Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Access Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/access-tokens.md | Title: Request an access token - Azure Active Directory B2C + Title: Request an access token in Azure Active Directory B2C description: Learn how to request an access token from Azure Active Directory B2C. -An *access token* contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. When calling a resource server, an access token must be present in the HTTP request. An access token is denoted as **access_token** in the responses from Azure AD B2C. +An *access token* contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. To call a resource server, the HTTP request must include an access token. An access token is denoted as **access_token** in the responses from Azure AD B2C. This article shows you how to request an access token for a web application and web API. For more information about tokens in Azure AD B2C, see the [overview of tokens in Azure Active Directory B2C](tokens-overview.md). > [!NOTE]-> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls a another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Azure AD, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Azure AD or Azure AD B2C) that is issuing the tokens. +> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls a another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Azure AD, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Azure AD or Azure AD B2C) that is issuing the tokens. ## Prerequisites If the **response_type** parameter in an `/authorize` request includes `token`, ## Request a token -To request an access token, you need an authorization code. Below is an example of a request to the `/authorize` endpoint for an authorization code. --In the following example, you replace these values in the query string: --- `<tenant-name>` - The name of your [Azure AD B2C tenant](tenant-management-read-tenant-name.md#get-your-tenant-name). If you're using a custom domain, replace `tenant-name.b2clogin.com` with your domain, such as `contoso.com`. -- `<policy-name>` - The name of your custom policy or user flow.-- `<application-ID>` - The application identifier of the web application that you registered to support the user flow.-- `<application-ID-URI>` - The application identifier URI that you set under **Expose an API** blade of the client application.-- `<scope-name>` - The name of the scope that you added under **Expose an API** blade of the client application.-- `<redirect-uri>` - The **Redirect URI** that you entered when you registered the client application.-+To request an access token, you need an authorization code. The following is an example of a request to the `/authorize` endpoint for an authorization code: ```http GET https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize? client_id=<application-ID> client_id=<application-ID> &response_type=code ``` +Replace the values in the query string as follows: ++- `<tenant-name>` - The name of your [Azure AD B2C tenant](tenant-management-read-tenant-name.md#get-your-tenant-name). If you're using a custom domain, replace `tenant-name.b2clogin.com` with your domain, such as `contoso.com`. +- `<policy-name>` - The name of your custom policy or user flow. +- `<application-ID>` - The application identifier of the web application that you registered to support the user flow. +- `<application-ID-URI>` - The application identifier URI that you set under **Expose an API** blade of the client application. +- `<scope-name>` - The name of the scope that you added under **Expose an API** blade of the client application. +- `<redirect-uri>` - The **Redirect URI** that you entered when you registered the client application. + To get a feel of how the request works, paste the request into your browser and run it. -This is the interactive part of the flow, where you take action. You're asked to complete the user flow's workflow. This might involve entering your username and password in a sign in form or any other number of steps. The steps you complete depend on how the user flow is defined. +This's the interactive part of the flow, where you take action. You're asked to complete the user flow's workflow. This might involve entering your username and password in a sign in form or any other number of steps. The steps you complete depend on how the user flow is defined. The response with the authorization code should be similar to this example: The response with the authorization code should be similar to this example: https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC... ``` -After successfully receiving the authorization code, you can use it to request an access token. Note that the parameters are in the body of the HTTP POST request: +After successfully receiving the authorization code, you can use it to request an access token. The parameters are in the body of the HTTP POST request: ```http POST <tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token HTTP/1.1 grant_type=authorization_code &client_secret=2hMG2-_:y12n10vwH... ``` -If you're testing this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/). +If you want to test this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/). A successful token response looks like this: |
active-directory-b2c | Configure Authentication Sample Angular Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-authentication-sample-angular-spa-app.md | The sign-in flow involves the following steps: ### App registration -To enable your app to sign in with Azure AD B2C and call a web API, you must register two applications in the Azure AD B2C directory: +To enable your app to sign in with Azure AD B2C and call a web API, you must register two applications in your Azure AD B2C tenant: - The *single-page application* (Angular) registration enables your app to sign in with Azure AD B2C. During app registration, you specify the *redirect URI*. The redirect URI is the endpoint to which the user is redirected after they authenticate with Azure AD B2C. The app registration process generates an *application ID*, also known as the *client ID*, that uniquely identifies your app. This article uses the example **App ID: 1**. The following diagram describes the app registrations and the app architecture. Before you follow the procedures in this article, make sure that your computer is running: -* [Visual Studio Code](https://code.visualstudio.com/) or another code editor. +* [Visual Studio Code](https://code.visualstudio.com/) or any other code editor. * [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm). * [Angular CLI](https://angular.io/cli). In this step, you create the registrations for the Angular SPA and the web API a Follow these steps to create the Angular app registration: 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Azure AD B2C tenant: + 1. Select the **Directories + subscriptions** icon in the portal toolbar. + 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. In the Azure portal, search for and select **Azure AD B2C**. 1. Select **App registrations**, and then select **New registration**. 1. For **Name**, enter a name for the application. For example, enter **MyApp**. Your final configuration file should look like the following JSON: ## Step 5: Run the Angular SPA and web API -You're now ready to test the Angular scoped access to the API. In this step, run both the web API and the sample Angular application on your local machine. Then, log in to the Angular application, and select the **TodoList** button to start a request to the protected API. +You're now ready to test the Angular scoped access to the API. In this step, run both the web API and the sample Angular application on your local machine. Then, sign in to the Angular application, and select the **TodoList** button to start a request to the protected API. ### Run the web API You're now ready to test the Angular scoped access to the API. In this step, run  -1. Complete the sign-up or login process. -1. Upon successful login, you should see your profile. From the menu, select **TodoList**. +1. Complete the sign-up or sign-in process. +1. Upon successful sign-in, you should see your profile. From the menu, select **TodoList**.  You can add and modify redirect URIs in your registered applications at any time * [Learn more about the code sample](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/) * [Enable authentication in your own Angular application](enable-authentication-angular-spa-app.md) * [Configure authentication options in your Angular application](enable-authentication-angular-spa-app-options.md)-* [Enable authentication in your own web API](enable-authentication-web-api.md) +* [Enable authentication in your own web API](enable-authentication-web-api.md) |
active-directory-b2c | Customize Ui With Html | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/customize-ui-with-html.md | Azure AD B2C runs code in your customer's browser by using [Cross-Origin Resourc Create an HTML page with your own branding to serve your custom page content. This page can be a static `*.html` page, or a dynamic page like .NET, Node.js, or PHP. -Your custom page content can contain any HTML elements, including CSS and JavaScript, but cannot include insecure elements like iframes. The only required element is a div element with `id` set to `api`, such as this one `<div id="api"></div>` within your HTML page. +Your custom page content can contain any HTML elements, including CSS and JavaScript, but can't include insecure elements like iframes. The only required element is a div element with `id` set to `api`, such as this one `<div id="api"></div>` within your HTML page. ```html <!DOCTYPE html> The following table lists the default page content provided by Azure AD B2C. Dow | Page | Description | Templates | |:--|:--|-| | Unified sign-up or sign-in | This page handles the user sign-up and sign-in process. Users can use enterprise identity providers, social identity providers such as Facebook, Microsoft account, or local accounts. | [Classic](https://login.microsoftonline.com/static/tenant/default/unified.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/unified.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/unified.cshtml). |-| Sign-in (only)| The sign-in page is also known as the *Identity provider selection*. It handles the user sign-in with local account, or federated identity providers. Use this page to allow sign-in without the ability to sign-up. For example before user can edit their profile. | [Classic](https://login.microsoftonline.com/static/tenant/default/idpSelector.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/idpSelector.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/idpSelector.cshtml). +| Sign-in (only)| The sign-in page is also known as the *Identity provider selection*. It handles the user sign-in with local account, or federated identity providers. Use this page to allow sign-in without the ability to sign up. For example before user can edit their profile. | [Classic](https://login.microsoftonline.com/static/tenant/default/idpSelector.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/idpSelector.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/idpSelector.cshtml). | Self-Asserted | Most interactions in Azure AD B2C where the user is expected to provide input are self-asserted. For example, a sign-up page, sign-in page, or password reset page. Use this template as a custom page content for a social account sign-up page, a local account sign-up page, a local account sign-in page, password reset, edit profile, block page and more. The self-asserted page can contain various input controls, such as: a text input box, a password entry box, a radio button, single-select drop-down boxes, and multi-select check boxes. | [Classic](https://login.microsoftonline.com/static/tenant/default/selfAsserted.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/selfAsserted.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/selfAsserted.cshtml). | | Multi-factor authentication | On this page, users can verify their phone numbers (by using text or voice) during sign-up or sign-in. | [Classic](https://login.microsoftonline.com/static/tenant/default/multifactor-1.0.0.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/multifactor-1.0.0.cshtml). | | Error | This page is displayed when an exception or an error is encountered. | [Classic](https://login.microsoftonline.com/static/tenant/default/exception.cshtml), [Ocean Blue](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/exception.cshtml), and [Slate Gray](https://login.microsoftonline.com/static/tenant/templates/MSA/exception.cshtml). | The following example defines the following classes: * `imprint-en` - Used when the current language is English. * `imprint-de` - Used when the current language is German.-* `imprint` - Default class that is used when the current language is neither English nor German. +* `imprint` - Default class that is used when the current language is not English or German. ```css .imprint-en:lang(en), The language customization feature allows Azure AD B2C to pass the OpenID Connec > [!NOTE] > Azure AD B2C doesn't pass OpenID Connect parameters, such as `ui_locales`, to the [exception pages](page-layout.md#exception-page-globalexception). -Content can be pulled from different places based on the locale that's used. In your CORS-enabled endpoint, you set up a folder structure to host content for specific languages. You'll call the right one if you use the wildcard value `{Culture:RFC5646}`. +Content can be pulled from different places based on the locale that's used. In your CORS-enabled endpoint, you set up a folder structure to host content for specific languages. You call the right one if you use the wildcard value `{Culture:RFC5646}`. For example, your custom page URI might look like: Here's an overview of the process: Create a custom page content with your product's brand name in the title. -1. Copy the following HTML snippet. It is well-formed HTML5 with an empty element called *\<div id="api"\>\</div\>* located within the *\<body\>* tags. This element indicates where Azure AD B2C content is to be inserted. +1. Copy the following HTML snippet. It's well-formed HTML5 with an empty element called *\<div id="api"\>\</div\>* located within the *\<body\>* tags. This element indicates where Azure AD B2C content is to be inserted. ```html <!DOCTYPE html> In this article, we use Azure Blob storage to host our content. You can choose t > [!NOTE] > In an Azure AD B2C tenant, you can't provision Blob storage. You must create this resource in your Azure AD tenant. -To host your HTML content in Blob storage, perform the following steps: +To host your HTML content in Blob storage, use the following steps: 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure you're using the directory that contains your Azure AD tenant, and which has a subscription: To host your HTML content in Blob storage, perform the following steps: 1. **Performance** can remain **Standard**. 1. **Redundancy** can remain **Geo-redundant storage (GRS)** 1. Select **Review + create** and wait a few seconds for Azure AD to run a validation. -1. Select **Create** to create the storage account. After the deployment is completed, the storage account page opens automatically or select **Go to resource**. +1. Select **Create** to create the storage account. After the deployment is completed, the storage account page opens automatically or you need to select **Go to resource**. #### 2.1 Create a container To create a public container in Blob storage, perform the following steps: 1. Select **Upload**. 1. Select the **customize-ui.html** blob that you uploaded. 1. To the right of the **URL** text box, select the **Copy to clipboard** icon to copy the URL to your clipboard.-1. In web browser, navigate to the URL you copied to verify the blob you uploaded is accessible. If it is inaccessible, for example if you encounter a `ResourceNotFound` error, make sure the container access type is set to **blob**. +1. In web browser, navigate to the URL you copied to verify the blob you uploaded is accessible. If it's inaccessible, for example if you encounter a `ResourceNotFound` error, make sure the container access type is set to **blob**. ### 3. Configure CORS You should see a page similar to the following example with the elements centere ### 4. Modify the extensions file -To configure UI customization, copy the **ContentDefinition** and its child elements from the base file to the extensions file. +To configure UI customization, copy the **ContentDefinition** and its child elements from the base file to the extensions file: 1. Open the base file of your policy. For example, <em>`SocialAndLocalAccounts/`**`TrustFrameworkBase.xml`**</em>. This base file is one of the policy files included in the custom policy starter pack, which you should have obtained in the prerequisite, [Get started with custom policies](./tutorial-create-user-flows.md?pivots=b2c-custom-policy). 1. Search for and copy the entire contents of the **ContentDefinitions** element. To configure UI customization, copy the **ContentDefinition** and its child elem #### 5.1 Upload the custom policy -1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Azure AD B2C tenant: + 1. Select the **Directories + subscriptions** icon in the portal toolbar. + 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. Search for and select **Azure AD B2C**. 1. Under **Policies**, select **Identity Experience Framework**. 1. Select **Upload custom policy**. |
active-directory-b2c | Enable Authentication Angular Spa App Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/enable-authentication-angular-spa-app-options.md | Title: Enable Angular application options by using Azure Active Directory B2C + Title: Configure authentication options in an Angular application by using Azure Active Directory B2C description: Enable the use of Angular application options in several ways. - Previously updated : 07/29/2021+ Last updated : 03/09/2023 -This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your Angular single-page application (SPA). Before you start, familiarize yourself with the article [Configure authentication in an Angular SPA](configure-authentication-sample-angular-spa-app.md) or [Enable authentication in your own Angular SPA](enable-authentication-angular-spa-app.md). +This article describes how you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your Angular single-page application (SPA). +## Prerequisites ++Familiarize yourself with the article [Configure authentication in an Angular SPA](configure-authentication-sample-angular-spa-app.md) or [Enable authentication in your own Angular SPA](enable-authentication-angular-spa-app.md). -## Sign-in and sign-out behavior +## Sign-in and sign-out behavior You can configure your single-page application to sign in users with MSAL.js in two ways: -- **Pop-up window**: The authentication happens in a pop-up window, and the state of the application is preserved. Use this approach if you don't want users to move away from your application page during authentication. Note that there are [known issues with pop-up windows on Internet Explorer](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md#popups).+- **Pop-up window**: The authentication happens in a pop-up window, and the state of the application is preserved. Use this approach if you don't want users to move away from your application page during authentication. However, there are [known issues with pop-up windows on Internet Explorer](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md#popups). - To sign in with pop-up windows, in the `src/app/app.component.ts` class, use the `loginPopup` method. - In the `src/app/app.module.ts` class, set the `interactionType` attribute to `InteractionType.Popup`. - To sign out with pop-up windows, in the `src/app/app.component.ts` class, use the `logoutPopup` method. You can also configure `logoutPopup` to redirect the main window to a different page, such as the home page or sign-in page, after sign-out is complete by passing `mainWindowRedirectUri` as part of the request. - **Redirect**: The user is redirected to Azure AD B2C to complete the authentication flow. Use this approach if users have browser constraints or policies where pop-up windows are disabled. - To sign in with redirection, in the `src/app/app.component.ts` class, use the `loginRedirect` method. - In the `src/app/app.module.ts` class, set the `interactionType` attribute to `InteractionType.Redirect`.- - To sign out with redirection, in the `src/app/app.component.ts` class, use the `logoutRedirect` method. Configure the URI to which it should redirect after sign-out by setting `postLogoutRedirectUri`. This URI should be registered as a redirect URI in your application registration. + - To sign out with redirection, in the `src/app/app.component.ts` class, use the `logoutRedirect` method. Configure the URI to which it should redirect after a sign-out by setting `postLogoutRedirectUri`. You should add this URI as a redirect URI in your application registration. The following sample demonstrates how to sign in and sign out: |
active-directory-b2c | Enable Authentication Angular Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/enable-authentication-angular-spa-app.md | Use this article with the related article titled [Configure authentication in a ## Prerequisites -Review the prerequisites and integration steps in the [Configure authentication in a sample Angular single-page application](configure-authentication-sample-angular-spa-app.md) article. +Complete the steps in the [Configure authentication in a sample Angular single-page application](configure-authentication-sample-angular-spa-app.md) article. ## Create an Angular app project export const loginRequest = { ## Start the authentication libraries -Public client applications are not trusted to safely keep application secrets, so they don't have client secrets. In the *src/app* folder, open *app.module.ts* and make the following changes: +Public client applications aren't trusted to safely keep application secrets, so they don't have client secrets. In the *src/app* folder, open *app.module.ts* and make the following changes: 1. Import the MSAL Angular and MSAL Browser libraries. 1. Import the Azure AD B2C configuration module. |
active-directory-b2c | Tokens Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tokens-overview.md | Azure AD B2C supports the [OAuth 2.0 and OpenID Connect protocols](protocols-ove The following tokens are used in communication with Azure AD B2C: -- **ID token** - A JWT that contains claims that you can use to identify users in your application. This token is securely sent in HTTP requests for communication between two components of the same application or service. You can use the claims in an ID token as you see fit. They're commonly used to display account information or to make access control decisions in an application. ID tokens are signed, but the're not encrypted. When your application or API receives an ID token, it must validate the signature to prove that the token is authentic. Your application or API must also validate a few claims in the token to prove that it's valid. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario.+- **ID token** - A JWT that contains claims that you can use to identify users in your application. This token is securely sent in HTTP requests for communication between two components of the same application or service. You can use the claims in an ID token as you see fit. They're commonly used to display account information or to make access control decisions in an application. ID tokens are signed, but they're not encrypted. When your application or API receives an ID token, it must validate the signature to prove that the token is authentic. Your application or API must also validate a few claims in the token to prove that it's valid. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario. - **Access token** - A JWT that contains claims that you can use to identify the granted permissions to your APIs. Access tokens are signed, but they aren't encrypted. Access tokens are used to provide access to APIs and resource servers. When your API receives an access token, it must validate the signature to prove that the token is authentic. Your API must also validate a few claims in the token to prove that it's valid. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario. -- **Refresh token** - Refresh tokens are used to acquire new ID tokens and access tokens in an OAuth 2.0 flow. They provide your application with long-term access to resources on behalf of users without requiring interaction with those users. Refresh tokens are opaque to your application. They're issued by Azure AD B2C and can be inspected and interpreted only by Azure AD B2C. They're long-lived, but your application shouldn't be written with the expectation that a refresh token will last for a specific period of time. Refresh tokens can be invalidated at any moment for a variety of reasons. The only way for your application to know if a refresh token is valid is to attempt to redeem it by making a token request to Azure AD B2C. When you redeem a refresh token for a new token, you receive a new refresh token in the token response. Save the new refresh token. It replaces the refresh token that you previously used in the request. This action helps guarantee that your refresh tokens remain valid for as long as possible. Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours. [Learn more about the security implications of refresh tokens in the browser](../active-directory/develop/reference-third-party-cookies-spas.md#security-implications-of-refresh-tokens-in-the-browser). +- **Refresh token** - Refresh tokens are used to acquire new ID tokens and access tokens in an OAuth 2.0 flow. They provide your application with long-term access to resources on behalf of users without requiring interaction with those users. Refresh tokens are opaque to your application. They're issued by Azure AD B2C and can be inspected and interpreted only by Azure AD B2C. They're long-lived, but your application shouldn't be written with the expectation that a refresh token will last for a specific period of time. Refresh tokens can be invalidated at any moment for various reasons. The only way for your application to know if a refresh token is valid is to attempt to redeem it by making a token request to Azure AD B2C. When you redeem a refresh token for a new token, you receive a new refresh token in the token response. Save the new refresh token. It replaces the refresh token that you previously used in the request. This action helps guarantee that your refresh tokens remain valid for as long as possible. Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours. [Learn more about the security implications of refresh tokens in the browser](../active-directory/develop/reference-third-party-cookies-spas.md#security-implications-of-refresh-tokens-in-the-browser). ## Endpoints Security tokens that your application receives from Azure AD B2C can come from t When you use Azure AD B2C, you have fine-grained control over the content of your tokens. You can configure [user flows](user-flow-overview.md) and [custom policies](custom-policy-overview.md) to send certain sets of user data in claims that are required for your application. These claims can include standard properties such as **displayName** and **emailAddress**. Your applications can use these claims to securely authenticate users and requests. -The claims in ID tokens are not returned in any particular order. New claims can be introduced in ID tokens at any time. Your application shouldn't break as new claims are introduced. You can also include [custom user attributes](user-flow-custom-attributes.md) in your claims. +The claims in ID tokens aren't returned in any particular order. New claims can be introduced in ID tokens at any time. Your application shouldn't break as new claims are introduced. You can also include [custom user attributes](user-flow-custom-attributes.md) in your claims. The following table lists the claims that you can expect in ID tokens and access tokens issued by Azure AD B2C. The following table lists the claims that you can expect in ID tokens and access | Subject | `sub` | `884408e1-2918-4cz0-b12d-3aa027d7563b` | The principal about which the token asserts information, such as the user of an application. This value is immutable and can't be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource. By default, the subject claim is populated with the object ID of the user in the directory. | | Authentication context class reference | `acr` | Not applicable | Used only with older policies. | | Trust framework policy | `tfp` | `b2c_1_signupsignin1` | The name of the policy that was used to acquire the ID token. |-| Authentication time | `auth_time` | `1438535543` | The time at which a user last entered credentials, represented in epoch time. There is no discrimination between that authentication being a fresh sign-in, a single sign-on (SSO) session, or another sign-in type. The `auth_time` is the last time the application (or user) initiated an authentication attempt against Azure AD B2C. The method used to authenticate isn't differentiated. | +| Authentication time | `auth_time` | `1438535543` | The time at which a user last entered credentials, represented in epoch time. There's no discrimination between that authentication being a fresh sign-in, a single sign-on (SSO) session, or another sign-in type. The `auth_time` is the last time the application (or user) initiated an authentication attempt against Azure AD B2C. The method used to authenticate isn't differentiated. | | Scope | `scp` | `Read`| The permissions granted to the resource for an access token. Multiple granted permissions are separated by a space. | | Authorized Party | `azp` | `975251ed-e4f5-4efd-abcb-5f1a8f566ab7` | The **application ID** of the client application that initiated the request. | The following properties are used to [manage lifetimes of security tokens](confi - **Refresh token lifetime (days)** - The maximum time period before which a refresh token can be used to acquire a new access or ID token. The time period also covers acquiring a new refresh token if your application has been granted the `offline_access` scope. The default is 14 days. The minimum (inclusive) is one day. The maximum (inclusive) is 90 days. -- **Refresh token sliding window lifetime (days)** - After this time period elapses the user is forced to reauthenticate, irrespective of the validity period of the most recent refresh token acquired by the application. It can only be provided if the switch is set to **Bounded**. It needs to be greater than or equal to the **Refresh token lifetime (days)** value. If the switch is set to **No expiry**, you cannot provide a specific value. The default is 90 days. The minimum (inclusive) is one day. The maximum (inclusive) is 365 days.+- **Refresh token sliding window lifetime (days)** - After this time period elapses the user is forced to reauthenticate, irrespective of the validity period of the most recent refresh token acquired by the application. It can only be provided if the switch is set to **Bounded**. It needs to be greater than or equal to the **Refresh token lifetime (days)** value. If the switch is set to **No expiry**, you can't provide a specific value. The default is 90 days. The minimum (inclusive) is one day. The maximum (inclusive) is 365 days. The following use cases are enabled using these properties: |
active-directory-b2c | User Flow Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-flow-custom-attributes.md | zone_pivot_groups: b2c-policy-type [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)] -In the [Add claims and customize user input using custom policies](configure-user-input.md) article you learn how to use built-in [user profile attributes](user-profile-attributes.md). In this article, you enable a custom attribute in your Azure Active Directory B2C (Azure AD B2C) directory. Later, you can use the new attribute as a custom claim in [user flows](user-flow-overview.md) or [custom policies](user-flow-overview.md) simultaneously. +In the [Add claims and customize user input using custom policies](configure-user-input.md) article, you learn how to use built-in [user profile attributes](user-profile-attributes.md). In this article, you enable a custom attribute in your Azure Active Directory B2C (Azure AD B2C) directory. Later, you can use the new attribute as a custom claim in [user flows](user-flow-overview.md) or [custom policies](user-flow-overview.md) simultaneously. Your Azure AD B2C directory comes with a [built-in set of attributes](user-profile-attributes.md). However, you often need to create your own attributes to manage your specific scenario, for example when: Azure AD B2C allows you to extend the set of attributes stored on each user acco ## Create a custom attribute 1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.-1. Make sure you're using the directory that contains your Azure AD B2C tenant by switching to it in the top-right corner of the Azure portal. Select your subscription information, and then select **Switch Directory**. +1. Make sure you're using the directory that contains your Azure AD B2C tenant: + 1. Select the **Directories + subscriptions** icon in the portal toolbar. + 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch** 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**. 1. Select **User attributes**, and then select **Add**. 1. Provide a **Name** for the custom attribute (for example, "ShoeSize") Azure AD B2C allows you to extend the set of attributes stored on each user acco 1. Optionally, enter a **Description** for informational purposes. 1. Select **Create**. -The custom attribute is now available in the list of **User attributes** and for use in your user flows. A custom attribute is only created the first time it is used in any user flow, and not when you add it to the list of **User attributes**. +The custom attribute is now available in the list of **User attributes** and for use in your user flows. A custom attribute is only created the first time it's used in any user flow, and not when you add it to the list of **User attributes**. ::: zone pivot="b2c-user-flow" Once you've created a new user using the user flow, you can use the [Run user fl ## Azure AD B2C extensions app -Extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called `b2c-extensions-app`. Do not modify this application, as it's used by Azure AD B2C for storing user data. You can find this application under Azure AD B2C, app registrations. +Extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called `b2c-extensions-app`. Don't modify this application, as it's used by Azure AD B2C for storing user data. You can find this application under Azure AD B2C, app registrations. ::: zone pivot="b2c-user-flow" ### Get extensions app's application ID 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Azure AD B2C tenant; + 1. Select the **Directories + subscriptions** icon in the portal toolbar. + 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**. 1. Select **App registrations**, and then select **All applications**. 1. Select the `b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.` application. Extension attributes can only be registered on an application object, even thoug ### Get extensions app's application properties 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Azure AD B2C tenant: + 1. Select the **Directories + subscriptions** icon in the portal toolbar. + 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**. 1. Select **App registrations**, and then select **All applications**. 1. Select the **b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.** application. Extension attributes can only be registered on an application object, even thoug ## Modify your custom policy -To enable custom attributes in your policy, provide **Application ID** and Application **Object ID** in the AAD-Common technical profile metadata. The *AAD-Common* technical profile is found in the base [Azure Active Directory](active-directory-technical-profile.md) technical profile, and provides support for Azure AD user management. Other Azure AD technical profiles include the AAD-Common to leverage its configuration. Override the AAD-Common technical profile in the extension file. +To enable custom attributes in your policy, provide **Application ID** and Application **Object ID** in the AAD-Common technical profile metadata. The *AAD-Common* technical profile is found in the base [Azure Active Directory](active-directory-technical-profile.md) technical profile, and provides support for Azure AD user management. Other Azure AD technical profiles include the AAD-Common to use its configuration. Override the AAD-Common technical profile in the extension file. 1. Open the extensions file of your policy. For example, <em>`SocialAndLocalAccounts/`**`TrustFrameworkExtensions.xml`**</em>. 1. Find the ClaimsProviders element. Add a new ClaimsProvider to the ClaimsProviders element. To enable custom attributes in your policy, provide **Application ID** and Appli ## Upload your custom policy 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure B2C AD tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Azure B2C AD tenant: + 1. Select the **Directories + subscriptions** icon in the portal toolbar. + 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**. 1. Select **Identity Experience Framework**. 1. Select **Upload Custom Policy**, and then upload the TrustFrameworkExtensions.xml policy files that you changed. > [!NOTE]-> The first time the Azure AD technical profile persists the claim to the directory, it checks whether the custom attribute exists. If not, it creates the custom attribute. +> The first time the Azure AD technical profile persists the claim to the directory, it checks whether the custom attribute exists. If it doesn't, it creates the custom attribute. ## Create a custom attribute through Azure portal The following example demonstrates the use of a custom attribute in Azure AD B2C You can use Microsoft Graph to create and manage the custom attributes then set the values for a user. Extension attributes are also called directory or Azure AD extensions. -Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention `extension_{appId-without-hyphens}_{extensionProperty-name}` where `{appId-without-hyphens}` is the stripped version of the **appId** (called Client ID on the Azure AD B2C portal) for the `b2c-extensions-app` with only characters 0-9 and A-Z. For example, if the **appId** of the `b2c-extensions-app` application is `25883231-668a-43a7-80b2-5685c3f874bc` and the attribute name is `loyaltyId`, then the custom attribute will be named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`. +Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention `extension_{appId-without-hyphens}_{extensionProperty-name}` where `{appId-without-hyphens}` is the stripped version of the **appId** (called Client ID on the Azure AD B2C portal) for the `b2c-extensions-app` with only characters 0-9 and A-Z. For example, if the **appId** of the `b2c-extensions-app` application is `25883231-668a-43a7-80b2-5685c3f874bc` and the attribute name is `loyaltyId`, then the custom attribute is named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`. Learn how to [manage extension attributes in your Azure AD B2C tenant](microsoft-graph-operations.md#application-extension-directory-extension-properties) using the Microsoft Graph API. Unlike built-in attributes, custom attributes can be removed. The extension attr ::: zone pivot="b2c-user-flow" -Use the following steps to remove a custom attribute from a user flow in your: +Use the following steps to remove a custom attribute from a user flow in your tenant: 1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant. 2. Make sure you're using the directory that contains your Azure AD B2C tenant: Use the [Microsoft Graph API](microsoft-graph-operations.md#application-extensio ## Next steps -Follow the guidance for how to [add claims and customize user input using custom policies](configure-user-input.md). This sample uses a built-in claim 'city'. To use a custom attribute, replace 'city' with your own custom attributes. +Learn how to [add claims and customize user input using custom policies](configure-user-input.md). This sample uses a built-in claim 'city'. To use a custom attribute, replace 'city' with your own custom attributes. <!-- LINKS --> |
active-directory-domain-services | Migrate From Classic Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/migrate-from-classic-vnet.md | With your managed domain migrated to the Resource Manager deployment model, [cre [migration-benefits]: concepts-migration-benefits.md <!-- EXTERNAL LINKS -->-[powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/ +[powershell-script]: https://www.powershellgallery.com/packages/Migrate-Aadds/ |
active-directory-domain-services | Scoped Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/scoped-synchronization.md | To learn more about the synchronization process, see [Understand synchronization [concepts-sync]: synchronization.md [tutorial-create-instance]: tutorial-create-instance.md [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md |
active-directory-domain-services | Template Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/template-create-instance.md | To see the managed domain in action, you can [domain-join a Windows VM][windows- [Get-AzSubscription]: /powershell/module/Az.Accounts/Get-AzSubscription [cloud-shell]: ../cloud-shell/cloud-shell-windows-users.md [naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain-[New-AzResourceGroupDeployment]: /powershell/module/Az.Resources/New-AzResourceGroupDeployment +[New-AzResourceGroupDeployment]: /powershell/module/Az.Resources/New-AzResourceGroupDeployment |
active-directory-domain-services | Troubleshoot Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot-alerts.md | To check for applied policies on the Azure AD DS components and update them, com 1. For each of the managed domain's network components in your resource group, such as virtual network, NIC, or public IP address, check the operation logs in the Azure portal. These operation logs should indicate why an operation is failing and where a restrictive policy is applied. 1. Select the resource where a policy is applied, then under **Policies**, select and edit the policy so it's less restrictive. +## AADDS120: The managed domain has encountered an error onboarding one or more custom attributes ++### Alert message ++*The following Azure AD extension properties have not successfully onboarded as a custom attribute for synchronization. This may happen if a property conflicts with the built-in schema: \[extensions]* ++### Resolution ++>[!WARNING] +>If a custom attribute's LDAPName conflicts with an existing AD built-in schema attribute, it can't be onboarded and results in an error. Contact Microsoft Support if your scenario is blocked. For more information, see [Onboarding Custom Attributes](https://aka.ms/aadds-customattr). ++Review the [Azure AD DS Health](check-health.md) alert and see which Azure AD extension properties failed to onboard successfully. Navigate to the **Custom Attributes** page to find the expected Azure AD DS LDAPName of the extension. Make sure the LDAPName doesn't conflict with another AD schema attribute, or that it's one of the allowed built-in AD attributes. ++Then follow these steps to retry onboarding the custom attribute in the **Custom Attributes** page: ++1. Select the attributes that were unsuccessful, then click **Remove** and **Save**. +1. Wait for the health alert to be removed, or verify that the corresponding attributes have been removed from the **AADDSCustomAttributes** OU from a domain-joined VM. +1. Select **Add** and choose the desired attributes again, then click **Save**. ++Upon successful onboarding, Azure AD DS will back fill synchronized users and groups with the onboarded custom attribute values. The custom attribute values appear gradually, depending on the size of the tenant. To check the backfill status, go to [Azure AD DS Health](check-health.md) and verify the **Synchronization with Azure AD** monitor timestamp has updated within the last hour. + ## AADDS500: Synchronization has not completed in a while ### Alert message |
active-directory | Use Scim To Provision Users And Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md | organization.", **TLS Protocol Versions** -The only acceptable TLS protocol versions are TLS 1.2 and TLS 1.3. No other versions of TLS are permitted. No version of SSL is permitted. +The only acceptable protocol versions are TLS 1.2 and TLS 1.3. No other SSL/TLS versions are permitted. - RSA keys must be at least 2,048 bits. - ECC keys must be at least 256 bits, generated using an approved elliptic curve The .NET Core SDK includes an HTTPS development certificate that is used during * Microsoft.SCIM.WebHostSample: `https://localhost:5001` * IIS Express: `https://localhost:44359` -For more information on HTTPS in ASP.NET Core use the following link: +For more information on HTTPS in ASP.NET Core, use the following link: [Enforce HTTPS in ASP.NET Core](/aspnet/core/security/enforcing-ssl) ### Handling endpoint authentication -Requests from Azure AD Provisioning Service include an OAuth 2.0 bearer token. The bearer token is a security token that's issued by an authorization server, such as Azure AD and is trusted by your application. You can configure the Azure AD provisions service to use one of the following tokens: +Requests from Azure AD Provisioning Service include an OAuth 2.0 bearer token. An authorization server issues the bearer token. Azure AD is an example of a trusted authorization server. Configure the Azure AD provisioning service to use one of the following tokens: - A long-lived bearer token. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. In a development environment, you can use the testing token from the `/scim/token` endpoint. Test tokens shouldn't be used in production environments. - Azure AD bearer token. If **Secret Token** field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token. - The application that receives requests should validate the token issuer as being Azure AD for an expected Azure AD tenant.- - In the token, the issuer is identified by an `iss` claim. For example, `"iss":"https://sts.windows.net/12345678-0000-0000-0000-000000000000/"`. In this example, the base address of the claim value, `https://sts.windows.net` identifies Azure AD as the issuer, while the relative address segment, _12345678-0000-0000-0000-000000000000_, is a unique identifier of the Azure AD tenant for which the token was issued. + - An `iss` claim identifies the issuer of the token. For example, `"iss":"https://sts.windows.net/12345678-0000-0000-0000-000000000000/"`. In this example, the base address of the claim value, `https://sts.windows.net` identifies Azure AD as the issuer, while the relative address segment, _12345678-0000-0000-0000-000000000000_, is a unique identifier of the Azure AD tenant for which the token was issued. - The audience for a token is the **Application ID** for the application in the gallery. Applications registered in a single tenant receive the same `iss` claim with SCIM requests. The application ID for all custom apps is _8adf8e6e-67b2-4cf2-a259-e3dc5476c621_. The token generated by the Azure AD provisioning service should only be used for testing. It shouldn't be used in production environments. |
active-directory | Concept Condition Filters For Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-condition-filters-for-devices.md | The following device attributes can be used with the filter for devices conditio | model | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.model -notContains "Surface") | | operatingSystem | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | A valid operating system (like Windows, iOS, or Android) | (device.operatingSystem -eq "Windows") | | operatingSystemVersion | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | A valid operating system version (like 6.1 for Windows 7, 6.2 for Windows 8, or 10.0 for Windows 10 and Windows 11) | (device.operatingSystemVersion -in ["10.0.18363", "10.0.19041", "10.0.19042", "10.0.22000"]) |-| physicalIds | Contains, NotContains | As an example all Windows Autopilot devices store ZTDId (a unique value assigned to all imported Windows Autopilot devices) in device physicalIds property. | (device.devicePhysicalIDs -contains "[ZTDId]:value") | +| physicalIds | Contains, NotContains | As an example all Windows Autopilot devices store ZTDId (a unique value assigned to all imported Windows Autopilot devices) in device physicalIds property. | (device.physicalIds -contains "[ZTDId]:value") | | profileType | Equals, NotEquals | A valid profile type set for a device. Supported values are: RegisteredDeviceΓÇ»(default), SecureVM (used for Windows VMs in Azure enabled with Azure AD sign in.), Printer (used for printers), Shared (used for shared devices), IoT (used for IoT devices) | (device.profileType -eq "Printer") | | systemLabels | Contains, NotContains | List of labels applied to the device by the system. Some of the supported values are: AzureResource (used for Windows VMs in Azure enabled with Azure AD sign in), M365Managed (used for devices managed using Microsoft Managed Desktop), MultiUser (used for shared devices) | (device.systemLabels -contains "M365Managed") | | trustType | Equals, NotEquals | A valid registered state for devices. Supported values are: AzureAD (used for Azure AD joined devices), ServerAD (used for Hybrid Azure AD joined devices), Workplace (used for Azure AD registered devices) | (device.trustType -eq "ServerAD") | |
active-directory | Concept Token Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-token-protection.md | + + Title: Token protection in Azure AD Conditional Access +description: Learn how to use token protection in Conditional Access policies. +++ Last updated : 03/09/2023+++++++++# Conditional Access: Token protection (preview) ++Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant. ++Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). This connection means that any issued sign-in token is tied to the device significantly reducing the chance of theft and replay attacks. These sign-in tokens are specifically the session cookies in Microsoft Edge and most Microsoft product refresh tokens in this preview release. ++With this preview, we're giving you the ability to create a Conditional Access policy to require token protection for sign-in tokens for specific services. We support token protection for sign-in tokens in Conditional Access for Exchange Online and SharePoint Online on Windows devices. +++## Requirements ++This preview supports the following configurations: ++* Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered. +* OneDrive sync client version 22.217 or later +* Teams native client version 1.6.00.1331 or later +* Office Perpetual clients aren't supported ++### Known limitations ++- External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy. +- The following applications don't support signing in using protected token flows and users are blocked when accessing Exchange and SharePoint: + - Power BI Desktop client + - PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint + - PowerQuery extension for Excel + - Extensions to Visual Studio Code which access Exchange or SharePoint + - Visual Studio +- The following Windows client devices aren't supported: + - Windows Server + - Surface Hub ++## Deployment ++For users, the deployment of a Conditional Access policy to enforce token protection should be invisible when using compatible client platforms on registered devices and compatible applications. ++To minimize the likelihood of user disruption due to app or device incompatibility, we highly recommend: ++- Start with a pilot group of users, and expand over time. +- Create a Conditional Access policy in [report-only mode](concept-conditional-access-report-only.md) before moving to enforcement of token protection. +- Capture both Interactive and Non-interactive sign in logs. +- Analyze these logs for long enough to cover normal application use. +- Add known good users to an enforcement policy. ++This process helps to assess your usersΓÇÖ client and app compatibility for token protection enforcement. ++### Create a Conditional Access policy ++Users who perform specialized roles like those described in [Privileged access security levels](/security/compass/privileged-access-security-levels#specialized) are possible targets for this functionality. We recommend piloting with a small subset to begin. +++The steps that follow help create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices. ++1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Select **New policy**. +1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. +1. Under **Assignments**, select **Users or workload identities**. + 1. Under **Include**, select the users or groups who are testing this policy. + 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. +1. Under **Cloud apps or actions** > **Include**, select **Select apps**. + 1. Under **Select**, select the following applications supported by the preview: + 1. Office 365 Exchange Online + 1. Office 365 SharePoint Online + + > [!WARNING] + > Your Conditional Access policy should only be configured for these applications. Selecting the **Office 365** application group may result in unintended failures. This is an exception to the general rule that the **Office 365** application group should be selected in a Conditional Access policy. ++ 1. Choose **Select**. +1. Under **Conditions**: + 1. Under **Device platforms**: + 1. Set **Configure** to **Yes**. + 1. **Include** > **Select device platforms** > **Windows**. + 1. Select **Done**. + 1. Under **Client apps**: + 1. Set **Configure** to **Yes**. + 1. Under Modern authentication clients, only select **Mobile apps and desktop clients**. Leave other items unchecked. + 1. Select **Done**. +1. Under **Access controls** > **Session**, select **Require token protection for sign-in sessions** and select **Select**. +1. Confirm your settings and set **Enable policy** to **Report-only**. +1. Select **Create** to create to enable your policy. ++After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**. ++### Capture logs and analyze ++Monitoring Conditional Access enforcement of token protection before and after enforcement. ++#### Sign-in logs ++Use Azure AD sign-in log to verify the outcome of a token protection enforcement policy in report only mode or in enabled mode. ++1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Browse to **Azure Active Directory** > **Sign-in logs**. +1. Select a specific request to determine if the policy is applied or not. +1. Go to the **Conditional Access** or **Report-Only** pane depending on its state and select the name of your policy requiring token protection. +1. Under **Session Controls** check to see if the policy requirements were satisfied or not. +++#### Log Analytics ++You can also use [Log Analytics](../reports-monitoring/tutorial-log-analytics-wizard.md) to query the sign-in logs (interactive and non-interactive) for blocked requests due to token protection enforcement failure. ++Here's a sample Log Analytics query searching the non-interactive sign-in logs for the last seven days, highlighting **Blocked** versus **Allowed** requests by **Application**. ++```kusto +//Per Apps query +// Select the log you want to query (SigninLogs or AADNonInteractiveUserSignInLogs ) +//SigninLogs +AADNonInteractiveUserSignInLogs +// Adjust the time range below +| where TimeGenerated > ago(7d) +| project Id,ConditionalAccessPolicies, Status,UserPrincipalName, AppDisplayName, ResourceDisplayName +| where ConditionalAccessPolicies != "[]" +| where ResourceDisplayName == "Office 365 Exchange Online" or ResourceDisplayName =="Office 365 SharePoint Online" +//Add userPrinicpalName if you want to filter +// | where UserPrincipalName =="<user_principal_Name>" +| mv-expand todynamic(ConditionalAccessPolicies) +| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Protection"]' +| where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" +| extend SessionNotSatisfyResult = ConditionalAccessPolicies["sessionControlsNotSatisfied"] +| extend Result = case (SessionNotSatisfyResult contains 'Protection', 'Block','Allow') +| summarize by Id,UserPrincipalName, AppDisplayName, Result +| summarize Requests = count(), Users = dcount(UserPrincipalName), Block = countif(Result == "Block"), Allow = countif(Result == "Allow"), BlockedUsers = dcountif(UserPrincipalName, Result == "Block") by AppDisplayName +| extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) +| sort by Requests desc +``` ++The result of the previous query should be similar to the following screenshot: +++The following query example looks at the non-interactive sign-in log for the last seven days, highlighting **Blocked** versus **Allowed** requests by **User**. + +```kusto +//Per users query +// Select the log you want to query (SigninLogs or AADNonInteractiveUserSignInLogs ) +//SigninLogs +AADNonInteractiveUserSignInLogs +// Adjust the time range below +| where TimeGenerated > ago(7d) +| project Id,ConditionalAccessPolicies, UserPrincipalName, AppDisplayName, ResourceDisplayName +| where ConditionalAccessPolicies != "[]" +| where ResourceDisplayName == "Office 365 Exchange Online" or ResourceDisplayName =="Office 365 SharePoint Online" +//Add userPrincipalName if you want to filter +// | where UserPrincipalName =="<user_principal_Name>" +| mv-expand todynamic(ConditionalAccessPolicies) +| where ConditionalAccessPolicies.enforcedSessionControls contains '["Protection"]' +| where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" +| extend SessionNotSatisfyResult = ConditionalAccessPolicies.sessionControlsNotSatisfied +| extend Result = case (SessionNotSatisfyResult contains 'Protection', 'Block','Allow') +| summarize by Id, UserPrincipalName, AppDisplayName, ResourceDisplayName,Result +| summarize Requests = count(),Block = countif(Result == "Block"), Allow = countif(Result == "Allow") by UserPrincipalName, AppDisplayName,ResourceDisplayName +| extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) +| sort by UserPrincipalName asc +``` ++## Next steps ++- [What is a Primary Refresh Token?](../devices/concept-primary-refresh-token.md) |
active-directory | Terms Of Use | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/terms-of-use.md | You can configure a Conditional Access policy for the Microsoft Intune Enrollmen > [!NOTE] > The Intune Enrollment app is not supported for [Per-device terms of use](#per-device-terms-of-use). +> [!NOTE] +> For iOS/iPadOS Automated device enrollment, adding a custom URL to the Azure AD Terms of Use policy doesn't allow for users to open the policy from the URL in Setup Assistant to read it. The policy can be read by the user after Setup Assistant is completed from the Company Portal website, or in the Company Portal app.  + ## Frequently asked questions **Q: I cannot sign in using PowerShell when terms of use is enabled.**<br /> |
active-directory | Multi Service Web App Access Microsoft Graph As App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/multi-service-web-app-access-microsoft-graph-as-app.md | Last updated 08/19/2022 ms.devlang: csharp, javascript--#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities. + +#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities. # Tutorial: Access Microsoft Graph from a secured app as the app If you're finished with this tutorial and no longer need the web app or associat ## Next steps > [!div class="nextstepaction"]-> [Clean up resources](multi-service-web-app-clean-up-resources.md)) +> [Clean up resources](multi-service-web-app-clean-up-resources.md)) |
active-directory | Publisher Verification Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/publisher-verification-overview.md | App developers must meet a few requirements to complete the publisher verificati - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): MPN Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD). -- The user who initiates verification must sign in by using [multifactor authentication](../authentication/howto-mfa-getstarted.md).+- The user who initiates verification must sign in by using [Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md). - The publisher must consent to the [Microsoft identity platform for developers Terms of Use](/legal/microsoft-identity-platform/terms-of-use). |
active-directory | Workload Identity Federation Create Trust User Assigned Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/workload-identity-federation-create-trust-user-assigned-managed-identity.md | https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RES ## Next steps -- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format).+- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format). |
active-directory | Workload Identity Federation Create Trust | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/workload-identity-federation-create-trust.md | |
