SMB client doesn't support encryption and SMB3, then SMB connections are disallowed. If this option is enabled, all shares that have the same IP address require encryption, thus overriding the SMB share property setting for encryption.
+
+#### SMB share-level encryption
+
+Alternatively, encryption can be set at the level of [individual share of an Azure NetApp Files volume](azure-netapp-files-create-volumes-smb.md#smb3-encryption).
+
+#### UNC hardening
+
+In 2015, Microsoft introduced UNC hardening ([MS15-011](https://technet.microsoft.com/library/security/ms15-011) and [MS15-014](https://technet.microsoft.com/library/security/ms15-014)) to address remote network path vulnerabilities that could allow remote code execution across SMB shares. For more information, see [MS15-011 & MS15-014: Hardening Group Policy](https://msrc.microsoft.com/blog/2015/02/ms15-011-ms15-014-hardening-group-policy/).
+
+UNC hardening provides three options for securing UNC paths:
+
+* `RequireMutualAuthentication` ΓÇô Identity authentication required/not required to block spoofing attacks.
+* `RequireIntegrity` ΓÇô Integrity checking required/not required to block tampering attacks.
+* `RequirePrivacy` ΓÇô Privacy (total encryption of SMB packets) enabled/disabled to prevent traffic sniffing.
+
+Azure NetApp Files supports all three forms of UNC hardening.
+
+### NFS Kerberos
+
+Azure NetApp Files also provides [the ability to encrypt NFSv4.1 conversations via Kerberos authentication](configure-kerberos-encryption.md) using AES-256-GCM/AES-128-GCM and AES-256-CCM/AES-128-CCM cryptographic suites.
+
+With NFS Kerberos, Azure NetApp Files supports three different security flavors:
+
+* Kerberos 5 (`krb5`) ΓÇô Initial authentication only; requires a Kerberos ticket exchange/user sign-in to access the NFS export. NFS packets are not encrypted.
+* Kerberos 5i (`krb5i`) ΓÇô Initial authentication and integrity checking; requires a Kerberos ticket exchange/user sign-in to access the NFS export and adds integrity checks to each NFS packet to prevent man-in-the-middle attacks (MITM).
+* Kerberos 5p (`krb5p`) ΓÇô Initial authentication, integrity checking and privacy; requires a Kerberos ticket exchange/user sign-in to access the NFS export, performs integrity checks and applies a GSS wrapper to each NFS packet to encrypt its contents.
+
+Each Kerberos encryption level has an effect on performance. As the encryption types and security flavors incorporate more secure methods, the performance effect increases. For instance, `krb5` performs better than `krb5i`, krb5i performs better than `krb5p`, AES-128 perform better than AES-256, and so on. For more information about the performance effect of NFS Kerberos in Azure NetApp Files, see [Performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes](performance-impact-kerberos.md).
+
+>[!NOTE]
+>NFS Kerberos is only supported with NFSv4.1 in Azure NetApp Files.
+
+In the following image, Kerberos 5 (`krb5`) is used; only the initial authentication request (the sign in/ticket acquisition) is encrypted. All other NFS traffic arrives in plain text.
++
+When using Kerberos 5i (`krb5i`; integrity checking), a trace show that the NFS packets aren't encrypted, but there's a GSS/Kerberos wrapper added to the packet that requires the client and server ensure the integrity of the data transferred using a checksum.
++
+Kerberos 5p (privacy; `krb5p`) provides end-to-end encryption of all NFS traffic as shown in the trace image using a GSS/Kerberos wrapper. This method creates the most performance overhead due to the need to process every NFS packetΓÇÖs encryption.
++
+## Data replication
+
+In Azure NetApp Files, you can replicate entire volumes [across zones or regions in Azure to provide data protection](data-protection-disaster-recovery-options.md). Since the replication traffic resides in the Azure cloud, the transfers take place in the secure Azure network infrastructure, which is limited in access to prevent packet sniffing and man-in-the-middle attacks (eavesdropping or impersonating in-between communication endpoints). In addition, the replication traffic is encrypted using FIPS 140-2 compliant TLS 1.2 standards. For details, see [Security FAQs](faq-security.md#is-azure-netapp-files-cross-region-and-cross-zone-replication-traffic-encrypted).
+
+## LDAP encryption
+
+Normally, LDAP search and bind traffic passes over the wire in plain text, meaning anyone with access to sniff network packets can gain information from the LDAP server such as usernames, numeric IDs, group memberships, etc. This information can then be used to spoof users, send emails for phishing attacks, etc.
+
+To protect LDAP communications from being intercepted and read, LDAP traffic can leverage over-the-wire encryption leveraging AES and TLS 1.2 via LDAP signing and LDAP over TLS, respectively. For details on configuring these options, see [Create and manage Active Directory connections](create-active-directory-connections.md#ldap-signing).
+
+### LDAP signing
+
+LDAP signing is specific to connections on Microsoft Active Directory servers that are hosting UNIX identities for users and groups. This functionality enables integrity verification for Simple Authentication and Security Layer (SASL) LDAP binds to AD servers hosting LDAP connections. Signing does not require configuration of security certificates because it uses GSS-API communication with Active DirectoryΓÇÖs Kerberos Key Distribution Center (KDC) services. LDAP signing only checks the integrity of an LDAP packet; it does not encrypt the payload of the packet.
++
+LDAP signing can also be [configured from the Windows server side](/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server) via Group Policy to either be [opportunistic with LDAP signing (none ΓÇô support if requested by client) or to enforce LDAP signing (require)](/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements). LDAP signing can add some performance overhead to LDAP traffic that usually isn't noticeable to end users.
+
+Windows Active Directory also enables you to use LDAP signing and sealing (end-to-end encryption of LDAP packets). Azure NetApp Files doesn't support this feature.
+
+### LDAP channel binding
+
+Because of a security vulnerability discovered in Windows Active Directory domain controllers, a default setting was changed for Windows servers. For details, see [Microsoft Security Advisory ADV190023](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV190023).
+
+Essentially, Microsoft recommends that administrators enable LDAP signing along with channel binding. If the LDAP client supports channel binding tokens and LDAP signing, channel binding and signing are required, and registry options are set by the new Microsoft patch.
+
+Azure NetApp Files, by default, supports LDAP channel binding opportunistically, meaning LDAP channel binding is used when the client supports it. If it doesn't support/send channel binding, communication is still allowed, and channel binding isn't enforced.
+
+### LDAP over SSL (port 636)
+
+LDAP traffic in Azure NetApp Files passes over port 389 in all cases. This port cannot be modified. LDAP over SSL (LDAPS) isn't supported and is considered legacy by most LDAP server vendors ([RFC 1777](https://www.ietf.org/rfc/rfc1777.txt) was published in 1995). If you want to use LDAP encryption with Azure NetApp Files, use LDAP over TLS.
+
+### LDAP over StartTLS
+
+LDAP over StartTLS was introduced with [RFC 2830](https://www.ietf.org/rfc/rfc2830.txt) in 2000 and was combined into the LDAPv3 standard with [RFC 4511](https://www.ietf.org/rfc/rfc2830.txt) in 2006. After StartTLS was made a standard, LDAP vendors began to refer to LDAPS as deprecated.
+
+LDAP over StartTLS uses port 389 for the LDAP connection. After the initial LDAP connection has been made, a StartTLS OID is exchanged and certificates are compared; then all LDAP traffic is encrypted by using TLS. The packet capture shown below shows the LDAP bind, StartTLS handshake and subsequent TLS-encrypted LDAP traffic.
++
+There are two main differences between LDAPS and StartTLS:
+
+* StartTLS is part of the LDAP standard; LDAPS isn't. As a result, LDAP library support on the LDAP servers or clients can vary, and functionality might or might not work in all cases.
+* If encryption fails, StartTLS allows the configuration to fall back to regular LDAP. LDAPS does not. As a result, StartTLS offers some flexibility and resiliency, but it also presents security risks if it's misconfigured.
+
+#### Security considerations with LDAP over StartTLS
+
+StartTLS enables administrators to fall back to regular LDAP traffic if they want. For security purposes, most LDAP administrators don't allow it. The following recommendations for StartTLS can help secure LDAP communication:
+
+* Ensure that StartTLS is enabled and that certificates are configured.
+* For internal environments, you can use self-signed certificates, but for external LDAP, use a certificate authority. For more information about certificates, see the [Difference Between Self Signed SSL & Certificate Authority](https://social.technet.microsoft.com/wiki/contents/articles/15189.difference-between-self-signed-ssl-certificate-authority.aspx).
+* Prevent LDAP queries and binds that do not use StartTLS. By default, Active Directory disables anonymous binds.
+
+## Active Directory security connection
+
+Active Directory connections with Azure NetApp Files volumes can be configured to try the strongest available Kerberos encryption type first: AES-256. When AES encryption is enabled, domain controller communications (such as scheduled SMB server password resets) use the highest available encryption type supported on the domain controllers. Azure NetApp Files supports the following encryption types for domain controller communications, in order of attempted authentication: AES-256, AES-128, RC4-HMAC, DES
+
+>[!NOTE]
+>It's not possible to disable weaker authentication types in Azure NetApp Files (such as RC4-HMAC and DES). Instead, if desired, these should be disabled from the domain controller so that authentication requests do not attempt to use them. If RC4-HMAC is disabled on the domain controllers, then AES encryption must be enabled in Azure NetApp Files for proper functionality.
+
+## Next steps
+* [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md)
+* [Configure customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md)
+* [Understand data protection and disaster recovery options in Azure NetApp Files](data-protection-disaster-recovery-options.md)
+* [Create and manage Active Directory connections](create-active-directory-connections.md)
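Review bot: the RFC 4511 link in the "LDAP over StartTLS" section points at the RFC 2830 text (`[RFC 4511](https://www.ietf.org/rfc/rfc2830.txt)`); it should link to the RFC 4511 document. Two statements in this hunk contradict the article itself: the "LDAP encryption" intro says LDAP traffic "can leverage over-the-wire encryption leveraging AES and TLS 1.2 via LDAP signing and LDAP over TLS, respectively", while the "LDAP signing" section correctly states that signing "only checks the integrity of an LDAP packet; it does not encrypt the payload", so signing should be described as integrity protection rather than encryption; and the "Active Directory security connection" list of encryption types ends without a period. Several sentences refer to a picture ("In the following image", "as shown in the trace image", "The packet capture shown below"), but at those positions the hunk contains only blank added lines, so confirm the image includes made it into the commit. Minor wording: "a trace show that" should read "a trace shows that", "AES-128 perform better" should read "performs", `krb5i` is left unformatted once in the performance sentence, and the dashes and the space after "see" render as mojibake (ΓÇô, ΓÇ»), which is worth checking in the source encoding.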
azure-netapp-files Understand File Locks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-file-locks.md
description: Understand the concept of file locking and the different types of N
- Last updated 06/12/2023
Manually locking files allows you to test file open and edit interactions and te
* [SMB FAQs for Azure NetApp Files](faq-smb.md) * [Troubleshoot file locks on an Azure NetApp Files volume](troubleshoot-file-locks.md) * [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)-
azure-netapp-files Understand Guidelines Active Directory Domain Service Site https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md
description: Proper Active Directory Domain Services (AD DS) design and planning
- Last updated 02/21/2023
azure-netapp-files Use Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/use-availability-zones.md
description: Azure availability zones are highly available, fault tolerant, and
- Last updated 11/17/2022
azure-netapp-files Use Dfs N And Dfs Root Consolidation With Azure Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/use-dfs-n-and-dfs-root-consolidation-with-azure-netapp-files.md
description: Learn how to configure DFS-N and DFS Root Consolidation with Azure
- Last updated 06/30/2022
azure-netapp-files Volume Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/volume-delete.md
Title: Delete an Azure NetApp Files volume | Microsoft Docs
-description: Describes how to delete an Azure NetApp Files volume.
+description: Describes how to delete an Azure NetApp Files volume.
- Last updated 06/22/2023
azure-netapp-files Volume Hard Quota Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/volume-hard-quota-guidelines.md
Title: What changing to volume hard quota means for your Azure NetApp Files service | Microsoft Docs
-description: Describes the change to using volume hard quota, how to plan for the change, and how to monitor and manage capacities.
+description: Describes the change to using volume hard quota, how to plan for the change, and how to monitor and manage capacities.
- Last updated 09/30/2022
azure-netapp-files Volume Quota Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/volume-quota-introduction.md
Title: Understand volume quota for Azure NetApp Files | Microsoft Docs
-description: Provides an overview about volume quota. Also provides references about monitoring and managing volume and pool capacity.
+description: Provides an overview about volume quota. Also provides references about monitoring and managing volume and pool capacity.
- Last updated 04/30/2021
This article provides an overview about volume quota for Azure NetApp Files. It
* [Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md) * [Monitor the capacity of a volume](monitor-volume-capacity.md) * [Resize the capacity pool or a volume](azure-netapp-files-resize-capacity-pools-or-volumes.md)
-* [Capacity management FAQs](faq-capacity-management.md)
+* [Capacity management FAQs](faq-capacity-management.md)
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md
description: Provides a summary about the latest new features and enhancements o
- Last updated 11/27/2023
azure-resource-manager Resource Name Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/resource-name-rules.md
In the following tables, the term alphanumeric refers to:
> | | | | | > | factories | global | 3-63 | Alphanumerics and hyphens.<br><br>Start and end with alphanumeric. | > | factories / dataflows | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. |
-> | factories / datasets | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. |
+> | factories / datasets | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/-` or control characters<br><br>Start with alphanumeric. |
> | factories / integrationRuntimes | factory | 3-63 | Alphanumerics and hyphens.<br><br>Start and end with alphanumeric. | > | factories / linkedservices | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. | > | factories / pipelines | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. |
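Review bot: the datasets row now adds `-` to the disallowed character set (`<>*#.%&:\\+?/-`), while the sibling rows for dataflows, linkedservices and pipelines keep the previous set without the hyphen. If hyphens are rejected only for dataset names, that asymmetry deserves a short remark in the row so readers don't assume a copy error; if the restriction applies to all factory child resources, the other rows need the same change.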
backup Backup Azure Database Postgresql Flex Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-database-postgresql-flex-support-matrix.md
You can use [Azure Backup](./backup-overview.md) to protect Azure Database for P
## Supported regions
-Azure Database for PostgreSQL server backup (preview) currently supports East US, Central India, and West Europe regions.
+Azure Database for PostgreSQL server backup (preview) is now available in all public regions.
## Support scenarios
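Review bot: "is now available in all public regions" dates the sentence; reference documentation reads better as "is available in all public regions". Also check whether the "(preview)" qualifier kept on the new line is still accurate once the feature is offered in every public region.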
backup Backup Azure Security Feature Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-security-feature-cloud.md
Title: Soft delete for Azure Backup description: Learn how to use security features in Azure Backup to make backups more secure. Previously updated : 01/04/2024 Last updated : 02/08/2024
Follow these steps:
1. Identify the items that are in soft-deleted state. ```powershell-
- Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $myVaultID | Where-Object {$_.DeleteState -eq "ToBeDeleted"}
+ $vault = Get-AzRecoveryServicesVault -ResourceGroupName "yourResourceGroupName" -Name "yourVaultName"
+ Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultID $vault.ID | Where-Object {$_.DeleteState -eq "ToBeDeleted"}
Name ContainerType ContainerUniqueName WorkloadType ProtectionStatus HealthStatus DeleteState - - - - --
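Review bot: the new lines hardcode the placeholder strings `"yourResourceGroupName"` and `"yourVaultName"` without saying they must be substituted; a short lead-in or angle-bracket placeholders would make that explicit. The parameter is spelled `-VaultID` on the added line while the removed line used `-VaultId`; PowerShell parameter names are case-insensitive, so both work, but matching the cmdlet's documented spelling keeps the examples consistent. Resolving the vault with `Get-AzRecoveryServicesVault` instead of the previously undefined `$myVaultID` variable is the right fix.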
backup Backup Vault Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-vault-overview.md
Title: Overview of the Backup vaults description: An overview of Backup vaults. Previously updated : 02/01/2024 Last updated : 02/08/2024
This section discusses the options available for encrypting your backup data sto
### Encryption of backup data using platform-managed keys
-By default, all your data is encrypted using platform-managed keys. You don't need to take any explicit action from your end to enable this encryption. It applies to all workloads being backed up to your Backup vault.
+Azure Backup provides you two options (**Microsoft managed keys** and **Customer Managed keys**) to manage the backup data encryption for your Backup vault. By default, all your data is encrypted using Microsoft managed keys. Azure Backup uses the Backup Management Service app to access Azure Key Vault, but not the managed identity of the Backup vault.
+
+You can fetch your own keys to encrypt the backup data by using the **Customer Managed Keys** option under **Encryption settings** on the *Backup vault*.
## Cross Region Restore support for PostgreSQL using Azure Backup
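Review bot: the section heading still reads "Encryption of backup data using platform-managed keys", but the added paragraph calls the default "Microsoft managed keys" and introduces both options; pick one term and use it throughout, and the capitalization of "Customer Managed keys" versus "Customer Managed Keys" differs between the two added sentences. Grammar: "provides you two options" should read "provides two options", and "fetch your own keys" should read "bring your own keys". The statement that Azure Backup accesses Azure Key Vault through the Backup Management Service app rather than the vault's managed identity is the security-relevant detail here, since it determines which principal must be granted access in Key Vault; it would help to say what the reader must grant to that app, or to point to the customer-managed keys configuration steps.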
cdn Cdn Billing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-billing.md
- Last updated 02/27/2023 - # Understanding Azure CDN billing
cdn Cdn Create Endpoint How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-create-endpoint-how-to.md
- Last updated 02/27/2023
cdn Cdn Http Debug Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-http-debug-headers.md
- Last updated 04/12/2018 - # X-EC-Debug HTTP headers for Azure CDN rules engine The debug cache request header, `X-EC-Debug`, provides additional information about the cache policy that is applied to the requested asset. These headers are specific to **Azure CDN Premium from Edgio** products.
cdn Cdn Manage Expiration Of Blob Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-manage-expiration-of-blob-content.md
Title: Manage expiration of Azure Blob storage description: Learn about the options for controlling time-to-live for blobs in Azure CDN caching.-+ ms.assetid: ad4801e9-d09a-49bf-b35c-efdc4e6034e8 - ms.devlang: csharp Last updated 02/27/2023
cdn Cdn Manage Expiration Of Cloud Service Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-manage-expiration-of-cloud-service-content.md
ms.assetid: bef53fcc-bb13-4002-9324-9edee9da8288 - ms.devlang: csharp Last updated 02/27/2023 - # Manage expiration of web content in Azure CDN > [!div class="op_single_selector"]
cdn Cdn Msft Http Debug Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-msft-http-debug-headers.md
- Last updated 02/27/2023 - # Debug HTTP header for Azure CDN from Microsoft
cdn Cdn Pop Abbreviations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-pop-abbreviations.md
- Last updated 02/27/2023 - # Azure CDN POP locations by abbreviation
cdn Cdn Pop Locations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-pop-locations.md
ms.assetid: 669ef140-a6dd-4b62-9b9d-3f375a14215e - Last updated 05/30/2023 - # Azure CDN Coverage by Metro > [!div class="op_single_selector"]
cdn Cdn Resource Health https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-resource-health.md
ms.assetid: bf23bd89-35b2-4aca-ac7f-68ee02953f31 - Last updated 02/27/2023 - # Monitor the health of Azure CDN resources
We're sorry, we're experiencing issues with some of our CDN providers | Check ba
- [Read an overview of Azure resource health](../service-health/resource-health-overview.md) - [Troubleshoot issues with CDN compression](./cdn-troubleshoot-compression.md)-- [Troubleshoot issues with 404 errors](./cdn-troubleshoot-endpoint.md)
+- [Troubleshoot issues with 404 errors](./cdn-troubleshoot-endpoint.md)
cdn Cdn Token Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-token-auth.md
ms.assetid: 837018e3-03e6-4f9c-a23e-4b63d5707a64 - Last updated 02/27/2023
cdn Cdn Verizon Http Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-verizon-http-headers.md
- Last updated 02/27/2023 - # Edgio-specific HTTP headers for Azure CDN rules engine
cloud-services Mitigate Se https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/mitigate-se.md
tags: azure-resource-manager keywords: spectre,meltdown,specter - vm-windows Last updated 02/21/2023
confidential-computing Attestation Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/attestation-solutions.md
description: Learn what attestation is and how to use it at Microsoft
- Last updated 05/02/2023
confidential-computing Attestation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/attestation.md
- Last updated 12/20/2021
confidential-computing Concept Skr Attestation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/concept-skr-attestation.md
description: Concept guide on what SKR is and its usage with Azure Confidential
- Last updated 8/22/2023
confidential-computing Confidential Ai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-ai.md
- Last updated 05/17/2023
Use a partner that has built Confidential AI solutions on top of the Azure confi
- [Mithril Security](https://www.mithrilsecurity.io/) provides tooling to help SaaS vendors serve AI models inside secure enclaves, and providing an on-premises level of security and control to data owners. Data owners can use their SaaS AI solutions while remaining compliant and in control of their data. -- [Opaque](https://opaque.co/) provides a confidential computing platform for collaborative analytics and AI, giving the ability to perform analytics while protecting data end-to-end and enabling organizations to comply with legal and regulatory mandates.
+- [Opaque](https://opaque.co/) provides a confidential computing platform for collaborative analytics and AI, giving the ability to perform analytics while protecting data end-to-end and enabling organizations to comply with legal and regulatory mandates.
confidential-computing Confidential Computing Deployment Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-computing-deployment-models.md
description: Choose Between Deployment Models
- Last updated 11/04/2021
confidential-computing Confidential Computing Enclaves https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-computing-enclaves.md
description: Learn about Intel SGX hardware to enable your confidential computin
- Last updated 11/01/2021
confidential-computing Confidential Computing Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-computing-solutions.md
description: Learn how to build solutions on Azure confidential computing
- Last updated 11/01/2021
confidential-computing Confidential Nodes Aks Addon https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-nodes-aks-addon.md
description: How to use the Intel SGX device plugin and Intel SGX quote helper d
- Last updated 11/01/2021
confidential-computing Create Confidential Vm From Compute Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/create-confidential-vm-from-compute-gallery.md
- Last updated 07/14/2022
confidential-computing Enclave Development Oss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/enclave-development-oss.md
description: Learn how to use tools to develop Intel SGX applications for Azure
- Last updated 11/01/2021
confidential-computing Harden A Linux Image To Remove Azure Guest Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/harden-a-linux-image-to-remove-azure-guest-agent.md
m - Last updated 8/03/2023
confidential-computing Harden The Linux Image To Remove Sudo Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/harden-the-linux-image-to-remove-sudo-users.md
m - Last updated 7/21/2023
confidential-computing How To Create Custom Image Confidential Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-create-custom-image-confidential-vm.md
m - Last updated 6/09/2023
confidential-computing How To Fortanix Confidential Computing Manager Node Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-fortanix-confidential-computing-manager-node-agent.md
- Last updated 03/24/2021
confidential-computing How To Fortanix Confidential Computing Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-fortanix-confidential-computing-manager.md
description: Learn how to deploy Fortanix Confidential Computing Manager (CCM) i
- Last updated 02/03/2021
confidential-computing How To Leverage Virtual Tpms In Azure Confidential Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-leverage-virtual-tpms-in-azure-confidential-vms.md
m - Last updated 08/02/2023
confidential-computing Multi Party Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/multi-party-data.md
-- Last updated 04/20/2023 - # Cleanroom and Multi-party Data Analytics
confidential-computing Overview Azure Products https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/overview-azure-products.md
description: Learn about all the confidential computing services that Azure prov
- Last updated 06/09/2023
confidential-computing Anjuna https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/anjuna.md
- Last updated 03/29/2023
confidential-computing Beekeeperai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/beekeeperai.md
- Last updated 03/29/2023
confidential-computing Decentriq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/decentriq.md
- Last updated 03/29/2023
confidential-computing Edgeless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/edgeless.md
- Last updated 03/29/2023
You can learn more and get started with these [Azure Marketplace solutions, here
- Learn more about [Edgeless Systems](https://www.edgeless.systems/). - Check out the [Azure confidential computing webinar series](https://vshow.on24.com/vshow/Azure_Confidential/exhibits/Home) for more such partners.-
confidential-computing Enclaive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/enclaive.md
- Last updated 03/29/2023
confidential-computing Fortanix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/fortanix.md
- Last updated 03/29/2023
You can learn more and get started with these [Azure Marketplace solutions, here
- Learn more about [Fortanix](https://www.fortanix.com/). - Check out the [Azure confidential computing webinar series](https://vshow.on24.com/vshow/Azure_Confidential/exhibits/Home) for more such partners.-
confidential-computing Habu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/habu.md
- Last updated 03/29/2023
confidential-computing Mithril https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/mithril.md
- Last updated 03/29/2023
confidential-computing Opaque https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/opaque.md
- Last updated 03/29/2023
confidential-computing Partner Pages Index https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/partner-pages-index.md
description: Learn about how Azure confidential computing partners build on the
- Last updated 03/29/2023
Azure confidential computing enables an ecosystem of partners that build on our
- [Opaque Systems](../partner-pages/opaque.md) is a confidential computing and data clean room platform that enables secure data sharing, multi-party analytics and machine learning on encrypted data. -- [Scone](../partner-pages/scone.md) confidential computing platform facilitates always encrypted execution: one can run services and applications such that neither the data nor the code is ever accessible as plain text - not even for root users.
+- [Scone](../partner-pages/scone.md) confidential computing platform facilitates always encrypted execution: one can run services and applications such that neither the data nor the code is ever accessible as plain text - not even for root users.
confidential-computing Scone https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/scone.md
- Last updated 03/29/2023
This is the easiest way to get started with SCONE, now available on [Azure Mark
- Learn more about [Scontain](https://scontain.com/). - Check out the [Azure confidential computing webinar series](https://vshow.on24.com/vshow/Azure_Confidential/exhibits/Home) for more such partners.-
confidential-computing Quick Create Confidential Vm Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-arm.md
description: Learn how to quickly create and deploy an Azure confidential virtua
- Last updated 12/01/2023
confidential-computing Quick Create Confidential Vm Azure Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-azure-cli.md
m - Last updated 12/01/2023
confidential-computing Quick Create Confidential Vm Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-portal.md
description: Learn how to quickly create a confidential virtual machine (confide
- Last updated 12/01/2023
confidential-computing Quick Create Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-marketplace.md
description: Get started with your deployments by learning how to quickly create
- Last updated 11/01/2021
confidential-computing Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-portal.md
description: Get started with your deployments by learning how to quickly create
- Last updated 11/1/2021
confidential-computing Skr Flow Confidential Containers Azure Container Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-flow-confidential-containers-azure-container-instance.md
description: Learn how to build an application that securely gets the key from A
- Last updated 3/9/2023
confidential-computing Skr Flow Confidential Vm Sev Snp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-flow-confidential-vm-sev-snp.md
description: Learn how to build an application that securely gets the key from A
- Last updated 2/2/2023
confidential-computing Skr Policy Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-policy-examples.md
description: Examples of AKV SKR policies across offered Azure Confidential Comp
- Last updated 3/5/2023
Follow the policy [grammar](../key-vault/keys/policy-grammar.md) for more exampl
[Microsoft Azure Attestation (MAA)](../attestation/overview.md)
-[Secure Key Release Concept and Basic Steps](concept-skr-attestation.md)
+[Secure Key Release Concept and Basic Steps](concept-skr-attestation.md)
confidential-computing Virtual Machine Solutions Sgx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-solutions-sgx.md
description: Learn about using Intel SGX virtual machines (VMs) in Azure confide
- Last updated 9/12/2023
confidential-computing Virtual Machine Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-solutions.md
- Last updated 11/15/2023
confidential-computing Vmss Deployment From Hardened Linux Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/vmss-deployment-from-hardened-linux-image.md
m - Last updated 9/12/2023
connectors Connectors Azure Monitor Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-azure-monitor-logs.md
ms.suite: integration Previously updated : 01/10/2024 Last updated : 02/08/2024 tags: connectors # Customer intent: As a developer, I want to get log data from my Log Analytics workspace or telemetry from my Application Insights resource to use with my workflow in Azure Logic Apps.
This how-to guide describes how to build a [Consumption logic app workflow](../l
For technical information about this connector's operations, see the [connector's reference documentation](/connectors/azuremonitorlogs/).
-> [!NOTE]
->
-> Both of the following actions can run a log query against a Log Analytics workspace or
-> Application Insights resource. The difference exists in the way that data is returned.
->
-> | Action | Description |
-> |--|-|
-> | [Run query and list results](/connectors/azuremonitorlogs/#run-query-and-list-results) | Returns each row as its own object. Use this action when you want to work with each row separately in the rest of the workflow. The action is typically followed by a [For each action](../logic-apps/logic-apps-control-flow-loops.md). |
-> | [Run query and visualize results](/connectors/azuremonitorlogs/#run-query-and-visualize-results) | Returns a JPG file that depicts the query result set. This action lets you use the result set in the rest of the workflow by sending the results in an email, for example. The action only returns a JPG file if the query returns results. |
+Both of the following actions can run a log query against a Log Analytics workspace or Application Insights resource. The difference exists in the way that data is returned.
+
+| Action | Description |
+|--|-|
+| [Run query and list results](/connectors/azuremonitorlogs/#run-query-and-list-results) | Returns each row as its own object. Use this action when you want to work with each row separately in the rest of the workflow. The action is typically followed by a [For each action](../logic-apps/logic-apps-control-flow-loops.md). |
+| [Run query and visualize results](/connectors/azuremonitorlogs/#run-query-and-visualize-results) | Returns a JPG file that depicts the query result set. This action lets you use the result set in the rest of the workflow by sending the results in an email, for example. The action only returns a JPG file if the query returns results. |
## Limitations
For technical information about this connector's operations, see the [connector'
- The [Consumption logic app workflow](../logic-apps/logic-apps-overview.md#resource-environment-differences) from where you want to access your Log Analytics workspace or Application Insights resource. To use an Azure Monitor Logs action, start your workflow with any trigger. This guide uses the [**Recurrence** trigger](connectors-native-recurrence.md).
- > [!NOTE]
- >
- > Although you can turn on the Log Analytics setting in a logic app resource to collect information about runtime data
- > and events as described in the how-to guide [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md), this setting isn't required
- > for you to use the Azure Monitor Logs connector.
- - An Office 365 Outlook account to complete the example in this guide. Otherwise, you can use any email provider that has an available connector in Azure Logic Apps. ## Add an Azure Monitor Logs action
-1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.
-
-1. In your workflow where you want to add the Azure Monitor Logs action, follow one of these steps:
-
- - To add an action under the last step, select **New step**.
-
- - To add an action between steps, move your pointer use over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.
-
- For more information about adding an action, see [Build a workflow by adding a trigger or action](../logic-apps/create-workflow-with-trigger-or-action.md).
+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app and workflow in the designer.
-1. Under the **Choose an operation** search box, select **Standard**. In the search box, enter **Azure Monitor Logs**.
-
-1. From the actions list, select the action that you want.
+1. In your workflow where you want to add the Azure Monitor Logs action, follow these general steps to add an Azure Monitor Logs action](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).
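Review bot: the link in the rewritten second step is missing its opening bracket, so "follow these general steps to add an Azure Monitor Logs action](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action)" renders as literal text followed by a parenthesized path; write it as "[follow these general steps to add an Azure Monitor Logs action](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action)". The removed note that the Log Analytics diagnostics setting on the logic app isn't required for using the connector is not replaced anywhere in the hunk; consider keeping it, since readers commonly conflate the two.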
This example continues with the action named **Run query and visualize results**.
For technical information about this connector's operations, see the [connector'
1. In the **Query** box, enter the following Kusto query to retrieve the specified log data from the following sources:
+ > [!NOTE]
+ >
+ > When you create your own queries, make sure they work correctly in Log Analytics before you add them to your Azure Monitor Logs action.
+ * Log Analytics workspace The following example query selects errors that occurred within the last day, reports their total number, and sorts them in ascending order.
For technical information about this connector's operations, see the [connector'
| evaluate autocluster() ```
- > [!NOTE]
- >
- > When you create your own queries, make sure they work correctly in Log Analytics before you add them to your Azure Monitor Logs action.
- 1. For **Time Range**, select **Set in query**.
+ The following table describes the options for **Time Range**:
+
+ | Time Range | Description |
+ ||-|
+ | **Exact** | Dynamically provide the start time and end time. |
+ | **Relative** | Set the relative value such as the last hour, last 12 hours, and so on. |
+ | **Set in query** | Applies when the **TimeGenerated** filter is included in query. |
+ 1. For **Chart Type**, select **Html Table**. 1. Save your workflow. On the designer toolbar, select **Save**.
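Review bot: the header separator of the new Time Range table, "||-|", has an empty first cell and will not render as a table in Markdown; use "|--|--|", matching the Action table earlier in the same file. Moving the "make sure they work correctly in Log Analytics" note above the query is fine, but the **Set in query** row should spell out that the filter must be on the TimeGenerated column in the query text, because the example query in the same step only works with that option when it carries its own time filter.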
container-apps Firewall Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/firewall-integration.md
The following tables describe how to configure a collection of NSG allow rules.
| Protocol | Source | Source ports | Destination | Destination ports | Description | |--|--|--|--|--|--|
-| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `80`, `31080` | Allow your Client IPs to access Azure Container Apps when using HTTP. |
-| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `443`, `31443` | Allow your Client IPs to access Azure Container Apps when using HTTPS. |
+| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `80`, `31080` | Allow your Client IPs to access Azure Container Apps when using HTTP. `31080` is the port on which the Container Apps Environment Edge Proxy responds to the HTTP traffic. It is behind the internal load balancer. |
+| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `443`, `31443` | Allow your Client IPs to access Azure Container Apps when using HTTPS. `31443` is the port on which the Container Apps Environment Edge Proxy responds to the HTTPS traffic. It is behind the internal load balancer. |
| TCP | AzureLoadBalancer | \* | Your container app's subnet | `30000-32676`<sup>2</sup> | Allow Azure Load Balancer to probe backend pools. | # [Consumption only environment](#tab/consumption-only)
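Review bot: the added explanation "It is behind the internal load balancer" reads as if clients never reach 31080/31443 directly, which makes it unclear why the client-IP rule needs those ports at all; if the internal load balancer forwards 80/443 to the edge proxy on 31080/31443 inside the subnet and the NSG is evaluated on that forwarded traffic, say so, since that is the reason a reader would otherwise drop the extra ports and break ingress. The two new sentences are near-duplicates of each other; a single numbered footnote under the table (the rows already use footnote 1 and 2) would avoid repeating them per row. Use "client IPs" consistently rather than "Client IPs".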
container-registry Container Registry Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-private-link.md
az acr update --name $REGISTRY_NAME --public-network-enabled false
## Execute the `az acr build` with private endpoint and private registry
-Consider the following options to execute the `az acr build` successfully.
> [!NOTE] > Once you disable public network [access here](#disable-public-access), then `az acr build` commands will no longer work.
+> Unless you are utilizing dedicated agent pools, it's typically require the public IP's. Tasks reserve a set of public IPs in each region for outbound requests. If needed, we have the option to add these IPs to our firewall's allowed list for seamless communication.`az acr build` command uses the same set of IPs as the tasks.
+
+Consider the following options to execute the `az acr build` successfully.
-1. Assign a [dedicated agent pool.](./tasks-agent-pools.md)
-2. If agent pool is not available in the region, add the regional [Azure Container Registry Service Tag IPv4](../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) to the [firewall access rules.](./container-registry-firewall-access-rules.md#allow-access-by-ip-address-range)
-3. Create an ACR task with a managed identity, and enable trusted services to [access network restricted ACR.](./allow-access-trusted-services.md#example-acr-tasks)
+* Assign a [dedicated agent pool.](./tasks-agent-pools.md)
+* If agent pool is not available in the region, add the regional [Azure Container Registry Service Tag IPv4](../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) to the [firewall access rules.](./container-registry-firewall-access-rules.md#allow-access-by-ip-address-range). Tasks reserve a set of public IPs in each region (a.k.a. AzureContainerRegistry Service Tag) for outbound requests. You can choose to add the IPs in the firewall allowed list.
+* Create an ACR task with a managed identity, and enable trusted services to [access network restricted ACR.](./allow-access-trusted-services.md#example-acr-tasks)
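Review bot: the new sentence in the note, "it's typically require the public IP's", is ungrammatical and "IP's" should be "IPs"; suggested wording: "Unless you use a dedicated agent pool, tasks typically require public IPs." There is also a missing space and sentence break before "`az acr build` command uses the same set of IPs as the tasks." The second bullet now repeats the note almost verbatim ("Tasks reserve a set of public IPs in each region ... for outbound requests") and ends with a doubled period ("rules.](...)."); keep the explanation in one place and name the service tag once, without "a.k.a.".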
## Disable access to a container registry using a service endpoint
cosmos-db Access System Properties https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/gremlin/access-system-properties.md
Title: Access system document properties vian Azure Cosmos DB Graph
-description: Learn how read and write Azure Cosmos DB system document properties via API for Gremlin
+ Title: Access system document properties
+
+description: Learn how to read and write system document properties using Azure Cosmos DB for Apache Gremlin.
+++ Previously updated : 09/16/2021-- Last updated : 02/08/2024
-# System document properties
+# Access system document properties using Azure Cosmos DB for Apache Gremlin
+ [!INCLUDE[Gremlin](../includes/appliesto-gremlin.md)]
-Azure Cosmos DB has [system properties](/rest/api/cosmos-db/databases) such as ```_ts```, ```_self```, ```_attachments```, ```_rid```, and ```_etag``` on every document. Additionally, Gremlin engine adds ```inVPartition``` and ```outVPartition``` properties on edges. By default, these properties are available for traversal. However, it's possible to include specific properties, or all of them, in Gremlin traversal.
+Azure Cosmos DB for Gremlin has [system properties](/rest/api/cosmos-db/databases) such as `_ts`, `_self`, `_attachments`, `_rid`, and `_etag` on every item. Additionally, Gremlin engine adds `inVPartition` and `outVPartition` properties on edges. By default, these properties are available for traversal. However, it's possible to include specific properties, or all of them, in Gremlin traversal.
-```console
+```gremlin
g.withStrategies(ProjectionStrategy.build().IncludeSystemProperties('_ts').create()) ``` ## E-Tag
-This property is used for optimistic concurrency control. If application needs to break operation into a few separate traversals, it can use eTag property to avoid data loss in concurrent writes.
+This property is used for optimistic concurrency control. If an application needs to break an operation into separate traversals, use the eTag property to avoid data loss in concurrent writes.
-```console
+```gremlin
g.withStrategies(ProjectionStrategy.build().IncludeSystemProperties('_etag').create()).V('1').has('_etag', '"00000100-0000-0800-0000-5d03edac0000"').property('test', '1') ``` ## Time-to-live (TTL)
-If collection has document expiration enabled and documents have `ttl` property set on them, then this property will be available in Gremlin traversal as a regular vertex or edge property. `ProjectionStrategy` isn't necessary to enable time-to-live property exposure.
+If a graph has document expiration enabled and documents have `ttl` property set on them, then this property is available in Gremlin traversal as a regular vertex or edge property. `ProjectionStrategy` isn't necessary to enable time-to-live property exposure.
+
+- Use the following command to set time-to-live on a new vertex:
-* Use the following command to set time-to-live on a new vertex:
+ ```gremlin
+ g.addV(<ID>).property('ttl', <expirationTime>)
+ ```
- ```console
- g.addV(<ID>).property('ttl', <expirationTime>)
- ```
+ For example, a vertex created with the following traversal is automatically deleted after *123 seconds*:
- For example, a vertex created with the following traversal is automatically deleted after *123 seconds*:
+ ```gremlin
+ g.addV('vertex-one').property('ttl', 123)
+ ```
- ```console
- g.addV('vertex-one').property('ttl', 123)
- ```
+- Use the following command to set time-to-live on an existing vertex:
-* Use the following command to set time-to-live on an existing vertex:
+ ```gremlin
+ g.V().hasId(<ID>).has('pk', <pk>).property('ttl', <expirationTime>)
+ ```
- ```console
- g.V().hasId(<ID>).has('pk', <pk>).property('ttl', <expirationTime>)
- ```
+- Applying the time-to-live property on vertices doesn't automatically apply it to associated edges. This behavior occurs because edges are independent records in the database store. Use the following command to set time-to-live on vertices and all the incoming and outgoing edges of the vertex:
-* Applying time-to-live property on vertices does not automatically apply it to edges. Because edges are independent records in the database store. Use the following command to set time-to-live on vertices and all the incoming and outgoing edges of the vertex:
+ ```gremlin
+ g.V().hasId(<ID>).has('pk', <pk>).as('v').bothE().hasNot('ttl').property('ttl', <expirationTime>)
+ ```
- ```console
- g.V().hasId(<ID>).has('pk', <pk>).as('v').bothE().hasNot('ttl').property('ttl', <expirationTime>)
- ```
+> [!NOTE]
+> You can set time to Live (TTL) on the container to `-1` or to **On (no default)** from the Azure portal. Then, the TTL is infinite for any item unless the item has a TTL value explicitly set.
-You can set TTL on the container to -1 or set it to **On (no default)** from Azure portal, then the TTL is infinite for any item unless the item has TTL value explicitly set.
+## Next step
-## Next steps
-* [Azure Cosmos DB Optimistic Concurrency](../faq.yml#how-does-the-api-for-nosql-provide-concurrency-)
-* [Time to Live (TTL)](../time-to-live.md) in Azure Cosmos DB
+> [!div class="nextstepaction"]
+> [Time to Live (TTL) in Azure Cosmos DB](../time-to-live.md)
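Review bot: the removed "Next steps" link to Azure Cosmos DB optimistic concurrency is not replaced, yet the E-Tag section in this same file still tells readers to use the `_etag` property for optimistic concurrency control; keep that link (or move it into the E-Tag section), because the `has('_etag', ...)` guard only prevents lost updates when readers understand the concurrency model behind it. Capitalize "time to Live (TTL)" in the new note as "Time to Live (TTL)" to match the next-step link. The line "+++ Previously updated : 09/16/2021-- Last updated : 02/08/2024" looks like merged frontmatter and should be two separate metadata lines.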
cosmos-db High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/high-availability.md
Service-managed failover allows Azure Cosmos DB to fail over the write region of
> [!IMPORTANT] > If you have chosen single-region write configuration with multiple read regions, we strongly recommend that you configure the Azure Cosmos DB accounts used for production workloads to *enable service-managed failover*. This configuration enables Azure Cosmos DB to fail over the account databases to available regions. > In the absence of this configuration, the account will experience loss of write availability for the whole duration of the write region outage. Manual failover won't succeed because of a lack of region connectivity.
->
+
+> [!WARNING]
+> Even with service-managed failover enabled, partial outage may require manual intervention for the Azure Cosmos DB service team. In these scenarios, it may take up to 1 hour (or more) for failover to take effect. For better write availability during partial outages, we recommend enabling availability zones in addition to service-managed failover.
+ ### Multiple write regions
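Review bot: "manual intervention for the Azure Cosmos DB service team" should be "by the Azure Cosmos DB service team"; as written it suggests the customer intervenes on the team's behalf. "partial outage may require" also needs an article ("a partial outage may require"). The warning is a useful caveat to the preceding "strongly recommend" note, since it sets the expectation that service-managed failover is not an instantaneous guarantee of write availability.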
The following table summarizes the high-availability capabilities of various acc
* Review the expected [behavior of the Azure Cosmos DB SDKs](troubleshoot-sdk-availability.md) during events and which configurations affect it.
-* To ensure high write and read availability, configure your Azure Cosmos DB account to span at least two regions (or three, if you're using strong consistency). Remember that the best configuration to achieve high availability for a region outage is a single write region with service-managed failover. To learn more, see [Tutorial: Set up Azure Cosmos DB global distribution using the API for NoSQL](nosql/tutorial-global-distribution.md).
+* To ensure high write and read availability, configure your Azure Cosmos DB account to span at least two regions (or three, if you're using strong consistency). To learn more, see [Tutorial: Set up Azure Cosmos DB global distribution using the API for NoSQL](nosql/tutorial-global-distribution.md).
* For multiple-region Azure Cosmos DB accounts that are configured with a single write region, [enable service-managed failover by using the Azure CLI or the Azure portal](how-to-manage-database-account.md#automatic-failover). After you enable service-managed failover, whenever there's a regional disaster, Azure Cosmos DB will fail over your account without any user input.
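Review bot: the sentence "Remember that the best configuration to achieve high availability for a region outage is a single write region with service-managed failover" is removed without replacement, while the next bullet still recommends enabling service-managed failover for single-write-region accounts; if the sentence was dropped because the new warning earlier in this file qualifies that recommendation (partial outages may still need manual intervention, so availability zones are also recommended), say so in the bullet, otherwise keep the original guidance so readers are not left with two regions and no stated failover preference.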
cosmos-db Concepts Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/concepts-authentication.md
Previously updated : 11/07/2023 Last updated : 02/06/2024 # Microsoft Entra ID and PostgreSQL authentication with Azure Cosmos DB for PostgreSQL [!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)]
-> [!IMPORTANT]
-> Microsoft Entra ID (formerly Azure Active Directory) authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
-> This preview version is provided without a service level agreement, and it's not recommended
-> for production workloads. Certain features might not be supported or might have constrained
-> capabilities.
->
-> You can see a complete list of other new features in [preview features](product-updates.md#features-in-preview).
- Azure Cosmos DB for PostgreSQL supports PostgreSQL authentication and integration with Microsoft Entra ID. Each Azure Cosmos DB for PostgreSQL cluster is created with native PostgreSQL authentication enabled and one built-in PostgreSQL role named `citus`. You can add more native PostgreSQL roles after cluster provisioning is completed. You can also enable Microsoft Entra ID (formerly Azure Active Directory) authentication on a cluster in addition to the PostgreSQL authentication method or instead of it. You can configure authentication methods on each Azure Cosmos DB for PostgreSQL cluster independently. If you need to change authentication method, you can do it at any time after cluster provisioning is completed. Changing authentication methods doesn't require cluster restart.
Notably, the `citus` role has some restrictions:
`citus` role can't be deleted but would be disabled if 'Microsoft Entra ID authentication only' authentication method is selected on cluster. <a name='azure-active-directory-authentication-preview'></a>
+<a name='microsoft-entra-id-authentication-preview'></a>
-## Microsoft Entra ID authentication (preview)
+## Microsoft Entra ID authentication
[Microsoft Entra ID](/entra/fundamentals/whatis) (formerly Azure Active Directory) authentication is a mechanism of connecting to Azure Cosmos DB for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra ID authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
Benefits of using Microsoft Entra ID include:
### Manage PostgreSQL access for Microsoft Entra ID principals
-When Microsoft Entra ID authentication is enabled and Microsoft Entra ID principal is added as a Microsoft Entra ID administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Microsoft Entra ID administrator sign-in can be a Microsoft Entra ID user, Service Principal or Managed Identity. Multiple Microsoft Entra ID administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs.
+When Microsoft Entra ID authentication is enabled and Microsoft Entra ID principal is added as a Microsoft Entra ID administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Microsoft Entra ID administrator sign-in can be a Microsoft Entra ID user, Service Principal, or Managed Identity. Multiple Microsoft Entra ID administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs.
-Additionally, any number of non-admin Microsoft Entra ID roles can be added to a cluster at any time once Microsoft Entra ID authentication is enabled. Database permissions for non-admin Microsoft Entra ID roles are managed similar to regular roles.
+Additionally, any number of nonadmin Microsoft Entra ID roles can be added to a cluster at any time once Microsoft Entra ID authentication is enabled. Database permissions for nonadmin Microsoft Entra ID roles are managed similar to regular roles.
<a name='connect-using-azure-ad-identities'></a>
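Review bot: The rewrite at L2581 only adds a serial comma and leaves the missing article in "and Microsoft Entra ID principal is added as a Microsoft Entra ID administrator"; suggest "and a Microsoft Entra ID principal is added". Likewise L2583 keeps "managed similar to regular roles", which should be "managed similarly to regular roles". One more point on L2574: the new anchor keeps a "-preview" suffix even though the heading at L2576 drops "(preview)"; keeping it is fine for link stability (product-updates.md links to it), but note that the heading now carries two legacy anchors, so a later cleanup should retarget those links before removing either one.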
Once you've authenticated against the Microsoft Entra ID, you then retrieve a to
## Next steps -- Check out [Microsoft Entra ID limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#azure-active-directory-authentication)
+- Check out [Microsoft Entra ID limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#microsoft-entra-id-authentication)
- [Learn how to configure authentication for Azure Cosmos DB for PostgreSQL clusters](./how-to-configure-authentication.md) - Set up private network access to the cluster nodes, see [Manage private access](./howto-private-access.md) - Set up public network access to the cluster nodes, see [Manage public access](./howto-manage-firewall-using-portal.md)
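Review bot: The link at L2587 now targets `reference-limits.md#microsoft-entra-id-authentication`, but no change to reference-limits.md appears in this change set; confirm that heading (or an explicit anchor with that name) exists there, otherwise the link silently lands at the top of the limits page and readers never see the Entra ID limitations it is meant to surface.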
cosmos-db How To Configure Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/how-to-configure-authentication.md
Previously updated : 11/06/2023 Last updated : 02/06/2024 # Use Microsoft Entra ID and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL [!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)]
-> [!IMPORTANT]
-> Microsoft Entra ID (formerly Azure Active Directory) authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
-> This preview version is provided without a service level agreement, and it's not recommended
-> for production workloads. Certain features might not be supported or might have constrained
-> capabilities.
->
-> You can see a complete list of other new features in [preview features](product-updates.md#features-in-preview).
- In this article, you configure authentication methods for Azure Cosmos DB for PostgreSQL. You manage Microsoft Entra ID admin users and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL. You also learn how to use a Microsoft Entra ID token with Azure Cosmos DB for PostgreSQL. An Azure Cosmos DB for PostgreSQL cluster is created with one built-in native PostgreSQL role named 'citus'. You can add more native PostgreSQL roles after cluster provisioning is completed.
You need to use Azure portal to configure authentication methods on an Azure Cos
Complete the following items on your Azure Cosmos DB for PostgreSQL cluster to enable or disable Microsoft Entra ID authentication and native PostgreSQL authentication. 1. On the cluster page, under the **Cluster management** heading, choose **Authentication** to open authentication management options.
-1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Microsoft Entra ID authentication (preview)**, or **PostgreSQL and Microsoft Entra ID authentication (preview)** as the authentication method based on your requirements.
+1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Microsoft Entra ID authentication**, or **PostgreSQL and Microsoft Entra ID authentication** as the authentication method based on your requirements.
-Once done proceed with [configuring Microsoft Entra ID authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on **Authentication** page.
+Once done proceed with [configuring Microsoft Entra ID authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on the same **Authentication** page.
<a name='configure-azure-active-directory-authentication'></a>
Users need to be allowed to sign in to Azure Cosmos DB for PostgreSQL in the Mic
1. Open 'Microsoft Entra ID' service. 1. On the **Overview** page of Microsoft Entra ID service in the **Overview** section, search for 'b4fa09d8-5da5-4352-83d9-05c2a44cf431' application ID. 1. Choose 'Azure Cosmos DB for PostgreSQL AAD Authentication' enterprise application in the search results.
-1. In the Azure Cosmos DB for PostgreSQL AAD Authentication enterprise application, choose **Properties** page.
+1. In the **Azure Cosmos DB for PostgreSQL AAD Authentication** enterprise application, choose **Properties** page.
1. Set **Enabled for users to sign-in?** to **Yes** and save the change. # [Azure CLI](#tab/cli)
az ad sp update --id b4fa09d8-5da5-4352-83d9-05c2a44cf431 --set accountEnabled=t
```
+> [!NOTE]
+> Editing enterprise application's properties such as 'Enabled for users to sign-in' requires permissions granted to the Global Administrator, Cloud Application Administrator, or Application Administrator roles. See [the list of built-in Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference).
+ ### Add Microsoft Entra ID admins to Azure Cosmos DB for PostgreSQL cluster To add or remove Microsoft Entra ID roles on cluster, follow these steps on **Authentication** page:
-1. In **Microsoft Entra ID authentication (preview)** section, select **Add Microsoft Entra ID admins**.
+1. In **Microsoft Entra ID authentication** section, select **Add Microsoft Entra ID admins**.
1. In **Select Microsoft Entra ID Admins** panel, select one or more valid Microsoft Entra ID user or enterprise application in the current AD tenant to be a Microsoft Entra ID administrator on your Azure Cosmos DB for PostgreSQL cluster. 1. Use **Select** to confirm your choice. 1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding native PostgreSQL roles.
az login
The command opens a browser window to the Microsoft Entra ID authentication page. It requires you to give your Microsoft Entra ID user name and password.
+The user account name you use to authenticate (for example, user@tenant.onmicrosoft.com) is the one the access token will be generated for in the next step.
+ <a name='retrieve-the-azure-ad-access-token'></a> ### Retrieve the Microsoft Entra ID access token
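Review bot: The new note at L2614 lists Global Administrator first among the roles that can flip "Enabled for users to sign-in". Since the task is editing one enterprise application's properties, suggest leading with the least-privileged option ("Application Administrator or Cloud Application Administrator; Global Administrator also has this permission") so readers are not nudged toward a tenant-wide role for a single-application change. The added sentence at L2621 is a useful clarification; consider stating explicitly that the same account must be used in the psql `user=` parameter later, since that is where a mismatch surfaces as an authentication failure.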
The command opens a browser window to the Microsoft Entra ID authentication page
Use the Azure CLI to acquire an access token for the Microsoft Entra ID authenticated user to access Azure Cosmos for PostgreSQL. Here's an example: ```azurecli-interactive
-az account get-access-token --resource https://postgres.cosmos.azure.com
+az account get-access-token --resource https://token.postgres.cosmos.azure.com
``` After authentication is successful, Microsoft Entra ID returns an access token for current Azure subscription:
After authentication is successful, Microsoft Entra ID returns an access token f
} ```
-The TOKEN is a Base64 string. It encodes all the information about the authenticated user and is targeted to the Azure Cosmos DB for PostgreSQL service. The token is valid for at least 5 minutes with the maximum of 90 minutes. The expiresOn defines actual token expiration time.
+The TOKEN is a Base64 string. It encodes all the information about the authenticated user and is associated with the Azure Cosmos DB for PostgreSQL service. The token is valid for at least 5 minutes with the maximum of 90 minutes. The **expiresOn** defines actual token expiration time.
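Review bot: The rewrite at L2631 replaces "targeted to the Azure Cosmos DB for PostgreSQL service" with "associated with", which loses the point that the token is issued for the specific resource passed via `--resource` at L2626 and is only valid there; suggest "issued for the Azure Cosmos DB for PostgreSQL service (the resource passed to `--resource`)". Also consider leaving the rest of the sentence as it was: "associated with" invites readers to reuse a token obtained for some other resource.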
### Use a token as a password for signing in with client psql
export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --quer
> or clear the PGPASSWORD variable value to enter the password interactively. > Authentication would fail with the wrong value in PGPASSWORD.
-Now you can initiate a connection with Azure Cosmos DB for PostgreSQL as you usually would (without 'password' parameter in the command line):
+Now you can initiate a connection with Azure Cosmos DB for PostgreSQL using the Microsoft Entra ID user account that the access token was generated for. You would do it as you usually would with the user account as the user and without 'password' parameter in the command line:
```sql psql "host=mycluster.[uniqueID].postgres.cosmos.azure.com user=user@tenant.onmicrosoft.com dbname=[db_name] sslmode=require"
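Review bot: The two token-acquisition commands in this article now disagree on the resource: L2626 uses `--resource https://token.postgres.cosmos.azure.com`, while the psql example at L2633 still uses `--resource-type oss-rdbms`. A token is only accepted by the audience it was issued for, so either align L2633 with the resource at L2626 or state explicitly that both identifiers yield tokens the service accepts; as written, a reader who copies the first command and then the second may get a working token from one and an authentication failure from the other with no hint why. Separately, the rewritten sentence at L2636 is hard to parse ("You would do it as you usually would with the user account as the user"); suggest "Connect as you usually would, passing that account as the user and omitting the 'password' parameter".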
cosmos-db Product Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/product-updates.md
Previously updated : 01/21/2024 Last updated : 02/06/2024 # Product updates for Azure Cosmos DB for PostgreSQL
Updates that donΓÇÖt directly affect the internals of a cluster are rolled out g
Updates that change cluster internals, such as installing a [new minor PostgreSQL version](https://www.postgresql.org/developer/roadmap/), are delivered to existing clusters as part of the next [scheduled maintenance](concepts-maintenance.md) event. Such updates are available immediately to newly created clusters.
+### February 2024
+* General availability: [Microsoft Entra authentication](./concepts-authentication.md#microsoft-entra-id-authentication-preview) is now supported in addition to Postgres roles in [all supported regions](./resources-regions.md).
+ ### January 2024 * General availability: [32 TiB storage per node for multi-node configurations](./resources-compute.md#multi-node-cluster) in all supported regions. * See [how to get the most out of storage](./resources-compute.md#maximum-iops-for-your-compute--storage-configuration)
Updates that change cluster internals, such as installing a [new minor PostgreSQ
* General availability: Citus 12 is now available in [all supported regions](./resources-regions.md) with PostgreSQL 14 and PostgreSQL 15. * Check [what's new in Citus 12](https://www.citusdata.com/updates/v12-0/). * See [Postgres and Citus version in-place upgrade](./concepts-upgrade.md).
-* Preview: [Microsoft Entra authentication](./concepts-authentication.md#azure-active-directory-authentication-preview) is now supported in addition to Postgres roles.
+* Preview: [Microsoft Entra authentication](./concepts-authentication.md#microsoft-entra-id-authentication-preview) is now supported in addition to Postgres roles.
* Preview: Azure CLI is now supported for all Azure Cosmos DB for PostgreSQL management operations. * See [details](/cli/azure/cosmosdb/postgres).
might have capabilities with limitations. For more information, see
[Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
-* [Microsoft Entra ID authentication](./concepts-authentication.md#azure-active-directory-authentication-preview)
+* There are no features in preview at this time.
## Contact us
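Review bot: The replacement at L2653 states "There are no features in preview at this time", but the January 2024 entry at L2649 in the same file still lists "Preview: Azure CLI is now supported for all Azure Cosmos DB for PostgreSQL management operations". Either the CLI support has also gone GA and L2649 needs updating (with a matching February entry), or it is still in preview and belongs in this list instead of the removed Entra ID line at L2652.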
cosmos-db How To Use Php https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/table/how-to-use-php.md
- Title: Use Azure Storage Table service or Azure Cosmos DB for Table from PHP
-description: Store structured data in the cloud using Azure Table storage or the Azure Cosmos DB for Table from PHP.
----- Previously updated : 07/23/2020-
-# How to use Azure Storage Table service or the Azure Cosmos DB for Table from PHP
--
-> [!WARNING]
-> This project is in the [community support](https://azure.github.io/azure-sdk/policies_support.html#package-lifecycle) stage of it's lifecycle. Eventually, all associated client libraries will be retired permanently. For more details on the retirement and alternatives to using this project, see [Retirement notice: Azure Storage PHP client libraries](https://azure.microsoft.com/updates/retirement-notice-the-azure-storage-php-client-libraries-will-be-retired-on-17-march-2024/).
--
-This article shows you how to create tables, store your data, and perform CRUD operations on the data. Choose either the Azure Table service or the Azure Cosmos DB for Table. The samples are written in PHP and use the [Azure Storage Table PHP Client Library][download]. The scenarios covered include **creating and deleting a table**, and **inserting, deleting, and querying entities in a table**. For more information on the Azure Table service, see the [Next steps](#next-steps) section.
-
-## Create an Azure service account
--
-**Create an Azure storage account**
--
-**Create an Azure Cosmos DB for Table account**
--
-## Create a PHP application
-
-The only requirement to create a PHP application to access the Storage Table service or Azure Cosmos DB for Table is to reference classes in the azure-storage-table SDK for PHP from within your code. You can use any development tools to create your application, including Notepad.
-
-In this guide, you use Storage Table service or Azure Cosmos DB features that can be called from within a PHP application locally, or in code running within an Azure web role, worker role, or website.
-
-## Get the client library
-
-1. Create a file named composer.json in the root of your project and add the following code to it:
- ```json
- {
- "require": {
- "microsoft/azure-storage-table": "*"
- }
- }
- ```
-2. Download [composer.phar](https://getcomposer.org/composer.phar) in your root.
-3. Open a command prompt and execute the following command in your project root:
- ```
- php composer.phar install
- ```
- Alternatively, go to the [Azure Storage Table PHP Client Library](https://github.com/Azure/azure-storage-php/tree/master/azure-storage-table) on GitHub to clone the source code.
-
-## Add required references
-
-To use the Storage Table service or Azure Cosmos DB APIs, you must:
-
-* Reference the autoloader file using the [require_once][require_once] statement, and
-* Reference any classes you use.
-
-The following example shows how to include the autoloader file and reference the **TableRestProxy** class.
-
-```php
-require_once 'vendor/autoload.php';
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-```
-
-In the examples below, the `require_once` statement is always shown, but only the classes necessary for the example to execute are referenced.
-
-## Add your connection string
-
-You can either connect to the Azure storage account or the Azure Cosmos DB for Table account. Get the connection string based on the type of account you are using.
-
-### Add a Storage Table service connection
-
-To instantiate a Storage Table service client, you must first have a valid connection string. The format for the Storage Table service connection string is:
-
-```php
-$connectionString = "DefaultEndpointsProtocol=[http|https];AccountName=[yourAccount];AccountKey=[yourKey]"
-```
-
-### Add a Storage Emulator connection
-
-To access the emulator storage:
-
-```php
-UseDevelopmentStorage = true
-```
-
-### Add an Azure Cosmos DB connection
-
-To instantiate an Azure Cosmos DB Table client, you must first have a valid connection string. The format for the Azure Cosmos DB connection string is:
-
-```php
-$connectionString = "DefaultEndpointsProtocol=[https];AccountName=[myaccount];AccountKey=[myaccountkey];TableEndpoint=[https://myendpoint/]";
-```
-
-To create an Azure Table service client or Azure Cosmos DB client, you need to use the **TableRestProxy** class. You can:
-
-* Pass the connection string directly to it or
-* Use the **CloudConfigurationManager (CCM)** to check multiple external sources for the connection string:
- * By default, it comes with support for one external source - environmental variables.
- * You can add new sources by extending the `ConnectionStringSource` class.
-
-For the examples outlined here, the connection string is passed directly.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-
-$tableClient = TableRestProxy::createTableService($connectionString);
-```
-
-## Create a table
-
-A **TableRestProxy** object lets you create a table with the **createTable** method. When creating a table, you can set the Table service timeout. (For more information about the Table service timeout, see [Setting Timeouts for Table Service Operations][table-service-timeouts].)
-
-```php
-require_once 'vendor\autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create Table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- // Create table.
- $tableClient->createTable("mytable");
-}
-catch(ServiceException $e){
- $code = $e->getCode();
- $error_message = $e->getMessage();
- // Handle exception based on error codes and messages.
- // Error codes and messages can be found here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
-}
-```
-
-For information about restrictions on table names, see [Understanding the Table Service Data Model][table-data-model].
-
-## Add an entity to a table
-
-To add an entity to a table, create a new **Entity** object and pass it to **TableRestProxy->insertEntity**. Note that when you create an entity, you must specify a `PartitionKey` and `RowKey`. These are the unique identifiers for an entity and are values that can be queried much faster than other entity properties. The system uses `PartitionKey` to automatically distribute the table's entities over many Storage nodes. Entities with the same `PartitionKey` are stored on the same node. (Operations on multiple entities stored on the same node perform better than on entities stored across different nodes.) The `RowKey` is the unique ID of an entity within a partition.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$entity = new Entity();
-$entity->setPartitionKey("tasksSeattle");
-$entity->setRowKey("1");
-$entity->addProperty("Description", null, "Take out the trash.");
-$entity->addProperty("DueDate",
- EdmType::DATETIME,
- new DateTime("2012-11-05T08:15:00-08:00"));
-$entity->addProperty("Location", EdmType::STRING, "Home");
-
-try{
- $tableClient->insertEntity("mytable", $entity);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
-}
-```
-
-For information about Table properties and types, see [Understanding the Table Service Data Model][table-data-model].
-
-The **TableRestProxy** class offers two alternative methods for inserting entities: **insertOrMergeEntity** and **insertOrReplaceEntity**. To use these methods, create a new **Entity** and pass it as a parameter to either method. Each method will insert the entity if it does not exist. If the entity already exists, **insertOrMergeEntity** updates property values if the properties already exist and adds new properties if they do not exist, while **insertOrReplaceEntity** completely replaces an existing entity. The following example shows how to use **insertOrMergeEntity**. If the entity with `PartitionKey` "tasksSeattle" and `RowKey` "1" does not already exist, it will be inserted. However, if it has previously been inserted (as shown in the example above), the `DueDate` property is updated, and the `Status` property is added. The `Description` and `Location` properties are also updated, but with values that effectively leave them unchanged. If these latter two properties were not added as shown in the example, but existed on the target entity, their existing values would remain unchanged.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-//Create new entity.
-$entity = new Entity();
-
-// PartitionKey and RowKey are required.
-$entity->setPartitionKey("tasksSeattle");
-$entity->setRowKey("1");
-
-// If entity exists, existing properties are updated with new values and
-// new properties are added. Missing properties are unchanged.
-$entity->addProperty("Description", null, "Take out the trash.");
-$entity->addProperty("DueDate", EdmType::DATETIME, new DateTime()); // Modified the DueDate field.
-$entity->addProperty("Location", EdmType::STRING, "Home");
-$entity->addProperty("Status", EdmType::STRING, "Complete"); // Added Status field.
-
-try {
- // Calling insertOrReplaceEntity, instead of insertOrMergeEntity as shown,
- // would simply replace the entity with PartitionKey "tasksSeattle" and RowKey "1".
- $tableClient->insertOrMergeEntity("mytable", $entity);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-## Retrieve a single entity
-
-The **TableRestProxy->getEntity** method allows you to retrieve a single entity by querying for its `PartitionKey` and `RowKey`. In the example below, the partition key `tasksSeattle` and row key `1` are passed to the **getEntity** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- $result = $tableClient->getEntity("mytable", "tasksSeattle", 1);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-$entity = $result->getEntity();
-
-echo $entity->getPartitionKey().":".$entity->getRowKey();
-```
-
-## Retrieve all entities in a partition
-
-Entity queries are constructed using filters (for more information, see [Querying Tables and Entities][filters]). To retrieve all entities in partition, use the filter "PartitionKey eq *partition_name*". The following example shows how to retrieve all entities in the `tasksSeattle` partition by passing a filter to the **queryEntities** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$filter = "PartitionKey eq 'tasksSeattle'";
-
-try {
- $result = $tableClient->queryEntities("mytable", $filter);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-$entities = $result->getEntities();
-
-foreach($entities as $entity){
- echo $entity->getPartitionKey().":".$entity->getRowKey()."<br />";
-}
-```
-
-## Retrieve a subset of entities in a partition
-
-The same pattern used in the previous example can be used to retrieve any subset of entities in a partition. The subset of entities you retrieve are determined by the filter you use (for more information, see [Querying Tables and Entities][filters]).The following example shows how to use a filter to retrieve all entities with a specific `Location` and a `DueDate` less than a specified date.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$filter = "Location eq 'Office' and DueDate lt '2012-11-5'";
-
-try {
- $result = $tableClient->queryEntities("mytable", $filter);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-$entities = $result->getEntities();
-
-foreach($entities as $entity){
- echo $entity->getPartitionKey().":".$entity->getRowKey()."<br />";
-}
-```
-
-## Retrieve a subset of entity properties
-
-A query can retrieve a subset of entity properties. This technique, called *projection*, reduces bandwidth and can improve query performance, especially for large entities. To specify a property to retrieve, pass the name of the property to the **Query->addSelectField** method. You can call this method multiple times to add more properties. After executing **TableRestProxy->queryEntities**, the returned entities will only have the selected properties. (If you want to return a subset of Table entities, use a filter as shown in the queries above.)
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\QueryEntitiesOptions;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$options = new QueryEntitiesOptions();
-$options->addSelectField("Description");
-
-try {
- $result = $tableClient->queryEntities("mytable", $options);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-// All entities in the table are returned, regardless of whether
-// they have the Description field.
-// To limit the results returned, use a filter.
-$entities = $result->getEntities();
-
-foreach($entities as $entity){
- $description = $entity->getProperty("Description")->getValue();
- echo $description."<br />";
-}
-```
-
-## Update an entity
-
-You can update an existing entity by using the **Entity->setProperty** and **Entity->addProperty** methods on the entity, and then calling **TableRestProxy->updateEntity**. The following example retrieves an entity, modifies one property, removes another property, and adds a new property. Note that you can remove a property by setting its value to **null**.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$result = $tableClient->getEntity("mytable", "tasksSeattle", 1);
-
-$entity = $result->getEntity();
-$entity->setPropertyValue("DueDate", new DateTime()); //Modified DueDate.
-$entity->setPropertyValue("Location", null); //Removed Location.
-$entity->addProperty("Status", EdmType::STRING, "In progress"); //Added Status.
-
-try {
- $tableClient->updateEntity("mytable", $entity);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-## Delete an entity
-
-To delete an entity, pass the table name, and the entity's `PartitionKey` and `RowKey` to the **TableRestProxy->deleteEntity** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- // Delete entity.
- $tableClient->deleteEntity("mytable", "tasksSeattle", "2");
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-For concurrency checks, you can set the Etag for an entity to be deleted by using the **DeleteEntityOptions->setEtag** method and passing the **DeleteEntityOptions** object to **deleteEntity** as a fourth parameter.
-
-## Batch table operations
-
-The **TableRestProxy->batch** method allows you to execute multiple operations in a single request. The pattern here involves adding operations to **BatchRequest** object and then passing the **BatchRequest** object to the **TableRestProxy->batch** method. To add an operation to a **BatchRequest** object, you can call any of the following methods multiple times:
-
-* **addInsertEntity** (adds an insertEntity operation)
-* **addUpdateEntity** (adds an updateEntity operation)
-* **addMergeEntity** (adds a mergeEntity operation)
-* **addInsertOrReplaceEntity** (adds an insertOrReplaceEntity operation)
-* **addInsertOrMergeEntity** (adds an insertOrMergeEntity operation)
-* **addDeleteEntity** (adds a deleteEntity operation)
-
-The following example shows how to execute **insertEntity** and **deleteEntity** operations in a single request.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-use MicrosoftAzure\Storage\Table\Models\BatchOperations;
-
-// Configure a connection string for Storage Table service.
-$connectionString = "DefaultEndpointsProtocol=[http|https];AccountName=[yourAccount];AccountKey=[yourKey]"
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-// Create list of batch operation.
-$operations = new BatchOperations();
-
-$entity1 = new Entity();
-$entity1->setPartitionKey("tasksSeattle");
-$entity1->setRowKey("2");
-$entity1->addProperty("Description", null, "Clean roof gutters.");
-$entity1->addProperty("DueDate",
- EdmType::DATETIME,
- new DateTime("2012-11-05T08:15:00-08:00"));
-$entity1->addProperty("Location", EdmType::STRING, "Home");
-
-// Add operation to list of batch operations.
-$operations->addInsertEntity("mytable", $entity1);
-
-// Add operation to list of batch operations.
-$operations->addDeleteEntity("mytable", "tasksSeattle", "1");
-
-try {
- $tableClient->batch($operations);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-For more information about batching Table operations, see [Performing Entity Group Transactions][entity-group-transactions].
-
-## Delete a table
-
-Finally, to delete a table, pass the table name to the **TableRestProxy->deleteTable** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- // Delete table.
- $tableClient->deleteTable("mytable");
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-## Next steps
-
-Now that you've learned the basics of the Azure Table service and Azure Cosmos DB, follow these links to learn more.
-
-* [Microsoft Azure Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md) is a free, standalone app from Microsoft that enables you to work visually with Azure Storage data on Windows, macOS, and Linux.
-
-* [PHP Developer Center](https://azure.microsoft.com/develop/php/).
-
-[download]: https://packagist.org/packages/microsoft/azure-storage-table
-[require_once]: https://php.net/require_once
-[table-service-timeouts]: /rest/api/storageservices/setting-timeouts-for-table-service-operations
-
-[table-data-model]: /rest/api/storageservices/Understanding-the-Table-Service-Data-Model
-[filters]: /rest/api/storageservices/Querying-Tables-and-Entities
-[entity-group-transactions]: /rest/api/storageservices/Performing-Entity-Group-Transactions
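Review bot: A wholesale deletion of the PHP article needs a companion redirect for the old how-to-use-php URL, and none is visible in this change; the `## Next steps` section and every reference definition at the bottom (`[download]`, `[require_once]`, `[table-service-timeouts]`, `[entity-group-transactions]`) go with it, so check that nothing else in the docs set links here before merging. Two defects in the removed samples are worth recording so they are not copied into any successor: the batch example's `$connectionString = "DefaultEndpointsProtocol=[http|https];AccountName=[yourAccount];AccountKey=[yourKey]"` has no terminating semicolon and embeds the account key in source instead of reading it from configuration, and every `catch(ServiceException $e)` block writes the raw service error into HTML output (`echo $code.": ".$error_message."<br />";`), an information-disclosure pattern that should not appear even in a sample. The "Update an entity" prose also names `Entity->setProperty` while the code calls `setPropertyValue`.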
cosmos-db How To Use Ruby https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/table/how-to-use-ruby.md
- Title: Use Azure Cosmos DB for Table and Azure Table Storage with Ruby
-description: Store structured data in the cloud using Azure Table storage or the Azure Cosmos DB for Table.
--- Previously updated : 07/23/2020----
-# How to use Azure Table Storage and the Azure Cosmos DB for Table with Ruby
--
-> [!WARNING]
-> This project is in the [community support](https://azure.github.io/azure-sdk/policies_support.html#package-lifecycle) stage of it's lifecycle. Eventually, all associated client libraries will be retired permanently. For more details on the retirement and alternatives to using this project, see [Retirement notice: Azure Storage PHP client libraries](https://azure.microsoft.com/updates/retirement-notice-the-azure-storage-ruby-client-libraries-will-be-retired-on-13-september-2024/).
--
-This article shows you how to create tables, store your data, and perform CRUD operations on the data. Choose either the Azure Table service or the Azure Cosmos DB for Table. The samples described in this article are written in Ruby and uses the [Azure Storage Table Client Library for Ruby](https://github.com/azure/azure-storage-ruby/tree/master/table). The scenarios covered include create a table, delete a table, insert entities, and query entities from the table.
-
-## Create an Azure service account
--
-**Create an Azure storage account**
--
-**Create an Azure Cosmos DB account**
--
-## Add access to Azure storage or Azure Cosmos DB
-
-To use Azure Storage or Azure Cosmos DB, you must download and use the Ruby Azure package that includes a set of convenience libraries that communicate with the Table REST services.
-
-### Use RubyGems to obtain the package
-
-1. Use a command-line interface such as **PowerShell** (Windows), **Terminal** (Mac), or **Bash** (Unix).
-2. Type **gem install azure-storage-table** in the command window to install the gem and dependencies.
-
-### Import the package
-
-Use your favorite text editor, add the following to the top of the Ruby file where you intend to use Storage:
-
-```ruby
-require "azure/storage/table"
-```
-
-## Add your connection string
-
-You can either connect to the Azure storage account or the Azure Cosmos DB for Table account. Get the connection string based on the type of account you are using.
-
-### Add an Azure Storage connection
-
-The Azure Storage module reads the environment variables **AZURE_STORAGE_ACCOUNT** and **AZURE_STORAGE_ACCESS_KEY** for information required to connect to your Azure Storage account. If these environment variables are not set, you must specify the account information before using **Azure::Storage::Table::TableService** with the following code:
-
-```ruby
-Azure.config.storage_account_name = "<your Azure Storage account>"
-Azure.config.storage_access_key = "<your Azure Storage access key>"
-```
-
-To obtain these values from a classic or Resource Manager storage account in the Azure portal:
-
-1. Log in to the [Azure portal](https://portal.azure.com).
-2. Navigate to the Storage account you want to use.
-3. In the Settings blade on the right, click **Access Keys**.
-4. In the Access keys blade that appears, you'll see the access key 1 and access key 2. You can use either of these.
-5. Click the copy icon to copy the key to the clipboard.
-
-### Add an Azure Cosmos DB connection
-
-To connect to Azure Cosmos DB, copy your primary connection string from the Azure portal, and create a **Client** object using your copied connection string. You can pass the **Client** object when you create a **TableService** object:
-
-```ruby
-common_client = Azure::Storage::Common::Client.create(storage_account_name:'myaccount', storage_access_key:'mykey', storage_table_host:'mycosmosdb_endpoint')
-table_client = Azure::Storage::Table::TableService.new(client: common_client)
-```
-
-## Create a table
-
-The **Azure::Storage::Table::TableService** object lets you work with tables and entities. To create a table, use the **create_table()** method. The following example creates a table or prints the error if there is any.
-
-```ruby
-azure_table_service = Azure::Storage::Table::TableService.new
-begin
- azure_table_service.create_table("testtable")
-rescue
- puts $!
-end
-```
-
-## Add an entity to a table
-
-To add an entity, first create a hash object that defines your entity properties. Note that for every entity you must specify a **PartitionKey** and **RowKey**. These are the unique identifiers of your entities, and are values that can be queried much faster than your other properties. Azure Storage uses **PartitionKey** to automatically distribute the table's entities over many storage nodes. Entities with the same **PartitionKey** are stored on the same node. The **RowKey** is the unique ID of the entity within the partition it belongs to.
-
-```ruby
-entity = { "content" => "test entity",
- :PartitionKey => "test-partition-key", :RowKey => "1" }
-azure_table_service.insert_entity("testtable", entity)
-```
-
-## Update an entity
-
-There are multiple methods available to update an existing entity:
-
-* **update_entity():** Update an existing entity by replacing it.
-* **merge_entity():** Updates an existing entity by merging new property values into the existing entity.
-* **insert_or_merge_entity():** Updates an existing entity by replacing it. If no entity exists, a new one will be inserted:
-* **insert_or_replace_entity():** Updates an existing entity by merging new property values into the existing entity. If no entity exists, a new one will be inserted.
-
-The following example demonstrates updating an entity using **update_entity()**:
-
-```ruby
-entity = { "content" => "test entity with updated content",
- :PartitionKey => "test-partition-key", :RowKey => "1" }
-azure_table_service.update_entity("testtable", entity)
-```
-
-With **update_entity()** and **merge_entity()**, if the entity that you are updating doesn't exist then the update operation will fail. Therefore, if you want to store an entity regardless of whether it already exists, you should instead use **insert_or_replace_entity()** or **insert_or_merge_entity()**.
-
-## Work with groups of entities
-
-Sometimes it makes sense to submit multiple operations together in a batch to ensure atomic processing by the server. To accomplish that, you first create a **Batch** object and then use the **execute_batch()** method on **TableService**. The following example demonstrates submitting two entities with RowKey 2 and 3 in a batch. Notice that it only works for entities with the same PartitionKey.
-
-```ruby
-azure_table_service = Azure::TableService.new
-batch = Azure::Storage::Table::Batch.new("testtable",
- "test-partition-key") do
- insert "2", { "content" => "new content 2" }
- insert "3", { "content" => "new content 3" }
-end
-results = azure_table_service.execute_batch(batch)
-```
-
-## Query for an entity
-
-To query an entity in a table, use the **get_entity()** method, by passing the table name, **PartitionKey** and **RowKey**.
-
-```ruby
-result = azure_table_service.get_entity("testtable", "test-partition-key",
- "1")
-```
-
-## Query a set of entities
-
-To query a set of entities in a table, create a query hash object and use the **query_entities()** method. The following example demonstrates getting all the entities with the same **PartitionKey**:
-
-```ruby
-query = { :filter => "PartitionKey eq 'test-partition-key'" }
-result, token = azure_table_service.query_entities("testtable", query)
-```
-
-> [!NOTE]
-> If the result set is too large for a single query to return, a continuation token is returned that you can use to retrieve subsequent pages.
--
-## Query a subset of entity properties
-
-A query to a table can retrieve just a few properties from an entity. This technique, called "projection," reduces bandwidth and can improve query performance, especially for large entities. Use the select clause and pass the names of the properties you would like to bring over to the client.
-
-```ruby
-query = { :filter => "PartitionKey eq 'test-partition-key'",
- :select => ["content"] }
-result, token = azure_table_service.query_entities("testtable", query)
-```
-
-## Delete an entity
-
-To delete an entity, use the **delete_entity()** method. Pass in the name of the table that contains the entity, the PartitionKey, and the RowKey of the entity.
-
-```ruby
-azure_table_service.delete_entity("testtable", "test-partition-key", "1")
-```
-
-## Delete a table
-
-To delete a table, use the **delete_table()** method and pass in the name of the table you want to delete.
-
-```ruby
-azure_table_service.delete_table("testtable")
-```
-
-## Next steps
-
-* [Microsoft Azure Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md) is a free, standalone app from Microsoft that enables you to work visually with Azure Storage data on Windows, macOS, and Linux.
-* [Ruby Developer Center](https://azure.microsoft.com/develop/ruby/)
-* [Microsoft Azure Storage Table Client Library for Ruby](https://github.com/azure/azure-storage-ruby/tree/master/table)
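Review bot: The removed retirement warning's link text and target disagree: `[Retirement notice: Azure Storage PHP client libraries](https://azure.microsoft.com/updates/retirement-notice-the-azure-storage-ruby-client-libraries-will-be-retired-on-13-september-2024/)` names PHP while the URL is the Ruby notice, so if a stub or redirect page replaces this article, it should carry the Ruby notice and the 13 September 2024 date. For the record, the deleted text also had two swapped definitions in the update-method list (`insert_or_merge_entity()` is described as "replacing" and `insert_or_replace_entity()` as "merging"), and the batch sample constructs `Azure::TableService.new` while every other sample uses `Azure::Storage::Table::TableService.new`; neither should be carried into a successor page. The Cosmos DB connection sample also inlines `storage_access_key:'mykey'`; a successor should keep the environment-variable route (`AZURE_STORAGE_ACCESS_KEY`) as the primary guidance rather than keys in source.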
cost-management-billing Reservation Utilization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/reservation-utilization.md
To view reservation utilization, you must have Azure RBAC access to the reservat
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Go to [Reservations](https://portal.azure.com/#blade/Microsoft_Azure_Reservations/ReservationsBrowseBlade).
-1. The list shows all the reservations where you have the Owner or Reader role. Each reservation shows the last known utilization percentage.
+1. The list shows all the reservations where you have the Owner or Reader role. You can also view all reservations in your Microsoft Entra tenant (directory) if you have Reservation administrator or reader role. Each reservation shows the last known utilization percentage.
1. Select the utilization percentage to see the utilization history and details. The following video shows an example. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4sYwk]
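Review bot: The added sentence is inconsistent with the unchanged intro line `To view reservation utilization, you must have Azure RBAC access to the reservat…`, which only describes access on the reservation itself; now that tenant-wide visibility via the Reservation administrator or Reservation reader role is documented, the intro should mention that path too and say where those roles are granted. The clause also needs articles and consistent role casing ("if you have the Reservation administrator or Reservation reader role"), and it reads better as the last sentence of the step, after "Each reservation shows the last known utilization percentage.", so the description of the list is not interrupted.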
data-factory Configure Bcdr Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/configure-bcdr-azure-ssis-integration-runtime.md
Title: Configure Azure-SSIS integration runtime for business continuity and disa
description: This article describes how to configure Azure-SSIS integration runtime in Azure Data Factory with Azure SQL Database/Managed Instance failover group for business continuity and disaster recovery (BCDR). - ms.devlang: powershell
data-factory Connector Google Adwords https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-google-adwords.md
Previously updated : 12/22/2023 Last updated : 01/18/2024 # Copy data from Google Ads using Azure Data Factory or Synapse Analytics
Last updated 12/22/2023
This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Google Ads. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity. > [!Important]
-> It is highly recommended to [upgrade your Google Ads driver version](#upgrade-the-google-ads-driver-version).
+> Please kindly [upgrade your Google Ads driver version](#upgrade-the-google-ads-driver-version) before **February 18, 2024**. If not, connection will start to fail with an [error](connector-troubleshoot-google-ads.md#error-code-deprecatedgoogleadslegacydriverversion) because of the deprecation of the legacy driver.
## Supported capabilities
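Review bot: "Please kindly" is not documentation register and "connection will start to fail" is missing its article; suggest: "Upgrade your Google Ads driver version before **February 18, 2024**. After that date, connections that use the legacy driver fail with an [error](connector-troubleshoot-google-ads.md#error-code-deprecatedgoogleadslegacydriverversion) because the legacy driver is deprecated." The hard date also needs an owner: once it has passed, the note should become a plain statement that the legacy driver is deprecated, so consider a follow-up issue or a reminder in the commit message.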
The following properties are supported for Google Ads linked service:
| Property | Description | Required | |: |: |: | | type | The type property must be set to: **GoogleAdWords** | Yes |
-| googleAdsApiVersion | The Google Ads API version that you use. You can refer this [article](https://developers.google.com/google-ads/api/docs/release-notes) for API version information.| Yes |
+| googleAdsApiVersion | The Google Ads API version that you use when you select the recommended driver version. You can refer this [article](https://developers.google.com/google-ads/api/docs/release-notes) for API version information.| Yes |
| clientCustomerID | The Client customer ID of the Ads account that you want to fetch report data for. | Yes | | loginCustomerID | The customer ID of the Google Ads manager account through which you want to fetch report data of specific customer.| No | | developerToken | The developer token associated with the manager account that you use to grant access to the Ads API. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | Yes |
-| authenticationType | The OAuth 2.0 authentication mechanism used for authentication. ServiceAuthentication can only be used on self-hosted IR. <br/>Allowed values are: **ServiceAuthentication**, **UserAuthentication** | Yes |
+| authenticationType | The OAuth 2.0 authentication mechanism used for authentication. <br/>Allowed values are: **ServiceAuthentication**, **UserAuthentication**. <br/>ServiceAuthentication can only be used on self-hosted IR. | Yes |
+|*For **UserAuthentication***:|||
| refreshToken | The refresh token obtained from Google for authorizing access to Ads for UserAuthentication. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No | | clientId | The client ID of the Google application used to acquire the refresh token. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No | | clientSecret | The client secret of the google application used to acquire the refresh token. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No |
+|*For **ServiceAuthentication***:|||
| email | The service account email ID that is used for ServiceAuthentication and can only be used on self-hosted IR. | No | | privateKey | The service private key that is used for ServiceAuthentication for recommended driver version and can only be used on self-hosted IR. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md).| No |
-| keyFilePath | The full path to the `.p12` or `.json` key file that is used to authenticate the service account email address and can only be used on self-hosted IR. Specify this property when you use ServiceAuthentication for the legacy driver version. | No |
-| trustedCertPath | The full path of the .pem file containing trusted CA certificates for verifying the server when connecting over TLS. This property can only be set when using TLS on self-hosted IR. The default value is the cacerts.pem file installed with the IR. Specify this property when you use ServiceAuthentication for the legacy driver version. | No |
-| useSystemTrustStore | Specifies whether to use a CA certificate from the system trust store or from a specified PEM file. The default value is false. Specify this property when you use ServiceAuthentication for the legacy driver version. | No |
+|*For **ServiceAuthentication** using the legacy driver version*:|||
+| email | The service account email ID that is used for ServiceAuthentication and can only be used on self-hosted IR. | No |
+| keyFilePath | The full path to the `.p12` or `.json` key file that is used to authenticate the service account email address and can only be used on self-hosted IR. | No |
+| trustedCertPath | The full path of the .pem file containing trusted CA certificates for verifying the server when connecting over TLS. This property can only be set when using TLS on self-hosted IR. The default value is the cacerts.pem file installed with the IR. | No |
+| useSystemTrustStore | Specifies whether to use a CA certificate from the system trust store or from a specified PEM file. The default value is false. | No |
+ **Example:**
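Review bot: The `email` row is now duplicated with identical text, once under *For ServiceAuthentication* and again under *For ServiceAuthentication using the legacy driver version*; drop the second copy or state what differs between the two. The `googleAdsApiVersion` row now says it applies "when you select the recommended driver version" but is still marked Required = Yes, which is wrong for the legacy driver; make it "Yes, for the recommended driver version". The sub-header rows such as `|*For **UserAuthentication***:|||` nest bold inside italic with three adjacent asterisks, which some Markdown renderers mis-parse; use `| *For UserAuthentication:* | | |` or plain bold. Minor: "You can refer this article" → "See this article".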
To upgrade your Google Ads driver version, you need update your linked service a
### Update the linked service configuration
-Create a new Google Ads linked service and configure it by referring to [Linked service properties](#linked-service-properties).
+In **Edit linked service** page, select **Recommended** under **Driver version** and configure the linked service by referring to [Linked service properties](#linked-service-properties).
### Migrate from SQL to GAQL
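Review bot: "In **Edit linked service** page" should be "On the **Edit linked service** page"; the same phrasing appears in the MariaDB and MySQL changes in this batch, so fix it in all three for consistency.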
Here are the concrete examples of the field name conversion:
| Segments | `DayOfWeek` | `segments.day_of_week` | | Metrics | `VideoViews` | `metrics.video_views` | +
+## Upgrade Google AdWords connector to Google Ads connector
+
+Upgrade your Google AdWords linked service to the latest Google Ads linked service following the steps below:
+
+1. Select **Recommended** as driver version to create a new Google Ads linked service and configure it by referring to [Linked service properties](connector-google-adwords.md#linked-service-properties).
+1. Update your pipelines that refer to the legacy Google AdWords linked service. Considering that the Google Ads linked service only supports using query to copy data, so:
+ 1. If your pipeline is directly retrieving data from the report of Google AdWords, find the corresponding resource name of Google Ads in the table below and use this [tool](https://developers.google.com/google-ads/api/fields/v15/overview_query_builder) to build the query.
+
+ | Google AdWords report| Google Ads resource |
+ || --|
+ | ACCOUNT_PERFORMANCE_REPORT | customer |
+ | AD_PERFORMANCE_REPORT | ad_group_ad |
+ | ADGROUP_PERFORMANCE_REPORT | ad_group |
+ | AGE_RANGE_PERFORMANCE_REPORT | age_range_view |
+ | AUDIENCE_PERFORMANCE_REPORT | campaign_audience_view,ad_group_audience_view |
+ | AUTOMATIC_PLACEMENTS_PERFORMANCE_REPORT | group_placement_view |
+ | BID_GOAL_PERFORMANCE_REPORT | bidding_strategy |
+ | BUDGET_PERFORMANCE_REPORT | campaign_budget |
+ | CALL_METRICS_CALL_DETAILS_REPORT | call_view |
+ | CAMPAIGN_AD_SCHEDULE_TARGET_REPORT | ad_schedule_view |
+ | CAMPAIGN_CRITERIA_REPORT | campaign_criterion |
+ | CAMPAIGN_PERFORMANCE_REPORT | campaign |
+ | CAMPAIGN_SHARED_SET_REPORT | campaign_shared_set |
+ | CAMPAIGN_LOCATION_TARGET_REPORT | location_view |
+ | CLICK_PERFORMANCE_REPORT | click_view |
+ | DISPLAY_KEYWORD_PERFORMANCE_REPORT | display_keyword_view |
+ | DISPLAY_TOPICS_PERFORMANCE_REPORT | topic_view |
+ | GENDER_PERFORMANCE_REPORT | gender_view |
+ | GEO_PERFORMANCE_REPORT | geographic_view,user_location_view |
+ | KEYWORDLESS_QUERY_REPORT | dynamic_search_ads_search_term_view |
+ | KEYWORDS_PERFORMANCE_REPORT | keyword_view |
+ | LABEL_REPORT | label |
+ | LANDING_PAGE_REPORT | landing_page_view,expanded_landing_page_view |
+ | PAID_ORGANIC_QUERY_REPORT | paid_organic_search_term_view |
+ | PARENTAL_STATUS_PERFORMANCE_REPORT | parental_status_view |
+ | PLACEHOLDER_FEED_ITEM_REPORT | feed_item,feed_item_target |
+ | PLACEHOLDER_REPORT | feed_placeholder_view |
+ | PLACEMENT_PERFORMANCE_REPORT | managed_placement_view |
+ | PRODUCT_PARTITION_REPORT | product_group_view |
+ | SEARCH_QUERY_PERFORMANCE_REPORT | search_term_view |
+ | SHARED_SET_CRITERIA_REPORT | shared_criterion |
+ | SHARED_SET_REPORT | shared_set |
+ | SHOPPING_PERFORMANCE_REPORT | shopping_performance_view |
+ | TOP_CONTENT_PERFORMANCE_REPORT | No longer available in the Google Ads API. |
+ | URL_PERFORMANCE_REPORT | detail_placement_view |
+ | USER_AD_DISTANCE_REPORT | distance_view |
+ | VIDEO_PERFORMANCE_REPORT | video |
+
+ 1. If the pipeline is using query to retrieve data from Google AdWords, use [Query Migration tool](https://developers.google.com/google-ads/scripts/docs/reference/query-migration-tool) to translate the AWQL (AdWords Query Language) into GAQL (Google Ads Query Language).
+
+1. Be aware that there are certain limitations with this upgrade:
+ 1. Not all report types from AWQL are supported in GAQL.
+ 1. Not all AWQL queries are cleanly translated to GAQL queries.
+ ## Related content For a list of data stores supported as sources and sinks by the copy activity, see [supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).
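Review bot: The report-to-resource table's header separator `|| --|` is malformed (empty first cell, single dash) and will not render as a table on stricter Markdown engines; use `| --- | --- |`. Step 1 ("Select **Recommended** as driver version to create a new Google Ads linked service") duplicates the earlier "Update the linked service configuration" step rather than linking to it, and "Considering that the Google Ads linked service only supports using query to copy data, so:" is ungrammatical; suggest "Because the Google Ads linked service only supports copying data with a query:". The query-builder link hard-codes `fields/v15/`, which goes stale as the API version advances while the `googleAdsApiVersion` row delegates to the release notes; link to the unversioned overview or say which version the link targets. The `TOP_CONTENT_PERFORMANCE_REPORT` row says "No longer available in the Google Ads API." while the limitations list only says "Not all report types from AWQL are supported in GAQL"; cross-reference the two so readers know which reports have no migration path.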
data-factory Connector Mariadb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-mariadb.md
Previously updated : 01/18/2024 Last updated : 02/07/2024
To learn details about the properties, check [Lookup activity](control-flow-look
Here are steps that help you upgrade your MariaDB driver version:
-1. Create a new MariaDB linked service and configure it by referring to [Linked service properties](connector-mariadb.md#linked-service-properties).
+1. In **Edit linked service** page, select **Recommended** under **Driver version** and configure the linked service by referring to [Linked service properties](connector-mariadb.md#linked-service-properties).
1. The data type mapping for the latest MariaDB linked service is different from that for the legacy version. To learn the latest data type mapping, see [Data type mapping for MariaDB](connector-mariadb.md#data-type-mapping-for-mariadb).
-1. More MariaDB versions are supported for the latest driver version. For more information, see [Supported capabilities](connector-mariadb.md#supported-capabilities).
+1. The latest driver version v2 supports more MariaDB versions. For more information, see [Supported capabilities](connector-mariadb.md#supported-capabilities).
## Related content
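Review bot: "In **Edit linked service** page" → "On the **Edit linked service** page", and "The latest driver version v2" → "The latest driver version (v2)". Because step 1 now switches the existing linked service in place instead of creating a new one, and step 2 states the data type mapping differs for the latest version, the steps should warn that datasets and mappings built against the legacy linked service need re-validation after the switch, since the change lands under the same linked service name.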
data-factory Connector Mysql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-mysql.md
Previously updated : 01/16/2024 Last updated : 02/07/2024
To learn details about the properties, check [Lookup activity](control-flow-look
Here are steps that help you upgrade your MySQL driver version:
-1. Create a new MySQL linked service and configure it by referring toΓÇ»[Linked service properties](connector-mysql.md#linked-service-properties).
+1. In **Edit linked service** page, select **Recommended** under **Driver version** and configure the linked service by referring to [Linked service properties](connector-mysql.md#linked-service-properties).
1. The data type mapping for the latest MySQL linked service is different from that for the legacy version. To learn the latest data type mapping, see [Data type mapping for MySQL](connector-mysql.md#data-type-mapping-for-mysql).
-1. More MySQL versions are supported for the latest driver version. For more information, see [Supported capabilities](connector-mysql.md#supported-capabilities).
+1. The latest driver version v2 supports more MySQL versions. For more information, see [Supported capabilities](connector-mysql.md#supported-capabilities).
## Related content
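Review bot: Same two wording fixes as the MariaDB change ("On the **Edit linked service** page", "driver version (v2)"). The replacement also drops the mis-encoded non-breaking space in the old line (`referring toΓÇ»[Linked service properties]`); worth noting in the commit message so the same encoding artifact is recognised if it appears in other connector articles.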
data-factory Connector Salesforce Legacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce-legacy.md
Previously updated : 01/08/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce using Azure Data Factory or Azure Synapse Analytics (legacy)
Last updated 01/08/2024
This article outlines how to use Copy Activity in Azure Data Factory and Azure Synapse pipelines to copy data from and to Salesforce. It builds on the [Copy Activity overview](copy-activity-overview.md) article that presents a general overview of the copy activity. >[!IMPORTANT]
->The service has released a new Salesforce connector which provides better native Salesforce support comparing to this ODBC-based implementation, refer to [Salesforce connector](connector-salesforce.md) article on details. This legacy Salesforce connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
+>The service has released a new Salesforce connector which provides better native Salesforce support, refer to [Salesforce connector](connector-salesforce.md) article on details. This legacy Salesforce connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
## Supported capabilities
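Review bot: The rewritten note still has a comma splice: "which provides better native Salesforce support, refer to [Salesforce connector](connector-salesforce.md) article on details". Suggest "The service has released a new Salesforce connector that provides better native Salesforce support. For details, see the [Salesforce connector](connector-salesforce.md) article." Dropping "comparing to this ODBC-based implementation" also removes the only statement of how the legacy connector differs; if it is still ODBC-based, keep that fact in the note.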
data-factory Connector Salesforce Service Cloud Legacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce-service-cloud-legacy.md
Previously updated : 01/15/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce Service Cloud using Azure Data Factory or Synapse Analytics (legacy)
Last updated 01/15/2024
This article outlines how to use Copy Activity in Azure Data Factory and Synapse Analytics pipelines to copy data from and to Salesforce Service Cloud. It builds on the [Copy Activity overview](copy-activity-overview.md) article that presents a general overview of the copy activity. >[!IMPORTANT]
->The service has released a new Salesforce Service Cloud connector which provides better native Salesforce Service Cloud support comparing to this ODBC-based implementation, refer to [Salesforce Service Cloud connector](connector-salesforce-service-cloud.md) article on details. This legacy Salesforce Service Cloud connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
+>The service has released a new Salesforce Service Cloud connector which provides better native Salesforce Service Cloud support, refer to [Salesforce Service Cloud connector](connector-salesforce-service-cloud.md) article on details. This legacy Salesforce Service Cloud connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
## Supported capabilities
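Review bot: Same comma splice ("...support, refer to ... article on details") and same dropped "ODBC-based" qualifier as the Salesforce legacy change; apply the same rewording here so the two legacy notes stay parallel.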
data-factory Connector Salesforce Service Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce-service-cloud.md
Previously updated : 01/15/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce Service Cloud using Azure Data Factory or Azure Synapse Analytics
For a list of data stores that are supported as sources or sinks, see the [Suppo
Specifically, this Salesforce Service Cloud connector supports: - Salesforce Developer, Professional, Enterprise, or Unlimited editions.-- Copying data from and to custom domain.
+- Copying data from and to custom domain (Custom domain can be configured in both production and sanbox environments).
You can explicitly set the API version used to read/write data via [`apiVersion` property](#linked-service-properties) in linked service. When copying data to Salesforce Service Cloud, the connector uses BULK API 2.0.
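Review bot: typo in the added bullet, "sanbox" should be "sandbox"; the parenthetical also reads better as a lowercase clause: "(a custom domain can be configured in both production and sandbox environments)".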
You can explicitly set the API version used to read/write data via [`apiVersion`
> - The execution user must have the API Only permission. > - Access Token expire time could be changed through session policies instead of the refresh token.
-## Salesforce request limits
+## Salesforce Bulk API 2.0 Limits
-Salesforce has limits for both total API requests and concurrent API requests. Note the following points:
+We use Salesforce Bulk API 2.0 to query and ingest data. In Bulk API 2.0, batches are created for you automatically. You can submit up to **15,000** batches per rolling 24-hour period. If batches exceed the limit, you will see failures.
-- If the number of concurrent requests exceeds the limit, throttling occurs and you see random failures.-- If the total number of requests exceeds the limit, the Salesforce Service Cloud account is blocked for 24 hours.
+In Bulk API 2.0, only ingest jobs consume batches. Query jobs don't. For details, see [How Requests Are Processed in the Bulk API 2.0 Developer Guide](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/how_requests_are_processed.htm).
-You might also receive the "REQUEST_LIMIT_EXCEEDED" error message in both scenarios. For more information, see the "API request limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.218.0.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm).
+For more information, see the "General Limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_bulkapi.htm).
## Get started
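Review bot: the new Bulk API 2.0 limits text drops the REQUEST_LIMIT_EXCEEDED guidance from the removed lines without saying what a user actually sees when the 15,000-batch limit is exceeded; "you will see failures" is too vague for a limits section, so name the error surfaced by the copy activity or link to where Salesforce documents it. The first paragraph also opens with "to query and ingest data" and immediately gives the 15,000-batch figure, while the second paragraph says only ingest jobs consume batches; lead with the ingest-only scope so readers do not take the limit as applying to reads from Salesforce Service Cloud.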
The following properties are supported for the Salesforce Service Cloud linked s
|: |: |: | | type |The type property must be set to **SalesforceServiceCloudV2**. |Yes | | environmentUrl | Specify the URL of the Salesforce Service Cloud instance. <br>For example, specify `"https://<domainName>.my.salesforce.com"` to copy data from the custom domain. Learn how to configure or view your custom domain referring to this [article](https://help.salesforce.com/s/articleView?id=sf.domain_name_setting_login_policy.htm&type=5). |Yes |
+| authenticationType | Type of authentication used to connect to the Salesforce Service Cloud. <br/>The allowed value is **OAuth2ClientCredentials**. | Yes |
| clientId |Specify the client ID of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes | | clientSecret |Specify the client secret of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes |
-| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only support API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
+| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only supports API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. If not specified, it uses the default Azure Integration Runtime. | No | **Example: Store credentials**
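Review bot: in the changed apiVersion row, "To learn about Bulk API 2.0 version, see [article](...)" uses non-descriptive link text and drops the article; use the target page's title as the link text and "for example, `52.0`" rather than "e.g." per the rest of the table. The new authenticationType row says "The allowed value is **OAuth2ClientCredentials**", which matches the JSON examples in this change, so no issue there.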
The following properties are supported for the Salesforce Service Cloud linked s
"type": "SalesforceServiceCloudV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "SecureString",
The following properties are supported for the Salesforce Service Cloud linked s
"type": "SalesforceServiceCloudV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "AzureKeyVaultSecret",
data-factory Connector Salesforce https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce.md
Previously updated : 01/08/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce using Azure Data Factory or Azure Synapse Analytics
For a list of data stores that are supported as sources or sinks, see the [Suppo
Specifically, this Salesforce connector supports: - Salesforce Developer, Professional, Enterprise, or Unlimited editions.-- Copying data from and to custom domain.
+- Copying data from and to custom domain (Custom domain can be configured in both production and sanbox environments).
You can explicitly set the API version used to read/write data via [`apiVersion` property](#linked-service-properties) in linked service. When copying data to Salesforce, the connector uses BULK API 2.0.
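Review bot: "sanbox" in the added bullet should be "sandbox", and the parenthetical should not start with a capital letter mid-sentence: "(a custom domain can be configured in both production and sandbox environments)".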
You can explicitly set the API version used to read/write data via [`apiVersion`
> - The execution user must have the API Only permission. > - Access Token expire time could be changed through session policies instead of the refresh token.
-## Salesforce request limits
+## Salesforce Bulk API 2.0 Limits
-Salesforce has limits for both total API requests and concurrent API requests. Note the following points:
+We use Salesforce Bulk API 2.0 to query and ingest data. In Bulk API 2.0, batches are created for you automatically. You can submit up to **15,000** batches per rolling 24-hour period. If batches exceed the limit, you will see failures.
-- If the number of concurrent requests exceeds the limit, throttling occurs and you see random failures.-- If the total number of requests exceeds the limit, the Salesforce account is blocked for 24 hours.
+In Bulk API 2.0, only ingest jobs consume batches. Query jobs don't. For details, see [How Requests Are Processed in the Bulk API 2.0 Developer Guide](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/how_requests_are_processed.htm).
-You might also receive the "REQUEST_LIMIT_EXCEEDED" error message in both scenarios. For more information, see the "API request limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.218.0.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm).
+For more information, see the "General Limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_bulkapi.htm).
## Get started
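Review bot: replacing the request-limits section removes the only mention of the REQUEST_LIMIT_EXCEEDED error and the 24-hour block behaviour without stating what failure the 15,000-batch limit produces; "If batches exceed the limit, you will see failures" should name the error or point to its Salesforce documentation. Since the second paragraph says query jobs do not consume batches, state in the first sentence that the batch limit applies only to copies into Salesforce (ingest jobs).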
The following properties are supported for the Salesforce linked service.
|: |: |: | | type |The type property must be set to **SalesforceV2**. |Yes | | environmentUrl | Specify the URL of the Salesforce instance. <br>For example, specify `"https://<domainName>.my.salesforce.com"` to copy data from the custom domain. Learn how to configure or view your custom domain referring to this [article](https://help.salesforce.com/s/articleView?id=sf.domain_name_setting_login_policy.htm&type=5). |Yes |
+| authenticationType | Type of authentication used to connect to the Salesforce. <br/>The allowed value is **OAuth2ClientCredentials**. | Yes |
| clientId |Specify the client ID of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes | | clientSecret |Specify the client secret of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes |
-| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only support API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
+| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only supports API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. If not specified, it uses the default Azure Integration Runtime. | No | **Example: Store credentials**
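Review bot: the apiVersion row fixes "support" to "supports" but keeps "see [article](...)" as link text and "e.g." instead of "for example"; both are against the style used elsewhere in this table, so use the linked page's title as the link text.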
The following properties are supported for the Salesforce linked service.
"type": "SalesforceV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "SecureString",
The following properties are supported for the Salesforce linked service.
"type": "SalesforceV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "AzureKeyVaultSecret",
Note that by doing so, you will no longer be able to use the UI to edit settings
"type": "LinkedServiceReference" }, },
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": { "type": "AzureKeyVaultSecret", "secretName": "<secret name of client ID in AKV>",
data-factory Connector Troubleshoot Google Ads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-troubleshoot-google-ads.md
+
+ Title: Troubleshoot the Google Ads connector
+
+description: Learn how to troubleshoot issues with the Google Ads connector in Azure Data Factory and Azure Synapse Analytics.
++++ Last updated : 01/19/2024++++
+# Troubleshoot the Google Ads connector in Azure Data Factory and Azure Synapse
++
+This article provides suggestions to troubleshoot common problems with the Google Ads connector in Azure Data Factory and Azure Synapse.
+
+## Error code: DeprecatedGoogleAdsLegacyDriverVersion
+
+- **Message**: `The Google Ads connectorΓÇÖs legacy driver has been deprecated. To ensure your pipeline works, please upgrade the driver version of Google Ads linked service. Detailed instructions can be found in this documentation: https://learn.microsoft.com/azure/data-factory/connector-google-adwords?tabs=data-factory#upgrade-the-google-ads-driver-version`
+
+- **Cause**: Your pipeline is still running on a legacy Google Ads connector's driver.
+
+- **Resolution**: Upgrade your Google Ads linked service's driver version to the Recommended version. Refer to this [article](connector-google-adwords.md#upgrade-the-google-ads-driver-version).
+
+
+## Error code: DeprecatedGoogleAdWordsOdbcConnector
+
+- **Message**: `The Google AdWords connector has been deprecated. To ensure your pipeline works, please create a new Google Ads linked service. Detailed instructions can be found in this documentation: https://learn.microsoft.com/azure/data-factory/connector-google-adwords#upgrade-google-adwords-connector-to-google-ads-connector`
+
+- **Cause**: Your pipeline is still running on a deprecated Google AdWords connector.
+
+- **Resolution**: Create a new Google Ads linked service. Refer to this [article](connector-google-adwords.md#upgrade-google-adwords-connector-to-google-ads-connector).
+
+## Related content
+
+For more troubleshooting help, try these resources:
+
+- [Connector troubleshooting guide](connector-troubleshoot-guide.md)
+- [Data Factory blog](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/bg-p/AzureDataFactoryBlog)
+- [Data Factory feature requests](/answers/topics/azure-data-factory.html)
+- [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory)
+- [Microsoft Q&A page](/answers/topics/azure-data-factory.html)
+- [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)
+- [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)
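Review bot: in the Related content list, "Data Factory feature requests" and "Microsoft Q&A page" both link to /answers/topics/azure-data-factory.html, so one of the two entries has the wrong target or is a duplicate. In both Resolution bullets, "Refer to this [article](...)" is non-descriptive link text; name the linked section instead, and "Recommended" needs no capital unless it is the literal UI label.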
data-factory Copy Activity Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/copy-activity-performance.md
- Last updated 10/20/2023
data-factory Data Flow Sink https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-flow-sink.md
Mapping data flow follows an extract, load, and transform (ELT) approach and wor
| [Dataverse](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô | | [Dynamics 365](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô | | [Dynamics CRM](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |
+| [Fabric Lakehouse](connector-microsoft-fabric-lakehouse.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |
| [SFTP](connector-sftp.md#mapping-data-flow-properties) | [Avro](format-avro.md#mapping-data-flow-properties) <br>[Delimited text](format-delimited-text.md#mapping-data-flow-properties) <br>[JSON](format-json.md#mapping-data-flow-properties) <br/>[ORC](format-orc.md#mapping-data-flow-properties)<br>[Parquet](format-parquet.md#mapping-data-flow-properties) | Γ£ô/Γ£ô <br>Γ£ô/Γ£ô <br>Γ£ô/Γ£ô <br>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô| | [Snowflake](connector-snowflake.md) | | Γ£ô/Γ£ô | | [SQL Server](connector-sql-server.md) | | Γ£ô/Γ£ô |
data-factory Format Delta https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/format-delta.md
The below table lists the properties supported by a delta sink. You can edit the
| Format | Format must be `delta` | yes | `delta` | format | | File system | The container/file system of the delta lake | yes | String | fileSystem | | Folder path | The directory of the delta lake | yes | String | folderPath |
-| Compression type | The compression type of the delta table | no | `bzip2`<br>`gzip`<br>`deflate`<br>`ZipDeflate`<br>`snappy`<br>`lz4` | compressionType |
+| Compression type | The compression type of the delta table | no | `bzip2`<br>`gzip`<br>`deflate`<br>`ZipDeflate`<br>`snappy`<br>`lz4`<br>`TarGZip`<br>`tar` | compressionType |
| Compression level | Choose whether the compression completes as quickly as possible or if the resulting file should be optimally compressed. | required if `compressedType` is specified. | `Optimal` or `Fastest` | compressionLevel | | Vacuum | Deletes files older than the specified duration that is no longer relevant to the current table version. When a value of 0 or less is specified, the vacuum operation isn't performed. | yes | Integer | vacuum | | Table action | Tells ADF what to do with the target Delta table in your sink. You can leave it as-is and append new rows, overwrite the existing table definition and data with new metadata and data, or keep the existing table structure but first truncate all rows, then insert the new rows. | no | None, Truncate, Overwrite | deltaTruncate, overwrite |
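Review bot: the Compression level row immediately below the changed row says "required if `compressedType` is specified", but the property name in the changed row is `compressionType`; since this table is being touched, correct the reference so both rows use the same property name.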
data-factory Iterative Development Debugging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/iterative-development-debugging.md
-
data-factory Solution Template Extract Data From Pdf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-extract-data-from-pdf.md
This article describes a solution template that you can use to extract data from
## About this solution template
-This template analyzes data from a PDF URL source using two Azure AI Document Intelligence calls. Then, it transforms the output to readable tables in a dataflow and outputs the data to a storage sink.
+This template analyzes data from a PDF URL source using two Azure AI Document Intelligence calls. Then, it transforms the output to readable tables in a dataflow and outputs the data to a storage sink.
This template contains two activities: -- **Web Activity** to call Azure AI Document Intelligence's layout model API
+- **Web Activity** to call Azure AI Document Intelligence's prebuilt read model API
- **Data flow** to transform extracted data from PDF
-This template defines 4 parameters:
-- *FormRecognizerURL* is the Azure AI Document Intelligence URL ("https://{endpoint}/formrecognizer/v2.1/layout/analyze"). Replace {endpoint} with the endpoint that you obtained with your Azure AI Document Intelligence subscription. You need to replace the default value with your own URL.-- *FormRecognizerKey* is the Azure AI Document Intelligence subscription key. You need to replace the default value with your own subscription key.-- *PDF_SourceURL* is the URL of your PDF source. You need to replace the default value with your own URL. -- *outputFolder* is the name of the folder path where you want your files to be in your destination store. You need to replace the default value with your own folder path.
+This template defines five parameters:
+- *CognitiveServicesURL* is the Azure AI Document Intelligence URL ("https://{endpoint}/formrecognizer/v2.1/layout/analyze"). Replace {endpoint} with the endpoint that you obtained with your Azure AI Document Intelligence subscription. You need to replace the default value with your own URL.
+- *CognitiveServicesKey* is the Azure AI Document Intelligence subscription key. You need to replace the default value with your own subscription key.
+- *PDF_SourceURL* is the URL of your PDF source. You need to replace the default value with your own URL.
+- *OutputContainer* is the name of the container path where you want your files to be in your destination store. You need to replace the default value with your own container.
+- *OutputFolder* is the name of the folder path where you want your files to be in your destination store. You need to replace the default value with your own folder path.
## Prerequisites
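Review bot: the updated Web Activity bullet says the template calls the prebuilt read model API, but the renamed CognitiveServicesURL parameter in the same hunk still documents the layout endpoint ("https://{endpoint}/formrecognizer/v2.1/layout/analyze"); one of the two is wrong, so either point the URL at the endpoint the template actually calls or keep "layout model API" in the bullet. The OutputContainer and OutputFolder bullets also use near-identical wording ("the name of the ... path where you want your files to be"); say what the container is versus the folder inside it.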
This template defines 4 parameters:
1. Go to template **Extract data from PDF**. Create a **New** connection to your Azure AI Document Intelligence resource or choose an existing connection.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-1.png" alt-text="Screenshot of how to create a new connection or select an existing connection from a drop down menu to Azure AI Document Intelligence in template set up.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-1.png" alt-text="Screenshot of how to create a new connection or select an existing connection from a drop-down menu to an Azure AI Document Intelligence connection in template set-up.":::
- In your connection to Azure AI Document Intelligence, make sure to add a **Linked service Parameter**. You will need to use this parameter as your dynamic **Base URL**.
+ In your connection to Azure AI Document Intelligence, make sure to add a **Linked service Parameter**. You'll need to use this **url** parameter as your dynamic **Base URL**.
+ You will also need to add a new **Auth header** under **Auth headers**. The name should be **Ocp-Apim-Subscription-Key** and the value should be the key value you find from your Azure Resource.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-9.png" alt-text="Screenshot of where to add your Azure AI Document Intelligence linked service parameter.":::
-
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-8.png" alt-text="Screenshot of the linked service base URL that references the linked service parameter.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-3.png" alt-text="Screenshot of the linked service base URL that references the linked service parameter and Auth headers to add.":::
-2. Create a **New** connection to your destination storage store or choose an existing connection.
+3. Create a **New** connection to your destination storage store or choose an existing connection. The chosen destination is where the extracted PDF data is stored.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-2.png" alt-text="Screenshot of how to create a new connection or select existing connection from a drop down menu to your sink in template set up.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-4.png" alt-text="Screenshot of how to create a new connection or select existing connection from a drop-down menu to your sink in template set-up.":::
-3. Select **Use this template**.
+4. Select **Use this template**.
+
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-5.png" alt-text="Screenshot of how to complete the template by clicking use this template at the bottom of the screen.":::
+
+5. You should see the following pipeline.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-3.png" alt-text="Screenshot of how to complete the template by clicking use this template at the bottom of the screen.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-6.png" alt-text="Screenshot of pipeline view with web activity linking to a dataflow activity.":::
-4. You should see the following pipeline:
+6. Navigate to the **Data flow** activity and find **Settings**. Here you need to add dynamic content for your linked service **url** parameter. After clicking **Add dynamic content**, the Pipeline expression builder will open. Select **Cognitive Services - POST activity output**. Then, type or copy and paste ".output.ADFWebActivityResponseHeaders['Operation-Location']." You should see the following expression in your expression builder.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-4.png" alt-text="Screenshot of pipeline view with web activity linking to a dataflow activity.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-7.png" alt-text="Screenshot of pipeline view of the dataflow activity settings.":::
-5. Select **Debug**.
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-7.png" alt-text="Screenshot of the Pipeline expression builder with the dataflow dynamic content displayed.":::
+
+8. Click **OK** to return back to the pipeline.
+
+9. Next, select **Debug**.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-5.png" alt-text="Screenshot of how to Debug pipeline using the debug button on the top banner of the screen.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-9.png" alt-text="Screenshot of how to Debug pipeline using the debug button on the top banner of the screen.":::
-6. Enter parameter values, review results, and publish.
+10. Enter parameter values, review results, and publish.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-6.png" alt-text="Screesnhot of where to enter pipeline debug parameters on a panel to the right.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-10.png" alt-text="Screesnhot of where to enter pipeline debug parameters on a panel to the right.":::
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-7.png" alt-text="Screenshot of the results that return when the pipeline is triggered.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-11.png" alt-text="Screenshot of the results that return when the pipeline is triggered.":::
## Related content - [What's New in Azure Data Factory](whats-new.md)
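Review bot: the renumbered steps skip 2 (step 1 is followed by 3) and 7 (6 is followed by 8); renumber so they run consecutively or restore the missing steps. In the step 6 region, extract-data-from-pdf-7.png is referenced twice with different alt text (the data flow settings view and the expression builder), so one of the two file names is wrong. The expression to paste should be shown as code, `.output.ADFWebActivityResponseHeaders['Operation-Location']`, without the trailing period inside the quotation marks, and the alt text for extract-data-from-pdf-10.png carries over the "Screesnhot" typo from the removed line.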
data-factory Tutorial Bulk Copy Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-bulk-copy-portal.md
- Last updated 08/10/2023
data-factory Tutorial Control Flow Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-control-flow-portal.md
Title: Branching and chaining activities in a pipeline using Azure portal
+ Title: Copy data and send email notifications on success and failure
description: Learn how to control flow of data in Azure Data Factory pipeline by using the Azure portal.
Last updated 10/20/2023
-# Branching and chaining activities in an Azure Data Factory pipeline using the Azure portal
+# Copy data and send email notifications on success and failure
[!INCLUDE[appliesto-adf-xxx-md](includes/appliesto-adf-xxx-md.md)]
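Review bot: the title and H1 change to "Copy data and send email notifications on success and failure", but the unchanged description line still reads "Learn how to control flow of data in Azure Data Factory pipeline by using the Azure portal"; update it to match the new title and add the missing article ("in an Azure Data Factory pipeline").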
ddos-protection Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/alerts.md
- Last updated 08/07/2023
ddos-protection Ddos Configure Log Analytics Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-configure-log-analytics-workspace.md
- Last updated 08/07/2023
ddos-protection Ddos Diagnostic Alert Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-diagnostic-alert-templates.md
- Last updated 08/07/2023
ddos-protection Ddos Disaster Recovery Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-disaster-recovery-guidance.md
description: Learn what to do in the event of an Azure service disruption impact
- Last updated 11/06/2023
ddos-protection Ddos Pricing Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-pricing-guide.md
- Last updated 07/19/2023
ddos-protection Ddos Protection Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-features.md
- Last updated 11/06/2023
ddos-protection Ddos Protection Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-overview.md
- Last updated 11/08/2023
ddos-protection Ddos Protection Reference Architectures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-reference-architectures.md
- Last updated 06/15/2023
ddos-protection Ddos Rapid Response https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-rapid-response.md
- Last updated 11/06/2023
ddos-protection Ddos Response Strategy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-response-strategy.md
- Last updated 06/01/2023
ddos-protection Ddos View Alerts Defender For Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-view-alerts-defender-for-cloud.md
- Last updated 08/08/2023
In this tutorial you learned how to view DDoS protection alerts in Microsoft Def
> [!div class="nextstepaction"] > [Engage with Azure DDoS Rapid Response](ddos-rapid-response.md)
-> [components of a DDoS Rapid Response Strategy](ddos-response-strategy.md)
+> [components of a DDoS Rapid Response Strategy](ddos-response-strategy.md)
ddos-protection Ddos View Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-view-diagnostic-logs.md
- Last updated 08/08/2023
ddos-protection Diagnostic Logging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/diagnostic-logging.md
- Last updated 08/07/2023
ddos-protection Fundamental Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/fundamental-best-practices.md
- Last updated 10/06/2023
ddos-protection Inline Protection Glb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/inline-protection-glb.md
- Last updated 11/06/2023
ddos-protection Manage Ddos Ip Protection Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-cli.md
description: Learn how to create Azure DDoS IP Protection using Azure CLI
-+ Last updated 04/04/2023-
ddos-protection Manage Ddos Ip Protection Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-portal.md
Title: 'Quickstart: Create and configure Azure DDoS IP Protection - Azure portal'
-description: Learn how to use Azure DDoS IP Protection to mitigate an attack.
+description: Learn how to use Azure DDoS IP Protection to mitigate an attack.
-+ Last updated 06/22/2023--
-# Customer intent As an IT admin, I want to learn how to enable DDoS IP Protection on my public IP address.
+ # Quickstart: Create and configure Azure DDoS IP Protection using Azure portal
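Review bot: the added H1 line has a leading space before "# Quickstart", which the removed line did not have and which can stop Markdown from rendering it as a heading; remove the space. Deleting the "# Customer intent" line also removes the only statement of the page's intent; if it was meant as metadata, move it into the front matter rather than dropping it.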
ddos-protection Manage Ddos Ip Protection Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-template.md
- Last updated 03/08/2023
ddos-protection Manage Ddos Protection Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-bicep.md
- Last updated 10/12/2022
ddos-protection Manage Ddos Protection Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-cli.md
- Last updated 05/23/2023
ddos-protection Manage Ddos Protection Powershell Ip https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-powershell-ip.md
Last updated 04/04/2023-
ddos-protection Manage Ddos Protection Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-powershell.md
- Last updated 05/23/2023
ddos-protection Manage Ddos Protection Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-template.md
- Last updated 11/06/2023
ddos-protection Manage Ddos Protection Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-terraform.md
description: In this article, you create and configure Azure DDoS Network Protec
- Last updated 4/14/2023
ddos-protection Manage Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-permissions.md
- Last updated 11/06/2023
ddos-protection Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/policy-reference.md
description: Lists Azure Policy built-in policy definitions for Azure DDoS Prote
- Last updated 02/06/2024
ddos-protection Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/telemetry.md
- Last updated 11/06/2023
ddos-protection Test Through Simulations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/test-through-simulations.md
- Last updated 11/07/2023
ddos-protection Types Of Attacks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/types-of-attacks.md
- Last updated 12/07/2023
dedicated-hsm Deployment Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/deployment-architecture.md
- Last updated 06/03/2022
dedicated-hsm High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/high-availability.md
- Last updated 03/25/2021
dedicated-hsm Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/monitoring.md
- Last updated 11/14/2022
dedicated-hsm Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/networking.md
- Last updated 03/25/2021
dedicated-hsm Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/overview.md
tags: azure-resource-manager - Last updated 03/25/2021
dedicated-hsm Physical Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/physical-security.md
- Last updated 03/25/2021
dedicated-hsm Supportability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/supportability.md
- Last updated 03/25/2021
dedicated-hsm Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/troubleshoot.md
tags: azure-resource-manager - Last updated 05/12/2022
defender-for-cloud Connect Azure Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/connect-azure-subscription.md
Title: Connect your Azure subscriptions description: Learn how to connect your Azure subscriptions to Microsoft Defender for Cloud Previously updated : 01/03/2024 Last updated : 02/08/2024
Microsoft Defender for Cloud is a cloud-native application protection platform (
- A cloud security posture management (CSPM) solution that surfaces actions that you can take to prevent breaches - A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads
-Defender for Cloud includes Foundational CSPM capabilities and access to [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender) for free. You can add additional paid plans to secure all aspects of your cloud resources. To learn more about these plans and their costs, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+Defender for Cloud includes Foundational CSPM capabilities and access to [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender) for free. You can add additional paid plans to secure all aspects of your cloud resources. You can try Defender for Cloud for free for the first 30 days. After 30 days charges begin in accordance with the plans enabled in your environment. To learn more about these plans and their costs, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+
+> [!IMPORTANT]
+> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
Defender for Cloud helps you find and fix security vulnerabilities. Defender for Cloud also applies access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
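Review bot: the added trial sentence on the `+Defender for Cloud includes ...` line needs a comma ("After 30 days, charges begin ...") and the IMPORTANT callout needs the compound adjective hyphenated ("the first 30-day trial"). The same callout text is also added verbatim to defender-for-storage-introduction.md and defender-for-storage-malware-scan.md in this batch; moving it into a shared include file would keep the three copies from drifting the next time the pricing wording changes.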
defender-for-cloud Defender For Storage Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-introduction.md
Title: Microsoft Defender for Storage - the benefits and features description: Learn about the benefits and features of Microsoft Defender for Storage. Previously updated : 08/21/2023 Last updated : 02/08/2024
Malware Scanning is charged on a per-gigabyte basis for scanned data. To ensure
By default, the limit is set to 5,000 GB per month per storage account. Once this threshold is exceeded, scanning will cease for the remaining blobs, with a 20-GB confidence interval. For configuration details, refer to [configure Defender for Storage](../storage/common/azure-defender-storage-configure.md).
+> [!IMPORTANT]
+> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+ ### Enablement at scale with granular controls Microsoft Defender for Storage enables you to secure your data at scale with granular controls. You can apply consistent security policies across all your storage accounts within a subscription or customize them for specific accounts to suit your business needs. You can also control your costs by choosing the level of protection you need for each resource. To get started, visit [enable Defender for Storage](../storage/common/azure-defender-storage-configure.md).
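Review bot: the new IMPORTANT callout sits directly between the cap paragraph and the `+ ### Enablement at scale with granular controls` heading, and that heading runs straight into its paragraph; add a blank line on each side of the callout and after the heading so both render. This article also describes the cap overrun as "a 20-GB confidence interval" while the malware-scan article in the same batch says "up to a 20-GB deviation"; use one phrase for the same behaviour. Same hyphenation fix as in connect-azure-subscription.md: "the first 30-day trial".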
defender-for-cloud Defender For Storage Malware Scan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-malware-scan.md
Title: Malware scanning in Microsoft Defender for Storage description: Learn about the benefits and features of malware scanning in Microsoft Defender for Storage. Previously updated : 09/10/2023 Last updated : 02/08/2024
Learn more about [setting up logging for malware scanning](advanced-configuratio
Malware scanning is billed per GB scanned. To provide cost predictability, Malware Scanning supports setting a cap on the amount of GB scanned in a single month per storage account.
+> [!IMPORTANT]
+> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+ The "capping" mechanism is designed to set a monthly scanning limit, measured in gigabytes (GB), for each storage account, serving as an effective cost control. If a predefined scanning limit is established for a storage account in a single calendar month, the scanning operation would automatically halt once this threshold is reached (with up to a 20-GB deviation), and files wouldn't be scanned for malware. Updating the cap typically takes up to an hour to take effect. By default, a limit of 5 TB (5,000 GB) is established if no specific capping mechanism is defined.
By default, a limit of 5 TB (5,000 GB) is established if no specific capping mec
Follow [these steps](tutorial-enable-storage-plan.md#set-up-and-configure-microsoft-defender-for-storage) to configure the capping mechanism.
+## Additional costs of malware scanning
+
+Malware scanning uses other Azure services as its foundation. This means that when you enable Malware scanning, you will also be charged for the Azure services that it requires. These services include Azure Storage read operations, Azure Storage blob indexing and Azure Event Grid notifications.
+ ## Handling possible false positives and false negatives If you have a file that you suspect might be malware but isn't being detected (false negative) or is being incorrectly detected (false positive), you can submit it to us for analysis through the [sample submission portal](/microsoft-365/security/intelligence/submission-guide). Select ΓÇ£Microsoft Defender for StorageΓÇ¥ as the source.
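Review bot: the added capping paragraph (`+ The "capping" mechanism ...`) ends with "By default, a limit of 5 TB (5,000 GB) is established if no specific capping mechanism is defined.", and the unchanged line right after it opens with that same sentence, so the default-cap statement now appears twice in a row; drop one copy. Capitalisation is mixed as well: the existing text says "Malware Scanning supports", while the new "Additional costs" section says "Malware scanning uses" and "enable Malware scanning"; pick one form for the feature name. And "the first 30 day trial" should read "the first 30-day trial".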
defender-for-cloud Prepare Deprecation Log Analytics Mma Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent.md
+
+ Title: Prepare for retirement of the Log Analytics agent
+description: Learn how to prepare for the deprecation of the Log Analytics (MMA) agent in Microsoft Defender for Cloud
+++ Last updated : 02/08/2024++
+# Prepare for retirement of the Log Analytics agent
+
+The Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), [will retire in August 2024](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341). As a result, the Defender for Servers and Defender for SQL on machines plans in Microsoft Defender for Cloud will be updated, and features that rely on the Log Analytics agent will be redesigned.
+
+This article summarizes plans for agent retirement.
+
+## Preparing Defender for Servers
+
+The Defender for Servers plan uses the Log Analytics agent in general availability (GA) and in AMA for [some features](plan-defender-for-servers-agents.md) (in preview). Here's what's happening with these features going forward:
+
+To simplify onboarding, all Defender for Servers security features and capabilities will be provided with a single agent ([Microsoft Defender for Endpoint (MDE))](integration-defender-for-endpoint.md), complemented by [agentless machine scanning](concept-agentless-data-collection.md), without any dependency on Log Analytics agent or AMA. Note that: 
+
+- Defender for Servers features, which are based on AMA, are currently in preview and wonΓÇÖt be released in GA.ΓÇ»
+- Features in preview that rely on AMA will remain supported until an alternative version of the feature is provided, based on Defender for Endpoint integration or agentless machine scanning.
+- By enabling Defender for Endpoint integration and agentless machine scanning early, your Defender for Servers deployment stays up to date and supported.
+
+### Feature functionality
+
+The following table summarizes how Defender for Servers features will be provided. Most features are already generally available using Defender for Endpoint integration or agentless machine scanning. The rest of the features will either be available in GA by the time the MMA is retired, or will be deprecated.
+
+| Feature | Current support | New support | New experience status |
+|-|-|-|-|
+| Microsoft Defender for Endpoint (MDE) integration for down-level Windows machines (Windows Server 2016/2012 R2) | Legacy Defender for Endpoint sensor, based on the Log Analytics agent | [Unified agent integration](/microsoft-365/security/defender-endpoint/configure-server-endpoints) | - Functionality with the unified agent is GA.<br/>- Functionality with the legacy Defender for Endpoint sensor using the Log Analytics agent will be deprecated in August 2024. |
+| OS-level threat detection | Log Analytics agent | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent is GA. |
+| Adaptive application controls | Log Analytics agent (GA), AMA (Preview) | | The adaptive application control feature will be deprecated in August 2024. |
+| Endpoint protection discovery recommendations | Recommendations available in foundational CSPM and Defender for Servers, using the Log Analytics agent (GA), AMA (Preview)ΓÇ»| Agentless machine scanning | - Functionality with agentless machine scanning will be released to preview in February 2024 as part of Defender for Servers Plan 2 and the Defender CSPM plan.<br/>- Azure VMs, GCP instances, and AWS instances will be supported. On-premises machines wonΓÇÖt be supported. |
+| Missing OS update recommendation | Recommendations available in foundational CSPM and Defender for Servers using the Log Analytics agent. | Integration with Update Manager, Microsoft | New recommendations based on Azure Update Manager integration [are GA](release-notes-archive.md#two-recommendations-related-to-missing-operating-system-os-updates-were-released-to-ga), with no agent dependencies. |
+| OS misconfigurations (Microsoft Cloud Security Benchmark) | Recommendations available in foundational CSPM and Defender for Servers using the Log Analytics agent, Guest Configuration agent (Preview). | Microsoft Defender Vulnerability Management premium, as part of Defender for Servers Plan 2. | - Functionality based on integration with Microsoft Defender Vulnerability Management premium will be available in preview around April 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in August 2024<br/>- Functionality with Guest Configuration agent (Preview) will deprecate when the Microsoft Defender Vulnerability Management is available.<br/>- Support of this feature for Docker-hub and VMMS will be deprecated in Aug 2024. |
+| File integrity monitoring | Log Analytics agent, AMA (Preview) | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent will be available around April 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in August 2024.<br/>- Functionality with AMA will deprecate when the Defender for Endpoint integration is released. |
+
+The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion over the defined tables will remain supported via the AMA agent for the machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it.
+Learn more about how to [deploy AMA](/azure/azure-monitor/vm/monitor-virtual-machine-agent#agent-deployment-options).
+
+For SQL servers on machines, we recommend to [migrate to SQL server-targeted Azure Monitoring Agent's (AMA) autoprovisioning process](defender-for-sql-autoprovisioning.md).
+
+### Endpoint protection recommendations experience
+
+Endpoint discovery and recommendations are currently provided by Defender for Cloud foundational CSPM and the Defender for Servers plan using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning.ΓÇ»
+
+Endpoint protection recommendations are constructed in two stages. The first stage is [EDR discovery](#edr-discovery) of an endpoint detection and response (EDR) solution. The second isΓÇ»[assessment](#edr-configuration-assessment) of the solutionΓÇÖs configuration. The following tables provide details of the current and new experiences for each stage.
+
+#### EDR discovery
+
+| Area | Current experience (based on AMA/MMA)| New experience (based on agentless machine scanning) |
+|-|-|-|
+|**What's needed to classify a resource as healthy?** | An anti-virus is in place. | An endpoint detection and response solution is in place. |
+| **What's needed to get the recommendation?** | Log Analytics agent | Agentless machine scanning |
+| **What plans are supported?** | - Foundational CSPM (free)<br/>- Defender for Servers Plan 1 and Plan 2 |- Defender CSPM<br/>- Defender for Servers Plan 2 |
+|**What fix is available?** | Install Microsoft anti-malware. | Install Defender for Endpoint on selected machines/subscriptions. |
+
+#### EDR configuration assessment
+
+| Area | Current experience (based on AMA/MMA)| New experience (based on agentless machine scanning) |
+|-|-|-|
+| Resources are classified as unhealthy if one or more of the security checks arenΓÇÖt healthy. | Three security checks:<br/>- Real time protection is off<br/>- Signatures are out of date.<br/>- Both quick scan and full scan haven't run for seven days. | Three security checks:<br/>- Anti-virus is off or partially configured<br/>- Signatures are out of date<br/>- Both quick scan and full scan haven't run for seven days. |
+| Prerequisites to get the recommendation | An anti-malware solution in place | An endpoint detection and response (EDR) solution in place. |
+
+#### Which recommendations are being deprecated?
+
+The following table summarizes the timetable for recommendations being deprecated and replaced.
+
+| Recommendation | Agent | Supported resources | Deprecation date | Replacement recommendation |
+|-|-|-|-|-|
+| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MM#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MM#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection health failures on virtual machine scale sets should be resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/e71020c2-860c-3235-cd39-04f3f8c936d2) | MMA | VMSS | August 2024 | No replacement |
+| [Endpoint protection solution should be installed on virtual machine scale sets](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/21300918-b2e3-0346-785f-c77ff57d243b) | MMA | VMSS | August 2024 | No replacement |
+| [Endpoint protection solution should be on machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee) | MMA | Non-Azure resources (Windows)| August 2024 | No replacement |
+| [Install endpoint protection solution on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/83f577bd-a1b6-b7e1-0891-12ca19d1e6df) | MMA | Azure and non-Azure (Windows) | August 2024 | [New agentless recommendation](upcoming-changes.md#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection health issues on machines should be resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a) | MMA | Azure and non-Azure (Windows and Linux) | August 2024 | [New agentless recommendation](upcoming-changes.md#changes-in-endpoint-protection-recommendations). |
+
+The [new recommendations](upcoming-changes.md#changes-in-endpoint-protection-recommendations) experience based on agentless machine scanning will support both Windows and Linux OS across multicloud machines.
+
+#### How will the replacement work?
+
+- Current recommendations provided by the Log Analytics Agent or the AMA will be deprecated over time.
+- Some of these existing recommendations will be replaced by new recommendations based on agentless machine scanning.
+- Recommendations currently in GA will remain in place until the Log Analytics agent retires.
+- Recommendations that are currently in preview will be replaced when the new recommendation is available in preview.
+
+#### What's happening with secure score?
+
+- Recommendations that are currently in GA will continue to impact secure score.ΓÇ»
+- Current and upcoming new recommendations are located under the same Microsoft Cloud Security Benchmark control. This ensures that thereΓÇÖs no duplicate impact on secure score.
+
+#### How do I prepare for the new recommendations?
+
+- Ensure that [agentless machine scanning is enabled](enable-agentless-scanning-vms.md) as part of Defender for Servers Plan 2 or Defender CSPM.
+- If suitable for your environment, for best experience we recommend that you remove deprecated recommendations when the replacement GA recommendation becomes available. To do that, disable the recommendation in the [built-in Defender for Cloud initiative in Azure Policy](policy-reference.md).
+
+## Preparing Defender for SQL on Machines
+
+You can learn more about the [Defender for SQL Server on machines Log Analytics agent's deprecation plan](upcoming-changes.md#defender-for-sql-server-on-machines).
+
+If you're using the current Log Analytics agent/Azure Monitor agent autoprovisioning process, you should migrate to the new Azure Monitoring Agent for SQL Server on machines autoprovisioning process. The migration process is seamless and provides continuous protection for all machines.
+
+### Migrate to the SQL server-targeted AMA autoprovisioning process
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and select **Microsoft Defender for Cloud**.
+1. In the Defender for Cloud menu, select **Environment settings**.
+1. Select the relevant subscription.
+1. Under the Databases plan, select **Action required**.
+
+ :::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/select-action-required.png" alt-text="Screenshot that shows where to select Action required." lightbox="media/prepare-deprecation-log-analytics-mma-agent/select-action-required.png":::
+
+1. In the pop-up window, select **Enable**.
+
+ :::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/select-enable-sql.png" alt-text="Screenshot that shows selecting enable from popup window." lightbox="media/prepare-deprecation-log-analytics-mma-agent/select-enable-sql.png":::
+
+1. Select **Save**.
+
+Once the SQL server-targeted AMA autoprovisioning process has been enabled, you should disable the Log Analytics agent/Azure Monitor agent autoprovisioning process and uninstall the MMA on all SQL servers:
+
+To disable the Log Analytics agent:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and select **Microsoft Defender for Cloud**.
+1. In the Defender for Cloud menu, select **Environment settings**.
+1. Select the relevant subscription.
+1. Under the Database plan, select **Settings**.
+1. Toggle the Log Analytics agent to **Off**.
+
+ :::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/toggle-log-analytics-off.png" alt-text="Screenshot that shows toggling Log Analytics to Off." lightbox="media/prepare-deprecation-log-analytics-mma-agent/toggle-log-analytics-off.png":::
+
+1. Select **Continue**.
+1. Select **Save**.
+
+## Migration planning
+
+We recommend you plan agent migration in accordance with your business requirements. The table summarizes our guidance.
+
+| **Are you using Defender for Servers?** | **Are these Defender for Servers features required in GA: file integrity monitoring, endpoint protection recommendations, security baseline recommendations?** | **Are you using Defender for SQL servers on machines or AMA log collection?** | **Migration plan** |
+|-|-|-|-|
+| Yes | Yes | No | 1. Enable [Defender for Endpoint (MDE) integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. Wait for GA of all features with the alternative's platform (you can use preview version earlier).<br/>3. Once features are GA, disable the [Log Analytics agent](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent).
+| No | | No | You can remove the Log Analytics agent now. |
+| No | | Yes | 1. You can [migrate to SQL autoprovisioning for AMA](defender-for-sql-autoprovisioning.md) now.<br/>2. [Disable](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent) Log Analytics/Azure Monitor Agent. |
+| Yes | Yes | Yes | 1. Enable [Defender for Endpoint integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. You can use the Log Analytics agent and AMA side-by-side to get all features in GA. [Learn more](auto-deploy-azure-monitoring-agent.md#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) about running agents side-by-side.<br>3. Migrate to [SQL autoprovisioning for AMA](defender-for-sql-autoprovisioning.md) in Defender for SQL on machines. Alternatively, start the migration from Log Analytics agent to AMA in April 2024.<br/>4. Once the migration is finished, [disable](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent) the Log Analytics agent. |
+| Yes | No | Yes | 1. Enable [Defender for Endpoint (MDE) integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. You can migrate to [SQL autoprovisioning for AMA](defender-for-sql-autoprovisioning.md) in Defender for SQL on machines now.<br/>3. [Disable](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent) the Log Analytics agent. |
+
+## Next steps
+
+See the [upcoming changes for the Defender for Cloud plan and strategy for the Log Analytics agent deprecation](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).
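Review bot: the first two rows of the table under "Which recommendations are being deprecated?" are truncated: `| [Endpoint protection should be installed on your machines](...) (public) | MM#changes-in-endpoint-protection-recommendations) |` has two cells in a five-column table, and `MM#changes-...` looks like the remains of "MMA/AMA | ... | March 2024 | [New agentless recommendation](upcoming-changes.md#changes-in-endpoint-protection-recommendations)". The same two recommendations in upcoming-changes.md (also in this batch) list MMA/AMA and March 2024, so the Agent, Supported resources, Deprecation date and Replacement cells should be restored to match. Smaller points: the link text "([Microsoft Defender for Endpoint (MDE))](integration-defender-for-endpoint.md)" has unbalanced parentheses; "Integration with Update Manager, Microsoft" in the missing-OS-update row reads like a stray edit (the same cell later says "Azure Update Manager"); the file integrity monitoring status cell starts without the "- " that its following items use; the agent is called "Azure Monitor agent" in the 500-MB paragraph but "Azure Monitoring Agent" in the two SQL paragraphs, where "we recommend to migrate" should be "we recommend that you migrate"; and the first data row of the Migration planning table is missing its closing "|".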
defender-for-cloud Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md
Title: Release notes description: This page is updated frequently with the latest updates in Defender for Cloud. Previously updated : 01/25/2024 Last updated : 02/07/2024 # What's new in Microsoft Defender for Cloud?
To learn about *planned* changes that are coming soon to Defender for Cloud, see
If you're looking for items older than six months, you can find them in the [Archive for What's new in Microsoft Defender for Cloud](release-notes-archive.md).
+## February 2024
+
+|Date | Update |
+|-|-|
+| February 8 | [Recommendations released for preview: four recommendations for Azure Stack HCI resource type](#recommendations-released-for-preview-four-recommendations-for-azure-stack-hci-resource-type) |
+
+### Recommendations released for preview: four recommendations for Azure Stack HCI resource type
+
+February 8, 2024
+
+We have added four new recommendations for Azure Stack HCI as a new resource type that can be managed through Microsoft Defender for Cloud. These new recommendations are currently in public preview.
+
+| Recommendation | Description | Severity |
+|-|-|-|
+| [(Preview) Azure Stack HCI servers should meet Secured-core requirements](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f56c47221-b8b7-446e-9ab7-c7c9dc07f0ad)| Ensure that all Azure Stack HCI servers meet the Secured-core requirements. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | Low |
+| [(Preview) Azure Stack HCI servers should have consistently enforced application control policies](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f7384fde3-11b0-4047-acbd-b3cf3cc8ce07) | At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | High |
+| [(Preview) Azure Stack HCI systems should have encrypted volumes](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fae95f12a-b6fd-42e0-805c-6b94b86c9830) | Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | High |
+| [(Preview) Host and VM networking should be protected on Azure Stack HCI systems](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2faee306e7-80b0-46f3-814c-d3d3083ed034) | Protect data on the Azure Stack HCI hostΓÇÖs network and on virtual machine network connections. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | Low |
+
+See the [list of security recommendations](recommendations-reference.md).
+ ## January 2024 |Date | Update |
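Review bot: in the four new recommendation rows the "Related policy" link targets a GenericRecommendationDetailsBlade URL (a recommendation page), while the recommendation name itself links to a PolicyDetailBlade policy definition; confirm the two targets are not swapped, since a reader following "Related policy" expects the policy definition. All four rows also cite the same related policy, "Guest Configuration extension should be installed on machines"; if that is the prerequisite for the checks rather than the policy that defines each recommendation, say so in the column. Minor: the first row has no space before the cell separator after the link.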
defender-for-cloud Upcoming Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md
If you're looking for the latest release notes, you can find them in the [What's
| [Enforcement of Defender CSPM for Premium DevOps Security Capabilities](#enforcement-of-defender-cspm-for-premium-devops-security-value) | January 29, 2024 | March 2024 | | [Update to agentless VM scanning built-in Azure role](#update-to-agentless-vm-scanning-built-in-azure-role) |January 14, 2024 | February 2024 | | [Deprecation of two recommendations related to PCI](#deprecation-of-two-recommendations-related-to-pci) |January 14, 2024 | February 2024 |
-| [Four new recommendations for Azure Stack HCI resource type](#four-new-recommendations-for-azure-stack-hci-resource-type) | January 11, 2024 | February 2024 |
| [Defender for Servers built-in vulnerability assessment (Qualys) retirement path](#defender-for-servers-built-in-vulnerability-assessment-qualys-retirement-path) | January 9, 2024 | May 2024 | | [Retirement of the Defender for Cloud Containers Vulnerability Assessment powered by Qualys](#retirement-of-the-defender-for-cloud-containers-vulnerability-assessment-powered-by-qualys) | January 9, 2023 | March 2024 | | [New version of Defender Agent for Defender for Containers](#new-version-of-defender-agent-for-defender-for-containers) | January 4, 2024 | February 2024 |
These public preview recommendations will be deprecated.
| Recommendation | Agent | Deprecation date | Replacement recommendation | |--|--|--|--|
-| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MMA/AMA | February 2024 | New agentless recommendations. |
-| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MMA/AMA | February 2024 | New agentless recommendations. |
+| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MMA/AMA | March 2024 | New agentless recommendations. |
+| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MMA/AMA | March 2024 | New agentless recommendations. |
The current generally available recommendations will remain supported until August 2024.
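Review bot: both preview rows move from February 2024 to March 2024, but only the two table rows change in this hunk; check that the section's own estimated-date line and the page's summary-table entry for this change carry the same March 2024 date, and that the matching rows in the new prepare-deprecation-log-analytics-mma-agent.md (currently truncated there) say March 2024 as well.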
As part of that deprecation, weΓÇÖll be introducing new agentless endpoint prote
| Endpoint Detection and Response (EDR) configuration issues should be resolved on EC2s | February 2024 | | Endpoint Detection and Response (EDR) configuration issues should be resolved on GCP virtual machines | February 2024 |
+Learn more about the [migration to the updated Endpoint protection recommendations experience](prepare-deprecation-log-analytics-mma-agent.md#endpoint-protection-recommendations-experience).
+ ## Change in pricing for multicloud container threat detection **Announcement date: January 30, 2024**
The following two recommendations related to PCI (Permission Creep Index) are se
- `Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)` - `Over-Provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)`
-## Four new recommendations for Azure Stack HCI resource type
-
-**Announcement date: January 11, 2024**
-
-**Estimated date for change: February 2024**
-
-Azure Stack HCI is set to be a new resource type that can be managed through Microsoft Defender for Cloud. We're adding four recommendations that are specific to the HCI resource type:
-
-| Recommendation | Description | Severity |
-|-|-|-|
-| Azure Stack HCI servers should meet Secured-core requirements | Ensure that all Azure Stack HCI servers meet the Secured-core requirements. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | Low |
-| Azure Stack HCI servers should have consistently enforced application control policies | At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. | High |
-| Azure Stack HCI systems should have encrypted volumes | Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems | High |
-| Host and VM networking should be protected on Azure Stack HCI systems | Protect data on the Azure Stack HCI hostΓÇÖs network and on virtual machine network connections. | Low |
- ## Defender for Servers built-in vulnerability assessment (Qualys) retirement path **Announcement date: January 9, 2024**
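Review bot: The four Azure Stack HCI recommendations are deleted outright with no note saying whether they shipped, were postponed, or were withdrawn, so readers who planned for the "Estimated date for change: February 2024" lose the trail. Suggest keeping a one-line entry in the retired/completed section (for example, "Four new recommendations for Azure Stack HCI resource type: released, see the recommendations reference") rather than removing the section silently; the High-severity items (consistent WDAC enforcement, BitLocker on OS and data volumes) are ones customers will look for.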
defender-for-iot Tutorial Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/tutorial-onboarding.md
Before you can start using your Defender for IoT sensor, you need to onboard you
1. In the **Add outbound allow rules** box, select the **Download endpoint details** link to download a JSON list of the endpoints you must configure as secure endpoints from your sensor.
- Save the downloaded file locally. Use the endpoints listed in the downloaded file to [later in this tutorial](#provision-for-cloud-management) to ensure that your new sensor can successfully connect to Azure.
+ Save the downloaded file locally. Use the endpoints listed in the downloaded file [later in this tutorial](#provision-for-cloud-management) to ensure that your new sensor can successfully connect to Azure.
> [!TIP] > You can also access the list of required endpoints from the **Sites and sensors** page. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).
dns Dns Alerts Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-alerts-metrics.md
- Last updated 11/30/2023
dns Dns For Azure Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-for-azure-services.md
ms.assetid: e9b5eb94-7984-4640-9930-564bb9e82b78
- Last updated 11/30/2023
dns Dns Operations Dnszones Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-dnszones-cli.md
ms.devlang: azurecli - Last updated 11/30/2023-+
dns Dns Operations Dnszones Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-dnszones-portal.md
- Last updated 11/30/2023
dns Dns Operations Dnszones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-dnszones.md
- Last updated 11/30/2023-+
Learn how to [manage record sets and records](dns-operations-recordsets.md) in y
<br> Learn how to [delegate your domain to Azure DNS](dns-domain-delegation.md). <br>
-Review the [Azure DNS PowerShell reference documentation](/powershell/module/Az.dns).
+Review the [Azure DNS PowerShell reference documentation](/powershell/module/Az.dns).
dns Dns Operations Recordsets Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-recordsets-cli.md
ms.devlang: azurecli - Last updated 11/30/2023
dns Dns Operations Recordsets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-recordsets.md
- Last updated 11/30/2023
dns Dns Private Records https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-private-records.md
description: Overview of support for DNS records in Azure Private DNS.
- Last updated 02/07/2024
dns Dns Reverse Dns For Azure Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-reverse-dns-for-azure-services.md
- Last updated 01/10/2024-+
dns Dns Reverse Dns Hosting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-reverse-dns-hosting.md
description: Learn how to use Azure DNS to host the reverse DNS lookup zones for
- Last updated 04/27/2023
dns Dns Reverse Dns Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-reverse-dns-overview.md
- Last updated 04/27/2023
dns Dns Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-sdk.md
ms.assetid: eed99b87-f4d4-4fbf-a926-263f7e30b884
ms.devlang: csharp - Last updated 11/30/2023
dns Dns Zones Records https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-zones-records.md
ms.assetid: be4580d7-aa1b-4b6b-89a3-0991c0cda897
- Last updated 11/21/2023
dns Tutorial Public Dns Zones Child https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/tutorial-public-dns-zones-child.md
ms.assetid: be4580d7-aa1b-4b6b-89a3-0991c0cda897 - Last updated 11/30/2023
event-grid Ensure Tags Exists On New Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/ensure-tags-exists-on-new-virtual-machines.md
- Last updated 07/07/2020
expressroute Expressroute Locations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-locations.md
- Last updated 01/26/2024
expressroute Using Expressroute For Microsoft Pstn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/using-expressroute-for-microsoft-pstn.md
description: ExpressRoute circuits can be used for Microsoft PSTN services, inc
- Last updated 09/06/2023 - # Using ExpressRoute for routing traffic to Microsoft PSTN services
All Microsoft PSTN services supported for Microsoft Peering use the 52.120.0.0/1
[ExR-Intro]: ./expressroute-introduction.md [CreatePeering]: ./expressroute-howto-routing-portal-resource-manager.md [MGN]: https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/
-[ExRRF]: ./how-to-routefilter-portal.md
+[ExRRF]: ./how-to-routefilter-portal.md
expressroute Using Expressroute For Microsoft365 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/using-expressroute-for-microsoft365.md
- Last updated 6/30/2023 - # Using ExpressRoute for routing Microsoft 365 traffic
When you're using ExpressRoute, you can apply a route filter to Microsoft peerin
[ExRRF]: ./how-to-routefilter-portal.md [Teams]: /microsoftteams/microsoft-teams-online-call-flows [Microsoft 365-Test]: https://connectivity.office.com/
-[Microsoft 365perf]: /microsoft-365/enterprise/performance-tuning-using-baselines-and-history
+[Microsoft 365perf]: /microsoft-365/enterprise/performance-tuning-using-baselines-and-history
firewall-manager Quick Firewall Policy Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall-manager/quick-firewall-policy-terraform.md
Last updated 09/05/2023 - content_well_notifications: - AI-Contribution
firewall-manager Quick Secure Virtual Hub Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall-manager/quick-secure-virtual-hub-terraform.md
Last updated 09/05/2023 - content_well_notifications: - AI-Contribution
frontdoor Apex Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/apex-domain.md
- Last updated 02/07/2023
frontdoor Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/best-practices.md
- Last updated 02/23/2023
frontdoor Billing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/billing.md
- Last updated 12/28/2023
frontdoor Classic Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/classic-overview.md
- Last updated 08/09/2023
-# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
+# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
# What is Azure Front Door (classic)?
Subscribe to the RSS feed and view the latest Azure Front Door feature updates o
## Next steps - Learn how to [create a Front Door (classic)](quickstart-create-front-door.md).-- Learn about [how Front Door (classic) works](front-door-routing-architecture.md?pivots=front-door-classic).
+- Learn about [how Front Door (classic) works](front-door-routing-architecture.md?pivots=front-door-classic).
frontdoor Create Front Door Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-bicep.md
Last updated 12/29/2023 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Create Front Door Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-portal.md
- Last updated 10/02/2023
frontdoor Create Front Door Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-powershell.md
Last updated 06/28/2022 -
frontdoor Create Front Door Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-template.md
Last updated 07/12/2022 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Create Front Door Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-terraform.md
Last updated 8/11/2023 - content_well_notification: - AI-contribution
frontdoor Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/domain.md
- Last updated 10/31/2023
frontdoor Edge Locations By Abbreviation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/edge-locations-by-abbreviation.md
- Last updated 06/01/2023
frontdoor Edge Locations By Region https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/edge-locations-by-region.md
- Last updated 05/30/2023
frontdoor End To End Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/end-to-end-tls.md
- Last updated 02/07/2023 zone_pivot_groups: front-door-tiers
frontdoor Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/endpoint.md
- Last updated 08/09/2023
frontdoor Front Door Caching https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-caching.md
- Last updated 11/08/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Cdn Comparison https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-cdn-comparison.md
- Last updated 10/13/2023
frontdoor Front Door Custom Domain Https https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-custom-domain-https.md
description: In this tutorial, you learn how to enable and disable HTTPS on your
- Last updated 08/09/2023
frontdoor Front Door Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-custom-domain.md
description: In this article, you learn how to onboard a custom domain to Azure
- Last updated 04/04/2023
frontdoor Front Door Ddos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-ddos.md
- Last updated 10/23/2023
frontdoor Front Door Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-diagnostics.md
- Last updated 12/19/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Http Headers Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-http-headers-protocol.md
- Last updated 01/16/2023
frontdoor Front Door Http2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-http2.md
- Last updated 09/28/2020
frontdoor Front Door Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-overview.md
- Last updated 10/12/2023
-# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
+# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
# What is Azure Front Door?
frontdoor Front Door Quickstart Template Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-quickstart-template-samples.md
- Last updated 07/25/2023
frontdoor Front Door Route Matching https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-route-matching.md
- Last updated 12/04/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Routing Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-routing-architecture.md
- Last updated 04/04/2023 zone_pivot_groups: front-door-tiers
Finally, the request is forwarded to the backend.
- Learn how to [create a Front Door profile](quickstart-create-front-door.md).
frontdoor Front Door Routing Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-routing-limits.md
- Last updated 12/28/2023
frontdoor Front Door Rules Engine Actions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-rules-engine-actions.md
- Last updated 06/01/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Rules Engine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-rules-engine.md
Title: What is a rule set?
-description: This article provides an overview of the Azure Front Door Rule sets feature.
+description: This article provides an overview of the Azure Front Door Rule sets feature.
- Last updated 05/15/2023
frontdoor Front Door Security Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-security-headers.md
Title: 'Tutorial: Add security headers with Rules Engine - Azure Front Door'
-description: This tutorial teaches you how to configure a security header via Rules Engine on Azure Front Door
+description: This tutorial teaches you how to configure a security header via Rules Engine on Azure Front Door
- Last updated 10/05/2023
-# Customer intent: As an IT admin, I want to learn about Front Door and how to configure a security header via Rules Engine.
+# Customer intent: As an IT admin, I want to learn about Front Door and how to configure a security header via Rules Engine.
# Tutorial: Add Security headers with Rules Engine
frontdoor Front Door Traffic Acceleration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-traffic-acceleration.md
- Last updated 08/31/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Tutorial Rules Engine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-tutorial-rules-engine.md
- Last updated 06/06/2023-+ # Customer intent: As an IT admin, I want to learn about Front Door and how to configure Rules Engine feature via the Azure portal or Azure CLI.
frontdoor Front Door Url Redirect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-url-redirect.md
- Last updated 04/04/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Url Rewrite https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-url-rewrite.md
- Last updated 06/01/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Waf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-waf.md
Title: 'Tutorial: Scale and protect a web app by using Azure Front Door and Azure Web Application Firewall (WAF)'
+ Title: 'Tutorial: Scale and protect a web app by using Azure Front Door and Azure Web Application Firewall (WAF)'
description: This tutorial shows you how to use Azure Web Application Firewall with the Azure Front Door service. - Last updated 12/28/2023
frontdoor Front Door Wildcard Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-wildcard-domain.md
Title: Support for wildcard domains
+ Title: Support for wildcard domains
description: This article helps you understand how Azure Front Door supports mapping and managing wildcard domains in the list of custom domains. - Last updated 02/07/2023 zone_pivot_groups: front-door-tiers
frontdoor Health Probes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/health-probes.md
- Last updated 05/15/2023
frontdoor Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/manager.md
- Last updated 08/09/2023
frontdoor Origin Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/origin-security.md
- Last updated 10/02/2023 zone_pivot_groups: front-door-tiers
frontdoor Origin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/origin.md
- Last updated 04/04/2023 zone_pivot_groups: front-door-tiers
frontdoor Quickstart Create Front Door Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-bicep.md
Last updated 03/30/2022 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-cli.md
- Last updated 3/28/2023 -+ ms.devlang: azurecli #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-powershell.md
Last updated 04/19/2021 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-template.md
Last updated 09/14/2020 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-terraform.md
Last updated 8/11/2023 - content_well_notification: - AI-contribution
frontdoor Quickstart Create Front Door https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door.md
Last updated 10/02/2023 - #Customer intent: As an IT admin, I want to manage user traffic to ensure high availability of web applications.
frontdoor Scenario Storage Blobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/scenario-storage-blobs.md
- Last updated 12/28/2023
frontdoor Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/scenarios.md
- Last updated 02/13/2023
frontdoor How To Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-add-custom-domain.md
- Last updated 09/07/2023 #Customer intent: As a website owner, I want to add a custom domain to my Front Door configuration so that my users can use my custom domain to access my content.
frontdoor How To Cache Purge Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-cache-purge-cli.md
- Last updated 09/20/2022
frontdoor How To Cache Purge Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-cache-purge-powershell.md
- Last updated 09/20/2022
frontdoor How To Configure Https Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-configure-https-custom-domain.md
- Last updated 10/31/2023
frontdoor How To Enable Private Link Internal Load Balancer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-enable-private-link-internal-load-balancer.md
In this section, you map the Private Link service to a private endpoint created
1. Select **+ Add an origin** to add new origin. Select or enter the following settings to configure the internal load balancer origin. > [!NOTE]
- > The hostname must be a valid domain name, IPv4 or IPv6. The hostname can be the private IP of the internal load balancer or a domain name. If you are using a domain name, you must have a DNS record that resolves to the private IP of the internal load balancer.
+ > The hostname must be a valid domain name, IPv4 or IPv6. The hostname can be the private IP of the internal load balancer or a domain name.
:::image type="content" source="../media/how-to-enable-private-link-internal-load-balancer/private-endpoint-internal-load-balancer-ip.png" alt-text="Screenshot of enabling private link to an internal load balancer using an IP address.":::
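Review bot: The replaced NOTE drops the requirement "If you are using a domain name, you must have a DNS record that resolves to the private IP of the internal load balancer." Without it the note says a domain name is allowed but not that it must resolve to the ILB's private IP, which is exactly the step people get wrong when the private endpoint health probe fails. If the requirement still holds, restore that sentence; if it no longer applies, say how the name is resolved instead.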
frontdoor Terraform Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/terraform-samples.md
- Last updated 11/22/2022
frontdoor Troubleshoot Performance Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/troubleshoot-performance-issues.md
- Last updated 08/30/2023 #Customer intent: As a <type of user>, I want <some goal> so that <some reason>.
genomics Troubleshooting Guide Genomics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/genomics/troubleshooting-guide-genomics.md
- Last updated 10/29/2018- # Troubleshooting guide
governance Migrating From Azure Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/machine-configuration/whats-new/migrating-from-azure-automation.md
Before removing a machine from Azure Automation State Configuration, onboard eac
Azure Policy can manage the machine. The machine can be onboarded to Azure Arc at any time, but you can use Azure Automation State Configuration to automate the process.
-You can register a machine to Azure Arc-enabled servers by using PowerShell DSC. For details, view
-the page [How to install the Connected Machine agent using Windows PowerShell DSC][15]. Remember
-however, that Azure Automation State Configuration can manage only one configuration per machine,
-per Automation Account. You can export, test, and prepare your content for machine configuration,
-and then switch the node configuration in Azure Automation to onboard to Azure Arc. As the last
-step, remove the node registration from Azure Automation State Configuration and move forward only
-managing the machine state through machine configuration.
- ## Troubleshooting issues when exporting content Details about known issues are provided in this section.
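Review bot: Removing this paragraph leaves the sentence above ("The machine can be onboarded to Azure Arc at any time") with no pointer to how, and also drops the caveat that Azure Automation State Configuration can manage only one configuration per machine per Automation Account, which drives the ordering of the migration (export and test, switch the node configuration, then unregister). If the DSC onboarding route is no longer recommended, replace it with a link to the current onboarding path rather than deleting the guidance.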
When using PowerShell on macOS and Linux, you may have issues dealing with the f
`Export-AzAutomationDSCConfiguration`. As a workaround, a module has been published to the PowerShell Gallery named
-[AADSCConfigContent][16]. The module has only one command, which exports the content of a
+[AADSCConfigContent][15]. The module has only one command, which exports the content of a
configuration stored in Azure Automation by making a REST request to the service. ## Next steps -- [Develop a custom machine configuration package][17].-- Use the **GuestConfiguration** module to [create an Azure Policy definition][19] for at-scale
+- [Develop a custom machine configuration package][16].
+- Use the **GuestConfiguration** module to [create an Azure Policy definition][18] for at-scale
management of your environment. - [Assign your custom policy definition][20] using Azure portal. - Learn how to view [compliance details for machine configuration][21] policy assignments.
configuration stored in Azure Automation by making a REST request to the service
[12]: ../../policy/assign-policy-portal.md [13]: /azure/automation/automation-dsc-onboarding#enable-physicalvirtual-linux-machines [14]: /azure/azure-arc/servers/overview
-[15]: /azure/azure-arc/servers/onboard-dsc
-[16]: https://www.powershellgallery.com/packages/AADSCConfigContent/
-[17]: ../how-to/develop-custom-package/overview.md
-[19]: ../how-to/create-policy-definition.md
-[20]: ../../policy/assign-policy-portal.md
-[21]: ../../policy/how-to/determine-non-compliance.md
+[15]: https://www.powershellgallery.com/packages/AADSCConfigContent/
+[16]: ../how-to/develop-custom-package/overview.md
+[17]: ../how-to/create-policy-definition.md
+[18]: ../../policy/assign-policy-portal.md
+[19]: ../../policy/how-to/determine-non-compliance.md
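Review bot: The reference renumbering is off by one and leaves dangling links. The new definitions map [17] to `../how-to/create-policy-definition.md` and [18] to `../../policy/assign-policy-portal.md`, but the rewritten Next steps bullet uses `[create an Azure Policy definition][18]`, so it will point at the assign page. The unchanged bullets in the same list still cite `[20]` and `[21]`, which no longer have definitions after the renumber (the list now ends at [19]). Suggest `[create an Azure Policy definition][17]`, `[Assign your custom policy definition][18]`, and `[compliance details for machine configuration][19]`.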
governance Scope https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/concepts/scope.md
the definition location to target for assignment. The [resources covered by Azur
If the definition location is a: -- **Subscription** - Only resources within that subscription can be assigned the policy definition.-- **Management group** - Only resources within child management groups and child subscriptions can
+- **Subscription** - The subscription where policy is defined and resources within that subscription can be assigned the policy definition.
+- **Management group** - The management group where the policy is defined and resources within child management groups and child subscriptions can
be assigned the policy definition. If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains each subscription.
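Review bot: The new bullet wording is ambiguous: "The subscription where policy is defined and resources within that subscription can be assigned the policy definition" reads as if the subscription is a condition rather than a second assignable scope. Suggest "The subscription where the policy is defined, and the resources within it, can be assigned the policy definition", with the same shape for the management group bullet ("The management group where the policy is defined, and resources within its child management groups and child subscriptions, can be assigned the policy definition").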
governance Index https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/index.md
Azure:
- [Microsoft cloud security benchmark](./azure-security-benchmark.md) - [Microsoft Cloud for Sovereignty Confidential](./mcfs-baseline-confidential.md) - [Microsoft Cloud for Sovereignty Global](./mcfs-baseline-global.md)-- [New Zealand ISM Restricted](./new-zealand-ism.md)-- [New Zealand ISM Restricted 3.5](./nz-ism-restricted-3-5.md) - [NIST SP 800-53 Rev. 4](./nist-sp-800-53-r4.md) - [NIST SP 800-53 Rev. 5](./nist-sp-800-53-r5.md) - [NIST SP 800-171 R2](./nist-sp-800-171-r2.md)
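Review bot: Both the `./new-zealand-ism.md` and the `./nz-ism-restricted-3-5.md` entries carry the removed-line marker here, while the following commit deletes only `new-zealand-ism.md`. If the 3.5 article remains, its index entry should stay; if the old article is being retired in favour of 3.5, a redirect from `new-zealand-ism.md` to `nz-ism-restricted-3-5.md` is needed so existing links to the compliance mapping do not break.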
governance New Zealand Ism https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/new-zealand-ism.md
- Title: Regulatory Compliance details for New Zealand ISM Restricted
-description: Details of the New Zealand ISM Restricted Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Previously updated : 01/22/2024---
-# Details of the New Zealand ISM Restricted Regulatory Compliance built-in initiative
-
-The following article details how the Azure Policy Regulatory Compliance built-in initiative
-definition maps to **compliance domains** and **controls** in New Zealand ISM Restricted.
-For more information about this compliance standard, see
-[New Zealand ISM Restricted](https://www.nzism.gcsb.govt.nz/ism-document). To understand
-_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and
-[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
-
-The following mappings are to the **New Zealand ISM Restricted** controls. Many of the controls
-are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete
-initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
-Then, find and select the **New Zealand ISM Restricted** Regulatory Compliance built-in
-initiative definition.
-
-> [!IMPORTANT]
-> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.
-> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
-> control; however, there often is not a one-to-one or complete match between a control and one or
-> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
-> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
-> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
-> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
-> overall compliance status. The associations between compliance domains, controls, and Azure Policy
-> definitions for this compliance standard may change over time. To view the change history, see the
-> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/nz_ism.json).
-
-## Information security monitoring
-
-### 6.2.5 Conducting vulnerability assessments
-
-**ID**: NZISM Security Benchmark ISM-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
-|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
-
-### 6.2.6 Resolving vulnerabilities
-
-**ID**: NZISM Security Benchmark ISM-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
-|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
-|[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) |
-|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
-|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
-
-### 6.4.5 Availability requirements
-
-**ID**: NZISM Security Benchmark ISM-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |
-
-## Physical Security
-
-### 8.3.5 Network infrastructure in unsecure areas
-
-**ID**: NZISM Security Benchmark PS-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
-|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
-
-## Infrastructure
-
-### 10.8.35 Security Architecture
-
-**ID**: NZISM Security Benchmark INF-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) |
-|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
-|[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) |
-|[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) |
-|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../machine-learning/how-to-configure-private-link.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) |
-|[Azure SignalR Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) |
-|[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) |
-|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
-|[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
-|[Private endpoint connections on Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F009a0c92-f5b4-4776-9b66-4ed2b4775563) |Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at [https://docs.microsoft.com/azure/batch/private-connectivity](../../../batch/private-connectivity.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_PrivateEndpoints_AuditIfNotExists.json) |
-|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
-|[Storage accounts should restrict network access using virtual network rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) |
-|[Storage accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
-|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet](../../../virtual-machines/linux/image-builder-networking.md#deploy-using-an-existing-vnet). |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |
-
-## Product Security
-
-### 12.4.4 Patching vulnerabilities in products
-
-**ID**: NZISM Security Benchmark PRS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) |
-|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
-
-## Software security
-
-### 14.1.8 Developing hardened SOEs
-
-**ID**: NZISM Security Benchmark SS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
-|[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
-|[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
-
-### 14.1.9 Maintaining hardened SOEs
-
-**ID**: NZISM Security Benchmark SS-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) |
-|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
-|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
-|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
-|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
-|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
-|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
-|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) |
-|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
-|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |
-|[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) |
-|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
-
-### 14.2.4 Application Whitelisting
-
-**ID**: NZISM Security Benchmark SS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
-|[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) |
-
-### 14.5.8 Web applications
-
-**ID**: NZISM Security Benchmark SS-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
-|[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
-
-## Access Control and Passwords
-
-### 16.1.32 System User Identitfication
-
-**ID**: NZISM Security Benchmark AC-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
-|[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
-|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
-
-### 16.1.35 Methods for system user identification and authentication
-
-**ID**: NZISM Security Benchmark AC-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with read permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithReadPermissions_Audit.json) |
-
-### 16.1.40 Password selection policy
-
-**ID**: NZISM Security Benchmark AC-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |
-|[Windows machines should meet requirements for 'Security Settings - Account Policies'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff2143251-70de-4e81-87a8-36cee5a2f29d) |Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json) |
-
-### 16.1.46 Suspension of access
-
-**ID**: NZISM Security Benchmark AC-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |
-|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |
-
-### 16.3.5 Use of Privileged Accounts
-
-**ID**: NZISM Security Benchmark AC-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-
-### 16.4.30 Privileged Access Management
-
-**ID**: NZISM Security Benchmark AC-11
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |
-|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |
-|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
-|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
-|[Audit Windows machines that have extra accounts in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d2a3320-2a72-4c67-ac5f-caa40fbee2b2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
-|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |
-|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |
-|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
-
-### 16.5.10 Authentication
-
-**ID**: NZISM Security Benchmark AC-13
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
-
-### 16.6.9 Events to be logged
-
-**ID**: NZISM Security Benchmark AC-17
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have resource logs enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
-|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
-|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
-|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) |Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) |
-|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Data Lake Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95c74d9-38fe-4f0d-af86-0c7d626a315c) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Event Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83a214f7-d01a-484b-91a9-ed54470c9a6a) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in IoT Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F383856f8-de7f-44a2-81fc-e5135b5c2aa4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Logic Apps should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34f95f76-5386-4de7-b824-0d8478470c9d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Service Bus should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8d36e2f-389b-4ee4-898d-21aeb69a0f45) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) |
-
-## Cryptography
-
-### 17.1.45 Data Recovery
-
-**ID**: NZISM Security Benchmark CR-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Key vaults should have deletion protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) |
-|[Key vaults should have soft delete enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) |Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) |
-
-### 17.1.46 Reducing storage and physical transfer requirements
-
-**ID**: NZISM Security Benchmark CR-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |
-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |
-|[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) |
-|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) |
-|[MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) |Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) |
-|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) |
-|[SQL managed instances should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac01ad65-10e5-46df-bdd9-6b0cad13e1d2) |Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncrypted_Deny.json) |
-|[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a370ff3-6cab-4e85-8995-295fd854c5b8) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Deny.json) |
-|[Storage accounts should use customer-managed key for encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) |
-|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
-
-### 17.4.16 Using TLS
-
-**ID**: NZISM Security Benchmark CR-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
-|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
-|[Windows machines should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. |AuditIfNotExists, Disabled |[4.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
-
-### 17.5.7 Authentication mechanisms
-
-**ID**: NZISM Security Benchmark CR-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
-
-### 17.9.25 Contents of KMPs
-
-**ID**: NZISM Security Benchmark CR-14
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
-|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) |
-
-## Network security
-
-### 18.3.19 Content of a Denial of Service (DoS) response plan
-
-**ID**: NZISM Security Benchmark NS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure DDoS Protection should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa7aca53f-2ed4-4466-a25e-0b45ade68efd) |DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |AuditIfNotExists, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) |
-
-### 18.4.8 IDS/IPSs on gateways
-
-**ID**: NZISM Security Benchmark NS-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12430be1-6cc8-4527-a9a8-e3d38f250096) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F425bea59-a659-4cbb-8d31-34499bd030b8) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json) |
-
-## Gateway security
-
-### 19.1.11 Using Gateways
-
-**ID**: NZISM Security Benchmark GS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1817ec0-a368-432a-8057-8371e17ac6ee) |Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditNamespaceAccessRules_Audit.json) |
-|[Azure Key Vault Managed HSM should have purge protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc39ba22d-4428-4149-b981-70acb31fc383) |Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json) |
-|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
-|[Public network access on Azure SQL Database should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b8ca024-1d5c-4dec-8995-b1a932b41780) |Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffdccbe47-f3e3-4213-ad5d-ea459b2fa077) |Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9844e8a-1437-4aeb-a32c-0c992f056095) |Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) |
-|[Storage account keys should not be expired](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F044985bb-afe1-42cd-8a36-9d5d42424537) |Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountKeysExpired_Restrict.json) |
-
-### 19.1.12 Configuration of Gateways
-
-**ID**: NZISM Security Benchmark GS-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
-|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
-|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
-|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
-|[Subnets should be associated with a Network Security Group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe71308d3-144b-4262-b144-efdc3cc90517) |Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) |
-
-### 19.1.23 Testing of Gateways
-
-**ID**: NZISM Security Benchmark GS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
-
-## Data management
-
-### 20.4.4 Database files
-
-**ID**: NZISM Security Benchmark DM-6
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |
-|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
-
-## Next steps
-
-Additional articles about Azure Policy:
--- [Regulatory Compliance](../concepts/regulatory-compliance.md) overview.-- See the [initiative definition structure](../concepts/initiative-definition-structure.md).-- Review other examples at [Azure Policy samples](./index.md).-- Review [Understanding policy effects](../concepts/effects.md).-- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
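Review bot: two link targets in these tables carry a trailing comma inside the URL, so the rendered link points at a short link that includes the comma: the "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" row has `[https://aka.ms/disksse,](https://aka.ms/disksse,)`, and the "Container registries should not allow unrestricted network access" row has `[https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,)`; in both cases the comma belongs outside the link, i.e. `[https://aka.ms/disksse](https://aka.ms/disksse),`. Because the Description column mirrors the policy definition JSON linked in the Version column, the fix also needs to land in that definition text, otherwise the page will pick the comma up again on the next regeneration. Separately, the "Next steps" list has collapsed onto a single line (`Additional articles about Azure Policy:-- [Regulatory Compliance]...-- See the ...`); each `- ` item needs its own line to render as a list.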
governance Nz Ism Restricted 3 5 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nz-ism-restricted-3-5.md
- Title: Regulatory Compliance details for NZ ISM Restricted v3.5
-description: Details of the NZ ISM Restricted v3.5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Previously updated : 01/22/2024---
-# Details of the NZ ISM Restricted v3.5 Regulatory Compliance built-in initiative
-
-The following article details how the Azure Policy Regulatory Compliance built-in initiative
-definition maps to **compliance domains** and **controls** in NZ ISM Restricted v3.5.
-For more information about this compliance standard, see
-[NZ ISM Restricted v3.5](https://www.nzism.gcsb.govt.nz/ism-document). To understand
-_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and
-[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
-
-The following mappings are to the **NZ ISM Restricted v3.5** controls. Many of the controls
-are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete
-initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
-Then, find and select the **New Zealand ISM Restricted v3.5** Regulatory Compliance built-in
-initiative definition.
-
-> [!IMPORTANT]
-> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.
-> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
-> control; however, there often is not a one-to-one or complete match between a control and one or
-> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
-> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
-> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
-> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
-> overall compliance status. The associations between compliance domains, controls, and Azure Policy
-> definitions for this compliance standard may change over time. To view the change history, see the
-> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NZ_ISM_Restricted_v3_5.json).
-
-## Access Control and Passwords
-
-### 16.4.30 Privileged Access Management
-
-**ID**: NZISM Security Benchmark AC-11
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |
-|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |
-|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
-|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |
-|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |
-|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |
-|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
-
-### 16.5.10 Authentication
-
-**ID**: NZISM Security Benchmark AC-13
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
-
-### 16.6.8 Logging Requirements
-
-**ID**: NZISM Security Benchmark AC-17
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) |
-
-### 16.6.9 Events to be logged
-
-**ID**: NZISM Security Benchmark AC-18
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have resource logs enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
-|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
-|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
-|[Disconnections should be logged for PostgreSQL database servers.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e446) |This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json) |
-|[Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4fe33eb-e377-4efb-ab31-0784311bc499) |This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) |
-|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) |
-|[Log connections should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e442) |This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json) |
-|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Azure Kubernetes Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F245fc9df-fa96-4414-9a0b-3738c2f7341c) |Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Kubernetes_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Data Lake Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95c74d9-38fe-4f0d-af86-0c7d626a315c) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Event Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83a214f7-d01a-484b-91a9-ed54470c9a6a) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in IoT Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F383856f8-de7f-44a2-81fc-e5135b5c2aa4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Logic Apps should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34f95f76-5386-4de7-b824-0d8478470c9d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Service Bus should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8d36e2f-389b-4ee4-898d-21aeb69a0f45) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) |
-|[SQL servers with auditing to storage account destination should be configured with 90 days retention or higher](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F89099bee-89e0-4b26-a5f4-165451757743) |For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditingRetentionDays_Audit.json) |
-
-### 16.6.12 Event log protection
-
-**ID**: NZISM Security Benchmark AC-19
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) |
-
-### 16.1.32 System User Identitfication
-
-**ID**: NZISM Security Benchmark AC-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
-|[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
-|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
-
-### 16.1.35 Methods for system user identification and authentication
-
-**ID**: NZISM Security Benchmark AC-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with read permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithReadPermissions_Audit.json) |
-
-### 16.1.46 Suspension of access
-
-**ID**: NZISM Security Benchmark AC-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |
-|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |
-
-### 16.3.5 Use of Privileged Accounts
-
-**ID**: NZISM Security Benchmark AC-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-
-## Cryptography
-
-### 17.5.7 Authentication mechanisms
-
-**ID**: NZISM Security Benchmark CR-10
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
-
-### 17.9.25 Contents of KMPs
-
-**ID**: NZISM Security Benchmark CR-15
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
-|[Key Vault keys should have an expiration date](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0) |Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ExpirationSet.json) |
-|[Key Vault secrets should have an expiration date](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98728c90-32c7-4049-8429-847dc0f4fe37) |Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ExpirationSet.json) |
-|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) |
-
-### 17.1.52 Data Recovery
-
-**ID**: NZISM Security Benchmark CR-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Key vaults should have deletion protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) |
-|[Key vaults should have soft delete enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) |Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) |
-
-### 17.1.53 Reducing storage and physical transfer requirements
-
-**ID**: NZISM Security Benchmark CR-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
-|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |
-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |
-|[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) |
-|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) |
-|[MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) |Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) |
-|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
-|[SQL managed instances should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac01ad65-10e5-46df-bdd9-6b0cad13e1d2) |Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncrypted_Deny.json) |
-|[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a370ff3-6cab-4e85-8995-295fd854c5b8) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Deny.json) |
-|[Storage accounts should use customer-managed key for encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) |
-|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
-
-### 17.2.24 Using RSA
-
-**ID**: NZISM Security Benchmark CR-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Certificates using RSA cryptography should have the specified minimum key size](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcee51871-e572-4576-855c-047c820360f0) |Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json) |
-
-### 17.4.16 Using TLS
-
-**ID**: NZISM Security Benchmark CR-8
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
-|[Windows machines should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. |AuditIfNotExists, Disabled |[4.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
-
-## Gateway security
-
-### 19.1.11 Using Gateways
-
-**ID**: NZISM Security Benchmark GS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1817ec0-a368-432a-8057-8371e17ac6ee) |Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditNamespaceAccessRules_Audit.json) |
-|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
-|[Azure Key Vault Managed HSM should have purge protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc39ba22d-4428-4149-b981-70acb31fc383) |Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json) |
-|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
-|[Non-internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbb91dfba-c30d-4263-9add-9c2384e659a6) |Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json) |
-|[Public network access on Azure SQL Database should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b8ca024-1d5c-4dec-8995-b1a932b41780) |Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffdccbe47-f3e3-4213-ad5d-ea459b2fa077) |Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9844e8a-1437-4aeb-a32c-0c992f056095) |Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) |
-|[Storage account keys should not be expired](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F044985bb-afe1-42cd-8a36-9d5d42424537) |Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountKeysExpired_Restrict.json) |
-
-### 19.1.12 Configuration of Gateways
-
-**ID**: NZISM Security Benchmark GS-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
-|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
-|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
-|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
-|[Subnets should be associated with a Network Security Group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe71308d3-144b-4262-b144-efdc3cc90517) |Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) |
-
-### 19.1.23 Testing of Gateways
-
-**ID**: NZISM Security Benchmark GS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
-
-## Infrastructure
-
-### 10.8.35 Security Architecture
-
-**ID**: NZISM Security Benchmark INF-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) |
-|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
-|[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) |
-|[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) |
-|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../machine-learning/how-to-configure-private-link.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) |
-|[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) |
-|[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) |
-|[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) |
-|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
-|[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
-|[Private endpoint connections on Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F009a0c92-f5b4-4776-9b66-4ed2b4775563) |Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at [https://docs.microsoft.com/azure/batch/private-connectivity](../../../batch/private-connectivity.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_PrivateEndpoints_AuditIfNotExists.json) |
-|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
-|[Storage accounts should restrict network access using virtual network rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) |
-|[Storage accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
-|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet](../../../virtual-machines/linux/image-builder-networking.md#deploy-using-an-existing-vnet). |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |
-
-## Information Security Incidents
-
-### 7.1.7 Preventing and detecting information security incidents
-
-**ID**: NZISM Security Benchmark ISI-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
-|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
-|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
-|[Azure Defender for open-source relational databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a9fbe0d-c5c4-4da8-87d8-f4fd77338835) |Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at [https://aka.ms/AzDforOpenSourceDBsDocu](https://aka.ms/AzDforOpenSourceDBsDocu). Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnOpenSourceRelationalDatabases_Audit.json) |
-|[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at [https://aka.ms/defender-for-resource-manager](https://aka.ms/defender-for-resource-manager) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) |
-|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
-|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
-|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |
-|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
-|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |
-|[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) |
-
-## Information security monitoring
-
-### 6.2.5 Conducting vulnerability assessments
-
-**ID**: NZISM Security Benchmark ISM-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
-|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
-
-### 6.2.6 Resolving vulnerabilities
-
-**ID**: NZISM Security Benchmark ISM-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
-|[Email notification for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) |
-|[Email notification to subscription owner for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b15565f-aa9e-48ba-8619-45960f2c314d) |To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) |
-|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) |
-|[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
-|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
-|[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) |
-|[Subscriptions should have a contact email address for security issues](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) |
-|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
-|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
-
-### 6.4.5 Availability requirements
-
-**ID**: NZISM Security Benchmark ISM-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |
-
-## Network security
-
-### 18.3.19 Content of a Denial of Service (DoS) response plan
-
-**ID**: NZISM Security Benchmark NS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure DDoS Protection should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa7aca53f-2ed4-4466-a25e-0b45ade68efd) |DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |AuditIfNotExists, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) |
-
-### 18.4.7 Intrusion Detection and Prevention strategy (IDS/IPS)
-
-**ID**: NZISM Security Benchmark NS-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Connection throttling should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5345bb39-67dc-4960-a1bf-427e16b9a0bd) |This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json) |
-
-### 18.4.8 IDS/IPSs on gateways
-
-**ID**: NZISM Security Benchmark NS-8
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |
-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12430be1-6cc8-4527-a9a8-e3d38f250096) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F425bea59-a659-4cbb-8d31-34499bd030b8) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json) |
-
-## Product Security
-
-### 12.4.4 Patching vulnerabilities in products
-
-**ID**: NZISM Security Benchmark PRS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) |
-|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
-
-## Physical Security
-
-### 8.3.5 Network infrastructure in unsecure areas
-
-**ID**: NZISM Security Benchmark PS-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
-|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
-
-## Software security
-
-### 14.1.8 Developing hardened SOEs
-
-**ID**: NZISM Security Benchmark SS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json)
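Review bot: this hunk deletes the whole NZISM mapping from "Information Security Incidents" (ISI-2) through "Software security" (SS-2), including the ISM-3, ISM-4, ISM-7, NS-5, NS-7, NS-8, PRS-5 and PS-4 control tables, with no replacement lines visible, so confirm the table is regenerated elsewhere in this change rather than dropped; otherwise the published sample silently loses coverage for those controls. Note also that the removed rows use docs-relative links such as `../../../batch/private-connectivity.md` and `../../../virtual-machines/linux/image-builder-networking.md#deploy-using-an-existing-vnet`, which will need re-pointing if the regenerated content lands at a different directory depth.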