active-directory | Domains Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-manage.md | Keep your domain names current with your Registrar, and verify TXT records for a * If you purposefully are expiring your domain name or turning over ownership to someone else (separately from your Azure AD tenant), you should delete it from your Azure AD tenant prior to expiring or transferring. * If you do allow your domain name to expire, if you are able to reactivate it/regain control of it, carefully review all TXT records with the registrar to ensure no tampering of your domain name took place.-* If you can't reactivate or regain control of your domain name immediately, you should delete it from your Azure AD tenant. Dom't readd/re-verify until you are able to resolve ownership of the domain name and verify the full TXT record for correctness. +* If you can't reactivate or regain control of your domain name immediately, you should delete it from your Azure AD tenant. Don't read/re-verify until you are able to resolve ownership of the domain name and verify the full TXT record for correctness. >[!NOTE] > Microsoft will not allow a domain name to be verified with more than Azure AD tenant. Once you delete a domain name from your tenant, you will not be able to re-add/re-verify it with your Azure AD tenant if it is subsequently added and verified with another Azure AD tenant. |
active-directory | Active Directory How To Find Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-how-to-find-tenant.md | |
active-directory | Four Steps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/four-steps.md | Title: Four steps to a strong identity foundation - Azure AD -description: This topic describes four steps hybrid identity customers can take to build a strong identity foundation. +description: This article describes four steps hybrid identity customers can take to build a strong identity foundation. -Managing access to apps and data can no longer rely on the traditional network security boundary strategies such as perimeter networks and firewalls because of the rapid movement of apps to the cloud. Now organizations must trust their identity solution to control who and what has access to the organization's apps and data. More organizations are allowing employees to bring their own devices to work and use their devices from anywhere they can connect to the Internet. Ensuring those devices are compliant and secure has become an important consideration in the identity solution an organization chooses to implement. In today's digital workplace, [identity is the primary control plane](https://www.microsoft.com/security/technology/identity-access-management?rtc=1) of any organization moving to the cloud. +Managing access to apps and data can no longer rely on the traditional network security boundary strategies such as perimeter networks and firewalls because of the rapid movement of apps to the cloud. Now organizations must trust their identity solution to control who and what has access to the organization's apps and data. More organizations are allowing employees to bring their own devices to work and use their devices from anywhere they can connect to the Internet from. Ensuring those devices are compliant and secure has become an important consideration in the identity solution an organization chooses to implement. In today's digital workplace, [identity is the primary control plane](https://www.microsoft.com/security/technology/identity-access-management?rtc=1) of any organization moving to the cloud. -In adopting an Azure Active Directory (Azure AD) hybrid identity solution, organizations gain access to premium features that unlock productivity through automation, delegation, self-service, and single sign-on capabilities. It allows your workers to access company resources from wherever they need to do their work while allowing your IT team to govern that access by ensuring that the right people have the right access to the right resources to establish secure productivity. +In adopting an Azure Active Directory (Azure AD) hybrid identity solution, organizations gain access to premium features that unlock productivity through automation, delegation, self-service, and single sign-on capabilities. It allows employees to access company resources from wherever they need to do their work while allowing IT teams to govern that access and ensure that the right people have the right access to the right resources for the right time to establish secure productivity. -Based on our learnings, this checklist of best practices will help you quickly deploy recommended actions to build a *strong* identity foundation in your organization: +Based on our learnings, this checklist of best practices helps you quickly deploy recommended actions to build a *strong* identity foundation in your organization: * Connect to apps easily * Establish one identity for every user automatically Based on our learnings, this checklist of best practices will help you quickly d ## Step 1 - Connect to apps easily -By connecting your apps with Azure AD, you can improve end-user productivity and security by enabling single sign-on (SSO) and do user provisioning. By managing your apps in a single place, Azure AD, you can minimize administrative overhead and achieve a single point of control for your security and compliance policies. +By connecting your apps with Azure AD, you can improve end-user productivity and security by enabling single sign-on (SSO) and performing automatic user provisioning. By managing your apps in a single place, Azure AD, you can minimize administrative overhead and achieve a single point of control for your security and compliance policies. This section covers your options for managing user access to apps, enabling secure remote access to internal apps, and the benefits of migrating your apps to Azure AD. ### Make apps available to your users seamlessly -Azure AD enables administrators to [add applications](../manage-apps/add-application-portal.md) to the Enterprise applications gallery in the [Azure portal](https://portal.azure.com/). Adding applications to the Enterprise applications gallery makes it easier for you to configure applications to use Azure AD as your identity provider. It also lets you manage user access to the application with Conditional Access policies and configure single sign-on (SSO) to applications so that users don't have to enter their passwords repeatedly and are automatically signed into both on-premises and cloud-based applications. +Azure AD enables administrators to [add applications](../manage-apps/add-application-portal.md) to the Azure AD application gallery in the [Azure portal](https://portal.azure.com/). Adding applications to the Enterprise applications gallery makes it easier for you to configure applications to use Azure AD as your identity provider. It also lets you manage user access to the application with Conditional Access policies and configure single sign-on (SSO) to applications so that users don't have to enter their passwords repeatedly and are automatically signed into both on-premises and cloud-based applications. -Once applications are added to the Azure AD gallery, users can see apps that are assigned to them and search and request other apps as needed. Azure AD provides [several methods](../manage-apps/end-user-experiences.md) for users to access their apps: +Once applications are integrated into Azure AD gallery, users can see apps that are assigned to them and search and request other apps as needed. Azure AD provides [several methods](../manage-apps/end-user-experiences.md) for users to access their apps: -* Access panel/My Apps +* My Apps portal * Microsoft 365 app launcher * Direct sign-on to federated apps * Direct sign-on links -To learn more about user access to apps, see **Step 3 -- Empower Your Users** in this article. +To learn more about user access to apps, see [Step 3](#step-3empower-your-users-securely). ### Migrate apps from Active Directory Federation Services to Azure AD Migrating single sign-on configuration from Active Directory Federation Services * Increasing productivity * Addressing compliance and governance -To learn more, see the [Migrating Your Applications to Azure Active Directory](https://aka.ms/migrateapps/whitepaper) whitepaper. - ### Enable secure remote access to apps -[Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md) provides a simple solution for organizations to publish on-premises apps to the cloud for remote users who need access to internal apps in a secure manner. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through external URLs or an internal application portal. +[Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md) provides a simple solution for organizations to publish on-premises apps to the cloud for remote users who need access to internal apps in a secure manner. After single sign-on to Azure AD, users can access both cloud and on-premises applications through external URLs or the My Apps portal. Azure AD Application Proxy offers the following benefits: * Extending Azure AD to on-premises resources * Cloud-scale security and protection * Features like Conditional Access and Multi-Factor Authentication that are easy to enable-* No components in the perimeter network such as VPN and traditional reverse proxy solutions +* No components needed in the perimeter network such as VPN and traditional reverse proxy solutions * No inbound connections required * Single sign-on (SSO) across devices, resources, and apps in the cloud and on-premises * Empowers end users to be productive anytime and anywhere ### Discover Shadow IT with Microsoft Defender for Cloud Apps -In modern enterprises, IT departments are often not aware of all the cloud applications that are used by the users to do their work. When IT admins are asked how many cloud apps they think their employees use, on average they say 30 or 40. In reality, the average is over 1,000 separate apps being used by employees in your organization. 80% of employees use non-sanctioned apps that no one has reviewed and may not be compliant with your security and compliance policies. +In modern enterprises, IT departments are often not aware of all cloud applications that are used by the users to do their work. When IT admins are asked how many cloud apps they think their employees use, on average they say 30 or 40. In reality, the average is over 1,000 separate apps being used by employees in your organization. 80% of employees use non-sanctioned apps that no one has reviewed and may not be compliant with your security and compliance policies. -[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) can help you identify useful apps that are popular with users that IT may sanction and add to the Enterprise applications gallery so that users benefit from capabilities such as SSO and Conditional Access. +[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) can help you identify useful apps that are popular with users that IT may sanction and integrate in Azure AD so that users benefit from capabilities such as SSO and Conditional Access. <em>"**Defender for Cloud Apps** helps us ensure that our people are properly using our cloud and SaaS applications, in ways that support the foundational security policies that help protect Accenture."</em> [John Blasi, Managing Director, Information Security, Accenture](https://customers.microsoft.com/story/accenture-professional-services-cloud-app-security) -In addition to detecting shadow IT, Defender for Cloud Apps can also determine the risk level of apps, prevent unauthorized access to corporate data, possible data leakage, and other security risks inherent in the applications. +In addition to detecting shadow IT, Microsoft Defender for Cloud Apps can also determine the risk level of apps, prevent unauthorized access to corporate data, possible data leakage, and other security risks inherent in the applications. ## Step 2 - Establish one identity for every user automatically -Bringing on-premises and cloud-based directories together in an Azure AD hybrid identity solution will allow you to reuse your existing on-premises Active Directory investment by provisioning your existing identities in the cloud. The solution synchronizes on-premises identities with Azure AD, while IT keeps the on-premises Active Directory running with any existing governance solutions as the primary source of truth for identities. Microsoft's Azure AD hybrid identity solution spans on-premises and cloud-based capabilities, creating a common user identity for authentication and authorization to all resources regardless of their location. +Bringing on-premises and cloud-based directories together in an Azure AD hybrid identity solution allows you to reuse your existing on-premises Active Directory investment by provisioning your existing identities in the cloud. The solution synchronizes on-premises identities with Azure AD, while IT keeps the on-premises Active Directory running with any existing governance solutions as the primary source of truth for identities. Microsoft's Azure AD hybrid identity solution spans on-premises and cloud-based capabilities, creating a common user identity for authentication and authorization to all resources regardless of their location. -Integrating your on-premises directories with Azure AD makes your users more productive and prevents users from using multiple accounts across apps and services by providing a common identity for accessing both cloud and on-premises resources. Using multiple accounts is a pain point for end users and IT alike. From an end-user perspective, having multiple accounts means having to remember multiple passwords. To avoid this, many users reuse the same password for each account, which is bad from a security perspective. From an IT perspective, reuse often leads to more password resets and helpdesk costs along with the end-user complaints. +Integrate your on-premises directories with Azure AD to make your users more productive. Prevent users from using multiple accounts across apps and services by providing a common identity to access both cloud and on-premises resources. Using multiple accounts is a pain point for end users and IT alike. From an end-user perspective, having multiple accounts means having to remember multiple passwords. To avoid this, many users reuse the same password for each account, which is bad from a security perspective. From an IT perspective, reuse often leads to more password resets and helpdesk costs along with the end-user complaints. -Azure AD Connect is the tool that is used for to sync your on-premises identities to Azure AD, which can then be used to access cloud applications. Once the identities are in Azure AD, they can provision to SaaS applications like Salesforce or Concur. +Azure AD Connect is the tool that is used to synchronize your on-premises identities to Azure AD, which can then be used to access integrated applications. Once the identities are in Azure AD, they can be provisioned to SaaS applications like Salesforce or Concur. In this section, we list recommendations for providing high availability, modern authentication for the cloud, and reducing your on-premises footprint. In this section, we list recommendations for providing high availability, modern ### Set up a staging server for Azure AD Connect and keep it up-to-date -Azure AD Connect plays a key role in the provisioning process. If the Sync Server goes offline for any reason, changes to on-premises won't be updated in the cloud and cause access issues to users. It's important to define a failover strategy that allows administrators to quickly resume synchronization after the sync server goes offline. +Azure AD Connect plays a key role in the provisioning process. If the Server running Azure AD Connect goes offline for any reason, changes to on-premises won't be updated in the cloud and cause access issues to users. It's important to define a failover strategy that allows administrators to quickly resume synchronization after the Azure AD Connect server goes offline. -To provide high availability in the event your primary Azure AD Connect server goes offline, it's recommended that you deploy a separate [staging server](./how-to-connect-sync-staging-server.md) for Azure AD Connect. Deploying a server allows the administrator to "promote" the staging server to production by a simple configuration switch. Having a standby server configured in staging mode also allows you to test and deploy new configuration changes and introduce a new server if decommissioning the old one. +To provide high availability in the event your primary Azure AD Connect server goes offline, it's recommended that you deploy a separate [staging server](./how-to-connect-sync-staging-server.md) for Azure AD Connect. With a server in staging mode, you can make changes to the configuration and preview the changes before you make the server active. It also allows you to run full import and full synchronization to verify that all changes are expected before you make these changes into your production environment. Deploying a staging server allows the administrator to "promote" it to production by a simple configuration switch. Having a standby server configured in staging mode also allows you to introduce a new server if decommissioning the old one. > [!TIP] > Azure AD Connect is updated on a regular basis. Therefore, it's strongly recommended that you keep the staging server current in order to take advantage of the performance improvements, bug fixes, and new capabilities that each new version provides. To provide high availability in the event your primary Azure AD Connect server g Organizations with on-premises Active Directory should extend their directory to Azure AD using Azure AD Connect and configure the appropriate authentication method. [Choosing the correct authentication method](./choose-ad-authn.md) for your organization is the first step in your journey of moving apps to the cloud. It's a critical component since it controls access to all cloud data and resources. -The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Azure AD is to enable [Password Hash Synchronization](./how-to-connect-password-hash-synchronization.md) (PHS). Alternatively, some organizations may consider enabling [Pass-through Authentication](./how-to-connect-pta-quick-start.md) (PTA). +The simplest and recommended method to enable cloud authentication for on-premises directory objects in Azure AD is [Password Hash Synchronization](./how-to-connect-password-hash-synchronization.md) (PHS). Alternatively, some organizations may consider enabling [Pass-through Authentication](./how-to-connect-pta-quick-start.md) (PTA). -Whether you choose PHS or PTA, don't forget to enable [Seamless Single Sign-on](./how-to-connect-sso.md) to allow users to access cloud apps without constantly entering their username and password in the app when using Windows 7 and 8 devices on your corporate network. Without single sign-on, users must remember application-specific passwords and sign into each application. Likewise, IT staff needs to create and update user accounts for each application such as Microsoft 365, Box, and Salesforce. Users need to remember their passwords, plus spend the time to sign into each application. Providing a standardized single sign-on mechanism to the entire enterprise is crucial for best user experience, reduction of risk, ability to report, and governance. +Whether you choose PHS or PTA, don't forget to consider [SSO](./how-to-connect-sso.md) to allow users to access apps without constantly entering their username and password. SSO can be achieved by using [Hybrid Azure AD joined](../devices/concept-azure-ad-join-hybrid.md) or [Azure AD joined](../devices/concept-azure-ad-join.md) devices while keeping access to on-premises resources. For devices that canΓÇÖt be Azure AD joined, [Seamless single sign-on (Seamless SSO)](how-to-connect-sso-quick-start.md) helps provide those capabilities. Without single sign-on, users must remember application-specific passwords and sign into each application. Likewise, IT staff needs to create and update user accounts for each application such as Microsoft 365, Box, and Salesforce. Users need to remember their passwords, plus spend the time to sign into each application. Providing a standardized single sign-on mechanism to the entire enterprise is crucial for best user experience, reduction of risk, ability to report, and governance. -For organizations already using AD FS or another on-premises authentication provider, moving to Azure AD as your identity provider can reduce complexity and improve availability. Unless you have specific use cases for using federation, we recommend migrating from federated authentication to either PHS and Seamless SSO or PTA and Seamless SSO to enjoy the benefits of a reduced on-premises footprint and the flexibility the cloud offers with improved user experiences. For more information, see [Migrate from federation to password hash synchronization for Azure Active Directory](./migrate-from-federation-to-cloud-authentication.md). +For organizations already using AD FS or another on-premises authentication provider, moving to Azure AD as your identity provider can reduce complexity and improve availability. Unless you have specific use cases for using federation, we recommend migrating from federated authentication to either PHS or PTA. Doing this you can enjoy the benefits of a reduced on-premises footprint, and the flexibility the cloud offers with improved user experiences. For more information, see [Migrate from federation to password hash synchronization for Azure Active Directory](./migrate-from-federation-to-cloud-authentication.md). ### Enable automatic deprovisioning of accounts -Enabling automated provisioning and deprovisioning to your applications is the best strategy for governing the lifecycle of identities across multiple systems. Azure AD supports [automated, policy-based provisioning and deprovisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of user accounts to a variety of popular SaaS applications such as ServiceNow and Salesforce, and others that implement the [SCIM 2.0 protocol](../app-provisioning/use-scim-to-provision-users-and-groups.md). Unlike traditional provisioning solutions, which require custom code or manual uploading of CSV files, the provisioning service is hosted in the cloud, and features pre-integrated connectors that can be set up and managed using the Azure portal. A key benefit of automatic deprovisioning is that it helps secure your organization by instantly removing users' identities from key SaaS apps when they leave the organization. +Enabling automated provisioning and deprovisioning to your applications is the best strategy for governing the lifecycle of identities across multiple systems. Azure AD supports [automated, policy-based provisioning and deprovisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of user accounts to various popular SaaS applications such as ServiceNow and Salesforce, and others that implement the [SCIM 2.0 protocol](../app-provisioning/use-scim-to-provision-users-and-groups.md). Unlike traditional provisioning solutions, which require custom code or manual uploading of CSV files, the provisioning service is hosted in the cloud, and features pre-integrated connectors that can be set up and managed using the Azure portal. A key benefit of automatic deprovisioning is that it helps secure your organization by instantly removing users' identities from key SaaS apps when they leave the organization. To learn more about automatic user account provisioning and how it works, see [Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory](../app-provisioning/user-provisioning.md). ## Step 3 - Empower your users securely -In today's digital workplace, it's important to balance security with productivity. However, end users often push back on security measures that slow their productivity and access to cloud apps. To help address this, Azure AD provides self-service capabilities that enable users to remain productive while minimizing administrative overhead. +In today's digital workplace, it's important to balance security with productivity. However, end users often push back on security measures that slow their productivity and access to apps. To help address this, Azure AD provides self-service capabilities that enable users to remain productive while minimizing administrative overhead. This section lists recommendations for removing friction from your organization by empowering your users while remaining vigilant. This section lists recommendations for removing friction from your organization Azure's [self-service password reset](../authentication/tutorial-enable-sspr.md) (SSPR) offers a simple means for IT administrators to allow users to reset and unlock their passwords or accounts without administrator intervention. The system includes detailed reporting that tracks when users access the system, along with notifications to alert you to misuse or abuse. -By default, Azure AD unlocks accounts when it performs a password reset. However, when you enable Azure AD Connect [integration on-premises](../authentication/concept-sspr-howitworks.md#on-premises-integration), you also have the option to separate those two operations, which enable users to unlock their account without having to reset the password. +By default, Azure AD unlocks accounts when it performs a password reset. However, when you enable Azure AD Connect [integration on-premises](../authentication/concept-sspr-howitworks.md#on-premises-integration), you can also separate those two operations, which enable users to unlock their account without having to reset the password. ### Ensure all users are registered for MFA and SSPR -Azure provides reports that can be used by you and your organization to ensure users are registered for MFA and SSPR. Users who haven't registered may need to be educated on the process. +Azure provides reports that are used by organizations to ensure users are registered for MFA and SSPR. Users who haven't registered may need to be educated on the process. The MFA [sign-ins report](../authentication/howto-mfa-reporting.md) includes information about MFA usage and gives you insights into how MFA is working in your organization. Having access to sign-in activity (and audits and risk detections) for Azure AD is crucial for troubleshooting, usage analytics, and forensics investigations. Likewise, the [Self-service Password Management report](../authentication/howto- ### Self-service app management -Before your users can self-discover applications from their access panel, you need to enable [self-service application access](../manage-apps/access-panel-manage-self-service-access.md) to any applications that you wish to allow users to self-discover and request access to. Self-service application access is a great way to allow users to self-discover applications and optionally allow the business group to approve access to those applications. You can allow the business group to manage the credentials assigned to those users for [Password Single-Sign On Applications](../manage-apps/troubleshoot-password-based-sso.md#automatically-capture-sign-in-fields-for-an-app) right from their access panels. +Before your users can self-discover applications from their access panel, you need to enable [self-service application access](../manage-apps/access-panel-manage-self-service-access.md) to any applications that you wish to allow users to self-discover and request access to them. The request can optionally require approval before access being granted. ### Self-service group management Assigning users to applications is best mapped when using groups, because they a * Attribute-based using dynamic group membership * Delegation to app owners -Azure AD provides the ability to manage access to resources using security groups and Microsoft 365 groups. These groups can be managed by a group owner who can approve or deny membership requests and delegate control of group membership. Known as [self-service group management](../enterprise-users/groups-self-service-management.md), this feature saves time by allowing group owners who aren't assigned an administrative role to create and manage groups without having to rely on administrators to handle their requests. +Azure AD provides the ability to manage access to resources using security groups and Microsoft 365 groups. These groups are managed by a group owner who can approve or deny membership requests and delegate control of group membership. The [self-service group management](../enterprise-users/groups-self-service-management.md) feature, saves time by allowing group owners who aren't assigned an administrative role to create and manage groups without having to rely on administrators to handle their requests. ## Step 4 - Operationalize your insights Auditing and logging of security-related events and related alerts are essential * Is there anything suspicious or malicious happening in my tenant? * Who was impacted during a security incident? -Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks. You can use auditing to monitor user activity, document regulatory compliance, do forensic analysis, and more. Alerts provide notifications of security events. +Security logs and reports provide you with an electronic record of activities and help you detect patterns that may indicate attempted or successful attacks. You can use auditing to monitor user activity, document regulatory compliance, do forensic analysis, and more. Alerts provide notifications of security events. ### Assign least privileged admin roles for operations -As you think about your approach to operations, there are a couple levels of administration to consider. The first level places the burden of administration on your Hybrid Identity Administrator(s). Always using the Hybrid Identity Administrator role, might be appropriate for smaller companies. But for larger organizations with help desk personnel and administrators responsible for specific tasks, assigning the role of Hybrid Identity Administrator can be a security risk since it provides those individuals with the ability to manage tasks that are above and beyond what they should be capable of doing. +As you think about your approach to operations, there are a couple levels of administration to consider. The first level places the burden of administration on your Hybrid Identity Administrator(s). Always using the Hybrid Identity Administrator role, might be appropriate for smaller companies. But for larger organizations with help desk personnel and administrators responsible for specific tasks, assigning the role of Hybrid Identity Administrator can be a security risk since it provides those individuals with the ability to manage tasks that are beyond their capabilities. In this case, you should consider the next level of administration. Using Azure AD, you can designate end users as "limited administrators" who can manage tasks in less-privileged roles. For example, you might assign your help desk personnel the [security reader](../roles/permissions-reference.md#security-reader) role to provide them with the ability to manage security-related features with read-only access. Or perhaps it makes sense to assign the [authentication administrator](../roles/permissions-reference.md#authentication-administrator) role to individuals to give them the ability to reset non-password credentials or read and configure Azure Service Health. To learn more, go read [Monitor AD FS using Azure AD Connect Health](./how-to-co ### Create custom dashboards for your leadership and your day to day -Organizations that don't have a SIEM solution can download the [Power BI Content Pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md) for Azure AD. The Power BI content pack contains pre-built reports to help you understand how your users adopt and use Azure AD features, which allows you to gain insights into all the activities within your directory. You can also create your own [custom dashboard](/power-bi/service-dashboards) and share with your leadership team to report on day-to-day activities. Dashboards are a great way to monitor your business and see all of your most important metrics at a glance. The visualizations on a dashboard may come from one underlying dataset or many, and from one underlying report or many. A dashboard combines on-premises and cloud data, providing a consolidated view regardless of where the data lives. -- +Organizations that don't have a SIEM solution can use Azure Monitor workbooks for Azure AD(../reports-monitoring/howto-use-azure-monitor-workbooks). The integration contains pre-built workbooks and templates to help you understand how your users adopt and use Azure AD features, which allows you to gain insights into all the activities within your directory. You can also create your own workbooks and share with your leadership team to report on day-to-day activities. Workbooks are a great way to monitor your business and see all of your most important metrics at a glance. ### Understand your support call drivers When you implement a hybrid identity solution as outlined in this article, you should ultimately notice a reduction in your support calls. Common issues such as forgotten passwords and account lockouts are mitigated by implementing Azure's self-service password reset, while enabling self-service application access allows users to self-discover and request access to applications without relying on your IT staff. -If you don't observe a reduction in support calls, we recommend that you analyze your support call drivers in an attempt to confirm if SSPR or self-service application access has been configured correctly or if there are any other new issues that can be systematically addressed. +If you don't observe a reduction in support calls, we recommend that you analyze your support call drivers in an attempt to confirm if SSPR, or self-service application access has been configured correctly or if there are any other new issues that can be systematically addressed. *"In our digital transformation journey, we needed a reliable identity and access management provider to facilitate seamless yet secure integration between us, partners and cloud service providers, for an effective ecosystem; Azure AD was the best option offering us the needed capabilities and visibility that enabled us to detect and respond to risks."* [Yazan Almasri, Global Information Security Director, Aramex](https://customers.microsoft.com/story/aramex-azure-active-directory-travel-transportation-united-arab-emirates-en) In addition to discovering Shadow IT, monitoring app usage across your organizat ## Summary -There are many aspects to implementing a hybrid Identity solution, but this four-step checklist will help you quickly accomplish an identity infrastructure that will enable users to be more productive and secure. +There are many aspects to implementing a hybrid Identity solution, but this four-step checklist helps you quickly accomplish an identity infrastructure that enables users to be more productive and secure. * Connect to apps easily * Establish one identity for every user automatically We recommend that you print the following checklist for reference as you begin y Learn how you can increase your secure posture using the capabilities of Azure Active Directory and this five-step checklist - [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md). -Learn how the identity features in Azure AD can help you accelerate your transition to cloud governed management by providing the solutions and capabilities that allow organizations to quickly adopt and move more of their identity management from traditional on-premises systems to Azure AD - [How Azure AD Delivers Cloud Governed Management for On-Premises Workloads](./cloud-governed-management-for-on-premises.md). +Learn how the identity features in Azure AD can help you accelerate your transition to cloud governed management by providing the solutions and capabilities that allow organizations to quickly adopt and move more of their identity management from traditional on-premises systems to Azure AD - [How Azure AD Delivers Cloud Governed Management for on-premises Workloads](./cloud-governed-management-for-on-premises.md). |
active-directory | Howto Identity Protection Simulate Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-simulate-risk.md | This risk detection indicates that the application's valid credentials have been 5. Get the TenantID and Application(Client)ID in the **Overview** page. 6. Ensure you disable the application via **Azure Active Directory** > **Enterprise Application** > **Properties** > Set **Enabled for users to sign-in** to **No**.-7. Create a **public** GitHub Repository, add the following config and commit the change. +7. Create a **public** GitHub Repository, add the following config and commit the change as a file with the .txt extension. ```GitHub file "AadClientId": "XXXX-2dd4-4645-98c2-960cf76a4357", "AadSecret": "p3n7Q~XXXX", |
active-directory | F5 Bigip Deployment Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-bigip-deployment-guide.md | Get-AzVmSnapshot -ResourceGroupName '<E.g.contoso-RG>' -VmName '<E.g.BIG-IP-VM>' ## Next steps -Select a [deployment scenario](f5-aad-integration.md) and start your implementation. +Select a [deployment scenario](f5-aad-integration.md) and start your implementation. |
active-directory | Grant Admin Consent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/grant-admin-consent.md | To grant tenant-wide admin consent to an app listed in **Enterprise applications 1. Select the application to which you want to grant tenant-wide admin consent, and then select **Permissions**. :::image type="content" source="media/grant-tenant-wide-admin-consent/grant-tenant-wide-admin-consent.png" alt-text="Screenshot shows how to grant tenant-wide admin consent."::: +1. Add the redirect **URI** (https://entra.microsoft.com/TokenAuthorize) as permitted redirect **URI** to the app. 1. Carefully review the permissions that the application requires. If you agree with the permissions the application requires, select **Grant admin consent**. ## Grant admin consent in App registrations |
active-directory | How To Assign App Role Managed Identity Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-cli.md | Title: Assign a managed identity to an application role using Azure CLI - Azure AD description: Step-by-step instructions for assigning a managed identity access to another application's role, using Azure CLI. - |
active-directory | Tutorial Vm Managed Identities Cosmos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos.md | |
active-directory | Quickstart App Registration Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/quickstart-app-registration-limits.md | |
active-directory | Brainstorm Platform Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/brainstorm-platform-tutorial.md | + + Title: Azure Active Directory SSO integration with BrainStorm Platform +description: Learn how to configure single sign-on between Azure Active Directory and BrainStorm Platform. ++++++++ Last updated : 03/09/2023+++++# Azure Active Directory SSO integration with BrainStorm Platform ++In this article, you learn how to integrate BrainStorm Platform with Azure Active Directory (Azure AD). The BrainStorm Platform empowers end users to personalize their experience, empowering them to embrace long-term behavioral change. When you integrate BrainStorm Platform with Azure AD, you can: ++* Control in Azure AD who has access to BrainStorm Platform. +* Enable your users to be automatically signed-in to BrainStorm Platform with their Azure AD accounts. +* Manage your accounts in one central location - the Azure portal. ++You are able to configure and test Azure AD single sign-on for BrainStorm Platform in your BrainStorm environment. BrainStorm Platform supports only **SP** initiated single sign-on and **Just In Time** user provisioning. ++> [!NOTE] +> Identifier of this application is a fixed string value so only one instance can be configured in one tenant. ++## Prerequisites ++To integrate Azure Active Directory with BrainStorm Platform, you need: ++* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. +* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* BrainStorm Platform single sign-on (SSO) enabled subscription. ++## Add application and assign a test user ++Before you begin the process of configuring single sign-on, you need to add the BrainStorm Platform application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration. ++### Add BrainStorm Platform from the Azure AD gallery ++Add BrainStorm Platform from the Azure AD application gallery to configure single sign-on with BrainStorm Platform. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md). ++### Create and assign Azure AD test user ++Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). ++## Configure Azure AD SSO ++Complete the following steps to enable Azure AD single sign-on in the Azure portal. ++1. In the Azure portal, on the **BrainStorm Platform** application integration page, find the **Manage** section and select **single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings. ++  ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type the value: + `urn:brainstorminc:auth:wsfed` ++ b. In the **Reply URL** textbox, type the URL: + `https://auth.brainstorminc.com/signin-wsfed` ++ c. In the **Sign on URL** textbox, type a URL using the following pattern: + `https://auth.brainstorminc.com/auth/wsfed?providerId=<ID>` ++ > [!NOTE] + > This value is not real. Update this value with the actual Sign on URL. Contact [BrainStorm Platform Client support team](mailto:support@brainstorminc.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. ++1. BrainStorm Platform application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. ++  ++1. In addition to above, the BrainStorm platform application allows few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements. ++ | Name | Source Attribute| + | | | + | title | user.jobtitle + | department | user.department | ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ++  ++## Configure BrainStorm Platform SSO ++To configure single sign-on on **BrainStorm Platform** side, you need to send the **App Federation Metadata Url** to [BrainStorm Platform support team](mailto:support@brainstorminc.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create BrainStorm Platform test user ++In this section, a user called B.Simon is created in BrainStorm Platform. BrainStorm Platform supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in BrainStorm Platform, a new one is commonly created after authentication. ++## Test SSO ++In this section, you test your Azure AD single sign-on configuration with following options. ++* Click on **Test this application** in Azure portal. This will redirect to BrainStorm Platform Sign-on URL where you can initiate the login flow. ++* Go to BrainStorm Platform Sign-on URL directly and initiate the login flow from there. ++* You can use Microsoft My Apps. When you click the BrainStorm Platform tile in the My Apps, this will redirect to BrainStorm Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Additional resources ++* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md). ++## Next steps ++Once you configure BrainStorm Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad). |
active-directory | Facebook Work Accounts Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/facebook-work-accounts-provisioning-tutorial.md | Title: 'Tutorial: Configure Facebook Work Accounts for automatic user provisioning with Azure Active Directory | Microsoft Docs' -description: Learn how to automatically provision and de-provision user accounts from Azure AD to Facebook Work Accounts. + Title: 'Tutorial: Configure Meta Work Accounts for automatic user provisioning with Azure Active Directory | Microsoft Docs' +description: Learn how to automatically provision and de-provision user accounts from Azure AD to Meta Work Accounts. -# Tutorial: Configure Facebook Work Accounts for automatic user provisioning +# Tutorial: Configure Meta Work Accounts for automatic user provisioning -This tutorial describes the steps you need to perform in both Facebook Work Accounts and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Facebook Work Accounts](https://work.facebook.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +This tutorial describes the steps you need to perform in both Meta Work Accounts and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Meta Work Accounts](https://work.meta.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). ## Capabilities supported > [!div class="checklist"]-> * Create users in Facebook Work Accounts -> * Remove users in Facebook Work Accounts when they do not require access anymore -> * Keep user attributes synchronized between Azure AD and Facebook Work Accounts -> * Single sign-on to Facebook Work Accounts (recommended) +> * Create users in Meta Work Accounts +> * Remove users in Meta Work Accounts when they do not require access anymore +> * Keep user attributes synchronized between Azure AD and Meta Work Accounts +> * Single sign-on to Meta Work Accounts (recommended) ## Prerequisites The scenario outlined in this tutorial assumes that you already have the followi 1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). 1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).-1. Determine what data to [map between Azure AD and Facebook Work Accounts](../app-provisioning/customize-application-attributes.md). +1. Determine what data to [map between Azure AD and Meta Work Accounts](../app-provisioning/customize-application-attributes.md). -## Step 2. Add Facebook Work Accounts from the Azure AD application gallery +## Step 2. Add Meta Work Accounts from the Azure AD application gallery -Add Facebook Work Accounts from the Azure AD application gallery to start managing provisioning to Facebook Work Accounts. If you have previously setup Facebook Work Accounts for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). +Add Meta Work Accounts from the Azure AD application gallery to start managing provisioning to Meta Work Accounts. If you have previously setup Meta Work Accounts for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ## Step 3. Define who will be in scope for provisioning The Azure AD provisioning service allows you to scope who will be provisioned ba * If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. -## Step 4. Configure automatic user provisioning to Facebook Work Accounts +## Step 4. Configure automatic user provisioning to Meta Work Accounts This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD. -### To configure automatic user provisioning for Facebook Work Accounts in Azure AD: +### To configure automatic user provisioning for Meta Work Accounts in Azure AD: 1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. -1. In the applications list, select **Facebook Work Accounts**. +1. In the applications list, select **Meta Work Accounts**. 1. Select the **Provisioning** tab. 1. Set the **Provisioning Mode** to **Automatic**. -1. Under the **Admin Credentials** section, click on **Authorize**. You will be redirected to **Facebook Work Accounts**'s authorization page. Input your Facebook Work Accounts username and click on the **Continue** button. Click **Test Connection** to ensure Azure AD can connect to Facebook Work Accounts. If the connection fails, ensure your Facebook Work Accounts account has Admin permissions and try again. +1. Under the **Admin Credentials** section, click on **Authorize**. You will be redirected to **Meta Work Accounts**'s authorization page. Input your Meta Work Accounts username and click on the **Continue** button. Click **Test Connection** to ensure Azure AD can connect to Meta Work Accounts. If the connection fails, ensure your Meta Work Accounts account has Admin permissions and try again. - :::image type="content" source="media/facebook-work-accounts-provisioning-tutorial/azure-connect.png" alt-text="Screenshot shows the Facebook Work Accounts authorization page."::: + :::image type="content" source="media/facebook-work-accounts-provisioning-tutorial/azure-connect.png" alt-text="Screenshot shows the Meta Work Accounts authorization page."::: 1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. 1. Select **Save**. -1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Facebook Work Accounts**. +1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Meta Work Accounts**. -1. Review the user attributes that are synchronized from Azure AD to Facebook Work Accounts in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Facebook Work Accounts for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Facebook Work Accounts API supports filtering users based on that attribute. Select the **Save** button to commit any changes. +1. Review the user attributes that are synchronized from Azure AD to Meta Work Accounts in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Meta Work Accounts for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Meta Work Accounts API supports filtering users based on that attribute. Select the **Save** button to commit any changes. |Attribute|Type|Supported for filtering| |||| This section guides you through the steps to configure the Azure AD provisioning 1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). -1. To enable the Azure AD provisioning service for Facebook Work Accounts, change the **Provisioning Status** to **On** in the **Settings** section. +1. To enable the Azure AD provisioning service for Meta Work Accounts, change the **Provisioning Status** to **On** in the **Settings** section. -1. Define the users and/or groups that you would like to provision to Facebook Work Accounts by choosing the desired values in **Scope** in the **Settings** section. +1. Define the users and/or groups that you would like to provision to Meta Work Accounts by choosing the desired values in **Scope** in the **Settings** section.  |
active-directory | Hawkeyebsb Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hawkeyebsb-tutorial.md | Title: Azure Active Directory SSO integration with HawkeyeBSB -description: Learn how to configure single sign-on between Azure Active Directory and HawkeyeBSB. + Title: Azure Active Directory SSO integration with Hawkeye Platform +description: Learn how to configure single sign-on between Azure Active Directory and Hawkeye Platform. -# Azure Active Directory SSO integration with HawkeyeBSB +# Azure Active Directory SSO integration with Hawkeye Platform -In this article, you'll learn how to integrate HawkeyeBSB with Azure Active Directory (Azure AD). HawkeyeBSB was developed by Redbridge Debt & Treasury Advisory to help Clients manage their bank fees. When you integrate HawkeyeBSB with Azure AD, you can: +In this article, you learn how to integrate Hawkeye Platform with Azure Active Directory (Azure AD). Hawkeye Platform was developed by Redbridge Debt & Treasury Advisory to help Clients manage their bank fees. When you integrate Hawkeye Platform with Azure AD, you can: -* Control in Azure AD who has access to HawkeyeBSB. -* Enable your users to be automatically signed-in to HawkeyeBSB with their Azure AD accounts. +* Control in Azure AD who has access to Hawkeye Platform. +* Enable your users to be automatically signed-in to Hawkeye Platform with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal. -You'll configure and test Azure AD single sign-on for HawkeyeBSB in a test environment. HawkeyeBSB supports both **SP** and **IDP** initiated single sign-on. +You'll configure and test Azure AD single sign-on for Hawkeye Platform in a test environment. Hawkeye Platform supports both **SP** and **IDP** initiated single sign-on. ## Prerequisites -To integrate Azure Active Directory with HawkeyeBSB, you need: +To integrate Azure Active Directory with Hawkeye Platform, you need: * An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).-* HawkeyeBSB single sign-on (SSO) enabled subscription. +* Hawkeye Platform single sign-on (SSO) enabled subscription. ## Add application and assign a test user -Before you begin the process of configuring single sign-on, you need to add the HawkeyeBSB application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration. +Before you begin the process of configuring single sign-on, you need to add the Hawkeye Platform application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration. -### Add HawkeyeBSB from the Azure AD gallery +### Add Hawkeye Platform from the Azure AD gallery -Add HawkeyeBSB from the Azure AD application gallery to configure single sign-on with HawkeyeBSB. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md). +Add Hawkeye Platform from the Azure AD application gallery to configure single sign-on with Hawkeye Platform. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md). ### Create and assign Azure AD test user Alternatively, you can also use the [Enterprise App Configuration Wizard](https: Complete the following steps to enable Azure AD single sign-on in the Azure portal. -1. In the Azure portal, on the **HawkeyeBSB** application integration page, find the **Manage** section and select **single sign-on**. +1. In the Azure portal, on the **Hawkeye Platform** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings. Complete the following steps to enable Azure AD single sign-on in the Azure port `https://hawkeye.redbridgeanalytics.com/sso/saml/login/<uniqueSlugPerCustomer>` > [!NOTE]- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [HawkeyeBSB Client support team](mailto:casemanagement@redbridgedta.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Hawkeye Platform Client support team](mailto:casemanagement@redbridgedta.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.  -1. On the **Set up HawkeyeBSB** section, copy the appropriate URL(s) based on your requirement. +1. On the **Set up Hawkeye Platform** section, copy the appropriate URL(s) based on your requirement.  -## Configure HawkeyeBSB SSO +## Configure Hawkeye Platform SSO -To configure single sign-on on **HawkeyeBSB** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [HawkeyeBSB support team](mailto:casemanagement@redbridgedta.com). They set this setting to have the SAML SSO connection set properly on both sides. +To configure single sign-on on **Hawkeye Platform** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Hawkeye Platform support team](mailto:casemanagement@redbridgedta.com). They set this setting to have the SAML SSO connection set properly on both sides. -### Create HawkeyeBSB test user +### Create Hawkeye Platform test user -In this section, you create a user called Britta Simon at HawkeyeBSB. Work with [HawkeyeBSB support team](mailto:casemanagement@redbridgedta.com) to add the users in the HawkeyeBSB platform. Users must be created and activated before you use single sign-on. +In this section, you create a user called Britta Simon at Hawkeye Platform. Work with [Hawkeye Platform support team](mailto:casemanagement@redbridgedta.com) to add the users in the Hawkeye Platform platform. Users must be created and activated before you use single sign-on. ## Test SSO In this section, you test your Azure AD single sign-on configuration with follow #### SP initiated: -1. Click on **Test this application** in Azure portal. This will redirect to HawkeyeBSB Sign-on URL where you can initiate the login flow. +1. Click on **Test this application** in Azure portal. This will redirect to Hawkeye Platform Sign-on URL where you can initiate the login flow. -1. Go to HawkeyeBSB Sign-on URL directly and initiate the login flow from there. +1. Go to Hawkeye Platform Sign-on URL directly and initiate the login flow from there. #### IDP initiated: -1. Click on **Test this application** in Azure portal and you should be automatically signed in to the HawkeyeBSB for which you set up the SSO. +1. Click on **Test this application** in Azure portal and you should be automatically signed in to the Hawkeye Platform for which you set up the SSO. -1. You can also use Microsoft My Apps to test the application in any mode. When you click the HawkeyeBSB tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the HawkeyeBSB for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). +1. You can also use Microsoft My Apps to test the application in any mode. When you click the Hawkeye Platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hawkeye Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ## Additional resources In this section, you test your Azure AD single sign-on configuration with follow ## Next steps -Once you configure HawkeyeBSB you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad). +Once you configure Hawkeye Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad). |
active-directory | Infinitecampus Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/infinitecampus-tutorial.md | Title: 'Tutorial: Azure Active Directory integration with Infinite Campus | Microsoft Docs' + Title: 'Tutorial: Azure Active Directory SSO integration with Infinite Campus' description: Learn how to configure single sign-on between Azure Active Directory and Infinite Campus. -# Tutorial: Azure Active Directory integration with Infinite Campus +# Tutorial: Azure Active Directory SSO integration with Infinite Campus -In this tutorial, you'll learn how to integrate Infinite Campus with Azure Active Directory (Azure AD). When you integrate Infinite Campus with Azure AD, you can: +In this tutorial, you learn how to integrate Infinite Campus with Azure Active Directory (Azure AD). When you integrate Infinite Campus with Azure AD, you can: * Control in Azure AD who has access to Infinite Campus. * Enable your users to be automatically signed-in to Infinite Campus with their Azure AD accounts. To configure the integration of Infinite Campus into Azure AD, you need to add I 1. In the **Add from the gallery** section, type **Infinite Campus** in the search box. 1. Select **Infinite Campus** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) + Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ## Configure and test Azure AD SSO for Infinite Campus To configure and test Azure AD SSO with Infinite Campus, perform the following s 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on. 1. **[Configure Infinite Campus SSO](#configure-infinite-campus-sso)** - to configure the single sign-on settings on application side.- 1. **[Create Infinite Campus test user](#create-infinite-campus-test-user)** - to have a counterpart of B.Simon in Infinite Campus that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.  -4. On the Basic SAML Configuration section, perform the following steps (note that the domain will vary with Hosting Model, but the **FULLY-QUALIFIED-DOMAIN** value must match your Infinite Campus installation): +4. On the Basic SAML Configuration section, perform the following steps (note that the domain varies with Hosting Model, but the **FULLY-QUALIFIED-DOMAIN** value must match your Infinite Campus installation): a. In the **Sign-on URL** textbox, type a URL using the following pattern: `https://<DOMAIN>.infinitecampus.com/campus/SSO/<DISTRICTNAME>/SIS` Follow these steps to enable Azure AD SSO in the Azure portal. ### Create an Azure AD test user -In this section, you'll create a test user in the Azure portal called B.Simon. +In this section, you create a test user in the Azure portal called B.Simon. 1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. In this section, you'll create a test user in the Azure portal called B.Simon. ### Assign the Azure AD test user -In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Infinite Campus. +In this section, you enable B.Simon to use Azure single sign-on by granting access to Infinite Campus. 1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Infinite Campus**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. +1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Infinite Campus SSO -1. In a different web browser window, sign in to Infinite Campus as a Security Administrator. +For detailed steps on how to configure SSO within Infinite Campus, [please follow the steps in this document](https://kb.infinitecampus.com/help/sso-service-provider-configuration#SSOServiceProviderConfiguration-EnableandConfigureSAMLSSOFunctionality). -2. On the left side of menu, click **System Administration**. +Once you have completed configuring SSO within Infinite Campus, if you would like users to be signed out their Azure SSO connection when logging out of Infinite Campus, [follow these steps](https://kb.infinitecampus.com/help/sso-service-provider-configuration#SSOServiceProviderConfiguration-AddtheInfiniteCampusLogoutURLtotheMicrosoftAzureSAMLSSOConfiguration). -  --3. Navigate to **User Security** > **SAML Management** > **SSO Service Provider Configuration**. --  --4. On the **SSO Service Provider Configuration** page, perform the following steps: --  -- a. Select **Enable SAML Single Sign On**. +## Test SSO - b. Edit the **Optional Attribute Name** to contain **name**. +In this section, you test your Azure AD single sign-on configuration with following options. - c. On the **Select an option to retrieve Identity Provider (IDP) server data** section, select **Metadata URL**, paste the **App Federation Metadata Url** value, which you have copied from the Azure portal in the box, and then click **Sync**. +* Click on **Test this application** in Azure portal. This will redirect to Infinite Campus Sign-on URL where you can initiate the login flow. - d. After clicking **Sync** the values get auto-populated in **SSO Service Provider Configuration** page. These values can be verified to match the values seen in Step 4 above. +* Go to Infinite Campus Sign-on URL directly and initiate the login flow from there. - e. Click **Save**. +* You can use Microsoft My Apps. When you click the Infinite Campus tile in the My Apps, this will redirect to Infinite Campus Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). -### Create Infinite Campus test user +## Configure Azure SSO for Non-Production Infinite Campus Environments (Sandbox, Staging) -Infinite Campus has a demographics centered architecture. Please contact [Infinite Campus support team](mailto:sales@infinitecampus.com) to add the users in the Infinite Campus platform. +If your district has other Infinite Campus environments, this entire setup process must be repeated for each environment. For example, if your district has an Infinite Campus sandbox site, add the Infinite Campus app from the gallery again and complete the process while referencing the SSO Service Provider Configuration screen within your Infinite Campus sandbox site. If your district also has, for example, an Infinite Campus staging site, you need to complete this process a third time. -## Test SSO +See Infinite Campus [documentation](https://kb.infinitecampus.com/help/sso-service-provider-configuration#sandbox/staging/non-production-environments) for more information about this process. -In this section, you test your Azure AD single sign-on configuration with following options. +## Replacing an Expiring SAML Certificate -* Click on **Test this application** in Azure portal. This will redirect to Infinite Campus Sign-on URL where you can initiate the login flow. +The SAML certificate of this integration relies on which eventually need to be renewed so users can continue logging into Infinite Campus through single sign-on. For districts with proper Campus Messenger Email Settings established, Infinite Campus sends warning emails as the certificate expiration approaches. (Subject: "Action required: Your certificate is expiring.") -* Go to Infinite Campus Sign-on URL directly and initiate the login flow from there. +These are the steps to take to replace an expiring SAML certificate: +1. Have your district's Microsoft Azure Active Directory admin sign-in to the Azure portal. +1. On the left navigation pane, select the Azure Active Directory service. +1. Navigate to Enterprise Applications and select your Infinite Campus application set up previously. (If you have multiple Infinite Campus environments like a sandbox or staging site, you have multiple Infinite Campus applications set up here. You need to complete this process in each respective Infinite Campus environment for any with an expiring certificate.) +1. Select Single sign-on. +1. Navigate to the SAML Certificate and copy the App Federation Metadata URL. +1. Within Infinite Campus, navigate to the SSO Service Provider Configuration tool, select the configuration, and paste the App Federation Metadata URL copied in the previous step into the Metadata URL field. +1. In a separate window, go back to the Azure portal. Under SAML Certificates, in the Token Signing Certificate area, select Edit. +1. Select New Certificate. Modify the expiration date if desired. +1. Select Save. (Leave the Signing Option and Signing Algorithm as-is) +1. Return to the Infinite Campus window and click the Sync button next to the Metadata URL. It says "IDP Synchronization successful". Select OK and Save. +1. Return to the Azure portal, still on the SAML Signing Certificate edit screen, select the three dots (...) next to the new certificate. Select Make Certificate Active and click Save. +1. Select the three dots next to the old certificate. Select Delete Certificate. +1. Return to Infinite Campus and hit the Sync button next to the Metadata URL again. It says "IDP Synchronization successful" again. Hit OK and Save again. -* You can use Microsoft My Apps. When you click the Infinite Campus tile in the My Apps, this will redirect to Infinite Campus Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). +This completes the process of replacing an expiring certificate. For more information, see Infinite Campus [documentation](https://kb.infinitecampus.com/help/sso-service-provider-configuration#SSOServiceProviderConfiguration-CertificateExpirationWarnings). ## Next steps |
active-directory | Island Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/island-tutorial.md | + + Title: Azure Active Directory SSO integration with Island +description: Learn how to configure single sign-on between Azure Active Directory and Island. ++++++++ Last updated : 03/09/2023+++++# Azure Active Directory SSO integration with Island ++In this article, you learn how to integrate Island with Azure Active Directory (Azure AD). Azure AD single sign-on enables end-users to directly access Island, The Enterprise Browser, via Azure AD authentication. Admins can add or remove users and update attributes from Azure AD as well. When you integrate Island with Azure AD, you can: ++* Control in Azure AD who has access to Island. +* Enable your users to be automatically signed-in to Island with their Azure AD accounts. +* Manage your accounts in one central location - the Azure portal. ++You'll configure and test Azure AD single sign-on for Island in a test environment. Island supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning. ++## Prerequisites ++To integrate Azure Active Directory with Island, you need: ++* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. +* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Island single sign-on (SSO) enabled subscription. ++## Add application and assign a test user ++Before you begin the process of configuring single sign-on, you need to add the Island application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration. ++### Add Island from the Azure AD gallery ++Add Island from the Azure AD application gallery to configure single sign-on with Island. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md). ++### Create and assign Azure AD test user ++Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). ++## Configure Azure AD SSO ++Complete the following steps to enable Azure AD single sign-on in the Azure portal. ++1. In the Azure portal, on the **Island** application integration page, find the **Manage** section and select **single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings. ++  ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a URL using the following pattern: + `urn:auth0:za-production:<TENANTID>-saml-browser-prod` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + `https://login.island.io/login/callback?connection=<TENANTID>-saml-browser-prod` ++1. If you wish to configure the application in **SP** initiated mode, then perform the following step: ++ In the **Sign on URL** textbox, type the URL: + `https://download.island.io` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Island Client support team](mailto:support@island.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. ++1. Your Island application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Island expects this to be mapped with the user's object ID and change the name identifier +format setting to **Persistent**. For that you can use **user.objectid** attribute from the list or use the appropriate attribute value based on your organization configuration. ++  ++ > [!NOTE] + > From the list of default attributes, please edit the following claims manually: + > 1. Click the **givenname** (user.givenname) claim, change the Name setting to **given_name** and click **Save**. + > 1. Click the **name** (user.userprincipalname) claim, change the Source setting to **Transformation** and edit the Manage transformation settings as follows. + > 1. Select Transformation, choose Join(). Select user.givenname as Parameter 1 and add a single whitespace as Separator and choose user.surname as Parameter 2. + > 1. Click Add and Save to complete the configuration. ++1. In addition to above, Island application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements. ++ | Name | Source Attribute| + | | | + | email | user.mail | + | family_name | user.surname | + | groups | user.groups [All] | ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ++  ++1. On the **Set up Island** section, copy the appropriate URL(s) based on your requirement. ++  ++## Configure Island SSO ++To configure single sign-on on **Island** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Island support team](mailto:support@island.io). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Island test user ++In this section, a user called B.Simon is created in Island. Island supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Island, a new one is commonly created after authentication. ++## Test SSO ++In this section, you test your Azure AD single sign-on configuration with following options. ++#### SP initiated: ++* Click on **Test this application** in Azure portal. This will redirect to Island Sign-on URL where you can initiate the login flow. ++* Go to Island Sign-on URL directly and initiate the login flow from there. ++#### IDP initiated: ++* Click on **Test this application** in Azure portal and you should be automatically signed in to the Island for which you set up the SSO. ++You can also use Microsoft My Apps to test the application in any mode. When you click the Island tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Island for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Additional resources ++* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md). ++## Next steps ++Once you configure Island you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad). |
active-directory | Proactis Rego Source To Pay Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/proactis-rego-source-to-pay-tutorial.md | + + Title: Azure Active Directory SSO integration with Proactis Rego Source-to-Pay +description: Learn how to configure single sign-on between Azure Active Directory and Proactis Rego Source-to-Pay. ++++++++ Last updated : 03/09/2023+++++# Azure Active Directory SSO integration with Proactis Rego Source-to-Pay ++In this article, you learn how to integrate Proactis Rego Source-to-Pay with Azure Active Directory (Azure AD). Proactis Rego is a powerful Source-to-Pay software platform designed for mid-market organizations. It's easy to use and integrate, giving you control over your spend and supply-chain risks. When you integrate Proactis Rego Source-to-Pay with Azure AD, you can: ++* Control in Azure AD who has access to Proactis Rego Source-to-Pay. +* Enable your users to be automatically signed-in to Proactis Rego Source-to-Pay with their Azure AD accounts. +* Manage your accounts in one central location - the Azure portal. ++You are able to configure and test Azure AD single sign-on for Proactis Rego Source-to-Pay in a test environment. Proactis Rego Source-to-Pay supports **SP** initiated single sign-on. ++## Prerequisites ++To integrate Azure Active Directory with Proactis Rego Source-to-Pay, you need: ++* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. +* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Proactis Rego Source-to-Pay single sign-on (SSO) enabled subscription. ++## Add application and assign a test user ++Before you begin the process of configuring single sign-on, you need to add the Proactis Rego Source-to-Pay application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration. ++### Add Proactis Rego Source-to-Pay from the Azure AD gallery ++Add Proactis Rego Source-to-Pay from the Azure AD application gallery to configure single sign-on with Proactis Rego Source-to-Pay. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md). ++### Create and assign Azure AD test user ++Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). ++## Configure Azure AD SSO ++Complete the following steps to enable Azure AD single sign-on in the Azure portal. ++1. In the Azure portal, on the **Proactis Rego Source-to-Pay** application integration page, find the **Manage** section and select **single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings. ++  ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a URL using one of the following patterns: ++ | **Identifier** | + || + | `https://consult.esize.nl/domain/<domainId>` | + | `https://start.esize.nl/domain/<domainId>` | + | `https://bsmuk-uat.proactiscloud.com/domain/<domainId>` | + | `https://bsmuk.proactiscloud.com/domain/<domainId>` | + | `https://pxus-con.proactiscloud.com/domain/<domainId>` | + | `https://bsmus.proactiscloud.com/domain/domainId` | ++ b. In the **Reply URL** textbox, type a URL using one of the following patterns: ++ | **Reply URL** | + || + | `https://consult.esize.nl/saml/domain/<domainId>/login` | + | `https://start.esize.nl/saml/domain/<domainId>/login` | + | `https://bsmuk-uat.proactiscloud.com/saml/domain/<domainId>/login` | + | `https://bsmuk.proactiscloud.com/saml/domain/<domainId>/login` | + | `https://pxus-con.proactiscloud.com/saml/domain/<domainId>/login` | + | `https://bsmus.proactiscloud.com/saml/domain/<domainId>/login` | ++ c. In the **Sign on URL** textbox, type a URL using one of the following patterns: ++ | **Sign on URL** | + || + | `https://consult.esize.nl/saml/domain/<domainId>` | + | `https://start.esize.nl/saml/domain/<domainId>` | + | `https://bsmuk-uat.proactiscloud.com/saml/domain/<domainId>` | + | `https://bsmuk.proactiscloud.com/saml/domain/<domainId>` | + | `https://pxus-con.proactiscloud.com/saml/domain/<domainId>` | + | `https://bsmus.proactiscloud.com/saml/domain/<domainId>` | ++ > [!Note] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Proactis Rego Source-to-Pay support team](mailto:itcrowd@proactis.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration section** in the Azure portal. ++ 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer. ++  ++1. On the **Set up Proactis Rego Source-to-Pay** section, copy the appropriate URL(s) based on your requirement. ++  ++## Configure Proactis Rego Source-to-Pay SSO ++To configure single sign-on on **Proactis Rego Source-to-Pay** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [Proactis Rego Source-to-Pay support team](mailto:itcrowd@proactis.com). They set this setting to have the SAML SSO connection set properly on both sides ++### Create Proactis Rego Source-to-Pay test user ++In this section, you create a user called Britta Simon at Proactis Rego Source-to-Pay. Work with [Proactis Rego Source-to-Pay support team](mailto:itcrowd@proactis.com) to add the users in the Proactis Rego Source-to-Pay platform. Users must be created and activated before you use single sign-on. ++## Test SSO ++In this section, you test your Azure AD single sign-on configuration with following options. ++* Click on **Test this application** in Azure portal. This will redirect to Proactis Rego Source-to-Pay Sign-on URL where you can initiate the login flow. ++* Go to Proactis Rego Source-to-Pay Sign-on URL directly and initiate the login flow from there. ++* You can use Microsoft My Apps. When you click the Proactis Rego Source-to-Pay tile in the My Apps, this will redirect to Proactis Rego Source-to-Pay Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next steps ++Once you configure Proactis Rego Source-to-Pay you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad). |
active-directory | Wayleadr Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/wayleadr-tutorial.md | + + Title: Azure Active Directory SSO integration with Wayleadr +description: Learn how to configure single sign-on between Azure Active Directory and Wayleadr. ++++++++ Last updated : 03/09/2023+++++# Azure Active Directory SSO integration with Wayleadr ++In this article, you learn how to integrate Wayleadr with Azure Active Directory (Azure AD). Wayleadr is the worldΓÇÖs first software for managing parking, EV charger rotation and access control. Make arriving at your building easy. When you integrate Wayleadr with Azure AD, you can: ++* Control in Azure AD who has access to Wayleadr. +* Enable your users to be automatically signed-in to Wayleadr with their Azure AD accounts. +* Manage your accounts in one central location - the Azure portal. ++You'll configure and test Azure AD single sign-on for Wayleadr in a test environment. Wayleadr supports both **SP** and **IDP** initiated single sign-on. ++> [!NOTE] +> Identifier of this application is a fixed string value so only one instance can be configured in one tenant. ++## Prerequisites ++To integrate Azure Active Directory with Wayleadr, you need: ++* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. +* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Wayleadr single sign-on (SSO) enabled subscription. ++## Add application and assign a test user ++Before you begin the process of configuring single sign-on, you need to add the Wayleadr application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration. ++### Add Wayleadr from the Azure AD gallery ++Add Wayleadr from the Azure AD application gallery to configure single sign-on with Wayleadr. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md). ++### Create and assign Azure AD test user ++Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). ++## Configure Azure AD SSO ++Complete the following steps to enable Azure AD single sign-on in the Azure portal. ++1. In the Azure portal, on the **Wayleadr** application integration page, find the **Manage** section and select **single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings. ++  ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type the URL: + `https://app.wayleadr.com` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + `https://app.wayleadr.com/users/auth/saml_<CustomerName>/callback` ++1. If you wish to configure the application in **SP** initiated mode, then perform the following step: ++ In the **Sign on URL** textbox, type one of the following URLs: ++ | **Sign on URL** | + |--| + | `https://app.wayleadr.com/users/sign_in` | + | `https://app.wayleadr.com/` | + | `https://app.wayleadr.com/users/sign_in_sso` | ++ > [!NOTE] + > This value is not real. Update this value with the actual Reply URL. Contact [Wayleadr Client support team](mailto:support@wayleadr.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. ++1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog. ++  ++1. In the **SAML Signing Certificate** section, copy the **Thumbprint Value** and save it on your computer. ++  ++## Configure Wayleadr SSO ++To configure single sign-on on **Wayleadr** side, you need to send the **Thumbprint Value** and appropriate copied URLs from Azure portal to [Wayleadr support team](mailto:support@wayleadr.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Wayleadr test user ++In this section, you create a user called Britta Simon at Wayleadr. Work with [Wayleadr support team](mailto:support@wayleadr.com) to add the users in the Wayleadr platform. Users must be created and activated before you use single sign-on. ++## Test SSO ++In this section, you test your Azure AD single sign-on configuration with following options. ++#### SP initiated: ++* Click on **Test this application** in Azure portal. This will redirect to Wayleadr Sign-on URL where you can initiate the login flow. ++* Go to Wayleadr Sign-on URL directly and initiate the login flow from there. ++#### IDP initiated: ++* Click on **Test this application** in Azure portal and you should be automatically signed in to the Wayleadr for which you set up the SSO. ++You can also use Microsoft My Apps to test the application in any mode. When you click the Wayleadr tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Wayleadr for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Additional resources ++* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md). ++## Next steps ++Once you configure Wayleadr you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad). |
active-directory | You At College Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/you-at-college-tutorial.md | + + Title: Azure Active Directory SSO integration with YOU at College +description: Learn how to configure single sign-on between Azure Active Directory and YOU at College. ++++++++ Last updated : 01/27/2023+++++# Azure Active Directory SSO integration with YOU at College ++In this article, you learn how to integrate YOU at College with Azure Active Directory (Azure AD). YOU at College is an opt-in, web-based well-being application that higher education institutions can license and promote to their students and staff. When you integrate YOU at College with Azure AD, you can: ++* Control in Azure AD who has access to YOU at College. +* Enable your users to be automatically signed-in to YOU at College with their Azure AD accounts. +* Manage your accounts in one central location - the Azure portal. ++You'll configure and test Azure AD single sign-on for YOU at College in a test environment. YOU at College supports only **SP** initiated single sign-on and **Just In Time** user provisioning. ++> [!NOTE] +> Identifier of this application is a fixed string value so only one instance can be configured in one tenant. ++## Prerequisites ++To integrate Azure Active Directory with YOU at College, you need: ++* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. +* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* YOU at College single sign-on (SSO) enabled subscription. ++## Add application and assign a test user ++Before you begin the process of configuring single sign-on, you need to add the YOU at College application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration. ++### Add YOU at College from the Azure AD gallery ++Add YOU at College from the Azure AD application gallery to configure single sign-on with YOU at College. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md). ++### Create and assign Azure AD test user ++Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). ++## Configure Azure AD SSO ++Complete the following steps to enable Azure AD single sign-on in the Azure portal. ++1. In the Azure portal, on the **YOU at College** application integration page, find the **Manage** section and select **single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings. ++  ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type the URL: + `http://sso.youatcollege.com/shibboleth` ++ b. In the **Reply URL** textbox, type the URL: + `https://sso.youatcollege.com/Shibboleth.sso/SAML2/POST` ++ c. In the **Sign on URL** textbox, type a URL using the following pattern: + `https://sso.youatcollege.com/idp-<domain>.php` ++ > [!NOTE] + > This value is not real. Update this value with the actual Sign on URL. Contact [YOU at College Client support team](mailto:technology@gritdigitalhealth.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. ++1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ++  ++1. On the **Set up YOU at College** section, copy the appropriate URL(s) based on your requirement. ++  ++## Configure YOU at College SSO ++To configure single sign-on on **YOU at College** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [YOU at College support team](mailto:technology@gritdigitalhealth.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create YOU at College test user ++In this section, a user called B.Simon is created in YOU at College. YOU at College supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in YOU at College, a new one is commonly created after authentication. ++## Test SSO ++In this section, you test your Azure AD single sign-on configuration with following options. ++* Click on **Test this application** in Azure portal. This will redirect to YOU at College Sign-on URL where you can initiate the login flow. ++* Go to YOU at College Sign-on URL directly and initiate the login flow from there. ++* You can use Microsoft My Apps. When you select the YOU at College tile in the My Apps, this will redirect to YOU at College Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Additional resources ++* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) +* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md). ++## Next steps ++Once you configure YOU at College you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad). |
active-directory | Zeroheight Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zeroheight-tutorial.md | Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with zeroheight | Microsoft Docs' + Title: 'Tutorial: Azure Active Directory SSO integration with zeroheight' description: Learn how to configure single sign-on between Azure Active Directory and zeroheight. -# Tutorial: Azure Active Directory single sign-on (SSO) integration with zeroheight +# Tutorial: Azure Active Directory SSO integration with zeroheight -In this tutorial, you'll learn how to integrate zeroheight with Azure Active Directory (Azure AD). When you integrate zeroheight with Azure AD, you can: +In this tutorial, you learn how to integrate zeroheight with Azure Active Directory (Azure AD). When you integrate zeroheight with Azure AD, you can: * Control in Azure AD who has access to zeroheight. * Enable your users to be automatically signed-in to zeroheight with their Azure AD accounts. Follow these steps to enable Azure AD SSO in the Azure portal. `https://zeroheight.com/sso` > [!NOTE]- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [zeroheight Client support team](mailto:support@zeroheight.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + > These values are not real. Update these values with the actual Identifier and Reply URL. These values will be generated for you in your account. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 1. The zeroheight application expects the SAML assertions in a specific format and requires you to add custom attribute mappings to your SAML token attributes configuration. Find the following section with the default attributes. In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure zeroheight SSO -To configure single sign-on on **zeroheight** side, you need to send the **App Federation Metadata Url** to [zeroheight support team](mailto:support@zeroheight.com). They set this setting to have the SAML SSO connection set properly on both sides. +To configure single sign-on on **zeroheight** side, you need to paste the **App Federation Metadata Url** into your browser and download the XML file. Then you will need to extract the Identity Provider Single Sign-On URL and X.509 Certificate from it. Ask your IT team if you are unsure. ### Create zeroheight test user |
advisor | Advisor Alerts Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-alerts-arm.md | Title: Create Azure Advisor alerts for new recommendations using Resource Manager template description: Learn how to set up an alert for new recommendations from Azure Advisor using an Azure Resource Manager template (ARM template). -+ Last updated 06/29/2020 |
advisor | Advisor Alerts Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-alerts-bicep.md | description: Learn how to set up an alert for new recommendations from Azure Adv -+ Last updated 04/26/2022 |
aks | Api Server Vnet Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/api-server-vnet-integration.md | |
aks | Azure Ad Integration Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-integration-cli.md | Title: Integrate Azure Active Directory with Azure Kubernetes Service (legacy) description: Learn how to use the Azure CLI to create and Azure Active Directory-enabled Azure Kubernetes Service (AKS) cluster (legacy) + Last updated 11/11/2021 - # Integrate Azure Active Directory with Azure Kubernetes Service using the Azure CLI (legacy) |
aks | Azure Ad Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-rbac.md | Title: Use Azure AD and Kubernetes RBAC for clusters description: Learn how to use Azure Active Directory group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in Azure Kubernetes Service (AKS) + Last updated 02/13/2023- # Use Kubernetes role-based access control with Azure Active Directory in Azure Kubernetes Service az ad group delete --group opssre [rbac-authorization]: concepts-identity.md#kubernetes-rbac [operator-best-practices-identity]: operator-best-practices-identity.md [terraform-on-azure]: /azure/developer/terraform/overview-[enable-azure-ad-integration-existing-cluster]: managed-aad.md#enable-aks-managed-azure-ad-integration-on-your-existing-cluster +[enable-azure-ad-integration-existing-cluster]: managed-aad.md#enable-aks-managed-azure-ad-integration-on-your-existing-cluster |
aks | Azure Blob Csi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-blob-csi.md | Title: Use Container Storage Interface (CSI) driver for Azure Blob storage on Azure Kubernetes Service (AKS) description: Learn how to use the Container Storage Interface (CSI) driver for Azure Blob storage in an Azure Kubernetes Service (AKS) cluster. Previously updated : 01/18/2023 Last updated : 03/09/2023 When you mount Azure Blob storage as a file system into a container or pod, it e The data on the object storage can be accessed by applications using BlobFuse or Network File System (NFS) 3.0 protocol. Before the introduction of the Azure Blob storage CSI driver, the only option was to manually install an unsupported driver to access Blob storage from your application running on AKS. When the Azure Blob storage CSI driver is enabled on AKS, there are two built-in storage classes: *azureblob-fuse-premium* and *azureblob-nfs-premium*. -> [!NOTE] -> Azure Blob CSI driver only supports NFS 3.0 protocol for Kubernetes versions 1.25 on AKS. - To create an AKS cluster with CSI drivers support, see [CSI drivers on AKS][csi-drivers-aks]. To learn more about the differences in access between each of the Azure storage types using the NFS protocol, see [Compare access to Azure Files, Blob Storage, and Azure NetApp Files with NFS][compare-access-with-nfs]. ## Azure Blob storage CSI driver features |
aks | Azure Cni Overlay | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overlay.md | Use the traditional VNet option when: ## Limitations with Azure CNI Overlay -The overlay solution has the following limitations: +Azure CNI Overlay has the following limitations: -* Overlay can be enabled only for new clusters. Existing (already deployed) clusters can't be configured to use overlay. * You can't use Application Gateway as an Ingress Controller (AGIC) for an overlay cluster. * Windows Server 2019 node pools are not supported for overlay. az aks create -n $clusterName -g $resourceGroup --location $location --network-p To update an existing cluster to use Azure CNI overlay, there are a couple prerequisites: -1. The cluster must use Azure CNI without the pod subnet feature. -1. The cluster is _not_ using network policies. -1. The Overlay Pod CIDR needs to be an address range that _does not_ overlap with the existing cluster's VNet. +* The cluster must use Azure CNI without the pod subnet feature. +* The cluster is _not_ using network policies. +* The Overlay Pod CIDR needs to be an address range that _does not_ overlap with the existing cluster's VNet. +* If you have subnet Network Security Group rules, they must allow traffic to and from the Pod CIDR (refer to the [network security groups](#network-security-groups) section in this document for more information). To update a cluster, run the following Azure CLI command. |
aks | Azure Cni Powered By Cilium | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-powered-by-cilium.md | Learn more about networking in AKS in the following articles: [aks-ingress-internal]: ingress-internal-ip.md [az-provider-register]: /cli/azure/provider#az-provider-register [az-feature-register]: /cli/azure/feature#az-feature-register-[az-feature-show]: /cli/azure/feature#az-feature-show +[az-feature-show]: /cli/azure/feature#az-feature-show |
aks | Azure Csi Disk Storage Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-disk-storage-provision.md | Title: Create a persistent volume with Azure Disks in Azure Kubernetes Service ( description: Learn how to create a static or dynamic persistent volume with Azure Disks for use with multiple concurrent pods in Azure Kubernetes Service (AKS) + Last updated 01/18/2023 configuration file created in the previous steps: [disk-encryption]: ../virtual-machines/windows/disk-encryption.md [azure-disk-write-accelerator]: ../virtual-machines/windows/how-to-enable-write-accelerator.md [on-demand-bursting]: ../virtual-machines/disk-bursting.md-[customer-usage-attribution]: ../marketplace/azure-partner-customer-usage-attribution.md +[customer-usage-attribution]: ../marketplace/azure-partner-customer-usage-attribution.md |
aks | Azure Csi Files Storage Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-files-storage-provision.md | Title: Create a persistent volume with Azure Files in Azure Kubernetes Service ( description: Learn how to create a static or dynamic persistent volume with Azure Files for use with multiple concurrent pods in Azure Kubernetes Service (AKS) + Last updated 01/18/2023 |
aks | Azure Disk Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-disk-customer-managed-keys.md | Title: Use a customer-managed key to encrypt Azure disks in Azure Kubernetes Service (AKS) description: Bring your own keys (BYOK) to encrypt AKS OS and Data disks. + Last updated 07/18/2022- # Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service (AKS) |
aks | Azure Files Csi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-files-csi.md | In addition to the original in-tree driver features, Azure Files CSI driver supp |Name | Meaning | Available Value | Mandatory | Default value | | | | | |skuName | Azure Files storage account type (alias: `storageAccountType`)| `Standard_LRS`, `Standard_ZRS`, `Standard_GRS`, `Standard_RAGRS`, `Standard_RAGZRS`,`Premium_LRS`, `Premium_ZRS` | No | `StandardSSD_LRS`<br> Minimum file share size for Premium account type is 100 GiB.<br> ZRS account type is supported in limited regions.<br> NFS file share only supports Premium account type.|-|fsType | File System Type | `ext4`, `ext3`, `ext2`, `xfs`| Yes | `ext4` for Linux| |location | Specify Azure region where Azure storage account will be created. | For example, `eastus`. | No | If empty, driver uses the same location name as current AKS cluster.| |resourceGroup | Specify the resource group where the Azure Disks will be created. | Existing resource group name | No | If empty, driver uses the same resource group name as current AKS cluster.| |shareName | Specify Azure file share name | Existing or new Azure file share name. | No | If empty, driver generates an Azure file share name. | |shareNamePrefix | Specify Azure file share name prefix created by driver. | Share name can only contain lowercase letters, numbers, hyphens, and length should be fewer than 21 characters. | No | |folderName | Specify folder name in Azure file share. | Existing folder name in Azure file share. | No | If folder name does not exist in file share, mount will fail. | |shareAccessTier | [Access tier for file share][storage-tiers] | General purpose v2 account can choose between `TransactionOptimized` (default), `Hot`, and `Cool`. Premium storage account type for file shares only. | No | Empty. Use default setting for different storage account types.|-|accountAccessTier | [Access tier for storage account][access-tiers-overview] | Standard account can choose `Hot` or `Cool`, and Premium account can only choose `Premium`. | No | Empty. Use default setting for different storage account types. | |server | Specify Azure storage account server address | Existing server address, for example `accountname.privatelink.file.core.windows.net`. | No | If empty, driver uses default `accountname.file.core.windows.net` or other sovereign cloud account address. | |disableDeleteRetentionPolicy | Specify whether disable DeleteRetentionPolicy for storage account created by driver. | `true` or `false` | No | `false` | |allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver. | `true` or `false` | No | `false` | This option is optimized for random access workloads with in-place data updates ### Prerequisites -- Your AKS cluster *Control plane* identity (that is, your AKS cluster name) is added to the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role in the resource group hosting the VNet.+- Your AKS cluster *Control plane* identity (that is, your AKS cluster name) is added to the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role on the VNet and NetworkSecurityGroup. - Your AKS cluster's service principal or managed service identity (MSI) must be added to the Contributor role to the storage account. > [!NOTE] |
aks | Azure Hpc Cache | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-hpc-cache.md | description: Learn how to integrate HPC Cache with Azure Kubernetes Service + Last updated 09/08/2021- #Customer intent: As a cluster operator or developer, I want to learn how to integrate HPC Cache with AKS |
aks | Azure Netapp Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files.md | Title: Provision Azure NetApp Files volumes on Azure Kubernetes Service description: Learn how to provision Azure NetApp Files volumes on an Azure Kubernetes Service cluster. + Last updated 02/08/2023 |
aks | Certificate Rotation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/certificate-rotation.md | Title: Certificate Rotation in Azure Kubernetes Service (AKS) description: Learn certificate rotation in an Azure Kubernetes Service (AKS) cluster. + Last updated 01/19/2023 |
aks | Cluster Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-configuration.md | Title: Cluster configuration in Azure Kubernetes Services (AKS) description: Learn how to configure a cluster in Azure Kubernetes Service (AKS) + Last updated 02/16/2023 az aks update -n aks -g myResourceGroup --disable-node-restriction [aks-add-np-containerd]: ./learn/quick-windows-container-deploy-cli.md#add-a-windows-server-node-pool-with-containerd [az-aks-create]: /cli/azure/aks#az-aks-create [az-aks-update]: /cli/azure/aks#az-aks-update-[baseline-reference-architecture-aks]: /azure/architecture/reference-architectures/containers/aks/baseline-aks +[baseline-reference-architecture-aks]: /azure/architecture/reference-architectures/containers/aks/baseline-aks |
aks | Cluster Container Registry Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-container-registry-integration.md | |
aks | Cluster Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-extensions.md | Title: Cluster extensions for Azure Kubernetes Service (AKS) description: Learn how to deploy and manage the lifecycle of extensions on Azure Kubernetes Service (AKS)-+ Last updated 09/29/2022 az k8s-extension delete --name azureml --cluster-name <clusterName> --resource-g [use-azure-ad-pod-identity]: use-azure-ad-pod-identity.md <!-- EXTERNAL -->-[arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc®ions=all +[arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc®ions=all |
aks | Configure Kube Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kube-proxy.md | Title: Configure kube-proxy (iptables/IPVS) (preview) description: Learn how to configure kube-proxy to utilize different load balancing configurations with Azure Kubernetes Service (AKS). + Last updated 10/25/2022 - #Customer intent: As a cluster operator, I want to utilize a different kube-proxy configuration. Learn more about Kubernetes services at the [Kubernetes services documentation][ [aks-byo-cni]: use-byo-cni.md [az-provider-register]: /cli/azure/provider#az-provider-register [az-feature-register]: /cli/azure/feature#az-feature-register-[az-feature-show]: /cli/azure/feature#az-feature-show +[az-feature-show]: /cli/azure/feature#az-feature-show |
aks | Configure Kubenet Dual Stack | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kubenet-dual-stack.md | description: Learn how to configure dual-stack kubenet networking in Azure Kuber + Last updated 12/15/2021 |
aks | Configure Kubenet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kubenet.md | description: Learn how to configure kubenet (basic) network in Azure Kubernetes + Last updated 10/26/2022 |
aks | Control Kubeconfig Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/control-kubeconfig-access.md | Title: Limit access to kubeconfig in Azure Kubernetes Service (AKS) description: Learn how to control access to the Kubernetes configuration file (kubeconfig) for cluster administrators and cluster users + Last updated 05/06/2020- # Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS) For enhanced security on access to AKS clusters, [integrate Azure Active Directo [az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create [az-role-assignment-delete]: /cli/azure/role/assignment#az_role_assignment_delete [aad-integration]: ./azure-ad-integration-cli.md-[az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show +[az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show |
aks | Custom Certificate Authority | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/custom-certificate-authority.md | description: Learn how to use a custom certificate authority (CA) in an Azure Ku + Last updated 4/12/2022 For more information on AKS security best practices, see [Best practices for clu [az-extension-update]: /cli/azure/extension#az-extension-update [az-feature-show]: /cli/azure/feature#az-feature-show [az-feature-register]: /cli/azure/feature#az-feature-register-[az-provider-register]: /cli/azure/provider#az-provider-register +[az-provider-register]: /cli/azure/provider#az-provider-register |
aks | Dapr Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-overview.md | description: Learn more about using Dapr on your Azure Kubernetes Service (AKS) Last updated 10/11/2022-+ # Dapr |
aks | Deploy Marketplace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-marketplace.md | If you experience issues, see the [troubleshooting checklist for failed deployme [azure-marketplace]: /marketplace/azure-marketplace-overview [cluster-extensions]: ./cluster-extensions.md [billing]: ../cost-management-billing/costs/quick-acm-cost-analysis.md-[marketplace-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer +[marketplace-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer |
aks | Enable Host Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-host-encryption.md | Title: Enable host-based encryption on Azure Kubernetes Service (AKS) description: Learn how to configure a host-based encryption in an Azure Kubernetes Service (AKS) cluster Last updated 04/26/2021 -+ ms.devlang: azurecli-- # Host-based encryption on Azure Kubernetes Service (AKS) |
aks | Gpu Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/gpu-cluster.md | Title: Use GPUs on Azure Kubernetes Service (AKS) description: Learn how to use GPUs for high performance compute or graphics-intensive workloads on Azure Kubernetes Service (AKS) -+ Last updated 08/06/2021 #Customer intent: As a cluster administrator or developer, I want to create an AKS cluster that can use high-performance GPU-based VMs for compute-intensive workloads. |
aks | Howto Deploy Java Liberty App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-liberty-app.md | |
aks | Http Application Routing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-application-routing.md | Title: HTTP application routing add-on on Azure Kubernetes Service (AKS) description: Use the HTTP application routing add-on to access applications deployed on Azure Kubernetes Service (AKS). + Last updated 04/23/2021 |
aks | Image Cleaner | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/image-cleaner.md | description: Learn how to use Image Cleaner to clean up stale images on Azure Ku + Last updated 03/02/2023 |
aks | Ingress Basic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ingress-basic.md | description: Learn how to create and configure an ingress controller in an Azure + Last updated 02/23/2023 |
aks | Ingress Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ingress-tls.md | Title: Use TLS with an ingress controller on Azure Kubernetes Service (AKS) description: Learn how to install and configure an ingress controller that uses TLS in an Azure Kubernetes Service (AKS) cluster. + Last updated 01/20/2023- #Customer intent: As a cluster operator or developer, I want to use TLS with an ingress controller to handle the flow of incoming traffic and secure my apps using my own certificates or automatically generated certificates. |
aks | Keda Deploy Add On Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-arm.md | Title: Install the Kubernetes Event-driven Autoscaling (KEDA) add-on by using an description: Use an ARM template to deploy the Kubernetes Event-driven Autoscaling (KEDA) add-on to Azure Kubernetes Service (AKS). + Last updated 10/10/2022 |
aks | Keda Deploy Add On Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-cli.md | |
aks | Quick Kubernetes Deploy Rm Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-rm-template.md | Title: Quickstart - Create an Azure Kubernetes Service (AKS) cluster description: Learn how to quickly create a Kubernetes cluster using an Azure Resource Manager template and deploy an application in Azure Kubernetes Service (AKS) Last updated 11/01/2022-+ #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure. |
aks | Quick Windows Container Deploy Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-cli.md | Title: Create a Windows Server container on an AKS cluster by using Azure CLI description: Learn how to quickly create a Kubernetes cluster, deploy an application in a Windows Server container in Azure Kubernetes Service (AKS) using the Azure CLI. -+ Last updated 11/01/2022 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy a Windows Server container so that I can see how to run applications running on a Windows Server container using the managed Kubernetes service in Azure. |
aks | Tutorial Kubernetes Workload Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/tutorial-kubernetes-workload-identity.md | Title: Tutorial - Use a workload identity with an application on Azure Kubernetes Service (AKS) description: In this Azure Kubernetes Service (AKS) tutorial, you deploy an Azure Kubernetes Service cluster and configure an application to use a workload identity. + Last updated 01/11/2023 |
aks | Limit Egress Traffic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/limit-egress-traffic.md | Title: Restrict egress traffic in Azure Kubernetes Service (AKS) description: Learn what ports and addresses are required to control egress traffic in Azure Kubernetes Service (AKS) + Last updated 07/26/2022 - #Customer intent: As an cluster operator, I want to restrict egress traffic for nodes to only access defined ports and addresses and improve cluster security. |
aks | Load Balancer Standard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/load-balancer-standard.md | Title: Use a public load balancer description: Learn how to use a public load balancer with a Standard SKU to expose your services with Azure Kubernetes Service (AKS). + Last updated 02/22/2023 - #Customer intent: As a cluster operator or developer, I want to learn how to create a service in AKS that uses an Azure Load Balancer with a Standard SKU. To learn more about using internal load balancer for inbound traffic, see the [A [service-tags]: ../virtual-network/network-security-groups-overview.md#service-tags [maxsurge]: upgrade-cluster.md#customize-node-surge-upgrade [az-lb]: ../load-balancer/load-balancer-overview.md-[alb-outbound-rules]: ../load-balancer/outbound-rules.md +[alb-outbound-rules]: ../load-balancer/outbound-rules.md |
aks | Manage Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-azure-rbac.md | Title: Use Azure RBAC for Kubernetes Authorization description: Learn how to use Azure role-based access control (Azure RBAC) for Kubernetes Authorization with Azure Kubernetes Service (AKS). + Last updated 03/02/2023 - #Customer intent: As a cluster operator or developer, I want to learn how to leverage Azure RBAC permissions to authorize actions within the AKS cluster. |
aks | Managed Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/managed-aad.md | Title: Use Azure AD in Azure Kubernetes Service description: Learn how to use Azure AD in Azure Kubernetes Service (AKS) + Last updated 01/23/2023 |
aks | Nat Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/nat-gateway.md | |
aks | Node Image Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-image-upgrade.md | Title: Upgrade Azure Kubernetes Service (AKS) node images description: Learn how to upgrade the images on AKS cluster nodes and node pools. + Last updated 11/25/2020 |
aks | Node Pool Snapshot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-pool-snapshot.md | Title: Snapshot Azure Kubernetes Service (AKS) node pools description: Learn how to snapshot AKS cluster node pools and create clusters and node pools from a snapshot. + Last updated 09/11/2020 - # Azure Kubernetes Service (AKS) node pool snapshot |
aks | Operator Best Practices Multi Region | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-multi-region.md | Title: Best practices for AKS business continuity and disaster recovery -description: Learn a cluster operator's best practices to achieve maximum uptime for your applications, providing high availability and preparing for disaster recovery in Azure Kubernetes Service (AKS). + Title: Best practices for business continuity and disaster recovery in Azure Kubernetes Service (AKS) +description: Best practices for a cluster operator to achieve maximum uptime for your applications and to provide high availability and prepare for disaster recovery in Azure Kubernetes Service (AKS). Previously updated : 03/11/2021- Last updated : 03/08/2023 #Customer intent: As an AKS cluster operator, I want to plan for business continuity or disaster recovery to help protect my cluster from region problems. As you manage clusters in Azure Kubernetes Service (AKS), application uptime bec This article focuses on how to plan for business continuity and disaster recovery in AKS. You learn how to: > [!div class="checklist"]+ > * Plan for AKS clusters in multiple regions.-> * Route traffic across multiple clusters by using Azure Traffic Manager. +> * Route traffic across multiple clusters using Azure Traffic Manager. > * Use geo-replication for your container image registries. > * Plan for application state across multiple clusters. > * Replicate storage across multiple regions. This article focuses on how to plan for business continuity and disaster recover An AKS cluster is deployed into a single region. To protect your system from region failure, deploy your application into multiple AKS clusters across different regions. When planning where to deploy your AKS cluster, consider: * [**AKS region availability**](./quotas-skus-regions.md#region-availability)- * Choose regions close to your users. + * Choose regions close to your users. * AKS continually expands into new regions.+ * [**Azure paired regions**](../availability-zones/cross-region-replication-azure.md) * For your geographic area, choose two regions paired together.- * AKS platform updates (planned maintenance) are serialized with a delay of at least 24 hours between paired regions. - * Recovery efforts for paired regions are prioritized where needed. + * AKS platform updates (planned maintenance) are serialized with a delay of at least 24 hours between paired regions. + * Recovery efforts for paired regions are prioritized where needed. + * **Service availability** * Decide whether your paired regions should be hot/hot, hot/warm, or hot/cold.- * Do you want to run both regions at the same time, with one region *ready* to start serving traffic? Or, + * Do you want to run both regions at the same time, with one region *ready* to start serving traffic? *or* * Do you want to give one region time to get ready to serve traffic? AKS region availability and paired regions are a joint consideration. Deploy your AKS clusters into paired regions designed to manage region disaster recovery together. For example, AKS is available in East US and West US. These regions are paired. Choose these two regions when you're creating an AKS BC/DR strategy. For information on how to set up endpoints and routing, see [Configure priority ### Application routing with Azure Front Door Service Using split TCP-based anycast protocol, [Azure Front Door Service](../frontdoor/front-door-overview.md) promptly connects your end users to the nearest Front Door POP (Point of Presence). More features of Azure Front Door Service:+ * TLS termination * Custom domain * Web application firewall * URL Rewrite-* Session affinity +* Session affinity Review the needs of your application traffic to understand which solution is the most suitable. Before peering virtual networks with running AKS clusters, use the standard Load ## Enable geo-replication for container images > **Best practice**-> +> > Store your container images in Azure Container Registry and geo-replicate the registry to each AKS region. -To deploy and run your applications in AKS, you need a way to store and pull the container images. Container Registry integrates with AKS, so it can securely store your container images or Helm charts. Container Registry supports multimaster geo-replication to automatically replicate your images to Azure regions around the world. +To deploy and run your applications in AKS, you need a way to store and pull the container images. Container Registry integrates with AKS, so it can securely store your container images or Helm charts. Container Registry supports multimaster geo-replication to automatically replicate your images to Azure regions around the world. -To improve performance and availability: -1. Use Container Registry geo-replication to create a registry in each region where you have an AKS cluster. -1. Each AKS cluster then pulls container images from the local container registry in the same region: +To improve performance and availability, use Container Registry geo-replication to create a registry in each region where you have an AKS cluster.Each AKS cluster will then pull container images from the local container registry in the same region.  -When you use Container Registry geo-replication to pull images from the same region, the results are: +Using Container Registry geo-replication to pull images from the same region has the following benefits: * **Faster**: Pull images from high-speed, low-latency network connections within the same Azure region. * **More reliable**: If a region is unavailable, your AKS cluster pulls the images from an available container registry. Geo-replication is a *Premium* SKU container registry feature. For information o ## Remove service state from inside containers > **Best practice**-> +> > Avoid storing service state inside the container. Instead, use an Azure platform as a service (PaaS) that supports multi-region replication. *Service state* refers to the in-memory or on-disk data required by a service to function. State includes the data structures and member variables that the service reads and writes. Depending on how the service is architected, the state might also include files or other resources stored on the disk. For example, the state might include the files a database uses to store data and transaction logs. Geo-replication is a *Premium* SKU container registry feature. For information o State can be either externalized or co-located with the code that manipulates the state. Typically, you externalize state by using a database or other data store that runs on different machines over the network or that runs out of process on the same machine. Containers and microservices are most resilient when the processes that run inside them don't retain state. Since applications almost always contain some state, use a PaaS solution, such as:+ * Azure Cosmos DB * Azure Database for PostgreSQL * Azure Database for MySQL Your applications might use Azure Storage for their data. If so, your applicatio Your applications might require persistent storage even after a pod is deleted. In Kubernetes, you can use persistent volumes to persist data storage. Persistent volumes are mounted to a node VM and then exposed to the pods. Persistent volumes follow pods even if the pods are moved to a different node inside the same cluster. The replication strategy you use depends on your storage solution. The following common storage solutions provide their own guidance about disaster recovery and replication:+ * [Gluster](https://docs.gluster.org/en/latest/Administrator-Guide/Geo-Replication/) * [Ceph](https://docs.ceph.com/docs/master/cephfs/disaster-recovery/) * [Rook](https://rook.io/docs/rook/v1.2/ceph-disaster-recovery.html) |
aks | Out Of Tree | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/out-of-tree.md | Title: Enable Cloud Controller Manager description: Learn how to enable the Out of Tree cloud provider + Last updated 04/08/2022 - # Enable Cloud Controller Manager |
aks | Planned Maintenance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/planned-maintenance.md | Title: Use Planned Maintenance to schedule and control upgrades for your Azure K description: Learn how to use Planned Maintenance to schedule and control cluster and node image upgrades in Azure Kubernetes Service (AKS). + Last updated 01/17/2023 az aks maintenanceconfiguration delete -g myResourceGroup --cluster-name myAKSCl [auto-upgrade]: auto-upgrade-cluster.md [node-image-auto-upgrade]: auto-upgrade-node-image.md [pm-weekly]: ./aks-planned-maintenance-weekly-releases.md- |
aks | Quickstart Event Grid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/quickstart-event-grid.md | Title: Subscribe to Azure Kubernetes Service events with Azure Event Grid description: Use Azure Event Grid to subscribe to Azure Kubernetes Service events + Last updated 07/12/2021 |
aks | Quickstart Helm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/quickstart-helm.md | Title: Develop on Azure Kubernetes Service (AKS) with Helm description: Use Helm with AKS and Azure Container Registry to package and run application containers in a cluster. + Last updated 03/03/2023 |
aks | Rdp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/rdp.md | Title: RDP to AKS Windows Server nodes description: Learn how to create an RDP connection with Azure Kubernetes Service (AKS) cluster Windows Server nodes for troubleshooting and maintenance tasks. + Last updated 07/06/2022-- #Customer intent: As a cluster operator, I want to learn how to use RDP to connect to nodes in an AKS cluster to perform maintenance or troubleshoot a problem. |
aks | Start Stop Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/start-stop-cluster.md | description: Learn how to stop or start an Azure Kubernetes Service (AKS) cluste Last updated 08/09/2021 - # Stop and Start an Azure Kubernetes Service (AKS) cluster If the `ProvisioningState` shows `Starting` that means your cluster hasn't fully [kubernetes-walkthrough-powershell]: kubernetes-walkthrough-powershell.md [stop-azakscluster]: /powershell/module/az.aks/stop-azakscluster [get-azakscluster]: /powershell/module/az.aks/get-azakscluster-[start-azakscluster]: /powershell/module/az.aks/start-azakscluster +[start-azakscluster]: /powershell/module/az.aks/start-azakscluster |
aks | Supported Kubernetes Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/supported-kubernetes-versions.md | |
aks | Tutorial Kubernetes App Update | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-app-update.md | Title: Kubernetes on Azure tutorial - Update an application description: In this Azure Kubernetes Service (AKS) tutorial, you learn how to update an existing application deployment to AKS with a new version of the application code. Last updated 12/20/2021---+ #Customer intent: As a developer, I want to learn how to update an existing application deployment in an Azure Kubernetes Service (AKS) cluster so that I can maintain the application lifecycle. |
aks | Tutorial Kubernetes Deploy Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-deploy-application.md | Title: Kubernetes on Azure tutorial - Deploy an application description: In this Azure Kubernetes Service (AKS) tutorial, you deploy a multi-container application to your cluster using a custom image stored in Azure Container Registry. Last updated 01/04/2023--+ #Customer intent: As a developer, I want to learn how to deploy apps to an Azure Kubernetes Service (AKS) cluster so that I can deploy and run my own applications. In the next tutorial, you'll learn how to scale a Kubernetes application and th [azure-powershell-install]: /powershell/azure/install-az-ps [get-azcontainerregistry]: /powershell/module/az.containerregistry/get-azcontainerregistry [gitops-flux-tutorial]: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md?toc=/azure/aks/toc.json-[gitops-flux-tutorial-aks]: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md?toc=/azure/aks/toc.json#for-azure-kubernetes-service-clusters +[gitops-flux-tutorial-aks]: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md?toc=/azure/aks/toc.json#for-azure-kubernetes-service-clusters |
aks | Tutorial Kubernetes Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-scale.md | Title: Kubernetes on Azure tutorial - Scale Application description: In this Azure Kubernetes Service (AKS) tutorial, you learn how to scale nodes and pods in Kubernetes, and implement horizontal pod autoscaling. Last updated 05/24/2021---+ #Customer intent: As a developer or IT pro, I want to learn how to scale my applications in an Azure Kubernetes Service (AKS) cluster so that I can provide high availability or respond to customer demand and application load. |
aks | Upgrade Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-cluster.md | Title: Upgrade an Azure Kubernetes Service (AKS) cluster description: Learn how to upgrade an Azure Kubernetes Service (AKS) cluster to get the latest features and security updates. -+ Last updated 12/17/2020 To confirm that the upgrade was successful, navigate to your AKS cluster in the When you upgrade your cluster, the following Kubernetes events may occur on each node: - Surge ΓÇô Create surge node.-- Drain ΓÇô Pods are being evicted from the node. Each pod has a 30-minute timeout to complete the eviction.+- Drain ΓÇô Pods are being evicted from the node. Each pod has a 30-second timeout to complete the eviction. - Update ΓÇô Update of a node has succeeded or failed. - Delete ΓÇô Deleted a surge node. |
aks | Use Azure Ad Pod Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-ad-pod-identity.md | Title: Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview) description: Learn how to use Azure AD pod-managed identities in Azure Kubernetes Service (AKS) + Last updated 11/01/2022- # Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview) |
aks | Use Azure Dedicated Hosts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-dedicated-hosts.md | Title: Use Azure Dedicated Hosts in Azure Kubernetes Service (AKS) description: Learn how to create an Azure Dedicated Hosts Group and associate it with Azure Kubernetes Service (AKS) + Last updated 12/01/2022 |
aks | Use Group Managed Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-group-managed-service-accounts.md | Title: Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster description: Learn how to enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster for securing your pods. + Last updated 11/01/2021 |
aks | Use Kms Etcd Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-kms-etcd-encryption.md | Title: Use Key Management Service (KMS) etcd encryption in Azure Kubernetes Service (AKS) description: Learn how to use the Key Management Service (KMS) etcd encryption with Azure Kubernetes Service (AKS) + Last updated 02/20/2023 |
aks | Use Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md | Title: Use a managed identity in Azure Kubernetes Service description: Learn how to use a system-assigned or user-assigned managed identity in Azure Kubernetes Service (AKS) + Last updated 11/08/2022 |
aks | Use Multiple Node Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-multiple-node-pools.md | Title: Use multiple node pools in Azure Kubernetes Service (AKS) description: Learn how to create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS) -+ Last updated 05/16/2022 |
aks | Use Network Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-network-policies.md | Title: Secure pod traffic with network policy description: Learn how to secure traffic that flows in and out of pods by using Kubernetes network policies in Azure Kubernetes Service (AKS) + Last updated 01/05/2023- # Secure traffic between pods using network policies in Azure Kubernetes Service (AKS) |
aks | Use Node Public Ips | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-node-public-ips.md | Title: Use instance-level public IPs in Azure Kubernetes Service (AKS) description: Learn how to manage instance-level public IPs Azure Kubernetes Service (AKS) + Last updated 1/12/2023 Containers: [use-labels]: use-labels.md [cordon-and-drain]: resize-node-pool.md#cordon-the-existing-nodes [internal-lb-different-subnet]: internal-lb.md#specify-a-different-subnet-[drain-nodes]: resize-node-pool.md#drain-the-existing-nodes +[drain-nodes]: resize-node-pool.md#drain-the-existing-nodes |
aks | Use System Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-system-pools.md | Title: Use system node pools in Azure Kubernetes Service (AKS) description: Learn how to create and manage system node pools in Azure Kubernetes Service (AKS) Last updated 11/22/2022-+ # Manage system node pools in Azure Kubernetes Service (AKS) |
aks | Use Tags | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-tags.md | Title: Use Azure tags in Azure Kubernetes Service (AKS) description: Learn how to use Azure provider tags to track resources in Azure Kubernetes Service (AKS). + Last updated 05/26/2022 |
aks | Use Wasi Node Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-wasi-node-pools.md | Title: Create WebAssembly System Interface (WASI) node pools in Azure Kubernetes Service (AKS) to run your WebAssembly (WASM) workload (preview) description: Learn how to create a WebAssembly System Interface (WASI) node pool in Azure Kubernetes Service (AKS) to run your WebAssembly (WASM) workload on Kubernetes. + Last updated 10/19/2022 |
aks | Vertical Pod Autoscaler | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/vertical-pod-autoscaler.md | Title: Vertical Pod Autoscaling (preview) in Azure Kubernetes Service (AKS) description: Learn how to vertically autoscale your pod on an Azure Kubernetes Service (AKS) cluster. + Last updated 01/12/2023 |
aks | Web App Routing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/web-app-routing.md | Title: Web Application Routing add-on on Azure Kubernetes Service (AKS) (Preview) description: Use the Web Application Routing add-on to securely access applications deployed on Azure Kubernetes Service (AKS). + Last updated 05/13/2021 |
aks | Workload Identity Deploy Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-deploy-cluster.md | Title: Deploy and configure an Azure Kubernetes Service (AKS) cluster with workload identity (preview) description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with an Azure AD workload identity (preview). + Last updated 01/11/2023 |
aks | Workload Identity Migrate From Pod Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-migrate-from-pod-identity.md | Title: Modernize your Azure Kubernetes Service (AKS) application to use workload identity (preview) description: In this Azure Kubernetes Service (AKS) article, you learn how to configure your Azure Kubernetes Service pod to authenticate with workload identity. + Last updated 02/08/2023 |
aks | Workload Identity Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-overview.md | If you've used [Azure AD pod-managed identity][use-azure-ad-pod-identity], think |`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. | |`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. | |`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an Azure AD token on behalf of the user with federated identity credential. |true |-|`azure.workload.identity/proxy-sidecar-port` |Represents the port of the proxy sidecar. |8080 | +|`azure.workload.identity/proxy-sidecar-port` |Represents the port of the proxy sidecar. |8000 | <sup>1</sup> Takes precedence if the service account is also annotated. |
analysis-services | Analysis Services Create Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-template.md | Last updated 01/26/2023 tags: azure-resource-manager-+ #Customer intent: As a BI developer who is new to Azure, I want to use Azure Analysis Services to store and manage my organizations data models. |
analysis-services | Analysis Services Server Admins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-server-admins.md | |
analysis-services | Analysis Services Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-service-principal.md | |
api-management | Api Management Get Started Publish Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-get-started-publish-versions.md | description: Follow the steps of this tutorial to learn how to publish multiple -+ Last updated 02/10/2021 - # Tutorial: Publish multiple versions of your API |
api-management | Api Management Howto Developer Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-developer-portal.md | |
api-management | Api Management Howto Properties | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-properties.md | Title: How to use named values in Azure API Management policies description: Learn how to use named values in Azure API Management policies. Named values can contain literal strings, policy expressions, and secrets stored in Azure Key Vault. Last updated 01/13/2023 -+ # Use named values in Azure API Management policies |
api-management | Api Management Howto Use Managed Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-managed-service-identity.md | API Management is a trusted Microsoft service to the following resources. This a |Azure Key Vault | [Trusted-access-to-azure-key-vault](../key-vault/general/overview-vnet-service-endpoints.md#trusted-services)| |Azure Storage | [Trusted-access-to-azure-storage](../storage/common/storage-network-security.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)| |Azure Service Bus | [Trusted-access-to-azure-service-bus](../service-bus-messaging/service-bus-ip-filtering.md#trusted-microsoft-services)|-|Azure Event Hubs | [Trused-access-to-azure-event-hub](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)| +|Azure Event Hubs | [Trusted-access-to-azure-event-hub](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)| ## Create a user-assigned managed identity |
api-management | Api Management Using With Internal Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-using-with-internal-vnet.md | Learn more about: [Common network configuration problems]: virtual-network-reference.md [ServiceTags]: ../virtual-network/network-security-groups-overview.md#service-tags- |
api-management | Api Management Using With Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-using-with-vnet.md | |
api-management | How To Configure Service Fabric Backend | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-service-fabric-backend.md | Title: Set up Service Fabric backend in Azure API Management | Microsoft Docs description: How to create a Service Fabric service backend in Azure API Management using the Azure portal Last updated 01/29/2021 - # Set up a Service Fabric backend in API Management using the Azure portal |
app-service | App Service Ip Restrictions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/app-service-ip-restrictions.md | |
app-service | App Service Web Tutorial Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/app-service-web-tutorial-custom-domain.md | keywords: app service, azure app service, domain mapping, domain name, existing ms.assetid: dc446e0e-0958-48ea-8d99-441d2b947a7c Last updated 01/31/2023-+ # Map an existing custom DNS name to Azure App Service If you receive a `Page not secure` warning or error, it's because your domain do > [!div class="nextstepaction"] > [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](configure-ssl-bindings.md)- |
app-service | Configure Common | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-common.md | keywords: azure app service, web app, app settings, environment variables ms.assetid: 9af8a367-7d39-4399-9941-b80cbc5f39a0 Last updated 07/11/2022-+ ms.devlang: azurecli- # Configure an App Service app |
app-service | Configure Vnet Integration Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-vnet-integration-enable.md | keywords: vnet integration + Last updated 02/13/2023 ms.tool: azure-cli, azure-powershell $webApp | Set-AzResource -Force ## Next steps - [Configure virtual network integration routing](./configure-vnet-integration-routing.md)-- [General networking overview](./networking-features.md)+- [General networking overview](./networking-features.md) |
app-service | Deploy Configure Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-configure-credentials.md | description: Learn what types of deployment credentials are in Azure App Service Last updated 02/11/2021 --+ # Configure deployment credentials for Azure App Service |
app-service | Deploy Ftp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-ftp.md | ms.assetid: ae78b410-1bc0-4d72-8fc4-ac69801247ae Last updated 02/26/2021 --+ # Deploy your app to Azure App Service using FTP/S |
app-service | Deploy Resource Manager Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-resource-manager-template.md | |
app-service | Deploy Zip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-zip.md | description: Learn to deploy various app packages or discrete libraries, static Last updated 08/13/2021 --+ # Deploy files to App Service |
app-service | Create From Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/create-from-template.md | ms.assetid: 6eb7d43d-e820-4a47-818c-80ff7d3b6f8e Last updated 01/20/2023 -+ # Create an ASE by using an Azure Resource Manager template However, just like apps that run on the public multitenant service, developers c [ASEv1Intro]: app-service-app-service-environment-intro.md [Pricing]: https://azure.microsoft.com/pricing/details/app-service/ [ARMOverview]: ../../azure-resource-manager/management/overview.md-[ConfigureSSL]: ../../app-service/configure-ssl-certificate.md +[ConfigureSSL]: ../../app-service/configure-ssl-certificate.md |
app-service | Creation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/creation.md | Title: Create an App Service Environment description: Learn how to create an App Service Environment. Previously updated : 11/15/2021 Last updated : 03/09/2023 Before you deploy your App Service Environment, think about the virtual IP (VIP) With an *internal VIP*, an address in your App Service Environment subnet reaches your apps. Your apps aren't on a public DNS. When you create your App Service Environment in the Azure portal, you have an option to create an Azure private DNS zone for your App Service Environment. With an *external VIP*, your apps are on an address facing the public internet, and they're in a public DNS. For both *internal VIP* and *external VIP* you can specify *Inbound IP address*, you can select *Automatic* or *Manual* options. If you want to use the *Manual* option for an *external VIP*, you must first create a standard *Public IP address* in Azure. -For the deployment type, you can choose *single zone*, *zone redundant*, or *host group*. The single zone is available in all regions where App Service Environment v3 is available. With the single zone deployment type, you have a minimum charge in your App Service plan of one instance of Windows Isolated v2. As soon as you've one or more instances, then that charge goes away. It isn't an additive charge. +For the deployment type, you can choose *single zone*, *zone redundant*, or *host group*. The single zone is available in all regions where App Service Environment v3 is available. With the single zone deployment type, you have a minimum charge in your App Service plan of one instance of Windows Isolated v2. As soon as you use one or more instances, then that charge goes away. It isn't an additive charge. In a zone redundant App Service Environment, your apps spread across three zones in the same region. Zone redundant is available in regions that support availability zones. With this deployment type, the smallest size for your App Service plan is three instances. That ensures that there's an instance in each availability zone. App Service plans can be scaled up one or more instances at a time. Scaling doesn't need to be in units of three, but the app is only balanced across all availability zones when the total instances are multiples of three. Here's how:  -3. From the **Hosting** tab, for **Physical hardware isolation**, select **Enabled** or **Disabled**. If you enable this option, you can deploy onto dedicated hardware. With a dedicated host deployment, you're charged for two dedicated hosts per our pricing when you create the App Service Environment v3 and then, as you scale, you're charged a specialized Isolated v2 rate per vCore. I1v2 uses two vCores, I2v2 uses four vCores, and I3v2 uses eight vCores per instance. +3. From the **Hosting** tab, for **Physical hardware isolation**, select **Enabled** or **Disabled**. If you enable this option, you can deploy onto dedicated hardware. With a dedicated host deployment, you're charged for two dedicated hosts per our pricing when you create the App Service Environment v3 and then, as you scale, you're charged a specialized Isolated v2 rate per vCore. I1v2 uses two vCores, I2v2 uses four vCores, and I3v2 uses eight vCores per instance. For **Zone redundancy**, select **Enabled** or **Disabled**.  If you're creating an App Service Environment with an external VIP, you can sele When your App Service Environment has been successfully created, you can select it as a location when you're creating your apps. +To learn how to create an App Service Environment from an ARM template, see [Create an App Service Environment by using an Azure Resource Manager template](how-to-create-from-template.md). + <!--Links--> [Intro]: ./overview.md [UsingASE]: ./using.md |
app-service | How To Create From Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/how-to-create-from-template.md | Title: Create an App Service Environment (ASE) v3 with Azure Resource Manager description: Learn how to create an external or ILB App Service Environment v3 by using an Azure Resource Manager template. Previously updated : 01/20/2023 Last updated : 03/09/2023 # Create an App Service Environment by using an Azure Resource Manager template In addition to the core properties, there are other configuration options that y * *name*: Required. This parameter defines a unique App Service Environment name. The name must be no more than 36 characters. * *virtualNetwork -> id*: Required. Specifies the resource ID of the subnet. Subnet must be empty and delegated to Microsoft.Web/hostingEnvironments * *internalLoadBalancingMode*: Required. In most cases, set this property to "Web, Publishing", which means both HTTP/HTTPS traffic and FTP traffic is on an internal VIP (Internal Load Balancer). If this property is set to "None", all traffic remains on the public VIP (External Load Balancer).-* *zoneRedundant*: Optional. Defines with true/false if the App Service Environment will be deployed into Availability Zones (AZ). For more information, see [zone redundancy](./zone-redundancy.md). +* *zoneRedundant*: Optional. Defines with true/false if the App Service Environment will be deployed into Availability Zones (AZ). For more information, see [Regions and availability zones](./overview-zone-redundancy.md). * *dedicatedHostCount*: Optional. In most cases, set this property to 0 or left out. You can set it to 2 if you want to deploy your App Service Environment with physical hardware isolation on dedicated hosts. * *upgradePreference*: Optional. Defines if upgrade is started automatically or a 15 day windows to start the deployment is given. Valid values are "None", "Early", "Late", "Manual". More information [about upgrade preference](./how-to-upgrade-preference.md). * *clusterSettings*: Optional. For more information, see [cluster settings](./app-service-app-service-environment-custom-settings.md). |
app-service | How To Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/how-to-migrate.md | Title: Use the migration feature to migrate your App Service Environment to App description: Learn how to migrate your App Service Environment to App Service Environment v3 using the migration feature + Last updated 12/5/2022 zone_pivot_groups: app-service-cli-portal |
app-service | Manage Create Arc Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/manage-create-arc-environment.md | Title: 'Set up Azure Arc for App Service, Functions, and Logic Apps' description: For your Azure Arc-enabled Kubernetes clusters, learn how to enable App Service apps, function apps, and logic apps. + Last updated 11/02/2021 # Set up an Azure Arc-enabled Kubernetes cluster to run App Service, Functions, and Logic Apps (Preview) |
app-service | Overview Patch Os Runtime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-patch-os-runtime.md | Title: OS and runtime patching cadence description: Learn how Azure App Service updates the OS and runtimes, what runtimes and patch level your apps has, and how you can get update announcements. Last updated 01/21/2021--+ # OS and runtime patching in Azure App Service |
app-service | Quickstart Dotnetcore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-dotnetcore.md | description: Learn how to run web apps in Azure App Service by deploying your fi ms.assetid: b1e6bd58-48d1-4007-9d6c-53fd6db061e3 Last updated 02/08/2022-+ zone_pivot_groups: app-service-ide adobe-target: true adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021 |
app-service | Quickstart Php | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-php.md | |
app-service | Quickstart Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-python.md | Last updated 08/23/2022 ms.devlang: python-+ # Quickstart: Deploy a Python (Django or Flask) web app to Azure App Service |
app-service | Scenario Secure App Access Microsoft Graph As App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md | Last updated 08/19/2022 ms.devlang: csharp--#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities. + +#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities. # Tutorial: Access Microsoft Graph from a secured .NET app as the app |
app-service | Cli Deploy Privateendpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/cli-deploy-privateendpoint.md | description: Learn how to use the Azure CLI to deploy Private Endpoint for your ms.assetid: a56faf72-7237-41e7-85ce-da8346f2bcaa ms.devlang: azurecli+ Last updated 07/06/2020 |
app-service | Template Deploy Private Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/template-deploy-private-endpoint.md | Last updated 07/08/2020 - # Create an App Service app and deploy a private endpoint by using an Azure Resource Manager template |
app-service | Tutorial Connect App Access Microsoft Graph As App Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-microsoft-graph-as-app-javascript.md | Last updated 01/21/2022 ms.devlang: javascript--#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities. + +#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities. # Tutorial: Access Microsoft Graph from a secured JavaScript app as the app |
app-service | Tutorial Dotnetcore Sqldb App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-dotnetcore-sqldb-app.md | |
app-service | Tutorial Java Quarkus Postgresql App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-java-quarkus-postgresql-app.md | |
app-service | Tutorial Java Tomcat Connect Managed Identity Postgresql Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-java-tomcat-connect-managed-identity-postgresql-database.md | |
app-service | Tutorial Networking Isolate Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-networking-isolate-vnet.md | Title: 'Tutorial: Isolate back-end communication with Virtual Network integration' description: Connections from App Service to back-end services are routed through shared network infrastructure with other apps and subscriptions. Learn how to isolate traffic by using Virtual Network integration. + Last updated 10/26/2021 |
app-service | Tutorial Php Mysql App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-php-mysql-app.md | ms.assetid: 14feb4f3-5095-496e-9a40-690e1414bd73 ms.devlang: php Last updated 01/31/2023-+ # Tutorial: Build a PHP and MySQL app in Azure App Service |
app-service | Tutorial Python Postgresql App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-python-postgresql-app.md | description: Create a Python Django or Flask web app with a PostgreSQL database ms.devlang: python Last updated 02/28/2023-+ # Deploy a Python (Django or Flask) web app with PostgreSQL in Azure |
app-service | Tutorial Troubleshoot Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-troubleshoot-monitor.md | description: Learn how Azure Monitor and Log Analytics helps you monitor your Ap + Last updated 06/20/2020- # Tutorial: Troubleshoot an App Service app with Azure Monitor |
application-gateway | Application Gateway Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-diagnostics.md | |
application-gateway | Configuration Listeners | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/configuration-listeners.md | |
application-gateway | Configure Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/configure-web-app.md | description: This article provides guidance on how to configure Application Gate + Last updated 12/05/2022 |
application-gateway | Http Response Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/http-response-codes.md | |
application-gateway | Private Link Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/private-link-configure.md | description: This article shows you how to configure Application Gateway Private + Last updated 05/09/2022 - # Configure Azure Application Gateway Private Link (preview) |
application-gateway | Quick Create Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/quick-create-bicep.md | |
application-gateway | Quick Create Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/quick-create-template.md | |
application-gateway | Redirect External Site Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/redirect-external-site-cli.md | description: Learn how to create an application gateway that redirects external + Last updated 09/24/2020 |
application-gateway | Redirect Http To Https Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/redirect-http-to-https-cli.md | description: Learn how to create an HTTP to HTTPS redirection and add a certific + Last updated 09/24/2020 To accept the security warning if you used a self-signed certificate, select **D ## Next steps -- [Create an application gateway with internal redirection using the Azure CLI](redirect-internal-site-cli.md)+- [Create an application gateway with internal redirection using the Azure CLI](redirect-internal-site-cli.md) |
application-gateway | Redirect Internal Site Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/redirect-internal-site-cli.md | description: Learn how to create an application gateway that redirects internal + Last updated 11/14/2019 |
application-gateway | Renew Certificates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/renew-certificates.md | |
application-gateway | Troubleshoot App Service Redirection App Service Url | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/troubleshoot-app-service-redirection-app-service-url.md | |
application-gateway | Tutorial Ingress Controller Add On Existing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/tutorial-ingress-controller-add-on-existing.md | |
applied-ai-services | How To Create Immersive Reader | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/immersive-reader/how-to-create-immersive-reader.md | The script is designed to be flexible. It will first look for existing Immersive * View the [Android tutorial](./how-to-launch-immersive-reader.md) to see what else you can do with the Immersive Reader SDK using Java or Kotlin for Android * View the [iOS tutorial](./how-to-launch-immersive-reader.md) to see what else you can do with the Immersive Reader SDK using Swift for iOS * View the [Python tutorial](./how-to-launch-immersive-reader.md) to see what else you can do with the Immersive Reader SDK using Python-* Explore the [Immersive Reader SDK](https://github.com/microsoft/immersive-reader-sdk) and the [Immersive Reader SDK Reference](./reference.md) +* Explore the [Immersive Reader SDK](https://github.com/microsoft/immersive-reader-sdk) and the [Immersive Reader SDK Reference](./reference.md) |
applied-ai-services | Security How To Update Role Assignment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/immersive-reader/security-how-to-update-role-assignment.md | |
attestation | Quickstart Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/quickstart-Bicep.md | |
attestation | Quickstart Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/quickstart-template.md | |
automanage | Repair Automanage Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/repair-automanage-account.md | |
automation | Add User Assigned Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/add-user-assigned-identity.md | Title: Using a user-assigned managed identity for an Azure Automation account description: This article describes how to set up a user-assigned managed identity for Azure Automation accounts. + Last updated 10/26/2021 |
automation | Automation Edit Textual Runbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-edit-textual-runbook.md | |
automation | Automation Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-faq.md | Title: Azure Automation FAQ description: This article gives answers to frequently asked questions about Azure Automation. - Last updated 08/25/2021- #Customer intent: As an implementer, I want answers to various questions. |
automation | Automation Hybrid Runbook Worker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-hybrid-runbook-worker.md | |
automation | Automation Linux Hrw Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-linux-hrw-install.md | The file *VERSION* has the version number of Hybrid Runbook Worker. * To learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environment, see [Run runbooks on a Hybrid Runbook Worker](automation-hrw-run-runbooks.md). -* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues - Linux](troubleshoot/hybrid-runbook-worker.md#linux). +* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues - Linux](troubleshoot/hybrid-runbook-worker.md#linux). |
automation | Automation Manage Send Joblogs Log Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-manage-send-joblogs-log-analytics.md | |
automation | Automation Runbook Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-runbook-types.md | |
automation | Automation Secure Asset Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-secure-asset-encryption.md | description: This article provides concepts for configuring the Automation accou + Last updated 07/27/2021 |
automation | Automation Windows Hrw Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-windows-hrw-install.md | You must update the Log Analytics agent to the latest version by following the b * To learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environment, see [Run runbooks on a Hybrid Runbook Worker](automation-hrw-run-runbooks.md). -* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues](troubleshoot/hybrid-runbook-worker.md#general). +* To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues](troubleshoot/hybrid-runbook-worker.md#general). |
automation | Context Switching | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/context-switching.md | Title: Context switching in Azure Automation description: This article explains context switching and how to avoid runbook issues. + Last updated 09/27/2021 #Customer intent: As a developer, I want to understand Azure context so that I can avoid error when running multiple runbooks. Get-AzureRmResource : Resource group "SomeResourceGroupName" could not be found. - [Azure Automation account authentication overview](automation-security-overview.md) - [Runbook execution in Azure Automation](automation-runbook-execution.md) - [Manage modules in Azure Automation](./shared-resources/modules.md)- |
automation | Delete Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/delete-account.md | |
automation | Dsc Linux Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/dsc-linux-powershell.md | description: This article tells you how to configure a Linux virtual machine to + Last updated 08/31/2021 |
automation | Extension Based Hybrid Runbook Worker Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/extension-based-hybrid-runbook-worker-install.md | Title: Deploy an extension-based Windows or Linux User Hybrid Runbook Worker in description: This article provides information about deploying the extension-based User Hybrid Runbook Worker to run runbooks on Windows or Linux machines in your on-premises datacenter or other cloud environment. + Last updated 02/20/2023 #Customer intent: As a developer, I want to learn about extension so that I can efficiently deploy Hybrid Runbook Workers. Using [VM insights](../azure-monitor/vm/vminsights-overview.md), you can monitor - To learn about Azure VM extensions, see [Azure VM extensions and features for Windows](../virtual-machines/extensions/features-windows.md) and [Azure VM extensions and features for Linux](../virtual-machines/extensions/features-linux.md). - To learn about VM extensions for Arc-enabled servers, see [VM extension management with Azure Arc-enabled servers](../azure-arc/servers/manage-vm-extensions.md).-- To learn about VM extensions for Arc-enabled VMware vSphere VMs, see [Manage VMware VMs in Azure through Arc-enabled VMware vSphere (preview)](../azure-arc/vmware-vsphere/manage-vmware-vms-in-azure.md).+- To learn about VM extensions for Arc-enabled VMware vSphere VMs, see [Manage VMware VMs in Azure through Arc-enabled VMware vSphere (preview)](../azure-arc/vmware-vsphere/manage-vmware-vms-in-azure.md). |
automation | Move Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/how-to/move-account.md | |
automation | Private Link Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/how-to/private-link-security.md | Title: Use Azure Private Link to securely connect networks to Azure Automation description: Use Azure Private Link to securely connect networks to Azure Automation Last updated 12/15/2022-- # Use Azure Private Link to securely connect networks to Azure Automation |
automation | Powershell Runbook Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/learn/powershell-runbook-managed-identity.md | Title: Create PowerShell runbook using managed identity in Azure Automation description: In this tutorial, you learn how to use managed identities with a PowerShell runbook in Azure Automation. + Last updated 11/24/2021 #Customer intent: As a developer, I want PowerShell runbooks to execute code using a manged identity. Remove-AzRoleAssignment ` In this tutorial, you created a [PowerShell runbook](../automation-runbook-types.md#powershell-runbooks) in Azure Automation that used a [managed identity](../automation-security-overview.md#managed-identities), rather than the Run As account to interact with resources. For a look at PowerShell Workflow runbooks, see: > [!div class="nextstepaction"]-> [Tutorial: Create a PowerShell Workflow runbook](automation-tutorial-runbook-textual.md) +> [Tutorial: Create a PowerShell Workflow runbook](automation-tutorial-runbook-textual.md) |
automation | Manage Run As Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/manage-run-as-account.md | Title: Manage an Azure Automation Run As account description: This article tells how to manage your Azure Automation Run As account with PowerShell or from the Azure portal. - Last updated 08/02/2021 - # Manage an Azure Automation Run As account |
automation | Python 3 Packages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/python-3-packages.md | |
automation | Remove User Assigned Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/remove-user-assigned-identity.md | Title: Remove user-assigned managed identity for Azure Automation account description: This article explains how to remove a user-assigned managed identity for an Azure Automation account. + Last updated 10/26/2021 |
automation | Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/shared-resources/credentials.md | |
automation | Hybrid Runbook Worker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/hybrid-runbook-worker.md | description: This article tells how to troubleshoot and resolve issues that aris Last updated 10/18/2021 - # Troubleshoot agent-based Hybrid Runbook Worker issues in Automation If you don't see your problem here or you can't resolve your issue, try one of t * Get answers from Azure experts through [Azure Forums](https://azure.microsoft.com/support/forums/). * Connect with [@AzureSupport](https://twitter.com/azuresupport), the official Microsoft Azure account for improving customer experience. Azure Support connects the Azure community to answers, support, and experts.-* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get Support**. +* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get Support**. |
automation | Enable From Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/update-management/enable-from-template.md | When you no longer need them, delete the **Updates** solution in the Log Analyti * If you no longer want to use Update Management and wish to remove it, see instructions in [Remove Update Management feature](remove-feature.md). -* To delete VMs from Update Management, see [Remove VMs from Update Management](remove-vms.md). +* To delete VMs from Update Management, see [Remove VMs from Update Management](remove-vms.md). |
azure-app-configuration | Concept Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-customer-managed-keys.md | description: Encrypt your configuration data using customer-managed keys Last updated 08/30/2022-+ - # Use customer-managed keys to encrypt your App Configuration data |
azure-app-configuration | Howto Move Resource Between Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-move-resource-between-regions.md | Title: Move an App Configuration store to another region description: Learn how to move an App Configuration store to a different region. + Last updated 8/23/2021- -#Customer intent: I want to move my App Configuration resource from one Azure region to another. -+#Customer intent: I want to move my App Configuration resource from one Azure region to another. # Move an App Configuration store to another region |
azure-app-configuration | Howto Set Up Private Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-set-up-private-access.md | If you have issues with a private endpoint, check the following guide: [Troubles >[Use private endpoints for Azure App Configuration](concept-private-endpoint.md) > [!div class="nextstepaction"]->[Disable public access in Azure App Configuration](howto-disable-public-access.md) +>[Disable public access in Azure App Configuration](howto-disable-public-access.md) |
azure-app-configuration | Quickstart Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-bicep.md | |
azure-app-configuration | Quickstart Resource Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-resource-manager.md | |
azure-arc | Create Data Controller Direct Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/create-data-controller-direct-cli.md | kubectl get datacontrollers --namespace arc [Create an Azure Arc-enabled PostgreSQL server](create-postgresql-server.md) [Create an Azure Arc-enabled SQL Managed Instance](create-sql-managed-instance.md)- |
azure-arc | Create Postgresql Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/create-postgresql-server.md | description: Create an Azure Arc-enabled PostgreSQL server from CLI + |
azure-arc | Preview Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/preview-testing.md | |
azure-arc | Upgrade Data Controller Direct Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/upgrade-data-controller-direct-cli.md | description: Article describes how to upgrade a directly connected Azure Arc dat + |
azure-arc | Upload Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/upload-logs.md | description: Upload logs for Azure Arc-enabled data services to Azure Monitor + |
azure-arc | Upload Metrics And Logs To Azure Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/upload-metrics-and-logs-to-azure-monitor.md | description: Upload resource inventory, usage data, metrics, and logs to Azure + |
azure-arc | Upload Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/upload-metrics.md | description: Upload Azure Arc-enabled data services metrics to Azure Monitor + |
azure-arc | Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/azure-rbac.md | Title: "Azure RBAC for Azure Arc-enabled Kubernetes clusters" Last updated 11/28/2022 + description: "Use Azure RBAC for authorization checks on Azure Arc-enabled Kubernetes clusters." az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --featur ## Next steps - Securely connect to the cluster by using [Cluster Connect](cluster-connect.md).-- Read about the [architecture of Azure RBAC on Arc-enabled Kubernetes](conceptual-azure-rbac.md).+- Read about the [architecture of Azure RBAC on Arc-enabled Kubernetes](conceptual-azure-rbac.md). |
azure-arc | Cluster Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/cluster-connect.md | Title: "Use cluster connect to securely connect to Azure Arc-enabled Kubernetes clusters." Last updated 01/18/2023 + description: "With cluster connect, you can securely connect to Azure Arc-enabled Kubernetes clusters without requiring any inbound port to be enabled on the firewall." |
azure-arc | Conceptual Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/conceptual-extensions.md | Title: "Cluster extensions - Azure Arc-enabled Kubernetes" Previously updated : 01/23/2023 Last updated : 03/08/2023 description: "This article provides a conceptual overview of the Azure Arc-enabled Kubernetes cluster extensions capability." Both the `config-agent` and `extensions-manager` components running in the clust > > Protected configuration settings for an extension instance are stored for up to 48 hours in the Azure Arc-enabled Kubernetes services. As a result, if the cluster remains disconnected during the 48 hours after the extension resource was created on Azure, the extension changes from a `Pending` state to `Failed` state. To prevent this, we recommend bringing clusters online regularly. +> [!IMPORTANT] +> Currently, Azure Arc-enabled Kubernetes cluster extensions aren't supported on ARM64-based clusters. To [install and use cluster extensions](extensions.md), the cluster must have at least one node of operating system and architecture type `linux/amd64`. + ## Extension scope Each extension type defines the scope at which they operate on the cluster. Extension installations on Arc-enabled Kubernetes clusters are either *cluster-scoped* or *namespace-scoped*. |
azure-arc | Conceptual Gitops Flux2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/conceptual-gitops-flux2.md | Title: "GitOps Flux v2 configurations with AKS and Azure Arc-enabled Kubernetes" description: "This article provides a conceptual overview of GitOps in Azure for use in Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters." Last updated 02/07/2023 + # GitOps Flux v2 configurations with AKS and Azure Arc-enabled Kubernetes |
azure-arc | Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/extensions.md | Title: "Azure Arc-enabled Kubernetes cluster extensions" Previously updated : 01/23/2023 Last updated : 03/08/2023 description: "Deploy and manage lifecycle of extensions on Azure Arc-enabled Kubernetes clusters." Before you begin, read the [conceptual overview of Arc-enabled Kubernetes cluste az extension update --name k8s-extension ``` -* An existing Azure Arc-enabled Kubernetes connected cluster. +* An existing Azure Arc-enabled Kubernetes connected cluster, with at least one node of operating system and architecture type `linux/amd64`. * If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md). * [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version. |
azure-arc | Network Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/network-requirements.md | For a complete list of network requirements for Azure Arc features and Azure Arc ## Next steps +- Learn about other [requirements for Arc-enabled Kubernetes](system-requirements.md). - Use our [quickstart](quickstart-connect-cluster.md) to connect your cluster. - Review [frequently asked questions](faq.md) about Arc-enabled Kubernetes. |
azure-arc | Quickstart Connect Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/quickstart-connect-cluster.md | Title: "Quickstart: Connect an existing Kubernetes cluster to Azure Arc" description: In this quickstart, you learn how to connect an Azure Arc-enabled Kubernetes cluster. Previously updated : 03/07/2023 Last updated : 03/08/2023 ms.devlang: azurecli In addition to the prerequisites below, be sure to meet all [network requirement ### [Azure CLI](#tab/azure-cli) * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).- * A basic understanding of [Kubernetes core concepts](../../aks/concepts-clusters-workloads.md).--* An identity (user or service principal) which can be used to [log in to Azure CLI](/cli/azure/authenticate-azure-cli) and connect your cluster to Azure Arc. -- > [!IMPORTANT] - > - > * The identity must have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`). - > * If connecting the cluster to an existing resource group (rather than a new one created by this identity), the identity must have 'Read' permission for that resource group. - > * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) can be used for this identity. This role is useful for at-scale onboarding, as it has only the granular permissions required to connect clusters to Azure Arc, and doesn't have permission to update, delete, or modify any other clusters or other Azure resources. --* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to the latest version. --* Install the latest version of **connectedk8s** Azure CLI extension: +* An [identity (user or service principal)](system-requirements.md#azure-ad-identity-requirements) which can be used to [log in to Azure CLI](/cli/azure/authenticate-azure-cli) and connect your cluster to Azure Arc. +* The latest version of [Azure CLI](/cli/azure/install-azure-cli). +* The latest version of **connectedk8s** Azure CLI extension, installed by running the following command: ```azurecli az extension add --name connectedk8s In addition to the prerequisites below, be sure to meet all [network requirement * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html) >[!NOTE]- > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported. --* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. For a multi-node Kubernetes cluster environment, pods can get scheduled on different nodes. + > The cluster needs to have at least one node of operating system and architecture type `linux/amd64` and/or `linux/arm64`. See [Cluster requirements](system-requirements.md#cluster-requirements) for more about ARM64 scenarios. +* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. * A [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) and context pointing to your cluster.- * Install [Helm 3](https://helm.sh/docs/intro/install). Ensure that the Helm 3 version is < 3.7.0. ### [Azure PowerShell](#tab/azure-powershell) * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).- * A basic understanding of [Kubernetes core concepts](../../aks/concepts-clusters-workloads.md).-+* An [identity (user or service principal)](system-requirements.md#azure-ad-identity-requirements) which can be used to [log in to Azure PowerShell](/powershell/azure/authenticate-azureps) and connect your cluster to Azure Arc. * [Azure PowerShell version 6.6.0 or later](/powershell/azure/install-az-ps)--* Install the **Az.ConnectedKubernetes** PowerShell module: +* The **Az.ConnectedKubernetes** PowerShell module, installed by running the following command: ```azurepowershell-interactive Install-Module -Name Az.ConnectedKubernetes ``` -* An identity (user or service principal) which can be used to [log in to Azure PowerShell](/powershell/azure/authenticate-azureps) and connect your cluster to Azure Arc. -- > [!IMPORTANT] - > - > * The identity must have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`). - > * If connecting the cluster to an existing resource group (rather than a new one created by this identity), the identity must have 'Read' permission for that resource group. - > * The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) is useful for at-scale onboarding as it has the granular permissions required to only connect clusters to Azure Arc. This role doesn't have the permissions to update, delete, or modify any other clusters or other Azure resources. - * An up-and-running Kubernetes cluster. If you don't have one, you can create a cluster using one of these options: * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/) * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes) * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html) >[!NOTE]- > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported. --* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. For a multi-node Kubernetes cluster environment, pods can get scheduled on different nodes. + > The cluster needs to have at least one node of operating system and architecture type `linux/amd64` and/or `linux/arm64`. See [Cluster requirements](system-requirements.md#cluster-requirements) for more about ARM64 scenarios. +* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. * A [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) and context pointing to your cluster.- * Install [Helm 3](https://helm.sh/docs/intro/install). Ensure that the Helm 3 version is < 3.7.0. |
azure-arc | Resource Graph Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/resource-graph-samples.md | Title: Azure Resource Graph sample queries for Azure Arc-enabled Kubernetes description: Sample Azure Resource Graph queries for Azure Arc-enabled Kubernetes showing use of resource types and tables to access Azure Arc-enabled Kubernetes related resources and properties. Last updated 07/07/2022 -+ # Azure Resource Graph sample queries for Azure Arc-enabled Kubernetes |
azure-arc | System Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/system-requirements.md | + + Title: "Azure Arc-enabled Kubernetes system requirements" Last updated : 03/08/2023++description: Learn about the system requirements to connect Kubernetes clusters to Azure Arc. +++# Azure Arc-enabled Kubernetes system requirements ++This article describes the basic requirements for [connecting a Kubernetes cluster to Azure Arc](quickstart-connect-cluster.md), along with system requirement information related to various Arc-enabled Kubernetes scenarios. ++## Cluster requirements ++Azure Arc-enabled Kubernetes works with any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters. This includes clusters running on other public cloud providers (such as GCP or AWS) and clusters running on your on-premises data center (such as VMware vSphere or Azure Stack HCI). ++You must also have a [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) and context pointing to your cluster. ++The cluster must have at least one node with operating system and architecture type `linux/amd64` and/or `linux/arm64`. ++> [!IMPORTANT] +> Many Arc-enabled Kubernetes features and scenarios are supported on ARM64 nodes, such as [cluster connect](cluster-connect.md) and [viewing Kubernetes resources in the Azure portal](kubernetes-resource-view.md). However, if using Azure CLI to enable these scenarios, [Azure CLI must be installed](/cli/azure/install-azure-cli) and run from an AMD64 machine. +> +> Currently, Azure Arc-enabled Kubernetes [cluster extensions](conceptual-extensions.md) aren't supported on ARM64-based clusters. To [install and use cluster extensions](extensions.md), the cluster must have at least one node of operating system and architecture type `linux/amd64`. ++## Compute and memory requirements ++The Arc agents deployed on the cluster require: ++- At least 850 MB of free memory +- Capacity to use approximately 7% of a single CPU ++For a multi-node Kubernetes cluster environment, pods can get scheduled on different nodes. ++## Management tool requirements ++Connecting a cluster to Azure Arc requires [Helm 3](https://helm.sh/docs/intro/install), version 3.7.0 or earlier. ++You'll also need to use either Azure CLI or Azure PowerShell. ++For Azure CLI: ++- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to the latest version. +- Install the latest version of **connectedk8s** Azure CLI extension: ++ ```azurecli + az extension add --name connectedk8s + ``` ++For Azure PowerShell: ++- Install [Azure PowerShell version 6.6.0 or later](/powershell/azure/install-az-ps). +- Install the **Az.ConnectedKubernetes** PowerShell module: ++ ```azurepowershell-interactive + Install-Module -Name Az.ConnectedKubernetes + ``` ++## Azure AD identity requirements ++To connect your cluster to Azure Arc, you must have an Azure AD identity (user or service principal) which can be used to log in to [Azure CLI](/cli/azure/authenticate-azure-cli) or [Azure PowerShell](/powershell/azure/authenticate-azureps) and connect your cluster to Azure Arc. ++This identity must have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`). If connecting the cluster to an existing resource group (rather than a new one created by this identity), the identity must have 'Read' permission for that resource group. ++The [Kubernetes Cluster - Azure Arc Onboarding built-in role](../../role-based-access-control/built-in-roles.md#kubernetes-clusterazure-arc-onboarding) can be used for this identity. This role is useful for at-scale onboarding, as it has only the granular permissions required to connect clusters to Azure Arc, and doesn't have permission to update, delete, or modify any other clusters or other Azure resources. ++## Azure resource provider requirements ++To use Azure Arc-enabled Kubernetes, the following [Azure resource providers](../../azure-resource-manager/management/resource-providers-and-types.md) must be registered in your subscription: ++- **Microsoft.Kubernetes** +- **Microsoft.KubernetesConfiguration** +- **Microsoft.ExtendedLocation** ++You can register the resource providers using the following commands: ++Azure PowerShell: ++```azurepowershell-interactive +Connect-AzAccount +Set-AzContext -SubscriptionId [subscription you want to onboard] +Register-AzResourceProvider -ProviderNamespace Microsoft.Kubernetes +Register-AzResourceProvider -ProviderNamespace Microsoft.KubernetesConfiguration +Register-AzResourceProvider -ProviderNamespace Microsoft.ExtendedLocation +``` ++Azure CLI: ++```azurecli-interactive +az account set --subscription "{Your Subscription Name}" +az provider register --namespace Microsoft.Kubernetes +az provider register --namespace Microsoft.KubernetesConfiguration +az provider register --namespace Microsoft.ExtendedLocation +``` ++You can also register the resource providers in the [Azure portal](../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal). ++## Network requirements ++Be sure that you have connectivity to the [required endpoints for Azure Arc-enabled Kubernetes](network-requirements.md). ++## Next steps ++- Review the [network requirements for using Arc-enabled Kubernetes](system-requirements.md). +- Use our [quickstart](quickstart-connect-cluster.md) to connect your cluster. |
azure-arc | Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/troubleshooting.md | Title: "Troubleshoot common Azure Arc-enabled Kubernetes issues" Last updated 01/23/2023 + description: "Learn how to resolve common issues with Azure Arc-enabled Kubernetes clusters and GitOps." |
azure-arc | Tutorial Akv Secrets Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-akv-secrets-provider.md | Title: Use Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters description: Learn how to set up the Azure Key Vault Provider for Secrets Store CSI Driver interface as an extension on Azure Arc enabled Kubernetes cluster-+ Last updated 03/06/2023 |
azure-arc | Tutorial Arc Enabled Open Service Mesh | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-arc-enabled-open-service-mesh.md | Title: Azure Arc-enabled Open Service Mesh description: Open Service Mesh (OSM) extension on Azure Arc-enabled Kubernetes cluster-+ Last updated 10/12/2022 |
azure-arc | Deploy Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/deploy-cli.md | Title: Azure Arc resource bridge (preview) deployment command overview -description: Learn about the Azure CLI commands which can be used to manage your Azure Arc resource bridge (preview) deployment. +description: Learn about the Azure CLI commands that can be used to manage your Azure Arc resource bridge (preview) deployment. Last updated 02/06/2023 -The `createconfig` command features two modes: interactive and non-interactive. Interactive mode provides helpful prompts that explain the parameter and what to pass. To initiate interactive mode, pass only the three required parameters. Non-interactive mode allows you to pass all the parameters needed to create the configuration files without being prompted, which saves time and is useful for automation scripts. +The `createconfig` command features two modes: interactive and non-interactive. Interactive mode provides helpful prompts that explain the parameter and what to pass. To initiate interactive mode, pass only the three required parameters. Non-interactive mode allows you to pass all the parameters needed to create the configuration files without being prompted, which saves time and is useful for automation scripts. Three configuration files are generated: resource.yaml, appliance.yaml and infra.yaml. These files should be kept and stored in a secure location, as they're required for maintenance of Arc resource bridge. This command also calls the `validate` command to check the configuration files. > [!NOTE] > Azure Stack HCI and Hybrid AKS use different commands to create the Arc resource bridge configuration files. - ## az arcappliance validate -The `validate` command checks the configuration files for a valid schema, cloud and core validations (such as management machine connectivity to required URLs), network settings, and proxy settings. It also performs tests on identity privileges and role assignments, network configuration, loadbalancer configuration and content delivery network connectivity. -+The `validate` command checks the configuration files for a valid schema, cloud and core validations (such as management machine connectivity to required URLs), network settings, and proxy settings. It also performs tests on identity privileges and role assignments, network configuration, load balancer configuration and content delivery network connectivity. ## az arcappliance prepare This command downloads the OS images from Microsoft that are used to deploy the This command takes about 10-30+ minutes to complete, depending on the network speed. Allow the command to complete before continuing with the deployment. - ## az arcappliance deploy -The `deploy` command deploys an on-premises instance of Arc resource bridge as an appliance VM, bootstrapped to be a Kubernetes management cluster. This command gets all necessary pods and agents within the Kubernetes cluster into a running state. Once the appliance VM is up, the kubeconfig file is generated. -+The `deploy` command deploys an on-premises instance of Arc resource bridge as an appliance VM, bootstrapped to be a Kubernetes management cluster. This command gets all necessary pods and agents within the Kubernetes cluster into a running state. Once the appliance VM is up, the kubeconfig file is generated. ## az arcappliance create This command creates Arc resource bridge in Azure as an ARM resource, then establishes the connection between the ARM resource and on-premises appliance VM. -Once the `create` command initiates the connection, it will return in the terminal even though the connection between the ARM resource and on-premises appliance VM is not yet complete. The resource bridge needs about 5 minutes to establish the connection between the ARM resource and the on-premises VM. -+Once the `create` command initiates the connection, it will return in the terminal, even though the connection between the ARM resource and on-premises appliance VM is not yet complete. The resource bridge needs about 5 minutes to establish the connection between the ARM resource and the on-premises VM. ## az arcappliance show The `show` command gets the status of the Arc resource bridge and ARM resource information. It can be used to check the progress of the connection between the ARM resource and on-premises appliance VM. -While the Arc resource bridge is connecting the ARM resource to the on-premises VM, the resource bridge will progress through the stages below: +While the Arc resource bridge is connecting the ARM resource to the on-premises VM, the resource bridge progresses through the following stages: -`ProvisioningState` will be `Creating`, `Created`, `Failed`, `Deleting`, or `Succeeded`. +`ProvisioningState` may be `Creating`, `Created`, `Failed`, `Deleting`, or `Succeeded`. -`Status` will transition between `WaitingForHeartbeat` -> `Validating` -> `Connected` -> `Running`. +`Status` transitions between `WaitingForHeartbeat` -> `Validating` -> `Connected` -> `Running`. Successful Arc resource bridge creation results in `ProvisioningState = Succeeded` and `Status = Running`. - ## az arcappliance delete This command deletes the appliance VM and Azure resources. It doesn't clean up the OS image, which remains in the on-premises cloud gallery. If a deployment fails, run this command to clean up the environment before you attempt to deploy again. - ## Next steps - Explore the full list of [Azure CLI commands and required parameters](/cli/azure/arcappliance) for Arc resource bridge. |
azure-arc | Maintenance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/maintenance.md | + + Title: Azure Arc resource bridge (preview) maintenance operations +description: Learn how to manage Azure Arc resource bridge (preview) so that it remains online and operational. + Last updated : 03/08/2023+++# Azure Arc resource bridge (preview) maintenance operations ++To keep your Azure Arc resource bridge (preview) deployment online and operational, you may need to perform maintenance operations such as updating credentials or monitoring upgrades. ++To maintain the on-premises appliance VM, the [appliance configuration files generated during deployment](deploy-cli.md#az-arcappliance-createconfig) need to be saved in a secure location and made available on the management machine. The management machine used to perform maintenance operations must meet all of [the Arc resource bridge (preview) requirements](system-requirements.md). ++The following sections describe some of the most common maintenance tasks for Arc resource bridge (preview). ++## Update credentials in the Appliance VM ++Arc resource bridge consists of an on-premises appliance VM. The appliance VM [stores credentials](system-requirements.md#user-account-and-credentials) (for example, a user account for VMware vCenter) used to access the control center of the on-premises infrastructure to view and manage on-premises resources. ++The credentials used by Arc resource bridge are the same ones provided during deployment of the bridge. This allows the bridge visibility to on-premises resources for guest management in Azure. ++If the credentials change, the credentials stored in the Arc resource bridge need to be updated with the [`update-infracredentials` command](/cli/azure/arcappliance/update-infracredentials). This command must be run from the management machine, and it requires a [kubeconfig file](system-requirements.md#kubeconfig). ++## Troubleshoot Arc resource bridge ++If you experience problems with the appliance VM, the appliance configuration files may help with troubleshooting. You can include these files when you [open an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). ++You may also want to [collect logs](/cli/azure/arcappliance/logs#az-arcappliance-logs-vmware), which requires you to pass credentials to the on-premises control center: ++- For VMWare vSphere, use the username and password provided to Arc resource bridge at deployment. +- For Azure Stack HCI, use the cloud service IP and HCI login configuration file path. ++## Delete Arc resource bridge ++You may need to delete Arc resource bridge due to deployment failures or when no longer needed. To do so, you'll need the appliance configuration files. The [delete command](deploy-cli.md#az-arcappliance-delete) is the recommended way to delete the bridge. This command deletes the on-premises appliance VM as well as the Azure resource and underlying components across the two environments. ++## Next steps ++- Review the [Azure Arc resource bridge (preview) overview](overview.md) to understand more about requirements and technical details. +- Learn about [system requirements for Azure Arc resource bridge (preview)](system-requirements.md). |
azure-arc | System Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/system-requirements.md | The control plane IP has the following requirements: Arc resource bridge may require a separate user account with the necessary roles to view and manage resources in the on-premises infrastructure (such as Arc-enabled VMware vSphere or Arc-enabled SCVMM). If so, during creation of the configuration files, the `username` and `password` parameters will be required. The account credentials are then stored in a configuration file locally within the appliance VM. -If the user account is set to periodically change passwords, the credentials must be immediately updated on the resource bridge. This user account may also be set with a lockout policy to protect the on-premises infrastructure, in case the credentials aren't updated and the resource bridge makes multiple attempts to use expired credentials to access the on-premises control center. +If the user account is set to periodically change passwords, [the credentials must be immediately updated on the resource bridge](maintenance.md#update-credentials-in-the-appliance-vm). This user account may also be set with a lockout policy to protect the on-premises infrastructure, in case the credentials aren't updated and the resource bridge makes multiple attempts to use expired credentials to access the on-premises control center. For example, with Arc-enabled VMware, Arc resource bridge needs a separate user account for vCenter with the necessary roles. If the [credentials for the user account change](troubleshoot-resource-bridge.md#insufficient-permissions), then the credentials stored in Arc resource bridge must be immediately updated by running `az arcappliance update-infracredentials` from the [management machine](#management-machine-requirements). Otherwise, the appliance will make repeated attempts to use the expired credentials to access vCenter, which will result in a lockout of the account. |
azure-arc | Agent Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/agent-overview.md | Title: Overview of the Azure Connected Machine agent description: This article provides a detailed overview of the Azure Arc-enabled servers agent available, which supports monitoring virtual machines hosted in hybrid environments. Last updated 01/23/2023 - # Overview of Azure Connected Machine agent |
azure-arc | Manage Automatic Vm Extension Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/manage-automatic-vm-extension-upgrade.md | If you continue to have trouble upgrading an extension, you can [disable automat ### Timing of automatic extension upgrades -When a new version of a VM extension is published, it becomes available for installation and manual upgrade on Arc-enabled servers. For servers that already have the extension installed and automatic extension upgrade enabled, it may take up to 5 weeks for every server with that extension to get the automatic upgrade. Upgrades are issued in batches across Azure regions and subscriptions, so you may see the extension get upgraded on some of your servers before others. If you need to upgrade an extension immediately, follow the guidance to manually upgrade extensions using the [Azure portal](manage-vm-extensions-portal.md#upgrade-extensions), [Azure PowerShell](manage-vm-extensions-powershell.md#upgrade-extension) or [Azure CLI](manage-vm-extensions-cli.md#upgrade-extensions). +When a new version of a VM extension is published, it becomes available for installation and manual upgrade on Arc-enabled servers. For servers that already have the extension installed and automatic extension upgrade enabled, it may take 5 - 8 weeks for every server with that extension to get the automatic upgrade. Upgrades are issued in batches across Azure regions and subscriptions, so you may see the extension get upgraded on some of your servers before others. If you need to upgrade an extension immediately, follow the guidance to manually upgrade extensions using the [Azure portal](manage-vm-extensions-portal.md#upgrade-extensions), [Azure PowerShell](manage-vm-extensions-powershell.md#upgrade-extension) or [Azure CLI](manage-vm-extensions-cli.md#upgrade-extensions). ++Extension versions fixing critical security vulnerabilities are rolled out much faster. These automatic upgrades happen using a specialized roll out process which can take 1 - 3 weeks to automatically upgrade every server with that extension. Azure handles identifying which extension version should be rollout quickly to ensure all servers are protected. If you need to upgrade the extension immediately, follow the guidance to manually upgrade extensions using the [Azure portal](manage-vm-extensions-portal.md#upgrade-extensions), [Azure PowerShell](manage-vm-extensions-powershell.md#upgrade-extension) or [Azure CLI](manage-vm-extensions-cli.md#upgrade-extensions). ## Supported extensions |
azure-arc | Manage Vm Extensions Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/manage-vm-extensions-template.md | Title: Enable VM extension using Azure Resource Manager template description: This article describes how to deploy virtual machine extensions to Azure Arc-enabled servers running in hybrid cloud environments using an Azure Resource Manager template. Last updated 06/02/2022 - # Enable Azure VM extensions by using ARM template |
azure-arc | Onboard Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-powershell.md | Title: Connect hybrid machines to Azure by using PowerShell description: In this article, you learn how to install the agent and connect a machine to Azure by using Azure Arc-enabled servers. You can do this with PowerShell. Last updated 07/16/2021 - # Connect hybrid machines to Azure by using PowerShell |
azure-arc | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/overview.md | Azure Arc-enabled System Center Virtual Machine Manager allows you to manage you Arc-enabled System Center VMM allows you to: -- Perform various VM lifecycle operations such as start, stop, pause, delete VMs on VMM managed VMs directly from Azure.+- Perform various VM lifecycle operations such as start, stop, pause, and delete VMs on VMM managed VMs directly from Azure. - Empower developers and application teams to self-serve VM operations on-demand using [Azure role-based access control (RBAC)](../../role-based-access-control/overview.md). - Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, providing you a single pane view for your infrastructure across both environments. - Discover and onboard existing SCVMM managed VMs to Azure. For a complete list of network requirements for Azure Arc features and Azure Arc ## Next steps -[See how to create a Azure Arc VM](create-virtual-machine.md) +[See how to create a Azure Arc VM](create-virtual-machine.md) |
azure-arc | Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/disaster-recovery.md | Title: Perform disaster recovery operations description: Learn how to perform recovery operations for the Azure Arc resource bridge VM in Azure Arc-enabled VMware vSphere disaster scenarios. + Last updated 08/16/2022- # Perform disaster recovery operations If the recovery steps above are unsuccessful in restoring Arc resource bridge to - Get answers from Azure experts through [Microsoft Q&A](/answers/topics/azure-arc.html). - Connect with [@AzureSupport](https://twitter.com/azuresupport), the official Microsoft Azure account for improving customer experience. Azure Support connects the Azure community to answers, support, and experts.-- [Open an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md).+- [Open an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). |
azure-cache-for-redis | Cache Administration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-administration.md | |
azure-cache-for-redis | Cache Best Practices Enterprise Tiers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-best-practices-enterprise-tiers.md | + + Title: Best practices for the Enterprise tiers ++description: Learn about the Azure Cache for Redis Enterprise and Enterprise Flash tiers +++ Last updated : 03/09/2023++++# Best Practices for the Enterprise and Enterprise Flash tiers of Azure Cache for Redis ++## Zone Redundancy ++We strongly recommended that you deploy new caches in a [zone redundant](cache-high-availability.md) configuration. Zone redundancy ensures that Redis Enterprise nodes are spread among three availability zones, boosting redundancy from data center-level outages. Using zone redundancy increases availability. For more information, see [Service Level Agreements (SLA) for Online Services](https://azure.microsoft.com/support/legal/sla/cache/v1_1/). ++Zone redundancy is important on the Enterprise tier because your cache instance always uses at least three nodes. Two nodes are data nodes, which hold your data, and a _quorum node_. Increasing capacity scales the number of data nodes in even-number increments. ++There's also another node called a quorum node. This node monitors the data nodes and automatically selects the new primary node if there was a failover. Zone redundancy ensures that the nodes are distributed evenly across three availability zones, minimizing the potential for quorum loss. Customers aren't charged for the quorum node and there's no other charge for using zone redundancy beyond [intra-zonal bandwidth charges](https://azure.microsoft.com/pricing/details/bandwidth/). ++## Scaling ++In the Enterprise and Enterprise Flash tiers of Azure Cache for Redis, we recommended prioritizing scaling up over scaling out. Prioritize scaling up because the Enterprise tiers are built on Redis Enterprise, which is able to utilize more CPU cores in larger VMs. ++Conversely, the opposite recommendation is true for the Basic, Standard, and Premium tiers, which are built on open-source Redis. In those tiers, prioritizing scaling out over scaling up is recommended in most cases. +++## Sharding and CPU utilization ++In the Basic, Standard, and Premium tiers of Azure Cache for Redis, determining the number of virtual CPUs (vCPUs) utilized is straightforward. Each Redis node runs on a dedicated VM. The Redis server process is single-threaded, utilizing one vCPU on each primary and each replica node. The other vCPUs on the VM are still used for other activities, such as workflow coordination for different tasks, health monitoring, and TLS load, among others. ++When you use clustering, the effect is to spread data across more nodes with one shard per node. By increasing the number of shards, you linearly increase the number of vCPUs you use, based on the number of shards in the cluster. ++Redis Enterprise, on the other hand, can use multiple vCPUs for the Redis instance itself. In other words, all tiers of Azure Cache for Redis can use multiple vCPUs for background and monitoring tasks, but only the Enterprise and Enterprise Flash tiers are able to utilize multiple vCPUs per VM for Redis shards. The table shows the number of effective vCPUs used for each SKU and capacity (that is, scale-out) configuration. ++The tables show the number of vCPUs used for the primary shards, not the replica shards. Shards don't map one-to-one to the number of vCPUs. The tables only illustrate vCPUs, not shards. Some configurations use more shards than available vCPUs to boost performance in some usage scenarios. ++### E10 ++|Capacity|Effective vCPUs| +|:|:| +| 2 | 2 | +| 4 | 6 | +| 6 | 6 | +| 8 | 16 | +| 10 | 20 | +++### E20 +|Capacity|Effective vCPUs| +|:|:| +|2| 2| +|4|6| +|6|6| +|8|16| +|10|20| ++### E50 ++|Capacity|Effective vCPUs| +|:|:| +|2|6| +|4|6| +|6|6| +|8|30 | +|10|30| +++### E100 +|Capacity|Effective vCPUs| +|:|:| +|2| 6| +|4|30| +|6|30| +|8|30| +|10|30| ++### F300 +|Capacity|Effective vCPUs| +|:|:| +|3| 6| +|9|30| ++### F700 +|Capacity|Effective vCPUs| +|:|:| +|3| 30| +|9| 30| ++### F1500 +|Capacity|Effective vCPUs | +|:|:| +|3| 30 | +|9| 90 | +++## Clustering on Enterprise ++Enterprise and Enterprise Flash tiers are inherently clustered, in contrast to the Basic, Standard, and Premium tiers. The implementation depends on the clustering policy that is selected. +The Enterprise tiers offer two choices for Clustering Policy: _OSS_ and _Enterprise_. _OSS_ cluster policy is recommended for most applications because it supports higher maximum throughput, but there are advantages and disadvantages to each version. ++The _OSS clustering policy_ implements the same [Redis Cluster API](https://redis.io/docs/reference/cluster-spec/) as open-source Redis. The Redis Cluster API allows the Redis client to connect directly to each Redis node, minimizing latency and optimizing network throughput. As a result, near-linear scalability is obtained when scaling out the cluster with more nodes. The OSS clustering policy generally provides the best latency and throughput performance, but requires your client library to support Redis Clustering. OSS clustering policy also can't be used with the [RediSearch module](cache-redis-modules.md). ++The _Enterprise clustering policy_ is a simpler configuration that utilizes a single endpoint for all client connections. Using the Enterprise clustering policy routes all requests to a single Redis node that is then used as a proxy, internally routing requests to the correct node in the cluster. The advantage of this approach is that Redis client libraries donΓÇÖt need to support Redis Clustering to take advantage of multiple nodes. The downside is that the single node proxy can be a bottleneck, in either compute utilization or network throughput. The Enterprise clustering policy is the only one that can be used with the [RediSearch module](cache-redis-modules.md). ++## Multi-key commands ++Because the Enterprise tiers use a clustered configuration, you might see `CROSSSLOT` exceptions on commands that operate on multiple keys. Behavior varies depending on the clustering policy used. If you use the OSS clustering policy, multi-key commands require all keys to be mapped to [the same hash slot](https://docs.redis.com/latest/rs/databases/configure/oss-cluster-api/#multi-key-command-support). ++You might also see `CROSSSLOT` errors with Enterprise clustering policy. Only the following multi-key commands are allowed across slots with Enterprise clustering: `DEL`, `MSET`, `MGET`, `EXISTS`, `UNLINK`, and `TOUCH`. For more information, see [Database clustering](https://docs.redis.com/latest/rs/databases/durability-ha/clustering/#multikey-operations). ++## Handling Region Down Scenarios with Active Geo-Replication ++Active geo-replication is a powerful feature to dramatically boost availability when using the Enterprise tiers of Azure Cache for Redis. You should take steps, however, to prepare your caches if there's a regional outage. ++For example, consider these tips: ++- Identify in advance which other cache in the geo-replication group to switch over to if a region goes down. +- Ensure that firewalls are set so that any applications and clients can access the identified backup cache. +- Each cache in the geo-replication group has its own access key. Determine how the application will switch access keys when targeting a backup cache. +- If a cache in the geo-replication group goes down, a buildup of metadata starts to occur in all the caches in the geo-replication group. The metadata can't be discarded until writes can be synced again to all caches. You can prevent the metadata build-up by _force unlinking_ the cache that is down. Consider monitoring the available memory in the cache and unlinking if there's memory pressure, especially for write-heavy workloads. ++It's also possible to use a [circuit breaker pattern](/azure/architecture/patterns/circuit-breaker). Use the pattern to automatically redirect traffic away from a cache experiencing a region outage, and towards a backup cache in the same geo-replication group. Use Azure services such as [Azure Traffic Manager](../traffic-manager/traffic-manager-overview.md) or [Azure Load Balancer](../load-balancer/load-balancer-overview.md) to enable the redirection. ++## Data Persistence vs Data Backup ++The [data persistence](cache-how-to-premium-persistence.md) feature in the Enterprise and Enterprise Flash tiers is designed to automatically provide a quick recovery point for data when a cache goes down. The quick recovery is made possible by storing the RDB or AOF file in a managed disk that is mounted to the cache instance. Persistence files on the disk aren't accessible to users. ++Many customers want to use persistence to take periodic backups of the data on their cache. We don't recommend that you use data persistence in this way. Instead, use the [import/export](cache-how-to-import-export-data.md) feature. You can export copies of cache data in RDB format directly into your chosen storage account and trigger the data export as frequently as you require. Export can be triggered either from the portal or by using the CLI, PowerShell, or SDK tools. ++## Next steps ++- [Development](cache-best-practices-development.md) + |
azure-cache-for-redis | Cache How To Geo Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-geo-replication.md | To configure geo-replication between two caches, the following prerequisites mus - Both caches are in the same Azure subscription. - The secondary linked cache is either the same cache size or a larger cache size than the primary linked cache. To use geo-failover, both caches must be the same size. - Both caches are created and in a running state.+- Both caches are running the same version of Redis server. > [!NOTE] > Data transfer between Azure regions is charged at standard [bandwidth rates](https://azure.microsoft.com/pricing/details/bandwidth/). |
azure-cache-for-redis | Cache How To Premium Persistence | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-premium-persistence.md | Using managed identity adds the cache instance to the [trusted services list](.. No, you can't use Append-only File (AOF) persistence with multiple replicas (more than one replica). +### How do I check if soft delete is enabled on my storage account? ++Select the storage account that your cache is using for persistence. Select **Data Protection** from the Resource menu. In the working pane, check the state of *Enable soft delete for blobs*. + ## Next steps Learn more about Azure Cache for Redis features. |
azure-cache-for-redis | Cache How To Redis Cli Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-redis-cli-tool.md | |
azure-cache-for-redis | Cache Manage Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-manage-cli.md | |
azure-cache-for-redis | Cache Ml | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-ml.md | description: In this article, you deploy a model from Azure Machine Learning as + Last updated 06/09/2021- # Deploy a machine learning model to Azure Functions with Azure Cache for Redis After a few moments, the resource group and all of its resources are deleted. * Learn more about [Azure Cache for Redis](./cache-overview.md) * Learn to configure your function app in the [Functions](../azure-functions/functions-create-function-linux-custom-image.md) documentation. * [API Reference](/python/api/azureml-contrib-functions/azureml.contrib.functions)-* Create a [Python app that uses Azure Cache for Redis](./cache-python-get-started.md) +* Create a [Python app that uses Azure Cache for Redis](./cache-python-get-started.md) |
azure-cache-for-redis | Cache Network Isolation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-network-isolation.md | Azure Private Link provides private connectivity from a virtual network to Azure ### Advantages of Private Link -- Supported on Basic, Standard, and Premium Azure Cache for Redis instances.+- Supported on Basic, Standard, Premium, Enterprise, and Enterprise Flash tiers of Azure Cache for Redis instances. - By using [Azure Private Link](../private-link/private-link-overview.md), you can connect to an Azure Cache instance from your virtual network via a private endpoint. The endpoint is assigned a private IP address in a subnet within the virtual network. With this private link, cache instances are available from both within the VNet and publicly. - Once a private endpoint is created, access to the public network can be restricted through the `publicNetworkAccess` flag. This flag is set to `Disabled` by default, which will only allow private link access. You can set the value to `Enabled` or `Disabled` with a PATCH request. For more information, see [Azure Cache for Redis with Azure Private Link](cache-private-link.md). - All external cache dependencies won't affect the VNet's NSG rules. |
azure-cache-for-redis | Cache Private Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-private-link.md | |
azure-cache-for-redis | Cache Redis Cache Arm Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-redis-cache-arm-provision.md | |
azure-cache-for-redis | Cache Redis Cache Bicep Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-redis-cache-bicep-provision.md | |
azure-cache-for-redis | Cache Web App Arm With Redis Cache Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-web-app-arm-with-redis-cache-provision.md | New-AzResourceGroupDeployment -TemplateUri https://raw.githubusercontent.com/Azu ```azurecli azure group deployment create --template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.web/web-app-with-redis-cache/azuredeploy.json -g ExampleDeployGroup-``` +``` |
azure-cache-for-redis | Cache Web App Bicep With Redis Cache Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-web-app-bicep-with-redis-cache-provision.md | |
azure-functions | Create First Function Cli Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-cli-java.md | description: Learn how to create a Java function from the command line, then pub Last updated 11/03/2020 ms.devlang: java-+ adobe-target: true adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021 adobe-target-experience: Experience B |
azure-functions | Disable Function | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/disable-function.md | Title: How to disable functions in Azure Functions description: Learn how to disable and enable functions in Azure Functions. Last updated 12/01/2022 -+ # How to disable functions in Azure Functions |
azure-functions | Functions Create First Function Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-create-first-function-bicep.md | Now that you've created your function app resources in Azure, you can deploy you * [Visual Studio Code](functions-develop-vs-code.md#republish-project-files) * [Visual Studio](functions-develop-vs.md#publish-to-azure) * [Azure Functions Core Tools](functions-run-local.md#publish)- |
azure-functions | Functions Create First Function Resource Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-create-first-function-resource-manager.md | description: Create and deploy to Azure a simple HTTP triggered serverless funct Last updated 07/19/2022 -+ # Quickstart: Create and deploy Azure Functions resources from an ARM template |
azure-functions | Functions Create First Kotlin Maven | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-create-first-kotlin-maven.md | |
azure-functions | Functions How To Use Azure Function App Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-how-to-use-azure-function-app-settings.md | description: Learn how to configure function app settings in Azure Functions. ms.assetid: 81eb04f8-9a27-45bb-bf24-9ab6c30d205c Last updated 12/13/2022-+ # Manage your function app |
azure-functions | Functions Infrastructure As Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-infrastructure-as-code.md | description: Learn how to build a Bicep file or an Azure Resource Manager templa ms.assetid: d20743e3-aab6-442c-a836-9bcea09bfd32 Last updated 08/30/2022-+ # Automate resource deployment for your function app in Azure Functions |
azure-functions | Functions Machine Learning Tensorflow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-machine-learning-tensorflow.md | |
azure-functions | Functions Premium Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-premium-plan.md | |
azure-functions | Functions Reference Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-java.md | description: Understand how to develop functions with Java. Last updated 09/14/2018 ms.devlang: java-+ # Azure Functions Java developer guide |
azure-functions | Functions Reference Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-powershell.md | description: Understand how to develop functions by using PowerShell. ms.devlang: powershell-+ Last updated 04/22/2019- # Customer intent: As a PowerShell developer, I want to understand Azure Functions so that I can leverage the full power of the platform. |
azure-functions | Machine Learning Pytorch | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/machine-learning-pytorch.md | description: Use a pre-trained ResNet 18 deep neural network from PyTorch with A Last updated 01/05/2023--+ # Tutorial: Deploy a pre-trained image classification model to Azure Functions with PyTorch |
azure-functions | Set Runtime Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/set-runtime-version.md | Title: How to target Azure Functions runtime versions description: Azure Functions supports multiple versions of the runtime. Learn how to specify the runtime version of a function app hosted in Azure. Last updated 10/22/2022- # How to target Azure Functions runtime versions |
azure-government | Documentation Government Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-extension.md | Title: Azure Government virtual machine extensions description: This article provides customer guidance on how to obtain a complete list of virtual machine extensions available in Azure Government. cloud: gov na Last updated 08/31/2021 - # Azure Government virtual machine extensions |
azure-government | Documentation Government Image Gallery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-image-gallery.md | Title: Azure Government Marketplace images description: This article provides an overview of Azure Government Marketplace image gallery cloud: gov na Last updated 08/31/2021 - # Azure Government Marketplace images |
azure-monitor | Azure Monitor Agent Windows Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-windows-client.md | |
azure-monitor | Data Collection Iis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/data-collection-iis.md | To create the data collection rule in the Azure portal: [ ](media/data-collection-iis/iis-data-collection-rule.png#lightbox) -1. Optionally, specify a file pattern to identify the directory where the log files are located. +1. Specify a file pattern to identify the directory where the log files are located. 1. On the **Destination** tab, add one or more destinations for the data source. You can select multiple destinations of the same or different types. For instance, you can select multiple Log Analytics workspaces, which is also known as multihoming. [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-destination.png#lightbox) |
azure-monitor | Diagnostics Extension Windows Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/diagnostics-extension-windows-install.md | |
azure-monitor | Alerts Classic Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-classic-portal.md | description: Learn how to use Azure portal or PowerShell to create, view and man + Last updated 2/23/2022 |
azure-monitor | Alerts Manage Alert Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-manage-alert-rules.md | Manage your alert rules in the Azure portal, or using the CLI or PowerShell. > [!NOTE] > This section describes how to manage alert rules created in the latest UI or using an API version later than `2018-04-16`. See [View and manage log alert rules created in previous versions](alerts-manage-alerts-previous-version.md) for information about how to view and manage log alert rules created in the previous UI. -## Enable recommended alert rules in the Azure portal (preview) +## Enable recommended alert rules in the Azure portal If you don't have alert rules defined for the selected resource, either individually or as part of a resource group or subscription, you can [create a new alert rule](alerts-log.md#create-a-new-log-alert-rule-in-the-azure-portal), or enable recommended out-of-the-box alert rules in the Azure portal. The system compiles a list of recommended alert rules based on: - Telemetry that tells us what customers commonly alert on for this resource. > [!NOTE]-> The alert rule recommendations feature is currently in preview and is only enabled for: +> The alert rule recommendations feature is enabled for: > - Virtual machines > - AKS resources > - Log Analytics workspaces |
azure-monitor | Alerts Manage Alerts Previous Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-manage-alerts-previous-version.md | description: Use the Azure Monitor portal to manage log alert rules created in e Last updated 2/23/2022-+ # Manage alert rules created in previous versions |
azure-monitor | Alerts Metric Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-metric-logs.md | |
azure-monitor | Alerts Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-overview.md | This table provides a brief description of each alert type. For more information |[Smart detection alerts](alerts-types.md#smart-detection-alerts)|Smart detection on an Application Insights resource automatically warns you of potential performance problems and failure anomalies in your web application. You can migrate smart detection on your Application Insights resource to create alert rules for the different smart detection modules.| |[Prometheus alerts (preview)](alerts-types.md#prometheus-alerts-preview)|Prometheus alerts are used for alerting on the performance and health of Kubernetes clusters, including Azure Kubernetes Service (AKS). The alert rules are based on PromQL, which is an open-source query language.| -## Out-of-the-box alert rules (preview) +## Recommended alert rules -If you don't have alert rules defined for the selected resource, you can [enable recommended out-of-the-box alert rules in the Azure portal](alerts-manage-alert-rules.md#enable-recommended-alert-rules-in-the-azure-portal-preview). +If you don't have alert rules defined for the selected resource, you can [enable recommended out-of-the-box alert rules in the Azure portal](alerts-manage-alert-rules.md#enable-recommended-alert-rules-in-the-azure-portal). > [!NOTE] > The alert rule recommendations feature is currently in preview and is only enabled for: |
azure-monitor | Alerts Processing Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-processing-rules.md | Title: Alert processing rules for Azure Monitor alerts description: Understand Azure Monitor alert processing rules and how to configure and manage them. + Last updated 2/23/2022 - # Alert processing rules |
azure-monitor | Alerts Troubleshoot Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-troubleshoot-log.md | Try the following steps to resolve the problem: - Learn about [log alerts in Azure](./alerts-unified-log.md). - Learn more about [configuring log alerts](../logs/log-query-overview.md).-- Learn more about [log queries](../logs/log-query-overview.md).+- Learn more about [log queries](../logs/log-query-overview.md). |
azure-monitor | Itsmc Secure Webhook Connections Servicenow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-secure-webhook-connections-servicenow.md | Ensure that you've met the following prerequisites: 1. Use the link `https://(instance name).service-now.com/api/sn_em_connector/em/inbound_event?source=azuremonitor` to the URI for the Secure Webhook definition. 1. Follow the instructions according to the version:+ * [Tokyo](https://docs.servicenow.com/bundle/tokyo-it-operations-management/page/product/event-management/concept/azure-integration.html) * [Rome](https://docs.servicenow.com/bundle/rome-it-operations-management/page/product/event-management/concept/azure-integration.html) * [Quebec](https://docs.servicenow.com/bundle/quebec-it-operations-management/page/product/event-management/concept/azure-integration.html) * [Paris](https://docs.servicenow.com/bundle/paris-it-operations-management/page/product/event-management/concept/azure-integration.html) |
azure-monitor | Convert Classic Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/convert-classic-resource.md | Title: Migrate an Application Insights classic resource to a workspace-based res description: Learn how to upgrade your Application Insights classic resource to the new workspace-based model. Last updated 02/14/2023- |
azure-monitor | Ip Collection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/ip-collection.md | Title: Application Insights IP address collection | Microsoft Docs description: Understand how Application Insights handles IP addresses and geolocation. Last updated 11/15/2022-+ |
azure-monitor | Autoscale Common Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-common-metrics.md | |
azure-monitor | Autoscale Multiprofile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-multiprofile.md | |
azure-monitor | Change Analysis Track Outages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-track-outages.md | ms.contributor: cawa Last updated 01/11/2023 - # Track a web app outage using Change Analysis The sample application includes a virtual network to make sure the application r ## Next steps -Learn more about [Change Analysis](./change-analysis.md). +Learn more about [Change Analysis](./change-analysis.md). |
azure-monitor | Change Analysis Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-troubleshoot.md | |
azure-monitor | Change Analysis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis.md | |
azure-monitor | Container Insights Agent Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-agent-config.md | ConfigMap is a global list and there can be only one ConfigMap applied to the ag | Key | Data type | Value | Description | |--|--|--|--|-| `[agent_settings.proxy_config] ignore_proxy_settings =` | Boolean | True or false | Set this value to true to ignore proxy settings. On both AKS & Arc K8s enviornments, if your cluster is configured with forward proxy, then proxy settings are automatically applied and used for the agent. For certain configurations, such as, with AMPLS + Proxy, you may with for the proxy config to be ignored. . By default, this setting is set to `false`. | +| `[agent_settings.proxy_config] ignore_proxy_settings =` | Boolean | True or false | Set this value to true to ignore proxy settings. On both AKS & Arc K8s environments, if your cluster is configured with forward proxy, then proxy settings are automatically applied and used for the agent. For certain configurations, such as, with AMPLS + Proxy, you may with for the proxy config to be ignored. . By default, this setting is set to `false`. | ## Configure and deploy ConfigMaps |
azure-monitor | Container Insights Enable Aks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-enable-aks.md | Title: Enable Container insights for Azure Kubernetes Service (AKS) cluster description: Learn how to enable Container insights on an Azure Kubernetes Service (AKS) cluster. Last updated 01/09/2023-+ |
azure-monitor | Container Insights Metric Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-metric-alerts.md | The following sections present information on the alert rules provided by Contai ### Community alert rules -These handpicked alerts come from the Prometheus community. Source code for these mixin alerts can be found in [GitHub](https://aka.ms/azureprometheus-mixins): --- KubeJobNotCompleted-- KubeJobFailed-- KubePodCrashLooping-- KubePodNotReady-- KubeDeploymentReplicasMismatch-- KubeStatefulSetReplicasMismatch-- KubeHpaReplicasMismatch-- KubeHpaMaxedOut-- KubeQuotaAlmostFull-- KubeMemoryQuotaOvercommit-- KubeCPUQuotaOvercommit-- KubeVersionMismatch-- KubeNodeNotReady-- KubeNodeReadinessFlapping-- KubeletTooManyPods-- KubeNodeUnreachable+These handpicked alerts come from the Prometheus community. Source code for these mixin alerts can be found in [GitHub](https://aka.ms/azureprometheus-communityalerts): ++| Alert name | Description | Default threshold | +|:|:|:| +| NodeFilesystemSpaceFillingUp | An extrapolation algorithm predicts that disk space usage for a node on a device in a cluster will run out of space within the upcoming 24 hours. | NA | +| NodeFilesystemSpaceUsageFull85Pct | Disk space usage for a node on a device in a cluster is greater than 85%. | 85% | +| KubePodCrashLooping | Pod is in CrashLoop which means the app dies or is unresponsive and kubernetes tries to restart it automatically. | NA | +| KubePodNotReady | Pod has been in a non-ready state for more than 15 minutes. | NA | +| KubeDeploymentReplicasMismatch | Deployment has not matched the expected number of replicas. | NA | +| KubeStatefulSetReplicasMismatch | StatefulSet has not matched the expected number of replicas. | NA | +| KubeJobNotCompleted | Job is taking more than 1h to complete. | NA | +| KubeJobFailed | Job failed complete. | NA | +| KubeHpaReplicasMismatch | Horizontal Pod Autoscaler has not matched the desired number of replicas for longer than 15 minutes. | NA | +| KubeHpaMaxedOut | Horizontal Pod Autoscaler has been running at max replicas for longer than 15 minutes. | NA | +| KubeCPUQuotaOvercommit | Cluster has overcommitted CPU resource requests for Namespaces and cannot tolerate node failure. | 1.5 | +| KubeMemoryQuotaOvercommit | Cluster has overcommitted memory resource requests for Namespaces. | 1.5 | +| KubeQuotaAlmostFull | Cluster reaches to the allowed limits for given namespace. | Between 0.9 and 1 | +| KubeVersionMismatch | Different semantic versions of Kubernetes components running. | NA | +| KubeNodeNotReady | KubeNodeNotReady alert is fired when a Kubernetes node is not in Ready state for a certain period. | NA | +| KubeNodeUnreachable | Kubernetes node is unreachable and some workloads may be rescheduled. | NA | +| KubeletTooManyPods | The alert fires when a specific node is running >95% of its capacity of pods | 0.95 | +| KubeNodeReadinessFlapping | The readiness status of node has changed few times in the last 15 minutes. | 2 | ### Recommended alert rules |
azure-monitor | Container Insights Optout Openshift V3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-optout-openshift-v3.md | Title: How to stop monitoring your Azure Red Hat OpenShift v3 cluster | Microsof description: This article describes how you can stop monitoring of your Azure Red Hat OpenShift cluster with Container insights. Last updated 05/24/2022- - # How to stop monitoring your Azure Red Hat OpenShift v3 cluster |
azure-monitor | Container Insights Optout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-optout.md | Title: Stop monitoring your Azure Kubernetes Service cluster | Microsoft Docs description: This article describes how you can discontinue monitoring of your Azure AKS cluster with Container insights. Last updated 05/24/2022-+ ms.devlang: azurecli - # Stop monitoring your Azure Kubernetes Service cluster with Container insights |
azure-monitor | Activity Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/activity-log.md | Each event is stored in the PT1H.json file with the following format. This forma ## Legacy collection methods +> [!NOTE] +> * Azure Activity logs solution was used to forward Activity Logs to Azure Log Analytics. This solution is being retired on the 15th of Sept 2026 and will be automatically converted to Diagnostic settings. + If you're collecting activity logs using the legacy collection method, we recommend you [export activity logs to your Log Analytics workspace](#send-to-log-analytics-workspace) and disable the legacy collection using the [Data Sources - Delete API](/rest/api/loganalytics/data-sources/delete?tabs=HTTP) as follows: 1. List all data sources connected to the workspace using the [Data Sources - List By Workspace API](/rest/api/loganalytics/data-sources/list-by-workspace?tabs=HTTP#code-try-0) and filter for activity logs by setting `kind eq 'AzureActivityLog'`. |
azure-monitor | Collect Custom Metrics Guestos Vm Cloud Service Classic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/collect-custom-metrics-guestos-vm-cloud-service-classic.md | |
azure-monitor | Diagnostic Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/diagnostic-settings.md | |
azure-monitor | Prometheus Metrics Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-metrics-enable.md | Deploy the template with the parameter file using any valid method for deploying ## Verify Deployment -Run the following command to verify that the daemon set was deployed properly: +Run the following command to verify that the DaemonSet was deployed properly: ``` kubectl get ds ama-metrics-node --namespace=kube-system ``` -The output should resemble the following: +The number of pods should be equal to the number of nodes on the cluster. The output should resemble the following: ``` User@aksuser:~$ kubectl get ds ama-metrics-node --namespace=kube-system NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SEL ama-metrics-node 1 1 1 1 1 <none> 10h ``` -Run the following command to which verify that the replica set was deployed properly: +Run the following command to which verify that the ReplicaSets were deployed properly: ``` kubectl get rs --namespace=kube-system NAME DESIRED CURRENT READY AGE ama-metrics-5c974985b8 1 1 1 11h ama-metrics-ksm-5fcf8dffcd 1 1 1 11h ```+## Feature Support +- ARM64 and Mariner nodes are supported. +- HTTP Proxy is supported and will use the same settings as the HTTP Proxy settings for the AKS cluster configured with [these instructions](/articles/aks/http-proxy.md). ## Limitations - CPU and Memory requests and limits can't be changed for Container insights metrics addon. If changed, they'll be reconciled and replaced by original values in a few seconds.-- Metrics addon doesn't work on AKS clusters configured with HTTP proxy.+- Azure Monitor Private Link (AMPLS) is not currently supported. +- Only public clouds are currently supported. ## Uninstall metrics addon |
azure-monitor | Prometheus Metrics Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-metrics-troubleshoot.md | +Note that the ReplicaSet pod scrapes metrics from `kube-state-metrics` and custom scrape targets in the `ama-metrics-prometheus-config` configmap. The DaemonSet pods scrape metrics from the following targets on their respective node: `kubelet`, `cAdvisor`, `node-exporter`, and custom scrape targets in the `ama-metrics-prometheus-config-node` configmap. The pod that you will want to view the logs and the Prometheus UI for will depend on which scrape target you are investigating. + ## Pod status Check the pod status with the following command: |
azure-monitor | Prometheus Remote Write Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-remote-write-active-directory.md | This step is only required if you didn't enable Azure Key Vault Provider for Sec ```yml prometheus: prometheusSpec:- cluster: <CLUSTER-NAME> + cluster: <CLUSTER-NAME> + + ## Azure Managed Prometheus currently exports some default mixins in Grafana. + ## These mixins are compatible with data scraped by Azure Monitor agent on your + ## Azure Kubernetes Service cluster. These mixins aren't compatible with Prometheus + ## metrics scraped by the Kube Prometheus stack. + ## To make these mixins compatible, uncomment the remote write relabel configuration below: ++ ## writeRelabelConfigs: + ## - sourceLabels: [metrics_path] + ## regex: /metrics/cadvisor + ## targetLabel: job + ## replacement: cadvisor + ## action: replace + ## - sourceLabels: [job] + ## regex: 'node-exporter' + ## targetLabel: job + ## replacement: node + ## action: replace ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write remoteWrite: |
azure-monitor | Azure Networking Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/insights/azure-networking-analytics.md | |
azure-monitor | Availability Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/availability-zones.md | Azure Monitor currently supports service resilience for availability-zone-enable - East US 2 - West US 2+- North Europe - Canada Central - France Central - Japan East |
azure-monitor | Azure Data Explorer Query Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/azure-data-explorer-query-storage.md | description: Use Azure Data Explorer to query data that was exported from your L Last updated 03/22/2022- # Query exported data from Azure Monitor by using Azure Data Explorer |
azure-monitor | Create Custom Table | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/create-custom-table.md | |
azure-monitor | Logs Dedicated Clusters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/logs-dedicated-clusters.md | You need 'write' permissions to both the workspace and the cluster resource for - In the workspace: *Microsoft.OperationalInsights/workspaces/write* - In the cluster resource: *Microsoft.OperationalInsights/clusters/write* -Other than the billing aspects, configuration of linked workspace remain, including data retention settings. +Other than the billing aspects that is governed by the cluster plan, the linked workspace configuration remain. The workspace and the cluster can be in different subscriptions. It's possible for the workspace and cluster to be in different tenants if Azure Lighthouse is used to map both of them to a single tenant. -Linking a workspace can be performed only after the completion of the Log Analytics cluster provisioning. --> [!WARNING] -> Linking a workspace to a cluster requires syncing multiple backend components and assuring cache hydration. Since this operation may take up to two hours to complete, you should you run it asynchronously. +> [!NOTE] +> Linking a workspace can be performed only after the completion of the Log Analytics cluster provisioning. +> Linking a workspace to a cluster involves syncing multiple backend components and cache hydration, which can take up to two hours. Use the following commands to link a workspace to a cluster: N/A You need to have *write* permissions on the cluster resource. When deleting a cluster, you're losing access to all data in cluster, which was ingested from workspaces that were linked to it. This operation isn't reversible.-The cluster's billing stops when deleted, regardless the 30 days commitment tier. +The cluster's billing stops when deleted, regardless of the 30-days commitment tier in cluster. If you delete your cluster while workspaces are linked, Workspaces get automatically unlinked from the cluster before the cluster delete, and new data sent to workspaces gets ingested to Log Analytics store instead. If the retention of data in workspaces older than the period it was linked to the cluster, you can query workspace for the time range before the link to cluster and after the unlink, and the service performs cross-cluster queries seamlessly. |
azure-monitor | Resource Manager Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/resource-manager-workspace.md | |
azure-monitor | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/overview.md | Use Azure Monitor to monitor these types of resources in Azure, other clouds, or - Security events in combination with Azure Sentinel - Networking events and health in combination with Network Watcher - Custom sources that use the APIs to get data into Azure Monitor+ - Collect your Prometheus metrics with Azure Managed Prometheus and analyze them using PromQL in Azure Managed Grafana. You can also export monitoring data from Azure Monitor into other systems so you can: - Integrate with other third-party and open-source monitoring and visualization tools Azure Monitor collects these types of data: |Data Type |Description | ||| |Application|Data about the performance and functionality of your application code on any platform.|-|Infrastructure|**- Container.** Data about containers, such as Azure Kubernetes, and about the applications running inside containers.<br>**- Operating system.** Data about the guest operating system on which your application is running.| +|Infrastructure|**- Container.** Data about containers, such as [Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/intro-kubernetes), [Prometheus](./essentials/prometheus-metrics-overview.md), and about the applications running inside containers.<br>**- Operating system.** Data about the guest operating system on which your application is running.| |Azure Platform|**- Azure resource**. The operation of an Azure resource.<br>**- Azure subscription.** The operation and management of an Azure subscription, and data about the health and operation of Azure itself.<br>**- Azure tenant.** Data about the operation of tenant-level Azure services, such as Azure Active Directory.<br>**- Azure resource changes.** Data about changes within your Azure resources and how to address and triage incidents and issues. | |Custom Sources|Use the Azure Monitor REST API to send customer metric or log data to Azure Monitor and incorporate monitoring of resources that donΓÇÖt expose monitoring data through other methods.| Azure Monitor collects and routes monitoring data using several mechanisms, depe |[Application SDK](app/app-insights-overview.md)|Add the Application Insights SDK to your application code to receive, store, and explore your monitoring data. The SDK pre-processes telemetry and metrics before sending the data to Azure where it's ingested and processed further before being stored in Azure Monitor Logs.| |[Azure Monitor REST API](logs/logs-ingestion-api-overview.md)|The Logs Ingestion API in Azure Monitor lets you send data to a Log Analytics workspace from any REST API client.| |[Azure Monitor Agents](agents/agents-overview.md)|Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud.|+|[Azure Monitor managed service for Prometheus](./essentials/prometheus-metrics-overview.md)|Azure Monitor managed service for Prometheus lets you to collect and analyze metrics at scale using a Prometheus-compatible monitoring solution, based on the [Prometheus](https://aka.ms/azureprometheus-promio) project from the Cloud Native Compute Foundation. For detailed information about data collection, see [data collection](./best-practices-data-collection.md). Azure Monitor stores data in data stores for each of the pillars of observabilit |Pillar of Observability/<br>Data Store|Description| |||-|[Azure Monitor Metrics](essentials/data-platform-metrics.md)|Metrics are numerical values that describe an aspect of a system at a particular point in time. [Azure Monitor Metrics](./essentials/data-platform-metrics.md) is a time-series database, optimized for analyzing time-stamped data. Azure Monitor collects metrics at regular intervals. Metrics are identified with a timestamp, a name, a value, and one or more defining labels. They can be aggregated using algorithms, compared to other metrics, and analyzed for trends over time. It supports native Azure Monitor metrics and [Prometheus based metrics](essentials/prometheus-metrics-overview.md).| +|[Azure Monitor Metrics](essentials/data-platform-metrics.md)|Metrics are numerical values that describe an aspect of a system at a particular point in time. [Azure Monitor Metrics](./essentials/data-platform-metrics.md) is a time-series database, optimized for analyzing time-stamped data. Azure Monitor collects metrics at regular intervals. Metrics are identified with a timestamp, a name, a value, and one or more defining labels. They can be aggregated using algorithms, compared to other metrics, and analyzed for trends over time. It supports native Azure Monitor metrics and [Prometheus metrics](essentials/prometheus-metrics-overview.md).| |[Azure Monitor Logs](logs/data-platform-logs.md)|Logs are recorded system events. Logs can contain different types of data, be structured or free-form text, and they contain a timestamp. Azure Monitor stores structured and unstructured log data of all types in [Azure Monitor Logs](./logs/data-platform-logs.md). You can route data to [Log Analytics workspaces](./logs/log-analytics-overview.md) for querying and analysis.| |Traces|Distributed traces identify the series of related events that follow a user request through a distributed system. A trace measures the operation and performance of your application across the entire set of components in your system. Traces can be used to determine the behavior of application code and the performance of different transactions. Azure Monitor gets distributed trace data from the Application Insights SDK. The trace data is stored in a separate workspace in Azure Monitor Logs.| |Changes|Changes are a series of events in your application and resources. They're tracked and stored when you use the [Change Analysis](./change/change-analysis.md) service, which uses [Azure Resource Graph](../governance/resource-graph/overview.md) as its store. Change Analysis helps you understand which changes, such as deploying updated code, may have caused issues in your systems.| |
azure-monitor | Profiler Bring Your Own Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-bring-your-own-storage.md | |
azure-monitor | Resource Manager Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/resource-manager-samples.md | |
azure-monitor | Vminsights Configure Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-configure-workspace.md | Title: Configure Log Analytics workspace for VM insights description: Describes how to create and configure the Log Analytics workspace used by VM insights. -+ Last updated 06/22/2022- # Configure Log Analytics workspace for VM insights To remove the *VMInsights*solution, use the same process as [removing any other ## Next steps - See [Onboard agents to VM insights](vminsights-enable-overview.md) to connect agents to VM insights.-- See [Targeting monitoring solutions in Azure Monitor (Preview)](../insights/solution-targeting.md) to limit the amount of data sent from a solution to the workspace.+- See [Targeting monitoring solutions in Azure Monitor (Preview)](../insights/solution-targeting.md) to limit the amount of data sent from a solution to the workspace. |
azure-monitor | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/whats-new.md | Application-Insights|[Enable Azure Monitor OpenTelemetry for .NET, Node.js, Pyth Application-Insights|[Application Monitoring for Azure App Service and Java](app/azure-web-apps-java.md)|We updated and separated out the instructions to manually deploy the latest Application Insights Java version.| Containers|[Enable Container insights for Azure Kubernetes Service (AKS) cluster](containers/container-insights-enable-aks.md)|Added section for enabling private link without managed identity authentication.| Containers|[Syslog collection with Container Insights (preview)](containers/container-insights-syslog.md)|Added use of ARM templates for enabling syslog collection|+Containers|[Enable cost optimization settings (preview)](containers/container-insights-cost-config.md)|New Article: Enable cost optimization settings| Essentials|[Data collection transformations in Azure Monitor](essentials/data-collection-transformations.md)|Added section and sample for using transformations to send to multiple destinations.| Essentials|[Custom metrics in Azure Monitor (preview)](essentials/metrics-custom-overview.md)|Added reference to the limit of 64 KB on the combined length of all custom metrics names| Essentials|[Azure monitoring REST API walkthrough](essentials/rest-api-walkthrough.md)|Refresh REST API walkthrough| |
azure-netapp-files | Azacsnap Preview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-preview.md | Title: Preview features for Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs description: Provides a guide for using the preview features of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files. -- na+ Last updated 12/16/2022 |
azure-netapp-files | Azure Netapp Files Quickstart Set Up Account Create Volumes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md | Use the Azure portal, PowerShell, or the Azure CLI to delete the resource group. > [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md) > [!div class="nextstepaction"]-> [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md) +> [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md) |
azure-netapp-files | Create Active Directory Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-active-directory-connections.md | Title: Create and manage Active Directory connections for Azure NetApp Files | Microsoft Docs description: This article shows you how to create and manage Active Directory connections for Azure NetApp Files. -- na+ Last updated 03/01/2023 |
azure-netapp-files | Cross Region Replication Requirements Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-requirements-considerations.md | This article describes requirements and considerations about [using the volume c * See [resource limits](azure-netapp-files-resource-limits.md) for the maximum number of cross-region replication destination volumes. You can open a support ticket to [request a limit increase](azure-netapp-files-resource-limits.md#request-limit-increase) in the default quota of replication destination volumes (per subscription in a region). * There can be a delay up to five minutes for the interface to reflect a newly added snapshot on the source volume. * Cascading and fan in/out topologies aren't supported.-* Configuring volume replication for source volumes created from snapshot isn't supported at this time. * After you set up cross-region replication, the replication process creates *SnapMirror snapshots* to provide references between the source volume and the destination volume. SnapMirror snapshots are cycled automatically when a new one is created for every incremental transfer. You can't delete SnapMirror snapshots until replication relationship and volume is deleted. * You can't mount a dual-protocol volume until you [authorize replication from the source volume](cross-region-replication-create-peering.md#authorize-replication-from-the-source-volume) and the initial [transfer](cross-region-replication-display-health-status.md#display-replication-status) happens. * You can delete manual snapshots on the source volume of a replication relationship when the replication relationship is active or broken, and also after the replication relationship is deleted. You can't delete manual snapshots for the destination volume until the replication relationship is broken. |
azure-netapp-files | Cross Zone Replication Requirements Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-zone-replication-requirements-considerations.md | This article describes requirements and considerations about [using the volume c * See [resource limits](azure-netapp-files-resource-limits.md) for the maximum number of cross-zone destination volumes. You can open a support ticket to [request a limit increase](azure-netapp-files-resource-limits.md#request-limit-increase) in the default quota of replication destination volumes (per subscription in a region). * There can be a delay up to five minutes for the interface to reflect a newly added snapshot on the source volume. * Cross-zone replication does not support cascading and fan in/out topologies.-* At this time, you can't configure volume replication for source volumes created from snapshot with cross-zone replication. * After you set up cross-zone replication, the replication process creates *SnapMirror snapshots* to provide references between the source volume and the destination volume. SnapMirror snapshots are cycled automatically when a new one is created for every incremental transfer. You cannot delete SnapMirror snapshots until you delete the replication relationship and volume. * You cannot mount a dual-protocol volume until you [authorize replication from the source volume](cross-region-replication-create-peering.md#authorize-replication-from-the-source-volume) and the initial [transfer](cross-region-replication-display-health-status.md#display-replication-status) happens. * You can delete manual snapshots on the source volume of a replication relationship when the replication relationship is active or broken, and also after you've deleted replication relationship. You cannot delete manual snapshots for the destination volume until you break the replication relationship. |
azure-portal | Quickstart Portal Dashboard Azure Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/quickstart-portal-dashboard-azure-cli.md | Title: Create an Azure portal dashboard with Azure CLI description: "Quickstart: Learn how to create a dashboard in the Azure portal using the Azure CLI. A dashboard is a focused and organized view of your cloud resources." -+ Last updated 01/13/2022 |
azure-resource-manager | Bicep Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-cli.md | Title: Bicep CLI commands and overview description: Describes the commands that you can use in the Bicep CLI. These commands include building Azure Resource Manager templates from Bicep. + Last updated 01/10/2023 |
azure-resource-manager | Decompile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/decompile.md | Title: Decompile ARM template JSON to Bicep description: Describes commands for decompiling Azure Resource Manager templates to Bicep files. Last updated 11/11/2022- # Decompiling ARM template JSON to Bicep |
azure-resource-manager | Key Vault Parameter | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/key-vault-parameter.md | description: Shows how to pass a secret from a key vault as a parameter during B + Last updated 06/18/2021 |
azure-resource-manager | Quickstart Create Bicep Use Visual Studio Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code.md | Title: Create Bicep files - Visual Studio Code description: Use Visual Studio Code and the Bicep extension to Bicep files for deploy Azure resources Last updated 11/03/2022 -+ #Customer intent: As a developer new to Azure deployment, I want to learn how to use Visual Studio Code to create and edit Bicep files, so I can use them to deploy Azure resources. |
azure-resource-manager | Quickstart Create Template Specs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/quickstart-create-template-specs.md | Title: Create and deploy a template spec with Bicep description: Learn how to use Bicep to create and deploy a template spec to a resource group in your Azure subscription. Then, use a template spec to deploy Azure resources. Last updated 03/30/2022 --+ # Customer intent: As a developer I want to use Bicep to create and share deployment templates so that other people in my organization can deploy Microsoft Azure resources. |
azure-resource-manager | Template Specs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/template-specs.md | Title: Create & deploy template specs in Bicep description: Describes how to create template specs in Bicep and share them with other users in your organization. -+ Last updated 11/17/2022 |
azure-resource-manager | Create Custom Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/custom-providers/create-custom-provider.md | |
azure-resource-manager | Update Managed Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/update-managed-resources.md | description: Describes how to work on resources in the managed resource group fo + Last updated 10/26/2017 |
azure-resource-manager | Azure Services Resource Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-services-resource-providers.md | Title: Resource providers by Azure services description: Lists all resource provider namespaces for Azure Resource Manager and shows the Azure service for that namespace. Last updated 02/28/2023-+ # Resource providers for Azure services |
azure-resource-manager | Delete Resource Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/delete-resource-group.md | Title: Delete resource group and resources description: Describes how to delete resource groups and resources. It describes how Azure Resource Manager orders the deletion of resources when a deleting a resource group. It describes the response codes and how Resource Manager handles them to determine if the deletion succeeded. Last updated 10/13/2022-+ # Azure Resource Manager resource group and resource deletion |
azure-resource-manager | Deployment Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/deployment-models.md | Title: Resource Manager and classic deployment description: Describes the differences between the Resource Manager deployment model and the classic (or Service Management) deployment model. Last updated 04/12/2021 - # Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources |
azure-resource-manager | Manage Private Link Access Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/manage-private-link-access-commands.md | Title: Manage resource management private links description: Use APIs to manage existing resource management private links + Last updated 06/16/2022 The operation returns: `Status 200 OK`. * To learn more about private links, see [Azure Private Link](../../private-link/index.yml). * To manage your private endpoints, see [Manage Private Endpoints](../../private-link/manage-private-endpoint.md).-* To create a resource management private links, see [Use portal to create private link for managing Azure resources](create-private-link-access-portal.md) or [Use REST API to create private link for managing Azure resources](create-private-link-access-rest.md). +* To create a resource management private links, see [Use portal to create private link for managing Azure resources](create-private-link-access-portal.md) or [Use REST API to create private link for managing Azure resources](create-private-link-access-rest.md). |
azure-resource-manager | Preview Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/preview-features.md | Title: Set up preview features in Azure subscription description: Describes how to list, register, or unregister preview features in your Azure subscription for a resource provider. Last updated 08/10/2022-+ # Customer intent: As an Azure user, I want to use preview features in my subscription so that I can expose a resource provider's preview functionality. |
azure-resource-manager | Request Limits And Throttling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/request-limits-and-throttling.md | Title: Request limits and throttling description: Describes how to use throttling with Azure Resource Manager requests when subscription limits have been reached. Last updated 03/02/2023-+ # Throttling Resource Manager requests |
azure-resource-manager | Resource Graph Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/resource-graph-samples.md | Title: Azure Resource Graph sample queries for Azure Resource Manager description: Sample Azure Resource Graph queries for Azure Resource Manager showing use of resource types and tables to access Azure Resource Manager related resources and properties. Last updated 07/07/2022 -+ # Azure Resource Graph sample queries for Azure Resource Manager |
azure-resource-manager | Deploy To Resource Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deploy-to-resource-group.md | Title: Deploy resources to resource groups description: Describes how to deploy resources in an Azure Resource Manager template. It shows how to target more than one resource group. Last updated 08/05/2022- # Resource group deployments with ARM templates |
azure-resource-manager | Deployment History Deletions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deployment-history-deletions.md | Title: Deployment history deletions description: Describes how Azure Resource Manager automatically deletes deployments from the deployment history. Deployments are deleted when the history is close to exceeding the limit of 800. Last updated 06/04/2021-+ # Automatic deletions from deployment history POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Micro ## Next steps -* To learn about viewing the deployment history, see [View deployment history with Azure Resource Manager](deployment-history.md). +* To learn about viewing the deployment history, see [View deployment history with Azure Resource Manager](deployment-history.md). |
azure-resource-manager | Deployment Script Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deployment-script-template.md | |
azure-resource-manager | Deployment Tutorial Local Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deployment-tutorial-local-template.md | description: Learn how to deploy an Azure Resource Manager template (ARM templat Last updated 02/10/2021 - # Tutorial: Deploy a local ARM template |
azure-resource-manager | Export Template Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/export-template-powershell.md | Title: Export template in Azure PowerShell description: Use Azure PowerShell to export an Azure Resource Manager template from resources in your subscription. + Last updated 09/03/2021 # Use Azure PowerShell to export a template To get templates deployed at other levels, use: - Learn how to export templates with [Azure CLI](export-template-cli.md), [Azure portal](export-template-portal.md), or [REST API](/rest/api/resources/resourcegroups/exporttemplate). - To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](./syntax.md).-- To learn how to develop templates, see the [step-by-step tutorials](../index.yml).+- To learn how to develop templates, see the [step-by-step tutorials](../index.yml). |
azure-resource-manager | Linked Templates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/linked-templates.md | Title: Link templates for deployment description: Describes how to use linked templates in an Azure Resource Manager template (ARM template) to create a modular template solution. Shows how to pass parameters values, specify a parameter file, and dynamically created URLs. Last updated 01/06/2022-+ # Using linked and nested templates when deploying Azure resources |
azure-resource-manager | Outputs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/outputs.md | Title: Outputs in templates description: Describes how to define output values in an Azure Resource Manager template (ARM template). Last updated 09/28/2022- # Outputs in ARM templates |
azure-resource-manager | Parameter Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/parameter-files.md | Title: Create parameter file description: Create parameter file for passing in values during deployment of an Azure Resource Manager template Last updated 11/14/2022- # Create Resource Manager parameter file |
azure-resource-manager | Quickstart Create Templates Use Visual Studio Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/quickstart-create-templates-use-visual-studio-code.md | |
azure-resource-manager | Resource Location | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/resource-location.md | Title: Template resource location description: Describes how to set resource location in an Azure Resource Manager template (ARM template). Last updated 09/04/2019- # Set resource location in ARM template The following example shows a storage account that is deployed to a location spe ## Next steps * For the full list of template functions, see [ARM template functions](template-functions.md).-* For more information about template files, see [Understand the structure and syntax of ARM templates](./syntax.md). +* For more information about template files, see [Understand the structure and syntax of ARM templates](./syntax.md). |
azure-resource-manager | Rollback On Error | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/rollback-on-error.md | Title: Roll back on error to successful deployment description: Specify that a failed deployment should roll back to a successful deployment. Last updated 02/02/2021 -+ # Rollback on error to successful deployment The specified deployment must have succeeded. ## Next steps - To understand complete and incremental modes, see [Azure Resource Manager deployment modes](deployment-modes.md).-- To understand how to define parameters in your template, see [Understand the structure and syntax of Azure Resource Manager templates](./syntax.md).+- To understand how to define parameters in your template, see [Understand the structure and syntax of Azure Resource Manager templates](./syntax.md). |
azure-resource-manager | Scope Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/scope-functions.md | Title: Template functions in scoped deployments description: Describes how template functions are resolved in scoped deployments. The scope can be a tenant, management groups, subscriptions, and resource groups. Last updated 10/22/2020 - # ARM template functions in deployment scopes The output from the preceding example is: * To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](./syntax.md). * For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](common-deployment-errors.md).-* For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](secure-template-with-sas-token.md). +* For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](secure-template-with-sas-token.md). |
azure-resource-manager | Template Cloud Consistency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-cloud-consistency.md | |
azure-resource-manager | Template Expressions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-expressions.md | Title: Template syntax and expressions description: Describes the declarative JSON syntax for Azure Resource Manager templates (ARM templates). Last updated 02/22/2023- # Syntax and expressions in ARM templates To totally remove an element, you can use the [filter() function](./template-fun ## Next steps * For the full list of template functions, see [ARM template functions](template-functions.md).-* For more information about template files, see [Understand the structure and syntax of ARM templates](./syntax.md). +* For more information about template files, see [Understand the structure and syntax of ARM templates](./syntax.md). |
azure-resource-manager | Template Functions Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-functions-resource.md | Title: Template functions - resources description: Describes the functions to use in an Azure Resource Manager template (ARM template) to retrieve values about resources. Last updated 09/09/2022-+ # Resource functions for ARM templates |
azure-resource-manager | Template Specs Create Portal Forms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-specs-create-portal-forms.md | Title: Create portal forms for template spec description: Learn how to create forms that are displayed in the Azure portal forms. Use the form to deploying a template spec + Last updated 11/15/2022 |
azure-resource-manager | Template Specs Deploy Linked Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-specs-deploy-linked-template.md | Title: Deploy a template spec as a linked template description: Learn how to deploy an existing template spec in a linked deployment. Last updated 05/04/2021 -- # Tutorial: Deploy a template spec as a linked template |
azure-resource-manager | Template Tutorial Add Parameters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-add-parameters.md | |
azure-resource-manager | Template Tutorial Create First Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-create-first-template.md | |
azure-resource-manager | Template Tutorial Create Multiple Instances | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-create-multiple-instances.md | |
azure-resource-manager | Template Tutorial Deploy Vm Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-deploy-vm-extensions.md | |
azure-resource-manager | Template Tutorial Deployment Script | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-deployment-script.md | Title: Use template deployment scripts | Microsoft Docs description: Learn how to use deployment scripts in Azure Resource Manager templates (ARM templates). na+ Last updated 09/28/2022 |
azure-resource-manager | Template Tutorial Use Conditions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-use-conditions.md | |
azure-resource-manager | Template Tutorial Use Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-use-key-vault.md | |
azure-resource-manager | Template Tutorial Use Parameter File | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-tutorial-use-parameter-file.md | |
azure-resource-manager | Common Deployment Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/common-deployment-errors.md | description: Troubleshoot common Azure deployment errors for resources that are tags: top-support-issue Last updated 02/21/2023- # Troubleshoot common Azure deployment errors |
azure-resource-manager | Deployment Quota Exceeded | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/deployment-quota-exceeded.md | Title: Deployment quota exceeded description: Describes how to resolve the error of having more than 800 deployments in the resource group history. Last updated 01/03/2023- # Resolve error when deployment count exceeds 800 |
azure-resource-manager | Enable Debug Logging | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/enable-debug-logging.md | description: Describes how to enable debug logging to troubleshoot Azure resourc tags: top-support-issue Last updated 01/03/2023- # Enable debug logging |
azure-resource-manager | Error Not Found | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/error-not-found.md | Title: Resource not found errors description: Describes how to resolve errors when a resource can't be found. The error might occur when you deploy a Bicep file or Azure Resource Manager template, or when doing management tasks. Last updated 01/03/2023- # Resolve errors for resource not found |
azure-resource-manager | Error Policy Requestdisallowedbypolicy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/error-policy-requestdisallowedbypolicy.md | |
azure-resource-manager | Error Resource Quota | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/error-resource-quota.md | Title: Resource quota errors description: Describes how to resolve resource quota errors when deploying resources with an Azure Resource Manager template (ARM template) or Bicep file. Last updated 01/03/2023- # Resolve errors for resource quotas |
azure-resource-manager | Error Sku Not Available | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/error-sku-not-available.md | Title: SKU not available errors description: Describes how to troubleshoot the SKU not available error when deploying resources with an Azure Resource Manager template (ARM template) or Bicep file. Last updated 01/03/2023- # Resolve errors for SKU not available |
azure-resource-manager | Quickstart Troubleshoot Arm Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/quickstart-troubleshoot-arm-deployment.md | Title: Troubleshoot ARM template JSON deployments description: Learn how to troubleshoot Azure Resource Manager template (ARM template) JSON deployments. Last updated 01/03/2023 -+ # Quickstart: Troubleshoot ARM template JSON deployments |
azure-resource-manager | Quickstart Troubleshoot Bicep Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/troubleshooting/quickstart-troubleshoot-bicep-deployment.md | Title: Troubleshoot Bicep file deployments description: Learn how to monitor and troubleshoot Bicep file deployments. Shows activity logs and deployment history. Last updated 01/03/2023 -+ # Quickstart: Troubleshoot Bicep file deployments |
azure-signalr | Howto Private Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/howto-private-endpoints.md | description: Overview of private endpoints for secure access to Azure SignalR Se + Last updated 12/09/2022 |
azure-signalr | Signalr Howto Event Grid Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-howto-event-grid-integration.md | description: A guide to show you how to enable Event Grid events for your Signal + Last updated 07/18/2022 |
azure-signalr | Signalr Howto Move Across Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-howto-move-across-regions.md | |
azure-signalr | Signalr Quickstart Azure Signalr Service Arm Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-quickstart-azure-signalr-service-arm-template.md | |
azure-signalr | Signalr Quickstart Azure Signalr Service Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-quickstart-azure-signalr-service-bicep.md | |
azure-sql-edge | Tutorial Deploy Azure Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql-edge/tutorial-deploy-azure-resources.md | |
azure-vmware | Configure Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-customer-managed-keys.md | Title: Configure customer-managed key encryption at rest in Azure VMware Solution description: Learn how to encrypt data in Azure VMware Solution with customer-managed keys using Azure Key Vault. + Last updated 6/30/2022- # Configure customer-managed key encryption at rest in Azure VMware Solution |
azure-web-pubsub | Howto Move Across Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/howto-move-across-regions.md | |
azure-web-pubsub | Quickstart Bicep Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/quickstart-bicep-template.md | |
azure-web-pubsub | Tutorial Serverless Iot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/tutorial-serverless-iot.md | description: A tutorial to walk through how to use Azure Web PubSub service and + Last updated 06/30/2022 |
azure-web-pubsub | Tutorial Serverless Static Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/tutorial-serverless-static-web-app.md | description: A tutorial about how to use Azure Web PubSub service and Azure Stat + Last updated 06/03/2022 |
backup | Backup Azure Delete Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-delete-vault.md | description: In this article, learn how to remove dependencies and then delete a Last updated 05/23/2022 + |
backup | Backup Azure Linux Database Consistent Enhanced Pre Post | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-linux-database-consistent-enhanced-pre-post.md | Title: Database consistent snapshots using enhanced pre-post script framework description: Learn how Azure Backup allows you to take database consistent snapshots, leveraging Azure VM backup and using packaged pre-post scripts Last updated 09/16/2021 - |
backup | Backup Azure Restore Key Secret | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-restore-key-secret.md | Title: Restore Key Vault key & secret for encrypted VM description: Learn how to restore Key Vault key and secret in Azure Backup using PowerShell Last updated 02/28/2023 - |
backup | Backup Azure Sql Backup Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-sql-backup-cli.md | description: Learn how to use CLI to back up SQL server databases in Azure VMs i Last updated 08/11/2022 + |
backup | Backup Azure Sql Manage Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-sql-manage-cli.md | description: Learn how to use CLI to manage SQL server databases in Azure VMs in Last updated 08/11/2022 + To verify the status of this operation, use the [az backup job show](/cli/azure/ ## Next steps * Learn how to [back up an SQL database running on Azure VM using the Azure portal](backup-sql-server-database-azure-vms.md).-* Learn how to [manage a backed-up SQL database running on Azure VM using the Azure portal](manage-monitor-sql-database-backup.md). +* Learn how to [manage a backed-up SQL database running on Azure VM using the Azure portal](manage-monitor-sql-database-backup.md). |
backup | Backup Blobs Storage Account Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-blobs-storage-account-cli.md | Title: Back up Azure Blobs using Azure CLI description: Learn how to back up Azure Blobs using Azure CLI. + Last updated 08/06/2021 az dataprotection backup-instance create -g testBkpVaultRG --vault-name TestBkpV ## Next steps -[Restore Azure Blobs using Azure CLI](restore-blobs-storage-account-cli.md) +[Restore Azure Blobs using Azure CLI](restore-blobs-storage-account-cli.md) |
backup | Blob Backup Support Matrix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/blob-backup-support-matrix.md | Operational backup of blobs uses blob point-in-time restore, blob versioning, so # [Vaulted backup](#tab/vaulted-backup) -The vaulted backup is currently in preview in the following regions: France Central, Canada Central, Canada East, US East, US South. - - You can back up only block blobs in a *standard general-purpose v2 storage account* using the vaulted backup solution for blobs. - HNS-enabled storage accounts are currently not supported. This includes *ADLS Gen2 accounts*, *accounts using NFS 3.0*, and *SFTP protocols* for blobs. - You can back up storage accounts with *up to 100 containers*. You can also select a subset of containers to back up (up to 100 containers). |
bastion | Connect Native Client Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/connect-native-client-windows.md | After you deploy this feature, there are two different sets of connection instru * Use native clients on *non*-Windows local computers (example: a Linux PC). * Use the native client of your choice. (This includes the Windows native client.)- * Connect using SSH or RDP. + * Connect using SSH or RDP. (Note that bastion tunnel does not relay web servers or hosts.) * Set up concurrent VM sessions with Bastion. * [Upload files](vm-upload-download-native.md#tunnel-command) to your target VM from your local computer. File download from the target VM to the local client is currently not supported for this command. Use the example that corresponds to the type of target VM to which you want to c ## <a name="connect-tunnel"></a>Connect to VM - other native clients -This section helps you connect to your virtual machine from native clients on *non*-Windows local computers (example: a Linux PC) using the **az network bastion tunnel** command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM. +This section helps you connect to your virtual machine from native clients on *non*-Windows local computers (example: a Linux PC) using the **az network bastion tunnel** command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM. Note that bastion tunnel supports RDP/SSH connection but does not relay web servers or hosts. This connection supports file upload from the local computer to the target VM. For more information, see [Upload files](vm-upload-download-native.md). |
cognitive-services | Concept Background Removal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/concept-background-removal.md | It's important to note the limitations of background removal: ## Use the API -The background removal feature is available through the [Image Analysis - Segment](https://aka.ms/vision-4-0-ref) API (`imageanalysis:segment`). You can call this API through REST calls. See the [Background removal how-to guide](./how-to/background-removal.md) for more information. +The background removal feature is available through the [Segment](https://centraluseuap.dev.cognitive.microsoft.com/docs/services/unified-vision-apis-public-preview-2023-02-01-preview/operations/63e6b6d9217d201194bbecbd) API (`imageanalysis:segment`). You can call this API through REST calls. See the [Background removal how-to guide](./how-to/background-removal.md) for more information. ## Next steps |
cognitive-services | Background Removal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/how-to/background-removal.md | Title: Remove the background in images -description: Learn how to call the Image Analysis - Segment API to isolate and remove the background from images. +description: Learn how to call the Segment API to isolate and remove the background from images. This guide assumes you've already [created a Computer Vision resource](https://p ## Submit data to the service -When calling the **Image Analysis - Segment** API, you specify the image's URL by formatting the request body like this: `{"url":"https://learn.microsoft.com/azure/cognitive-services/computer-vision/images/windows-kitchen.jpg"}`. +When calling the **[Segment](https://centraluseuap.dev.cognitive.microsoft.com/docs/services/unified-vision-apis-public-preview-2023-02-01-preview/operations/63e6b6d9217d201194bbecbd )** API, you specify the image's URL by formatting the request body like this: `{"url":"https://docs.microsoft.com/azure/cognitive-services/computer-vision/images/windows-kitchen.jpg"}`. To analyze a local image, you'd put the binary image data in the HTTP request body. |
cognitive-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/whats-new.md | Learn what's new in the service. These items may be release notes, videos, blog ### Computer Vision Image Analysis 4.0 SDK public preview -Image Analysis 4.0 is now available through client library SDKs in C#, C++, and Python. This update also includes the Florence-powered image captioning model that achieved human parity performance. +The [Florence foundation model](https://www.microsoft.com/en-us/research/project/projectflorence/) is now integrated into Azure Computer Vision. The improved Vision Services enable developers to create market-ready, responsible computer vision applications across various industries. Customers can now seamlessly digitize, analyze, and connect their data to natural language interactions, unlocking powerful insights from their image and video content to support accessibility, drive acquisition through SEO, protect users from harmful content, enhance security, and improve incident response times. For more information, see [Announcing Microsoft's Florence foundation model](https://aka.ms/florencemodel). ++### Computer Vision Image Analysis 4.0 SDK (public preview) ++Image Analysis 4.0 is now available through client library SDKs in C#, C++, and Python. This update also includes the Florence-powered image captioning and dense captioning at human parity performance. ### Image Analysis V4.0 Captioning and Dense Captioning (public preview): -"Caption" replaces "Describe" in V4.0 as the significantly improved image captioning feature rich with details and sematic understanding. Dense Captions provides more detail by generating one sentence descriptions of up to 10 regions of the image in addition to describing the whole image. Dense Captions also returns bounding box coordinates of the described image regions. There's also a new gender-neutral parameter to allow customers to choose whether to enable probabilistic gender inference for alt-text and Seeing AI applications. Automatically deliver rich captions, accessible alt-text, SEO optimization, and intelligent photo curation to support digital content. [Image captions](./concept-describe-images-40.md). +"Caption" replaces "Describe" in V4.0 as the significantly improved image captioning feature rich with details and semantic understanding. Dense Captions provides more detail by generating one sentence descriptions of up to 10 regions of the image in addition to describing the whole image. Dense Captions also returns bounding box coordinates of the described image regions. There's also a new gender-neutral parameter to allow customers to choose whether to enable probabilistic gender inference for alt-text and Seeing AI applications. Automatically deliver rich captions, accessible alt-text, SEO optimization, and intelligent photo curation to support digital content. [Image captions](./concept-describe-images-40.md). ### Video summary and frame locator (public preview): Search and interact with video content in the same intuitive way you think and write. Locate relevant content without the need for additional metadata. Available only in [Vision Studio](https://aka.ms/VisionStudio). As part of the Image Analysis 4.0 API, the [Background removal API](./concept-ba ## October 2022 -### Computer Vision Image Analysis 4.0 public preview +### Computer Vision Image Analysis 4.0 (public preview) Image Analysis 4.0 has been released in public preview. The new API includes image captioning, image tagging, object detection, smart crops, people detection, and Read OCR functionality, all available through one Analyze Image operation. The OCR is optimized for general, non-document images in a performance-enhanced synchronous API that makes it easier to embed OCR-powered experiences in your workflows. |
cognitive-services | Batch Transcription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/batch-transcription.md | To get started with batch transcription, refer to the following how-to guides: Batch transcription jobs are scheduled on a best-effort basis. You can't estimate when a job will change into the running state, but it should happen within minutes under normal system load. When the job is in the running state, the transcription occurs faster than the audio runtime playback speed. +>[!NOTE] +> You can also use Batch Transcription in Power Platform applications (Power Automate, Power Apps, Logic Apps) via the [Batch Speech-to-text Connector](https://learn.microsoft.com/connectors/cognitiveservicesspe/) with your own Speech resource. Learn more about [Power Platform](https://learn.microsoft.com/power-platform/) and the [connectors](https://learn.microsoft.com/connectors/). +> ## Next steps - [Locate audio files for batch transcription](batch-transcription-audio-data.md) |
cognitive-services | Voice Assistants | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/voice-assistants.md | Whether you choose [Direct Line Speech](direct-line-speech.md) or [Custom Comman |-|-| |[Custom keyword](./custom-keyword-basics.md) | Users can start conversations with assistants by using a custom keyword such as "Hey Contoso." An app does this with a custom keyword engine in the Speech SDK, which you can configure by going to [Get started with custom keywords](./custom-keyword-basics.md). Voice assistants can use service-side keyword verification to improve the accuracy of the keyword activation (versus using the device alone). |[Speech-to-text](speech-to-text.md) | Voice assistants convert real-time audio into recognized text by using [speech-to-text](speech-to-text.md) from the Speech service. This text is available, as it's transcribed, to both your assistant implementation and your client application.-|[Text-to-speech](text-to-speech.md) | Textual responses from your assistant are synthesized through [text-to-speech](text-to-speech.md) from the Speech service. This synthesis is then made available to your client application as an audio stream. Microsoft offers the ability to build your own custom, high-quality Neural Text to Speech (Neural TTS) voice that gives a voice to your brand. To learn more, [contact us](mailto:mstts@microsoft.com). +|[Text-to-speech](text-to-speech.md) | Textual responses from your assistant are synthesized through [text-to-speech](text-to-speech.md) from the Speech service. This synthesis is then made available to your client application as an audio stream. Microsoft offers the ability to build your own custom, high-quality Neural Text to Speech (Neural TTS) voice that gives a voice to your brand. ## Get started with voice assistants |
cognitive-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/concepts/language-support.md | Use this article to learn about the languages currently supported by different f | Afrikaans | `af` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Albanian | `sq` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Amharic | `am` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | |-| Arabic | `ar` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Arabic | `ar` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Armenian | `hy` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | | Assamese | `as` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Azerbaijani | `az` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | Use this article to learn about the languages currently supported by different f | Catalan | `ca` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | | Central Khmer | `km` | | | | | ✓ | | | | | | | | | | | | | Chinese (Simplified) | `zh-hans` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | ✓ | |-| Chinese (Traditional) | `zh-hant` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Chinese (Traditional) | `zh-hant` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Corsican | `co` | | | | | ✓ | | | | | | | | | | | | | Croatian | `hr` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | |-| Czech | `cs` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | -| Danish | `da` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Czech | `cs` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | +| Danish | `da` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Dari | `prs` | | | | | ✓ | | | | | | | | | | | | | Divehi | `dv` | | | | | ✓ | | | | | | | | | | | |-| Dutch | `nl` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Dutch | `nl` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | English (UK) | `en-gb` | ✓ | ✓ | ✓ | | ✓ | | | | | | | | | | | | | English (US) | `en-us` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | Esperanto | `eo` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Estonian | `et` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | | Fijian | `fj` | | | | | ✓ | | | | | | | | | | | | | Filipino | `tl` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | |-| Finnish | `fi` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Finnish | `fi` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | French | `fr` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | | Galician | `gl` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | | Georgian | `ka` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | Use this article to learn about the languages currently supported by different f | Gujarati | `gu` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | | Haitian | `ht` | | | | | ✓ | | | | | | | | | | | | | Hausa | `ha` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | |-| Hebrew | `he` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | ✓ | | | -| Hindi | `hi` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Hebrew | `he` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | ✓ | | | +| Hindi | `hi` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Hmong Daw | `mww` | | | | | ✓ | | | | | | | | | | | |-| Hungarian | `hu` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Hungarian | `hu` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Icelandic | `is` | | | | | ✓ | | | | | | ✓ | | | | | | | Igbo | `ig` | | | | | ✓ | | | | | | | | | | | | | Indonesian | `id` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | Use this article to learn about the languages currently supported by different f | Marathi | `mr` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Mongolian | `mn` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Nepali | `ne` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | |-| Norwegian (Bokmal) | `nb` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | | | | | | +| Norwegian (Bokmal) | `nb` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | | | | | | | Norwegian | `no` | | | | | ✓ | | | | | | | ✓ | ✓ | | | | | Norwegian Nynorsk | `nn` | | | | | ✓ | | | | | | | | | | | | | Oriya | `or` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Oromo | `om` | | | | | | ✓ | | | | | | ✓ | ✓ | | | | | Pashto | `ps` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Persian (Farsi) | `fa` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | |-| Polish | `pl` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Polish | `pl` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Portuguese (Brazil) | `pt-br` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | | Portuguese (Portugal) | `pt-pt` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | | ✓ | ✓ | | ✓ | | | Punjabi | `pa` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | | Queretaro Otomi | `otq` | | | | | ✓ | | | | | | | | | | | | | Romanian | `ro` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | |-| Russian | `ru` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Russian | `ru` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Samoan | `sm` | | | | | ✓ | | | | | | | | | | | | | Sanskrit | `sa` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Scottish Gaelic | `gd` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | Use this article to learn about the languages currently supported by different f | Spanish | `es` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | ✓ | | | | Sundanese | `su` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | | | Swahili | `sw` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | | ✓ | ✓ | | | |-| Swedish | `sv` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Swedish | `sv` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Tahitian | `ty` | | | | | ✓ | | | | | | | | | | | | | Tajik | `tg` | | | | | ✓ | | | | | | | | | | | | | Tamil | `ta` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | Use this article to learn about the languages currently supported by different f | Tibetan | `bo` | | | | | ✓ | | | | | | | | | | | | | Tigrinya | `ti` | | | | | ✓ | | | | | | | | | | | | | Tongan | `to` | | | | | ✓ | | | | | | | | | | | |-| Turkish | `tr` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | ✓ | ✓ | | | | +| Turkish | `tr` | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | ✓ | | ✓ | ✓ | ✓ | | | | | Turkmen | `tk` | | | | | ✓ | | | | | | | | | | | | | Ukrainian | `uk` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | | Urdu | `ur` | ✓ | ✓ | ✓ | | ✓ | ✓ | | | | | ✓ | ✓ | ✓ | | | | |
cognitive-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/personally-identifiable-information/language-support.md | Use this article to learn which natural languages are supported by the PII and c ## PII language support | Language | Language code | Starting with model version | Notes |-|:-|:-:|:-:|::| -| Chinese-Simplified | `zh-hans` | 2021-01-15 | `zh` also accepted | -| English | `en` | 2020-07-01 | | -| French | `fr` | 2021-01-15 | | -| German | `de` | 2021-01-15 | | -| Italian | `it` | 2021-01-15 | | -| Japanese | `ja` | 2021-01-15 | | -| Korean | `ko` | 2021-01-15 | | -| Portuguese (Brazil) | `pt-BR` | 2021-01-15 | | -| Portuguese (Portugal) | `pt-PT` | 2021-01-15 | `pt` also accepted | -| Spanish | `es` | 2020-04-01 | | +||-|--|| +|Arabic |`ar` | 2023-01-01-preview | | +|Chinese-Simplified |`zh-hans` |2021-01-15 |`zh` also accepted| +|Chinese-Traditional |`zh-hant` | 2023-01-01-preview | | +|Czech |`cs` | 2023-01-01-preview | | +|Danish |`da` |2023-01-01-preview | | +|Dutch |`nl` |2023-01-01-preview | | +|English |`en` |2020-07-01 | | +|Finnish |`fi` | 2023-01-01-preview | | +|French |`fr` |2021-01-15 | | +|German |`de` | 2021-01-15 | | +|Hebrew |`he` | 2023-01-01-preview | | +|Hindi |`hi` |2023-01-01-preview | | +|Hungarian |`hu` | 2023-01-01-preview | | +|Italian |`it` |2021-01-15 | | +|Japanese |`ja` | 2021-01-15 | | +|Korean |`ko` | 2021-01-15 | | +|Norwegian (Bokmål) |`no` | 2023-01-01-preview |`nb` also accepted| +|Polish |`pl` | 2023-01-01-preview | | +|Portuguese (Brazil) |`pt-BR` |2021-01-15 | | +|Portuguese (Portugal)|`pt-PT` | 2021-01-15 |`pt` also accepted| +|Russian |`ru` | 2023-01-01-preview | | +|Spanish |`es` |2020-04-01 | | +|Swedish |`sv` | 2023-01-01-preview | | +|Turkish |`tr` |2023-01-01-preview | | + # [PII for conversations (preview)](#tab/conversations) |
cognitive-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/whats-new.md | +## March 2023 ++* New model version ('2023-01-01-preview') for Personally Identifiable Information (PII) detection with quality updates and new [language support](./personally-identifiable-information/language-support.md) ++* New versions of the text analysis client library are available in preview: ++ ### [C#](#tab/csharp) + + [**Package (NuGet)**](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.3.0-beta.2) + + [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.TextAnalytics_5.3.0-beta.2/sdk/textanalytics/Azure.AI.TextAnalytics/CHANGELOG.md) + + [**ReadMe**](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.TextAnalytics_5.3.0-beta.2/sdk/textanalytics/Azure.AI.TextAnalytics/README.md) + + [**Samples**](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.TextAnalytics_5.3.0-beta.2/sdk/textanalytics/Azure.AI.TextAnalytics/samples/README.md) + + ### [Java](#tab/java) + + [**Package (Maven)**](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.3.0-beta.2) + + [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-jav#530-beta2-2023-03-07) + + [**ReadMe**](https://github.com/Azure/azure-sdk-for-jav) + + [**Samples**](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/textanalytics/azure-ai-textanalytics/src/samples) + + ### [JavaScript](#tab/javascript) ++ [**Package (npm)**](https://www.npmjs.com/package/@azure/ai-language-text/v/1.1.0-beta.2) + + [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/CHANGELOG.md) + + [**ReadMe**](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/cognitivelanguage/ai-language-text) + + [**Samples**](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/cognitivelanguage/ai-language-text/samples/v1-beta) ++ ### [Python](#tab/python) + + [**Package (PyPi)**](https://pypi.org/project/azure-ai-textanalytics/5.3.0b2/) + + [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b2/sdk/textanalytics/azure-ai-textanalytics/CHANGELOG.md) + + [**ReadMe**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b2/sdk/textanalytics/azure-ai-textanalytics/README.md) + + [**Samples**](https://github.com/Azure/azure-sdk-for-python/tree/azure-ai-textanalytics_5.3.0b2/sdk/textanalytics/azure-ai-textanalytics/samples) + + ## February 2023 -* Conversational language understanding and Orchestration workflow is now available in the following regions in the sovereign cloud for China: +* Conversational language understanding and orchestration workflow is now available in the following regions in the sovereign cloud for China: * China East 2 (Authoring and Prediction) * China North 2 (Prediction) * New model evaluation updates for Conversational language understanding and Orchestration workflow. Azure Cognitive Service for Language is updated on an ongoing basis. To stay up- * Conversational PII now supports up to 40,000 characters as document size. * New versions of the text analysis client library are available in preview: - ### [Java](#tab/java) - - [**Package (Maven)**](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.3.0-beta.1) - - [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-jav) - - [**ReadMe**](https://github.com/Azure/azure-sdk-for-jav) - - [**Samples**](https://github.com/Azure/azure-sdk-for-java/tree/azure-ai-textanalytics_5.3.0-beta.1/sdk/textanalytics/azure-ai-textanalytics/src/samples) - - ### [JavaScript](#tab/javascript) -- [**Package (npm)**](https://www.npmjs.com/package/@azure/ai-language-text/v/1.1.0-beta.1) - - [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/CHANGELOG.md) - - [**ReadMe**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/README.md) + * Java + * [**Package (Maven)**](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.3.0-beta.1) + * [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-jav) + * [**ReadMe**](https://github.com/Azure/azure-sdk-for-jav) + * [**Samples**](https://github.com/Azure/azure-sdk-for-java/tree/azure-ai-textanalytics_5.3.0-beta.1/sdk/textanalytics/azure-ai-textanalytics/src/samples) - [**Samples**](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/cognitivelanguage/ai-language-text/samples/v1) + * JavaScript + * [**Package (npm)**](https://www.npmjs.com/package/@azure/ai-language-text/v/1.1.0-beta.1) + * [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/CHANGELOG.md) + * [**ReadMe**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/README.md) + * [**Samples**](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/cognitivelanguage/ai-language-text/samples/v1) - ### [Python](#tab/python) - - [**Package (PyPi)**](https://pypi.org/project/azure-ai-textanalytics/5.3.0b1/) - - [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/CHANGELOG.md) - - [**ReadMe**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/README.md) - - [**Samples**](https://github.com/Azure/azure-sdk-for-python/tree/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/samples) - - + * Python + * [**Package (PyPi)**](https://pypi.org/project/azure-ai-textanalytics/5.3.0b1/) + * [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/CHANGELOG.md) + * [**ReadMe**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/README.md) + * [**Samples**](https://github.com/Azure/azure-sdk-for-python/tree/azure-ai-textanalytics_5.3.0b1/sdk/textanalytics/azure-ai-textanalytics/samples) ## October 2022 |
cognitive-services | Chatgpt Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/chatgpt-quickstart.md | + + Title: 'Quickstart - Using the ChatGPT API' ++description: Walkthrough on how to get started with Azure OpenAI Service ChatGPT API. +++++++ Last updated : 02/07/2023+zone_pivot_groups: openai-quickstart +recommendations: false +++# Quickstart: Get started using ChatGPT with Azure OpenAI Service ++Use this article to get started using Azure OpenAI. +++++++++ |
cognitive-services | Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/concepts/models.md | Azure OpenAI provides access to many different models, grouped by family and cap | Model family | Description | |--|--|-| [GPT-3](#gpt-3-models) | A series of models that can understand and generate natural language. | +| [GPT-3](#gpt-3-models) | A series of models that can understand and generate natural language. This includes the new [ChatGPT model](#chatgpt-gpt-35-turbo). | | [Codex](#codex-models) | A series of models that can understand and generate code, including translating natural language to code. | | [Embeddings](#embeddings-models) | A set of models that can understand and use embeddings. An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Currently, we offer three families of Embeddings models for different functionalities: similarity, text search, and code search. | Ada is usually the fastest model and can perform tasks like parsing text, addres **Use for**: Parsing text, simple classification, address correction, keywords +### ChatGPT (gpt-35-turbo) ++The ChatGPT model (gpt-35-turbo) is a language model designed for conversational interfaces and the model behaves differently than previous GPT-3 models. Previous models were text-in and text-out, meaning they accepted a prompt string and returned a completion to append to the prompt. However, the ChatGPT model is conversation-in and message-out. The model expects a prompt string formatted in a specific chat-like transcript format, and returns a completion that represents a model-written message in the chat. ++The ChatGPT model uses the same completion API that you use for other models like text-davinci-002, but it requires a unique prompt format. It's important to use the new prompt format to get the best results. Without the right prompts, the model tends to be verbose and provides less useful responses. To learn more check out our [in-depth how-to](../how-to/chatgpt.md). + ## Codex models The Codex models are descendants of our base GPT-3 models that can understand and generate code. Their training data contains both natural language and billions of lines of public code from GitHub. When using our embeddings models, keep in mind their limitations and risks. ## Model Summary table and region availability ### GPT-3 Models-| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions | -| | | | | | -| ada | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | -| text-ada-001 | Yes | No | East US<sup>2</sup>, South Central US, West Europe | N/A | -| babbage | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | -| text-babbage-001 | Yes | No | East US<sup>2</sup>, South Central US, West Europe | N/A | -| curie | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | -| text-curie-001 | Yes | No | East US<sup>2</sup>, South Central US, West Europe | N/A | -| davinci<sup>1</sup> | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | -| text-davinci-001 | Yes | No | South Central US, West Europe | N/A | -| text-davinci-002 | Yes | No | East US, South Central US, West Europe | N/A | -| text-davinci-003 | Yes | No | East US | N/A | -| text-davinci-fine-tune-002<sup>1</sup> | Yes | No | N/A | East US, West Europe | ++| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) | +| | -- | - | | - | -- | - | +| ada | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | 2,049 | Oct 2019| +| text-ada-001 | Yes | No | East US<sup>2</sup>, South Central US, West Europe | N/A | 2,049 | Oct 2019| +| babbage | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | 2,049 | Oct 2019 | +| text-babbage-001 | Yes | No | East US<sup>2</sup>, South Central US, West Europe | N/A | 2,049 | Oct 2019 | +| curie | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | 2,049 | Oct 2019 | +| text-curie-001 | Yes | No | East US<sup>2</sup>, South Central US, West Europe | N/A | 2,049 | Oct 2019 | +| davinci<sup>1</sup> | Yes | No | N/A | East US<sup>2</sup>, South Central US, West Europe | 2,049 | Oct 2019| +| text-davinci-001 | Yes | No | South Central US, West Europe | N/A | | | +| text-davinci-002 | Yes | No | East US, South Central US, West Europe | N/A | 4,097 | Jun 2021 | +| text-davinci-003 | Yes | No | East US | N/A | 4,097 | Jun 2021 | +| text-davinci-fine-tune-002<sup>1</sup> | Yes | No | N/A | East US, West Europe | | | +| gpt-35-turbo<sup>3</sup> (ChatGPT) | Yes | No | N/A | East US, South Central US | 4,096 | Sep 2021 <sup>1</sup> The model is available by request only. Currently we aren't accepting new requests to use the model. <br><sup>2</sup> East US is currently unavailable for new customers to fine-tune due to high demand. Please use US South Central region for US based training.+<br><sup>3</sup> Currently, only version `"0301"` of this model is available. This version of the model will be deprecated on 8/1/2023 in favor of newer version of the gpt-35-model. See [ChatGPT model versioning](../how-to/chatgpt.md#model-versioning) for more details. ### Codex Models-| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions | -| | | | | | -| code-cushman-001<sup>1</sup> | Yes | No | South Central US, West Europe | East US<sup>2</sup> , South Central US, West Europe | -| code-davinci-002 | Yes | No | East US, West Europe | N/A | -| code-davinci-fine-tune-002<sup>1</sup> | Yes | No | N/A | East US<sup>2</sup> , West Europe | +| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) | +| | | | | | | | +| code-cushman-001<sup>1</sup> | Yes | No | South Central US, West Europe | East US<sup>2</sup> , South Central US, West Europe | 2,048 | | +| code-davinci-002 | Yes | No | East US, West Europe | N/A | 8,001 | Jun 2021 | +| code-davinci-fine-tune-002<sup>1</sup> | Yes | No | N/A | East US<sup>2</sup> , West Europe | | | <sup>1</sup> The model is available for fine-tuning by request only. Currently we aren't accepting new requests to fine-tune the model. <br><sup>2</sup> East US is currently unavailable for new customers to fine-tune due to high demand. Please use US South Central region for US based training. ### Embeddings Models-| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions | -| | | | | | -| text-ada-embeddings-002 | No | Yes | East US, South Central US, West Europe | N/A | -| text-similarity-ada-001 | No | Yes | East US, South Central US, West Europe | N/A | -| text-similarity-babbage-001 | No | Yes | South Central US, West Europe | N/A | -| text-similarity-curie-001 | No | Yes | East US, South Central US, West Europe | N/A | -| text-similarity-davinci-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-ada-doc-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-ada-query-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-babbage-doc-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-babbage-query-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-curie-doc-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-curie-query-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-davinci-doc-001 | No | Yes | South Central US, West Europe | N/A | -| text-search-davinci-query-001 | No | Yes | South Central US, West Europe | N/A | -| code-search-ada-code-001 | No | Yes | South Central US, West Europe | N/A | -| code-search-ada-text-001 | No | Yes | South Central US, West Europe | N/A | -| code-search-babbage-code-001 | No | Yes | South Central US, West Europe | N/A | -| code-search-babbage-text-001 | No | Yes | South Central US, West Europe | N/A | - +| Model ID | Supports Completions | Supports Embeddings | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) | +| | | | | | | | +| text-ada-embeddings-002 | No | Yes | East US, South Central US, West Europe | N/A | 8,191 | Sep 2021 | +| text-similarity-ada-001 | No | Yes | East US, South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-similarity-babbage-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-similarity-curie-001 | No | Yes | East US, South Central US, West Europe | N/A | 2046 | Aug 2020 | +| text-similarity-davinci-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-ada-doc-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-ada-query-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-babbage-doc-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-babbage-query-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-curie-doc-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-curie-query-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-davinci-doc-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| text-search-davinci-query-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| code-search-ada-code-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| code-search-ada-text-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| code-search-babbage-code-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | +| code-search-babbage-text-001 | No | Yes | South Central US, West Europe | N/A | 2,046 | Aug 2020 | + ## Next steps [Learn more about Azure OpenAI](../overview.md) |
cognitive-services | Understand Embeddings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/concepts/understand-embeddings.md | Azure OpenAI embeddings rely on cosine similarity to compute similarity between ## Next steps -Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md). +Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md). |
cognitive-services | Chatgpt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/how-to/chatgpt.md | + + Title: How to work with the Chat Markup Language (preview) ++description: Learn how to work with Chat Markup Language (preview) ++++ Last updated : 03/09/2023++keywords: ChatGPT +++# Learn how to work with Chat Markup Language (preview) ++The ChatGPT model (`gpt-35-turbo`) is a language model designed for conversational interfaces and the model behaves differently than previous GPT-3 models. Previous models were text-in and text-out, meaning they accepted a prompt string and returned a completion to append to the prompt. However, the ChatGPT model is conversation-in and message-out. The model expects a prompt string formatted in a specific chat-like transcript format, and returns a completion that represents a model-written message in the chat. While the prompt format was designed specifically for multi-turn conversations, you'll find it can also work well for non-chat scenarios too. ++The ChatGPT model can be used with the same [completion API](/azure/cognitive-services/openai/reference#completions) that you use for other models like text-davinci-002, but it requires a unique prompt format known as Chat Markup Language (ChatML). It's important to use the new prompt format to get the best results. Without the right prompts, the model tends to be verbose and provides less useful responses. ++## Working with the ChatGPT model ++The following code snippet shows the most basic way to use the ChatGPT model. We also have a UI driven experience that you can learn about in the [ChatGPT Quickstart](../chatgpt-quickstart.md). ++```python +import os +import openai +openai.api_type = "azure" +openai.api_base = "https://{your-resource-name}.openai.azure.com/" +openai.api_version = "2022-12-01" +openai.api_key = os.getenv("OPENAI_API_KEY") ++response = openai.Completion.create( + engine="gpt-35-turbo", + prompt="<|im_start|>system\nAssistant is a large language model trained by OpenAI.\n<|im_end|>\n<|im_start|>user\nWhat's the difference between garbanzo beans and chickpeas?\n<|im_end|>\n<|im_start|>assistant\n", + temperature=0, + max_tokens=500, + top_p=0.5, + stop=["<|im_end|>"]) ++print(response['choices'][0]['text']) +``` +> [!NOTE] +> The following parameters aren't available with the gpt-35-turbo model: `logprobs`, `best_of`, and `echo`. If you set any of these parameters, you'll get an error. ++The `<|im_end|>` token indicates the end of a message. We recommend including `<|im_end|>` token as a stop sequence to ensure that the model stops generating text when it reaches the end of the message. You can read more about the special tokens in the [Chat Markup Language (ChatML)](#chatml) section. ++Consider setting `max_tokens` to a slightly higher value than normal such as 300 or 500. This ensures that the model doesn't stop generating text before it reaches the end of the message. ++## Model versioning ++> [!NOTE] +> `gpt-35-turbo` is equivalent to the `gpt-3.5-turbo` model from OpenAI. ++Unlike previous GPT-3 and GPT-3.5 models, the `gpt-35-turbo` model will continue to be updated. When creating a [deployment](./create-resource.md#deploy-a-model) of `gpt-35-turbo`, you'll also need to specify a model version. ++Currently, only version `"0301"` is available. This is equivalent to the `gpt-3.5-turbo-0301` model from OpenAI. We'll continue to make updated versions available in the future. You can find model deprecation times on our [models](../concepts/models.md) page. ++One thing that's important to note is that Chat Markup Language (ChatML) will continue to evolve with the new versions of the model. You may need to make updates to your prompts when you upgrade to a new version of the model. ++<a id="chatml"></a> ++## Working with Chat Markup Language (ChatML) ++> [!NOTE] +> OpenAI continues to improve the `gpt-35-turbo` model and the Chat Markup Language used with the model will continue to evolve in the future. We'll keep this document updated with the latest information. ++OpenAI trained the gpt-35-turbo model on special tokens that delineate the different parts of the prompt. The prompt starts with a system message that is used to prime the model followed by a series of messages between the user and the assistant. ++The format of a basic ChatML prompt is as follows: ++``` +<|im_start|>system +Provide some context and/or instructions to the model. +<|im_end|> +<|im_start|>user +The userΓÇÖs message goes here +<|im_end|> +<|im_start|>assistant +``` ++### System message ++The system message is included at the beginning of the prompt between the `<|im_start|>system` and `<|im_end|>` tokens. This message provides the initial instructions to the model. You can provide various information in the system message including: ++* A brief description of the assistant +* Personality traits of the assistant +* Instructions or rules you would like the instructions to follow +* Data or information needed for the model, such as relevant questions from an FAQ ++You can customize the system message for your use case or just include a basic system message. The system message is optional, but it's recommended to at least include a basic one to get the best results. ++### Messages ++After the system message, you can include a series of messages between the **user** and the **assistant**. Each message should begin with the `<|im_start|>` token followed by the role (`user` or `assistant`) and end with the `<|im_end|>` token. ++``` +<|im_start|>user +What is thermodynamics? +<|im_end|> +``` ++To trigger a response from the model, the prompt should end with `<|im_start|>assistant` token indicating that it's the assistant's turn to respond. You can also include messages between the user and the assistant in the prompt as a way to do few shot learning. ++### Prompt examples ++The following section shows examples of different styles of prompts that you could use with the ChatGPT model. These examples are just a starting point, and you can experiment with different prompts to customize the behavior for your own use cases. ++#### Basic example ++If you want the ChatGPT model to behave similarly to [chat.openai.com](https://chat.openai.com/), you can use a basic system message like "Assistant is a large language model trained by OpenAI." ++``` +<|im_start|>system +Assistant is a large language model trained by OpenAI. +<|im_end|> +<|im_start|>user +What's the difference between garbanzo beans and chickpeas? +<|im_end|> +<|im_start|>assistant +``` ++#### Example with instructions ++For some scenarios, you may want to give additional instructions to the model to define guardrails for what the model is able to do. ++``` +<|im_start|>system +Assistant is an intelligent chatbot designed to help users answer their tax related questions. ++Instructions: +- Only answer questions related to taxes. +- If you're unsure of an answer, you can say "I don't know" or "I'm not sure" and recommend users go to the IRS website for more information. +<|im_end|> +<|im_start|>user +When are my taxes due? +<|im_end|> +<|im_start|>assistant +``` ++#### Using data for grounding ++You can also include relevant data or information in the system message to give the model extra context for the conversation. If you only need to include a small amount of information, you can hard code it in the system message. If you have a large amount of data that the model should be aware of, you can use [embeddings](/azure/cognitive-services/openai/tutorials/embeddings?tabs=command-line) or a product like [Azure Cognitive Search](https://azure.microsoft.com/services/search/) to retrieve the most relevant information at query time. ++``` +<|im_start|>system +Assistant is an intelligent chatbot designed to help users answer technical questions about Azure OpenAI Serivce. Only answer questions using the context below and if you're not sure of an answer, you can say "I don't know". ++Context: +- Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-3, Codex and Embeddings model series. +- Azure OpenAI Service gives customers advanced language AI with OpenAI GPT-3, Codex, and DALL-E models with the security and enterprise promise of Azure. Azure OpenAI co-develops the APIs with OpenAI, ensuring compatibility and a smooth transition from one to the other. +- At Microsoft, we're committed to the advancement of AI driven by principles that put people first. Microsoft has made significant investments to help guard against abuse and unintended harm, which includes requiring applicants to show well-defined use cases, incorporating MicrosoftΓÇÖs principles for responsible AI use +<|im_end|> +<|im_start|>user +What is Azure OpenAI Service? +<|im_end|> +<|im_start|>assistant +``` ++#### Few shot learning with ChatML ++You can also give few shot examples to the model. The approach for few shot learning has changed slightly because of the new prompt format. You can now include a series of messages between the user and the assistant in the prompt as few shot examples. These examples can be used to seed answers to common questions to prime the model or teach particular behaviors to the model. ++This is only one example of how you can use few shot learning with ChatGPT. You can experiment with different approaches to see what works best for your use case. ++``` +<|im_start|>system +Assistant is an intelligent chatbot designed to help users answer their tax related questions. +<|im_end|> +<|im_start|>user +When do I need to file my taxes by? +<|im_end|> +<|im_start|>assistant +In 2023, you will need to file your taxes by April 18th. The date falls after the usual April 15th deadline because April 15th falls on a Saturday in 2023. For more details, see https://www.irs.gov/filing/individuals/when-to-file +<|im_end|> +<|im_start|>user +How can I check the status of my tax refund? +<|im_end|> +<|im_start|>assistant +You can check the status of your tax refund by visiting https://www.irs.gov/refunds +<|im_end|> +``` ++#### Using Chat Markup Language for non-chat scenarios ++ChatML is designed to make multi-turn conversations easier to manage, but it also works well for non-chat scenarios. ++For example, for an entity extraction scenario, you might use the following prompt: ++``` +<|im_start|>system +You are an assistant designed to extract entities from text. Users will paste in a string of text and you will respond with entities you've extracted from the text as a JSON object. Here's an example of your output format: +{ + "name": "", + "company": "", + "phone_number": "" +} +<|im_end|> +<|im_start|>user +Hello. My name is Robert Smith. IΓÇÖm calling from Contoso Insurance, Delaware. My colleague mentioned that you are interested in learning about our comprehensive benefits policy. Could you give me a call back at (555) 346-9322 when you get a chance so we can go over the benefits? +<|im_end|> +<|im_start|>assistant +``` +++## Preventing unsafe user inputs ++It's important to add mitigations into your application to ensure safe use of the Chat Markup Language. ++We recommend that you prevent end-users from being able to include special tokens in their input such as `<|im_start|>` and `<|im_end|>`. We also recommend that you include additional validation to ensure the prompts you're sending to the model are well formed and follow the Chat Markup Language format as described in this document. ++You can also provide instructions in the system message to guide the model on how to respond to certain types of user inputs. For example, you can instruct the model to only reply to messages about a certain subject. You can also reinforce this behavior with few shot examples. +++## Managing conversations with ChatGPT ++The token limit for `gpt-35-turbo` is 4096 tokens. This limit includes the token count from both the prompt and completion. The number of tokens in the prompt combined with the value of the `max_tokens` parameter must stay under 4096 or you'll receive an error. ++ItΓÇÖs your responsibility to ensure the prompt and completion falls within the token limit. This means that for longer conversations, you need to keep track of the token count and only send the model a prompt that falls within the token limit. ++The following code sample shows a simple example of how you could keep track of the separate messages in the conversation. ++```python +import os +import openai +openai.api_type = "azure" +openai.api_base = "https://{your-resource-name}.openai.azure.com/" +openai.api_version = "2022-12-01" +openai.api_key = os.getenv('api_key') ++# defining a function to create the prompt from the system message and the conversation messages +def create_prompt(system_message, messages): + prompt = system_message + for message in messages: + prompt += f"\n<|im_start|>{message['sender']}\n{message['text']}\n<|im_end|>" + prompt += "\n<|im_start|>assistant\n" + return prompt ++# defining the user input and the system message +user_input = "<your user input>" +system_message = f"<|im_start|>system\n{'<your system message>'}\n<|im_end|>" ++# creating a list of messages to track the conversation +messages = [{"sender": "user", "text": user_input}] ++response = openai.Completion.create( + engine="gpt-35-turbo", + prompt=create_prompt(system_message, messages), + temperature=0.5, + max_tokens=250, + top_p=0.9, + frequency_penalty=0, + presence_penalty=0, + stop=['<|im_end|>'] +) ++messages.append({"sender": "assistant", "text": response['choices'][0]['text']}) +print(response['choices'][0]['text']) +``` ++## Staying under the token limit ++The simplest approach to staying under the token limit is to truncate the oldest messages in the conversation when you reach the token limit. ++You can choose to always include as many tokens as possible while staying under the limit or you could always include a set number of previous messages assuming those messages stay within the limit. It's important to keep in mind that longer prompts take longer to generate a response and incur a higher cost than shorter prompts. ++You can estimate the number of tokens in a string by using the [tiktoken](https://github.com/openai/tiktoken) Python library as shown below. ++```python +import tiktoken ++cl100k_base = tiktoken.get_encoding("cl100k_base") ++enc = tiktoken.Encoding( + name="gpt-35-turbo", + pat_str=cl100k_base._pat_str, + mergeable_ranks=cl100k_base._mergeable_ranks, + special_tokens={ + **cl100k_base._special_tokens, + "<|im_start|>": 100264, + "<|im_end|>": 100265 + } +) ++tokens = enc.encode( + "<|im_start|>user\nHello<|im_end|><|im_start|>assistant", + allowed_special={"<|im_start|>", "<|im_end|>"} +) ++assert len(tokens) == 7 +assert tokens == [100264, 882, 198, 9906, 100265, 100264, 78191] +``` ++## Next steps ++* [Learn more about Azure OpenAI](../overview.md). +* Get started with the ChatGPT model with [the ChatGPT quickstart](../chatgpt-quickstart.md). +* For more examples check out the [Azure OpenAI Samples GitHub repository](https://github.com/Azure/openai-samples) |
cognitive-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/overview.md | Azure OpenAI Service provides REST API access to OpenAI's powerful language mode | Feature | Azure OpenAI | | | |+| Models available | GPT-3 base series <br>**New ChatGPT (gpt-35-turbo)**<br> Codex series <br> Embeddings series <br> Learn more in our [Models](./concepts/models.md) page.| +| Fine-tuning | Ada <br> Babbage <br> Curie <br> Cushman* <br> Davinci* <br> \* Currently unavailable.| | Models available | GPT-3 base series <br> Codex series <br> Embeddings series <br> Learn more in our [Models](./concepts/models.md) page.| | Fine-tuning | Ada <br> Babbage <br> Curie <br> Cushman* <br> Davinci* <br> \* Currently unavailable. \*\*East US Fine-tuning is currently unavailable to new customers. Please use US South Central for US based training| | Price | [Available here](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) | |
cognitive-services | Quotas Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/quotas-limits.md | The following sections provide you with a quick guide to the quotas and limits t | Limit Name | Limit Value | |--|--| | OpenAI resources per region | 2 | -| Requests per minute per model* | Davinci-models (002 and later): 120 <br> All other models: 300 | -| Tokens per minute per model* | Davinci-models (002 and later): 40,000 <br> All other models: 120,000 | +| Requests per minute per model* | Davinci-models (002 and later): 120 <br> ChatGPT model: 300 <br> All other models: 300| +| Tokens per minute per model* | Davinci-models (002 and later): 40,000 <br> ChatGPT model: 120,000 <br> All other models: 120,000 | | Max fine-tuned model deployments* | 2 | | Ability to deploy same model to multiple deployments | Not allowed | | Total number of training jobs per resource | 100 | The following sections provide you with a quick guide to the quotas and limits t *The limits are subject to change. We anticipate that you will need higher limits as you move toward production and your solution scales. When you know your solution requirements, please reach out to us by applying for a quota increase here: <https://aka.ms/oai/quotaincrease> +For information on max tokens for different models, consult the [models article](./concepts/models.md#model-summary-table-and-region-availability) + ### General best practices to mitigate throttling during autoscaling To minimize issues related to throttling, it's a good idea to use the following techniques: |
cognitive-services | Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/reference.md | POST https://{your-resource-name}.openai.azure.com/openai/deployments/{deploymen | ```top_p``` | number | Optional | 1 | An alternative to sampling with temperature, called nucleus sampling, where the model considers the results of the tokens with top_p probability mass. So 0.1 means only the tokens comprising the top 10% probability mass are considered. We generally recommend altering this or temperature but not both. | | ```n``` | integer | Optional | 1 | How many completions to generate for each prompt. Note: Because this parameter generates many completions, it can quickly consume your token quota. Use carefully and ensure that you have reasonable settings for max_tokens and stop. | | ```stream``` | boolean | Optional | False | Whether to stream back partial progress. If set, tokens will be sent as data-only server-sent events as they become available, with the stream terminated by a data: [DONE] message.| -| ```logprobs``` | integer | Optional | null | Include the log probabilities on the logprobs most likely tokens, as well the chosen tokens. For example, if logprobs is 10, the API will return a list of the 10 most likely tokens. the API will always return the logprob of the sampled token, so there may be up to logprobs+1 elements in the response. | -| ```echo``` | boolean | Optional | False | Echo back the prompt in addition to the completion | +| ```logprobs``` | integer | Optional | null | Include the log probabilities on the logprobs most likely tokens, as well the chosen tokens. For example, if logprobs is 10, the API will return a list of the 10 most likely tokens. the API will always return the logprob of the sampled token, so there may be up to logprobs+1 elements in the response. This parameter cannot be used with `gpt-35-turbo`. | +| ```echo``` | boolean | Optional | False | Echo back the prompt in addition to the completion. This parameter cannot be used with `gpt-35-turbo`. | | ```stop``` | string or array | Optional | null | Up to four sequences where the API will stop generating further tokens. The returned text won't contain the stop sequence. | | ```presence_penalty``` | number | Optional | 0 | Number between -2.0 and 2.0. Positive values penalize new tokens based on whether they appear in the text so far, increasing the model's likelihood to talk about new topics. | | ```frequency_penalty``` | number | Optional | 0 | Number between -2.0 and 2.0. Positive values penalize new tokens based on their existing frequency in the text so far, decreasing the model's likelihood to repeat the same line verbatim. |-| ```best_of``` | integer | Optional | 1 | Generates best_of completions server-side and returns the "best" (the one with the lowest log probability per token). Results can't be streamed. When used with n, best_of controls the number of candidate completions and n specifies how many to return ΓÇô best_of must be greater than n. Note: Because this parameter generates many completions, it can quickly consume your token quota. Use carefully and ensure that you have reasonable settings for max_tokens and stop. | +| ```best_of``` | integer | Optional | 1 | Generates best_of completions server-side and returns the "best" (the one with the lowest log probability per token). Results can't be streamed. When used with n, best_of controls the number of candidate completions and n specifies how many to return ΓÇô best_of must be greater than n. Note: Because this parameter generates many completions, it can quickly consume your token quota. Use carefully and ensure that you have reasonable settings for max_tokens and stop. This parameter cannot be used with `gpt-35-turbo`. | | ```logit_bias``` | map | Optional | null | Modify the likelihood of specified tokens appearing in the completion. Accepts a json object that maps tokens (specified by their token ID in the GPT tokenizer) to an associated bias value from -100 to 100. You can use this tokenizer tool (which works for both GPT-2 and GPT-3) to convert text to token IDs. Mathematically, the bias is added to the logits generated by the model prior to sampling. The exact effect will vary per model, but values between -1 and 1 should decrease or increase likelihood of selection; values like -100 or 100 should result in a ban or exclusive selection of the relevant token. As an example, you can pass {"50256": -100} to prevent the <\|endoftext\|> token from being generated. | #### Example request |
cognitive-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/whats-new.md | +## March 2023 ++- **ChatGPT (gpt-35-turbo) public preview**. To learn more checkout the new [quickstart](./quickstart.md), and [how-to articles](./how-to/chatgpt.md). ++- Adding additional use cases to your existing access.  Previously, the process for adding new use cases required customers to reapply to the service. Now, we're releasing a new process that allows you to quickly add new use cases to your use of the service. This process follows the established Limited Access process within Azure Cognitive Services. [Existing customers can attest to any and all new use cases here](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUM003VEJPRjRSOTZBRVZBV1E5N1lWMk1XUyQlQCN0PWcu). Please note that this is required anytime you would like to use the service for a new use case you did not originally apply for. ++## February 2023 ++### New Features ++- .NET SDK(inference) [preview release](https://www.nuget.org/packages/Azure.AI.OpenAI/1.0.0-beta.3) | [Samples](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/openai/Azure.AI.OpenAI/tests/Samples) +- [Terraform SDK update](https://registry.terraform.io/providers/hashicorp/azurerm/3.37.0/docs/resources/cognitive_deployment) to support Azure OpenAI management operations. +- Inserting text at the end of a completion is now supported with the `suffix` parameter. ++### Updates ++- Content filtering is on by default. ++New articles on: ++- [Monitoring an Azure OpenAI Service](./how-to/monitoring.md) +- [Plan and manage costs for Azure OpenAI](./how-to/manage-costs.md) ++New training course: ++- [Intro to Azure OpenAI](/training/modules/explore-azure-openai/) ++ ## January 2023 ### New Features |
communications-gateway | Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communications-gateway/deploy.md | Last updated 12/16/2022 # Deploy Azure Communications Gateway -This article will guide you through creating an Azure Communications Gateway resource in Azure. You must configure this resource before you can deploy Azure Communications Gateway. +This article guides you through creating an Azure Communications Gateway resource in Azure. You must configure this resource before you can deploy Azure Communications Gateway. ## Prerequisites If you haven't filled in the configuration correctly, you'll see an error messag Check your configuration and ensure it matches your requirements. If the configuration is correct, select **Create**. -You now need to wait for your resource to be provisioned and connected to the Microsoft Teams environment. When your resource has been provisioned and connected, your onboarding team will reach out to you and the Provisioning Status filed on the resource overview will show as "Complete". We recommend you check in periodically to see if your resource has been provisioned. This process can take up to two weeks, because updating ACLs in the Azure and Teams environments is done on a periodic basis. +You now need to wait for your resource to be provisioned and connected to the Microsoft Teams environment. When your resource has been provisioned and connected, your onboarding team will contact you and the Provisioning Status filed on the resource overview will be "Complete". We recommend you check in periodically to see if your resource has been provisioned. This process can take up to two weeks, because updating ACLs in the Azure and Teams environments is done on a periodic basis. -Once your resource has been provisioned, a message will appear saying **Your deployment is complete**. Select **Go to resource group**, and then check that your resource group contains the correct Azure Communications Gateway resource. +Once your resource has been provisioned, a message appears saying **Your deployment is complete**. Select **Go to resource group**, and then check that your resource group contains the correct Azure Communications Gateway resource. :::image type="content" source="media/deploy/go-to-resource-group.png" alt-text="Screenshot of the Create an Azure Communications Gateway portal, showing a completed deployment screen."::: ## 3. Complete the JSON onboarding file -Your onboarding team will require additional information to complete your Operator Connect onboarding. If you're being onboarded to Operator Connect/Teams Phone Mobile by Microsoft, the onboarding team will reach out to you. +Your onboarding team needs more information to complete your Operator Connect onboarding. If you're being onboarded to Operator Connect or Teams Phone Mobile by Microsoft, the onboarding team will contact you. Fill in the JSON onboarding file and give it to your onboarding team. Wait for your onboarding team to confirm that the onboarding process is complete before testing your portal access. |
communications-gateway | Prepare To Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communications-gateway/prepare-to-deploy.md | Resource naming and tagging is useful for resource management. It enables your o If you believe tagging would be useful for your organization, design your naming and tagging conventions following the information in the [Resource naming and tagging decision guide](/azure/cloud-adoption-framework/decision-guides/resource-tagging/). -## 9. Get access to Azure Communications Gateway for your Azure subscription +## 10. Get access to Azure Communications Gateway for your Azure subscription Access to Azure Communications Gateway is restricted. When you've completed the other steps in this article, contact your onboarding team and ask them to enable your subscription. If you don't already have an onboarding team, contact azcog-enablement@microsoft.com with your Azure subscription ID and contact details. |
container-registry | Container Registry Delete | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-delete.md | As mentioned in the [Manifest digest](container-registry-concepts.md#manifest-di 1. Check manifests for repository *acr-helloworld*: ```azurecli- az acr manifest list-metadata --name myregistry --repository acr-helloworld + az acr manifest list-metadata --name acr-helloworld --registry myregistry ``` ```output |
data-factory | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/introduction.md | If you prefer to code transformations by hand, ADF supports external activities After you have successfully built and deployed your data integration pipeline, providing business value from refined data, monitor the scheduled activities and pipelines for success and failure rates. Azure Data Factory has built-in support for pipeline monitoring via Azure Monitor, API, PowerShell, Azure Monitor logs, and health panels on the Azure portal. ## Top-level concepts-An Azure subscription might have one or more Azure Data Factory instances (or data factories). Azure Data Factory is composed of below key components. +An Azure subscription might have one or more Azure Data Factory instances (or data factories). Azure Data Factory is composed of the following key components: + - Pipelines - Activities - Datasets |
databox-online | Azure Stack Edge Technical Specifications Power Cords Regional | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-technical-specifications-power-cords-regional.md | Title: Azure Stack Edge Pro FPGA power cord technical specifications by location -description: Learn about the technical specifications for your Azure Stack Edge Pro FPGA power cords. + Title: Azure Stack Edge power cord specifications +description: Learn about the technical specifications for Azure Stack Edge power cords. Previously updated : 11/10/2021 Last updated : 03/09/2023 -# Azure Stack Edge Pro FPGA power cord specifications +# Azure Stack Edge power cord specifications -Your Azure Stack Edge Pro FPGA device will need a power cord that will vary depending on your Azure region. ++Your Azure Stack Edge device will need a power cord that will vary depending on your Azure region. ## Supported power cords -You can use the following table to find the correct cord specifications for your region: +Use the following table to find the correct cord specifications for your region: | Country | Rated Voltage (V)| Rated Current (A)| Cord Standard |Input Connector|Output Connector| Length mm | ||||-|--|-|--|--|--| You can use the following table to find the correct cord specifications for your ## Next steps -[Azure Stack Edge Pro FPGA technical specifications](./azure-stack-edge-technical-specifications-compliance.md) +- [Azure Stack Edge Pro GPU technical specifications](./azure-stack-edge-gpu-technical-specifications-compliance.md). |
defender-for-cloud | Concept Attack Path | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-attack-path.md | Title: What are the cloud security graph, attack path analysis, and the cloud security explorer? + Title: Identify and analyze risks across your environment description: Learn how to prioritize remediation of cloud misconfigurations and vulnerabilities based on risk. Previously updated : 01/24/2023 Last updated : 03/06/2023 -# What are the cloud security graph, attack path analysis, and the cloud security explorer? +# Identify and analyze risks across your environment <iframe src="https://aka.ms/docs/player?id=36a5c440-00e6-4bd8-be1f-a27fbd007119" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe> |
defender-for-cloud | Concept Cloud Security Posture Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-cloud-security-posture-management.md | Title: Overview of Cloud Security Posture Management (CSPM) description: Learn more about the new Defender CSPM plan and the other enhanced security features that can be enabled for your multicloud environment through the Defender Cloud Security Posture Management (CSPM) plan. Previously updated : 02/20/2023 Last updated : 03/08/2023 # Cloud Security Posture Management (CSPM) Defender for Cloud continually assesses your resources, subscriptions and organi Defender for cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default on any subscription or account that has onboarded to Defender for Cloud. The foundational CSPM includes asset discovery, continuous assessment and security recommendations for posture hardening, compliance with Microsoft Cloud Security Benchmark (MCSB), and a [Secure score](secure-score-access-and-track.md) which measure the current status of your organizationΓÇÖs posture. -The optional Defender CSPM plan, provides advanced posture management capabilities such as [Attack path analysis](#attack-path-analysis), [Cloud security explorer](#cloud-security-explorer), advanced threat hunting, [security governance capabilities](#security-governance-and-regulatory-compliance), and also tools to assess your [security compliance](#security-governance-and-regulatory-compliance) with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region. +The optional Defender CSPM plan, provides advanced posture management capabilities such as [Attack path analysis](how-to-manage-attack-path.md), [Cloud security explorer](how-to-manage-cloud-security-explorer.md), advanced threat hunting, [security governance capabilities](concept-regulatory-compliance.md), and also tools to assess your [security compliance](review-security-recommendations.md) with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region. The following table summarizes each plan and their cloud availability. The following table summarizes each plan and their cloud availability. |--|--|--|--| | Continuous assessment of the security configuration of your cloud resources | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises | | [Security recommendations to fix misconfigurations and weaknesses](review-security-recommendations.md) | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png":::| Azure, AWS, GCP, on-premises |-| [Secure score](secure-score-access-and-track.md) | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises | -| [Governance](#security-governance-and-regulatory-compliance) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises | -| [Regulatory compliance](#security-governance-and-regulatory-compliance) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises | -| [Cloud security explorer](#cloud-security-explorer) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS | -| [Attack path analysis](#attack-path-analysis) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS | -| [Agentless scanning for machines](#agentless-scanning-for-machines) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS | +| [Secure score](secure-score-security-controls.md) | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises | +| [Governance](concept-regulatory-compliance.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises | +| [Regulatory compliance](concept-regulatory-compliance.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP, on-premises | +| [Cloud security explorer](how-to-manage-cloud-security-explorer.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS | +| [Attack path analysis](how-to-manage-attack-path.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS | +| [Agentless scanning for machines](concept-agentless-data-collection.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS | > [!NOTE] The following table summarizes each plan and their cloud availability. > > To enable Governance for for DevOps related recommendations, the Defender CSPM plan needs to be enabled on the Azure subscription that hosts the DevOps connector. -## Security governance and regulatory compliance --Security governance and regulatory compliance refer to the policies and processes which organizations have in place. These policies ensure that they comply with laws, rules and regulations put in place by external bodies (government) which control activity in a given jurisdiction. Defender for Cloud allows you to view your regulatory compliance through the regulatory compliance dashboard. --Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you've applied to your subscriptions. The dashboard reflects the status of your compliance with these standards. --Learn more about [security and regulatory compliance in Defender for Cloud](concept-regulatory-compliance.md). --## Cloud security explorer --The cloud security graph is a graph-based context engine that exists within Defender for Cloud. The cloud security graph collects data from your multicloud environment and other data sources. For example, the cloud assets inventory, connections and lateral movement possibilities between resources, exposure to internet, permissions, network connections, vulnerabilities and more. The data collected builds a graph representing your multicloud environment. --Defender for Cloud then uses the generated graph to perform an attack path analysis and find the issues with the highest risk that exist within your environment. You can also query the graph using the cloud security explorer. --Learn more about [cloud security explorer](concept-attack-path.md#what-is-cloud-security-explorer) --## Attack path analysis --Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans: --- expose exploitable paths that attackers may use to breach your environment and reach your high-impact assets-- provide recommendations for ways to prevent successful breaches--When you take your environment's contextual information into account, attack path analysis identifies issues that may lead to a breach on your environment, and helps you to remediate the highest risk ones first. For example its exposure to the internet, permissions, lateral movement, and more. --Learn more about [attack path analysis](concept-attack-path.md#what-is-attack-path-analysis). --## Agentless scanning for machines --With agentless scanning for VMs, you can get visibility on actionable OS posture issues without installed agents, network connectivity, or machine performance. --Learn more about [agentless scanning](concept-agentless-data-collection.md). - ## Next steps Learn about Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads). |
defender-for-cloud | How To Manage Aws Assessments Standards | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-manage-aws-assessments-standards.md | Title: Manage AWS assessments and standards description: Learn how to create custom security assessments and standards for your AWS environment. Previously updated : 02/07/2023 Last updated : 03/09/2023 # Manage AWS assessments and standards -Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available standards such as AWS CIS 1.2.0, AWS CIS 1.5.0, AWS Foundational Security Best Practices, and AWS PCI DSS 3.2.1, or create custom standards to meet specific internal requirements. +Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available standards such as AWS CIS 1.2.0, AWS CIS 1.5.0, AWS Foundational Security Best Practices, and AWS PCI DSS 3.2.1. -There are three types of resources that are needed to create and manage assessments: +There are two types of resources that are needed to create and manage assessments: -- Assessment:- - assessment details such as name, description, severity, remediation logic, etc. - - assessment logic in KQL - - the standard it belongs to - Standard: defines a set of assessments-- Standard assignment: defines the scope, which the standard will evaluate. For example, specific AWS account(s).+- Standard assignment: defines the scope, which the standard evaluates. For example, specific AWS account(s). -You can either use the built-in regulatory compliance standards or create your own custom standards. +## Create a custom compliance standard to your AWS account -## Assign a built-in compliance standard to your AWS account --**To assign a built-in compliance standard to your AWS account**: +**To create a custom compliance standard to your AWS account**: 1. Sign in to the [Azure portal](https://portal.azure.com/). You can either use the built-in regulatory compliance standards or create your o 1. Select the relevant AWS account. -1. Select **Standards** > **Add** > **Standard**. +1. Select **Standards** > **+ Create** > **Standard**. :::image type="content" source="media/how-to-manage-assessments-standards/aws-add-standard.png" alt-text="Screenshot that shows you where to navigate to in order to add an AWS standard." lightbox="media/how-to-manage-assessments-standards/aws-add-standard-zoom.png"::: -1. Select a built-in standard from the drop-down menu. +1. Enter a name, description and select built-in recommendations from the drop-down menu. ++ :::image type="content" source="media/how-to-manage-assessments-standards/create-standard-aws.png" alt-text="Screenshot of the Create new standard window."::: -1. Select **Save**. +1. Select **Create**. -## Create a new custom standard for your AWS account +## Assign a built-in compliance standard to your AWS account -**To create a new custom standard for your AWS account**: +**To assign a built-in compliance standard to your AWS account**: 1. Sign in to the [Azure portal](https://portal.azure.com/). You can either use the built-in regulatory compliance standards or create your o 1. Select the relevant AWS account. -1. Select **Standards** > **Create** > **Standard**. --1. Select **New standard**. -- :::image type="content" source="media/how-to-manage-assessments-standards/new-aws-standard.png" alt-text="Screenshot that shows you where to select a new AWS standard." lightbox="media/how-to-manage-assessments-standards/new-aws-standard.png"::: +1. Select **Standards**. -1. Enter a name, description and select which assessments you want to add. +1. Select the **three dot button** for the built-in standard you want to assign. -1. Select **Save**. + :::image type="content" source="media/how-to-manage-assessments-standards/aws-built-in.png" alt-text="Screenshot that shows where the three dot button is located on the screen." lightbox="media/how-to-manage-assessments-standards/aws-built-in.png"::: -## Assign a built-in assessment to your AWS account --**To assign a built-in assessment to your AWS account**: --1. Sign in to the [Azure portal](https://portal.azure.com/). --1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**. --1. Select the relevant AWS account. +1. Select **Assign standard**. -1. Select **Standards** > **Add** > **Assessment**. -- :::image type="content" source="media/how-to-manage-assessments-standards/aws-assessment.png" alt-text="Screenshot that shows where to navigate to, to select an AWS assessment." lightbox="media/how-to-manage-assessments-standards/aws-assessment.png"::: --1. Select **Existing assessment**. --1. Select all relevant assessments from the drop-down menu. --1. Select the standards from the drop-down menu. --1. Select **Save**. --## How to build a query --The last row of the query should return all the original columns (don’t use ‘project’, ‘project-away'). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`. --### Sample KQL queries --When building a KQL query, you should use the following table structure: --```kusto -- TimeStamp- 2021-10-07T10:30:21.403732Z - - SdksInfo - { - "AWSSDK.EC2": "3.7.5.2" - } -- - RecordProviderInfo - { - "CloudName": "AWS", - "CspmDiscoveryCloudRoleArn": "arn:aws:iam::123456789123:role/CSPMMonitoring", - "Type": "MultiCloudDiscoveryServiceDataCollector", - "HierarchyIdentifier": "123456789123", - "ConnectorId": "b3113210-63f9-43c5-a6a7-f14a2a5b3cd0" - } - - RecordOrganizationInfo - { - "Type": "MyOrganization", - "TenantId": "bda8bc53-d9f8-4248-b9a9-3a6c7fe0b92f", - "SubscriptionId": "69444886-de6b-40c5-8b43-065f739fffb9", - "ResourceGroupName": "MyResourceGroupName" - } -- - CorrelationId - 4f5e50e1d92c400caf507036a1237c72 - - RecordRegionalInfo - { - "Type": "MultiCloudRegion", - "RegionUniqueName": "eu-west-2", - "RegionDisplayName": "EU West (London)", - "IsGlobalForRecord": false - } -- - RecordIdentifierInfo - { - "Type": "MultiCloudDiscoveryServiceDataCollector", - "RecordNativeCloudUniqueIdentifier": "arn:aws:ec2:eu-west-2:123456789123:elastic-ip/eipalloc-1234abcd5678efef9", - "RecordAzureUniqueIdentifier": "/subscriptions/69444886-de6b-40c5-8b43-065f739fffb9/resourcegroups/MyResourceGroupName/providers/Microsoft.Security/securityconnectors/b3113210-63f9-43c5-a6a7-f14a2a5b3cd0/securityentitydata/aws-ec2-elastic-ip-eipalloc-1234abcd5678efef9-eu-west-2", - "RecordIdentifier": "eipalloc-1234abcd5678efef9-eu-west-2", - "ResourceProvider": "EC2", - "ResourceType": "elastic-ip" - } - - Record - { - "AllocationId": "eipalloc-1234abcd5678efef9", - "AssociationId": "eipassoc-234abcd5678efef90", - "CarrierIp": null, - "CustomerOwnedIp": null, - "CustomerOwnedIpv4Pool": null, - "Domain": { - "Value": "vpc" - }, - "InstanceId": "i-0a8fcc00493c4625d", - "NetworkBorderGroup": "eu-west-2", - "NetworkInterfaceId": "eni-34abcd5678efef901", - "NetworkInterfaceOwnerId": "123456789123", - "PrivateIpAddress": "172.31.21.88", - "PublicIp": "19.218.211.431", - "PublicIpv4Pool": "amazon", - "Tags": [ - { - "Value": "arn:aws:cloudformation:eu-west-2:123456789123:stack/awseb-e-sjuh4tkr7a-stack/4ff15da0-2512-11ec-ab59-023b28e97f64", - "Key": "aws:cloudformation:stack-id" - }, - { - "Value": "e-sjuh4tkr7a", - "Key": "elasticbeanstalk:environment-id" - }, - { - "Value": "AWSEBEIP", - "Key": "aws:cloudformation:logical-id" - }, - { - "Value": "awseb-e-sjuh4tkr7a-stack", - "Key": "aws:cloudformation:stack-name" - }, - { - "Value": "Mebrennetest3-env", - "Key": "elasticbeanstalk:environment-name" - }, - { - "Value": "Mebrennetest3-env", - "Key": "Name" - } - ] - } -``` --> [!NOTE] -> The `Record` field contains the data structure as it is returned from the AWS API. Use this field to define conditions which will determine if the resource is healthy or unhealthy. -> -> You can access internal properties of `Record` filed using a dot notation. For example: `| extend EncryptionType = Record.Encryption.Type`. --**Stopped EC2 instances should be removed after a specified time period** - -```kusto -EC2_Instance -| extend State = tolower(tostring(Record.State.Name.Value)) -| extend StoppedTime = todatetime(tostring(Record.StateTransitionReason)) -| extend HealthStatus = iff(not(State == 'stopped' and StoppedTime < ago(30d)), 'HEALTHY', 'UNHEALTHY') -``` --**EC2 subnets should not automatically assign public IP addresses** - --```kusto -EC2_Subnet -| extend MapPublicIpOnLaunch = tolower(tostring(Record.MapPublicIpOnLaunch)) -| extend HealthStatus = iff(MapPublicIpOnLaunch == 'false' ,'HEALTHY', 'UNHEALTHY') -``` --**EC2 instances should not use multiple ENIs** - -```kusto -EC2_Instance -| extend NetworkInterfaces = parse_json(Record)['NetworkInterfaces'] -| extend NetworkInterfaceCount = array_length(parse_json(NetworkInterfaces)) -| extend HealthStatus = iff(NetworkInterfaceCount == 1 ,'HEALTHY', 'UNHEALTHY') -``` --You can use the following links to learn more about Kusto queries: -- [KQL quick reference](/azure/data-explorer/kql-quick-reference)-- [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/)-- [Must Learn KQL](https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/)+1. Select **Yes**. ## Next steps |
defender-for-cloud | How To Manage Cloud Security Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-manage-cloud-security-explorer.md | -# Cloud security explorer +# Build queries with cloud security explorer Defender for Cloud's contextual security capabilities assist security teams in reducing the risk of impactful breaches. Defender for Cloud uses environmental context to perform a risk assessment of your security issues, identifies the biggest security risks, and distinguishes them from less risky issues. |
defender-for-cloud | How To Manage Gcp Assessments Standards | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-manage-gcp-assessments-standards.md | Title: Manage GCP assessments and standards -description: Learn how to create custom security assessments and standards for your GCP environment. +description: Learn how to create standards for your GCP environment. Previously updated : 01/24/2023 Last updated : 03/08/2023 # Manage GCP assessments and standards Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available regulatory standards such as GCP CIS 1.1.0, GCP CIS and 1.2.0, or create custom standards to meet specific internal requirements. -There are three types of resources that are needed to create and manage assessments: +There are two types of resources that are needed to create and manage standards: -- Assessment:- - assessment details such as name, description, severity, remediation logic, etc. - - assessment logic in KQL - - the standard it belongs to - Standard: defines a set of assessments-- Standard assignment: defines the scope, which the standard will evaluate. For example, specific GCP projects.+- Standard assignment: defines the scope, which the standard evaluates. For example, specific GCP projects. -You can either use the built-in compliance standards or create your own custom standards or built-in assessments. +## Create a custom compliance standard to your GCP project -## Assign a built-in compliance standard to your GCP project --**To assign a built-in compliance standard to your GCP project**: +**To create a custom compliance standard to your GCP project**: 1. Sign in to the [Azure portal](https://portal.azure.com/). You can either use the built-in compliance standards or create your own custom s 1. Select the relevant GCP project. -1. Select **Standards** > **Add** > **Standard**. +1. Select **Standards** > **+ Create** > **Standard**. :::image type="content" source="media/how-to-manage-assessments-standards/gcp-standard.png" alt-text="Screenshot that shows you where to navigate to, to add a GCP standard." lightbox="media/how-to-manage-assessments-standards/gcp-standard-zoom.png"::: -1. Select a built-in standard from the drop-down menu. +1. Enter a name, description and select built-in recommendations from the drop-down menu. :::image type="content" source="media/how-to-manage-assessments-standards/drop-down-menu.png" alt-text="Screenshot that shows you the standard options you can choose from the drop-down menu." lightbox="media/how-to-manage-assessments-standards/drop-down-menu.png"::: -1. Select **Save**. --## Create a new custom standard for your GCP project --**To create a new custom standard for your GCP project**: --1. Sign in to the [Azure portal](https://portal.azure.com/). --1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**. --1. Select the relevant GCP project. --1. Select **Standards** > **Add** > **Standard**. --1. Select **New standard**. --1. Enter a name, description and select which assessments you want to add. --1. Select **Save**. +1. Select **Create**. -## Assign a built-in assessment to your GCP project +## Assign a built-in compliance standard to your GCP project -**To assign a built-in assessment to your GCP project**: +**To assign a built-in compliance standard to your GCP project**: 1. Sign in to the [Azure portal](https://portal.azure.com/). You can either use the built-in compliance standards or create your own custom s 1. Select the relevant GCP project. -1. Select **Standards** > **Add** > **Assessment**. -- :::image type="content" source="media/how-to-manage-assessments-standards/gcp-assessment.png" alt-text="Screenshot that shows where to navigate to, to select GCP assessment." lightbox="media/how-to-manage-assessments-standards/gcp-assessment.png"::: --1. Select **Existing assessment**. --1. Select all relevant assessments from the drop-down menu. --1. Select the standards from the drop-down menu. --1. Select **Save**. --## How to build a query --The last row of the query should return all the original columns (don’t use ‘project’, ‘project-away). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`. --### Sample KQL queries --**Ensure that Cloud Storage buckets have uniform bucket-level access enabled** --```kusto -let UnhealthyBuckets = Storage_Bucket -| extend RetentionPolicy = Record.retentionPolicy -| where isnull(RetentionPolicy) or isnull(RetentionPolicy.isLocked) or tobool(RetentionPolicy.isLocked)==false -| project BucketName = RecordIdentifierInfo.CloudNativeResourceName; Logging_LogSink -| extend Destination = split(Record.destination,'/')[0] -| where Destination == 'storage.googleapis.com' -| extend LogBucketName = split(Record.destination,'/')[1] -| extend HealthStatus = iff(LogBucketName in(UnhealthyBuckets), 'UNHEALTHY', 'HEALTHY')" -``` --**Ensure VM disks for critical VMs are encrypted** --```kusto -Compute_Disk -| extend DiskEncryptionKey = Record.diskEncryptionKey -| extend IsVmNotEncrypted = isempty(tostring(DiskEncryptionKey.sha256)) -| extend HealthStatus = iff(IsVmNotEncrypted ,'UNHEALTHY' ,'HEALTHY')" -``` +1. Select **Standards**. -**Ensure Compute instances are launched with Shielded VM enabled** +1. Select the **three dot button** for the built-in standard you want to assign. -```kusto -Compute_Instance -| extend InstanceName = tostring(Record.id) -| extend ShieldedVmExist = tostring(Record.shieldedInstanceConfig.enableIntegrityMonitoring) =~ 'true' and tostring(Record.shieldedInstanceConfig.enableVtpm) =~ 'true' -| extend HealthStatus = iff(ShieldedVmExist, 'HEALTHY', 'UNHEALTHY')" -``` + :::image type="content" source="media/how-to-manage-assessments-standards/gcp-built-in.png" alt-text="Screenshot that shows where the three dot button is located on the screen." lightbox="media/how-to-manage-assessments-standards/gcp-built-in.png"::: -You can use the following links to learn more about Kusto queries: -- [KQL quick reference](/azure/data-explorer/kql-quick-reference)-- [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/)-- [Must Learn KQL](https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/)+1. Select **Assign standard**. +1. Select **Yes**. + ## Next steps In this article, you learned how to manage your assessments and standards in Defender for Cloud. |
defender-for-cloud | Secure Score Security Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/secure-score-security-controls.md | Title: Security posture for Microsoft Defender for Cloud + Title: Secure score description: Description of Microsoft Defender for Cloud's secure score and its security controls Previously updated : 01/15/2023 Last updated : 03/05/2023 -# Security posture for Microsoft Defender for Cloud +# Secure score ## Overview of secure score |
defender-for-cloud | Sql Azure Vulnerability Assessment Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/sql-azure-vulnerability-assessment-manage.md | To change an Azure SQL database from the express vulnerability assessment config -RecurringScansInterval Weekly ` -ScanResultsContainerName "vulnerability-assessment" ```+ + You may have tweak `Update-AzSqlServerVulnerabilityAssessmentSetting` according to [Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets](/azure/azure-sql/database/sql-database-vulnerability-assessment-storage?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&view=azuresql). ### Errors Possible causes: - Switching to express configuration failed due to a database policy error. Database policies aren't visible in the Azure portal for Defender for SQL vulnerability assessment, so we check for them during the validation stage of switching to express configuration. **Solution**: Disable all database policies for the relevant server and then try to switch to express configuration again.+ Cosnider using the [provided PowerShell script](powershell-sample-vulnerability-assessment-azure-sql.md) for assistance. ### [Classic configuration](#tab/classic) |
defender-for-cloud | Sql Azure Vulnerability Assessment Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/sql-azure-vulnerability-assessment-overview.md | Configuration modes benefits and limitations comparison: ## Next steps - Enable [SQL vulnerability assessments](sql-azure-vulnerability-assessment-enable.md)+- Express configuration [FAQ](sql-azure-vulnerability-assessment-manage.md?tabs=express#faq) and [Troubleshooting](sql-azure-vulnerability-assessment-manage.md?tabs=express#troubleshooting). - Learn more about [Microsoft Defender for Azure SQL](defender-for-sql-introduction.md). - Learn more about [data discovery and classification](/azure/azure-sql/database/data-discovery-and-classification-overview). - Learn more about [storing vulnerability assessment scan results in a storage account accessible behind firewalls and VNets](/azure/azure-sql/database/sql-database-vulnerability-assessment-storage). |
defender-for-cloud | Support Matrix Defender For Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/support-matrix-defender-for-cloud.md | Title: Microsoft Defender for Cloud interoperability with Azure services and Azure clouds -description: Learn about the Azure cloud environments where Defender for Cloud can be used and the Azure services that Defender for Cloud protects. + Title: Microsoft Defender for Cloud interoperability with Azure services, Azure clouds, and client operating systems +description: Learn about the Azure cloud environments where Defender for Cloud can be used, the Azure services that Defender for Cloud protects, and the client operating systems that Defender for Cloud supports. Previously updated : 02/07/2023 Last updated : 03/08/2023 -# Microsoft Defender for Cloud interoperability with Azure services and Azure clouds +# Support matrices for Defender for Cloud -This article indicates the Azure clouds and Azure services that are supported by Microsoft Defender for Cloud. +This article indicates the Azure clouds, Azure services, and client operating systems that are supported by Microsoft Defender for Cloud. ## Security benefits for Azure services Microsoft Defender for Cloud is available in the following Azure cloud environme <sup><a name="footnote7"></a>7</sup> Partially GA: Support for Arc-enabled Kubernetes clusters (and therefore AWS EKS too) is in public preview and not available on Azure Government. Run-time visibility of vulnerabilities in container images is also a preview feature. +## Supported operating systems ++Defender for Cloud depends on the [Azure Monitor Agent](/azure/azure-monitor/agents/agents-overview) or the [Log Analytics agent](/azure/azure-monitor/agents/log-analytics-agent). Make sure that your machines are running one of the supported operating systems as described on the following pages: ++- Azure Monitor Agent + - [Azure Monitor Agent for Windows supported operating systems](/azure/azure-monitor/agents/agents-overview#windows) + - [Azure Monitor Agent for Linux supported operating systems](/azure/azure-monitor/agents/agents-overview#linux) +- Log Analytics agent + - [Log Analytics agent for Windows supported operating systems](/azure/azure-monitor/agents/agents-overview#windows) + - [Log Analytics agent for Linux supported operating systems](/azure/azure-monitor/agents/agents-overview#linux) ++Also ensure your Log Analytics agent is [properly configured to send data to Defender for Cloud](working-with-log-analytics-agent.md#manual-agent). ++To learn more about the specific Defender for Cloud features available on Windows and Linux, see: ++- Defender for Servers support for [Windows](support-matrix-defender-for-servers.md#windows-machines) and [Linux](support-matrix-defender-for-servers.md#linux-machines) machines +- Defender for Containers [support for Windows and Linux containers](support-matrix-defender-for-containers.md#defender-for-containers-feature-availability) ++> [!NOTE] +> Even though Microsoft Defender for Servers is designed to protect servers, most of its features are supported for Windows 10 machines. One feature that isn't currently supported is [Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](integration-defender-for-endpoint.md). + ## Next steps This article explained how Microsoft Defender for Cloud is supported in the Azure, Azure Government, and Azure China 21Vianet clouds. Now that you're familiar with the Defender for Cloud capabilities supported in your cloud, learn how to: |
defender-for-iot | Alert Engine Messages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/alert-engine-messages.md | Title: Microsoft Defender for IoT alert reference description: This article provides a reference of all alerts that are generated by Microsoft Defender for IoT network sensors, inclduing a list of all alert types and descriptions. Last updated 11/23/2022 + # Microsoft Defender for IoT alert reference -This article provides a reference of the [alerts](how-to-manage-cloud-alerts.md) that are generated by Microsoft Defender for IoT network sensors, inclduing a list of all alert types and descriptions. You might use this reference to [map alerts into playbooks](iot-advanced-threat-monitoring.md#automate-response-to-defender-for-iot-alerts), [define forwarding rules](how-to-forward-alert-information-to-partners.md) on an OT network sensor, or other custom activity. +This article provides a reference of the [alerts](how-to-manage-cloud-alerts.md) that are generated by Microsoft Defender for IoT network sensors, including a list of all alert types and descriptions. You might use this reference to [map alerts into playbooks](iot-advanced-threat-monitoring.md#automate-response-to-defender-for-iot-alerts), [define forwarding rules](how-to-forward-alert-information-to-partners.md) on an OT network sensor, or other custom activity. > [!IMPORTANT] > The **Alerts** page in the Azure portal is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - ## OT alerts turned off by default Several alerts are turned off by default, as indicated by asterisks (*) in the tables below. OT sensor **Admin** users can enable or disable alerts from the **Support** page on a specific OT network sensor. |
defender-for-iot | Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/alerts.md | Title: Microsoft Defender for IoT alerts description: Learn about Microsoft Defender for IoT alerts across the Azure portal, OT network sensors, and on-premises management consoles. Last updated 12/12/2022 + # Microsoft Defender for IoT alerts |
defender-for-iot | Billing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/billing.md | Title: Subscription billing description: Learn how you're billed for the Microsoft Defender for IoT service on your Azure subscription. Last updated 10/30/2022+ # Defender for IoT subscription billing |
defender-for-iot | Concept Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/concept-enterprise.md | Title: Securing IoT devices in the enterprise with Microsoft Defender for Endpoi description: Learn how integrating Microsoft Defender for Endpoint and Microsoft Defender for IoT's security content and network sensors enhances your IoT network security. Last updated 10/19/2022+ # Securing IoT devices in the enterprise |
defender-for-iot | Concept Supported Protocols | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/concept-supported-protocols.md | Title: Protocols supported by Microsoft Defender for IoT description: Learn about protocols that Microsoft Defender for IoT supports. Last updated 01/30/2023 + # Microsoft Defender for IoT - supported IoT, OT, ICS, and SCADA protocols |
defender-for-iot | Eiot Defender For Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/eiot-defender-for-endpoint.md | Title: Enable Enterprise IoT security in Microsoft 365 with Defender for Endpoin description: Learn how to start integrating between Microsoft Defender for IoT and Microsoft Defender for Endpoint in Microsoft 365 Defender. Last updated 10/19/2022+ # Enable Enterprise IoT security with Defender for Endpoint |
defender-for-iot | Eiot Sensor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/eiot-sensor.md | Title: Enhance device discovery with a Microsoft Defender for IoT Enterprise IoT description: Learn how to register an Enterprise IoT network sensor in Defender for IoT for extra device visibility not covered by Defender for Endpoint. Last updated 10/19/2022+ # Discover Enterprise IoT devices with an Enterprise IoT network sensor (Public preview) |
defender-for-iot | Extra Deploy Enterprise Iot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/extra-deploy-enterprise-iot.md | Title: Extra deployment steps and samples for Enterprise IoT deployment - Micros description: Describes extra deployment and validation procedures to use when deploying an Enterprise IoT network sensor. Last updated 08/08/2022+ # Extra steps and samples for Enterprise IoT deployment |
defender-for-iot | Faqs Eiot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/faqs-eiot.md | Title: FAQs for Enterprise IoT networks - Microsoft Defender for IoT description: Find answers to the most frequently asked questions about Microsoft Defender for IoT Enterprise IoT networks. Last updated 07/07/2022+ # Enterprise IoT network security frequently asked questions |
defender-for-iot | How To Manage Cloud Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md | Title: View and manage alerts on the Azure portal - Microsoft Defender for IoT description: Learn about viewing and managing alerts triggered by cloud-connected Microsoft Defender for IoT network sensors on the Azure portal. Last updated 12/12/2022 + # View and manage alerts from the Azure portal |
defender-for-iot | How To Manage Device Inventory For Organizations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-device-inventory-for-organizations.md | Title: Manage your device inventory from the Azure portal description: Learn how to view and manage OT and IoT devices (assets) from the Device inventory page in the Azure portal. Last updated 06/27/2022 + # Manage your device inventory from the Azure portal |
defender-for-iot | How To Manage Sensors On The Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-sensors-on-the-cloud.md | Title: Manage sensors with Defender for IoT in the Azure portal description: Learn how to onboard, view, and manage sensors with Defender for IoT in the Azure portal. Last updated 11/13/2022 + # Manage sensors with Defender for IoT in the Azure portal |
defender-for-iot | How To Work With The Sensor Device Map | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-work-with-the-sensor-device-map.md | The following table lists available responses for each notification, and when we | **New subnets** | New subnets were discovered. |- **Learn**: Automatically add the subnet.<br />- **Open Subnet Configuration**: Add all missing subnet information.<br />- **Dismiss**<br />Remove the notification. |**Dismiss** | | **Device type changes** | A new device type has been associated with the device. | - **Set as {…}**: Associate the new type with the device.<br />- **Dismiss**: Remove the notification. |No automatic handling| -The following legacy notifications were removed in version 22.3.6. If you have an earlier OT sensor version installed, you may still have these notifications to resolve: --| Type | Description | Available responses | -|--|--|--| -| **Inactive devices** | Traffic wasn't detected on a specific device for more than 60 days. | We recommend removing the device from your network if it's no longer needed. <br><br>**Dismiss**: If the device is part of your network but currently inactive, such as if it's mistakenly disconnected from the network, dismiss the notification and reconnect the device. | -| **New OT devices** | A subnet includes an OT device that's not defined in an ICS subnet. <br><br> Each subnet that contains at least one OT device can be defined as an ICS subnet. This helps differentiate between OT and IT devices on the map. | **Set as ICS Subnet** <br><br>**Dismiss**: Remove the notification if the device isn't part of the subnet. - ## View a device map for a specific zone If you're working with an on-premises management console with sites and zones configured, device maps are also available for each zone. |
defender-for-iot | Integrate Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/integrate-overview.md | Title: Integrations with partner services - Microsoft Defender for IoT description: Learn about supported integrations with Microsoft Defender for IoT. Last updated 08/02/2022 + # Integrations with Microsoft and partner services Integrate Microsoft Defender for Iot with partner services to view partner data ## Aruba ClearPass - |Name |Description |Support scope |Supported by |Learn more | |||||| |**Aruba ClearPass** | Share Defender for IoT data with ClearPass Security Exchange and update the ClearPass Policy Manager Endpoint Database with Defender for IoT data. | - OT networks<br>- Locally managed sensors and on-premises management consoles | Microsoft | [Integrate ClearPass with Microsoft Defender for IoT](tutorial-clearpass.md) | Integrate Microsoft Defender for Iot with partner services to view partner data |**Defender for IoT data connector in Microsoft Sentinel** | Displays Defender for IoT cloud data in Microsoft Sentinel, supporting end-to-end SOC investigations for Defender for IoT alerts. | - OT and Enterprise IoT networks <br>- Cloud-connected sensors | Microsoft | [Integrate Microsoft Sentinel and Microsoft Defender for IoT](../../sentinel/iot-solution.md?tabs=use-out-of-the-box-analytics-rules-recommended) | |**Microsoft Sentinel** | Send Defender for IoT alerts from on-premises resources to Microsoft Sentinel. | - OT networks <br>- Locally managed sensors and on-premises management consoles | Microsoft | [Connect on-premises OT network sensors to Microsoft Sentinel](integrations/on-premises-sentinel.md) | - ## Palo Alto |Name |Description |Support scope |Supported by |Learn more | |||||| |**Palo Alto** | Use Defender for IoT data to block critical threats with Palo Alto firewalls, either with automatic blocking or with blocking recommendations. | - OT networks<br>- Locally managed sensors and on-premises management consoles | Microsoft | [Integrate Palo-Alto with Microsoft Defender for IoT](tutorial-palo-alto.md) | - ## RSA NetWitness |Name |Description |Support scope |Supported by |Learn more | Integrate Microsoft Defender for Iot with partner services to view partner data |||||| |**Skybox** | Import vulnerability occurrence data discovered by Defender for IoT in your Skybox platform. | - OT networks<br>- Locally managed sensors and on-premises management consoles | Skybox | [Skybox documentation](https://docs.skyboxsecurity.com) <br><br> [Skybox integration page](https://www.skyboxsecurity.com/products/integrations) | - ## Splunk |Name |Description |Support scope |Supported by |Learn more | |
defender-for-iot | Iot Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/iot-solution.md | Title: Connect Microsoft Defender for IoT with Microsoft Sentinel description: This tutorial describes how to integrate Microsoft Sentinel and Microsoft Defender for IoT with the Microsoft Sentinel data connector to secure your entire environment. Detect and respond to threats, including multistage attacks that may cross IT and OT boundaries. Last updated 06/20/2022+ # Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel |
defender-for-iot | Manage Subscriptions Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/manage-subscriptions-enterprise.md | Title: Manage Enterprise IoT plans on Azure subscriptions description: Manage Defender for IoT plans for Enterprise IoT monitoring on your Azure subscriptions. Last updated 07/06/2022 + # Manage Defender for IoT plans for Enterprise IoT security monitoring |
defender-for-iot | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/overview.md | Title: Overview - Microsoft Defender for IoT for organizations description: Learn about Microsoft Defender for IoT's features for end-user organizations and comprehensive IoT security for OT and Enterprise IoT networks. Last updated 12/25/2022+ # Welcome to Microsoft Defender for IoT for organizations |
defender-for-iot | Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/recommendations.md | Title: Enhance security posture with security recommendations - Microsoft Defend description: Learn about how to find security recommendations for devices detected by Microsoft Defender for IoT. Last updated 12/12/2022 + # Enhance security posture with security recommendations |
defender-for-iot | References Work With Defender For Iot Cli Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/references-work-with-defender-for-iot-cli-commands.md | -This article provides an introduction to the Microsoft Defender for IoT command line interface (CLI). The CLI is a text-based user interface that allows you to access your OT and Enterprise IoT sensors, and the on-premises management console, for advanced configuration, troubleshooting, and support. +This article provides an introduction to the Microsoft Defender for IoT command line interface (CLI). The CLI is a text-based user interface that allows you to access your OT sensors and the on-premises management console for advanced configuration, troubleshooting, and support. To access the Defender for IoT CLI, you'll need access to the sensor or on-premises management console. |
defender-for-iot | Roles Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/roles-azure.md | Title: Azure user roles and permissions for Microsoft Defender for IoT description: Learn about the Azure user roles and permissions available for OT and Enterprise IoT monitoring with Microsoft Defender for IoT on the Azure portal. Last updated 09/19/2022 + - zerotrust-services |
defender-for-iot | Tutorial Onboarding | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/tutorial-onboarding.md | Before you start, make sure that you have the following: | **Maximum bandwidth** | 2.5 Gb/sec | 800 Mb/sec | 160 Mb/sec | | **Maximum protected devices** | 12,000 | 10,000 | 800 | +- An understanding of [OT monitoring with virtual appliances](ot-virtual-appliances.md). + - Details for the following network parameters to use for your sensor appliance: - A management network IP address |
defender-for-iot | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/whats-new.md | Title: What's new in Microsoft Defender for IoT description: This article describes features available in Microsoft Defender for IoT, across both OT and Enterprise IoT networks, and both on-premises and in the Azure portal. Last updated 02/22/2023+ # What's new in Microsoft Defender for IoT? |
devtest-labs | Create Lab Windows Vm Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/quickstarts/create-lab-windows-vm-terraform.md | In this article, you learn how to: 1. Get the Azure resource name in which the lab was created. - ```azurecli + ```console echo "$(terraform output resource_group_name)" ``` 1. Get the lab name. - ```azurecli + ```console echo "$(terraform output lab_name)" ``` |
digital-twins | Concepts Data History | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-data-history.md | For more of an introduction to data history, including a quick demo, watch the f ## Resources and data flow Data history requires the following resources:-* Azure Digital Twins instance, with a [system-assigned managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) enabled -* [Event Hubs](../event-hubs/event-hubs-about.md) namespace containing an event hub -* [Azure Data Explorer](/azure/data-explorer/data-explorer-overview) cluster containing a database +* Azure Digital Twins instance, with a [system-assigned managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) enabled. +* [Event Hubs](../event-hubs/event-hubs-about.md) namespace containing an event hub. +* [Azure Data Explorer](/azure/data-explorer/data-explorer-overview) cluster containing a database. The cluster must have public network access enabled. These resources are connected into the following flow: |
digital-twins | Concepts Data Ingress Egress | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-data-ingress-egress.md | You can also integrate Azure Digital Twins into a [Microsoft Power Platform](/po You may want to send Azure Digital Twins data to other downstream services for storage or additional processing. -Digital twin data can be sent to most Azure services using *endpoints*. If your destination is [Azure Data Explorer](/azure/data-explorer/data-explorer-overview), you can use *data history* instead to automatically send graph updates to an Azure Data Explorer cluster, where they are stored as historical data and can be queried as such. The rest of this section describes these capabilities in more detail. +There are two main egress options in Azure Digital Twins. Digital twin data can be sent to most Azure services using *endpoints*. Or, if your destination is [Azure Data Explorer](/azure/data-explorer/data-explorer-overview), you can use *data history* to automatically send graph updates to an Azure Data Explorer cluster, where they are stored as historical data and can be queried as such. ->[!NOTE] ->Azure Digital Twins implements *at least once* delivery for data emitted to egress services. +In order for Azure Digital Twins to send data to other Azure services via endpoints or data history, the receiving service must have public network access enabled. Azure Digital Twins currently does not support any outbound communication to resources that have public network access disabled. ++Once the connection is set up, Azure Digital Twins implements *at least once* delivery for data emitted to egress services. ++The rest of this section describes the two egress options in more detail. ### Endpoints |
digital-twins | How To Create Data History Connection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-create-data-history-connection.md | Next, create a Kusto (Azure Data Explorer) cluster and database to receive the d As part of the [data history connection setup](#set-up-data-history-connection) later, you'll grant the Azure Digital Twins instance the *Contributor* role on at least the database (it can also be scoped to the cluster), and the *Admin* role on the database. +>[!IMPORTANT] +>Make sure that the cluster has public network access enabled. If the Azure Data Explorer cluster has [public network access disabled](/azure/data-explorer/security-network-restrict-public-access), Azure Digital Twins will be unable to configure the tables and other required artifacts, and data history setup will fail. + # [CLI](#tab/cli) Use the following CLI commands to create the required resources. The commands use several local variables (`$location`, `$resourcegroup`, `$clustername`, and `$databasename`) that were created earlier in [Set up local variables for CLI session](#set-up-local-variables-for-cli-session). When executing the above command, you'll be given the option of assigning the ne For regular data plane operation, these roles can be reduced to a single Azure Event Hubs Data Sender role, if desired. ->[!NOTE] -> If you encounter the error "Could not create Azure Digital Twins instance connection. Unable to create table and mapping rule in database. Check your permissions for the Azure Database Explorer and run `az login` to refresh your credentials," resolve the error by adding yourself as an *AllDatabasesAdmin* under Permissions in your Azure Data Explorer cluster. -> ->If you're using the Cloud Shell and encounter the error "Failed to connect to MSI. Please make sure MSI is configured correctly," try running the command with a local Azure CLI installation instead. - # [Portal](#tab/portal) Start by navigating to your Azure Digital Twins instance in the Azure portal (you can find the instance by entering its name into the portal search bar). Then complete the following steps. After setting up the data history connection, you can optionally remove the role >[!NOTE] >Once the connection is set up, the default settings on your Azure Data Explorer cluster will result in an ingestion latency of approximately 10 minutes or less. You can reduce this latency by enabling [streaming ingestion](/azure/data-explorer/ingest-data-streaming) (less than 10 seconds of latency) or an [ingestion batching policy](/azure/data-explorer/kusto/management/batchingpolicy). For more information about Azure Data Explorer ingestion latency, see [End-to-end ingestion latency](concepts-data-history.md#end-to-end-ingestion-latency). +### Troubleshoot connection setup ++Here are a few common errors you might encounter when setting up a data history connection, and how to resolve them. ++* If you have public network access disabled for your Azure Data Explorer cluster, you'll encounter an error that the service failed to create the data history connection, with the message "The resource could not ACT due to an internal server error." Data history setup will fail if the Azure Data Explorer cluster has [public network access disabled](/azure/data-explorer/security-network-restrict-public-access), since Azure Digital Twins will be unable to configure the tables and other required artifacts. +* (CLI users) If you encounter the error "Could not create Azure Digital Twins instance connection. Unable to create table and mapping rule in database. Check your permissions for the Azure Database Explorer and run `az login` to refresh your credentials," resolve the error by adding yourself as an *AllDatabasesAdmin* under Permissions in your Azure Data Explorer cluster. +* (Cloud Shell users) If you're using the Cloud Shell and encounter the error "Failed to connect to MSI. Please make sure MSI is configured correctly," try running the command with a local Azure CLI installation instead. + ## Verify with a sample twin graph Now that your data history connection is set up, you can test it with data from your digital twins. |
energy-data-services | How To Manage Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/how-to-manage-users.md | Copy the `access_token` value from the response. You'll need it to pass as one o ## User management activities -You can manage users' access to your Microsoft Energy Data Services instance or data partitions. As a prerequisite for this step, you need to find the 'object-id' (OID) of the user(s) first. If you are managing an application's access to your instance or data partition, then you must find and use the application ID (or client ID) instead of the OID. +You can manage users' access to your Azure Data Manager for Energy Preview instance or data partitions. As a prerequisite for this step, you need to find the 'object-id' (OID) of the user(s) first. If you are managing an application's access to your instance or data partition, then you must find and use the application ID (or client ID) instead of the OID. -You'll need to input the `object-id` (OID) of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Microsoft Energy Data Services Preview Instance. `object-id` (OID) is the Azure Active Directory User Object ID. +You'll need to input the `object-id` (OID) of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Azure Data Manager for Energy Preview Instance. `object-id` (OID) is the Azure Active Directory User Object ID. :::image type="content" source="media/how-to-manage-users/azure-active-directory-object-id.png" alt-text="Screenshot of finding the object-id from Azure Active Directory."::: |
event-hubs | Event Hubs About | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-about.md | Title: What is Azure Event Hubs? - a Big Data ingestion service | Microsoft Docs + Title: What is Azure Event Hubs? - a Big Data ingestion service description: Learn about Azure Event Hubs, a Big Data streaming service that ingests millions of events per second. Previously updated : 02/28/2022- Last updated : 03/07/2023 -# Azure Event Hubs ΓÇö A big data streaming platform and event ingestion service -Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. Data sent to an event hub can be transformed and stored by using any real-time analytics provider or batching/storage adapters. --The following scenarios are some of the scenarios where you can use Event Hubs: --- Anomaly detection (fraud/outliers)-- Application logging-- Analytics pipelines, such as clickstreams-- Live dashboards-- Archiving data-- Transaction processing-- User telemetry processing-- Device telemetry streaming+# Azure Event HubsΓÇöA big data streaming platform and event ingestion service +Event Hubs is a modern big data streaming platform and event ingestion service that can seamlessly integrate with other Azure and Microsoft services, such as Stream Analytics, Power BI, and Event Grid, along with outside services like Apache Spark. The service can process millions of events per second with low latency. The data sent to an event hub (Event Hubs instance) can be transformed and stored by using any real-time analytics providers or batching or storage adapters. ## Why use Event Hubs? Data is valuable only when there's an easy way to process and get timely insights from data sources. Event Hubs provides a distributed stream processing platform with low latency and seamless integration, with data and analytics services inside and outside Azure to build your complete big data pipeline. -Event Hubs represents the "front door" for an event pipeline, often called an *event ingestor* in solution architectures. An event ingestor is a component or service that sits between event publishers and event consumers to decouple the production of an event stream from the consumption of those events. Event Hubs provides a unified streaming platform with time retention buffer, decoupling event producers from event consumers. -+Event Hubs represents the "front door" for an event pipeline, often called an **event ingestor** in solution architectures. An event ingestor is a component or service that sits between event publishers and event consumers to decouple the production of an event stream from the consumption of those events. Event Hubs provides a unified streaming platform with time retention buffer, decoupling event producers from event consumers. The following sections describe key features of the Azure Event Hubs service: Ingest, buffer, store, and process your stream in real time to get actionable in With Event Hubs, you can start with data streams in megabytes, and grow to gigabytes or terabytes. The [Auto-inflate](event-hubs-auto-inflate.md) feature is one of the many options available to scale the number of throughput units or processing units to meet your usage needs. ## Rich ecosystem--With a broad ecosystem based on the industry-standard AMQP 1.0 protocol and available in various languages [.NET](https://github.com/Azure/azure-sdk-for-net/), [Java](https://github.com/Azure/azure-sdk-for-java/), [Python](https://github.com/Azure/azure-sdk-for-python/), [JavaScript](https://github.com/Azure/azure-sdk-for-js/), you can easily start processing your streams from Event Hubs. All supported client languages provide low-level integration. The ecosystem also provides you with seamless integration with Azure services like Azure Stream Analytics and Azure Functions and thus enables you to build serverless architectures. +With a broad ecosystem available for the industry-standard AMQP 1.0 protocol and SDKs available in various languages: [.NET](https://github.com/Azure/azure-sdk-for-net/), [Java](https://github.com/Azure/azure-sdk-for-java/), [Python](https://github.com/Azure/azure-sdk-for-python/), [JavaScript](https://github.com/Azure/azure-sdk-for-js/), you can easily start processing your streams from Event Hubs. All supported client languages provide low-level integration. The ecosystem also provides you with seamless integration with Azure services like Azure Stream Analytics and Azure Functions and thus enables you to build serverless architectures. ## Event Hubs for Apache Kafka [Event Hubs for Apache Kafka ecosystems](azure-event-hubs-kafka-overview.md) furthermore enables [Apache Kafka (1.0 and later)](https://kafka.apache.org/) clients and applications to talk to Event Hubs. You don't need to set up, configure, and manage your own Kafka and Zookeeper clusters or use some Kafka-as-a-Service offering not native to Azure. Event Hubs **premium** caters to high-end streaming needs that require superior Event Hubs **dedicated** tier offers single-tenant deployments for customers with the most demanding streaming needs. This single-tenant offering has a guaranteed 99.99% SLA and is available only on our dedicated pricing tier. An Event Hubs cluster can ingress millions of events per second with guaranteed capacity and subsecond latency. Namespaces and event hubs created within the dedicated cluster include all features of the premium offering and more. For more information, see [Event Hubs Dedicated](event-hubs-dedicated-overview.md). -See [comparison between Event Hubs tiers](event-hubs-quotas.md) for more details. +For more information, see [comparison between Event Hubs tiers](event-hubs-quotas.md). ## Event Hubs on Azure Stack Hub-Event Hubs on Azure Stack Hub allows you to realize hybrid cloud scenarios. Streaming and event-based solutions are supported, for both on-premises and Azure cloud processing. Whether your scenario is hybrid (connected), or disconnected, your solution can support processing of events/streams at large scale. Your scenario is only bound by the Event Hubs cluster size, which you can provision according to your needs. +The Event Hubs service on Azure Stack Hub allows you to realize hybrid cloud scenarios. Streaming and event-based solutions are supported for both on-premises and Azure cloud processing. Whether your scenario is hybrid (connected), or disconnected, your solution can support processing of events/streams at large scale. Your scenario is only bound by the Event Hubs cluster size, which you can provision according to your needs. The Event Hubs editions (on Azure Stack Hub and on Azure) offer a high degree of feature parity. This parity means SDKs, samples, PowerShell, CLI, and portals offer a similar experience, with few differences. For more information, see [Event Hubs on Azure Stack Hub overview](/azure-stack/user/event-hubs-overview). ## Key architecture components-Event Hubs contains the following [key components](event-hubs-features.md): +Event Hubs contains the following key components. -- **Event producers**: Any entity that sends data to an event hub. Event publishers can publish events using HTTPS or AMQP 1.0 or Apache Kafka (1.0 and above)-- **Partitions**: Each consumer only reads a specific subset, or partition, of the message stream.-- **Consumer groups**: A view (state, position, or offset) of an entire event hub. Consumer groups enable consuming applications to each have a separate view of the event stream. They read the stream independently at their own pace and with their own offsets.-- [Throughput units (standard tier)](event-hubs-scalability.md#throughput-units) or [processing units (premium tier)](event-hubs-scalability.md#processing-units) or [capacity units (dedicated)](event-hubs-dedicated-overview.md) : Pre-purchased units of capacity that control the throughput capacity of Event Hubs.-- **Event receivers**: Any entity that reads event data from an event hub. All Event Hubs consumers connect via the AMQP 1.0 session. The Event Hubs service delivers events through a session as they become available. All Kafka consumers connect via the Kafka protocol 1.0 and later.+| Component | Description | +| | -- | +| Event producers | Any entity that sends data to an event hub. Event publishers can publish events using HTTPS or AMQP 1.0 or Apache Kafka (1.0 and above). | +| Partitions | Each consumer only reads a specific subset, or a partition, of the message stream. | +| Consumer groups | A view (state, position, or offset) of an entire event hub. Consumer groups enable consuming applications to each have a separate view of the event stream. They read the stream independently at their own pace and with their own offsets. | +| Event receivers | Any entity that reads event data from an event hub. All Event Hubs consumers connect via the AMQP 1.0 session. The Event Hubs service delivers events through a session as they become available. All Kafka consumers connect via the Kafka protocol 1.0 and later. | +| [Throughput units (standard tier)](event-hubs-scalability.md#throughput-units) or [processing units (premium tier)](event-hubs-scalability.md#processing-units) or [capacity units (dedicated)](event-hubs-dedicated-overview.md) | Pre-purchased units of capacity that control the throughput capacity of Event Hubs. | The following figure shows the Event Hubs stream processing architecture:-  +> [!NOTE] +> For more information, see [Event Hubs features or components](event-hubs-features.md). + ## Next steps |
event-hubs | Event Hubs Kafka Spark Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-kafka-spark-tutorial.md | Title: Connect with your Apache Spark app - Azure Event Hubs | Microsoft Docs description: This article provides information on how to use Apache Spark with Azure Event Hubs for Kafka. Previously updated : 09/28/2021 Last updated : 03/09/2023 ms.devlang: scala val df_write = df.writeStream .start() ``` +If you receive an error similar to the following error, add `.option("spark.streaming.kafka.allowNonConsecutiveOffsets", "true")` to the `spark.readStream` call and try again. ++```bash +IllegalArgumentException: requirement failed: Got wrong record for <spark job name> even after seeking to offset 4216 got offset 4217 instead. If this is a compacted topic, consider enabling spark.streaming.kafka.allowNonConsecutiveOffsets +``` + ## Write to Event Hubs for Kafka You can also write to Event Hubs the same way you write to Kafka. Don't forget to update your configuration to change **BOOTSTRAP_SERVERS** and **EH_SASL** with information from your Event Hubs namespace. For the full sample code, see sparkProducer.scala file on the GitHub. |
external-attack-surface-management | Deploying The Defender Easm Azure Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/external-attack-surface-management/deploying-the-defender-easm-azure-resource.md | Before you create a Defender EASM resource group, we recommend that you are fami After you create a resource group, you can create EASM resources within the group by searching for EASM within the Azure portal. -1. Select ΓÇ£Create a resourceΓÇ¥ in the Azure portal. + +1. In the search box, type **Microsoft Defender EASM**, and then press Enter. -  --2. In the search box, type **Microsoft Defender EASM**, and then press Enter. --3. Select the **Create** button to create an EASM resource. +2. Select the **Create** button to create an EASM resource.  -4. Select or enter the following property values: +3. Select or enter the following property values: - **Subscription**: Select an Azure subscription. - **Resource Group**: Select the Resource Group created in the earlier step, or you can create a new one as part of the process of creating this resource. After you create a resource group, you can create EASM resources within the grou  -5. Select **Review + Create**. +4. Select **Review + Create**. -6. Review the values, and then select **Create**. +5. Review the values, and then select **Create**. -7. Select **Refresh** to see the status of the resource creation. Once finished, you can go to the Resource to get started. +6. Select **Refresh** to see the status of the resource creation. Once finished, you can go to the Resource to get started. ## Next steps |
frontdoor | Front Door Wildcard Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-wildcard-domain.md | When configuring a routing rule, you can select a wildcard domain as a front-end ## Next steps ++- Learn how to [create an Azure Front Door profile](create-front-door-portal.md). +- Learn how to [add a custom domain](standard-premium/how-to-add-custom-domain.md) to your Azure Front Door. +- Learn how to [enable HTTPS on a custom domain](standard-premium/how-to-configure-https-custom-domain.md). +++ - Learn how to [create an Azure Front Door profile](quickstart-create-front-door.md). - Learn how to [add a custom domain](front-door-custom-domain.md) to your Azure Front Door. - Learn how to [enable HTTPS on a custom domain](front-door-custom-domain-https.md).+ |
healthcare-apis | Convert Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/convert-data.md | Title: Data conversion for Azure API for FHIR description: Use the $convert-data endpoint and customize-converter templates to convert data in Azure API for FHIR. -+ Previously updated : 06/03/2022- Last updated : 03/09/2023+ # Converting your data to FHIR for Azure API for FHIR Currently the `$convert-data` custom endpoint supports `four` types of data conv |C-CDA | FHIR | |HL7v2 | FHIR| |JSON | FHIR|-|FHIR STU3 | FHIR R4 **(new!)**| +|FHIR STU3 | FHIR R4 | > [!NOTE] $convert-data takes a [Parameter](http://hl7.org/fhir/parameters.html) resource | -- | -- | -- | | inputData | Data to be converted. | For `Hl7v2`: string <br> For `Ccda`: XML <br> For `Json`: JSON <br> For `FHIR STU3`: JSON| | inputDataType | Data type of input. | ```HL7v2```, ``Ccda``, ``Json``, ``Fhir``|-| templateCollectionReference | Reference to an [OCI image ](https://github.com/opencontainers/image-spec) template collection on [Azure Container Registry (ACR)](https://azure.microsoft.com/services/container-registry/). It's the image containing Liquid templates to use for conversion. It can be a reference either to the default templates or a custom template image that is registered within the FHIR service. See below to learn about customizing the templates, hosting those on ACR, and registering to the FHIR service. | For ***default/sample*** templates: <br> **HL7v2** templates: <br>```microsofthealth/fhirconverter:default``` <br>``microsofthealth/hl7v2templates:default``<br> **C-CDA** templates: <br> ``microsofthealth/ccdatemplates:default`` <br> **JSON** templates: <br> ``microsofthealth/jsontemplates:default`` <br> **FHIR-STU3** templates: <br> ``microsofthealth/stu3tor4templates:default`` <br><br> For ***custom*** templates: <br> \<RegistryServer\>/\<imageName\>@\<imageDigest\>, \<RegistryServer\>/\<imageName\>:\<imageTag\> | -| rootTemplate | The root template to use while transforming the data. | For **HL7v2**:<br> "ADT_A01", "ADT_A02", "ADT_A03", "ADT_A04", "ADT_A05", "ADT_A08", "ADT_A11", "ADT_A13", "ADT_A14", "ADT_A15", "ADT_A16", "ADT_A25", "ADT_A26", "ADT_A27", "ADT_A28", "ADT_A29", "ADT_A31", "ADT_A47", "ADT_A60", "OML_O21", "ORU_R01", "ORM_O01", "VXU_V04", "SIU_S12", "SIU_S13", "SIU_S14", "SIU_S15", "SIU_S16", "SIU_S17", "SIU_S26", "MDM_T01", "MDM_T02"<br><br> For **C-CDA**:<br> "CCD", "ConsultationNote", "DischargeSummary", "HistoryandPhysical", "OperativeNote", "ProcedureNote", "ProgressNote", "ReferralNote", "TransferSummary" <br><br> For **JSON**: <br> "ExamplePatient", "Stu3ChargeItem" <br><br> **For FHIR STU3 to R4**": <br>Name of the root template that is the same as the STU3 resource name e.g., "Patient", "Observation", "Organization". | +| templateCollectionReference | Reference to an [OCI image ](https://github.com/opencontainers/image-spec) template collection on [Azure Container Registry (ACR)](https://azure.microsoft.com/services/container-registry/). It's the image containing Liquid templates to use for conversion. It can be a reference either to the default templates or a custom template image that is registered within the FHIR service. See below to learn about customizing the templates, hosting those on ACR, and registering to the FHIR service. | For ***default/sample*** templates: <br> **HL7v2** templates: <br>```microsofthealth/fhirconverter:default``` <br>``microsofthealth/hl7v2templates:default``<br> **C-CDA** templates: <br> ``microsofthealth/ccdatemplates:default`` <br> **JSON** templates: <br> ``microsofthealth/jsontemplates:default`` <br> **FHIR STU3** templates: <br> ``microsofthealth/stu3tor4templates:default`` <br><br> For ***custom*** templates: <br> \<RegistryServer\>/\<imageName\>@\<imageDigest\>, \<RegistryServer\>/\<imageName\>:\<imageTag\> | +| rootTemplate | The root template to use while transforming the data. | For **HL7v2**:<br> "ADT_A01", "ADT_A02", "ADT_A03", "ADT_A04", "ADT_A05", "ADT_A08", "ADT_A11", "ADT_A13", "ADT_A14", "ADT_A15", "ADT_A16", "ADT_A25", "ADT_A26", "ADT_A27", "ADT_A28", "ADT_A29", "ADT_A31", "ADT_A47", "ADT_A60", "OML_O21", "ORU_R01", "ORM_O01", "VXU_V04", "SIU_S12", "SIU_S13", "SIU_S14", "SIU_S15", "SIU_S16", "SIU_S17", "SIU_S26", "MDM_T01", "MDM_T02"<br><br> For **C-CDA**:<br> "CCD", "ConsultationNote", "DischargeSummary", "HistoryandPhysical", "OperativeNote", "ProcedureNote", "ProgressNote", "ReferralNote", "TransferSummary" <br><br> For **JSON**: <br> "ExamplePatient", "Stu3ChargeItem" <br><br> **FHIR STU3**": <br> STU3 Resource Name e.g., "Patient", "Observation", "Organization". | ++> [!NOTE] +> FHIR STU3 to R4 templates are "diff" Liquid templates that provide mappings of field differences only between STU3 resource and its equivalent resource in FHIR R4 standard.Some of the STU3 resources are renamed or removed from R4. Please refer to [Resource differences and constraints for STU3 to R4 conversion](https://github.com/microsoft/FHIR-Converter/blob/main/docs/Stu3R4-resources-differences.md). > [!NOTE] > JSON templates are sample templates for use, not "default" templates that adhere to any pre-defined JSON message types. JSON doesn't have any standardized message types, unlike HL7v2 messages or C-CDA documents. Therefore, instead of default templates we provide you with some sample templates that you can use as a starting guide for your own customized templates. $convert-data takes a [Parameter](http://hl7.org/fhir/parameters.html) resource You can use the [FHIR Converter extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-health-fhir-converter) for Visual Studio Code to customize the templates as per your needs. The extension provides an interactive editing experience, and makes it easy to download Microsoft-published templates and sample data. Refer to the documentation in the extension for more details. +> [!NOTE] +> FHIR Converter extension for Visual Studio Code is available for HL7v2, C-CDA and JSON Liquid templates. FHIR STU3 to R4 Liquid templates are currently not supported. + ## Host and use templates It's recommended that you host your own copy of templates on ACR. There are four steps involved in hosting your own copy of templates and using those in the $convert-data operation: In the table below, you'll find the IP address for the Azure region where the Az |**Azure Region** |**Public IP Address** | |:-|:-|-| Australia East | 20.53.44.80 | -| Canada Central | 20.48.192.84 | -| Central US | 52.182.208.31 | -| East US | 20.62.128.148 | -| East US 2 | 20.49.102.228 | -| East US 2 EUAP | 20.39.26.254 | -| Germany North | 51.116.51.33 | -| Germany West Central | 51.116.146.216 | -| Japan East | 20.191.160.26 | -| Korea Central | 20.41.69.51 | -| North Central US | 20.49.114.188 | -| North Europe | 52.146.131.52 | -| South Africa North | 102.133.220.197 | -| South Central US | 13.73.254.220 | -| Southeast Asia | 23.98.108.42 | -| Switzerland North | 51.107.60.95 | -| UK South | 51.104.30.170 | -| UK West | 51.137.164.94 | -| West Central US | 52.150.156.44 | -| West Europe | 20.61.98.66 | -| West US 2 | 40.64.135.77 | +| Australia East | 20.53.47.210 | +| Brazil South | 191.238.72.227 | +| Canada Central | 20.48.197.161 | +| Central India | 20.192.47.66 | +| East US | 20.62.134.242, 20.62.134.244, 20.62.134.245 | +| East US 2 | 20.62.60.115, 20.62.60.116, 20.62.60.117 | +| France Central | 51.138.211.19 | +| Germany North | 51.116.60.240 | +| Germany West Central | 20.52.88.224 | +| Japan East | 20.191.167.146 | +| Japan West | 20.189.228.225 | +| Korea Central | 20.194.75.193 | +| North Central US | 52.162.111.130, 20.51.0.209 | +| North Europe | 52.146.137.179 | +| Qatar Central | 20.21.36.225 | +| South Africa North | 102.133.220.199 | +| South Central US | 20.65.134.83 | +| Southeast Asia | 20.195.67.208 | +| Sweden Central | 51.12.28.100 | +| Switzerland North | 51.107.247.97 | +| UK South | 51.143.213.211 | +| UK West | 51.140.210.86 | +| West Central US | 13.71.199.119 | +| West Europe | 20.61.103.243, 20.61.103.244 | +| West US 2 | 20.51.13.80, 20.51.13.84, 20.51.13.85 | +| West US 3 | 20.150.245.165 | > [!NOTE] |
healthcare-apis | Convert Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/convert-data.md | Title: Convert your data to FHIR in Azure Health Data Services description: This article describes how to use the $convert-data endpoint and custom converter templates to convert data to FHIR in Azure Health Data Services. -+ Last updated 08/15/2022-+ The following table lists the IP addresses for the Azure regions where the FHIR | Azure region | Public IP address | |:-|:-|-| Australia East | 20.53.44.80 | -| Canada Central | 20.48.192.84 | -| Central US | 52.182.208.31 | -| East US | 20.62.128.148 | -| East US 2 | 20.49.102.228 | -| East US 2 EUAP | 20.39.26.254 | -| Germany North | 51.116.51.33 | -| Germany West Central | 51.116.146.216 | -| Japan East | 20.191.160.26 | -| Korea Central | 20.41.69.51 | -| North Central US | 20.49.114.188 | -| North Europe | 52.146.131.52 | -| South Africa North | 102.133.220.197 | -| South Central US | 13.73.254.220 | -| Southeast Asia | 23.98.108.42 | -| Switzerland North | 51.107.60.95 | -| UK South | 51.104.30.170 | -| UK West | 51.137.164.94 | -| West Central US | 52.150.156.44 | -| West Europe | 20.61.98.66 | -| West US 2 | 40.64.135.77 | +| Australia East | 20.53.47.210 | +| Brazil South | 191.238.72.227 | +| Canada Central | 20.48.197.161 | +| Central India | 20.192.47.66 | +| East US | 20.62.134.242, 20.62.134.244, 20.62.134.245 | +| East US 2 | 20.62.60.115, 20.62.60.116, 20.62.60.117 | +| France Central | 51.138.211.19 | +| Germany North | 51.116.60.240 | +| Germany West Central | 20.52.88.224 | +| Japan East | 20.191.167.146 | +| Japan West | 20.189.228.225 | +| Korea Central | 20.194.75.193 | +| North Central US | 52.162.111.130, 20.51.0.209 | +| North Europe | 52.146.137.179 | +| Qatar Central | 20.21.36.225 | +| South Africa North | 102.133.220.199 | +| South Central US | 20.65.134.83 | +| Southeast Asia | 20.195.67.208 | +| Sweden Central | 51.12.28.100 | +| Switzerland North | 51.107.247.97 | +| UK South | 51.143.213.211 | +| UK West | 51.140.210.86 | +| West Central US | 13.71.199.119 | +| West Europe | 20.61.103.243, 20.61.103.244 | +| West US 2 | 20.51.13.80, 20.51.13.84, 20.51.13.85 | +| West US 3 | 20.150.245.165 | > [!NOTE] > The preceding steps are similar to the configuration steps in [Configure export settings and set up a storage account](./configure-export-data.md). |
iot-edge | How To Configure Proxy Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-edge/how-to-configure-proxy-support.md | To configure the IoT Edge agent and IoT Edge hub modules, select **Runtime Setti Add the **https_proxy** environment variable to both the IoT Edge agent and IoT Edge hub module definitions. If you included the **UpstreamProtocol** environment variable in the config file on your IoT Edge device, add that to the IoT Edge agent module definition too. All other modules that you add to a deployment manifest follow the same pattern. Select **Apply** to save your changes. |
iot-edge | How To Create Iot Edge Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-edge/how-to-create-iot-edge-device.md | If you want more information about how to choose the right option for you, conti >[!NOTE] >The following table reflects the supported scenarios for IoT Edge version 1.4. -| | Linux containers on Linux hosts | -|--| -- | -| **Manual provisioning (single device)** | [X.509 certificates](how-to-provision-single-device-linux-x509.md)<br><br>[Symmetric keys](how-to-provision-single-device-linux-symmetric.md) | -| **Autoprovisioning (devices at scale)** | [X.509 certificates](how-to-provision-devices-at-scale-linux-x509.md)<br><br>[TPM](how-to-provision-devices-at-scale-linux-tpm.md)<br><br>[Symmetric keys](how-to-provision-devices-at-scale-linux-symmetric.md) | - | | Linux containers on Linux hosts | Linux containers on Windows hosts | |--| -- | - | | **Manual provisioning (single device)** | [X.509 certificates](how-to-provision-single-device-linux-x509.md)<br><br>[Symmetric keys](how-to-provision-single-device-linux-symmetric.md) | [X.509 certificates](how-to-provision-single-device-linux-on-windows-x509.md)<br><br>[Symmetric keys](how-to-provision-single-device-linux-on-windows-symmetric.md) | |
iot-hub-device-update | Device Update Agent Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/device-update-agent-provisioning.md | Follow these instructions to provision the Device Update agent on [IoT Edge enab 1. Install the Device Update image update agent. - We provide sample images in the [Assets here](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-an-sd-card-with-the-image). + We provide sample images in the [Assets here](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md). 1. Install the Device Update package update agent. Follow these instructions to provision the Device Update agent on [IoT Edge enab ```shell sudo nano /etc/adu/du-config.json ```- Change the connectionType to "AIS" for agents who will be using the IoT Identity Service for provisioning. The ConnectionData field must be a empty string. Please note that all values with the 'Place value here' tag must be set. See [Configuring a DU agent](./device-update-configuration-file.md#example-du-configjson-file-contents). + Change the connectionType to "AIS" for agents who will be using the IoT Identity Service for provisioning. The ConnectionData field must be an empty string. Please note that all values with the 'Place value here' tag must be set. See [Configuring a DU agent](./device-update-configuration-file.md#example-du-configjson-file-contents). 5. You are now ready to start the Device Update agent on your IoT device. Follow these instructions to provision the Device Update agent on your IoT Linux 2. Configure the IoT Identity Service by following the instructions in [Configuring the Azure IoT Identity Service](https://azure.github.io/iot-identity-service/configuration.html). -3. Finally install the Device Update agent. We provide sample images in [Assets here](https://github.com/Azure/iot-hub-device-update/releases), the swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board, and the .gz file is the update you would import through Device Update for IoT Hub. See example of [how to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-an-sd-card-with-the-image). +3. Finally install the Device Update agent. We provide sample images in [Assets here](https://github.com/Azure/iot-hub-device-update/releases), the swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board, and the .gz file is the update you would import through Device Update for IoT Hub. See example of [how to flash the image to your IoT Hub device](./device-update-raspberry-pi.md). 4. After you've installed the device update agent, you will need to edit the configuration file for Device Update by running the command below. ```shell sudo nano /etc/adu/du-config.json ```- Change the connectionType to "AIS" for agents who will be using the IoT Identity Service for provisioning. The ConnectionData field must be a empty string. Please note that all values with the 'Place value here' tag must be set. See [Configuring a DU agent](./device-update-configuration-file.md#example-du-configjson-file-contents). + Change the connectionType to "AIS" for agents who will be using the IoT Identity Service for provisioning. The ConnectionData field must be an empty string. Please note that all values with the 'Place value here' tag must be set. See [Configuring a DU agent](./device-update-configuration-file.md#example-du-configjson-file-contents). 5. You are now ready to start the Device Update agent on your IoT device. Follow these instructions to provision the Device Update agent on your IoT Linux The Device Update agent can also be configured without the IoT Identity service for testing or on constrained devices. Follow the below steps to provision the Device Update agent using a connection string (from the Module or Device). -1. We provide sample images in the [Assets here](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md#flash-an-sd-card-with-the-image). +1. We provide sample images in the [Assets here](https://github.com/Azure/iot-hub-device-update/releases) repository. The swUpdate file is the base image that you can flash onto a Raspberry Pi B3+ board. The .gz file is the update you would import through Device Update for IoT Hub. For an example, see [How to flash the image to your IoT Hub device](./device-update-raspberry-pi.md). 1. Log onto the machine or IoT Edge device/IoT device. The Device Update agent can also be configured without the IoT Identity service This section describes how to start and verify the Device Update agent as a module identity running successfully on your IoT device. -1. Log into the machine or device that has the Device Update agent installed. +1. Log in to the machine or device that has the Device Update agent installed. 1. Open a Terminal window, and enter the command below. This section describes how to start and verify the Device Update agent as a modu ## How to build and run Device Update Agent -You can also build and modify your own customer Device Update agent. --Follow the instructions to [build](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-build-agent-code.md) the Device Update Agent -from source. +You can also build and modify your own customer Device Update agent. Follow the instructions to [build](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-build-agent-code.md) the Device Update Agent from source. Once the agent is successfully building, it's time to [run](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-run-agent.md)-the agent. --Now, make the changes needed to incorporate the agent into your image. Look at how to +the agent. Now, make the changes needed to incorporate the agent into your image. Look at how to [modify](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-modify-the-agent-code.md) the Device Update Agent for guidance. - ## Troubleshooting guide If you run into issues, review the Device Update for IoT Hub [Troubleshooting Guide](troubleshoot-device-update.md) to help unblock any possible issues and collect necessary information to provide to Microsoft. If you run into issues, review the Device Update for IoT Hub [Troubleshooting Gu You can use the following tutorials for a simple demonstration of Device Update for IoT Hub: -- [Image Update: Getting Started with Raspberry Pi 3 B+ Reference Yocto Image](device-update-raspberry-pi.md) extensible via open source to build you own images for other architecture as needed.+- [Image Update: Getting Started with Raspberry Pi 3 B+ Reference Yocto Image](device-update-raspberry-pi.md) extensible via open source to build your own images for other architecture as needed. - [Package Update: Getting Started using Ubuntu Server 18.04 x64 Package agent](device-update-ubuntu-agent.md) |
iot-hub-device-update | Device Update Raspberry Pi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/device-update-raspberry-pi.md | Title: Device Update for IoT Hub tutorial using the Raspberry Pi 3 B+ reference Yocto image | Microsoft Docs description: Get started with Device Update for Azure IoT Hub by using the Raspberry Pi 3 B+ reference Yocto image.-- Previously updated : 1/26/2022++ Last updated : 3/8/2023 In this tutorial, you'll learn how to: > [!NOTE] > Image updates in this tutorial were validated on the Raspberry Pi B3 board. + ## Prerequisites If you haven't already done so, create a [Device Update account and instance](create-device-update-account.md) and configure an IoT hub.+Please note, this example requires an ethernet connection for the Raspberry Pi 3 B+ board. ++Download files in **Assets** on the [Device Update GitHub releases page](https://github.com/Azure/iot-hub-device-update/releases). The Tutorial_RaspberryPi.zip has all the required files for the tutorial. ++## Create a device or module in IoT Hub and get a connection string ++Now, add the device to IoT Hub. From within IoT Hub, a connection string is generated for the device. ++1. From the [Azure portal](https://portal.azure.com), navigate to your IoT hub. +1. On the left pane, select **Devices**. Then select **New**. +1. Under **Device ID**, enter a name for the device. Ensure that the **Autogenerate keys** checkbox is selected. +1. Select **Save**. On the **Devices** page, the device you created should be in the list. +1. Get the device connection string by using one of two options: ++ * Option 1: Use the Device Update agent with a module identity: On the same **Devices** page, select **Add Module Identity** at the top. Create a new Device Update module with the name **IoTHubDeviceUpdate**. Choose other options as they apply to your use case and then select **Save**. Select the newly created module. In the module view, select the **Copy** icon next to **Primary Connection String**. + * Option 2: Use the Device Update agent with the device identity: In the device view, select the **Copy** icon next to **Primary Connection String**. ++1. Paste the copied characters somewhere for later use in the following steps: ++ **This copied string is your device connection string**. + +## Set up Raspberry Pi -## Download the image +We provide base image and update files in **Assets** on the [Device Update GitHub releases page](https://github.com/Azure/iot-hub-device-update/releases). The Tutorial_RaspberryPi.zip has all the required files for the tutorial. +The .wic file is the base image that you can flash on to a Raspberry Pi 3 B+ board. The swUpdate(.swu) file, custom swupdate script and manifest are the update files you would import through Device Update for IoT Hub. -We provide sample images in **Assets** on the [Device Update GitHub releases page](https://github.com/Azure/iot-hub-device-update/releases). The .gz file is the base image that you can flash on to a Raspberry Pi 3 B+ board. The swUpdate file is the update you would import through Device Update for IoT Hub. +This base image uses a Yocto build(based on 3.4.4 release) with: +* SWUpdate which enables the dual partition update with DU +* Device Update agent -## Flash an SD card with the image +To learn more about the Yocto layers used, refer to [Device Update Yocto GitHub.](https://github.com/Azure/iot-hub-device-update-yocto). -Use your favorite OS flashing tool to install the Device Update base image (adu-base-image) on the SD card that will be used in the Raspberry Pi 3 B+ device. +You can use your favorite OS flashing tool to install the Device Update base image (adu-base-image) on the SD card that will be used in the Raspberry Pi 3 B+ device. Below are the instructions for using bmaptool to flash to the SD card. ### Use bmaptool to flash the SD card Device Update for Azure IoT Hub software is subject to the following license ter Read the license terms prior to using the agent. Your installation and use constitutes your acceptance of these terms. If you don't agree with the license terms, don't use the Device Update for IoT Hub agent. -## Create a device or module in IoT Hub and get a connection string --Now, add the device to IoT Hub. From within IoT Hub, a connection string is generated for the device. --1. From the [Azure portal](https://portal.azure.com), navigate to your IoT hub. -1. On the left pane, select **Devices**. Then select **New**. -1. Under **Device ID**, enter a name for the device. Ensure that the **Autogenerate keys** checkbox is selected. -1. Select **Save**. On the **Devices** page, the device you created should be in the list. -1. Get the device connection string by using one of two options: -- * Option 1: Use the Device Update agent with a module identity: On the same **Devices** page, select **Add Module Identity** at the top. Create a new Device Update module with the name **IoTHubDeviceUpdate**. Choose other options as they apply to your use case and then select **Save**. Select the newly created module. In the module view, select the **Copy** icon next to **Primary Connection String**. - * Option 2: Use the Device Update agent with the device identity: In the device view, select the **Copy** icon next to **Primary Connection String**. --1. Paste the copied characters somewhere for later use in the following steps: -- **This copied string is your device connection string**. --## Add a tag to your device --1. In the Azure portal, navigate to your IoT hub. -1. On the left pane, under **Devices**, find your IoT device and go to the device twin or module twin. -1. In the module twin of the Device Update agent module, delete any existing Device Update tag values by setting them to null. If you're using the device identity with the Device Update agent, make these changes on the device twin. -1. Add a new Device Update tag value, as shown: -- ```JSON - "tags": { - "ADUGroup": "<CustomTagValue>" - } - ``` - ## Prepare on-device configurations for Device Update for IoT Hub Two configuration files must be on the device so that Device Update for IoT Hub configures properly. The first file is the `du-config.json` file, which must exist at `/adu/du-config.json`. The second file is the `du-diagnostics-config.json` file, which must exist at `/adu/du-diagnostics-config.json`.--Here are two examples for the `du-config.json` and the `du-diagnostics-config.json` files: --### Example du-config.json --```JSON -{ - "schemaVersion": "1.0", - "aduShellTrustedUsers": [ - "adu", - "do" - ], - "manufacturer": "fabrikam", - "model": "vacuum", - "agents": [ - { - "name": "main", - "runas": "adu", - "connectionSource": { - "connectionType": "string", - "connectionData": "HostName=example-connection-string.azure-devices.net;DeviceId=example-device;SharedAccessKey=M5oK/rOP12aB5678YMWv5vFWHFGJFwE8YU6u0uTnrmU=" - }, - "manufacturer": "fabrikam", - "model": "vacuum" - } - ] -} -``` --### Example du-diagnostics-config.json --```JSON -{ - "logComponents":[ - { - "componentName":"adu", - "logPath":"/adu/logs/" - }, - { - "componentName":"do", - "logPath":"/var/log/deliveryoptimization-agent/" - } - ], - "maxKilobytesToUploadPerLogPath":50 -} -``` - ## Configure the Device Update agent on Raspberry Pi 1. Make sure that Raspberry Pi 3 is connected to the network.-1. Follow these instructions to add the configuration details: -- 1. First, SSH in to the machine by using the following command in the PowerShell window: +1. SSH into the Raspberry Pi 3 by using the following command in the PowerShell window: - ```shell - ssh raspberrypi3 -l root - ``` + ```shell + ssh raspberrypi3 -l root + ``` - 1. Create or open the `du-config.json` file for editing by using: +1. The DU configuration files (du-config.json and du-diagnostics-config.json) must be on the device so that Device Update for IoT Hub configures properly. + 1. To create or open the `du-config.json` file for editing by using: ```bash- nano /adu/du-config.json + nano /adu/du-config.json ``` - 1. After you run the command, you should see an open editor with the file. If you've never created the file, it will be empty. Now copy the preceding example du-config.json contents, and substitute the configurations required for your device. Then replace the example connection string with the one for the device you created in the preceding steps. - - 1. After you finish your changes, select `Ctrl+X` to exit the editor. Then enter `y` to save the changes. + 2. After you run the command, you should see an open editor with the file. If you've never created the file, it will be empty. Now copy the below du-config.json contents, and substitute the configurations required for your device. Then replace the example connection string with the one for the device you created in the preceding steps. ++ ### du-config.json ++ ```JSON + { + "schemaVersion": "1.0", + "aduShellTrustedUsers": [ + "adu", + "do" + ], + "manufacturer": "contoso", + "model": "virtual-vacuum-v2", + "agents": [ + { + "name": "main", + "runas": "adu", + "connectionSource": { + "connectionType": "string", + "connectionData": "HostName=example-connection-string.azure-devices.net;DeviceId=example-device;SharedAccessKey=M5oK/rOP12aB5678YMWv5vFWHFGJFwE8YU6u0uTnrmU=" + }, + "manufacturer": "contoso", + "model": "virtual-vacuum-v2" + } + ] + } + ``` - 1. Now you need to create the `du-diagnostics-config.json` file by using similar commands. Start by creating or opening the `du-diagnostics-config.json` file for editing by using: + 3. After you finish your changes, select `Ctrl+X` to exit the editor. Then enter `y` to save the changes. + +1. Now you need to create the `du-diagnostics-config.json` file by using similar commands. + 1. Start by creating or opening the `du-diagnostics-config.json` file for editing by using: ```bash- nano /adu/du-diagnostics-config.json + nano /adu/du-diagnostics-config.json ``` - 1. Copy the preceding example du-diagnostics-config.json contents, and substitute any configurations that differ from the default build. The example du-diagnostics-config.json file represents the default log locations for Device Update for IoT Hub. You only need to change these default values if your implementation differs. - 1. After you finish your changes, select `Ctrl+X` to exit the editor. Then enter `y` to save the changes. - 1. Use the following command to show the files located in the `/adu/` directory. You should see both of your configuration files.du-diagnostics-config.json files for editing by using: + 2. Copy the du-diagnostics-config.json contents provided below, and substitute any configurations that differ from the default build. The example du-diagnostics-config.json file represents the default log locations for Device Update for IoT Hub. You only need to change these default values if your implementation differs. ++ ### du-diagnostics-config.json ++ ```JSON + { + "logComponents":[ + { + "componentName":"adu", + "logPath":"/adu/logs/" + }, + { + "componentName":"do", + "logPath":"/var/log/deliveryoptimization-agent/" |