Updates from: 04/01/2021 03:10:26
Service | Microsoft Docs article | Related commit history on GitHub | Change details
active-directory-b2c | Azure Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/azure-monitor.md
The following diagram depicts the components you'll configure in your Azure AD a
![Resource group projection](./media/azure-monitor/resource-group-projection.png)
-During this deployment, you'll configure both your Azure AD B2C tenant and Azure AD tenant where the Log Analytics workspace will be hosted. The Azure AD B2C account should be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#limit-use-of-global-administrator) role on the Azure AD B2C tenant. The Azure AD account used to run the deployment must be assigned the [Owner](../role-based-access-control/built-in-roles.md#owner) role in the Azure AD subscription.It's also important to make sure you're signed in to the correct directory as you complete each step as described.
+During this deployment, you'll configure both your Azure AD B2C tenant and Azure AD tenant where the Log Analytics workspace will be hosted. The Azure AD B2C account should be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) role on the Azure AD B2C tenant. The Azure AD account used to run the deployment must be assigned the [Owner](../role-based-access-control/built-in-roles.md#owner) role in the Azure AD subscription.It's also important to make sure you're signed in to the correct directory as you complete each step as described.
## 1. Create or choose resource group
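Review bot: the rewritten line still carries the missing space in "subscription.It's also important"; fix that while this sentence is being touched. The anchor change from `#limit-use-of-global-administrator` to `#global-administrator` also drops the only pointer to limiting Global Administrator use, in a prerequisite that asks for Global Administrator on the B2C tenant plus Owner on the subscription; confirm the new anchor exists in permissions-reference.md and consider adding that these elevated roles are needed only for the deployment itself.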
active-directory-b2c | Custom Policy Reference Sso | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-policy-reference-sso.md
Azure AD B2C has defined a number of SSO session providers that can be used:
||| |[NoopSSOSessionProvider](#noopssosessionprovider) | None | |[DefaultSSOSessionProvider](#defaultssosessionprovider) | Azure AD B2C internal session manager. |
-|[ExternalLoginSSOSessionProvider](#externalloginssosessionprovider) | Between Azure AD B2C and OAuth1, OAuth2, or OpenId Connect identity provider. | |
+|[ExternalLoginSSOSessionProvider](#externalloginssosessionprovider) | Between Azure AD B2C and OAuth1, OAuth2, or OpenId Connect identity provider. |
|[OAuthSSOSessionProvider](#oauthssosessionprovider) | Between an OAuth2 or OpenId connect relying party application and Azure AD B2C. | |[SamlSSOSessionProvider](#samlssosessionprovider) | Between Azure AD B2C and SAML identity provider. And between a SAML service provider (relying party application) and Azure AD B2C. |
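Review bot: the stray trailing cell is correctly removed, but the header row above this table still carries no column names, so readers see two unlabelled columns. Since the second column consistently describes which two parties share the session (Azure AD B2C and an OAuth1/OAuth2/OpenID Connect provider, a relying party and Azure AD B2C, and so on), suggest adding a header such as `| Session provider | Session is shared between |` in the same change.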
active-directory-b2c | Data Residency | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/data-residency.md
Previously updated : 10/20/2020 Last updated : 03/31/2021
Region availability and data residency are two very different concepts that apply differently to Azure AD B2C from the rest of Azure. This article explains the differences between these two concepts, and compares how they apply to Azure versus Azure AD B2C.
-Azure AD B2C is **generally available worldwide** with the option for **data residency** in the **United States, Europe, or Asia Pacific**.
+Azure AD B2C is **generally available worldwide** with the option for **data residency** in the **United States, Europe, or Asia Pacific**. Azure AD B2C is in **public preview** in Australia.
[Region availability](#region-availability) refers to where a service is available for use.
Data resides in **Europe** for the following countries/regions:
Data resides in **Asia Pacific** for the following countries/regions:
-> Afghanistan (AF), Hong Kong SAR (HK), India (IN), Indonesia (ID), Japan (JP), Korea (KR), Malaysia (MY), Philippines (PH), Singapore (SG), Sri Lanka (LK), Taiwan (TW), and Thailand (TH).
+> Afghanistan (AF), Hong Kong SAR (HK), India (IN), Indonesia (ID), Japan (JP), Korea (KR), Malaysia (MY), Philippines (PH), Singapore (SG), Sri Lanka (LK), Taiwan (TW), and Thailand (TH)
+
+Data resides in **Australia** (Preview) for the following countries/regions:
+
+> Australia and New Zealand
The following countries/regions are in the process of being added to the list. For now, you can still use Azure AD B2C by picking any of the countries/regions above.
-> Argentina, Australia, Brazil, Chile, Colombia, Ecuador, Iraq, New Zealand, Paraguay, Peru, Uruguay, and Venezuela.
+> Argentina, Brazil, Chile, Colombia, Ecuador, Iraq, Paraguay, Peru, Uruguay, and Venezuela
## Remote profile solution
With Azure AD B2C [custom policies](custom-policy-overview.md), you can integrat
After sign-up, profile editing, or sign-in is complete, Azure AD B2C includes the user profile in the access token that is returned to the application. For more information, see the [Azure AD B2C Remote profile sample solution](https://github.com/azure-ad-b2c/samples/tree/master/policies/remote-profile) in GitHub.
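Review bot: the new Australia block is inconsistent with the lists beside it: the other regions list countries with ISO codes ("Hong Kong SAR (HK), India (IN), ..."), whereas the added line reads only "Australia and New Zealand"; add "(AU)" and "(NZ)". The opening sentence still says data residency is available "in the United States, Europe, or Asia Pacific" and only appends Australia as public preview in a second sentence, so a reader scanning the bold list misses it; fold "Australia (preview)" into the list. Because this is a data-residency commitment, the preview sentence should also link the preview terms or state whether the residency guarantee applies while the region is in preview.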
-## Preview tenant
-
-If you had created a B2C tenant during Azure AD B2C's preview period, it's likely that your **Tenant type** says **Preview tenant**.
-
-If this is the case, you must use your tenant ONLY for development and testing purposes. DO NOT use a preview tenant for production applications.
-
-**There is no migration path** from a preview B2C tenant to a production-scale B2C tenant. You must create a new B2C tenant for your production applications.
-
-There are known issues when you delete a preview B2C tenant and create a production-scale B2C tenant with the same domain name. *You must create a production-scale B2C tenant with a different domain name*.
-
-![Screenshot of a tenant type, as preview tenant.](./media/data-residency/preview-b2c-tenant.png)
- ## Next steps - [Create an Azure AD B2C tenant](tutorial-create-tenant.md).
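Review bot: deleting the "Preview tenant" section removes three operational warnings with no replacement: preview tenants are for development and testing only, there is no migration path to a production-scale tenant, and recreating a tenant with the same domain name hits known issues. If preview tenants can still exist, keep those warnings (the "Tenant type" screenshot can go) or move them to the tutorial-create-tenant.md page that the Next steps link points to; if all preview tenants have been retired, say so in the commit message so the removal is auditable.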
active-directory | Concept Authentication Oath Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-oath-tokens.md
Previously updated : 03/26/2021 Last updated : 03/31/2021
Depending on the size of the CSV file, it may take a few minutes to process. Sel
Once any errors have been addressed, the administrator then can activate each key by selecting **Activate** for the token and entering the OTP displayed on the token. You can activate a maximum of 200 OATH tokens every 5 minutes.
-Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time.
+Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time. Hardware OATH tokens cannot be assigned to guest users in the resource tenant.
## Next steps
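Review bot: the new sentence "Hardware OATH tokens cannot be assigned to guest users in the resource tenant" is appended to a paragraph about the five-method limit, where it reads as part of that limit; make it its own note. It should also say what a guest should do instead (for example, whether the token has to be registered in the guest's home tenant), because the CSV upload and Activate steps above give no hint of the restriction.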
active-directory | Tutorial Enable Sspr | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/tutorial-enable-sspr.md
Title: Enable Azure Active Directory self-service password reset description: In this tutorial, you learn how to enable Azure Active Directory self-service password reset for a group of users and test the password reset process.- Previously updated : 03/23/2021- Last updated : 03/25/2021 - - # Customer intent: As an Azure AD Administrator, I want to learn how to enable and use self-service password reset so that my end-users can unlock their accounts or reset their passwords through a web browser. + # Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset
-Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application. Here's a video on [How to configure and enable self-service password reset in your tenant](https://www.youtube.com/watch?v=rA8TvhNcCvQ) (**Recommended**). We also have a video for IT administrators on [resolving the six most common end-user error messages with SSPR](https://www.youtube.com/watch?v=9RPrNVLzT8I).
+Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If Azure AD locks a user's account or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application. We recommend this video on [How to enable and configure SSPR in Azure AD](https://www.youtube.com/watch?v=rA8TvhNcCvQ). We also have a video for IT administrators on [resolving the six most common end-user error messages with SSPR](https://www.youtube.com/watch?v=9RPrNVLzT8I).
> [!IMPORTANT]
-> This tutorial shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://aka.ms/sspr.
+> This tutorial shows an administrator how to enable self-service password reset. If you're an end user already registered for self-service password reset and need to get back into your account, go to the [Microsoft Online password reset](https://passwordreset.microsoftonline.com/) page.
> > If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.
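Review bot: "If Azure AD locks a user's account" in the rewritten opening narrows the original "If a user's account is locked" in a way that changes the meaning: the unlock flow this series builds toward depends on on-premises password writeback (see the Clean up resources section), so the lockout being cleared is not necessarily one Azure AD applied. Keep the original wording or say "If a user's account is locked out". Replacing the aka.ms short link with the explicit https://passwordreset.microsoftonline.com/ URL is good; do the same for the two aka.ms links in the Test section.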
In this tutorial you learn how to:
> [!div class="checklist"] > * Enable self-service password reset for a group of Azure AD users
-> * Configure authentication methods and registration options
+> * Set up authentication methods and registration options
> * Test the SSPR process as a user ## Prerequisites
-To complete this tutorial, you need the following resources and privileges:
+To finish this tutorial, you need the following resources and privileges:
-* A working Azure AD tenant with at least an Azure AD Free or trial license enabled. In the Free tier, SSPR only works for cloud users in Azure AD.
- * For later tutorials in this series, an Azure AD Premium P1 or trial license is required for on-premises password writeback.
- * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* A working Azure AD tenant with at least an Azure AD free or trial license enabled. In the Free tier, SSPR only works for cloud users in Azure AD.
+ * For later tutorials in this series, you'll need an Azure AD Premium P1 or trial license for on-premises password writeback.
+ * If needed, [create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
* An account with *Global Administrator* privileges.
-* A non-administrator user with a password you know, such as *testuser*. You test the end-user SSPR experience using this account in this tutorial.
+* A non-administrator user with a password you know, like *testuser*. You'll test the end-user SSPR experience using this account in this tutorial.
* If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
-* A group that the non-administrator user is a member of, such as *SSPR-Test-Group*. You enable SSPR for this group in this tutorial.
- * If you need to create a group, see how to [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
+* A group that the non-administrator user is a member of, likes *SSPR-Test-Group*. You'll enable SSPR for this group in this tutorial.
+ * If you need to create a group, see [Create a basic group and add members using Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
## Enable self-service password reset
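Review bot: typo introduced in the prerequisites: "likes *SSPR-Test-Group*" should be "like *SSPR-Test-Group*". In the same bullet, "Azure AD free or trial license" now disagrees with "Free tier" in the next sentence; pick one capitalisation.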
-Azure AD lets you enable SSPR for *None*, *Selected*, or *All* users. This granular ability lets you choose a subset of users to test the SSPR registration process and workflow. When you're comfortable with the process and can communicate the requirements with a broader set of users, you can select a group of users to enable for SSPR. Or, you can enable SSPR for everyone in the Azure AD tenant.
+Azure AD lets you enable SSPR for *None*, *Selected*, or *All* users. This granular ability lets you choose a subset of users to test the SSPR registration process and workflow. When you're comfortable with the process and the time is right to communicate the requirements with a broader set of users, you can select a group of users to enable for SSPR. Or, you can enable SSPR for everyone in the Azure AD tenant.
> [!NOTE]
->
-> Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. There's currently no validation process of these licensing requirements.
+> Currently, you can only enable one Azure AD group for SSPR using the Azure portal. As part of a wider deployment of SSPR, Azure AD supports nested groups. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. There's currently no validation process of these licensing requirements.
-In this tutorial, configure SSPR for a set of users in a test group. In the following example, the group *SSPR-Test-Group* is used. Provide your own Azure AD group as needed:
+In this tutorial, set up SSPR for a set of users in a test group. Use the *SSPR-Test-Group* and provide your own Azure AD group as needed:
1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.
-1. Search for and select **Azure Active Directory**, then choose **Password reset** from the menu on the left-hand side.
-1. From the **Properties** page, under the option *Self service password reset enabled*, choose **Select group**
-1. Browse for and select your Azure AD group, such as *SSPR-Test-Group*, then choose *Select*.
+1. Search for and select **Azure Active Directory**, then select **Password reset** from the menu on the left side.
+1. From the **Properties** page, under the option *Self service password reset enabled*, select **Select group**
+1. Browse for and select your Azure AD group, like *SSPR-Test-Group*, then choose *Select*.
- [ ![Select a group in the Azure portal to enable for self-service password reset](media/tutorial-enable-sspr/enable-sspr-for-group-cropped.png) ](media/tutorial-enable-sspr/enable-sspr-for-group.png#lightbox)
+ [![Select a group in the Azure portal to enable for self-service password reset](media/tutorial-enable-sspr/enable-sspr-for-group-cropped.png)](media/tutorial-enable-sspr/enable-sspr-for-group.png#lightbox)
1. To enable SSPR for the select users, select **Save**. ## Select authentication methods and registration options
-When users need to unlock their account or reset their password, they're prompted for an additional confirmation method. This additional authentication factor makes sure that only approved SSPR events are completed. You can choose which authentication methods to allow, based on the registration information the user provides.
+When users need to unlock their account or reset their password, they're prompted for another confirmation method. This extra authentication factor makes sure that Azure AD finished only approved SSPR events. You can choose which authentication methods to allow, based on the registration information the user provides.
-1. On the **Authentication methods** page from the menu in the left-hand side, set the **Number of methods required to reset** to *1*.
+1. From the menu on the left side of the **Authentication methods** page, set the **Number of methods required to reset** to *1*.
To improve security, you can increase the number of authentication methods required for SSPR.
When users need to unlock their account or reset their password, they're prompte
* *Email* * *Mobile phone*
- Additional authentication methods, such as *Office phone* or *Security questions*, can be enabled as needed to fit your business requirements.
+ You can enable other authentication methods, like *Office phone* or *Security questions*, as needed to fit your business requirements.
1. To apply the authentication methods, select **Save**.
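Review bot: "makes sure that Azure AD finished only approved SSPR events" is ungrammatical and loses the security point; the extra factor is what stops someone who knows only the username from resetting the password, so say "ensures that only the account owner can complete an SSPR event". Also, "From the menu on the left side of the Authentication methods page, set the Number of methods required to reset" now reads as if the setting lives in a menu; the original meant "open Authentication methods from the left menu, then set ...".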
-Before users can unlock their account or reset a password, they must register their contact information. This contact information is used for the different authentication methods configured in the previous steps.
+Before users can unlock their account or reset a password, they must register their contact information. Azure AD uses this contact information for the different authentication methods set up in the previous steps.
+
+An administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves. In this tutorial, set up Azure AD to prompt the users for registration the next time they sign in.
-An administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves. In this tutorial, configure the users to be prompted for registration when they next sign in.
+1. From the menu on the left side of the **Registration** page, select *Yes* for **Require users to register when signing in**.
+1. Set **Number of days before users are asked to reconfirm their authentication information** to *180*.
-1. On the **Registration** page from the menu in the left-hand side, select *Yes* for **Require users to register when signing in**.
-1. It's important that contact information is kept up to date. If the contact information is outdated when an SSPR event is started, the user may not be able to unlock their account or reset their password.
+ It's important to keep the contact information up to date. If outdated contact information exists when an SSPR event starts, the user may not be able to unlock their account or reset their password.
- Set **Number of days before users are asked to reconfirm their authentication information** to *180*.
1. To apply the registration settings, select **Save**.
-## Configure notifications and customizations
+## Set up notifications and customizations
-To keep users informed about account activity, you can configure e-mail notifications to be sent when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides an additional layer of awareness when a privileged administrator account password is reset using SSPR. All global admins would be notified when SSPR is used on an admin account.
+To keep users informed about account activity, you can set up Azure AD to send email notifications when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides another layer of awareness when a privileged administrator account password is reset using SSPR. Azure AD will notify all global admins when someone uses SSPR on an admin account.
-1. On the **Notifications** page from the menu in the left-hand side, configure the following options:
+1. From the menu on the left side of the **Notifications** page, set up the following options:
* Set **Notify users on password resets** option to *Yes*. * Set **Notify all admins when other admins reset their password** to *Yes*. 1. To apply the notification preferences, select **Save**.
-If users need additional help with the SSPR process, you can customize the link for "Contact your administrator". This link is used in the SSPR registration process and when a user unlocks their account or resets their password. To make sure your users get the support needed, it's highly recommended to provide a custom helpdesk email or URL.
+If users need more help with the SSPR process, you can customize the "Contact your administrator" link. The user can select this link in the SSPR registration process and when they unlock their account or resets their password. To make sure your users get the support needed, we highly recommend you provide a custom helpdesk email or URL.
-1. On the **Customization** page from the menu in the left-hand side, set *Customize helpdesk link* to **Yes**.
-1. In the **Custom helpdesk email or URL** field, provide an email address or web page URL where your users can get additional help from your organization, such as *`https://support.contoso.com/`*
+1. From the menu on the left side of the **Customization** page, set **Customize helpdesk link** to *Yes*.
+1. In the **Custom helpdesk email or URL** field, provide an email address or web page URL where your users can get more help from your organization, like *https:\//support.contoso.com/*
1. To apply the custom link, select **Save**. ## Test self-service password reset
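Review bot: grammar slip in the rewritten text: "when they unlock their account or resets their password" should read "reset". More importantly, the example URL changed from a code span to `*https:\//support.contoso.com/*`; the backslash is meant to stop auto-linking but renders literally as "https:\//" in many Markdown renderers. Use a code span or a plain link instead.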
-With SSPR enabled and configured, test the SSPR process with a user that's part of the group you selected in the previous section, such as *Test-SSPR-Group*. In the following example, the *testuser* account is used. Provide your own user account that's part of the group you enabled for SSPR in the first section of this tutorial.
+With SSPR enabled and set up, test the SSPR process with a user that's part of the group you selected in the previous section, like *Test-SSPR-Group*. The following example uses the *testuser* account. Provide your own user account. It's part of the group you enabled for SSPR in the first section of this tutorial.
> [!NOTE]
-> When you test self-service password reset, use a non-administrator account. By default, admins are enabled for self-service password reset and are required to use two authentication methods to reset their password. For more information, see [Administrator reset policy differences](concept-sspr-policy.md#administrator-reset-policy-differences).
+> When you test self-service password reset, use a non-administrator account. By default, Azure AD enables self-service password reset for admins. They're required to use two authentication methods to reset their password. For more information, see [Administrator reset policy differences](concept-sspr-policy.md#administrator-reset-policy-differences).
-1. To see the manual registration process, open a new browser window in InPrivate or incognito mode, and browse to [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup). Users should be directed to this registration portal when they next sign-in.
-1. Sign in with a non-administrator test user, such as *testuser*, and register your authentication methods contact information.
-1. Once complete, select the button marked **Looks good** and close the browser window.
-1. Open a new browser window in InPrivate or incognito mode, and browse to [https://aka.ms/sspr](https://aka.ms/sspr).
-1. Enter your non-administrator test users' account information, such as *testuser*, the characters from the CAPTCHA, and then select **Next**.
+1. To see the manual registration process, open a new browser window in InPrivate or incognito mode, and browse to *https:\//aka.ms/ssprsetup*. Azure AD will direct users to this registration portal when they sign in next time.
+1. Sign in with a non-administrator test user, like *testuser*, and register your authentication methods contact information.
+1. Once finished, select the button marked **Looks good** and close the browser window.
+1. Open a new browser window in InPrivate or incognito mode, and browse to *https:\//aka.ms/sspr*.
+1. Enter your non-administrator test users' account information, like *testuser*, the characters from the CAPTCHA, and then select **Next**.
![Enter user account information to reset the password](media/tutorial-enable-sspr/password-reset-page.png)
-1. Follow the verification steps to reset your password. When complete, you should receive an e-mail notification that your password was reset.
+1. Follow the verification steps to reset your password. When finished, you'll receive an email notification that your password was reset.
## Clean up resources
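Review bot: "Provide your own user account. It's part of the group you enabled for SSPR" turns a requirement into a statement; the test user must be a member of that group, so keep "Provide your own user account that's a member of the group you enabled for SSPR". The group is named *Test-SSPR-Group* here but *SSPR-Test-Group* everywhere else; this predates the change but should be fixed while the sentence is rewritten. The two test URLs are now written as escaped `https:\//aka.ms/ssprsetup` and `https:\//aka.ms/sspr` instead of links; the backslash renders literally in many Markdown renderers, so use code spans or plain links.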
-In a following tutorial in this series, you configure password writeback. This feature writes password changes from Azure AD SSPR back to an on-premises AD environment. If you want to continue with this tutorial series to configure password writeback, don't disable SSPR now.
+In a later tutorial in this series, you'll set up password writeback. This feature writes password changes from Azure AD SSPR back to an on-premises AD environment. If you want to continue with this tutorial series to set up password writeback, don't disable SSPR now.
-If you no longer want to use the SSPR functionality you have configured as part of this tutorial, set the SSPR status to **None** using the following steps:
+If you no longer want to use the SSPR functionality you have set up as part of this tutorial, set the SSPR status to **None** using the following steps:
1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for and select **Azure Active Directory**, then choose **Password reset** from the menu on the left-hand side.
-1. From the **Properties** page, under the option *Self service password reset enabled*, choose **None**.
+1. Search for and select **Azure Active Directory**, then select **Password reset** from the menu on the left side.
+1. From the **Properties** page, under the option *Self service password reset enabled*, select **None**.
1. To apply the SSPR change, select **Save**. ## FAQs
In this tutorial, you enabled Azure AD self-service password reset for a selecte
> [!div class="checklist"] > * Enable self-service password reset for a group of Azure AD users
-> * Configure authentication methods and registration options
+> * Set up authentication methods and registration options
> * Test the SSPR process as a user > [!div class="nextstepaction"]
active-directory | Active Directory Devhowto Adal Error Handling | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/azuread-dev/active-directory-devhowto-adal-error-handling.md
In cases of failure, an application can present UI to allow the end user to perf
Error handling in native applications can be defined by two cases:
-| | |
+| Case | Description |
||-| | **Case 1**:<br>Non-Retryable Error (most cases) | 1. Do not attempt immediate retry. Present the end-user UI based on the specific error that invokes a retry (for example, "Try to Sign in again" or "Download Azure AD broker application"). | | **Case 2**:<br>Retryable Error | 1. Perform a single retry as the end user may have entered a state that results in a success.<br><br>2. If retry fails, present the end-user UI based on the specific error that invokes a retry ("Try to Sign in again", "Download Azure AD broker app", etc.). |
If you're building a single-page application using adal.js with AcquireToken, th
A failed AcquireToken has the following cases:
-| | |
+| Case | Description |
||-| | **Case 1**:<br>Resolvable with an interactive request | 1. If login() fails, do not perform immediate retry. Only retry after user action prompts a retry.| | **Case 2**:<br>Not Resolvable with an interactive request. Error is retryable. | 1. Perform a single retry as the end user major have entered a state that results in a success.<br><br>2. If retry fails, present the end user with an action based on the specific error that can invoke a retry ("Try to Sign in again"). |
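Review bot: the new "Case | Description" header is the right fix for the unlabelled tables, but the second table still says "as the end user major have entered a state" (should be "may have"); fix the typo in the same change. Both tables also prescribe "a single retry" for retryable errors without saying anything about waiting first; consider "a single retry after a short delay" so clients don't hammer the endpoint.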
active-directory | Sample V1 Code | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/azuread-dev/sample-v1-code.md
The following samples illustrate Web applications signing users. Some of these a
The following samples show how to implement role-based access control (RBAC). RBAC is used to restrict the permissions of certain features in a web application to certain users. The users are authorized depending on whether they belong to an **Azure AD group** or have a given application **role**.
-| Platform | Sample |
-|--|--|
+| Platform | Sample | Description |
+|--|--|--|
| ![This image shows the ASP.NET Framework logo](media/sample-v2-code/logo-netframework.png)</p> ASP.NET 4.5 | [dotnet-webapp-groupclaims](https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims) </p> [dotnet-webapp-roleclaims](https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims) | A .NET 4.5 MVC web app that uses Azure AD **roles** for authorization | ## Desktop and mobile public client applications calling Microsoft Graph or a Web API
For samples and tutorials that demonstrate different usage patterns for the Micr
- [Azure Active Directory Developer's Guide](v1-overview.md) - [Azure Active Directory Authentication libraries](active-directory-authentication-libraries.md)-- [Microsoft Graph API conceptual and reference](/graph/use-the-api)
+- [Microsoft Graph API conceptual and reference](/graph/use-the-api)
active-directory | Reference Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-error-codes.md
The following is a list of error codes and their description
|HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus is not able to send a message to the agent. Could be an outage in service bus, or the agent is not responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| |AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Azure Active Directory is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Azure Active Directory is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.| |AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Azure AD Connect Cloud Sync. You can repair the cloud service account by following the instructions at [here](./how-to-troubleshoot.md). If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} does not exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. 
It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.|
-|AzureActiveDirectoryExpiredCredentials|Error Message: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsExpired AADSTS50055: The password is expired. Trace ID: 989b1841-dbe5-49c9-ab6c-9aa25f7b0e00 Correlation ID: 1c69b196-1c3a-4381-9187-c84747807155 Timestamp: 2021-01-12 20:59:31Z | Response status code does not indicate success: 401 (Unauthorized).|AAD Sync service account credentials are expired.|You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988. If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Your administrative Azure Active Directory tenant credentials were exchanged for an OAuth token that has since expired."|
+|AzureActiveDirectoryExpiredCredentials|Error Message: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsExpired AADSTS50055: The password is expired. Trace ID: 989b1841-dbe5-49c9-ab6c-9aa25f7b0e00 Correlation ID: 1c69b196-1c3a-4381-9187-c84747807155 Timestamp: 2021-01-12 20:59:31Z | Response status code does not indicate success: 401 (Unauthorized).<br> AAD Sync service account credentials are expired.|You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988. If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Your administrative Azure Active Directory tenant credentials were exchanged for an OAuth token that has since expired."|
|AzureActiveDirectoryAuthenticationFailed|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.60b943e88f234db2b887f8cb91dee87c.707be0d2-c6a9-405d-a3b9-de87761dc3ac. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: UnexpectedError.|Unknown error.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| ## Next steps - [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
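Review bot: the rewritten AzureActiveDirectoryExpiredCredentials row (the `+` line) still ends its last cell with an unmatched closing quote, `...has since expired."|`, and there is no opening quote anywhere in that cell; either drop the `"` or quote the whole error fragment. Folding the orphaned "AAD Sync service account credentials are expired." cell into the description with `<br>` does bring the row back to the table's four columns, which is the right fix. One consistency point in the same row: the remediation cell links the repair guidance as a bare `https://go.microsoft.com/fwlink/?linkid=2150988`, while the AzureActiveDirectoryInvalidCredential row above uses the same "repair the cloud service account" sentence with a relative link (`./how-to-troubleshoot.md`); use the relative link with descriptive link text in both rows so the table does not mix styles.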
active-directory Active Directory Claims Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-claims-mapping.md
The ID element identifies which property on the source provides the value for th
| User | streetaddress | Street Address | | User | postalcode | Postal Code | | User | preferredlanguage | Preferred Language |
-| User | onpremisesuserprincipalname | On-premises UPN |*
+| User | onpremisesuserprincipalname | On-premises UPN |
| User | mailnickname | Mail Nickname | | User | extensionattribute1 | Extension Attribute 1 | | User | extensionattribute2 | Extension Attribute 2 |
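Review bot: before removing the trailing `*` after the `onpremisesuserprincipalname` row, confirm there is no footnote below the table keyed to that asterisk; if one exists it becomes orphaned and should be removed in the same change, and if the asterisk carried a caveat about when this attribute is populated, that caveat belongs in the row's description rather than being silently dropped.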
active-directory Howto Modify Supported Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-modify-supported-accounts.md
+
+ Title: "How to: Change the account types supported by an application | Azure"
+
+description: In this how-to, you configure an application registered with the Microsoft identity platform to change who, or what accounts, can access the application.
++++++++ Last updated : 11/15/2020+++
+# Customer intent: As an application developer, I need to know how to modify which account types can sign in to or access my application or API.
++
+# How to modify the accounts supported by an application
+
+When you registered your application with the Microsoft identity platform, you specified who--which account types--can access it. For example, you might've specified accounts only in your organization, which is a *single-tenant* app. Or, you might've specified accounts in any organization (including yours), which is a *multi-tenant* app.
+
+In the following sections, you learn how to modify your app's registration in the Azure portal to change who, or what types of accounts, can access the application.
+
+## Prerequisites
+
+* An [application registered in your Azure AD tenant](quickstart-register-app.md)
+
+## Change the application registration to support different accounts
+
+To specify a different setting for the account types supported by an existing app registration:
+
+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations**, then select your application.
+1. Now, specify who can use the application, sometimes referred to as the *sign-in audience*.
+
+ | Supported account types | Description |
+ |-|-|
+ | **Accounts in this organizational directory only** | Select this option if you're building an application for use only by users (or guests) in *your* tenant.<br><br>Often called a *line-of-business* (LOB) application, this is a **single-tenant** application in the Microsoft identity platform. |
+ | **Accounts in any organizational directory** | Select this option if you'd like users in *any* Azure AD tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations.<br><br>This is known as a **multi-tenant** application in the Microsoft identity platform. |
+1. Select **Save**.
+
+### Why changing to multi-tenant can fail
+
+Switching an app registration from single- to multi-tenant can sometimes fail due to Application ID URI (App ID URI) name collisions. An example App ID URI is `https://contoso.onmicrosoft.com/myapp`.
+
+The App ID URI is one of the ways an application is identified in protocol messages. For a single-tenant application, the App ID URI need only be unique within that tenant. For a multi-tenant application, it must be globally unique so Azure AD can find the app across all tenants. Global uniqueness is enforced by requiring that the App ID URI's host name matches one of the Azure AD tenant's [verified publisher domains](howto-configure-publisher-domain.md).
+
+For example, if the name of your tenant is *contoso.onmicrosoft.com*, then `https://contoso.onmicrosoft.com/myapp` is a valid App ID URI. If your tenant has a verified domain of *contoso.com*, then a valid App ID URI would also be `https://contoso.com/myapp`. If the App ID URI doesn't follow the second pattern, `https://contoso.com/myapp`, converting the app registration to multi-tenant fails.
+
+For more information about configuring a verified publisher domain, see [Configure a verified domain](howto-configure-publisher-domain.md).
+
+## Next steps
+
+Learn more about the requirements for [converting an app from single- to multi-tenant](howto-convert-app-to-be-multi-tenant.md).
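Review bot: the Supported account types table lists only two options ("Accounts in this organizational directory only" and "Accounts in any organizational directory"), yet the Windows desktop quickstart updated in this same batch still refers to "Accounts in any organizational directory and personal Microsoft accounts"; add rows for the personal-accounts option(s) or state explicitly why this how-to limits itself to the two. The App ID URI explanation also contradicts itself: after saying both `https://contoso.onmicrosoft.com/myapp` and `https://contoso.com/myapp` are valid, the sentence "If the App ID URI doesn't follow the second pattern, `https://contoso.com/myapp`, converting the app registration to multi-tenant fails" reads as if the onmicrosoft.com form fails. Reword it to the rule already given one paragraph earlier, that conversion fails when the URI's host name does not match one of the tenant's verified publisher domains. Minor: "who--which account types--can access it" uses double hyphens where commas or parentheses would be clearer.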
active-directory Howto Remove App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-remove-app.md
+
+ Title: "How to: Remove a registered app from the Microsoft identity platform | Azure"
+
+description: In this how-to, you learn how to remove an application registered with the Microsoft identity platform.
++++++++ Last updated : 11/15/2020+++
+#Customer intent: As an application developer, I want to know how to remove my application from the Microsoft identity registered.
++
+# How to remove an application registered with the Microsoft identity platform
+
+Enterprise developers and software-as-a-service (SaaS) providers who have registered applications with the Microsoft identity platform may need to remove an application's registration.
+
+In the following sections, you learn how to:
+
+* Remove an application authored by you or your organization
+* Remove an application authored by another organization
+
+## Prerequisites
+
+* An [application registered in your Azure AD tenant](quickstart-register-app.md)
+
+## Remove an application authored by you or your organization
+
+Applications that you or your organization have registered are represented by both an application object and service principal object in your tenant. For more information, see [Application Objects and Service Principal Objects](./app-objects-and-service-principals.md).
+
+> [!NOTE]
+> Deleting an application will also delete its service principal object in the application's home directory. For multi-tenant applications, service principal objects in other directories will not be deleted.
+
+To delete an application, be listed as an owner of the application or have admin privileges.
+
+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which the app is registered.
+1. Search and select the **Azure Active Directory**.
+1. Under **Manage**, select **App registrations** and select the application that you want to configure. Once you've selected the app, you'll see the application's **Overview** page.
+1. From the **Overview** page, select **Delete**.
+1. Read the deletion consequences. Check the box if one appears at the bottom of the pane.
+1. Select **Delete** to confirm that you want to delete the app.
+
+## Remove an application authored by another organization
+
+If you are viewing **App registrations** in the context of a tenant, a subset of the applications that appear under the **All apps** tab are from another tenant and were registered into your tenant during the consent process. More specifically, they are represented by only a service principal object in your tenant, with no corresponding application object. For more information on the differences between application and service principal objects, see [Application and service principal objects in Azure AD](./app-objects-and-service-principals.md).
+
+In order to remove an applicationΓÇÖs access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Admininstrator access, and can remove the application through the Azure portal or use the [Azure AD PowerShell Cmdlets](/previous-versions/azure/jj151815(v=azure.100)) to remove access.
+
+## Next steps
+
+Learn more about [application and service principal objects](app-objects-and-service-principals.md) in the Microsoft identity platform.
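Review bot: the new "Remove an application authored by another organization" paragraph ships a mojibake apostrophe, `applicationΓÇÖs`, and a typo, "Global Admininstrator"; save the file as UTF-8 and fix the spelling before merge. In the same paragraph the only scripted alternative offered is the previous-versions Azure AD PowerShell reference at `/previous-versions/azure/jj151815(v=azure.100)`; since this is the step that actually revokes a third-party app's access to the directory, point readers at current tooling for removing a service principal rather than a deprecated reference. Smaller fixes: the customer-intent comment reads "remove my application from the Microsoft identity registered" (the noun is missing), "To delete an application, be listed as an owner of the application or have admin privileges" should state the requirement ("you must be listed as an owner ... or have admin privileges"), and "Search and select the **Azure Active Directory**" has a stray "the".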
active-directory Howto Restore App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-restore-app.md
+
+ Title: "How to: Restore or remove a recently deleted application with the Microsoft identity platform | Azure"
+
+description: In this how-to, you learn how to restore or permanently delete a recently deleted application registered with the Microsoft identity platform.
++++++++ Last updated : 3/22/2021++
+#Customer intent: As an application developer, I want to know how to restore or permanently delete my recently deleted application from the Microsoft identity platform.
++
+# Restore or remove a recently deleted application with the Microsoft identity platform
+After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties. After that 30-day window passes, app registrations cannot be restored and the permanent deletion process may be automatically started. This functionality only applies to applications associated to a directory. It is not available for applications from a personal Microsoft account, which cannot be restored.
+
+You can view your deleted applications, restore a deleted application, or permanently delete an application using the App registrations experience under Azure Active Directory (Azure AD) in the Azure portal.
+
+Note that neither you nor Microsoft customer support can restore a permanently deleted application or an application deleted more than 30 days ago.
+
+> [!IMPORTANT]
+> The deleted applications portal UI feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
+
+## Required permissions
+You must have one of the following roles to permanently delete applications.
+
+- Global administrator
+- Application administrator
+- Cloud application administrator
+- Hybrid identity administrator
+- Application owner
+
+You must have one of the following roles to restore applications.
+
+- Global administrator
+- Application owner
+
+### View your deleted applications
+You can see all the applications in a soft deleted state. Only applications deleted less than 30 days ago can be restored.
+
+#### To view your restorable applications
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+2. Search and select **Azure Active Directory**, select **App registrations**, and then select the **Deleted applications (Preview)** tab.
+
+Review the list of applications. Only applications that have been deleted in the past 30 days are available to restore. If using the App registrations search preview, you can filter by the 'Deleted date' column to see only these applications.
+
+## Restore a recently deleted application
+
+When an app registration is deleted from the organization, the app is in a suspended state and its configurations are preserved. When you restore an app registration, its configurations are also restored. However, if there were any organization-specific settings in **Enterprise applications** for the application's home tenant, those will not be restored.
+
+This is because organization-specific settings are stored on a separate object, called the service principal. Settings held on the service principal include permission consents and user and group assignments for a certain organization; these configurations will not be restored when the app is restored. For more information, see [Application and service principal objects](app-objects-and-service-principals.md).
++
+### To restore an application
+1. On the **Deleted applications (Preview)** tab, search for and select one of the applications deleted less than 30 days ago.
+2. Select **Restore app registration**.
+
+## Permanently delete an application
+You can manually permanently delete an application from your organization. A permanently deleted application can't be restored by you, another administrator, or by Microsoft customer support.
+
+### To permanently delete an application
+
+1. On the **Deleted applications (Preview)** tab, search for and select one of the available applications.
+2. Select **Delete permanently**.
+3. Read the warning text and select **Yes**.
+
+## Next steps
+After you've restored or permanently deleted your app, you can:
+
+- [Add an application](quickstart-register-app.md).
+- Learn more about [application and service principal objects](app-objects-and-service-principals.md) in the Microsoft identity platform.
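Review bot: the two role lists look inverted relative to the risk: permanent deletion, which the article itself says nobody can undo, is allowed for Global administrator, Application administrator, Cloud application administrator, Hybrid identity administrator and Application owner, while the reversible restore is limited to Global administrator and Application owner. If that is the real service behaviour, say so and explain it; if it is a copy error, align the lists, because an admin will assume the more destructive operation needs at least the same roles. Also worth tightening: "applications associated to a directory" should be "associated with"; the restore section says consents and user/group assignments on the service principal are not restored but stops short of telling the reader to re-establish them after a restore, so add that operational sentence; and the 'Deleted date' column name should use the same bold UI-element formatting as the other portal labels instead of single quotes.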
active-directory Quickstart V2 Windows Desktop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-windows-desktop.md
See [How the sample works](#how-the-sample-works) for an illustration.
> > Where: > - `Enter_the_Application_Id_here` - is the **Application (client) ID** for the application you registered.
+>
+> To find the value of **Application (client) ID**, go to the app's **Overview** page in the Azure portal.
> - `Enter_the_Tenant_Info_Here` - is set to one of the following options: > - If your application supports **Accounts in this organizational directory**, replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com) > - If your application supports **Accounts in any organizational directory**, replace this value with `organizations`
-> - If your application supports **Accounts in any organizational directory and personal Microsoft accounts**, replace this value with `common`
+> - If your application supports **Accounts in any organizational directory and personal Microsoft accounts**, replace this value with `common`.
+>
+> To find the values of **Directory (tenant) ID** and **Supported account types**, go to the app's **Overview** page in the Azure portal.
>
-> > [!TIP]
-> > To find the values of **Application (client) ID**, **Directory (tenant) ID**, and **Supported account types**, go to the app's **Overview** page in the Azure portal.
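Review bot: inlining the old TIP produces two near-duplicate sentences ("To find the value of **Application (client) ID**, go to the app's **Overview** page" after the first bullet and "To find the values of **Directory (tenant) ID** and **Supported account types**, go to the app's **Overview** page" after the tenant bullets), which is acceptable, but the second one says **Directory (tenant) ID** while the bullets directly above ask for the **Tenant Id** or **Tenant name**; use one label. The trailing period added to the `common` bullet leaves the sibling `organizations` and tenant-ID bullets unpunctuated; add periods to all three or to none. Separately, the unchanged example tenant name `contoso.microsoft.com` looks like a typo for `contoso.onmicrosoft.com`, the form the supported-accounts how-to in this batch uses; fix it while this block is open.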
## More information
PublicClientApplicationBuilder.Create(ClientId)
.Build(); ```
-> |Where: | Description |
-> |||
-> | `ClientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |
+|Where: | Description |
+|||
+| `ClientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |
### Requesting tokens
authResult = await App.PublicClientApp.AcquireTokenInteractive(_scopes)
.ExecuteAsync(); ```
-> |Where:| Description |
-> |||
-> | `_scopes` | Contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api://<Application ID>/access_as_user" }` for custom web APIs. |
+|Where:| Description |
+|||
+| `_scopes` | Contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api://<Application ID>/access_as_user" }` for custom web APIs. |
#### Get a user token silently
authResult = await App.PublicClientApp.AcquireTokenSilent(scopes, firstAccount)
.ExecuteAsync(); ```
-> |Where: | Description |
-> |||
-> | `scopes` | Contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api://<Application ID>/access_as_user" }` for custom web APIs. |
-> | `firstAccount` | Specifies the first user in the cache (MSAL support multiple users in a single app). |
+|Where: | Description |
+|||
+| `scopes` | Contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api://<Application ID>/access_as_user" }` for custom web APIs. |
+| `firstAccount` | Specifies the first user in the cache (MSAL support multiple users in a single app). |
[!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
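Review bot: dropping the `> ` prefixes on the three Where/Description tables is the right fix, since the code blocks they explain (`PublicClientApplicationBuilder.Create(ClientId)`, `AcquireTokenInteractive(_scopes)`, `AcquireTokenSilent(scopes, firstAccount)`) are not quoted either and the tables were rendering as stray blockquotes. One grammar nit carried over into the `+` lines: "MSAL support multiple users in a single app" should read "MSAL supports". Consider also saying in the `firstAccount` row what the caller should do when the cache holds no matching account, since the section pairs the silent and interactive calls precisely so the reader can wire up that fallback.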
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md
The following samples illustrate web applications that sign in users. Some sampl
| -- | - | | | ![This image shows the ASP.NET Core logo](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core | [ASP.NET Core WebApp signs-in users tutorial](https://aka.ms/aspnetcore-webapp-sign-in) | Same sample in the [ASP.NET Core web app calls Microsoft Graph](https://aka.ms/aspnetcore-webapp-call-msgraph) phase</p>Advanced sample [Accessing the logged-in user's token cache from background apps, APIs and services](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | | ![This image shows the ASP.NET Framework logo](media/sample-v2-code/logo_NETframework.png)</p>ASP.NET Core | [AD FS to Azure AD application migration playbook for developers](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) to learn how to safely and securely migrate your applications integrated with Active Directory Federation Services (AD FS) to Azure Active Directory (Azure AD) | |
-| ![This image shows the ASP.NET Framework logo](media/sample-v2-code/logo_NETframework.png)</p> ASP.NET | [ASP.NET Quickstart](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) </p> [dotnet-webapp-openidconnect-v2](https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2) | [dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) </p> |[msgraph-training-aspnetmvcapp](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp)
+| ![This image shows the ASP.NET Framework logo](media/sample-v2-code/logo_NETframework.png)</p> ASP.NET | [ASP.NET Quickstart](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) </p> [dotnet-webapp-openidconnect-v2](https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2) | [dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) </p> [msgraph-training-aspnetmvcapp](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) |
| ![This image shows the Java logo](medi) Sign in with AAD| | | ![This image shows the Java logo](medi) Sign in with B2C | | ![This image shows the Java logo](medi) Sign in with AAD and call Graph|
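Review bot: the ASP.NET row fix is correct; the `-` line closed a cell early with `|[msgraph-training-aspnetmvcapp]` and never terminated the row, and the `+` line's `</p> [msgraph-training-aspnetmvcapp](...) |` restores the three-column layout. While here, the unchanged row just above pairs the ASP.NET Framework logo (`logo_NETframework.png`) with the label "ASP.NET Core" for the AD FS to Azure AD migration playbook; pick the logo or the label that matches the sample. The `</p>` tags used as line breaks throughout this table are unmatched closing tags and would be clearer as `<br>`.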
active-directory Scenario Desktop Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token.md
WithParentActivityOrWindow(IWin32Window window)
// Mac WithParentActivityOrWindow(NSWindow window)
-// .Net Standard (this will be on all platforms at runtime, but only on NetStandard at build time)
+// .NET Standard (this will be on all platforms at runtime, but only on NetStandard at build time)
WithParentActivityOrWindow(object parent). ``` Remarks: -- On .NET Standard, the expected `object` is `Activity` on Android, `UIViewController` on iOS, `NSWindow` on MAC, and `IWin32Window` or `IntPr` on Windows.
+- On .NET Standard, the expected `object` is `Activity` on Android, `UIViewController` on iOS, `NSWindow` on Mac, and `IWin32Window` or `IntPr` on Windows.
- On Windows, you must call `AcquireTokenInteractive` from the UI thread so that the embedded browser gets the appropriate UI synchronization context. Not calling from the UI thread might cause messages to not pump properly and deadlock scenarios with the UI. One way of calling Microsoft Authentication Libraries (MSALs) from the UI thread if you aren't on the UI thread already is to use the `Dispatcher` on WPF. - If you're using WPF, to get a window from a WPF control, you can use the `WindowInteropHelper.Handle` class. Then the call is from a WPF control (`this`):
Remarks:
`WithPrompt()` is used to control the interactivity with the user by specifying a prompt.
-![Image showing the fields in the Prompt structure. These constant values control interactivity with the user by defining the type of prompt displayed by the WithPrompt() method.](https://user-images.githubusercontent.com/13203188/53438042-3fb85700-39ff-11e9-9a9e-1ff9874197b3.png)
+![Image showing the fields in the Prompt structure. These constant values control interactivity with the user by defining the type of prompt displayed by the WithPrompt() method.](https://user-images.githubusercontent.com/34331512/112267137-3f1c3a00-8c32-11eb-97fb-33604311329a.png)
The class defines the following constants: - ``SelectAccount`` forces the STS to present the account selection dialog box that contains accounts for which the user has a session. This option is useful when application developers want to let users choose among different identities. This option drives MSAL to send ``prompt=select_account`` to the identity provider. This option is the default. It does a good job of providing the best possible experience based on the available information, such as account and presence of a session for the user. Don't change it unless you have good reason to do it. - ``Consent`` enables the application developer to force the user to be prompted for consent, even if consent was granted before. In this case, MSAL sends `prompt=consent` to the identity provider. This option can be used in some security-focused applications where the organization governance demands that the user is presented with the consent dialog box each time the application is used. - ``ForceLogin`` enables the application developer to have the user prompted for credentials by the service, even if this user prompt might not be needed. This option can be useful to let the user sign in again if acquiring a token fails. In this case, MSAL sends `prompt=login` to the identity provider. Sometimes it's used in security-focused applications where the organization governance demands that the user re-signs in each time they access specific parts of an application.
+- ``Create`` triggers a sign-up experience, which is used for External Identities, by sending `prompt=create` to the identity provider. This prompt should not be sent for Azure AD B2C apps. For more information, see [Add a self-service sign-up user flow to an app](https://aka.ms/msal-net-prompt-create).
- ``Never`` (for .NET 4.5 and WinRT only) won't prompt the user, but instead tries to use the cookie stored in the hidden embedded web view. For more information, see web views in MSAL.NET. Using this option might fail. In that case, `AcquireTokenInteractive` throws an exception to notify that a UI interaction is needed. You'll need to use another `Prompt` parameter. - ``NoPrompt`` won't send any prompt to the identity provider. This option is useful only for Azure Active Directory (Azure AD) B2C edit profile policies. For more information, see [Azure AD B2C specifics](https://aka.ms/msal-net-b2c-specificities).
+#### WithUseEmbeddedWebView
+
+This method enables you to specify if you want to force the usage of an embedded WebView or the system WebView (when available). For more information, see [Usage of web browsers](msal-net-web-browsers.md).
+
+ ```csharp
+ var result = await app.AcquireTokenInteractive(scopes)
+ .WithUseEmbeddedWebView(true)
+ .ExecuteAsync();
+ ```
+ #### WithExtraScopeToConsent This modifier is used in an advanced scenario where you want the user to pre-consent to several resources upfront, and you don't want to use incremental consent, which is normally used with MSAL.NET/the Microsoft identity platform. For more information, see [Have the user consent upfront for several resources](scenario-desktop-production.md#have-the-user-consent-upfront-for-several-resources).
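Review bot: the `+` remark line fixes "MAC" to "Mac" but keeps `IntPr` from the `-` line; the Windows handle type is `IntPtr`, so correct it in the same edit. Two more points in this hunk: the Prompt structure screenshot now points at `https://user-images.githubusercontent.com/...`, an external attachment that is not versioned with the docs and can disappear; commit the image under the article's media folder instead. And the new `WithUseEmbeddedWebView` snippet is indented one space inside the `+` lines (` ```csharp`), unlike the other fenced blocks in the article; align it flush left for consistency. The `Create` prompt bullet with its "should not be sent for Azure AD B2C apps" caveat reads well.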
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/whats-new-docs.md
Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
+## March 2021
+
+### New articles
+
+- [Restore or remove a recently deleted application with the Microsoft identity platform](quickstart-restore-app.md)
+
+### Updated articles
+
+- [Admin consent on the Microsoft identity platform](v2-admin-consent.md)
+- [Configuration requirements and troubleshooting tips for Xamarin Android with MSAL.NET](msal-net-xamarin-android-considerations.md)
+- [Daemon app that calls web APIs - acquire a token](scenario-daemon-acquire-token.md)
+- [Daemon app that calls web APIs - code configuration](scenario-daemon-app-configuration.md)
+- [Daemon app that calls web APIs - call a web API from the app](scenario-daemon-call-api.md)
+- [Daemon app that calls web APIs - move to production](scenario-daemon-production.md)
+- [Desktop app that calls web APIs: Acquire a token](scenario-desktop-acquire-token.md)
+- [Desktop app that calls web APIs: Code configuration](scenario-desktop-app-configuration.md)
+- [Desktop app that calls web APIs: Call a web API](scenario-desktop-call-api.md)
+- [How to: Customize claims emitted in tokens for a specific app in a tenant (Preview)](active-directory-claims-mapping.md)
+- [Logging in MSAL for Python](msal-logging-python.md)
+- [Microsoft Enterprise SSO plug-in for Apple devices (preview)](apple-sso-plugin.md)
+- [Quickstart: Add Microsoft identity platform sign-in to an ASP.NET web app](quickstart-v2-aspnet-webapp.md)
+- [Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app](quickstart-v2-aspnet-core-webapp.md)
+- [Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity](quickstart-v2-netcore-daemon.md)
+- [Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform](quickstart-v2-aspnet-core-web-api.md)
+- [Quickstart: Sign in users and get an access token in an Angular single-page application](quickstart-v2-angular.md)
+- [Support and help options for developers](developer-support-help-options.md)
+- [Web app that signs in users: Code configuration](scenario-web-app-sign-user-app-configuration.md)
+- [Web app that signs in users: Sign-in and sign-out](scenario-web-app-sign-user-sign-in.md)
+ ## February 2021 ### New articles
Welcome to what's new in the Microsoft identity platform documentation. This art
- [Configure token lifetime policies (preview)](configure-token-lifetimes.md) - [Microsoft identity platform authentication libraries](reference-v2-libraries.md) - [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)-
-## December 2020
-
-### New articles
--- [Quickstart: ASP.NET Core web app that signs in users and calls Microsoft Graph on their behalf](quickstart-v2-aspnet-core-webapp-calls-graph.md)-- [Handle errors and exceptions in MSAL.NET](msal-error-handling-dotnet.md)-- [Handle errors and exceptions in MSAL for iOS/macOS](msal-error-handling-ios.md)-- [Handle errors and exceptions in MSAL for Java](msal-error-handling-java.md)-- [Handle errors and exceptions in MSAL.js](msal-error-handling-js.md)-- [Handle errors and exceptions in MSAL for Python](msal-error-handling-python.md)-- [Microsoft identity platform token exchange scenarios with SAML and OIDC/OAuth](scenario-token-exchange-saml-oauth.md)-
-### Updated articles
--- [Quickstart: Add sign-in with Microsoft to a Java web app](quickstart-v2-java-webapp.md)-- [Tutorial: Build a multi-tenant daemon that uses the Microsoft identity platform](tutorial-v2-aspnet-daemon-web-app.md)-- [Web app that signs in users: App registration](scenario-web-app-sign-user-app-registration.md)-- [Microsoft identity platform and implicit grant flow](v2-oauth2-implicit-grant-flow.md)-- [Microsoft identity platform access tokens](access-tokens.md)-- [A web API that calls web APIs: Acquire a token for the app](scenario-web-api-call-api-acquire-token.md)-
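Review bot: the new March 2021 entry links the restore article as `quickstart-restore-app.md`, but the file added in this same batch lives at `articles/active-directory/develop/howto-restore-app.md`; unless a redirect exists the link will break, so change it to `howto-restore-app.md`. The March list also omits the other two how-tos added in this batch, `howto-modify-supported-accounts.md` and `howto-remove-app.md`; if they are new articles rather than renames, list them under "New articles". Removing the December 2020 section is consistent with the "last three months" statement in the intro.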
active-directory Howto Device Identity Virtual Desktop Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md
When deploying non-persistent VDI, Microsoft recommends that IT administrators i
- Once you have a strategy to identify your non-persistent Hybrid Azure AD joined devices (e.g. using computer display name prefix), you should be more aggressive on the clean-up of these devices to ensure your directory does not get consumed with lots of stale devices. - For non-persistent VDI deployments on Windows current and down-level, you should delete devices that have **ApproximateLastLogonTimestamp** of older than 15 days.
+> [!NOTE]
+> When using non-persistent VDI, if you want to prevent a device join state ensure the following registry key is set:
+> `HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001`
+>
+> Ensure you are running Windows 10, version 1803 or higher.
+>
+> Roaming any data under the path `%localappdata%` is not supported. If you choose to move content under `%localappdata%`, make sure that the content of the following folders and registry keys **never** leaves the device under any condition. For example: Profile migration tools must skip the following folders and keys:
+>
+> * `%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy`
+> * `%localappdata%\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy`
+> * `%localappdata%\Packages\<any app package>\AC\TokenBroker`
+> * `%localappdata%\Microsoft\TokenBroker`
+> * `HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL`
+> * `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AAD`
+>
++ ### Persistent VDI When deploying persistent VDI, Microsoft recommends that IT administrators implement the guidance below. Failure to do so will result in deployment and authentication issues.
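Review bot: the NOTE's first sentence, "if you want to prevent a device join state ensure the following registry key is set", does not say which state `BlockAADWorkplaceJoin` blocks; name it (the key's name points at workplace join, that is, the Azure AD registered state) and add the comma after "state", otherwise admins may expect it to stop hybrid Azure AD join as well. "Ensure you are running Windows 10, version 1803 or higher" floats on its own line with no subject; say whether it applies to the registry key or to the profile-roaming guidance. The roaming list is the security-critical part and deserves one line of why: the `TokenBroker`, `Microsoft.AAD.BrokerPlugin` and `IdentityCRL` locations hold cached authentication tokens and related credential state for that session, and the article already warns that getting this wrong "will result in deployment and authentication issues", so stating the consequence next to the **never** makes the rule easier to enforce in profile-migration tooling. Finally the hunk ends with `++ ### Persistent VDI`, a blank added line fused with the next heading; check the spacing in the committed file.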
active-directory Plan Device Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/plan-device-deployment.md
Review supported and unsupported platforms for integrated devices:
| Device management tools| Azure AD registered| Azure AD join| Hybrid Azure AD join| | - | - | - | - |
-| [Mobile Device Management (MDM) ](/windows/client-management/mdm/azure-active-directory-integration-with-mdm) <br>Example: Microsoft Intune| ![Checkmark for these values.](./media/plan-device-deployment/check.png)| ![Checkmark for these values.](./media/plan-device-deployment/check.png)| ![Checkmark for these values.](./media/plan-device-deployment/check.png)| |
-| [Co management with Microsoft Intune and Microsoft Endpoint Configuration Manager](/mem/configmgr/comanage/overview) <br>(Windows 10 and later)| | ![Checkmark for these values.](./media/plan-device-deployment/check.png)| ![Checkmark for these values.](./media/plan-device-deployment/check.png)| |
-| [Group policy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11))<br>(Windows only)| | | ![Checkmark for these values.](./media/plan-device-deployment/check.png)| |
+| [Mobile Device Management (MDM) ](/windows/client-management/mdm/azure-active-directory-integration-with-mdm) <br>Example: Microsoft Intune| ![Checkmark for these values.](./media/plan-device-deployment/check.png)| ![Checkmark for these values.](./media/plan-device-deployment/check.png)| ![Checkmark for these values.](./media/plan-device-deployment/check.png)|
+| [Co management with Microsoft Intune and Microsoft Endpoint Configuration Manager](/mem/configmgr/comanage/overview) <br>(Windows 10 and later)| | ![Checkmark for these values.](./media/plan-device-deployment/check.png)| ![Checkmark for these values.](./media/plan-device-deployment/check.png)|
+| [Group policy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11))<br>(Windows only)| | | ![Checkmark for these values.](./media/plan-device-deployment/check.png)|
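Review bot: Dropping the trailing empty `| |` column from all three rows is the right fix, but the rewritten MDM row keeps a stray space before the closing bracket in `[Mobile Device Management (MDM) ]`; since the row is being touched anyway, remove it. The alt text `Checkmark for these values.` is identical in every checked cell and tells a screen-reader user nothing about which column is checked; a cell-specific alt such as "Supported" would be more useful.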
If you experience issues with completing hybrid Azure AD join for domain-joined
* [Plan your Azure AD Join implementation](azureadjoin-plan.md) * [Plan your hybrid Azure AD Join implementation](hybrid-azuread-join-plan.md)
-* [Manage device identities](device-management-azure-portal.md)
+* [Manage device identities](device-management-azure-portal.md)
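Review bot: The `-`/`+` pair for `[Manage device identities](device-management-azure-portal.md)` is textually identical, so this is a whitespace or line-ending change only; fine, but confirm it is the intended final-newline fix and not a stray trailing space being added.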
active-directory Resilience With Continuous Access Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-with-continuous-access-evaluation.md
Microsoft is working with the industry to build [standards](https://openid.net/w
## How do I implement CAE?
+* [Update your code to use CAE-enabled APIs](../develop/app-resilience-continuous-access-evaluation.md).
+ * [Enable CAE](../conditional-access/concept-continuous-access-evaluation.md) in the Azure AD Security Configuration. * Ensure that your organization is using [compatible versions](../conditional-access/concept-continuous-access-evaluation.md) of Microsoft Office native applications.
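Review bot: The added bullets under "How do I implement CAE?" are inconsistently formatted: the second added line starts with a space before `*`, which Markdown will render as a continuation or nested item rather than a sibling of `Update your code to use CAE-enabled APIs`, and the `Enable CAE` and `Ensure that your organization is using compatible versions` bullets sit on one line instead of one bullet per line. Also, both the `Enable CAE` link and the `compatible versions` link point at the same page (`concept-continuous-access-evaluation.md`); if the compatible-versions list has its own anchor, link to it directly so the reader lands on the right section.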
Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md)
-* [Build resilience in your CIAM systems](resilience-b2c.md)
+* [Build resilience in your CIAM systems](resilience-b2c.md)
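Review bot: As with the previous file, the `-`/`+` pair for `[Build resilience in your CIAM systems](resilience-b2c.md)` is identical, so only whitespace or the line ending changed; confirm that is intentional.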
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
Previously updated : 1/29/2021 Last updated : 3/31/2021
The What's new in Azure Active Directory? release notes provide information abou
- Plans for changes +
+## September 2020
+
+### New provisioning connectors in the Azure AD Application Gallery - September 2020
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [Coda](../saas-apps/coda-provisioning-tutorial.md)
+- [Cofense Recipient Sync](../saas-apps/cofense-provision-tutorial.md)
+- [InVision](../saas-apps/invision-provisioning-tutorial.md)
+- [myday](../saas-apps/myday-provision-tutorial.md)
+- [SAP Analytics Cloud](../saas-apps/sap-analytics-cloud-provisioning-tutorial.md)
+- [Webroot Security Awareness](../saas-apps/webroot-security-awareness-training-provisioning-tutorial.md)
+
+For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+
+
+### Cloud Provisioning Public Preview Refresh
+
+**Type:** New feature
+**Service category:** Azure AD Cloud Provisioning
+**Product capability:** Identity Lifecycle Management
+
+Azure AD Connect Cloud Provisioning public preview refresh features two major enhancements developed from customer feedback:
+
+- Attribute Mapping Experience through Azure portal
+
+ With this feature, IT Admins can map user, group, or contact attributes from AD to Azure AD using various mapping types present today. Attribute mapping is a feature used for standardizing the values of the attributes that flow from Active Directory to Azure Active Directory. One can determine whether to directly map the attribute value as it is from AD to Azure AD or use expressions to transform the attribute values when provisioning users. [Learn more](../cloud-sync/how-to-attribute-mapping.md)
+
+- On-demand Provisioning or Test User experience
+
+ Once you have setup your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md)
+
++
+### Audited BitLocker Recovery in Azure AD - Public Preview
+
+**Type:** New feature
+**Service category:** Device Access Management
+**Product capability:** Device Lifecycle Management
+
+When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.
+
+End users can [access their recovery keys via My Account](../user-help/my-account-portal-devices-page.md#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API in beta](/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta) or via the Azure AD Portal. To learn more, see [View or copy BitLocker keys in the Azure AD Portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
+++
+### Teams Devices Administrator built-in role
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+Users with the [Teams Devices Administrator](../roles/permissions-reference.md#teams-devices-administrator) role can manage [Teams-certified devices](https://www.microsoft.com/microsoft-365/microsoft-teams/across-devices/devices) from the Teams Admin Center.
+
+This role allows the user to view all devices at single glance, with the ability to search and filter devices. The user can also check the details of each device including logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.
+
++
+### Advanced query capabilities for Directory Objects
+
+**Type:** New feature
+**Service category:** MS Graph
+**Product capability:** Developer Experience
+
+All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators.
+
+To learn more, see the documentation [here](https://aka.ms/BlogPostMezzoGA), and you can also send feedback with this [brief survey](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR_yN8EPoGo5OpR1hgmCp1XxUMENJRkNQTk5RQkpWTE44NEk2U0RIV0VZRy4u).
+
++
+### Public preview: continuous access evaluation for tenants who configured Conditional Access policies
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** Identity Security & Protection
+
+Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. To learn more, see [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md).
+++
+### Public preview: ask users requesting an access package additional questions to improve approval decisions
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision. To learn more, see [Collect additional requestor information for approval (preview)](../governance/entitlement-management-access-package-approval-policy.md#collect-additional-requestor-information-for-approval-preview).
+
++
+### Public preview: Enhanced user management
+
+**Type:** New feature
+**Service category:** User Management
+**Product capability:** User Management
+
+
+The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
+- More visible user properties including object ID, directory sync status, creation type, and identity issuer.
+- Search now allows combined search of names, emails, and object IDs.
+- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.
+- New sorting capabilities on properties like name, user principal name and deletion date.
+- A new total users count that updates with any searches or filters.
+
+For more information, please see [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).
+++
+### New notes field for Enterprise applications
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** SSO
+
+You can add free text notes to Enterprise applications. You can add any relevant information that will help you manager applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md).
+++
+### New Federated Apps available in Azure AD Application gallery - September 2020
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In September 2020 we have added following 34 new applications in our App gallery with Federation support:
+
+[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASEΣ/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAILΣ](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumfürraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://app.cloudcadi.com/login), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), [Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal AAD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec 
Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md)
+
+You can also find the documentation of all the applications from here: https://aka.ms/AppsTutorial.
+
+For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest.
+++
+### New delegation role in Azure AD entitlement management: Access package assignment manager
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. You can now delegate tasks to a user in this role, who can delegate assignments management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.
+
+With this new role, you benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations. To learn more, see [Entitlement management roles](../governance/entitlement-management-delegate.md#entitlement-management-roles).
+
++
+### Changes to Privileged Identity Management's onboarding flow
+
+**Type:** Changed feature
+**Service category:** Privileged Identity Management
+**Product capability:** Privileged Identity Management
+
+Previously, onboarding to Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure AD MFA. With the recent integration of PIM experience into the Azure AD roles and administrators blade, we are removing this experience. Any tenant with valid P2 license will be auto-onboarded to PIM.
+
+Onboarding to PIM does not have any direct adverse effect on your tenant. You can expect the following changes:
+- Additional assignment options such as active vs. eligible with start and end time when you make an assignment in either PIM or Azure AD roles and administrators blade.
+- Additional scoping mechanisms, like Administrative Units and custom roles, introduced directly into the assignment experience.
+- If you are a global administrator or privileged role administrator, you may start getting a few additional emails like the PIM weekly digest.
+- You might also see ms-pim service principal in the audit log related to role assignment. This expected change shouldn't affect your regular workflow.
+
+ For more information, see [Start using Privileged Identity Management](../privileged-identity-management/pim-getting-started.md).
+++
+### Azure AD Entitlement Management: The Select pane of access package resources now shows by default the resources currently in the selected catalog
+
+**Type:** Changed feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+
+In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog.
+
+This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog. To learn more, see [Create a new access package in Azure AD entitlement management](../governance/entitlement-management-access-package-create.md#resource-roles).
+
++ ## August 2020 ### Updates to Azure Multi-Factor Authentication Server firewall requirements
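Review bot: In the September 2020 federated-apps paragraph, the first link `[VMware Horizon - Unified Access Gateway]()` has an empty target and the next targets are shifted by one label (`Pulse Secure PCS` points at `vmware-horizon-unified-access-gateway-tutorial.md`, `Inventory360` at `pulse-secure-pcs-tutorial.md`, and `Frontitude` likely belongs with the enteksystems sign-up URL that follows; the chain realigns at `BookWidgets`). The two `Secured Signing Enterprise Portal` entries also share one URL. Since this section is being moved verbatim from whats-new.md (the matching `-` lines are in that file's hunk below), this is the moment to realign them rather than carry the defect into the archive. Smaller items in the same block: "help you manager applications" should be "manage", "we have added following 34 new applications" should be "the following", and "Once you have setup your configuration" should be "set up". The runs of `++`/`+++` between subsections suggest blank lines were collapsed during the move; check that each `###` heading still has a blank line before it.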
For more information about how to create an access review, see [Create an access
**Service category:** AD Sync **Product capability:** Platform
-Azure AD Connect is in the process of transitioning our email alert system(s), potentially showing some customers a new email sender. To address this, you must add `azure-noreply@microsoft.com` to your organization's allow list or you won't be able to continue receiving important alerts from your Office 365, Azure, or your Sync services.
+Azure AD Connect is in the process of transitioning our email alert system(s), potentially showing some customers a new email sender. To address this, you must add `azure-noreply@microsoft.com` to your organization's allowlist or you won't be able to continue receiving important alerts from your Office 365, Azure, or your Sync services.
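Review bot: `allowlist` is the right term change. While this sentence is open, "Azure AD Connect is in the process of transitioning our email alert system(s)" mixes the product as subject with "our"; suggest "We are transitioning the Azure AD Connect email alert system, which may show some customers a new sender address."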
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
Previously updated : 3/4/2021 Last updated : 3/31/2021
Azure AD receives improvements on an ongoing basis. To stay up to date with the
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md). +
+## March 2021
+
+### Guidance on how to enable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation
+
+**Type:** Plan for change
+**Service category:** N/A
+**Product capability:** Standards
+
+Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:
++
+- TLS 1.0
+- TLS 1.1
+- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+
+Affected environments include:
+
+- Azure Commercial Cloud
+- Office 365 GCC and WW
+
+For additional guidance, refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
+++
+### Public Preview - Azure AD Entitlement management now supports multi-geo SharePoint Online
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Entitlement Management
+
+For organizations using multi-geo SharePoint Online, you can now include sites from specific multi-geo environments to your Entitlement management access packages. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site-preview).
+++
+### Public Preview - Restore deleted apps from App registrations
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Developer Experience
+
+Customers can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated to a directory, not applications from a personal Microsoft account. [Learn more](../develop/quickstart-restore-app.md).
+
++
+### Public preview - New "User action" in Conditional Access for registering or joining devices
+
+**Type:** New feature
+**Service category:** Conditional Access
+**Product capability:** Identity Security & Protection
+
+ A new user action called "Register or join devices" in Conditional access is available. This user action allows you to control Multi-factor authentication (MFA) policies for Azure AD device registration.
+
+Currently, this user action only allows you to enable MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
+
++
+### Public Preview - Optimize connector groups to use the closest Application Proxy cloud service
+
+**Type:** New feature
+**Service category:** App Proxy
+**Product capability:** Access Control
+
+With this new capability, connector groups can be assigned to the closest regional Application Proxy service an application is hosted in. This can improve app performance in scenarios where apps are hosted in regions other than the home tenantΓÇÖs region. [Learn more](../manage-apps/application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service-preview).
+
++
+### Public Preview - External Identities Self-Service Sign-up in AAD using Email One-Time Passcode accounts
+
+**Type:** New feature
+**Service category:** B2B
+**Product capability:** B2B/B2C
+
+External users will now be able to use Email One-Time Passcode accounts to sign up in to Azure AD 1st party and LOB apps. [Learn more](../external-identities/one-time-passcode.md).
+++
+### Public Preview - Availability of AD FS Sign-Ins in Azure AD
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** Monitoring & Reporting
+
+AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of hybrid identity infrastructure. Using the Azure AD Sign-Ins report, Log Analytics, and Azure Monitor Workbooks, it's possible to perform in-depth analysis for both AAD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.
+
+To learn more, visit [AD FS sign-ins in Azure AD with Connect Health](../hybrid/how-to-connect-health-ad-fs-sign-in.md).
+++
+### General availability - Staged rollout to cloud authentication
+
+**Type:** New feature
+**Service category:** AD Connect
+**Product capability:** User Authentication
+
+Staged rollout to cloud authentication is now generally available. The staged rollout feature allows you to selectively test groups of users with cloud authentication methods, such as Passthrough Authentication (PTA) or Password Hash Sync (PHS). Meanwhile, all other users in the federated domains continue to use federation services, such as AD FS or any other federation services to authenticate users. [Learn more](../hybrid/how-to-connect-staged-rollout.md).
+++
+### General Availability - User Type attribute can now be updated in the Azure admin portal
+
+**Type:** New feature
+**Service category:** User Experience and Management
+**Product capability:** User Management
+
+Customers can now update the user type of Azure AD users when they update their user profile information from the Azure admin portal. The user type can be updated from Microsoft Graph also. To learn more, see [Add or update user profile information](active-directory-users-profile-azure-portal.md).
+
++
+### General Availability - Replica Sets for Azure Active Directory Domain Services
+
+**Type:** New feature
+**Service category:** Azure AD Domain Services
+**Product capability:** Azure AD Domain Services
+
+The capability of replica sets in Azure AD DS is now generally available. [Learn more](https://docs.microsoft.com/azure/active-directory-domain-services/concepts-replica-sets).
+
++
+### General availability - Collaborate with your partners using Email One-Time Passcode in the Azure Government cloud
+
+**Type:** New feature
+**Service category:** B2B
+**Product capability:** B2B/B2C
+
+Organizations in the Microsoft Azure Government cloud can now enable their guests to redeem invitations with Email One-Time Passcode. This ensures that any guest users with no Azure AD, Microsoft, or Gmail accounts in the Azure Government cloud can still collaborate with their partners by requesting and entering a temporary code to sign in to shared resources. [Learn more](../external-identities/one-time-passcode.md#note-for-azure-us-government-customers).
+++
+### New Federated Apps available in Azure AD Application gallery - March 2021
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In March 2021 we have added following 37 new applications in our App gallery with Federation support:
+
+[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://jsd.schoolstreamk12.com/AS)
+
+You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
+
+For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
+++
+### New provisioning connectors in the Azure AD Application Gallery - March 2021
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [AWS Single Sign-on](../saas-apps/aws-single-sign-on-provisioning-tutorial.md)
+- [Bpanda](../saas-apps/bpanda-provisioning-tutorial.md)
+- [Britive](../saas-apps/britive-provisioning-tutorial.md)
+- [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-provisioning-tutorial.md)
+- [Grammarly](../saas-apps/grammarly-provisioning-tutorial.md)
+- [LogicGate](../saas-apps/logicgate-provisioning-tutorial.md)
+- [SecureLogin](../saas-apps/secure-login-provisioning-tutorial.md)
+- [TravelPerk](../saas-apps/travelperk-provisioning-tutorial.md)
+
+For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+
++
+### Introducing MS Graph API for Company Branding
+
+**Type:** Changed feature
+**Service category:** MS Graph
+**Product capability:** B2B/B2C
+
+[MS Graph API for the Company Branding](https://docs.microsoft.com/graph/api/resources/organizationalbrandingproperties?view=graph-rest-1.0) is available for the Azure AD or Microsoft 365 login experience to allow the management of the branding parameters programmatically.
+++
+### General availability - Header-based authentication SSO with Application Proxy
+
+**Type:** Changed feature
+**Service category:** App Proxy
+**Product capability:** Access Control
+
+Azure AD Application Proxy native support for header-based authentication is now in general availability. With this feature, you can configure the user attributes required as HTTP headers for the application without additional components needed to deploy. [Learn more](../manage-apps/application-proxy-configure-single-sign-on-with-headers.md).
+++
+### Two-way SMS for MFA Server is no longer supported
+
+**Type:** Deprecated
+**Service category:** MFA
+**Product capability:** Identity Security & Protection
+
+
+Two-way SMS for MFA Server was originally deprecated in 2018, and will not be supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS.
+
+Email notifications and Azure Portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md).
+
+
+
## February 2021 ### Email one-time passcode authentication on by default starting October 2021
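Review bot: The Application Proxy connector-group entry contains a mis-encoded apostrophe: `home tenantΓÇÖs region` should read `home tenant's region` (the `ΓÇÖ` sequence is a right single quote saved through the wrong code page; search the rest of the added section for the same bytes). In the same hunk: the March 2021 federated-apps entry says "37 new applications" but lists seven; the `Register or join devices` paragraph starts with a leading space (` A new user action called...`), which will render inconsistently with the other paragraphs; "sign up in to Azure AD 1st party and LOB apps" should be "sign up to"; and the three absolute `https://docs.microsoft.com/...` links (TLS guidance, replica sets, organizationalbrandingproperties) should use the site-relative form that the rest of this file uses, for example `/microsoft-365/compliance/tls-1-2-in-office-365-gcc` further down.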
For more information, go to [Change approval settings for an access package in A
**Service category:** All Azure AD applications **Product capability:** Standards
-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions by June 30, 2021:
+Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:
- TLS 1.0 - TLS 1.1
Affected environments are:
Related announcement All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services. This is change is related to [Azure Active Directory TLS 1.0 & 1.1, and 3DES Cipher Suite Deprecation in US Gov Cloud](whats-new.md#azure-active-directory-tls-10-tls-11-and-3des-deprecation-in-us-gov-cloud).
+For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
+ ### New Federated Apps available in Azure AD Application gallery - November 2020
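Review bot: The added sentence "For guidance to remove deprecating protocols dependencies, please refer to ..." is hard to parse; suggest "For guidance on removing dependencies on the deprecated protocols, see ...", and use the site-relative link form as elsewhere in this file. The unchanged line just above it reads "This is change is related to", which should be "This change is related to"; worth fixing while the section is open. The rewording from "by June 30, 2021" to "starting June 30, 2021" changes the meaning from a hard cutoff to a rolling start; it is consistent with the new March 2021 entry above, which uses the same "starting" wording, so no further change needed there. The `+ ### New Federated Apps ...` line shows the added blank line fused with the next heading; check that the heading still begins on its own line.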
If you have an environment with firewall rules set to allow outbound calls to on
**Service category:** All Azure AD applications **Product capability:** Standards
-Azure Active Directory will deprecate the following protocols by March 31, 2021:
+Azure Active Directory will deprecate the following protocols starting March 31, 2021:
- TLS 1.0 - TLS 1.1 - 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
All client-server and browser-server combinations should use TLS 1.2 and modern
Affected environments are: - Azure US Gov - [Office 365 GCC High & DoD](/microsoft-365/compliance/tls-1-2-in-office-365-gcc)+
+For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
-### Assign applications to roles on AU and object scope
+### Assign applications to roles on administrative unit and object scope
**Type:** New feature **Service category:** RBAC **Product capability:** Access Control
-This feature enables the ability to assign an application (SPN) to an administrator role on the Administrative Unit scope. To learn more, refer to [Assign scoped roles to an administrative unit](../roles/admin-units-assign-roles.md).
+This feature enables the ability to assign an application (SPN) to an administrator role on the administrative unit scope. To learn more, refer to [Assign scoped roles to an administrative unit](../roles/admin-units-assign-roles.md).
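Review bot: Same wording problem as the previous hunk: "For guidance to remove deprecating protocols dependencies, please refer to" should read "For guidance on removing dependencies on the deprecated protocols, see", with a site-relative link like the `/microsoft-365/compliance/tls-1-2-in-office-365-gcc` link just above it. The rewritten role sentence can drop the redundant "enables the ability to": "This feature lets you assign an application (service principal) to an administrator role at the administrative unit scope." Note that renaming the heading from "AU" to "administrative unit" changes its anchor; check the repo for links to `#assign-applications-to-roles-on-au-and-object-scope` before merging.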
We've recently updated the [remember Multi-Factor Authentication (MFA)](../authe
For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to the remember MFA on a trusted device setting. To get started, review our [latest guidance on optimizing the reauthentication experience](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md). -
-## September 2020
-
-### New provisioning connectors in the Azure AD Application Gallery - September 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Coda](../saas-apps/coda-provisioning-tutorial.md)-- [Cofense Recipient Sync](../saas-apps/cofense-provision-tutorial.md)-- [InVision](../saas-apps/invision-provisioning-tutorial.md)-- [myday](../saas-apps/myday-provision-tutorial.md)-- [SAP Analytics Cloud](../saas-apps/sap-analytics-cloud-provisioning-tutorial.md)-- [Webroot Security Awareness](../saas-apps/webroot-security-awareness-training-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
-
-### Cloud Provisioning Public Preview Refresh
-
-**Type:** New feature
-**Service category:** Azure AD Cloud Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Azure AD Connect Cloud Provisioning public preview refresh features two major enhancements developed from customer feedback:
--- Attribute Mapping Experience through Azure portal-
- With this feature, IT Admins can map user, group, or contact attributes from AD to Azure AD using various mapping types present today. Attribute mapping is a feature used for standardizing the values of the attributes that flow from Active Directory to Azure Active Directory. One can determine whether to directly map the attribute value as it is from AD to Azure AD or use expressions to transform the attribute values when provisioning users. [Learn more](../cloud-sync/how-to-attribute-mapping.md)
--- On-demand Provisioning or Test User experience-
- Once you have setup your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md)
-
--
-### Audited BitLocker Recovery in Azure AD - Public Preview
-
-**Type:** New feature
-**Service category:** Device Access Management
-**Product capability:** Device Lifecycle Management
-
-When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.
-
-End users can [access their recovery keys via My Account](../user-help/my-account-portal-devices-page.md#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API in beta](/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta) or via the Azure AD Portal. To learn more, see [View or copy BitLocker keys in the Azure AD Portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
---
-### Teams Devices Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Users with the [Teams Devices Administrator](../roles/permissions-reference.md#teams-devices-administrator) role can manage [Teams-certified devices](https://www.microsoft.com/microsoft-365/microsoft-teams/across-devices/devices) from the Teams Admin Center.
-
-This role allows the user to view all devices at single glance, with the ability to search and filter devices. The user can also check the details of each device including logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.
-
--
-### Advanced query capabilities for Directory Objects
-
-**Type:** New feature
-**Service category:** MS Graph
-**Product capability:** Developer Experience
-
-All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators.
-
-To learn more, see the documentation [here](https://aka.ms/BlogPostMezzoGA), and you can also send feedback with this [brief survey](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR_yN8EPoGo5OpR1hgmCp1XxUMENJRkNQTk5RQkpWTE44NEk2U0RIV0VZRy4u).
-
--
-### Public preview: continuous access evaluation for tenants who configured Conditional Access policies
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Identity Security & Protection
-
-Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. To learn more, see [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md).
---
-### Public preview: ask users requesting an access package additional questions to improve approval decisions
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision. To learn more, see [Collect additional requestor information for approval (preview)](../governance/entitlement-management-access-package-approval-policy.md#collect-additional-requestor-information-for-approval-preview).
-
--
-### Public preview: Enhanced user management
-
-**Type:** New feature
-**Service category:** User Management
-**Product capability:** User Management
-
-
-The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
-- More visible user properties including object ID, directory sync status, creation type, and identity issuer.-- Search now allows combined search of names, emails, and object IDs.-- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.-- New sorting capabilities on properties like name, user principal name and deletion date.-- A new total users count that updates with any searches or filters.-
-For more information, please see [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).
---
-### New notes field for Enterprise applications
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-You can add free text notes to Enterprise applications. You can add any relevant information that will help you manager applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md).
---
-### New Federated Apps available in Azure AD Application gallery - September 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In September 2020 we have added following 34 new applications in our App gallery with Federation support:
-
-[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASEΣ/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAILΣ](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumfürraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://app.cloudcadi.com/login), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), [Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal AAD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec 
Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md)
-
-You can also find the documentation of all the applications from here: https://aka.ms/AppsTutorial.
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest.
---
-### New delegation role in Azure AD entitlement management: Access package assignment manager
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. You can now delegate tasks to a user in this role, who can delegate assignments management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.
-
-With this new role, you benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations. To learn more, see [Entitlement management roles](../governance/entitlement-management-delegate.md#entitlement-management-roles).
-
--
-### Changes to Privileged Identity Management's onboarding flow
-
-**Type:** Changed feature
-**Service category:** Privileged Identity Management
-**Product capability:** Privileged Identity Management
-
-Previously, onboarding to Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure AD MFA. With the recent integration of PIM experience into the Azure AD roles and administrators blade, we are removing this experience. Any tenant with valid P2 license will be auto-onboarded to PIM.
-
-Onboarding to PIM does not have any direct adverse effect on your tenant. You can expect the following changes:
-- Additional assignment options such as active vs. eligible with start and end time when you make an assignment in either PIM or Azure AD roles and administrators blade. -- Additional scoping mechanisms, like Administrative Units and custom roles, introduced directly into the assignment experience. -- If you are a global administrator or privileged role administrator, you may start getting a few additional emails like the PIM weekly digest. -- You might also see ms-pim service principal in the audit log related to role assignment. This expected change shouldn't affect your regular workflow.-
- For more information, see [Start using Privileged Identity Management](../privileged-identity-management/pim-getting-started.md).
---
-### Azure AD Entitlement Management: The Select pane of access package resources now shows by default the resources currently in the selected catalog
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-
-In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog.
-
-This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog. To learn more, see [Create a new access package in Azure AD entitlement management](../governance/entitlement-management-access-package-create.md#resource-roles).
-
-
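Review bot: this hunk deletes the whole "## September 2020" section without saying where the entries went, so readers with bookmarks to that heading or to any of its feature headings will dead-end. If the entries were moved to an archive article, add a one-line pointer at the cut so the month is still discoverable. If the content is being carried over rather than dropped, fix the gallery paragraph on the way: "[VMware Horizon - Unified Access Gateway]()" has an empty link target and every following link is shifted by one entry ("Pulse Secure PCS" points at the VMware Horizon tutorial, "Inventory360" at the Pulse Secure tutorial, and so on).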
active-directory Concept Adsync Service Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/concept-adsync-service-account.md
Legend:
- sMSA - [standalone Managed Service account](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)) - gMSA - [group Managed Service account](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11))
- ||**LocalDB</br> Express**|**LocalDB/LocalSQL</br> Custom**|**Remote SQL</br> Custom**|
+|Machine type |**LocalDB</br> Express**|**LocalDB/LocalSQL</br> Custom**|**Remote SQL</br> Custom**|
|--|--|--|--| |**domain-joined machine**|**VSA**|**VSA**</br> *sMSA*</br> *gMSA*</br> Local account</br> Domain account| *gMSA* </br>Domain account| |Domain Controller| **sMSA**|**sMSA** </br>*gMSA*</br> Domain account|*gMSA*</br>Domain account|
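Review bot: adding "Machine type" fills the empty first header cell, but the row labels under it are inconsistent: "**domain-joined machine**" is bold while "Domain Controller" is not, so pick one. The table also uses "VSA" and a bold-versus-italic convention that the "Legend:" above does not define (it only expands sMSA and gMSA); a legend entry for VSA and a sentence stating what bold (default?) and italic mean would make the table readable on its own.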
active-directory How To Connect Install Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-install-prerequisites.md
Before you install Azure AD Connect, there are a few things that you need.
* An Azure AD tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. If you need even more objects in Azure AD, open a support case to have the limit increased even further. If you need more than 500,000 objects, you need a license, such as Microsoft 365, Azure AD Premium, or Enterprise Mobility + Security. ### Prepare your on-premises data
-* Use [IdFix](https://support.office.com/article/Install-and-run-the-Office-365-IdFix-tool-f4bd2439-3e41-4169-99f6-3fabdfa326ac) to identify errors such as duplicates and formatting problems in your directory before you synchronize to Azure AD and Microsoft 365.
+* Use [IdFix](https://github.com/Microsoft/idfix) to identify errors such as duplicates and formatting problems in your directory before you [synchronize to Azure AD and Microsoft 365](https://support.office.com/article/Install-and-run-the-Office-365-IdFix-tool-f4bd2439-3e41-4169-99f6-3fabdfa326ac).
* Review [optional sync features you can enable in Azure AD](how-to-connect-syncservice-features.md), and evaluate which features you should enable. ### On-premises Active Directory
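Review bot: the link pairing in the rewritten IdFix bullet looks swapped. "IdFix" now points at the GitHub repo, while the phrase "synchronize to Azure AD and Microsoft 365" points at the support article about installing and running the IdFix tool, which is not about synchronization. Either link the install article from the tool name (for example "Use [IdFix](github) ([install and run guide](support.office.com))") or drop the second link rather than attach it to unrelated text.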
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-version-history.md
Please follow this link to read more about [auto upgrade](how-to-connect-install
> >For version history information on retired versions, see [Azure AD Connect version release history archive](reference-connect-version-history-archive.md)
+## 1.6.4.0
+
+### Release status
+3/31/2021: Released for download only, not available for auto upgrade
+
+### Bug fixes
+- This release fixes a bug in version 1.6.2.4 where, after upgrade to that release, the Azure AD Connect Health feature was not registered correctly and did not work. Customers who have deployed build 1.6.2.4 are requested to update their Azure AD Connect server with this build, which will correctly register the Health feature.
## 1.6.2.4 >[!IMPORTANT]
Please follow this link to read more about [auto upgrade](how-to-connect-install
> - This release defaults the AADConnect server to the new V2 end point. Note that this end point is not supported in the German national cloud, the Chinese national cloud and the US government cloud and if you need to deploy this version in these clouds you need to follow [these instructions](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-endpoint-api-v2#rollback) to switch back to the V1 end point. Failure to do so will result in errors in synchronization. ### Release status
-3/19/2021: Released for download
+3/19/2021: Released for download, not available for auto upgrade
### Functional changes
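Review bot: the new 1.6.4.0 entry says build 1.6.2.4 left Azure AD Connect Health unregistered, but nothing in the 1.6.2.4 entry itself points readers to the fix. Add a known-issue line under 1.6.2.4 that references 1.6.4.0, since readers checking the version they are running will land on 1.6.2.4 first. The "not available for auto upgrade" addition to the 1.6.2.4 release status is consistent with the 1.6.4.0 status line and reads fine.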
active-directory Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/best-practices.md
+
+ Title: Best practices for Azure AD roles - Azure Active Directory
+description: Best practices for using Azure Active Directory roles.
+++++++ Last updated : 03/28/2021++++++
+# Best practices for Azure AD roles
+
+This article describes some of the best practices for using Azure Active Directory role-based access control (Azure AD RBAC). These best practices are derived from our experience with Azure AD RBAC and the experiences of customers like yourself. We encourage you to also read our detailed security guidance at [Securing privileged access for hybrid and cloud deployments in Azure AD](security-planning.md).
+
+## 1. Manage to least privilege
+
+When planning your access control strategy, it's a best practice to manage to least privilege. Least privilege means you grant your administrators exactly the permission they need to do their job. There are three aspects to consider when you assign a role to your administrators: a specific set of permissions, over a specific scope, for a specific period of time. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised. Azure AD RBAC supports over 65 [built-in roles](permissions-reference.md). There are Azure AD roles to manage directory objects like users, groups, and applications, and also to manage Microsoft 365 services like Exchange, SharePoint, and Intune. To better understand Azure AD built-in roles, see [Understand roles in Azure Active Directory](concept-understand-roles.md). If there isn't a built-in role that meets your need, you can create your own [custom roles](custom-create.md).
+
+### Finding the right roles
+
+Follow these steps to help you find the right role.
+
+1. In the Azure portal, open [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) to see the list of Azure AD roles.
+
+1. Use the **Service** filter to narrow down the list of roles.
+
+ ![Roles and administrators page in Azure AD with Service filter open](./media/best-practices/roles-administrators.png)
+
+1. Refer to the [Azure AD built-in roles](permissions-reference.md) documentation. Permissions associated with each role are listed together for better readability. To understand the structure and meaning of role permissions, see [How to understand role permissions](permissions-reference.md#how-to-understand-role-permissions).
+
+1. Refer to the [Least privileged role by task](delegate-by-task.md) documentation.
+
+## 2. Use Privileged Identity Management to grant just-in-time access
+
+One of the principles of least privilege is that access should be granted only for a specific period of time. [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) lets you grant just-in-time access to your administrators. Microsoft recommends that you enable PIM in Azure AD. Using PIM, a user can be made an eligible member of an Azure AD role. The can then activate their role for a limited timeframe every time the needs to use it. Privileged access is automatically removed when the timeframe expires. You can also [configure PIM settings](../privileged-identity-management/pim-how-to-change-default-settings.md) to require approval or receive notification emails when someone activates their role assignment. Notifications provide an alert when new users are added to highly privileged roles.
+
+## 3. Turn on multi-factor authentication for all your administrator accounts
+
+[Based on our studies](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984), your account is 99.9% less likely to be compromised if you use multi-factor authentication (MFA).
+
+You can enable MFA on Azure AD roles using two methods:
+- [Role settings](../privileged-identity-management/pim-how-to-change-default-settings.md) in Privileged Identity Management
+- [Conditional Access](../conditional-access/howto-conditional-access-policy-admin-mfa.md)
+
+## 4. Configure recurring access reviews to revoke unneeded permissions over time
+
+Access reviews enable organizations to review administrator's access regularly to make sure only the right people have continued access. Regular auditing your administrators is crucial because of following reasons:
+- A malicious actor can compromise an account.
+- People move teams within a company. If there is no auditing, they can amass unnecessary access over time.
+
+For information about access reviews for roles, see [Create an access review of Azure AD roles in PIM](../privileged-identity-management/pim-how-to-start-security-review.md). For information about access reviews of groups that are assigned roles, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md).
+
+## 5. Limit the number of Global Administrators to less than 5
+
+As a best practice, Microsoft recommends that you assign the Global Administrator role to **fewer than five** people in your organization. Global Administrators hold keys to the kingdom, and it is in your best interest to keep the attack surface low. As stated previously, all of these accounts should be protected with multi-factor authentication.
+
+By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrators role. Users who are assigned the Global Administrator role can read and modify every administrative setting in your Azure AD organization. With a few exceptions, Global Administrators can also read and modify all configuration settings in your Microsoft 365 organization. Global Administrators also have the ability to elevate their access to read data.
+
+Microsoft recommends that you keep two break glass accounts that are permanently assigned to the Global Administrator role. Make sure that these accounts don't require the same multi-factor authentication mechanism as your normal administrative accounts to sign in, as described in [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
+
+## 6. Use groups for Azure AD role assignments and delegate the role assignment
+
+If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Azure AD groups, instead of individual users. You can also manage role-assignable groups in PIM to ensure that there are no standing owners or members in these privileged groups. For more information, see [Management capabilities for privileged access Azure AD groups](../privileged-identity-management/groups-features.md).
+
+You can assign an owner to role-assignable groups. That owner decides who is added to or removed from the group, so indirectly, decides who gets the role assignment. In this way, a Global Administrator or Privileged Role Administrator can delegate role management on a per-role basis by using groups. For more information, see [Use cloud groups to manage role assignments in Azure Active Directory](groups-concept.md).
+
+## 7. Activate multiple roles at once using privileged access groups
+
+It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They will have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.
+
+In this case, you should use [privileged access groups](../privileged-identity-management/groups-features.md). Create a privileged access group and grant it permanent access to multiple roles (Azure AD and/or Azure). Make that user an eligible member or owner of this group. With just one activation, they will have access to all the linked resources.
+
+![Privileged access group diagram showing activating multiple roles at once](./media/best-practices/privileged-access-group.png)
+
+## 8. Use cloud native accounts for Azure AD roles
+
+Avoid using on-premises synced accounts for Azure AD role assignments. If your on-premises account is compromised, it can compromise your Azure AD resources as well.
+
+## Next steps
+
+- [Securing privileged access for hybrid and cloud deployments in Azure AD](security-planning.md)
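Review bot: section 2 has two typos that change the sentence: "The can then activate their role for a limited timeframe every time the needs to use it" should be "They can then activate their role for a limited timeframe every time they need to use it". Section 4: "review administrator's access" should be "review administrators' access", and "Regular auditing your administrators is crucial because of following reasons" should be "Regularly auditing your administrators is crucial for the following reasons". The section 5 heading says "less than 5" while the body says "fewer than five"; use "fewer than five" in both. In section 1, the single long paragraph covers least privilege, the role count, and custom roles; splitting it at "Azure AD RBAC supports over 65" would help scanning.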
active-directory Groups Create Eligible https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-create-eligible.md
Add-AzureADGroupMember -ObjectId $roleAssignablegroup.Id -RefObjectId $member.Ob
```http POST https://graph.microsoft.com/beta/groups {
-"description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
-"displayName": "Contoso_Helpdesk_Administrators",
-"groupTypes": [
-"Unified"
-],
-"mailEnabled": true,
-"securityEnabled": true
-"mailNickname": "contosohelpdeskadministrators",
-"isAssignableToRole": true,
+ "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
+ "displayName": "Contoso_Helpdesk_Administrators",
+ "groupTypes": [
+ "Unified"
+ ],
+ "isAssignableToRole": true,
+ "mailEnabled": true,
+ "securityEnabled": true,
+ "mailNickname": "contosohelpdeskadministrators",
+ "visibility" : "Private"
} ```
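Review bot: the old request body was invalid JSON (no comma after `"securityEnabled": true`), so the reindented and reordered body is a real fix, not just cosmetic. The new `"visibility" : "Private"` property is not mentioned in the surrounding text; add a sentence explaining why it is set for a role-assignable Microsoft 365 group, and tighten the spacing to `"visibility": "Private"` to match the other keys.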
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
In Azure Active Directory (Azure AD), if another administrator or non-administra
This article lists the Azure AD built-in roles you can assign to allow management of Azure AD resources. For information about how to assign roles, see [Assign Azure AD roles to users](manage-roles-portal.md).
-## Limit use of Global Administrator
-
-Users who are assigned to the Global Administrator role can read and modify every administrative setting in your Azure AD organization. By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrators role. When you add a subscription to an existing tenant, you aren't assigned to the Global Administrator role. Only Global Administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.
-
-As a best practice, we recommend that you assign this role to fewer than five people in your organization. If you have more than five admins assigned to the Global Administrator role in your organization, here are some ways to reduce its use.
- ## All roles > [!div class="mx-tableFixed"]
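Review bot: removing "## Limit use of Global Administrator" removes its heading anchor, so every inbound link to `permissions-reference.md#limit-use-of-global-administrator` across the doc set needs retargeting (to the Global Administrator role entry or to the new best-practices article). Two facts from the deleted paragraph are not carried anywhere visible in this change: "When you add a subscription to an existing tenant, you aren't assigned to the Global Administrator role" and "Only Global Administrators and Privileged Role administrators can delegate administrator roles". Consider keeping both in the Global Administrator role description below.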
This administrator manages federation between Azure AD organizations and externa
Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Administrators can [elevate their access](../../role-based-access-control/elevate-access-global-admin.md) to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators.
+> [!NOTE]
+> As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. For more information, see [Best practices for Azure AD roles](best-practices.md).
+ > [!div class="mx-tableFixed"] > | Actions | Description | > | | |
Users with this role can create users, and manage all aspects of users with some
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
+## How to understand role permissions
+
+The schema for permissions loosely follows the REST format of Microsoft Graph:
+
+`<namespace>/<entity>/<propertySet>/<action>`
+
+For example:
+
+`microsoft.directory/applications/credentials/update`
+
+| Permission element | Description |
+| | |
+| namespace | Product or service that exposes the task and is prepended with `microsoft`. For example, all tasks in Azure AD use the `microsoft.directory` namespace. |
+| entity | Logical feature or component exposed by the service in Microsoft Graph. For example, Azure AD exposes User and Groups, OneNote exposes Notes, and Exchange exposes Mailboxes and Calendars. There is a special `allEntities` keyword for specifying all entities in a namespace. This is often used in roles that grant access to an entire product. |
+| propertySet | Specific properties or aspects of the entity for which access is being granted. For example, `microsoft.directory/applications/authentication/read` grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Azure AD.<ul><li>`allProperties` designates all properties of the entity, including privileged properties.</li><li>`standard` designates common properties, but excludes privileged ones related to `read` action. For example, `microsoft.directory/user/standard/read` includes the ability to read standard properties like public phone number and email address, but not the private secondary phone number or email address used for multi-factor authentication.</li><li>`basic` designates common properties, but excludes privileged ones related to the `update` action. The set of properties that you can read may be different from what you can update. ThatΓÇÖs why there are `standard` and `basic` keywords to reflect that.</li></ul> |
+| action | Operation being granted, most typically create, read, update, or delete (CRUD). There is a special `allTasks` keyword for specifying all of the above abilities (create, read, update, and delete). |
+ ## Deprecated roles The following roles should not be used. They have been deprecated and will be removed from Azure AD in the future.
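Review bot: the table separator row directly under `| Permission element | Description |` is empty (`| | |`), so the permissions table will render as plain text; it needs `|---|---|`. In the propertySet row the example `microsoft.directory/user/standard/read` uses the singular `user` while the other examples on this page (`microsoft.directory/applications/credentials/update`, `microsoft.directory/applications/authentication/read`) use plural entity names; use one form so readers can copy the pattern reliably. The `## Deprecated roles` heading at the end of the hunk has a leading space before `##` and its first paragraph on the same line; put the heading on its own line with no leading whitespace so it renders as a heading.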
active-directory Workday Mobile Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workday-mobile-tutorial.md
To ensure that iOS devices are only able to sign in through Workday managed by m
| Scenario | Key value pairs | |- |--|
-| Automatically populate the Tenant and Web Address fields for:<br>ΓùÅ Workday on Android when you enable Android for work profiles.<br>ΓùÅ Workday on iPad and iPhone. | Use these values to configure your Tenant: <br>ΓùÅ Configuration Key = `UserGroupCode`<br>ΓùÅ Value Type = String <br>ΓùÅ Configuration Value = Your tenant name. Example: `gms`<br>Use these values to configure your Web Address:<br>ΓùÅ Configuration Key = `AppServiceHost`<br>ΓùÅ Value Type = String<br>ΓùÅ Configuration Value = The base URL for your tenant. Example: `https://www.myworkday.com` | |
+| Automatically populate the Tenant and Web Address fields for:<br>ΓùÅ Workday on Android when you enable Android for work profiles.<br>ΓùÅ Workday on iPad and iPhone. | Use these values to configure your Tenant: <br>ΓùÅ Configuration Key = `UserGroupCode`<br>ΓùÅ Value Type = String <br>ΓùÅ Configuration Value = Your tenant name. Example: `gms`<br>Use these values to configure your Web Address:<br>ΓùÅ Configuration Key = `AppServiceHost`<br>ΓùÅ Value Type = String<br>ΓùÅ Configuration Value = The base URL for your tenant. Example: `https://www.myworkday.com` |
| Disable these actions for Workday on iPad and iPhone:<br>ΓùÅ Cut, Copy, and Paste<br>ΓùÅ Print | Set the value (Boolean) to `False` on these keys to disable the functionality:<br>ΓùÅ `AllowCutCopyPaste`<br>ΓùÅ `AllowPrint` | | Disable screenshots for Workday on Android. |Set the value (Boolean) to `False` on the `AllowScreenshots` key to disable functionality.| | Disable suggested updates for your users.|Set the value (Boolean) to `False` on the `AllowSuggestedUpdates` key to disable functionality.| |Customize the app store URL to direct mobile users to the app store of your choice.|Use these values to change the app store URL:<br>ΓùÅ Configuration Key = `AppUpdateURL`<br>ΓùÅ Value Type = String<br> ΓùÅ Configuration Value = App store URL|
-| |
- ## iOS configuration policies
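Review bot: dropping the trailing `| |` cell from the first row and the stray `| |` row fixes the column count of the two-column table, but the `## iOS configuration policies` heading is removed while the paragraph that followed it (`To ensure that iOS devices are only able to sign in through Workday managed by m…`) still appears right after the table; confirm that paragraph now belongs under the intended heading and is not a leftover duplicate of the identical paragraph above the table.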
To ensure that iOS devices are only able to sign in through Workday managed by m
5. Enter a name. 6. Under **Platform**, choose **Android**. 7. Under **Associated App**, choose the Workday for Android app that you added.
-8. Select **Configuration Settings**. Under **Configuration settings format**, select **Enter JSON Data**.
+8. Select **Configuration Settings**. Under **Configuration settings format**, select **Enter JSON Data**.
active-directory Yuhu Property Management Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/yuhu-property-management-platform-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
| Name | Source Attribute| | | | | firstName | user.givenname |
- | lastName | user.surname ||
+ | lastName | user.surname |
| email | user.mail | 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.
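Review bot: the separator row of the attributes table (`| | |`, right after `| Name | Source Attribute|`) has no dashes, so the table will not render; since this hunk already touches the table to drop the trailing `||` from the `lastName` row, fix the separator to `|---|---|` in the same change. The step `1. On the **Set up single sign-on with SAML** page…` also runs on directly after the last table row and needs a blank line before it so it is not swallowed into the table.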
When you click the Yuhu Property Management Platform tile in the Access Panel, y
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Yuhu Property Management Platform with Azure AD](https://aad.portal.azure.com/)
+- [Try Yuhu Property Management Platform with Azure AD](https://aad.portal.azure.com/)
aks Kubernetes Walkthrough https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough.md
To learn more about AKS, and walk through a complete code to deployment example,
[kubernetes-concepts]: concepts-clusters-workloads.md [aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
-[az-aks-browse]: /cli/azure/aks#az-aks-browse
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
-[az-group-create]: /cli/azure/group#az-group-create
-[az-group-delete]: /cli/azure/group#az-group-delete
-[azure-cli-install]: /cli/azure/install-azure-cli
+[az-aks-browse]: /cli/azure/aks#az_aks_browse
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-group-create]: /cli/azure/group#az_group_create
+[az-group-delete]: /cli/azure/group#az_group_delete
+[azure-cli-install]: /cli/azure/install_azure_cli
[azure-monitor-containers]: ../azure-monitor/containers/container-insights-overview.md [sp-delete]: kubernetes-service-principal.md#additional-considerations [azure-portal]: https://portal.azure.com [kubernetes-deployment]: concepts-clusters-workloads.md#deployments-and-yaml-manifests [kubernetes-service]: concepts-network.md#services [kubernetes-dashboard]: kubernetes-dashboard.md
-[windows-container-cli]: windows-container-cli.md
+[windows-container-cli]: windows-container-cli.md
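Review bot: the last rewritten reference, `[azure-cli-install]: /cli/azure/install_azure_cli`, changes a path segment rather than an anchor fragment. The other six edits only replace hyphens with underscores after `#`, which is consistent with a change in the CLI reference's anchor naming, but `install-azure-cli` is the page slug and nothing in this diff shows that slug was renamed. Keep `/cli/azure/install-azure-cli`, or verify the underscore path resolves before merging.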
aks Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/policy-reference.md
Title: Built-in policy definitions for Azure Kubernetes Service description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
aks Security Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-baseline.md
description: The Azure Kubernetes Service security baseline provides procedural
Previously updated : 02/17/2021 Last updated : 03/30/2021
# Azure security baseline for Azure Kubernetes Service
-This security
-baseline applies guidance from the [Azure Security Benchmark version
-1.0](../security/benchmarks/overview-v1.md) to Azure Kubernetes. The Azure Security Benchmark
-provides recommendations on how you can secure your cloud solutions on Azure.
-The content is grouped by the **security controls** defined by the Azure
-Security Benchmark and the related guidance applicable to Azure Kubernetes. **Controls** not applicable to Azure Kubernetes have been excluded.
+This security baseline applies guidance from the [Azure Security Benchmark version1.0](../security/benchmarks/overview-v1.md) to Azure Kubernetes. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the **security controls** defined by the Azure Security Benchmark and the related guidance applicable to Azure Kubernetes. **Controls** not applicable to Azure Kubernetes, or for which the responsibility is Microsoft's, have been excluded.
-
-To see how Azure Kubernetes completely maps to the Azure
-Security Benchmark, see the [full Azure Kubernetes security baseline mapping
-file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
+To see how Azure Kubernetes completely maps to the Azure Security Benchmark, see the [full Azure Kubernetes security baseline mapping file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
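Review bot: joining the wrapped lines of the first paragraph dropped the space in `Azure Security Benchmark version1.0`; restore `version 1.0`. The two links in this hunk stay relative (`../security/benchmarks/overview-v1.md`, `https://github.com/...`) while the hunks further down in the same file rewrite relative links to absolute `https://docs.microsoft.com/...` and `/azure/...` paths; pick one link style for the file, since relative `.md` links are validated at build time and absolute ones only fail when clicked.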
## Network Security
Network Watcher is enabled automatically in your virtual network's region when y
If intrusion detection and/or prevention based on payload inspection or behavior analytics is not a requirement, an Azure Application Gateway with WAF can be used and configured in "detection mode" to log alerts and threats, or "prevention mode" to actively block detected intrusions and attacks. -- [Understand best practices for securing your AKS cluster with a WAF](./operator-best-practices-network.md#secure-traffic-with-a-web-application-firewall-waf)
+- [Understand best practices for securing your AKS cluster with a WAF](https://docs.microsoft.com/azure/aks/operator-best-practices-network#secure-traffic-with-a-web-application-firewall-waf)
- [How to deploy Azure Application Gateway (Azure WAF)](../web-application-firewall/ag/application-gateway-web-application-firewall-portal.md)
Additional information is available at the referenced links.
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md) -- [Azure Policy samples for networking](../governance/policy/samples/built-in-policies.md#network)
+- [Azure Policy samples for networking](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies#network)
**Responsibility**: Customer
Create alerts within Azure Monitor that will trigger when changes to critical ne
Use Azure Monitor logs to enable and query the logs from AKS the master components, kube-apiserver and kube-controller-manager. Create and manage the nodes that run the kubelet with container runtime and deploy their applications through the managed Kubernetes API server. -- [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](/azure/azure-monitor/platform/activity-log#view-the-activity-log)
-- [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
+- [How to create alerts in Azure Monitor](/azure/azure-monitor/platform/alerts-activity-log)
-- [Enable and review Kubernetes master node logs in Azure Kubernetes Service (AKS)](./view-control-plane-logs.md)
+- [Enable and review Kubernetes master node logs in Azure Kubernetes Service (AKS)](/azure/aks/view-master-logs)
**Responsibility**: Customer
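Review bot: the three link rewrites here change the target slug, not just the link form: `./view-control-plane-logs.md` becomes `/azure/aks/view-master-logs`, and `../azure-monitor/essentials/activity-log.md` and `../azure-monitor/alerts/alerts-activity-log.md` become `/azure/azure-monitor/platform/...`. Verify each of the new paths resolves (or is a live redirect) before merging, because the relative paths being replaced point at the current file names and the absolute ones look like earlier names of the same pages; the same check applies to the identical rewrites in the hunks below.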
Export these logs to Log Analytics or another storage platform. In Azure Monitor
Enable and on-board this data to Azure Sentinel or a third-party SIEM based on your organizational business requirements. -- [Review the Log schema including log roles here](./view-control-plane-logs.md)
+- [Review the Log schema including log roles here](/azure/aks/view-master-logs)
-- [Understand Azure Monitor for Containers](../azure-monitor/containers/container-insights-overview.md)
+- [Understand Azure Monitor for Containers](/azure/azure-monitor/insights/container-insights-overview)
-- [How to enable Azure Monitor for Containers](../azure-monitor/containers/container-insights-onboard.md)
+- [How to enable Azure Monitor for Containers](/azure/azure-monitor/insights/container-insights-onboard)
-- [Enable and review Kubernetes master node logs in Azure Kubernetes Service (AKS)](./view-control-plane-logs.md)
+- [Enable and review Kubernetes master node logs in Azure Kubernetes Service (AKS)](/azure/aks/view-master-logs)
**Responsibility**: Customer
Enable audit logs on AKS master components, such as:
Turn on other audit logs such as kube-audit as well. -- [How to enable and review Kubernetes master node logs in AKS](./view-control-plane-logs.md)
+- [How to enable and review Kubernetes master node logs in AKS](/azure/aks/view-master-logs)
**Responsibility**: Customer
Data collection is required to provide visibility into missing updates, misconfi
**Guidance**: Onboard your Azure Kubernetes Service (AKS) instances to Azure Monitor and set the corresponding Azure Log Analytics workspace retention period according to your organization's compliance requirements. -- [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
+- [How to set log retention parameters for Log Analytics Workspaces](/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period)
**Responsibility**: Customer
Use Azure Monitor's Log Analytics workspace to review logs and perform queries o
View the logs generated by AKS master components (kube-apiserver and kube-controllermanager) for troubleshooting your application and services. Enable and on-board data to Azure Sentinel or a third-party SIEM for centralized log management and monitoring. -- [How to enable and review Kubernetes master node logs in AKS](./view-control-plane-logs.md)
+- [How to enable and review Kubernetes master node logs in AKS](/azure/aks/view-master-logs)
- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md) -- [How to perform custom queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md)
+- [How to perform custom queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries)
**Responsibility**: Customer
Review Security Center alerts on threats and malicious activity detected at the
- [Security alerts reference guide](../security-center/alerts-reference.md) -- [Alerts for containers - Azure Kubernetes Service clusters](../security-center/alerts-reference.md#alerts-akscluster)
+- [Alerts for containers - Azure Kubernetes Service clusters](https://docs.microsoft.com/azure/security-center/alerts-reference#alerts-akscluster)
**Responsibility**: Customer
Create policies and procedures around the use of dedicated administrative accoun
**Guidance**: Use single sign-on for Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integrated authentication for an AKS cluster. -- [How to view Kubernetes logs, events, and pod metrics in real-time](../azure-monitor/containers/container-insights-livedata-overview.md)
+- [How to view Kubernetes logs, events, and pod metrics in real-time](/azure/azure-monitor/insights/container-insights-livedata-overview)
**Responsibility**: Customer
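Review bot: the guidance in this hunk is about single sign-on with Azure AD integrated authentication for AKS, but the only link under it, `How to view Kubernetes logs, events, and pod metrics in real-time`, is about live container data and does not support that guidance. Add a link to the article on integrating AKS with Azure AD; the live-data link belongs under one of the monitoring controls.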
Be aware of roles used for support or troubleshooting purposes. For example, any
**Guidance**: Integrate user authentication for Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD). Create Diagnostic Settings for Azure AD, sending the audit and sign-in logs to an Azure Log Analytics workspace. Configure desired Alerts (such as when a deactivated account attempts to log in) within an Azure Log Analytics workspace. - [How to integrate Azure Activity Logs into Azure Monitor](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) -- [How to create, view, and manage log alerts using Azure Monitor](../azure-monitor/alerts/alerts-log.md)
+- [How to create, view, and manage log alerts using Azure Monitor](/azure/azure-monitor/platform/alerts-log)
**Responsibility**: Customer
Configure alerts for proactive notification or log creation when CPU and memory
Use Azure Activity Log to monitor your AKS clusters and related resources at a high level. Integrate with Prometheus to view application and workload metrics it collects from nodes and Kubernetes using queries to create custom alerts, dashboards, and detailed perform detailed analysis. -- [Understand Azure Monitor for Containers](../azure-monitor/containers/container-insights-overview.md)
+- [Understand Azure Monitor for Containers](/azure/azure-monitor/insights/container-insights-overview)
-- [How to enable Azure Monitor for containers](../azure-monitor/containers/container-insights-onboard.md)
+- [How to enable Azure Monitor for containers](/azure/azure-monitor/insights/container-insights-onboard)
-- [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](/azure/azure-monitor/platform/activity-log#view-the-activity-log)
**Responsibility**: Customer
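Review bot: the context paragraph in this hunk reads `create custom alerts, dashboards, and detailed perform detailed analysis`; drop the first `detailed` so it reads `and perform detailed analysis`. Since the hunk already rewrites the three links below that sentence, the typo can be fixed in the same change.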
Note that the process to keep Windows Server nodes up to date differs from nodes
- [Understand how updates are applied to AKS cluster nodes running Linux](node-updates-kured.md) -- [How to upgrade an AKS node pool for AKS clusters that use Windows Server nodes](./use-multiple-node-pools.md#upgrade-a-node-pool)
+- [How to upgrade an AKS node pool for AKS clusters that use Windows Server nodes](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#upgrade-a-node-pool)
- [Azure Kubernetes Service (AKS) node image upgrades](node-image-upgrade.md)
Taints, labels or tags can be used to reconcile inventory on a regular basis and
- [Managed Clusters - Update Tags](/rest/api/aks/managedclusters/updatetags) -- [Specify a taint, label, or tag for a node pool](./use-multiple-node-pools.md#specify-a-taint-label-or-tag-for-a-node-pool)
+- [Specify a taint, label, or tag for a node pool](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#specify-a-taint-label-or-tag-for-a-node-pool)
**Responsibility**: Customer
Use Azure Resource Graph to query/discover resources within your subscriptions.
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md) -- [How to deny a specific resource type with Azure Policy](../governance/policy/samples/built-in-policies.md#general)
+- [How to deny a specific resource type with Azure Policy](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies#general)
**Responsibility**: Customer
Refer to the list of Center for Internet Security (CIS) controls which are built
- [Security hardening for AKS agent node host OS](security-hardened-vm-host-image.md) -- [Understand state configuration of AKS clusters](./concepts-clusters-workloads.md#control-plane)
+- [Understand state configuration of AKS clusters](https://docs.microsoft.com/azure/aks/concepts-clusters-workloads#control-plane)
- [Understand security hardening in AKS virtual machine hosts](security-hardened-vm-host-image.md)
Create custom policies to audit, and enforce system configurations. Develop a pr
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md) -- [How to use aliases](../governance/policy/concepts/definition-structure.md#aliases)
+- [How to use aliases](https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure#aliases)
**Responsibility**: Customer
Refer to the list of Center for Internet Security (CIS) controls which are built
- [Understand security hardening in AKS virtual machine hosts](security-hardened-vm-host-image.md) -- [Understand state configuration of AKS clusters](./concepts-clusters-workloads.md#control-plane)
+- [Understand state configuration of AKS clusters](https://docs.microsoft.com/azure/aks/concepts-clusters-workloads#control-plane)
**Responsibility**: Customer
Avoid the use of fixed or shared credentials.
- [Security concepts for applications and clusters in Azure Kubernetes Service (AKS)](concepts-security.md) -- [How to use Key Vault with your AKS cluster](./developer-best-practices-pod-security.md#limit-credential-exposure)
+- [How to use Key Vault with your AKS cluster](https://docs.microsoft.com/azure/aks/developer-best-practices-pod-security#limit-credential-exposure)
**Responsibility**: Customer
Note that Pod managed identities are intended for use with Linux pods and contai
Service principals can also be used in AKS clusters. However, clusters using service principals eventually may reach a state in which the service principal must be renewed to keep the cluster working. Managing service principals adds complexity, which is why it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. -- [Understand Managed Identities and Key Vault with Azure Kubernetes Service (AKS)](./developer-best-practices-pod-security.md#limit-credential-exposure)
+- [Understand Managed Identities and Key Vault with Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/developer-best-practices-pod-security#limit-credential-exposure)
- [Azure AD Pod Identity](https://github.com/Azure/aad-pod-identity)
Limit credential exposure by not defining credentials in your application code.
- [Security alerts reference guide](../security-center/alerts-reference.md) -- [Alerts for containers - Azure Kubernetes Service clusters](../security-center/alerts-reference.md#alerts-akscluster)
+- [Alerts for containers - Azure Kubernetes Service clusters](https://docs.microsoft.com/azure/security-center/alerts-reference#alerts-akscluster)
-- [AKS shared responsibility and Daemon Sets](./support-policies.md#shared-responsibility)
+- [AKS shared responsibility and Daemon Sets](https://docs.microsoft.com/azure/aks/support-policies#shared-responsibility)
**Responsibility**: Shared
Limit credential exposure by not defining credentials in your application code.
- [Security alerts reference guide](../security-center/alerts-reference.md) -- [Alerts for containers - Azure Kubernetes Service clusters](../security-center/alerts-reference.md#alerts-akscluster)
+- [Alerts for containers - Azure Kubernetes Service clusters](https://docs.microsoft.com/azure/security-center/alerts-reference#alerts-akscluster)
-- [AKS shared responsibility and Daemon Sets](./support-policies.md#shared-responsibility)
+- [AKS shared responsibility and Daemon Sets](https://docs.microsoft.com/azure/aks/support-policies#shared-responsibility)
**Responsibility**: Shared
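Review bot: this hunk repeats the previous one line for line (same context `Limit credential exposure by not defining credentials in your application code.`, the same two `Security alerts` links, the same `AKS shared responsibility and Daemon Sets` rewrite and the same `**Responsibility**: Shared`). Confirm whether the baseline really contains this block twice under different controls; if it is a copy-paste duplicate, remove one rather than rewriting links in both.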
Perform regular automated backups of Key Vault Certificates, Keys, Managed Stora
- [How to backup Key Vault Secrets](/powershell/module/azurerm.keyvault/backup-azurekeyvaultsecret) -- [How to enable Azure Backup](../backup/index.yml)
+- [How to enable Azure Backup](/azure/backup/)
**Responsibility**: Customer
Perform regular automated backups of Key Vault Certificates, Keys, Managed Stora
Periodically perform data restoration of Key Vault Certificates, Keys, Managed Storage Accounts, and Secrets, with PowerShell commands. -- [How to restore Key Vault Certificates](/powershell/module/az.keyvault/restore-azkeyvaultcertificate?amp;preserve-view=true&view=azps-4.8.0)
+- [How to restore Key Vault Certificates](/powershell/module/az.keyvault/restore-azkeyvaultcertificate)
-- [How to restore Key Vault Keys](/powershell/module/az.keyvault/restore-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to restore Key Vault Keys](/powershell/module/az.keyvault/restore-azkeyvaultkey)
- [How to restore Key Vault Managed Storage Accounts](/powershell/module/az.keyvault/backup-azkeyvaultmanagedstorageaccount) -- [How to restore Key Vault Secrets](/powershell/module/az.keyvault/restore-azkeyvaultsecret?amp;preserve-view=true&view=azps-4.8.0)
+- [How to restore Key Vault Secrets](/powershell/module/az.keyvault/restore-azkeyvaultsecret)
-- [How to recover files from Azure Virtual Machine backup](../backup/backup-azure-restore-files-from-vm.md)
+- [How to recover files from Azure Virtual Machine backup](/azure/backup/backup-azure-restore-files-from-vm)
**Responsibility**: Customer
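Review bot: in the context line `- [How to restore Key Vault Managed Storage Accounts](/powershell/module/az.keyvault/backup-azkeyvaultmanagedstorageaccount)` the link text says restore but the target is the `backup-` cmdlet page. Since this hunk already normalizes the neighbouring restore links (dropping the `?amp;preserve-view=true&view=azps-4.8.0` query strings, which also removes the malformed `?amp;`), point this one at the corresponding `restore-` cmdlet page following the pattern of the other three links, after verifying it exists.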
Enable Soft-Delete in Key Vault to protect keys against accidental or malicious
- [Understand Azure Storage Service Encryption](../storage/common/storage-service-encryption.md) -- [How to enable Soft-Delete in Key Vault](../storage/blobs/soft-delete-blob-overview.md?tabs=azure-portal)
+- [How to enable Soft-Delete in Key Vault](https://docs.microsoft.com/azure/storage/blobs/soft-delete-blob-overview?tabs=azure-portal)
**Responsibility**: Customer
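Review bot: the link text `How to enable Soft-Delete in Key Vault` points at the storage blob soft-delete page (`storage/blobs/soft-delete-blob-overview`) both before and after the change, while the guidance line above it is about protecting keys in Key Vault; rewriting the URL to its absolute form keeps the wrong target. Point it at the Key Vault soft-delete documentation instead.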
Choose the Security Center data connector to stream the alerts to Azure Sentinel
## Next steps -- See the [Azure Security Benchmark V2 overview](../security/benchmarks/overview.md)-- Learn more about [Azure security baselines](../security/benchmarks/security-baselines-overview.md)
+- See the [Azure Security Benchmark V2 overview](/azure/security/benchmarks/overview)
+- Learn more about [Azure security baselines](/azure/security/benchmarks/security-baselines-overview)
aks Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
aks Servicemesh Osm About https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/servicemesh-osm-about.md
+
+ Title: Open Service Mesh (Preview)
+description: Open Service Mesh (OSM) in Azure Kubernetes Service (AKS)
++ Last updated : 3/12/2021++
+zone_pivot_groups: client-operating-system
++
+# Open Service Mesh AKS add-on (Preview)
+
+## Overview
+
+[Open Service Mesh (OSM)](https://docs.openservicemesh.io/) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
+
+OSM runs an Envoy-based control plane on Kubernetes, can be configured with [SMI](https://smi-spec.io/) APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. The Envoy proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures proxies to ensure policies and routing rules are up to date and ensures proxies are healthy.
++
+## Capabilities and Features
+
+OSM provides the following set of capabilities and features to provide a cloud native service mesh for your Azure Kubernetes Service (AKS) clusters:
+
+- Secure service to service communication by enabling mTLS
+
+- Easily onboard applications onto the mesh by enabling automatic sidecar injection of Envoy proxy
+
+- Easily and transparent configurations for traffic shifting on deployments
+
+- Ability to define and execute fine grained access control policies for services
+
+- Observability and insights into application metrics for debugging and monitoring services
+
+- Integration with external certificate management services/solutions with a pluggable interface
+
+## Scenarios
+
+OSM can assist your AKS deployments with the following scenarios:
+
+- Provide encrypted communications between service endpoints deployed in the cluster
+
+- Traffic authorization of both HTTP/HTTPS and TCP traffic in the mesh
+
+- Configuration of weighted traffic controls between two or more services for A/B or canary deployments
+
+- Collection and viewing of KPIs from application traffic
+
+## OSM Service Quotas and Limits (Preview)
+
+OSM preview limitations for service quotas and limits can be found on the AKS [Quotas and regional limits page](https://docs.microsoft.com/azure/aks/quotas-skus-regions).
++++++++++
+> [!WARNING]
+> Do not attempt to install OSM from the binary using `osm install`. This will result in a installation of OSM that is not integrated as an add-on for AKS.
+
+### Register the `AKS-OpenServiceMesh` preview feature
+
+To create an AKS cluster that can use the Open Service Mesh add-on, you must enable the `AKS-OpenServiceMesh` feature flag on your subscription.
+
+Register the `AKS-OpenServiceMesh` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "AKS-OpenServiceMesh"
+```
+
+It takes a few minutes for the status to show _Registered_. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-OpenServiceMesh')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the _Microsoft.ContainerService_ resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
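Review bot: the warning `Do not attempt to install OSM from the binary using osm install` tells readers what not to do but not what to do instead; add that the add-on is enabled with `az aks create -a open-service-mesh` or `az aks enable-addons --addons open-service-mesh`, which is exactly what the sections below describe, and fix `a installation` to `an installation`. The feature registration steps are fine, but it is worth stating that `az feature register` is a subscription-wide change, since the text says the flag is enabled `on your subscription`.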
++
+## Install Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for a new AKS cluster
+
+For a new AKS cluster deployment scenario, you will start with a brand new deployment of an AKS cluster enabling the OSM add-on at the cluster create operation.
+
+### Create a resource group
+
+In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az-group-create). The following example creates a resource group named _myOsmAksGroup_ in the _eastus2_ location (region):
+
+```azurecli-interactive
+az group create --name <myosmaksgroup> --location <eastus2>
+```
+
+### Deploy an AKS cluster with the OSM add-on enabled
+
+You'll now deploy a new AKS cluster with the OSM add-on enabled.
+
+> [!NOTE]
+> Please be aware the following AKS deployment command utilizes OS ephemeral disks. You can find more information here about [Ephemeral OS disks for AKS](https://docs.microsoft.com/azure/aks/cluster-configuration#ephemeral-os)
+
+```azurecli-interactive
+az aks create -n osm-addon-cluster -g <myosmaksgroup> --kubernetes-version 1.19.6 --node-osdisk-type Ephemeral --node-osdisk-size 30 --network-plugin azure --enable-managed-identity -a open-service-mesh
+```
+
+#### Get AKS Cluster Access Credentials
+
+Get access credentials for the new managed Kubernetes cluster.
+
+```azurecli-interactive
+az aks get-credentials -n <myosmakscluster> -g <myosmaksgroup>
+```
+
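Review bot: the cluster name used at creation (`az aks create -n osm-addon-cluster …`) does not match the one used to fetch credentials (`az aks get-credentials -n <myosmakscluster> …`), so readers following the steps literally get a not-found error; use one name, or the same `<…>` placeholder, in both commands. Likewise the prose says the group is created as `myOsmAksGroup` in `eastus2` while the command uses `<myosmaksgroup>` and `<eastus2>`; angle-bracket placeholders typed into a shell are parsed as redirections, so either show literal values or say that the brackets must be replaced. Pinning `--kubernetes-version 1.19.6` will go stale quickly and the `Before you begin` section below only requires `1.19+`; consider dropping the pin or stating the minimum instead.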
+## Enable Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for an existing AKS cluster
+
+For an existing AKS cluster scenario, you will enable the OSM add-on to an existing AKS cluster that has already been deployed.
+
+### Enable the OSM add-on to existing AKS cluster
+
+To enable the AKS OSM add-on, you will need to run the `az aks enable-addons --addons` command passing the parameter `open-service-mesh`
+
+```azurecli-interactive
+az aks enable-addons --addons open-service-mesh -g <resource group name> -n <AKS cluster name>
+```
+
+You should see output similar to the output shown below to confirm the AKS OSM add-on has been installed.
+
+```json
+{- Finished ..
+ "aadProfile": null,
+ "addonProfiles": {
+ "KubeDashboard": {
+ "config": null,
+ "enabled": false,
+ "identity": null
+ },
+ "openServiceMesh": {
+ "config": {},
+ "enabled": true,
+ "identity": {
+...
+```
+
+## Validate the AKS OSM add-on installation
+
+There are several commands to run to check all of the components of the AKS OSM add-on are enabled and running:
+
+First we can query the add-on profiles of the cluster to check the enabled state of the add-ons installed. The following command should return "true".
+
+```azurecli-interactive
+az aks list -g <resource group name> -o json | jq -r '.[].addonProfiles.openServiceMesh.enabled'
+```
+
+The following `kubectl` commands will report the status of the osm-controller.
+
+```azurecli-interactive
+kubectl get deployments -n kube-system --selector app=osm-controller
+kubectl get pods -n kube-system --selector app=osm-controller
+kubectl get services -n kube-system --selector app=osm-controller
+```
+
+## Accessing the AKS OSM add-on
+
+Currently you can access and configure the OSM controller configuration via the configmap. To view the OSM controller configuration settings, query the osm-config configmap via `kubectl` to view its configuration settings.
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output of the OSM configmap should look like the following:
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254/32,168.63.129.16/32,<YOUR_API_SERVER_PUBLIC_IP>/32",
+ "permissive_traffic_policy_mode": "true",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
+> [!WARNING]
+> Before proceeding please verify that your permissive traffic policy mode is set to true, if not please change it to **true** using the command below
+
+```OSM Permissive Mode to True
+kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"permissive_traffic_policy_mode":"true"}}'
+```
+
+## Deploy a new application to be managed by the Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on
+
+### Before you begin
+
+The steps detailed in this walkthrough assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- OSM version v0.8.0 or later
+- apt-get install jq
+
+### Create namespaces for the application
+
+In this walkthrough, we will be using the OSM bookstore application that has the following Kubernetes
+
+- bookbuyer
+- bookthief
+- bookstore
+- bookwarehouse
+
+Create namespaces for each of these application components.
+
+```azurecli-interactive
+for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
+```
+
+You should see the following output:
+
+```Output
+namespace/bookstore created
+namespace/bookbuyer created
+namespace/bookthief created
+namespace/bookwarehouse created
+```
+
+### Onboard the namespaces to be managed by OSM
+
+When you add the namespaces to the OSM mesh, this will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
+
+```azurecli-interactive
+osm namespace add bookstore bookbuyer bookthief bookwarehouse
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+Namespace [bookbuyer] successfully added to mesh [osm]
+Namespace [bookthief] successfully added to mesh [osm]
+Namespace [bookwarehouse] successfully added to mesh [osm]
+```
+
+### Deploy the Bookstore application to the AKS cluster
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
+```
+
+All of the deployment outputs are summarized below.
+
+```Output
+serviceaccount/bookbuyer created
+service/bookbuyer created
+deployment.apps/bookbuyer created
+
+serviceaccount/bookthief created
+service/bookthief created
+deployment.apps/bookthief created
+
+service/bookstore created
+serviceaccount/bookstore created
+deployment.apps/bookstore created
+
+serviceaccount/bookwarehouse created
+service/bookwarehouse created
+deployment.apps/bookwarehouse created
+```
+
+### Checkpoint: What got installed?
+
+The example Bookstore application is a multi-tiered app that consists of four services, being the bookbuyer, bookthief, bookstore, and bookwarehouse. Both the bookbuyer and bookthief service communicate to the bookstore service to retrieve books from the bookstore service. The bookstore service retrieves books out of the bookwarehouse service to supply the bookbuyer and bookthief. This is a simple multi-tiered application that works well in showing how a service mesh can be used to protect and authorize communications between the applications services. As we continue through the walkthrough, we will be enabling and disabling Service Mesh Interface (SMI) policies to both allow and disallow the services to communicate via OSM. Below is an architecture diagram of what got installed for the bookstore application.
+
+![OSM bookbuyer app architecture](./media/aks-osm-addon/osm-bookstore-app-arch.png)
+
+### Verify the Bookstore application running inside the AKS cluster
+
+As of now we have deployed the bookstore mulit-container application, but it is only accessible from within the AKS cluster. Later tutorials will assist you in exposing the application outside the cluster via an ingress controller. For now we will be utilizing port forwarding to access the bookbuyer application inside the AKS cluster to verify it is buying books from the bookstore service.
+
+To verify that the application is running inside the cluster, we will use a port forward to view both the bookbuyer and bookthief components UI.
+
+First let's get the bookbuyer pod's name
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
+```
+
+Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specified bookbuyer pod name.
+
+> [!NOTE]
+> For all port forwarding commands it is best to use an additional terminal so that you can continue to work through this walkthrough and not disconnect the tunnel. It is also best that you establish the port forward tunnel outside of the Azure Cloud Shell.
+
+```Bash
+kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
+```
+
+You should see output similar to this.
+
+```Output
+Forwarding from 127.0.0.1:8080 -> 14001
+Forwarding from [::1]:8080 -> 14001
+```
+
+While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
+
+![OSM bookbuyer app UI image](./media/aks-osm-addon/osm-bookbuyer-service-ui.png)
+
+You will also notice that the total books bought number continues to increment to the bookstore v1 service. The bookstore v2 service has not been deployed yet. We will deploy the bookstore v2 service when we demonstrate the SMI traffic split policies.
+
+You can also check the same for the bookthief service.
+
+```azurecli-interactive
+kubectl get pod -n bookthief
+```
+
+You should see output similar to the following. Your bookthief pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookthief-59549fb69c-cr8vl 2/2 Running 0 15m54s
+```
+
+Port forward to bookthief pod.
+
+```Bash
+kubectl port-forward bookthief-59549fb69c-cr8vl -n bookthief 8080:14001
+```
+
+Navigate to the following url from a browser `http://localhost:8080`. You should see the bookthief is currently stealing books from the bookstore service! Later on we will implement a traffic policy to stop the bookthief.
+
+![OSM bookthief app UI image](./media/aks-osm-addon/osm-bookthief-service-ui.png)
+
+### Disable OSM Permissive Traffic Mode for the mesh
+
+As mentioned earlier when viewing the OSM cluster configuration, the OSM configuration defaults to enabling permissive traffic mode policy. In this mode traffic policy enforcement is bypassed and OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
+We will now disable the permissive traffic mode policy and OSM will need explicit [SMI](https://smi-spec.io/) policies deployed to the cluster to allow communications in the mesh from each service. To disable permissive traffic mode, run the following command to update the configmap property changing the value from `true` to `false`.
+
+```azurecli-interactive
+kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"permissive_traffic_policy_mode":"false"}}'
+```
+
+You should see output similar to the following. Your bookthief pod will have a unique name appended.
+
+```Output
+configmap/osm-config patched
+```
+
+To verify permissive traffic mode has been disabled, port forward back into either the bookbuyer or bookthief pod to view their UI in the browser and see if the books bought or books stolen is no longer incrementing. Ensure to refresh the browser. If the incrementing has stopped, the policy was applied correctly. You have successfully stopped the bookthief from stealing books, but neither the bookbuyer can purchase from the bookstore nor the bookstore can retrieve books from the bookwarehouse. Next we will implement [SMI](https://smi-spec.io/) policies to allow only the services in the mesh you'd like to communicate to do so.
+
+### Apply Service Mesh Interface (SMI) traffic access policies
+
+Now that we have disabled all communications in the mesh, let's allow our bookbuyer service to communicate to our bookstore service for purchasing books, and allow our bookstore service to communicate to our bookwarehouse service to retrieving books to sell.
+
+Deploy the following [SMI](https://smi-spec.io/) policies.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: access.smi-spec.io/v1alpha3
+kind: TrafficTarget
+metadata:
+ name: bookbuyer-access-bookstore
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookstore-service-routes
+ namespace: bookstore
+spec:
+ matches:
+ - name: books-bought
+ pathRegex: /books-bought
+ methods:
+ - GET
+ headers:
+ - "user-agent": ".*-http-client/*.*"
+ - "client-app": "bookbuyer"
+ - name: buy-a-book
+ pathRegex: ".*a-book.*new"
+ methods:
+ - GET
+ - name: update-books-bought
+ pathRegex: /update-books-bought
+ methods:
+ - POST
+
+kind: TrafficTarget
+apiVersion: access.smi-spec.io/v1alpha3
+metadata:
+ name: bookstore-access-bookwarehouse
+ namespace: bookwarehouse
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookwarehouse
+ namespace: bookwarehouse
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookwarehouse-service-routes
+ matches:
+ - restock-books
+ sources:
+ - kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ - kind: ServiceAccount
+ name: bookstore-v2
+ namespace: bookstore
+
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookwarehouse-service-routes
+ namespace: bookwarehouse
+spec:
+ matches:
+ - name: restock-books
+ methods:
+ - POST
+ headers:
+ - host: bookwarehouse.bookwarehouse
+EOF
+```
+
+You should see output similar to the following.
+
+```Output
+traffictarget.access.smi-spec.io/bookbuyer-access-bookstore-v1 created
+httproutegroup.specs.smi-spec.io/bookstore-service-routes created
+traffictarget.access.smi-spec.io/bookstore-access-bookwarehouse created
+httproutegroup.specs.smi-spec.io/bookwarehouse-service-routes created
+```
+
+You can now set up a port forwarding session on either the bookbuyer or bookstore pods and see that both the books bought and books sold metrics are back incrementing. You can also do the same for the bookthief pod to verify it is still no longer able to steal books.
+
+### Apply Service Mesh Interface (SMI) traffic split policies
+
+For our final demonstration, we will create an [SMI](https://smi-spec.io/) traffic split policy to configure the weight of communications from one service to multiple services as a backend. The traffic split functionality allows you to progressively move connections to one service over to another by weighting the traffic on a scale of 0 to 100.
+
+The below graphic is a diagram of the [SMI](https://smi-spec.io/) Traffic Split policy to be deployed. We will deploy an additional Bookstore version 2 and then split the incoming traffic from the bookbuyer, weighting 25% of the traffic to the bookstore v1 service and 75% to the bookstore v2 service.
+
+![OSM bookbuyer traffic split diagram](./media/aks-osm-addon/osm-bookbuyer-traffic-split-diagram.png)
+
+Deploy the bookstore v2 service.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: bookstore-v2
+ namespace: bookstore
+ labels:
+ app: bookstore-v2
+spec:
+ ports:
+ - port: 14001
+ name: bookstore-port
+ selector:
+ app: bookstore-v2
+
+# Deploy bookstore-v2 Service Account
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookstore-v2
+ namespace: bookstore
+
+# Deploy bookstore-v2 Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bookstore-v2
+ namespace: bookstore
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bookstore-v2
+ template:
+ metadata:
+ labels:
+ app: bookstore-v2
+ spec:
+ serviceAccountName: bookstore-v2
+ containers:
+ - name: bookstore
+ image: openservicemesh/bookstore:v0.8.0
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 14001
+ name: web
+ command: ["/bookstore"]
+ args: ["--path", "./", "--port", "14001"]
+ env:
+ - name: BOOKWAREHOUSE_NAMESPACE
+ value: bookwarehouse
+ - name: IDENTITY
+ value: bookstore-v2
+
+kind: TrafficTarget
+apiVersion: access.smi-spec.io/v1alpha3
+metadata:
+ name: bookbuyer-access-bookstore-v2
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore-v2
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+EOF
+```
+
+You should see the following output.
+
+```Output
+service/bookstore-v2 configured
+serviceaccount/bookstore-v2 created
+deployment.apps/bookstore-v2 created
+traffictarget.access.smi-spec.io/bookstore-v2 created
+```
+
+Now deploy the traffic split policy to split the bookbuyer traffic between the two bookstore v1 and v2 service.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+apiVersion: split.smi-spec.io/v1alpha2
+kind: TrafficSplit
+metadata:
+ name: bookstore-split
+ namespace: bookstore
+spec:
+ service: bookstore.bookstore
+ backends:
+ - service: bookstore
+ weight: 25
+ - service: bookstore-v2
+ weight: 75
+EOF
+```
+
+You should see the following output.
+
+```Output
+trafficsplit.split.smi-spec.io/bookstore-split created
+```
+
+Set up a port forward tunnel to the bookbuyer pod and you should now see books being purchased from the bookstore v2 service. If you continue to watch the increment of purchases you should notice a faster increment of purchases happening through the bookstore v2 service.
+
+![OSM bookbuyer books boough UI](./media/aks-osm-addon/osm-bookbuyer-traffic-split-ui.png)
+
+## Manage existing deployed applications to be managed by the Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on
+
+### Before you begin
+
+The steps detailed in this walkthrough assume that you have previously enabled the OSM AKS add-on for your AKS cluster. If not, review the section [Enable Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for an existing AKS cluster](#enable-open-service-mesh-osm-azure-kubernetes-service-aks-add-on-for-an-existing-aks-cluster) before proceeding. Also, your AKS cluster needs to be version Kubernetes `1.19+` and above, have Kubernetes RBAC enabled, and have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- OSM version v0.8.0 or later
+- apt-get install jq
+
+### Verify the Open Service Mesh (OSM) Permissive Traffic Mode Policy
+
+The OSM Permissive Traffic Policy mode is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
+To verify the current permissive traffic mode of OSM for your cluster, run the following command:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output of the OSM configmap should look like the following:
+
+```Output
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "envoy_log_level": "error",
+ "permissive_traffic_policy_mode": "true",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+If the **permissive_traffic_policy_mode** is configured to **true**, you can safely onboard your namespaces without any disruption to your service-to-service communications. If the **permissive_traffic_policy_mode** is configured to **false**, You will need to ensure you have the correct [SMI](https://smi-spec.io/) traffic access policy manifests deployed as well as ensuring you have a service account representing each service deployed in the namespace. Please follow the guidance for [Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as False](#onboard-existing-deployed-applications-with-open-service-mesh-osm-permissive-traffic-policy-configured-as-false)
+
+### Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as True
+
+The first thing we'll do is add the deployed application namespace(s) to OSM to manage.
+
+```azurecli-interactive
+osm namespace add bookstore
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+```
+
+Next we will take a look at the current pod deployment in the namespace. Run the following command to view the pods in the designated namespace.
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see the following similar output:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-78666dcff8-wh6wl 1/1 Running 0 43s
+```
+
+Notice the **READY** column showing **1/1**, meaning that the application pod has only one container. Next we will need to restart your application deployments so that OSM can inject the Envoy sidecar proxy container with your application pod. Let's get a list of deployments in the namespace.
+
+```azurecli-interactive
+kubectl get deployment -n bookbuyer
+```
+
+You should see the following output:
+
+```Output
+NAME READY UP-TO-DATE AVAILABLE AGE
+bookbuyer 1/1 1 1 23h
+```
+
+Now we will restart the deployment to inject the Envoy sidecar proxy container with your application pod. Run the following command.
+
+```azurecli-interactive
+kubectl rollout restart deployment bookbuyer -n bookbuyer
+```
+
+You should see the following output:
+
+```Output
+deployment.apps/bookbuyer restarted
+```
+
+If we take a look at the pods in the namespace again:
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You will now notice that the **READY** column is now showing **2/2** containers being ready for your pod. The second container is the Envoy sidecar proxy.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-84446dd5bd-j4tlr 2/2 Running 0 3m30s
+```
+
+We can further inspect the pod to view the Envoy proxy by running the describe command to view the configuration.
+
+```azurecli-interactive
+kubectl describe pod bookbuyer-84446dd5bd-j4tlr -n bookbuyer
+```
+
+```Output
+Containers:
+ bookbuyer:
+ Container ID: containerd://b7503b866f915711002292ea53970bd994e788e33fb718f1c4f8f12cd4a88198
+ Image: openservicemesh/bookbuyer:v0.8.0
+ Image ID: docker.io/openservicemesh/bookbuyer@sha256:813874bd2dc9c5a259b9657995348cf0822b905e29c4e86f21fdefa0ef21dcee
+ Port: <none>
+ Host Port: <none>
+ Command:
+ /bookbuyer
+ State: Running
+ Started: Tue, 23 Mar 2021 10:52:53 -0400
+ Ready: True
+ Restart Count: 0
+ Environment:
+ BOOKSTORE_NAMESPACE: bookstore
+ BOOKSTORE_SVC: bookstore
+ Mounts:
+ /var/run/secrets/kubernetes.io/serviceaccount from bookbuyer-token-zft2r (ro)
+ envoy:
+ Container ID: containerd://f5f1cb5db8d5304e23cc984eb08146ea162a3e82d4262c4472c28d5579c25e10
+ Image: envoyproxy/envoy-alpine:v1.17.1
+ Image ID: docker.io/envoyproxy/envoy-alpine@sha256:511e76b9b73fccd98af2fbfb75c34833343d1999469229fdfb191abd2bbe3dfb
+ Ports: 15000/TCP, 15003/TCP, 15010/TCP
+ Host Ports: 0/TCP, 0/TCP, 0/TCP
+```
+
+Verify your application is still functional after the Envoy sidecar proxy injection.
+
+### Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as False
+
+When the OSM configuration for the permissive traffic policy is set to `false`, OSM will require explicit [SMI](https://smi-spec.io/) traffic access policies deployed for the service-to-service communication to happen within your cluster. Currently, OSM also uses Kubernetes service accounts as part of authorizing service-to-service communications as well. To ensure your existing deployed applications will communicate when managed by the OSM mesh, we will need to verify the existence of a service account to utilize, update the application deployment with the service account information, apply the [SMI](https://smi-spec.io/) traffic access policies.
+
+#### Verify Kubernetes Service Accounts
+
+Verify if you have a kubernetes service account in the namespace your application is deployed to.
+
+```azurecli-interactive
+kubectl get serviceaccounts -n bookbuyer
+```
+
+In the following there is a service account named `bookbuyer` in the bookbuyer namespace.
+
+```Output
+NAME SECRETS AGE
+bookbuyer 1 25h
+default 1 25h
+```
+
+If you do not have a service account listed other than the default account, you will need to create one for your application. Use the following command as an example to create a service account in the application's deployed namespace.
+
+```azurecli-interactive
+kubectl create serviceaccount myserviceaccount -n bookbuyer
+```
+
+```Output
+serviceaccount/myserviceaccount created
+```
+
+#### View your application's current deployment specification
+
+If you had to create a service account from the earlier section, chances are your application deployment is not configured with a specific `serviceAccountName` in the deployment spec. We can view your application's deployment spec with the following commands:
+
+```azurecli-interactive
+kubectl get deployment -n bookbuyer
+```
+
+A list of deployments will be listed in the output.
+
+```Output
+NAME READY UP-TO-DATE AVAILABLE AGE
+bookbuyer 1/1 1 1 25h
+```
+
+We will now describe the deployment as a check to see if there is a service account listed in the Pod Template section.
+
+```azurecli-interactive
+kubectl describe deployment bookbuyer -n bookbuyer
+```
+
+In this particular deployment you can see that there is a service account associated with the deployment listed under the Pod Template section. This deployment is using the service account bookbuyer. If you do not see the **Serivce Account:** property, your deployment is not configured to use a service account.
+
+```Output
+Pod Template:
+ Labels: app=bookbuyer
+ version=v1
+ Annotations: kubectl.kubernetes.io/restartedAt: 2021-03-23T10:52:49-04:00
+ Service Account: bookbuyer
+ Containers:
+ bookbuyer:
+ Image: openservicemesh/bookbuyer:v0.8.0
+
+```
+
+There are several techniques to update your deployment to add a kubernetes service account. Review the Kubernetes documentation on [Updating a Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment) inline, or [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). Once you have updated your deployment spec with the service account, redeploy (kubectl apply -f your-deployment.yaml) your deployment to the cluster.
+
+#### Deploy the necessary Service Mesh Interface (SMI) Policies
+
+The last step to allowing authorized traffic to flow in the mesh is to deploy the necessary [SMI](https://smi-spec.io/) traffic access policies for your application. The amount of configuration you can achieve with [SMI](https://smi-spec.io/) traffic access policies is beyond the scope of this walkthrough, but we will detail some of the common components of the specification and show how to configure both a simple TrafficTarget and HTTPRouteGroup policy to enable service-to-service communication for your application.
+
+The [SMI](https://smi-spec.io/) [**Traffic Access Control**](https://github.com/servicemeshinterface/smi-spec/blob/main/apis/traffic-access/v1alpha3/traffic-access.md#traffic-access-control) specification allows users to define the access control policy for their applications. We will focus on the **TrafficTarget** and **HTTPRoutGroup** api resources.
+
+The TrafficTarget resource consists of three main configuration settings destination, rules, and sources. An example TrafficTarget is shown below.
+
+```TrafficTarget Example spec
+apiVersion: access.smi-spec.io/v1alpha3
+kind: TrafficTarget
+metadata:
+ name: bookbuyer-access-bookstore-v1
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+```
+
+In the above TrafficTarget spec, the `destination` denotes the service account that is configured for the destination source service. Remember the service account that was added to the deployment earlier will be used to authorize access to the deployment it is attached to. The `rules` section , in this particular example, defines the type of HTTP traffic that is allowed over the connection. You can configure fine grain regex patterns for the HTTP headers to be specific on what traffic is allowed via HTTP. The `sources` section is the service originating communications. This spec reads bookbuyer needs to communicate to the bookstore.
+
+The HTTPRouteGroup resource consists of one or an array of matches of HTTP header information and is a requirement for the TrafficTarget spec. In the example below, you can see that the HTTPRouteGroup is authorizing three HTTP actions, two GET and one POST.
+
+```HTTPRouteGroup Example Spec
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookstore-service-routes
+ namespace: bookstore
+spec:
+ matches:
+ - name: books-bought
+ pathRegex: /books-bought
+ methods:
+ - GET
+ headers:
+ - "user-agent": ".*-http-client/*.*"
+ - "client-app": "bookbuyer"
+ - name: buy-a-book
+ pathRegex: ".*a-book.*new"
+ methods:
+ - GET
+ - name: update-books-bought
+ pathRegex: /update-books-bought
+ methods:
+ - POST
+```
+
+If you are not familiar with the type of HTTP traffic your front-end application makes to other tiers of the application, since the TrafficTarget spec requires a rule, you can create the equivalent of an allow all rule using the below spec for HTTPRouteGroup.
+
+```HTTPRouteGroup Allow All Example
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: allow-all
+ namespace: yournamespace
+spec:
+ matches:
+ - name: allow-all
+ pathRegex: '.*'
+ methods: ["GET","PUT","POST","DELETE","PATCH"]
+```
+
+Once you configure your TrafficTarget and HTTPRouteGroup spec, you can put them together as one YAML and deploy. Below is the bookstore example configuration.
+
+```Bookstore Example TrafficTarget and HTTPRouteGroup configuration
+kubectl apply -f - <<EOF
+
+apiVersion: access.smi-spec.io/v1alpha3
+kind: TrafficTarget
+metadata:
+ name: bookbuyer-access-bookstore-v1
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookstore-service-routes
+ namespace: bookstore
+spec:
+ matches:
+ - name: books-bought
+ pathRegex: /books-bought
+ methods:
+ - GET
+ headers:
+ - "user-agent": ".*-http-client/*.*"
+ - "client-app": "bookbuyer"
+ - name: buy-a-book
+ pathRegex: ".*a-book.*new"
+ methods:
+ - GET
+ - name: update-books-bought
+ pathRegex: /update-books-bought
+ methods:
+ - POST
+EOF
+```
+
+Visit the [SMI](https://smi-spec.io/) site for more detailed information on the specification.
+
+### Manage the application's namespace with OSM
+
+Next we will configure OSM to manage the namespace and restart the deployments to get the Envoy sidecar proxy injected with the application.
+
+Run the following command to configure the `azure-vote` namespace to be managed my OSM.
+
+```azurecli-interactive
+osm namespace add azure-vote
+```
+
+```Output
+Namespace [azure-vote] successfully added to mesh [osm]
+```
+
+Next restart both the `azure-vote-front` and `azure-vote-back` deployments with the following commands.
+
+```azurecli-interactive
+kubectl rollout restart deployment azure-vote-front -n azure-vote
+kubectl rollout restart deployment azure-vote-back -n azure-vote
+```
+
+```Output
+deployment.apps/azure-vote-front restarted
+deployment.apps/azure-vote-back restarted
+```
+
+If we view the pods for the `azure-vote` namespace, we will see the **READY** stage of both the `azure-vote-front` and `azure-vote-back` as 2/2, meaning the Envoy sidecar proxy has been injected alongside the application.
+
+## Tutorial: Deploy an application managed by Open Service Mesh (OSM) with NGINX ingress
+
+Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
+
+In this tutorial, you will:
+
+> [!div class="checklist"]
+>
+> - View the current OSM cluster configuration
+> - Create the namespace(s) for OSM to manage deployed applications in the namespace(s)
+> - Onboard the namespaces to be managed by OSM
+> - Deploy the sample application
+> - Verify the application running inside the AKS cluster
+> - Create a NGINX ingress controller used for the appliction
+> - Expose a service via the Azure Application Gateway ingress to the internet
+
+### Before you begin
+
+The steps detailed in this article assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- OSM version v0.8.0 or later
+- apt-get install jq
+
+### View and verify the current OSM cluster configuration
+
+Once the OSM add-on for AKS has been enabled on the AKS cluster, you can view the current configuration parameters in the osm-config Kubernetes ConfigMap. Run the following command to view the ConfigMap properties:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output shows the current OSM configuration for the cluster.
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.57.43",
+ "permissive_traffic_policy_mode": "false",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
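Review bot: the text contradicts the example output it introduces. The JSON shows `"permissive_traffic_policy_mode": "false"`, but the next paragraph says "Notice the permissive_traffic_policy_mode is configured to true". This matters for the rest of the tutorial: no SMI TrafficTarget or HTTPRouteGroup policies are applied anywhere, so with permissive mode off the sidecars are not programmed to let bookbuyer reach bookstore, yet the final bookbuyer page reports books bought. Either the output should show "true", or a step that applies SMI access policies (or patches the ConfigMap to enable permissive mode) is missing. Two other values deserve a sentence: `"enable_debug_server": "true"` exposes the OSM controller's internal state over HTTP and should be turned off outside troubleshooting, and `"egress": "true"` lets every mesh pod reach arbitrary external destinations. Also, `20.193.57.43` in `outbound_ip_range_exclusion_list` is an address specific to the author's cluster; mark it as an example value so readers do not expect to see it.
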
+### Create namespaces for the application
+
+In this tutorial we will be using the OSM bookstore application that has the following application components:
+
+- bookbuyer
+- bookthief
+- bookstore
+- bookwarehouse
+
+Create namespaces for each of these application components.
+
+```azurecli-interactive
+for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
+```
+
+You should see the following output:
+
+```Output
+namespace/bookstore created
+namespace/bookbuyer created
+namespace/bookthief created
+namespace/bookwarehouse created
+```
+
+### Onboard the namespaces to be managed by OSM
+
+Adding the namespaces to the OSM mesh will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
+
+```azurecli-interactive
+osm namespace add bookstore bookbuyer bookthief bookwarehouse
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+Namespace [bookbuyer] successfully added to mesh [osm]
+Namespace [bookthief] successfully added to mesh [osm]
+Namespace [bookwarehouse] successfully added to mesh [osm]
+```
+
+### Deploy the Bookstore application to the AKS cluster
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
+```
+
+All of the deployment outputs are summarized below.
+
+```Output
+serviceaccount/bookbuyer created
+service/bookbuyer created
+deployment.apps/bookbuyer created
+
+serviceaccount/bookthief created
+service/bookthief created
+deployment.apps/bookthief created
+
+service/bookstore created
+serviceaccount/bookstore created
+deployment.apps/bookstore created
+
+serviceaccount/bookwarehouse created
+service/bookwarehouse created
+deployment.apps/bookwarehouse created
+```
+
+### Update the Bookbuyer Service
+
+Update the bookbuyer service to the correct inbound port configuration with the following service manifest.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Service
+metadata:
+ name: bookbuyer
+ namespace: bookbuyer
+ labels:
+ app: bookbuyer
+spec:
+ ports:
+ - port: 14001
+ name: inbound-port
+ selector:
+ app: bookbuyer
+EOF
+```
+
+### Verify the Bookstore application running inside the AKS cluster
+
+As of now we have deployed the bookstore mulit-container application, but it is only accessible from within the AKS cluster. Later we will add the Azure Application Gateway ingress controller to expose the application outside the AKS cluster. To verify that the application is running inside the cluster, we will use a port forward to view the bookbuyer component UI.
+
+First let's get the bookbuyer pod's name
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
+```
+
+Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specified bookbuyer pod name.
+
+```azurecli-interactive
+kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
+```
+
+You should see output similar to this.
+
+```Output
+Forwarding from 127.0.0.1:8080 -> 14001
+Forwarding from [::1]:8080 -> 14001
+```
+
+While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
+
+![OSM bookbuyer app for NGINX UI image](./media/aks-osm-addon/osm-agic-bookbuyer-img.png)
+
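Review bot: the verification section still refers to the other tutorial's ingress. "Later we will add the Azure Application Gateway ingress controller to expose the application outside the AKS cluster" should say the NGINX ingress controller, and "mulit-container" should be "multi-container". The port-forward step asks readers to copy a generated pod name (`bookbuyer-7676c7fcfb-mtnrz`) into the command; `kubectl port-forward -n bookbuyer deploy/bookbuyer 8080:14001` targets the deployment and works without editing. The "Update the Bookbuyer Service" step replaces the upstream Service's port list with a single port 14001 but never says why the upstream definition needs replacing; one sentence explaining the change (14001 is the port the port-forward and the Ingress below rely on) would keep readers from skipping it.
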
+### Create an NGINX ingress controller in Azure Kubernetes Service (AKS)
+
+An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.
+
+We will utilize the ingress controller to expose the application managed by OSM to the internet. To create the ingress controller, use Helm to install nginx-ingress. For added redundancy, two replicas of the NGINX ingress controllers are deployed with the `--set controller.replicaCount` parameter. To fully benefit from running replicas of the ingress controller, make sure there's more than one node in your AKS cluster.
+
+The ingress controller also needs to be scheduled on a Linux node. Windows Server nodes shouldn't run the ingress controller. A node selector is specified using the `--set nodeSelector` parameter to tell the Kubernetes scheduler to run the NGINX ingress controller on a Linux-based node.
+
+> [!TIP]
+> The following example creates a Kubernetes namespace for the ingress resources named _ingress-basic_. Specify a namespace for your own environment as needed.
+
+```azurecli-interactive
+# Create a namespace for your ingress resources
+kubectl create namespace ingress-basic
+
+# Add the ingress-nginx repository
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+
+# Update the helm repo(s)
+helm repo update
+
+# Use Helm to deploy an NGINX ingress controller in the ingress-basic namespace
+helm install nginx-ingress ingress-nginx/ingress-nginx \
+ --namespace ingress-basic \
+ --set controller.replicaCount=1 \
+ --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux
+```
+
+When the Kubernetes load balancer service is created for the NGINX ingress controller, a dynamic public IP address is assigned, as shown in the following example output:
+
+```Output
+$ kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller
+
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
+nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.74.133 EXTERNAL_IP 80:32486/TCP,443:30953/TCP 44s app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
+```
+
+No ingress rules have been created yet, so the NGINX ingress controller's default 404 page is displayed if you browse to the internal IP address. Ingress rules are configured in the following steps.
+
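Review bot: the prose and the Helm command disagree on replica count. The paragraph says "two replicas of the NGINX ingress controllers are deployed with the `--set controller.replicaCount` parameter", but the command passes `--set controller.replicaCount=1`; pick one and make the other match (if a single replica is intended, the "more than one node" advice can go). In the sentence after the service output, "if you browse to the internal IP address" should refer to the EXTERNAL-IP column, since that is the address the load balancer exposes. The `beta.kubernetes.io/os` node-selector label is deprecated in favour of `kubernetes.io/os`, which every 1.19+ node carries. Finally, `helm install` with no `--version` installs whatever chart is current; pinning the chart version makes the tutorial reproducible and avoids silently pulling a newer controller.
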
+### Expose the bookbuyer service to the internet
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: bookbuyer-ingress
+ namespace: bookbuyer
+ annotations:
+ kubernetes.io/ingress.class: nginx
+
+spec:
+
+ rules:
+ - host: bookbuyer.contoso.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+EOF
+```
+
+You should see the following output:
+
+```Output
+Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
+ingress.extensions/bookbuyer-ingress created
+```
+
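Review bot: the Ingress manifest uses `apiVersion: extensions/v1beta1`, and the page's own output immediately warns "extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+". Since the prerequisites require Kubernetes 1.19 or later, use `networking.k8s.io/v1` with `spec.ingressClassName: nginx`, `pathType: Prefix`, and the `service: {name: bookbuyer, port: {number: 14001}}` backend form instead of the annotation and `serviceName`/`servicePort`. The spec-level default `backend:` pointing at bookbuyer also makes the `host: bookbuyer.contoso.com` rule moot: requests with any Host header, including ones sent straight to the public IP, are routed to bookbuyer; drop the default backend unless that is intended. Worth one sentence as well: the ingress serves plain HTTP on the internet, and with `"use_https_ingress": "false"` in osm-config the NGINX-to-sidecar hop is plaintext too, so readers should not copy this shape into anything beyond a demo.
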
+### View the NGINX logs
+
+```azurecli-interactive
+POD=$(kubectl get pods -n ingress-basic | grep 'nginx-ingress' | awk '{print $1}')
+
+kubectl logs $POD -n ingress-basic -f
+```
+
+Output shows the NGINX ingress controller status when ingress rule has been applied successfully:
+
+```Output
+I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-basic", Name:"nginx-ingress-ingress-nginx-controller-54cf6c8bf4-jdvrw", UID:"3ebbe5e5-50ef-481d-954d-4b82a499ebe1", APIVersion:"v1", ResourceVersion:"3272", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
+I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"bookbuyer", Name:"bookbuyer-ingress", UID:"e1018efc-8116-493c-9999-294b4566819e", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"5460", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
+I0321 <date> 6 controller.go:146] "Configuration changes detected, backend reload required"
+I0321 <date> 6 controller.go:163] "Backend successfully reloaded"
+I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-basic", Name:"nginx-ingress-ingress-nginx-controller-54cf6c8bf4-jdvrw", UID:"3ebbe5e5-50ef-481d-954d-4b82a499ebe1", APIVersion:"v1", ResourceVersion:"3272", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
+```
+
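Review bot: the pod lookup `POD=$(kubectl get pods -n ingress-basic | grep 'nginx-ingress' | awk '{print $1}')` is fragile. It also matches the admission-webhook create/patch job pods the chart creates, and with more than one controller replica it returns several names, so `kubectl logs $POD -n ingress-basic -f` fails. A label selector avoids both problems: `kubectl logs -n ingress-basic -l app.kubernetes.io/component=controller -f`. That label is visible in the SELECTOR column of the service output earlier in the tutorial.
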
+### View the NGINX services and bookbuyer service externally
+
+```azurecli-interactive
+kubectl get services -n ingress-basic
+```
+
+```Output
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.100.23 20.193.1.74 80:31742/TCP,443:32683/TCP 4m15s
+nginx-ingress-ingress-nginx-controller-admission ClusterIP 10.0.163.98 <none> 443/TCP 4m15s
+```
+
+Since the host name in the ingress manifest is a psuedo name used for testing, the DNS name will not be available on the internet. We can alternatively use the curl program and past the hostname header to the NGINX public IP address and receive a 200 code successfully connecting us to the bookbuyer service.
+
+```azurecli-interactive
+curl -H 'Host: bookbuyer.contoso.com' http://EXTERNAL-IP/
+```
+
+You should see the following output:
+
+```Output
+<!doctype html>
+<html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
+ <head>
+ <meta content="Bookbuyer" name="description">
+ <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
+ <title>Bookbuyer</title>
+ <style>
+ #navbar {
+ width: 100%;
+ height: 50px;
+ display: table;
+ border-spacing: 0;
+ white-space: nowrap;
+ line-height: normal;
+ background-color: #0078D4;
+ background-position: left top;
+ background-repeat-x: repeat;
+ background-image: none;
+ color: white;
+ font: 2.2em "Fira Sans", sans-serif;
+ }
+ #main {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.8em "Fira Sans", sans-serif;
+ }
+ li {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.2em "Consolas", sans-serif;
+ }
+ </style>
+ <script>
+ setTimeout(function(){window.location.reload(1);}, 1500);
+ </script>
+ </head>
+ <body bgcolor="#fff">
+ <div id="navbar">
+ &#128214; Bookbuyer
+ </div>
+ <div id="main">
+ <ul>
+ <li>Total books bought: <strong>1833</strong>
+ <ul>
+ <li>from bookstore V1: <strong>277</strong>
+ <li>from bookstore V2: <strong>1556</strong>
+ </ul>
+ </li>
+ </ul>
+ </div>
+
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+
+ Current Time: <strong>Fri, 26 Mar 2021 15:02:53 UTC</strong>
+ </body>
+</html>
+```
+
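Review bot: "psuedo name" should be "pseudo name", and "past the hostname header" should be "pass the Host header". The command uses a literal `http://EXTERNAL-IP/` placeholder while the output two blocks earlier shows a real address; capturing it saves a copy-paste step: `EXTERNAL_IP=$(kubectl get svc -n ingress-basic nginx-ingress-ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}')`. The text promises a 200 status, but `curl` as written prints only the body; add `-i` (or `-o /dev/null -w '%{http_code}'`) so the status the reader is told to look for is actually shown. The full HTML dump could be trimmed to the `<title>` and the "Total books bought" lines.
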
+## Tutorial: Deploy an application managed by Open Service Mesh (OSM) using Azure Application Gateway ingress AKS add-on
+
+Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
+
+In this tutorial, you will:
+
+> [!div class="checklist"]
+>
+> - View the current OSM cluster configuration
+> - Create the namespace(s) for OSM to manage deployed applications in the namespace(s)
+> - Onboard the namespaces to be managed by OSM
+> - Deploy the sample application
+> - Verify the application running inside the AKS cluster
+> - Create an Azure Application Gateway to be used as the ingress controller for the appliction
+> - Expose a service via the Azure Application Gateway ingress to the internet
+
+### Before you begin
+
+The steps detailed in this article assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), have installed the AKS OSM add-on, and will be creating a new Azure Application Gateway for ingress.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- AKS cluster version 1.19+ using Azure CNI networking (Attached to an Azure Vnet)
+- OSM version v0.8.0 or later
+- apt-get install jq
+
+### View and verify the current OSM cluster configuration
+
+Once the OSM add-on for AKS has been enabled on the AKS cluster, you can view the current configuration parameters in the osm-config Kubernetes ConfigMap. Run the following command to view the ConfigMap properties:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output shows the current OSM configuration for the cluster.
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.57.43",
+ "permissive_traffic_policy_mode": "false",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
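Review bot: the same problems as in the NGINX tutorial are duplicated here. "appliction" in the checklist; the unclosed parenthesis at "(If you need help" in the assumptions sentence; "AKS cluster version 1.19+ using Azure CNI networking" listed as an installed resource although it is a property of the cluster (fold it into the assumptions sentence, which already requires 1.19+); and "apt-get install jq" given as a command rather than a requirement. The example output shows `"permissive_traffic_policy_mode": "false"` while the following paragraph says it is configured to "true", and no SMI access policies are applied anywhere in this tutorial either, so the output and the text have to be reconciled or a policy step added. `"enable_debug_server": "true"` and `"egress": "true"` should each get a caveat that they are acceptable for a demo but should be disabled otherwise.
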
+### Create namespaces for the application
+
+In this tutorial we will be using the OSM bookstore application that has the following application components:
+
+- bookbuyer
+- bookthief
+- bookstore
+- bookwarehouse
+
+Create namespaces for each of these application components.
+
+```azurecli-interactive
+for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
+```
+
+You should see the following output:
+
+```Output
+namespace/bookstore created
+namespace/bookbuyer created
+namespace/bookthief created
+namespace/bookwarehouse created
+```
+
+### Onboard the namespaces to be managed by OSM
+
+When you add the namespaces to the OSM mesh, this will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
+
+```azurecli-interactive
+osm namespace add bookstore bookbuyer bookthief bookwarehouse
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+Namespace [bookbuyer] successfully added to mesh [osm]
+Namespace [bookthief] successfully added to mesh [osm]
+Namespace [bookwarehouse] successfully added to mesh [osm]
+```
+
+### Deploy the Bookstore application to the AKS cluster
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
+```
+
+All of the deployment outputs are summarized below.
+
+```Output
+serviceaccount/bookbuyer created
+service/bookbuyer created
+deployment.apps/bookbuyer created
+
+serviceaccount/bookthief created
+service/bookthief created
+deployment.apps/bookthief created
+
+service/bookstore created
+serviceaccount/bookstore created
+deployment.apps/bookstore created
+
+serviceaccount/bookwarehouse created
+service/bookwarehouse created
+deployment.apps/bookwarehouse created
+```
+
+### Update the Bookbuyer Service
+
+Update the bookbuyer service to the correct inbound port configuration with the following service manifest.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Service
+metadata:
+ name: bookbuyer
+ namespace: bookbuyer
+ labels:
+ app: bookbuyer
+spec:
+ ports:
+ - port: 14001
+ name: inbound-port
+ selector:
+ app: bookbuyer
+EOF
+```
+
+### Verify the Bookstore application running inside the AKS cluster
+
+As of now we have deployed the bookstore multi-container application, but it is only accessible from within the AKS cluster. Later we will add the Azure Application Gateway ingress controller to expose the application outside the AKS cluster. To verify that the application is running inside the cluster, we will use a port forward to view the bookbuyer component UI.
+
+First let's get the bookbuyer pod's name
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
+```
+
+Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specific bookbuyer pod name.
+
+```azurecli-interactive
+kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
+```
+
+You should see output similar to this.
+
+```Output
+Forwarding from 127.0.0.1:8080 -> 14001
+Forwarding from [::1]:8080 -> 14001
+```
+
+While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
+
+![OSM bookbuyer app for App Gateway UI image](./media/aks-osm-addon/osm-agic-bookbuyer-img.png)
+
+### Create an Azure Application Gateway to expose the bookbuyer application outside the AKS cluster
+
+> [!NOTE]
+> The following directions will create a new instance of the Azure Application Gateway to be used for ingress. If you have an existing Azure Application Gateway you wish to use, skip to the section for enabling the Application Gateway Ingress Controller add-on.
+
+#### Deploy a new Application Gateway
+
+> [!NOTE]
+> We are referencing existing documentation for enabling the Application Gateway Ingress Controller add-on for an existing AKS cluster. Some modifications have been made to suit the OSM materials. More detailed documentation on the subject can be found [here](https://docs.microsoft.com/azure/application-gateway/tutorial-ingress-controller-add-on-existing).
+
+You'll now deploy a new Application Gateway, to simulate having an existing Application Gateway that you want to use to load balance traffic to your AKS cluster, _myCluster_. The name of the Application Gateway will be _myApplicationGateway_, but you will need to first create a public IP resource, named _myPublicIp_, and a new virtual network called _myVnet_ with address space 11.0.0.0/8, and a subnet with address space 11.1.0.0/16 called _mySubnet_, and deploy your Application Gateway in _mySubnet_ using _myPublicIp_.
+
+When using an AKS cluster and Application Gateway in separate virtual networks, the address spaces of the two virtual networks must not overlap. The default address space that an AKS cluster deploys in is 10.0.0.0/8, so we set the Application Gateway virtual network address prefix to 11.0.0.0/8.
+
+```azurecli-interactive
+az group create --name myResourceGroup --location eastus2
+az network public-ip create -n myPublicIp -g MyResourceGroup --allocation-method Static --sku Standard
+az network vnet create -n myVnet -g myResourceGroup --address-prefix 11.0.0.0/8 --subnet-name mySubnet --subnet-prefix 11.1.0.0/16
+az network application-gateway create -n myApplicationGateway -l eastus2 -g myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet
+```
+
+> [!NOTE]
+> Application Gateway Ingress Controller (AGIC) add-on **only** supports Application Gateway v2 SKUs (Standard and WAF), and **not** the Application Gateway v1 SKUs.
+
+#### Enable the AGIC add-on for an existing AKS cluster through Azure CLI
+
+If you'd like to continue using Azure CLI, you can continue to enable the AGIC add-on in the AKS cluster you created, _myCluster_, and specify the AGIC add-on to use the existing Application Gateway you created, _myApplicationGateway_.
+
+```azurecli-interactive
+appgwId=$(az network application-gateway show -n myApplicationGateway -g myResourceGroup -o tsv --query "id")
+az aks enable-addons -n myCluster -g myResourceGroup -a ingress-appgw --appgw-id $appgwId
+```
+
+You can verify the Azure Application Gateway AKS add-on has been enabled by the following command.
+
+```azurecli-interactive
+az aks list -g osm-aks-rg -o json | jq -r .[].addonProfiles.ingressApplicationGateway.enabled
+```
+
+This command should show the output as `true`.
+
+#### Peer the two virtual networks together
+
+Since we deployed the AKS cluster in its own virtual network and the Application Gateway in another virtual network, you'll need to peer the two virtual networks together in order for traffic to flow from the Application Gateway to the pods in the cluster. Peering the two virtual networks requires running the Azure CLI command two separate times, to ensure that the connection is bi-directional. The first command will create a peering connection from the Application Gateway virtual network to the AKS virtual network; the second command will create a peering connection in the other direction.
+
+```azurecli-interactive
+nodeResourceGroup=$(az aks show -n myCluster -g myResourceGroup -o tsv --query "nodeResourceGroup")
+aksVnetName=$(az network vnet list -g $nodeResourceGroup -o tsv --query "[0].name")
+
+aksVnetId=$(az network vnet show -n $aksVnetName -g $nodeResourceGroup -o tsv --query "id")
+az network vnet peering create -n AppGWtoAKSVnetPeering -g myResourceGroup --vnet-name myVnet --remote-vnet $aksVnetId --allow-vnet-access
+
+appGWVnetId=$(az network vnet show -n myVnet -g myResourceGroup -o tsv --query "id")
+az network vnet peering create -n AKStoAppGWVnetPeering -g $nodeResourceGroup --vnet-name $aksVnetName --remote-vnet $appGWVnetId --allow-vnet-access
+```
+
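Review bot: the virtual network is created with `--address-prefix 11.0.0.0/8`, which is not an RFC 1918 private range; Azure accepts it, but it shadows real internet routes from inside the VNet. A non-overlapping private range such as 10.1.0.0/16 or 172.16.0.0/16 satisfies the stated goal of avoiding the cluster's 10.0.0.0/8 space. Resource group names are inconsistent: `-g MyResourceGroup` in the public-ip command versus `myResourceGroup` everywhere else. The verification command `az aks list -g osm-aks-rg -o json | jq -r .[].addonProfiles.ingressApplicationGateway.enabled` queries a resource group (`osm-aks-rg`) that appears nowhere else and iterates over every cluster in it; `az aks show -n myCluster -g myResourceGroup --query addonProfiles.ingressApplicationGateway.enabled -o tsv` checks the cluster that was just configured. In the peering section, `--query "[0].name"` picks the first VNet in the node resource group, which is fine for the single-VNet default but should be stated as an assumption.
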
+### Expose the bookbuyer service to the internet
+
+Apply the following ingress manifest to the AKS cluster to expose the bookbuyer service to the internet via the Azure Application Gateway.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: bookbuyer-ingress
+ namespace: bookbuyer
+ annotations:
+ kubernetes.io/ingress.class: azure/application-gateway
+
+spec:
+
+ rules:
+ - host: bookbuyer.contoso.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+EOF
+```
+
+You should see the following output
+
+```Output
+Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
+ingress.extensions/bookbuyer-ingress created
+```
+
+Since the host name in the ingress manifest is a pseudo name used for testing, the DNS name will not be available on the internet. We can alternatively use the curl program and past the hostname header to the Azure Application Gateway public IP address and receive a 200 code successfully connecting us to the bookbuyer service.
+
+```azurecli-interactive
+appGWPIP=$(az network public-ip show -g MyResourceGroup -n myPublicIp -o tsv --query "ipAddress")
+curl -H 'Host: bookbuyer.contoso.com' http://$appGWPIP/
+```
+
+You should see the following output
+
+```Output
+<!doctype html>
+<html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
+ <head>
+ <meta content="Bookbuyer" name="description">
+ <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
+ <title>Bookbuyer</title>
+ <style>
+ #navbar {
+ width: 100%;
+ height: 50px;
+ display: table;
+ border-spacing: 0;
+ white-space: nowrap;
+ line-height: normal;
+ background-color: #0078D4;
+ background-position: left top;
+ background-repeat-x: repeat;
+ background-image: none;
+ color: white;
+ font: 2.2em "Fira Sans", sans-serif;
+ }
+ #main {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.8em "Fira Sans", sans-serif;
+ }
+ li {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.2em "Consolas", sans-serif;
+ }
+ </style>
+ <script>
+ setTimeout(function(){window.location.reload(1);}, 1500);
+ </script>
+ </head>
+ <body bgcolor="#fff">
+ <div id="navbar">
+ &#128214; Bookbuyer
+ </div>
+ <div id="main">
+ <ul>
+ <li>Total books bought: <strong>5969</strong>
+ <ul>
+ <li>from bookstore V1: <strong>277</strong>
+ <li>from bookstore V2: <strong>5692</strong>
+ </ul>
+ </li>
+ </ul>
+ </div>
+
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+
+ Current Time: <strong>Fri, 26 Mar 2021 16:34:30 UTC</strong>
+ </body>
+</html>
+```
+
+### Troubleshooting
+
+- [AGIC Troubleshooting Documentation](https://docs.microsoft.com/azure/application-gateway/ingress-controller-troubleshoot)
+- [Additional troubleshooting tools are available on AGIC's GitHub repo](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/troubleshootings/troubleshooting-installing-a-simple-application.md)
+
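Review bot: this Ingress manifest has the same `apiVersion: extensions/v1beta1` problem that the output below it warns about ("unavailable in v1.22+"); move it to `networking.k8s.io/v1` with `pathType` and the `service.name`/`service.port.number` backend form, and drop the spec-level default `backend:` unless every Host header is meant to reach bookbuyer. In the verification text, "past the hostname header" should be "pass the Host header", and `-g MyResourceGroup` in the `az network public-ip show` command should match the `myResourceGroup` used when the IP was created. As with the NGINX verification, `curl` without `-i` does not display the 200 status the paragraph tells readers to expect, and the full HTML page could be cut to the title and the "Total books bought" lines.
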
+## Open Service Mesh (OSM) Monitoring and Observability using Azure Monitor and Applications Insights
+
+Both Azure Monitor and Azure Application Insights helps you maximize the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
+
+The OSM AKS add-on will have deep integrations into both of these Azure services, and provide a seemless Azure experience for viewing and responding to critical KPIs provided by OSM metrics. For more information on how to enable and configure these services for the OSM AKS add-on, visit the [Azure Monitor for OSM](https://aka.ms/azmon/osmpreview) page for more information.
+
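Review bot: "Applications Insights" should be "Application Insights", "seemless" should be "seamless", and "Both Azure Monitor and Azure Application Insights helps" needs "help". "The OSM AKS add-on will have deep integrations" is a forward-looking promise; documentation should describe what exists today, so either state the current integration or move this to a roadmap note. The `aka.ms` link should carry the destination article's title so readers know where it leads.
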
+## Tutorial: Manually deploy Prometheus, Grafana, and Jaeger to view Open Service Mesh (OSM) metrics for observability
+
+> [!WARNING]
+> The installation of Prometheus, Grafana and Jaeger are provided as general guidance to show how these tools can be utilized to view OSM metric data. The installation guidance is not to be utilized for a production setup. Please refer to each tool's documentation on how best to suit thier installations to your needs. Most notable will be the lack of persistent storage, meaning that all data is lost once a Prometheus Grafana, and/or Jaeger pod(s) are terminated.
+
+Open Service Mesh (OSM) generates detailed metrics related to all traffic within the mesh. These metrics provide insights into the behavior of applications in the mesh helping users to troubleshoot, maintain, and analyze their applications.
+
+As of today OSM collects metrics directly from the sidecar proxies (Envoy). OSM provides rich metrics for incoming and outgoing traffic for all services in the mesh. With these metrics, the user can get information about the overall volume of traffic, errors within traffic and the response time for requests.
+
+OSM uses Prometheus to gather and store consistent traffic metrics and statistics for all applications running in the mesh. Prometheus is an open-source monitoring and alerting toolkit, which is commonly used on (but not limited to) Kubernetes and Service Mesh environments.
+
+Each application that is part of the mesh runs in a Pod that contains an Envoy sidecar that exposes metrics (proxy metrics) in the Prometheus format. Furthermore, every Pod that is a part of the mesh has Prometheus annotations, which makes it possible for the Prometheus server to scrape the application dynamically. This mechanism automatically enables scraping of metrics whenever a new namespace/pod/service is added to the mesh.
+
+OSM metrics can be viewed with Grafana, which is an open-source visualization and analytics software. It allows you to query, visualize, alert on, and explore your metrics.
+
+In this tutorial, you will:
+
+> [!div class="checklist"]
+>
+> - Create and deploy a Prometheus instance
+> - Configure OSM to allow Prometheus scraping
+> - Update the Prometheus Configmap
+> - Create and deploy a Grafana instance
+> - Configure Grafana with the Prometheus datasource
+> - Import OSM dashboard for Grafana
+> - Create and deploy a Jaeger instance
+> - Configure Jaeger tracing for OSM
+
+### Deploy and configure a Prometheus instance for OSM
+
+We will use Helm to deploy the Prometheus instance. Run the following commands to install Prometheus via Helm:
+
+```azurecli-interactive
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+helm install stable prometheus-community/prometheus
+```
+
+You should see similar output below if the installation was successful. Make note of the Prometheus server port and cluster DNS name. This information will be used later for to configure Prometheus as a data source for Grafana.
+
+```Output
+NAME: stable
+LAST DEPLOYED: Fri Mar 26 13:34:51 2021
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+NOTES:
+The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
+stable-prometheus-server.default.svc.cluster.local
++
+Get the Prometheus server URL by running these commands in the same shell:
+ export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace default port-forward $POD_NAME 9090
++
+The Prometheus alertmanager can be accessed via port 80 on the following DNS name from within your cluster:
+stable-prometheus-alertmanager.default.svc.cluster.local
++
+Get the Alertmanager URL by running these commands in the same shell:
+ export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=alertmanager" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace default port-forward $POD_NAME 9093
+#################################################################################
+###### WARNING: Pod Security Policy has been moved to a global property. #####
+###### use .Values.podSecurityPolicy.enabled with pod-based #####
+###### annotations #####
+###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
+#################################################################################
++
+The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
+stable-prometheus-pushgateway.default.svc.cluster.local
++
+Get the PushGateway URL by running these commands in the same shell:
+ export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace default port-forward $POD_NAME 9091
+
+For more information on running Prometheus, visit:
+https://prometheus.io/
+```
+
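Review bot: `helm install stable prometheus-community/prometheus` installs into whatever namespace the current kubeconfig context selects and pulls the newest chart version, while the rest of the walkthrough hard-codes `default` (the `--namespace default` in the NOTES output and the `stable-prometheus-server.default.svc.cluster.local` name used later as the Grafana data source). Suggest adding `--namespace default` and a `--version` pin to the install command so the shown output and the later steps stay reproducible.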
+#### Configure OSM to allow Prometheus scraping
+
+To ensure that the OSM components are configured for Prometheus scrapes, we'll want to check the **prometheus_scraping** configuration located in the osm-config config file. View the configuration with the following command:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data.prometheus_scraping'
+```
+
+The output of the previous command should return `true` if OSM is configured for Prometheus scraping. If the returned value is `false`, we will need to update the configuration to be `true`. Run the following command to turn **on** OSM Prometheus scraping:
+
+```azurecli-interactive
+kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"prometheus_scraping":"true"}}'
+```
+
+You should see the following output.
+
+```Output
+configmap/osm-config patched
+```
+
+#### Update the Prometheus Configmap
+
+The default installation of Prometheus will contain two Kubernetes configmaps. You can view the list of Prometheus configmaps with the following command.
+
+```azurecli-interactive
+kubectl get configmap | grep prometheus
+```
+
+```Output
+stable-prometheus-alertmanager 1 4h34m
+stable-prometheus-server 5 4h34m
+```
+
+We will need to replace the prometheus.yml configuration located in the **stable-prometheus-server** configmap with the following OSM configuration. There are several file editing techniques to accomplish this task. A simple and safe way is to export the configmap, create a copy of it for backup, then edit it with an editor such as Visual Studio code.
+
+> [!NOTE]
+> If you do not have Visual Studio Code installed you can go download and install it [here](https://code.visualstudio.com/Download).
+
+Let's first export out the **stable-prometheus-server** configmap and then make a copy for backup.
+
+```azurecli-interactive
+kubectl get configmap stable-prometheus-server -o yaml > cm-stable-prometheus-server.yml
+cp cm-stable-prometheus-server.yml cm-stable-prometheus-server.yml.copy
+```
+
+Next let's open the file using Visual Studio Code to edit.
+
+```azurecli-interactive
+code cm-stable-prometheus-server.yml
+```
+
+Once you have the configmap opened in the Visual Studio Code editor, replace the prometheus.yml file with the OSM configuration below and save the file.
+
+> [!WARNING]
+> It is extremely important that you ensure you keep the indention structure of the yaml file. Any changes to the yaml file structure could result in the configmap not being able to be re-applied.
+
+```OSM Prometheus Configmap Configuration
+prometheus.yml: |
+ global:
+ scrape_interval: 10s
+ scrape_timeout: 10s
+ evaluation_interval: 1m
+
+ scrape_configs:
+ - job_name: 'kubernetes-apiservers'
+ kubernetes_sd_configs:
+ - role: endpoints
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ # TODO need to remove this when the CA and SAN match
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: '(apiserver_watch_events_total|apiserver_admission_webhook_rejection_count)'
+ action: keep
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: default;kubernetes;https
+
+ - job_name: 'kubernetes-nodes'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: '(envoy_server_live|envoy_cluster_upstream_rq_xx|envoy_cluster_upstream_cx_active|envoy_cluster_upstream_cx_tx_bytes_total|envoy_cluster_upstream_cx_rx_bytes_total|envoy_cluster_upstream_cx_destroy_remote_with_active_rq|envoy_cluster_upstream_cx_connect_timeout|envoy_cluster_upstream_cx_destroy_local_with_active_rq|envoy_cluster_upstream_rq_pending_failure_eject|envoy_cluster_upstream_rq_pending_overflow|envoy_cluster_upstream_rq_timeout|envoy_cluster_upstream_rq_rx_reset|^osm.*)'
+ action: keep
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: source_namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: source_pod_name
+ - regex: '(__meta_kubernetes_pod_label_app)'
+ action: labelmap
+ replacement: source_service
+ - regex: '(__meta_kubernetes_pod_label_osm_envoy_uid|__meta_kubernetes_pod_label_pod_template_hash|__meta_kubernetes_pod_label_version)'
+ action: drop
+ # for non-ReplicaSets (DaemonSet, StatefulSet)
+ # __meta_kubernetes_pod_controller_kind=DaemonSet
+ # __meta_kubernetes_pod_controller_name=foo
+ # =>
+ # workload_kind=DaemonSet
+ # workload_name=foo
+ - source_labels: [__meta_kubernetes_pod_controller_kind]
+ action: replace
+ target_label: source_workload_kind
+ - source_labels: [__meta_kubernetes_pod_controller_name]
+ action: replace
+ target_label: source_workload_name
+ # for ReplicaSets
+ # __meta_kubernetes_pod_controller_kind=ReplicaSet
+ # __meta_kubernetes_pod_controller_name=foo-bar-123
+ # =>
+ # workload_kind=Deployment
+ # workload_name=foo-bar
+ # deplyment=foo
+ - source_labels: [__meta_kubernetes_pod_controller_kind]
+ action: replace
+ regex: ^ReplicaSet$
+ target_label: source_workload_kind
+ replacement: Deployment
+ - source_labels:
+ - __meta_kubernetes_pod_controller_kind
+ - __meta_kubernetes_pod_controller_name
+ action: replace
+ regex: ^ReplicaSet;(.*)-[^-]+$
+ target_label: source_workload_name
+
+ - job_name: 'smi-metrics'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: 'envoy_.*osm_request_(total|duration_ms_(bucket|count|sum))'
+ action: keep
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_(\d{3})_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: response_code
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: destination_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: destination_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_total
+ target_label: destination_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_total
+ target_label: destination_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: .*(osm_request_total)
+ target_label: __name__
+
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: .*(osm_request_duration_ms_(bucket|sum|count))
+ target_label: __name__
+
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: '(container_cpu_usage_seconds_total|container_memory_rss)'
+ action: keep
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+```
+
+Apply the updated configmap yaml file with the following command.
+
+```azurecli-interactive
+kubectl apply -f cm-stable-prometheus-server.yml
+```
+
+```Output
+configmap/stable-prometheus-server configured
+```
+
+> [!NOTE]
+> You may receive a message about a missing kubernetes annotation needed. This can be ignored for now.
+
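Review bot: the `kubernetes-apiservers` job in the replacement `prometheus.yml` sets `insecure_skip_verify: true` under `tls_config` with only a `# TODO need to remove this when the CA and SAN match` comment; that disables certificate verification for the API server scrape, so the service-account bearer token read from `/var/run/secrets/kubernetes.io/serviceaccount/token` is presented to whatever answers at the discovered endpoint address. Either drop the line (the `kubernetes-nodes` and `kubernetes-cadvisor` jobs verify against the same `ca.crt` without it) or state why it is required on AKS. Two smaller points in the same region: the edited ConfigMap belongs to the `stable` Helm release, so a later `helm upgrade` reverts `prometheus.yml` unless the scrape config is supplied through the chart's `serverFiles` values instead of a hand edit; and the comment `# deplyment=foo` in the ReplicaSet relabel block is a typo for `deployment`.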
+#### Verify Prometheus is configured to scrape the OSM mesh and API endpoints
+
+To verify that Prometheus is correctly configured to scrape the OSM mesh and API endpoints, we will port forward to the Prometheus pod and view the target configuration. Run the following commands.
+
+```azurecli-interactive
+PROM_POD_NAME=$(kubectl get pods -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
+kubectl --namespace <promNamespace> port-forward $PROM_POD_NAME 9090
+```
+
+Open a browser up to `http://localhost:9090/targets`
+
+If you scroll down you should see all the SMI metric endpoints state being **UP** as well as other OSM metrics defined as pictured below.
+
+![OSM Prometheus Target Metrics UI image](./media/aks-osm-addon/osm-prometheus-smi-metrics-target-scrape.png)
+
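Review bot: the port-forward in this step uses a `<promNamespace>` placeholder, but the preceding `kubectl get pods -l "app=prometheus,component=server"` that sets `PROM_POD_NAME` runs with no `-n` against the current namespace; with the install from the earlier step both should say `default` (or both should take the placeholder), otherwise the pod name is looked up in one namespace and forwarded in another.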
+### Deploy and configure a Grafana Instance for OSM
+
+We will use Helm to deploy the Grafana instance. Run the following commands to install Grafana via Helm:
+
+```
+helm repo add grafana https://grafana.github.io/helm-charts
+helm repo update
+helm install osm-grafana grafana/grafana
+```
+
+Next we'll retrieve the default Grafana password to log into the Grafana site.
+
+```azurecli-interactive
+kubectl get secret --namespace default osm-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
+```
+
+Make note of the Grafana password.
+
+Next we will retrieve the Grafana pod to port forward to the Grafana dashboard to login.
+
+```azurecli-interactive
+GRAF_POD_NAME=$(kubectl get pods -l "app.kubernetes.io/name=grafana" -o jsonpath="{.items[0].metadata.name}")
+kubectl port-forward $GRAF_POD_NAME 3000
+```
+
+Open a browser up to `http://localhost:3000`
+
+At the login screen pictured below, enter **admin** as the username and use the Grafana password captured earlier.
+
+![OSM Grafana Login Page UI image](./media/aks-osm-addon/osm-grafana-ui-login.png)
+
+#### Configure the Grafana Prometheus data source
+
+Once you have successfully logged into Grafana, the next step is to add Prometheus as data sources for Grafana. To do so, navigate on the configuration icon on the left menu and select Data Sources as shown below.
+
+![OSM Grafana Datasources Page UI image](./media/aks-osm-addon/osm-grafana-ui-datasources.png)
+
+Click the **Add data source** button and select Prometheus under time series databases.
+
+![OSM Grafana Datasources Selection Page UI image](./media/aks-osm-addon/osm-grafana-ui-datasources-select-prometheus.png)
+
+On the **Configure your Prometheus data source below** page, enter the Kubernetes cluster FQDN for the Prometheus service for the HTTP URL setting. The default FQDN should be `stable-prometheus-server.default.svc.cluster.local`. Once you have entered that Prometheus service endpoint, scroll to the bottom of the page and select **Save & Test**. You should receive a green checkbox indicating the data source is working.
+
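Review bot: the value given for Grafana's HTTP URL field has no scheme; per the Helm NOTES output earlier the server service listens on port 80, so the field should read `http://stable-prometheus-server.default.svc.cluster.local` rather than the bare FQDN `stable-prometheus-server.default.svc.cluster.local`, which Grafana does not accept as a URL at Save & Test.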
+#### Importing OSM Dashboards
+
+OSM Dashboards are available both through:
+
+- [Our repository](/charts/osm/grafana), and are importable as json blobs through the web admin portal
+- or [online at Grafana.com](https://grafana.com/grafana/dashboards/14145)
+
+To import a dashboard, look for the `+` sign on the left menu and select `import`.
+You can directly import dashboard by their ID on `Grafana.com`. For example, our `OSM Mesh Details` dashboard uses ID `14145`, you can use the ID directly on the form and select `import`:
+
+![OSM Grafana Dashboard Import Page UI image](./media/aks-osm-addon/osm-grafana-dashboard-import.png)
+
+As soon as you select import, it will bring you automatically to your imported dashboard.
+
+![OSM Grafana Dashboard Mesh Details Page UI image](./media/aks-osm-addon/osm-grafana-mesh-dashboard-details.png)
+
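Review bot: `[Our repository](/charts/osm/grafana)` is a root-relative path carried over from the OSM project's own docs; on this site it resolves to a nonexistent page. Replace it with the full URL of the `charts/osm/grafana` directory in the OSM GitHub repository and drop the first-person `Our`, which reads as the upstream project's voice rather than this article's.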
+### Deploy and configure a Jaeger Operator on Kubernetes for OSM
+
+[Jaeger](https://www.jaegertracing.io/) is an open-source tracing system used for monitoring and troubleshooting distributed systems. It can be deployed with OSM as a new instance or you may bring your own instance. The following instructions deploy a new instance of Jaeger to the `jaeger` namespace on the AKS cluster.
+
+#### Deploy Jaeger to the AKS cluster
+
+Apply the following manifest to install Jaeger:
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jaeger
+ namespace: jaeger
+ labels:
+ app: jaeger
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: jaeger
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ spec:
+ containers:
+ - name: jaeger
+ image: jaegertracing/all-in-one
+ args:
+ - --collector.zipkin.host-port=9411
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9411
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512M
+ requests:
+ cpu: 100m
+ memory: 256M
+
+kind: Service
+apiVersion: v1
+metadata:
+ name: jaeger
+ namespace: jaeger
+ labels:
+ app: jaeger
+spec:
+ selector:
+ app: jaeger
+ ports:
+ - protocol: TCP
+ # Service port and target port are the same
+ port: 9411
+ type: ClusterIP
+EOF
+```
+
+```Output
+deployment.apps/jaeger created
+service/jaeger created
+```
+
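Review bot: the heredoc passed to `kubectl apply -f -` holds a Deployment and a Service in one YAML document with no `---` separator between them (only a blank line before `kind: Service`), so the second `kind:`, `metadata:` and `spec:` keys collide with the first and kubectl rejects the input as duplicate mapping keys; the shown `deployment.apps/jaeger created` / `service/jaeger created` output cannot come from this manifest as written. Two more points in the same region: both objects target `namespace: jaeger`, but nothing in the section creates that namespace (add `kubectl create namespace jaeger` before the apply), and `image: jaegertracing/all-in-one` carries no tag, so each deploy pulls whatever `latest` is; pin a version for reproducibility.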
+#### Enable Tracing for the OSM add-on
+
+Next we will need to enable tracing for the OSM add-on.
+
+> [!NOTE]
+> As of now the tracing properties are not visable in the osm-config configmap at this time. This will be made visable in a new release of the OSM AKS add-on.
+
+Run the following command to enable tracing for the OSM add-on:
+
+```azurecli-interactive
+kubectl patch configmap osm-config -n kube-system -p '{"data":{"tracing_enable":"true", "tracing_address":"jaeger.jaeger.svc.cluster.local", "tracing_port":"9411", "tracing_endpoint":"/api/v2/spans"}}' --type=merge
+```
+
+```Output
+configmap/osm-config patched
+```
+
+#### View the Jaeger UI with port forwarding
+
+Jaeger's UI is running on port 16686. To view the web UI, you can use kubectl port-forward:
+
+```azurecli-interactive
+JAEGER_POD=$(kubectl get pods -n jaeger --no-headers --selector app=jaeger | awk 'NR==1{print $1}')
+kubectl port-forward -n jaeger $JAEGER_POD 16686:16686
+http://localhost:16686/
+```
+
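Review bot: the line `http://localhost:16686/` sits inside the shell fence after the `kubectl port-forward` command; it is not a command, and pasted as-is the shell would try to execute it (the port-forward blocks the shell anyway). Move the URL into prose as the Prometheus and Grafana steps do (`Open a browser up to ...`).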
+In the browser, you should see a Service dropdown, which allows you to select from the various applications deployed by the bookstore demo. Select a service to view all spans from it. For example, if you select bookbuyer with a Lookback of one hour, you can see its interactions with bookstore-v1 and bookstore-v2 sorted by time.
+
+![OSM Jaeger Tracing Page UI image](./media/aks-osm-addon/osm-jaeger-trace-view-ui.png)
+
+Select any item to view it in further detail. Select multiple items to compare traces. For example, you can compare the bookbuyer's interactions with bookstore and bookstore-v2 at a particular moment in time.
+
+You can also select the System Architecture tab to view a graph of how the various applications have been interacting/communicating. This provides an idea of how traffic is flowing between the applications.
+
+![OSM Jaeger System Architecture UI image](./media/aks-osm-addon/osm-jaeger-sys-arc-view-ui.png)
+
+## Open Service Mesh (OSM) AKS add-on Troubleshooting Guides
+
+When you deploy the OSM AKS add-on, you might occasionally experience a problem. The following guides will assist you on how to troubleshoot errors and resolve common problems.
+
+### Verifying and Troubleshooting OSM components
+
+#### Check OSM Controller Deployment
+
+```azurecli-interactive
+kubectl get deployment -n kube-system --selector app=osm-controller
+```
+
+A healthy OSM Controller would look like this:
+
+```Output
+NAME READY UP-TO-DATE AVAILABLE AGE
+osm-controller 1/1 1 1 59m
+```
+
+#### Check the OSM Controller Pod
+
+```azurecli-interactive
+kubectl get pods -n kube-system --selector app=osm-controller
+```
+
+A healthy OSM Pod would look like this:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+osm-controller-b5bd66db-wglzl 0/1 Evicted 0 61m
+osm-controller-b5bd66db-wvl9w 1/1 Running 0 31m
+```
+
+Even though we had one controller evicted at some point, we have another one that is READY 1/1 and Running with 0 restarts. If the column READY is anything other than 1/1 the service mesh would be in a broken state.
+Column READY with 0/1 indicates the control plane container is crashing - we need to get logs. See Get OSM Controller Logs from Azure Support Center section below. Column READY with a number higher than 1 after the / would indicate that there are sidecars installed. OSM Controller would most likely not work with any sidecars attached to it.
+
+> [!NOTE]
+> As of version v0.8.2 the OSM Controller is not in HA mode and will run in a deployed with replica count of 1 - single pod. The pod does have health probes and will be restarted by the kubelet if needed.
+
+#### Check OSM Controller Service
+
+```azurecli-interactive
+kubectl get service -n kube-system osm-controller
+```
+
+A healthy OSM Controller service would look like this:
+
+```Output
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+osm-controller ClusterIP 10.0.31.254 <none> 15128/TCP,9092/TCP 67m
+```
+
+> [!NOTE]
+> The CLUSTER-IP would be different. The service NAME and PORT(S) must be the same as the example above.
+
+#### Check OSM Controller Endpoints
+
+```azurecli-interactive
+kubectl get endpoints -n kube-system osm-controller
+```
+
+A healthy OSM Controller endpoint(s) would look like this:
+
+```Output
+NAME ENDPOINTS AGE
+osm-controller 10.240.1.115:9092,10.240.1.115:15128 69m
+```
+
+#### Check OSM Injector Deployment
+
+```azurecli-interactive
+kubectl get pod -n kube-system --selector app=osm-injector
+```
+
+A healthy OSM Injector deployment would look like this:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+osm-injector-5986c57765-vlsdk 1/1 Running 0 73m
+```
+
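Review bot: under `Check OSM Injector Deployment` the command is `kubectl get pod -n kube-system --selector app=osm-injector` and the sample output is a pod listing, which duplicates the `Check OSM Injector Pod` step right after it; by analogy with the controller checks it should be `kubectl get deployment -n kube-system --selector app=osm-injector` with deployment-style output (`NAME READY UP-TO-DATE AVAILABLE AGE`).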
+#### Check OSM Injector Pod
+
+```azurecli-interactive
+kubectl get pod -n kube-system --selector app=osm-injector
+```
+
+A healthy OSM Injector pod would look like this:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+osm-injector-5986c57765-vlsdk 1/1 Running 0 73m
+```
+
+#### Check OSM Injector Service
+
+```azurecli-interactive
+kubectl get service -n kube-system osm-injector
+```
+
+A healthy OSM Injector service would look like this:
+
+```Output
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+osm-injector ClusterIP 10.0.39.54 <none> 9090/TCP 75m
+```
+
+#### Check OSM Endpoints
+
+```azurecli-interactive
+kubectl get endpoints -n kube-system osm-injector
+```
+
+A healthy OSM endpoint would look like this:
+
+```Output
+NAME ENDPOINTS AGE
+osm-injector 10.240.1.172:9090 75m
+```
+
+#### Check Validating and Mutating webhooks
+
+```azurecli-interactive
+kubectl get ValidatingWebhookConfiguration --selector app=osm-controller
+```
+
+A healthy OSM Validating Webhook would look like this:
+
+```Output
+NAME WEBHOOKS AGE
+aks-osm-webhook-osm 1 81m
+```
+
+```azurecli-interactive
+kubectl get MutatingWebhookConfiguration --selector app=osm-injector
+```
+
+A healthy OSM Mutating Webhook would look like this:
+
+```Output
+NAME WEBHOOKS AGE
+aks-osm-webhook-osm 1 102m
+```
+
+#### Check for the service and the CA bundle of the Validating webhook
+
+```azurecli-interactive
+kubectl get ValidatingWebhookConfiguration aks-osm-webhook-osm -o json | jq '.webhooks[0].clientConfig.service'
+```
+
+A well configured Validating Webhook Configuration would look exactly like this:
+
+```json
+{
+ "name": "osm-config-validator",
+ "namespace": "kube-system",
+ "path": "/validate-webhook",
+ "port": 9093
+}
+```
+
+#### Check for the service and the CA bundle of the Mutating webhook
+
+```azurecli-interactive
+kubectl get MutatingWebhookConfiguration aks-osm-webhook-osm -o json | jq '.webhooks[0].clientConfig.service'
+```
+
+A well configured Mutating Webhook Configuration would look exactly like this:
+
+```json
+{
+ "name": "osm-injector",
+ "namespace": "kube-system",
+ "path": "/mutate-pod-creation",
+ "port": 9090
+}
+```
+
+#### Check whether OSM Controller has given the Validating (or Mutating) Webhook a CA Bundle
+
+> [!NOTE]
+> As of v0.8.2 It is important to know that AKS RP installs the Validating Webhook, AKS Reconciler ensures it exists, but OSM Controller is the one that fills the CA Bundle.
+
+```azurecli-interactive
+kubectl get ValidatingWebhookConfiguration aks-osm-webhook-osm -o json | jq -r '.webhooks[0].clientConfig.caBundle' | wc -c
+```
+
+```azurecli-interactive
+kubectl get MutatingWebhookConfiguration aks-osm-webhook-osm -o json | jq -r '.webhooks[0].clientConfig.caBundle' | wc -c
+```
+
+```Example Output
+1845
+```
+
+This number indicates the number of bytes, or the size of the CA Bundle. If this is empty, 0, or some number under 1000 it would indicate that the CA Bundle is not correctly provisioned. Without a correct CA Bundle, the Validating Webhook would be erroring out and prohibiting the user from making changes to the osm-config ConfigMap in the kube-system namespace.
+
+A sample error when the CA Bundle is incorrect:
+
+- An attempt to change the osm-config ConfigMap:
+
+```azurecli-interactive
+kubectl patch ConfigMap osm-config -n kube-system --type merge --patch '{"data":{"config_resync_interval":"2m"}}'
+```
+
+- Error:
+
+```
+Error from server (InternalError): Internal error occurred: failed calling webhook "osm-config-webhook.k8s.io": Post https://osm-config-validator.kube-system.svc:9093/validate-webhook?timeout=30s: x509: certificate signed by unknown authority
+```
+
+Work around for when the **Validating** Webhook Configuration has a bad certificate:
+
+- Option 1 - Restart OSM Controller - this will restart the OSM Controller. On start, it will overwrite the CA Bundle of both the Mutating and Validating webhooks.
+
+```azurecli-interactive
+kubectl rollout restart deployment -n kube-system osm-controller
+```
+
+- Option 2 - Option 2. Delete the Validating Webhook - removing the Validating Webhook makes mutations of the `osm-config` ConfigMap no longer validated. Any patch will go through. The AKS Reconciler will at some point ensure the Validating Webhook exists and will recreate it. The OSM Controller may have to be restarted to quickly rewrite the CA Bundle.
+
+```azurecli-interactive
+kubectl delete ValidatingWebhookConfiguration aks-osm-webhook-osm
+```
+
+- Option 3 - Delete and Patch: The following command will delete the validating webhook, allowing us to add any values, and will immediately try to apply a patch. Most likely the AKS Reconciler will not have enough time to reconcile and restore the Validating Webhook giving us the opportunity to apply a change as a last resort:
+
+```azurecli-interactive
+kubectl delete ValidatingWebhookConfiguration aks-osm-webhook-osm; kubectl patch ConfigMap osm-config -n kube-system --type merge --patch '{"data":{"config_resync_interval":"15s"}}'
+```
+
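Review bot: Option 2 and Option 3 delete `aks-osm-webhook-osm` to get past a broken CA bundle, and Option 3 additionally races the AKS reconciler; the text should say up front that this leaves `osm-config` unvalidated until the webhook is recreated and the controller has refilled the bundle, and that Option 1 (`kubectl rollout restart deployment -n kube-system osm-controller`) is the one to try first. Smaller points in the same region: `jq -r '.webhooks[0].clientConfig.caBundle' | wc -c` counts base64 characters rather than bytes, and when the field is absent `jq -r` prints `null`, so the result is `5` rather than `0`, which the "empty, 0" wording should mention; and the two headings `Check for the service and the CA bundle of the ... webhook` only show `.clientConfig.service`, the bundle check is the heading that follows.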
+#### Check the `osm-config` **ConfigMap**
+
+> [!NOTE]
+> The OSM Controller does not require for the `osm-config` ConfigMap to be present in the kube-system namespace. The controller has reasonable default values for the config and can operate without it.
+
+Check for the existence:
+
+```azurecli-interactive
+kubectl get ConfigMap -n kube-system osm-config
+```
+
+Check the content of the osm-config ConfigMap
+
+```azurecli-interactive
+kubectl get ConfigMap -n kube-system osm-config -o json | jq '.data'
+```
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.20.233",
+ "permissive_traffic_policy_mode": "true",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+`osm-config` ConfigMap values:
+
+| Key | Type | Allowed Values | Default Value | Function |
+| -- | | - | -- | |
+| egress | bool | true, false | `"false"` | Enables egress in the mesh. |
+| enable_debug_server | bool | true, false | `"true"` | Enables a debug endpoint on the osm-controller pod to list information regarding the mesh such as proxy connections, certificates, and SMI policies. |
+| enable_privileged_init_container | bool | true, false | `"false"` | Enables privileged init containers for pods in mesh. When false, init containers only have NET_ADMIN. |
+| envoy_log_level | string | trace, debug, info, warning, warn, error, critical, off | `"error"` | Sets the logging verbosity of Envoy proxy sidecar, only applicable to newly created pods joining the mesh. To update the log level for existing pods, restart the deployment with `kubectl rollout restart`. |
+| outbound_ip_range_exclusion_list | string | comma-separated list of IP ranges of the form a.b.c.d/x | `-` | Global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy. |
+| permissive_traffic_policy_mode | bool | true, false | `"false"` | Setting to `true`, enables allow-all mode in the mesh i.e. no traffic policy enforcement in the mesh. If set to `false`, enables deny-all traffic policy in mesh i.e. an `SMI Traffic Target` is necessary for services to communicate. |
+| prometheus_scraping | bool | true, false | `"true"` | Enables Prometheus metrics scraping on sidecar proxies. |
+| service_cert_validity_duration | string | 24h, 1h30m (any time duration) | `"24h"` | Sets the service certificate validity duration, represented as a sequence of decimal numbers each with optional fraction and a unit suffix. |
+| tracing_enable | bool | true, false | `"false"` | Enables Jaeger tracing for the mesh. |
+| tracing_address | string | jaeger.mesh-namespace.svc.cluster.local | `jaeger.kube-system.svc.cluster.local` | Address of the Jaeger deployment, if tracing is enabled. |
+| tracing_endpoint | string | /api/v2/spans | /api/v2/spans | Endpoint for tracing data, if tracing enabled. |
+| tracing_port | int | any non-zero integer value | `"9411"` | Port on which tracing is enabled. |
+| use_https_ingress | bool | true, false | `"false"` | Enables HTTPS ingress on the mesh. |
+| config_resync_interval | string | under 1 minute disables this | 0 (disabled) | When a value above 1m (60s) is provided, OSM Controller will send all available config to each connected Envoy at the given interval |
+
+#### Check Namespaces
+
+> [!NOTE]
+> The kube-system namespace will never participate in a service mesh and will never be labeled and/or annotated with the key/values below.
+
+We use the `osm namespace add` command to join namespaces to a given service mesh.
+When a k8s namespace is part of the mesh (or for it to be part of the mesh) the following must be true:
+
+View the annotations with
+
+```azurecli-interactive
+kubectl get namespace bookbuyer -o json | jq '.metadata.annotations'
+```
+
+The following annotation must be present:
+
+```Output
+{
+ "openservicemesh.io/sidecar-injection": "enabled"
+}
+```
+
+View the labels with
+
+```azurecli-interactive
+kubectl get namespace bookbuyer -o json | jq '.metadata.labels'
+```
+
+The following label must be present:
+
+```Output
+{
+ "openservicemesh.io/monitored-by": "osm"
+}
+```
+
+If a namespace is not annotated with `"openservicemesh.io/sidecar-injection": "enabled"` or not labeled with `"openservicemesh.io/monitored-by": "osm"` the OSM Injector will not add Envoy sidecars.
+
+> Note: After `osm namespace add` is called only **new** pods will be injected with an Envoy sidecar. Existing pods must be restarted with `kubectl rollout restart deployment ...`
+
+#### Verify the SMI CRDs:
+
+Check whether the cluster has the required CRDs:
+
+```azurecli-interactive
+kubectl get crds
+```
+
+We must have the following installed on the cluster:
+
+- httproutegroups.specs.smi-spec.io
+- tcproutes.specs.smi-spec.io
+- trafficsplits.split.smi-spec.io
+- traffictargets.access.smi-spec.io
+- udproutes.specs.smi-spec.io
+
+Get the versions of the CRDs installed with this command:
+
+```azurecli-interactive
+for x in $(kubectl get crds --no-headers | awk '{print $1}' | grep 'smi-spec.io'); do
+ kubectl get crd $x -o json | jq -r '(.metadata.name, "-" , .spec.versions[].name, "\n")'
+done
+```
+
+Expected output:
+
+```Output
+httproutegroups.specs.smi-spec.io
+-
+v1alpha4
+v1alpha3
+v1alpha2
+v1alpha1
++
+tcproutes.specs.smi-spec.io
+-
+v1alpha4
+v1alpha3
+v1alpha2
+v1alpha1
++
+trafficsplits.split.smi-spec.io
+-
+v1alpha2
++
+traffictargets.access.smi-spec.io
+-
+v1alpha3
+v1alpha2
+v1alpha1
++
+udproutes.specs.smi-spec.io
+-
+v1alpha4
+v1alpha3
+v1alpha2
+v1alpha1
+```
+
+OSM Controller v0.8.2 requires the following versions:
+
+- traffictargets.access.smi-spec.io - [v1alpha3](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-access/v1alpha3/traffic-access.md)
+- httproutegroups.specs.smi-spec.io - [v1alpha4](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-specs/v1alpha4/traffic-specs.md#httproutegroup)
+- tcproutes.specs.smi-spec.io - [v1alpha4](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-specs/v1alpha4/traffic-specs.md#tcproute)
+- udproutes.specs.smi-spec.io - Not supported
+- trafficsplits.split.smi-spec.io - [v1alpha2](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-split/v1alpha2/traffic-split.md)
+- \*.metrics.smi-spec.io - [v1alpha1](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-metrics/v1alpha1/traffic-metrics.md)
+
+If CRDs are missing use the following commands to install these on the cluster:
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/access.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/specs.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/split.yaml
+```
+
+## Disable Open Service Mesh (OSM) add-on for your AKS cluster
+
+To disable the OSM add-on, run the following command:
+
+```azurecli-interactive
+az aks disable-addons -n <AKS-cluster-name> -g <AKS-resource-group-name> -a open-service-mesh
+```
+
+<!-- LINKS - internal -->
+
+[kubernetes-service]: concepts-network.md#services
+[az-feature-register]: /cli/azure/feature?view=azure-cli-latest&preserve-view=true#az_feature_register
+[az-feature-list]: /cli/azure/feature?view=azure-cli-latest&preserve-view=true#az_feature_list
+[az-provider-register]: /cli/azure/provider?view=azure-cli-latest&preserve-view=true#az_provider_register
api-management Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/policy-reference.md
Title: Built-in policy definitions for Azure API Management description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
api-management Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
app-service App Service Authentication How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-authentication-how-to.md
Title: Advanced usage of AuthN/AuthZ description: Learn to customize the authentication and authorization feature in App Service for different scenarios, and get user claims and different tokens. Previously updated : 07/08/2020 Last updated : 03/29/2021
This article shows you how to customize the built-in [authentication and authori
To get started quickly, see one of the following tutorials: * [Tutorial: Authenticate and authorize users end-to-end in Azure App Service](tutorial-auth-aad.md)
-* [How to configure your app to use Azure Active Directory login](configure-authentication-provider-aad.md)
+* [How to configure your app to use Microsoft Identity Platform login](configure-authentication-provider-aad.md)
* [How to configure your app to use Facebook login](configure-authentication-provider-facebook.md) * [How to configure your app to use Google login](configure-authentication-provider-google.md)
-* [How to configure your app to use Microsoft Account login](configure-authentication-provider-microsoft.md)
* [How to configure your app to use Twitter login](configure-authentication-provider-twitter.md) * [How to configure your app to login using an OpenID Connect provider (Preview)](configure-authentication-provider-openid-connect.md) * [How to configure your app to login using an Sign in with Apple (Preview)](configure-authentication-provider-apple.md)
In **Action to take when request is not authenticated**, select **Allow Anonymou
In the sign-in page, or the navigation bar, or any other location of your app, add a sign-in link to each of the providers you enabled (`/.auth/login/<provider>`). For example: ```html
-<a href="/.auth/login/aad">Log in with Azure AD</a>
-<a href="/.auth/login/microsoftaccount">Log in with Microsoft Account</a>
+<a href="/.auth/login/aad">Log in with the Microsoft Identity Platform</a>
<a href="/.auth/login/facebook">Log in with Facebook</a> <a href="/.auth/login/google">Log in with Google</a> <a href="/.auth/login/twitter">Log in with Twitter</a>
From your server code, the provider-specific tokens are injected into the reques
| Azure Active Directory | `X-MS-TOKEN-AAD-ID-TOKEN` <br/> `X-MS-TOKEN-AAD-ACCESS-TOKEN` <br/> `X-MS-TOKEN-AAD-EXPIRES-ON` <br/> `X-MS-TOKEN-AAD-REFRESH-TOKEN` | | Facebook Token | `X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN` <br/> `X-MS-TOKEN-FACEBOOK-EXPIRES-ON` | | Google | `X-MS-TOKEN-GOOGLE-ID-TOKEN` <br/> `X-MS-TOKEN-GOOGLE-ACCESS-TOKEN` <br/> `X-MS-TOKEN-GOOGLE-EXPIRES-ON` <br/> `X-MS-TOKEN-GOOGLE-REFRESH-TOKEN` |
-| Microsoft Account | `X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN` <br/> `X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON` <br/> `X-MS-TOKEN-MICROSOFTACCOUNT-AUTHENTICATION-TOKEN` <br/> `X-MS-TOKEN-MICROSOFTACCOUNT-REFRESH-TOKEN` |
| Twitter | `X-MS-TOKEN-TWITTER-ACCESS-TOKEN` <br/> `X-MS-TOKEN-TWITTER-ACCESS-TOKEN-SECRET` | |||
When your provider's access token (not the [session token](#extend-session-token
- **Google**: Append an `access_type=offline` query string parameter to your `/.auth/login/google` API call. If using the Mobile Apps SDK, you can add the parameter to one of the `LogicAsync` overloads (see [Google Refresh Tokens](https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens)). - **Facebook**: Doesn't provide refresh tokens. Long-lived tokens expire in 60 days (see [Facebook Expiration and Extension of Access Tokens](https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension)). - **Twitter**: Access tokens don't expire (see [Twitter OAuth FAQ](https://developer.twitter.com/en/docs/authentication/faq)).-- **Microsoft Account**: When [configuring Microsoft Account Authentication Settings](configure-authentication-provider-microsoft.md), select the `wl.offline_access` scope. - **Azure Active Directory**: In [https://resources.azure.com](https://resources.azure.com), do the following steps: 1. At the top of the page, select **Read/Write**. 2. In the left browser, navigate to **subscriptions** > **_\<subscription\_name_** > **resourceGroups** > **_\<resource\_group\_name>_** > **providers** > **Microsoft.Web** > **sites** > **_\<app\_name>_** > **config** > **authsettings**.
The identity provider may provide certain turn-key authorization. For example:
If either of the other levels don't provide the authorization you need, or if your platform or identity provider isn't supported, you must write custom code to authorize users based on the [user claims](#access-user-claims).
-## Updating the configuration version (preview)
+## Updating the configuration version
-There are two versions of the management API for the Authentication / Authorization feature. The preview V2 version is required for the "Authentication (preview)" experience in the Azure portal. An app already using the V1 API can upgrade to the V2 version once a few changes have been made. Specifically, secret configuration must be moved to slot-sticky application settings. Configuration of the Microsoft Account provider is also not supported in V2 presently.
+There are two versions of the management API for the Authentication / Authorization feature. The V2 version is required for the "Authentication" experience in the Azure portal. An app already using the V1 API can upgrade to the V2 version once a few changes have been made. Specifically, secret configuration must be moved to slot-sticky application settings. This can be done automatically from the "Authentication" section of the portal for your app.
> [!WARNING]
-> Migration to the V2 preview will disable management of the App Service Authentication / Authorization feature for your application through some clients, such as its existing experience in the Azure portal, Azure CLI, and Azure PowerShell. This cannot be reversed. During the preview, migration of production workloads is not encouraged or supported. You should only follow the steps in this section for test applications.
+> Migration to V2 will disable management of the App Service Authentication / Authorization feature for your application through some clients, such as its existing experience in the Azure portal, Azure CLI, and Azure PowerShell. This cannot be reversed.
-### Moving secrets to application settings
+The V2 API does not support creation or editing of Microsoft Account as a distinct provider as was done in V1. Rather, it leverages the converged [Microsoft Identity Platform](../active-directory/develop/v2-overview.md) to sign-in users with both Azure AD and personal Microsoft accounts. When switching to the V2 API, the V1 Azure Active Directory configuration is used to configure the Microsoft Identity Platform provider. The V1 Microsoft Account provider will be carried forward in the migration process and continue to operate as normal, but it is recommended that you move to the newer Microsoft Identity Platform model. See [Support for Microsoft Account provider registrations](#support-for-microsoft-account-provider-registrations) to learn more.
+
+The automated migration process will move provider secrets into application settings and then convert the rest of the configuration into the new format. To use the automatic migration:
+
+1. Navigate to your app in the portal and select the **Authentication** menu option.
+1. If the app is configured using the V1 model, you will see an **Upgrade** button.
+1. Review the description in the confirmation prompt. If you are ready to perform the migration, click **Upgrade** in the prompt.
+
+### Manually managing the migration
+
+The following steps will allow you to manually migrate the application to the V2 API if you do not wish to use the automatic version mentioned above.
+
+#### Moving secrets to application settings
1. Get your existing configuration by using the V1 API:
There are two versions of the management API for the Authentication / Authorizat
You have now migrated the app to store identity provider secrets as application settings.
-### Support for Microsoft account registrations
-
-The V2 API does not currently support Microsoft Account as a distinct provider. Rather, it leverages the converged [Microsoft Identity Platform](../active-directory/develop/v2-overview.md) to sign-in users with personal Microsoft accounts. When switching to the V2 API, the V1 Azure Active Directory configuration is used to configure the Microsoft Identity Platform provider.
+#### Support for Microsoft Account provider registrations
If your existing configuration contains a Microsoft Account provider and does not contain an Azure Active Directory provider, you can switch the configuration over to the Azure Active Directory provider and then perform the migration. To do this:
If your existing configuration contains a Microsoft Account provider and does no
1. At this point, you have successfully copied the configuration over, but the existing Microsoft Account provider configuration remains. Before you remove it, make sure that all parts of your app reference the Azure Active Directory provider through login links, etc. Verify that all parts of your app work as expected. 1. Once you have validated that things work against the AAD Azure Active Directory provider, you may remove the Microsoft Account provider configuration.
-Some apps may already have separate registrations for Azure Active Directory and Microsoft Account. Those apps cannot be migrated at this time.
- > [!WARNING] > It is possible to converge the two registrations by modifying the [supported account types](../active-directory/develop/supported-accounts-validation.md) for the AAD app registration. However, this would force a new consent prompt for Microsoft Account users, and those users' identity claims may be different in structure, `sub` notably changing values since a new App ID is being used. This approach is not recommended unless thoroughly understood. You should instead wait for support for the two registrations in the V2 API surface.
-### Switching to V2
+#### Switching to V2
Once the above steps have been performed, navigate to the app in the Azure portal. Select the "Authentication (preview)" section.
app-service App Service Key Vault References https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-key-vault-references.md
In order to read secrets from Key Vault, you need to have a vault created and gi
1. Create an [access policy in Key Vault](../key-vault/general/secure-your-key-vault.md#key-vault-access-policies) for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or `applicationId` settings, as this is not compatible with a managed identity.
- > [!IMPORTANT]
- > Key Vault references are not presently able to resolve secrets stored in a key vault with [network restrictions](../key-vault/general/overview-vnet-service-endpoints.md) unless the app is hosted within an [App Service Environment](./environment/intro.md).
+### Access network-restricted vaults
+
+> [!NOTE]
+> Linux-based applications are not presently able to resolve secrets from a network-restricted key vault unless the app is hosted within an [App Service Environment](./environment/intro.md).
+
+If your vault is configured with [network restrictions](../key-vault/general/overview-vnet-service-endpoints.md), you will also need to ensure that the application has network access.
+
+1. Make sure the application has outbound networking capabilities configured, as described in [App Service networking features](./networking-features.md) and [Azure Functions networking options](../azure-functions/functions-networking-options.md).
+
+2. Make sure that the vault's configuration accounts for the network or subnet through which your app will access it.
+
+> [!IMPORTANT]
+> Accessing a vault through virtual network integration is currently incompatible with [automatic updates for secrets without a specified version](#rotation).
## Reference syntax
Alternatively:
## Rotation
+> [!IMPORTANT]
+> [Accessing a vault through virtual network integration](#access-network-restricted-vaults) is currently incompatible with automatic updates for secrets without a specified version.
+ If a version is not specified in the reference, then the app will use the latest version that exists in Key Vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within one day. Any configuration changes made to the app will cause an immediate update to the latest versions of all referenced secrets. ## Source Application Settings from Key Vault
app-service Configure Authentication Provider Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-authentication-provider-aad.md
[!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)]
-This article shows you how to configure authentication for Azure App Service or Azure Functions so that your app signs in users with Azure Active Directory (Azure AD) as the authentication provider.
+This article shows you how to configure authentication for Azure App Service or Azure Functions so that your app signs in users with the [Microsoft Identity Platform](../active-directory/develop/v2-overview.md) (Azure AD) as the authentication provider.
-## <a name="express"> </a>Configure with express settings
+The App Service Authentication feature can automatically create an app registration with the Microsoft Identity Platform. You can also use a registration that you or a directory admin creates separately.
-The **Express** option is designed to make enabling authentication simple and requires just a few clicks.
-
-The express settings will automatically create an application registration that uses the Azure Active Directory V1 endpoint. To use [Azure Active Directory v2.0](../active-directory/develop/v2-overview.md) (including [MSAL](../active-directory/develop/msal-overview.md)), follow the [advanced configuration instructions](#advanced).
+- [Create a new app registration automatically](#express)
+- [Use an existing registration created separately](#advanced)
> [!NOTE]
-> The **Express** option is not available for government clouds.
-
-To enable authentication using the **Express** option, follow these steps:
+> The option to create a new registration is not available for government clouds. Instead, [define a registration separately](#advanced).
-1. In the [Azure portal], search for and select **App Services**, and then select your app.
-2. From the left navigation, select **Authentication / Authorization** > **On**.
-3. Select **Azure Active Directory** > **Express**.
+## <a name="express"> </a>Create a new app registration automatically
- If you want to choose an existing app registration instead:
+This option is designed to make enabling authentication simple and requires just a few clicks.
- 1. Choose **Select Existing AD app**, then click **Azure AD App**.
- 2. Choose an existing app registration and click **OK**.
+1. Sign in to the [Azure portal] and navigate to your app.
+1. Select **Authentication** in the menu on the left. Click **Add identity provider**.
+1. Select **Microsoft** in the identity provider dropdown. The option to create a new registration is selected by default. You can change the name of the registration or the supported account types.
-4. Select **OK** to register the App Service app in Azure Active Directory. A new app registration is created.
+ A client secret will be created and stored as a slot-sticky [application setting](./configure-common.md#configure-app-settings) named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. You can update that setting later to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault.
- ![Express settings in Azure Active Directory](./media/configure-authentication-provider-aad/express-settings.png)
+1. If this is the first identity provider configured for the application, you will also be prompted with an **App Service authentication settings** section. Otherwise, you may move on to the next step.
+
+ These options determine how your application responds to unauthenticated requests, and the default selections will redirect all requests to log in with this new provider. You can change customize this behavior now or adjust these settings later from the main **Authentication** screen by choosing **Edit** next to **Authentication settings**. To learn more about these options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
-5. (Optional) By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code. To restrict app access only to users authenticated by Azure Active Directory, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated to Azure Active Directory for authentication.
+1. (Optional) Click **Next: Permissions** and add any scopes needed by the application. These will be added to the app registration, but you can also change them later.
+1. Click **Add**.
- > [!CAUTION]
- > Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** might be preferred, with the app manually starting login itself. For more information, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
-6. Select **Save**.
+You're now ready to use the Microsoft Identity Platform for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.
For an example of configuring Azure AD login for a web app that accesses Azure Storage and Microsoft Graph, see [this tutorial](scenario-secure-app-authentication-app-service.md).
-## <a name="advanced"> </a>Configure with advanced settings
+## <a name="advanced"> </a>Use an existing registration created separately
-In order for Azure AD to act as the authentication provider for your app, you must register your app with it. The Express option does this for you automatically. The Advanced option allows you to manually register your app, customizing the registration and manually inputting the registration details back to the App Service. This is useful, for example, if you want to use an app registration from a different Azure AD tenant than the one your App Service is in.
+You can also manually register your application for the Microsoft Identity Platform, customizing the registration and configuring App Service Authentication with the registration details. This is useful, for example, if you want to use an app registration from a different Azure AD tenant than the one your application is in.
### <a name="register"> </a>Create an app registration in Azure AD for your App Service app
To register the app, perform the following steps:
### <a name="secrets"> </a>Enable Azure Active Directory in your App Service app
-1. In the [Azure portal], search for and select **App Services**, and then select your app.
-1. In the left pane, under **Settings**, select **Authentication / Authorization** > **On**.
-1. (Optional) By default, App Service authentication allows unauthenticated access to your app. To enforce user authentication, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**.
-1. Under **Authentication Providers**, select **Azure Active Directory**.
-1. In **Management mode**, select **Advanced** and configure App Service authentication according to the following table:
+1. Sign in to the [Azure portal] and navigate to your app.
+1. Select **Authentication** in the menu on the left. Click **Add identity provider**.
+1. Select **Microsoft** in the identity provider dropdown.
+1. For **App registration type**, you can choose to **Pick an existing app registration in this directory** which will automatically gather the necessary app information. If your registration is from another tenant or you do not have permission to view the registration object, choose **Provide the details of an existing app registration**. For this option, you will need to fill in the following configuration details:
|Field|Description| |-|-|
- |Client ID| Use the **Application (client) ID** of the app registration. |
- |Issuer Url| Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Azure), also replacing *\<tenant-id>* with the **Directory (tenant) ID** in which the app registration was created. This value is used to redirect users to the correct Azure AD tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. For applications that use Azure AD v1 and for Azure Functions apps, omit `/v2.0` in the URL.|
+ |Application (client) ID| Use the **Application (client) ID** of the app registration. |
|Client Secret (Optional)| Use the client secret you generated in the app registration. With a client secret, hybrid flow is used and the App Service will return access and refresh tokens. When the client secret is not set, implicit flow is used and only an id token is returned. These tokens are sent by the provider and stored in the EasyAuth token store.|
+ |Issuer Url| Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Azure), also replacing *\<tenant-id>* with the **Directory (tenant) ID** in which the app registration was created. This value is used to redirect users to the correct Azure AD tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. For applications that use Azure AD v1 and for Azure Functions apps, omit `/v2.0` in the URL.|
|Allowed Token Audiences| If this is a cloud or server app and you want to allow authentication tokens from a web app, add the **Application ID URI** of the web app here. The configured **Client ID** is *always* implicitly considered to be an allowed audience.|
-2. Select **OK**, and then select **Save**.
+ The client secret will be stored as a slot-sticky [application setting](./configure-common.md#configure-app-settings) named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. You can update that setting later to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault.
+
+1. If this is the first identity provider configured for the application, you will also be prompted with an **App Service authentication settings** section. Otherwise, you may move on to the next step.
+
+ These options determine how your application responds to unauthenticated requests, and the default selections will redirect all requests to log in with this new provider. You can change customize this behavior now or adjust these settings later from the main **Authentication** screen by choosing **Edit** next to **Authentication settings**. To learn more about these options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
+
+1. Click **Add**.
-You're now ready to use Azure Active Directory for authentication in your App Service app.
+You're now ready to use the Microsoft Identity Platform for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.
## Configure client apps to access your App Service
app-service Configure Authentication Provider Facebook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-authentication-provider-facebook.md
Title: Configure Facebook authentication
description: Learn how to configure Facebook authentication as an identity provider for your App Service or Azure Functions app. ms.assetid: b6b4f062-fcb4-47b3-b75a-ec4cb51a62fd Previously updated : 06/06/2019 Last updated : 03/29/2021
To complete the procedure in this article, you need a Facebook account that has
## <a name="secrets"> </a>Add Facebook information to your application
-1. Sign in to the [Azure portal] and navigate to your App Service app.
-1. Select **Settings** > **Authentication / Authorization**, and make sure that **App Service Authentication** is **On**.
-1. Select **Facebook**, and then paste in the App ID and App Secret values that you obtained previously. Enable any scopes needed by your application.
-1. Select **OK**.
+1. Sign in to the [Azure portal] and navigate to your app.
+1. Select **Authentication** in the menu on the left. Click **Add identity provider**.
+1. Select **Facebook** in the identity provider dropdown. Paste in the App ID and App Secret values that you obtained previously.
- ![Screenshot of Mobile App Facebook Settings][0]
+ The secret will be stored as a slot-sticky [application setting](./configure-common.md#configure-app-settings) named `FACEBOOK_PROVIDER_AUTHENTICATION_SECRET`. You can update that setting later to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault.
- By default, App Service provides authentication, but it doesn't restrict authorized access to your site content and APIs. You need to authorize users in your app code.
-1. (Optional) To restrict access only to users authenticated by Facebook, set **Action to take when request is not authenticated** to **Facebook**. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated requests to Facebook for authentication.
+1. If this is the first identity provider configured for the application, you will also be prompted with an **App Service authentication settings** section. Otherwise, you may move on to the next step.
+
+ These options determine how your application responds to unauthenticated requests, and the default selections will redirect all requests to log in with this new provider. You can change customize this behavior now or adjust these settings later from the main **Authentication** screen by choosing **Edit** next to **Authentication settings**. To learn more about these options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
- > [!CAUTION]
- > Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** might be preferred so that the app manually starts authentication itself. For more information, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
+1. (Optional) Click **Next: Scopes** and add any scopes needed by the application. These will be requested at login time for browser-based flows.
+1. Click **Add**.
-1. Select **Save**.
-
-You're now ready to use Facebook for authentication in your app.
+You're now ready to use Facebook for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.
## <a name="related-content"> </a>Next steps [!INCLUDE [app-service-mobile-related-content-get-started-users](../../includes/app-service-mobile-related-content-get-started-users.md)]
-<!-- Images. -->
-[0]: ./media/app-service-mobile-how-to-configure-facebook-authentication/mobile-app-facebook-settings.png
- <!-- URLs. --> [Facebook Developers]: https://go.microsoft.com/fwlink/p/?LinkId=268286 [facebook.com]: https://go.microsoft.com/fwlink/p/?LinkId=268285
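Review bot: typo in the added line beginning "These options determine how your application responds": "You can change customize this behavior now" should read "You can customize this behavior now". The same hunk also drops the sentence "By default, App Service provides authentication, but it doesn't restrict authorized access to your site content and APIs. You need to authorize users in your app code." without replacing it; nothing in the new steps tells the reader that, once the defaults are changed away from redirecting every request to the provider, authorization is still the app's responsibility. Suggest keeping one sentence to that effect in the "App Service authentication settings" step, for example "If you allow unauthenticated requests, your app code must still authorize users."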
app-service Configure Authentication Provider Google https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-authentication-provider-google.md
Title: Configure Google authentication
description: Learn how to configure Google authentication as an identity provider for your App Service or Azure Functions app. ms.assetid: 2b2f9abf-9120-4aac-ac5b-4a268d9b6e2b Previously updated : 09/02/2019 Last updated : 03/29/2021
To complete the procedure in this topic, you must have a Google account that has
## <a name="secrets"> </a>Add Google information to your application
-1. In the [Azure portal], go to your App Service app.
-1. Select **Settings** > **Authentication / Authorization**, and make sure that **App Service Authentication** is **On**.
-1. Select **Google**, then paste in the App ID and App Secret values that you obtained previously. Enable any scopes needed by your application.
-1. Select **OK**.
+1. Sign in to the [Azure portal] and navigate to your app.
+1. Select **Authentication** in the menu on the left. Click **Add identity provider**.
+1. Select **Google** in the identity provider dropdown. Paste in the App ID and App Secret values that you obtained previously.
- App Service provides authentication but doesn't restrict authorized access to your site content and APIs. For more information, see [Authorize or deny users](app-service-authentication-how-to.md#authorize-or-deny-users).
+ The secret will be stored as a slot-sticky [application setting](./configure-common.md#configure-app-settings) named `GOOGLE_PROVIDER_AUTHENTICATION_SECRET`. You can update that setting later to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault.
-1. (Optional) To restrict site access only to users authenticated by Google, set **Action to take when request is not authenticated** to **Google**. When you set this functionality, your app requires that all requests be authenticated. It also redirects all unauthenticated requests to Google for authentication.
+1. If this is the first identity provider configured for the application, you will also be prompted with an **App Service authentication settings** section. Otherwise, you may move on to the next step.
+
+ These options determine how your application responds to unauthenticated requests, and the default selections will redirect all requests to log in with this new provider. You can change customize this behavior now or adjust these settings later from the main **Authentication** screen by choosing **Edit** next to **Authentication settings**. To learn more about these options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
- > [!CAUTION]
- > Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** might be preferred so that the app manually starts authentication itself. For more information, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
+1. (Optional) Click **Next: Scopes** and add any scopes needed by the application. These will be requested at login time for browser-based flows.
+1. Click **Add**.
-1. Select **Save**.
-
-You are now ready to use Google for authentication in your app.
+You are now ready to use Google for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.
## <a name="related-content"> </a>Next steps
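Review bot: same typo as the Facebook page in the added "These options determine how your application responds" line: "change customize" should be "customize". This hunk also removes the only pointer to [Authorize or deny users](app-service-authentication-how-to.md#authorize-or-deny-users); since the new text explains that the default redirects every request but can be changed, keep that link so readers who relax the default know where the authorization guidance lives.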
app-service Configure Authentication Provider Microsoft https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-authentication-provider-microsoft.md
Title: Configure Microsoft authentication
description: Learn how to configure Microsoft Account authentication as an identity provider for your App Service or Azure Functions app. ms.assetid: ffbc6064-edf6-474d-971c-695598fd08bf Previously updated : 08/08/2019 Last updated : 03/29/2021
This topic shows you how to configure Azure App Service or Azure Functions to use AAD to support personal Microsoft account logins.
-> [!NOTE]
-> Both personal Microsoft accounts and organizational accounts use the AAD identity provider. At this time, is not possible to configure this identity provider to support both types of log-ins.
+> [!IMPORTANT]
+> While the Microsoft Account provider is still supported, it is recommended that apps instead use the [Microsoft Identity Platform provider (Azure AD)](./configure-authentication-provider-aad.md). The Microsoft Identity Platform offers support for both organizational accounts and personal Microsoft accounts.
## <a name="register-microsoft-account"> </a>Register your app with Microsoft Account
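Review bot: the unchanged intro sentence "This topic shows you how to configure Azure App Service or Azure Functions to use AAD to support personal Microsoft account logins" now contradicts the new IMPORTANT box, which presents the Microsoft Account provider as distinct from the Microsoft Identity Platform (Azure AD) provider it recommends instead. Suggest rewording the intro to say the page configures the Microsoft Account provider, so the two paragraphs agree on which provider is being set up.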
app-service Configure Authentication Provider Twitter https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-authentication-provider-twitter.md
Title: Configure Twitter authentication
description: Learn how to configure Twitter authentication as an identity provider for your App Service or Azure Functions app. ms.assetid: c6dc91d7-30f6-448c-9f2d-8e91104cde73 Previously updated : 02/28/2020 Last updated : 03/29/2021
To complete the procedure in this article, you need a Twitter account that has a
- API key - API secret key
- > [!NOTE]
+ > [!IMPORTANT]
> The API secret key is an important security credential. Do not share this secret with anyone or distribute it with your app. ## <a name="secrets"> </a>Add Twitter information to your application
-1. Go to your application in the [Azure portal].
-1. Select **Settings** > **Authentication / Authorization**, and make sure that **App Service Authentication** is **On**.
-1. Select **Twitter**.
-1. Paste in the `API key` and `API secret key` values that you obtained previously.
-1. Select **OK**.
+1. Sign in to the [Azure portal] and navigate to your app.
+1. Select **Authentication** in the menu on the left. Click **Add identity provider**.
+1. Select **Twitter** in the identity provider dropdown. Paste in the `API key` and `API secret key` values that you obtained previously.
- ![Screenshot of Mobile App Twitter settings][1]
+ The secret will be stored as a slot-sticky [application setting](./configure-common.md#configure-app-settings) named `TWITTER_PROVIDER_AUTHENTICATION_SECRET`. You can update that setting later to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault.
- By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code.
+1. If this is the first identity provider configured for the application, you will also be prompted with an **App Service authentication settings** section. Otherwise, you may move on to the next step.
+
+ These options determine how your application responds to unauthenticated requests, and the default selections will redirect all requests to log in with this new provider. You can change customize this behavior now or adjust these settings later from the main **Authentication** screen by choosing **Edit** next to **Authentication settings**. To learn more about these options, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
-1. (Optional) To restrict access to your site to only users authenticated by Twitter, set **Action to take when request is not authenticated** to **Twitter**. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated requests to Twitter for authentication.
+1. Click **Add**.
- > [!CAUTION]
- > Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** might be preferred so that the app manually starts authentication itself. For more information, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
-
-1. Select **Save**.
-
-You are now ready to use Twitter for authentication in your app.
+You're now ready to use Twitter for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.
## <a name="related-content"> </a>Next steps [!INCLUDE [app-service-mobile-related-content-get-started-users](../../includes/app-service-mobile-related-content-get-started-users.md)]
-<!-- Images. -->
-
-[0]: ./media/app-service-mobile-how-to-configure-twitter-authentication/app-service-twitter-redirect.png
-[1]: ./media/app-service-mobile-how-to-configure-twitter-authentication/mobile-app-twitter-settings.png
- <!-- URLs. --> [Twitter Developers]: https://go.microsoft.com/fwlink/p/?LinkId=268300
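Review bot: same "change customize" typo in the added "These options determine how your application responds" line. Unlike the Facebook and Google hunks in this change set, the Twitter step list goes straight from the authentication settings step to "Click **Add**" with no "(Optional) Click **Next: Scopes**" step; if that is intentional for this provider, a short sentence saying scopes do not apply here would stop readers looking for the missing step. The removed sentence "By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code." is also not carried over; as on the other two pages, keep one sentence stating that authorization remains the app's job when unauthenticated requests are allowed.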
app-service Overview Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-authentication-authorization.md
Title: Authentication and authorization
description: Find out about the built-in authentication and authorization support in Azure App Service and Azure Functions, and how it can help secure your app against unauthorized access. ms.assetid: b7151b57-09e5-4c77-a10c-375a262f17e5 Previously updated : 07/08/2020 Last updated : 03/29/2021
App Service uses [federated identity](https://en.wikipedia.org/wiki/Federated_id
| Provider | Sign-in endpoint | How-To guidance | | - | - | - |
-| [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) | `/.auth/login/aad` | [App Service Azure AD login](configure-authentication-provider-aad.md) |
-| [Microsoft Account](../active-directory/develop/v2-overview.md) | `/.auth/login/microsoftaccount` | [App Service Microsoft Account login](configure-authentication-provider-microsoft.md) |
+| [Microsoft Identity Platform](../active-directory/fundamentals/active-directory-whatis.md) | `/.auth/login/aad` | [App Service Microsoft Identity Platform login](configure-authentication-provider-aad.md) |
| [Facebook](https://developers.facebook.com/docs/facebook-login) | `/.auth/login/facebook` | [App Service Facebook login](configure-authentication-provider-facebook.md) | | [Google](https://developers.google.com/identity/choose-auth) | `/.auth/login/google` | [App Service Google login](configure-authentication-provider-google.md) | | [Twitter](https://developer.twitter.com/en/docs/basics/authentication) | `/.auth/login/twitter` | [App Service Twitter login](configure-authentication-provider-twitter.md) |
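Review bot: this hunk removes the Microsoft Account row (`/.auth/login/microsoftaccount`, configure-authentication-provider-microsoft.md) from the provider table, but the Microsoft Account page edited in this same change set states "While the Microsoft Account provider is still supported" and keeps its how-to content. Dropping the row leaves a supported sign-in endpoint undocumented in the overview; suggest keeping the row, marked as a legacy option that points to the Microsoft Identity Platform provider, rather than deleting it.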
For client browsers, App Service can automatically direct all unauthenticated us
#### Authorization behavior
-In the [Azure portal](https://portal.azure.com), you can configure App Service authorization with a number of behaviors when incoming request is not authenticated.
+In the [Azure portal](https://portal.azure.com), you can configure App Service with a number of behaviors when incoming request is not authenticated. The following headings describe the options.
-![A screenshot showing the "Action to take when request is not authenticated" dropdown](media/app-service-authentication-overview/authorization-flow.png)
-
-The following headings describe the options.
-
-**Allow Anonymous requests (no action)**
+**Allow unauthenticated requests**
This option defers authorization of unauthenticated traffic to your application code. For authenticated requests, App Service also passes along authentication information in the HTTP headers. This option provides more flexibility in handling anonymous requests. For example, it lets you [present multiple sign-in providers](app-service-authentication-how-to.md#use-multiple-sign-in-providers) to your users. However, you must write code.
-**Allow only authenticated requests**
+**Require authentication**
-The option is **Log in with \<provider>**. App Service redirects all anonymous requests to `/.auth/login/<provider>` for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an `HTTP 401 Unauthorized`.
+This option will reject any unauthenticated traffic to your application. This rejection can be a redirect action to one of the configured identity providers. In these cases, a browser client is redirected to `/.auth/login/<provider>` for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an `HTTP 401 Unauthorized`. You can also configure the rejection to be an `HTTP 401 Unauthorized` or `HTTP 403 Forbidden` for all requests.
With this option, you don't need to write any authentication code in your app. Finer authorization, such as role-specific authorization, can be handled by inspecting the user's claims (see [Access user claims](app-service-authentication-how-to.md#access-user-claims)).
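Review bot: grammar carried over from the old line into the rewritten "In the [Azure portal]... you can configure App Service with a number of behaviors when incoming request is not authenticated": should be "when an incoming request is not authenticated". Terminology: the heading is renamed from "Allow Anonymous requests (no action)" to "Allow unauthenticated requests", but the unchanged paragraph beneath it still says "This option provides more flexibility in handling anonymous requests"; align it to "unauthenticated requests" so the option name and its description match. In the new **Require authentication** paragraph, "This rejection can be a redirect action to one of the configured identity providers. In these cases, a browser client is redirected" reads more clearly as one sentence, e.g. "If you choose a redirect action, browser clients are redirected to `/.auth/login/<provider>` for the provider you choose."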
app-service Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/policy-reference.md
Title: Built-in policy definitions for Azure App Service description: Lists Azure Policy built-in policy definitions for Azure App Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
app-service Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
application-gateway Add Http Header Rewrite Rule Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/add-http-header-rewrite-rule-powershell.md
In this example, we'll modify a redirection URL by rewriting the location header
```azurepowershell $responseHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "Location" -HeaderValue "{http_resp_Location_1}://contoso.com{http_resp_Location_2}"
-$actionSet = New-AzApplicationGatewayRewriteRuleActionSet -RequestHeaderConfiguration $requestHeaderConfiguration -ResponseHeaderConfiguration $responseHeaderConfiguration
+$actionSet = New-AzApplicationGatewayRewriteRuleActionSet -ResponseHeaderConfiguration $responseHeaderConfiguration
$condition = New-AzApplicationGatewayRewriteRuleCondition -Variable "http_resp_Location" -Pattern "(https?):\/\/.*azurewebsites\.net(.*)$" -IgnoreCase
-$rewriteRule = New-AzApplicationGatewayRewriteRule -Name LocationHeader -ActionSet $actionSet
+$rewriteRule = New-AzApplicationGatewayRewriteRule -Name LocationHeader -ActionSet $actionSet -Condition $condition
$rewriteRuleSet = New-AzApplicationGatewayRewriteRuleSet -Name LocationHeaderRewrite -RewriteRule $rewriteRule ```
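Review bot: the two fixes look right: the undefined `$requestHeaderConfiguration` is no longer passed to `New-AzApplicationGatewayRewriteRuleActionSet`, and `$condition` is now actually attached via `-Condition $condition` (previously the rule rewrote the header unconditionally). One point on the unchanged condition line: `-Pattern "(https?):\/\/.*azurewebsites\.net(.*)$"` is not anchored at the start and the `.*` before `azurewebsites\.net` is unbounded, so it matches any Location value that contains `azurewebsites.net` anywhere, including in the path or query string, and with a greedy `.*` the second capture group starts after the last such occurrence. Since `{http_resp_Location_2}` is reused in the rewritten header, a tighter pattern that only matches the host part, such as `^(https?):\/\/[^\/]*azurewebsites\.net(.*)$`, would make the rewrite predictable.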
$reqRoutingRule = Get-AzApplicationGatewayRequestRoutingRule -Name rule1 -Applic
## Update the application gateway with the configuration for rewriting HTTP headers
+In this example, the rewrite set would be associated instantly against a basic routing rule. In case of a path based routing rule, the association would not be enabled by default. The rewrite set can be enabled either via checking the paths on which it needs to be applied via portal or by providing a URL path map config specifying the RewriteRuleSet against each path option.
+ ```azurepowershell
-Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $appgw -Name LocationHeaderRewrite -RewriteRule $rewriteRuleSet.RewriteRules
-Set-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name rule1 -RuleType $reqRoutingRule.RuleType -BackendHttpSettingsId $reqRoutingRule.BackendHttpSettings.Id -HttpListenerId $reqRoutingRule.HttpListener.Id -BackendAddressPoolId $reqRoutingRule.BackendAddressPool.Id -RewriteRuleSetId $rewriteRuleSet.Id
+Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $appgw -Name $rewriteRuleSet.Name -RewriteRule $rewriteRuleSet.RewriteRules
+Set-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name $reqRoutingRule.Name -RuleType $reqRoutingRule.RuleType -BackendHttpSettingsId $reqRoutingRule.BackendHttpSettings.Id -HttpListenerId $reqRoutingRule.HttpListener.Id -BackendAddressPoolId $reqRoutingRule.BackendAddressPool.Id -RewriteRuleSetId $rewriteRuleSet.Id
Set-AzApplicationGateway -ApplicationGateway $appgw ```
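Review bot: the added paragraph needs a wording pass: "the rewrite set would be associated instantly against a basic routing rule" reads better as "the rewrite set is applied immediately to a basic routing rule", and "enabled either via checking the paths on which it needs to be applied via portal" as "enabled either by selecting the paths it should apply to in the portal". It also says a path-based rule needs a URL path map config that names the RewriteRuleSet per path, but the `Set-AzApplicationGatewayRequestRoutingRule` call below is the basic-rule form with no path-map parameter; either state that this snippet is for basic rules only or point to the path-map variant so the paragraph and the code agree. Using `$rewriteRuleSet.Name` and `$reqRoutingRule.Name` instead of the hard-coded names is a good change.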
application-gateway Application Gateway Backend Health Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-backend-health-troubleshooting.md
here:
| **Error** | **Actions** | | | |
-| Probe status code mismatch: Received 401 | Check whether the backend server requires authentication. Application Gateway probes can't pass credentials for authentication. Either allow \"HTTP 401\" in a probe status code match or probe to a path where the server doesn't require authentication. | |
-| Probe status code mismatch: Received 403 | Access forbidden. Check whether access to the path is allowed on the backend server. | |
-| Probe status code mismatch: Received 404 | Page not found. Check whether the host name path is accessible on the backend server. Change the host name or path parameter to an accessible value. | |
-| Probe status code mismatch: Received 405 | The probe requests for Application Gateway use the HTTP GET method. Check whether your server allows this method. | |
-| Probe status code mismatch: Received 500 | Internal server error. Check the backend server's health and whether the services are running. | |
-| Probe status code mismatch: Received 503 | Service unavailable. Check the backend server's health and whether the services are running. | |
+| Probe status code mismatch: Received 401 | Check whether the backend server requires authentication. Application Gateway probes can't pass credentials for authentication. Either allow \"HTTP 401\" in a probe status code match or probe to a path where the server doesn't require authentication. |
+| Probe status code mismatch: Received 403 | Access forbidden. Check whether access to the path is allowed on the backend server. |
+| Probe status code mismatch: Received 404 | Page not found. Check whether the host name path is accessible on the backend server. Change the host name or path parameter to an accessible value. |
+| Probe status code mismatch: Received 405 | The probe requests for Application Gateway use the HTTP GET method. Check whether your server allows this method. |
+| Probe status code mismatch: Received 500 | Internal server error. Check the backend server's health and whether the services are running. |
+| Probe status code mismatch: Received 503 | Service unavailable. Check the backend server's health and whether the services are running. |
Or, if you think the response is legitimate and you want Application Gateway to accept other status codes as Healthy, you can create a custom probe. This approach is useful in situations where the backend website needs authentication. Because the probe requests don't carry any user credentials, they will fail, and an HTTP 401 status code will be returned by the backend server.
attestation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/policy-reference.md
Title: Built-in policy definitions for Azure Attestation description: Lists Azure Policy built-in policy definitions for Azure Attestation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
automation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/policy-reference.md
Title: Built-in policy definitions for Azure Automation description: Lists Azure Policy built-in policy definitions for Azure Automation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
automation Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-app-configuration Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/policy-reference.md
Title: Built-in policy definitions for Azure App Configuration description: Lists Azure Policy built-in policy definitions for Azure App Configuration. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-app-configuration Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Configuration description: Lists Azure Policy Regulatory Compliance controls available for Azure App Configuration. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-arc Managed Instance Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-features.md
Azure Arc enabled SQL Managed Instance share a common code base with the latest
| Feature | Azure Arc enabled SQL Managed Instance | |--|--| | JSON | Yes |
-| Query Store | Yes | |
-| Temporal | Yes | |
-| Native XML support | Yes | |
-| XML indexing | Yes | |
-| MERGE & UPSERT capabilities | Yes | |
-| Date and Time datatypes | Yes | |
-| Internationalization support | Yes | |
+| Query Store | Yes |
+| Temporal | Yes |
+| Native XML support | Yes |
+| XML indexing | Yes |
+| MERGE & UPSERT capabilities | Yes |
+| Date and Time datatypes | Yes |
+| Internationalization support | Yes |
| Full-text and semantic search | No |
-| Specification of language in query | Yes | |
-| Service Broker (messaging) | Yes | |
-| Transact-SQL endpoints | Yes | |
-| Graph | Yes | |
-| Machine Learning Services | No | |
+| Specification of language in query | Yes |
+| Service Broker (messaging) | Yes |
+| Transact-SQL endpoints | Yes |
+| Graph | Yes |
+| Machine Learning Services | No |
| PolyBase | No |
The following features and services are not available for Azure Arc enabled SQL
| **High Availability** | Database mirroring | | **Security** | Extensible Key Management | | &nbsp; | AD Authentication for Linked Servers |
-| &nbsp; | AD Authentication for Availability Groups (AGs) |
+| &nbsp; | AD Authentication for Availability Groups (AGs) |
azure-arc Sizing Guidance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/sizing-guidance.md
Each SQL managed instance pod that is created has three containers:
|Container name|CPU Request|Memory Request|CPU Limit|Memory Limit|Notes| |||||||
-|fluentbit|100m|100Mi|Not specified|Not specified|The fluentbit container resource requests are _in addition to_ the requests specified for the SQL managed instance.||
-|arc-sqlmi|User specified or not specified.|User specified or not specified.|User specified or not specified.|User specified or not specified.||
-|collectd|Not specified|Not specified|Not specified|Not specified||
+|fluentbit|100m|100Mi|Not specified|Not specified|The fluentbit container resource requests are _in addition to_ the requests specified for the SQL managed instance.|
+|arc-sqlmi|User specified or not specified.|User specified or not specified.|User specified or not specified.|User specified or not specified.|
+|collectd|Not specified|Not specified|Not specified|Not specified|
The default volume size for all persistent volumes is 5Gi.
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/policy-reference.md
Title: Built-in policy definitions for Azure Arc enabled Kubernetes description: Lists Azure Policy built-in policy definitions for Azure Arc enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021 #
azure-arc Tutorial Gitops Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/tutorial-gitops-ci-cd.md
This tutorial assumes familiarity with Azure DevOps, Azure Repos and Pipelines,
## Import application and GitOps repos into Azure Repos
-Import an [application repo](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-cicd#application-repo) and a [GitOps repo](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-cicd#gitops-repo) into Azure Repos. For this tutorial, use the following example repos:
+Import an [application repo](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-ci-cd#application-repo) and a [GitOps repo](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-ci-cd#gitops-repo) into Azure Repos. For this tutorial, use the following example repos:
* **arc-cicd-demo-src** application repo * URL: https://github.com/Azure/arc-cicd-demo-src
In this tutorial, you have set up a full CI/CD workflow that implements DevOps f
Advance to our conceptual article to learn more about GitOps and configurations with Azure Arc enabled Kubernetes. > [!div class="nextstepaction"]
-> [CI/CD Workflow using GitOps - Azure Arc enabled Kubernetes](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-cicd)
+> [CI/CD Workflow using GitOps - Azure Arc enabled Kubernetes](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-ci-cd)
azure-arc Agent Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/agent-release-notes.md
Title: What's new with Azure Arc enabled servers agent description: This article has release notes for Azure Arc enabled servers agent. For many of the summarized issues, there are links to more details. Previously updated : 03/15/2021 Last updated : 03/31/2021 # What's new with Azure Arc enabled servers agent
Version 1.4
## New feature -- Added support for private endpoints.
+- Added support for private endpoints, which is currently in limited preview.
- Expanded list of exit codes for azcmagent.-- Agent configuration parameters can now be read from a file with the --config parameter.
+- Agent configuration parameters can now be read from a file with the `--config` parameter.
## Fixed
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/policy-reference.md
Title: Built-in policy definitions for Azure Arc enabled servers description: Lists Azure Policy built-in policy definitions for Azure Arc enabled servers (preview). These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-arc Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Arc enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-cache-for-redis Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/policy-reference.md
Title: Built-in policy definitions for Azure Cache for Redis description: Lists Azure Policy built-in policy definitions for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-cache-for-redis Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-functions Dotnet Isolated Process Developer Howtos https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/dotnet-isolated-process-developer-howtos.md
At this point, you can run the `func start` command from the root of your projec
1. Into your browser's address bar, type your local function URL, which looks like the following, and run the request.
- <http://localhost:7071/api/HttpExample>
+ `http://localhost:7071/api/HttpExample`
You should see trace output from the request written to the running terminal. Code execution stops at any break points you set in your function code.
azure-functions Durable Functions Unit Testing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/durable/durable-functions-unit-testing.md
The examples in this article require knowledge of the following concepts and fra
Mocking is supported via the following interface:
-* [IDurableOrchestrationClient](/dotnet/api/microsoft.azure.webjobs.IDurableOrchestrationClient), [IDurableEntityClient](/dotnet/api/microsoft.azure.webjobs.IDurableEntityClient) and [IDurableClient](/dotnet/api/microsoft.azure.webjobs.IDurableClient)
+* [IDurableOrchestrationClient](/dotnet/api/microsoft.azure.webjobs.extensions.durabletask.idurableorchestrationclient), [IDurableEntityClient](/dotnet/api/microsoft.azure.webjobs.extensions.durabletask.idurableentityclient) and [IDurableClient](/dotnet/api/microsoft.azure.webjobs.extensions.durabletask.idurableclient)
-* [IDurableOrchestrationContext](/dotnet/api/microsoft.azure.webjobs.IDurableOrchestrationContext)
+* [IDurableOrchestrationContext](/dotnet/api/microsoft.azure.webjobs.extensions.durabletask.idurableorchestrationcontext)
-* [IDurableActivityContext](/dotnet/api/microsoft.azure.webjobs.IDurableActivityContext)
+* [IDurableActivityContext](/dotnet/api/microsoft.azure.webjobs.extensions.durabletask.idurableactivitycontext)
-* [IDurableEntityContext](/dotnet/api/microsoft.azure.webjobs.IDurableEntityContext)
+* [IDurableEntityContext](/dotnet/api/microsoft.azure.webjobs.extensions.durabletask.idurableentitycontext)
These interfaces can be used with the various trigger and bindings supported by Durable Functions. When executing your Azure Functions, the functions runtime will run your function code with a concrete implementation of these interfaces. For unit testing, you can pass in a mocked version of these interfaces to test your business logic.
azure-functions Functions Create Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-create-vnet.md
Create the private endpoints for Azure Files storage and Azure Blob Storage by u
| Setting | Suggested value | Description | | | - | - | | **Subscription** | Your subscription | The subscription under which your resources are created. |
- | **[Resource group](../azure-resource-manager/management/overview.md)** | myResourceGroup | Choose the resource group you created with your function app. | |
+ | **[Resource group](../azure-resource-manager/management/overview.md)** | myResourceGroup | Choose the resource group you created with your function app. |
| **Name** | file-endpoint | The name of the private endpoint for files from your storage account. | | **[Region](https://azure.microsoft.com/regions/)** | myFunctionRegion | Choose the region where you created your storage account. |
Use the following links to learn more about the available networking features:
> [!div class="nextstepaction"]
-> [Azure Functions Premium plan](./functions-premium-plan.md)
+> [Azure Functions Premium plan](./functions-premium-plan.md)
azure-functions Functions Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-reference-powershell.md
Logging in PowerShell functions works like regular PowerShell logging. You can u
| - | -- | | Error | **`Write-Error`** | | Warning | **`Write-Warning`** |
-| Information | **`Write-Information`** <br/> **`Write-Host`** <br /> **`Write-Output`** | Information | Writes to _Information_ level logging. |
+| Information | **`Write-Information`** <br/> **`Write-Host`** <br /> **`Write-Output`** <br/> Writes to _Information_ level logging. |
| Debug | **`Write-Debug`** | | Trace | **`Write-Progress`** <br /> **`Write-Verbose`** |
For more information, see the following resources:
* [Azure Functions developer reference](functions-reference.md) * [Azure Functions triggers and bindings](functions-triggers-bindings.md)
-[host.json reference]: functions-host-json.md
+[host.json reference]: functions-host-json.md
azure-functions Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/start-stop-vms/deploy.md
+
+ Title: Deploy Start/Stop VMs v2 (preview)
+description: This article tells how to deploy the Start/Stop VMs v2 (preview) feature for your Azure VMs in your Azure subscription.
++ Last updated : 03/29/2021+++
+# Deploy Start/Stop VMs v2 (preview)
+
+Perform the steps in this topic in sequence to install the Start/Stop VMs v2 (preview) feature. After completing the setup process, configure the schedules to customize it to your requirements.
+
+## Deploy feature
+
+The deployment is initiated from the Start/Stop VMs v2 GitHub organization [here](https://github.com/microsoft/startstopv2-deployments/blob/main/README.md). While this feature is intended to manage all of your VMs in your subscription across all resource groups from a single deployment within the subscription, you can install another instance of it based on the operations model or requirements of your organization. It also can be configured to centrally manage VMs across multiple subscriptions.
+
+To simplify management and removal, we recommend you deploy Start/Stop VMs v2 (preview) to a dedicated resource group.
+
+> [!NOTE]
+> Currently this preview does not support specifying an existing Storage account or Application Insights resource.
+
+1. Open your browser and navigate to the Start/Stop VMs v2 [GitHub organization](https://github.com/microsoft/startstopv2-deployments/blob/main/README.md).
+1. Select the deployment option based on the Azure cloud environment your Azure VMs are created in. This will open the custom Azure Resource Manager deployment page in the Azure portal.
+1. If prompted, sign in to the [Azure portal](https://portal.azure.com).
+1. Enter the following values:
+
+ |Name |Value |
+ |--||
+ |Region |Select a region near you for new resources.|
+ |Resource Group Name |Specify the resource group name that will contain the individual resources for Start/Stop VMs. |
+ |Resource Group Region |Specify the region for the resource group. For example, **Central US**.|
+ |Azure Function App Name |Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. |
+ |Application Insights Name |Specify the name of your Application Insights instance that will hold the analytics for Start/Stop VMs. |
+ |Application Insights Region |Specify the region for the Application Insights instance.|
+ |Storage Account Name |Specify the name of the Azure Storage account to store Start/Stop VMs execution telemetry. |
+ |Email Address |Specify one or more email addresses to receive status notifications, separated by a comma (,).|
+
+ :::image type="content" source="media/deploy/deployment-template-details.png" alt-text="Start/Stop VMs template deployment configuration":::
+
+1. Select **Review + create** on the bottom of the page.
+1. Select **Create** to start the deployment.
+1. Select the bell icon (notifications) from the top of the screen to see the deployment status. You shall see **Deployment in progress**. Wait until the deployment is completed.
+1. Select **Go to resource group** from the notification pane. You shall see a screen similar to:
+
+ :::image type="content" source="media/deploy/deployment-results-resource-list.png" alt-text="Start/Stop VMs template deployment resource list":::
+
+## Enable multiple subscriptions
+
+After the Start/Stop deployment completes, perform the following steps to enable Start/Stop VMs v2 (preview) to take action across multiple subscriptions.
+
+1. Copy the value for the Azure Function App Name that you specified during the deployment.
+
+1. In the portal, navigate to your secondary subscription. Select the subscription, and then select **Access Control (IAM)**
+
+1. Select **Add** and then select **Add role assignment**.
+
+1. Select the **Contributor** role from the **Role** drop down list.
+
+1. Enter the Azure Function Application Name in the **Select** field. Select the function name in the results.
+
+1. Select **Save** to commit your changes.
+
+## Configure schedules overview
+
+To manage the automation method to control the start and stop of your VMs, you configure one or more of the included logic apps based on your requirements.
+
+- Scheduled - Start and stop actions are based on a schedule you specify against Azure Resource Manager and classic VMs.**ststv2_vms_Scheduled_start** and **ststv2_vms_Scheduled_stop** configure the scheduled start and stop.
+
+- Sequenced - Start and stop actions are based on a schedule targeting VMs with pre-defined sequencing tags. Only two named tags are supported - **sequencestart** and **sequencestop**. **ststv2_vms_Sequenced_start** and **ststv2_vms_Sequenced_stop** configure the sequenced start and stop.
+
+ > [!NOTE]
+ > This scenario only supports Azure Resource Manager VMs.
+
+- AutoStop - This functionality is only used for performing a stop action against both Azure Resource Manager and classic VMs based on its CPU utilization. It can also be a scheduled-based *take action*, which creates alerts on VMs and based on the condition, the alert is triggered to perform the stop action.**ststv2_vms_AutoStop** configures the auto-stop functionality.
+
+If you need additional schedules, you can duplicate one of the Logic Apps provided using the **Clone** option in the Azure portal.
++
+## Scheduled start and stop scenario
+
+Perform the following steps to configure the scheduled start and stop action for Azure Resource Manager and classic VMs. For example, you can configure the **ststv2_vms_Scheduled_start** schedule to start them in the morning when you are in the office, and stop all VMs across a subscription when you leave work in the evening based on the **ststv2_vms_Scheduled_stop** schedule.
+
+Configuring the logic app to just start the VMs is supported.
+
+For each scenario, you can target the action against one or more subscriptions, single or multiple resource groups, and specify one or more VMs in an inclusion or exclusion list. You cannot specify them together in the same logic app.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) and then navigate to **Logic apps**.
+
+1. From the list of Logic apps, to configure scheduled start, select **ststv2_vms_Scheduled_start**. To configure scheduled stop, select **ststv2_vms_Scheduled_stop**.
+
+1. Select **Logic app designer** from the left-hand pane.
+
+1. After Logic App Designer appears, in the designer pane, select **Recurrence** to configure the logic app schedule. To learn about the specific recurrence options, see [Schedule recurring task](../../connectors/connectors-native-recurrence.md#add-the-recurrence-trigger).
+
+ :::image type="content" source="media/deploy/schedule-recurrence-property.png" alt-text="Configure the recurrence frequency for logic app":::
+
+1. In the designer pane, select **Function-Try** to configure the target settings. In the request body, if you want to manage VMs across all resource groups in the subscription, modify the request body as shown in the following example.
+
+ ```json
+ {
+ "Action": "start",
+ "EnableClassic": false,
+ "RequestScopes": {
+ "ExcludedVMLists": [],
+ "Subscriptions": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/"
+ ]
+ }
+ }
+ ```
+
+ Specify multiple subscriptions in the `subscriptions` array with each value separated by a comma as in the following example.
+
+ ```json
+ "Subscriptions": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/",
+ "/subscriptions/11111111-0000-1111-2222-444444444444/"
+ ]
+ ```
+
+ In the request body, if you want to manage VMs for specific resource groups, modify the request body as shown in the following example. Each resource path specified must be separated by a comma. You can specify one resource group or more if required.
+
+ This example also demonstrates excluding a virtual machine. You can exclude the VM by specifying the VMs resource path or by wildcard.
+
+ ```json
+ {
+ "Action": "start",
+ "EnableClassic": false,
+ "RequestScopes": {
+ "ResourceGroups": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/resourceGroups/rg1/",
+ "/subscriptions/11111111-0000-1111-2222-444444444444/resourceGroups/rg2/"
+ ],
+ "ExcludedVMLists": [
+ "/subscriptions/12345678-1111-2222-3333-1234567891234/resourceGroups/vmrg1/providers/Microsoft.Compute/virtualMachines/vm1"
+ ]
+ }
+ }
+ ```
+
+ Here the action will be performed on all the VMs except on the VM name starts with Az and Bz in both subscriptions.
+
+ ```json
+ {
+ "Action": "start",
+ "EnableClassic": false,
+ "RequestScopes": {
+ "ExcludedVMLists": [ΓÇ£Az*ΓÇ¥,ΓÇ£Bz*ΓÇ¥],
+ "Subscriptions": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/",
+ "/subscriptions/11111111-0000-1111-2222-444444444444/"
+
+ ]
+ }
+ }
+ ```
+
+ In the request body, if you want to manage a specific set of VMs within the subscription, modify the request body as shown in the following example. Each resource path specified must be separated by a comma. You can specify one VM if required.
+
+ ```json
+ {
+ "Action": "start",
+ "EnableClassic": true,
+ "RequestScopes": {
+ "ExcludedVMLists": [],
+ "VMLists": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
+ "/subscriptions/12345678-1234-5678-1234-123456781234/resourceGroups/rg3/providers/Microsoft.Compute/virtualMachines/vm2",
+ "/subscriptions/11111111-0000-1111-2222-444444444444/resourceGroups/rg2/providers/Microsoft.ClassicCompute/virtualMachines/vm30"
+
+ ]
+ }
+ ```
+
+## Sequenced start and stop scenario
+
+In an environment that includes two or more components on multiple Azure Resource Manager VMs in a distributed application architecture, supporting the sequence in which components are started and stopped in order is important.
+
+1. From the list of Logic apps, to configure sequenced start, select **ststv2_vms_Sequenced_start**. To configure sequenced stop, select **ststv2_vms_Sequenced_stop**.
+
+1. Select **Logic app designer** from the left-hand pane.
+
+1. After Logic App Designer appears, in the designer pane, select **Recurrence** to configure the logic app schedule. To learn about the specific recurrence options, see [Schedule recurring task](../../connectors/connectors-native-recurrence.md#add-the-recurrence-trigger).
+
+ :::image type="content" source="media/deploy/schedule-recurrence-property.png" alt-text="Configure the recurrence frequency for logic app":::
+
+1. In the designer pane, select **Function-Try** to configure the target settings. In the request body, if you want to manage VMs across all resource groups in the subscription, modify the request body as shown in the following example.
+
+ ```json
+ {
+ "Action": "start",
+ "EnableClassic": false,
+ "RequestScopes": {
+ "ExcludedVMLists": [],
+ "Subscriptions": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/"
+ ]
+ },
+ "Sequenced": true
+ }
+ ```
+
+ Specify multiple subscriptions in the `subscriptions` array with each value separated by a comma as in the following example.
+
+ ```json
+ "Subscriptions": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/",
+ "/subscriptions/11111111-0000-1111-2222-444444444444/"
+ ]
+ ```
+
+ In the request body, if you want to manage VMs for specific resource groups, modify the request body as shown in the following example. Each resource path specified must be separated by a comma. You can specify one resource group if required.
+
+ This example also demonstrates excluding a virtual machine by its resource path compared to the example for scheduled start/stop, which used wildcards.
+
+ ```json
+ {
+ "Action": "start",
+ "EnableClassic": false,
+ "RequestScopes": {
+ "ResourceGroups": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/resourceGroups/rg1/",
+ "/subscriptions/11111111-0000-1111-2222-444444444444/resourceGroups/rg2/"
+ ],
+ "ExcludedVMLists": [
+ "/subscriptions/12345678-1111-2222-3333-1234567891234/resourceGroups/vmrg1/providers/Microsoft.Compute/virtualMachines/vm1"
+ ]
+ },
+ "Sequenced": true
+ }
+ ```
+
+ In the request body, if you want to manage a specific set of VMs within a subscription, modify the request body as shown in the following example. Each resource path specified must be separated by a comma. You can specify one VM if required.
+
+ ```json
+ {
+ "Action": "start",
+ "EnableClassic": true,
+ "RequestScopes": {
+ "ExcludedVMLists": [],
+ "VMLists": [
+ "/subscriptions/12345678-1234-5678-1234-123456781234/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
+ "/subscriptions/12345678-1234-5678-1234-123456781234/resourceGroups/rg2/providers/Microsoft.ClassicCompute/virtualMachines/vm2",
+ "/subscriptions/11111111-0000-1111-2222-444444444444/resourceGroups/rg2/providers/Microsoft.ClassicCompute/virtualMachines/vm30"
+ ]
+ },
+ "Sequenced": true
+ }
+ ```
+
+## Auto stop scenario
+
+Start/Stop VMs v2 (preview) can help manage the cost of running Azure Resource Manager and classic VMs in your subscription by evaluating machines that aren't used during non-peak periods, such as after hours, and automatically shutting them down if processor utilization is less than a specified percentage.
+
+The following metric alert properties in the request body support customization:
+
+- AutoStop_MetricName
+- AutoStop_Condition
+- AutoStop_Threshold
+- AutoStop_Description
+- AutoStop_Frequency
+- AutoStop_Severity
+- AutoStop_Threshold
+- AutoStop_TimeAggregationOperator
+- AutoStop_TimeWindow
+
+To learn more about how Azure Monitor metric alerts work and how to configure them see [Metric alerts in Azure Monitor](../../azure-monitor/alerts/alerts-metric-overview.md).
+
+1. From the list of Logic apps, to configure auto stop, select **ststv2_vms_AutoStop**.
+
+1. Select **Logic app designer** from the left-hand pane.
+
+1. After Logic App Designer appears, in the designer pane, select **Recurrence** to configure the logic app schedule. To learn about the specific recurrence options, see [Schedule recurring task](../../connectors/connectors-native-recurrence.md#add-the-recurrence-trigger).
+
+ :::image type="content" source="media/deploy/schedule-recurrence-property.png" alt-text="Configure the recurrence frequency for logic app":::
+
+1. In the designer pane, select **Function-Try** to configure the target settings. In the request body, if you want to manage VMs across all resource groups in the subscription, modify the request body as shown in the following example.
+
+ ```json
+ {
+ "Action": "stop",
+ "EnableClassic": false,
+ "AutoStop_MetricName": "Percentage CPU",
+ "AutoStop_Condition": "LessThan",
+ "AutoStop_Description": "Alert to stop the VM if the CPU % exceed the threshold",
+ "AutoStop_Frequency": "00:05:00",
+ "AutoStop_Severity": "2",
+ "AutoStop_Threshold": "5",
+ "AutoStop_TimeAggregationOperator": "Average",
+ "AutoStop_TimeWindow": "06:00:00",
+ "RequestScopes":{
+ "Subscriptions":[
+ "/subscriptions/12345678-1111-2222-3333-1234567891234/",
+ "/subscriptions/12345678-2222-4444-5555-1234567891234/"
+ ],
+ "ExcludedVMLists":[]
+ }
+ }
+ ```
+
+ In the request body, if you want to manage VMs for specific resource groups, modify the request body as shown in the following example. Each resource path specified must be separated by a comma. You can specify one resource group if required.
+
+ ```json
+ {
+ "Action": "stop",
+ "AutoStop_Condition": "LessThan",
+ "AutoStop_Description": "Alert to stop the VM if the CPU % exceed the threshold",
+ "AutoStop_Frequency": "00:05:00",
+ "AutoStop_MetricName": "Percentage CPU",
+ "AutoStop_Severity": "2",
+ "AutoStop_Threshold": "5",
+ "AutoStop_TimeAggregationOperator": "Average",
+ "AutoStop_TimeWindow": "06:00:00",
+ "EnableClassic": true,
+ "RequestScopes": {
+ "ExcludedVMLists": [],
+ "ResourceGroups": [
+ "/subscriptions/12345678-1111-2222-3333-1234567891234/resourceGroups/vmrg1/",
+ "/subscriptions/12345678-1111-2222-3333-1234567891234/resourceGroupsvmrg2/",
+ "/subscriptions/12345678-2222-4444-5555-1234567891234/resourceGroups/VMHostingRG/"
+ ]
+ }
+ }
+ ```
+
+ In the request body, if you want to manage a specific set of VMs within the subscription, modify the request body as shown in the following example. Each resource path specified must be separated by a comma. You can specify one VM if required.
+
+ ```json
+ {
+ "Action": "stop",
+ "AutoStop_Condition": "LessThan",
+ "AutoStop_Description": "Alert to stop the VM if the CPU % exceed the threshold",
+ "AutoStop_Frequency": "00:05:00",
+ "AutoStop_MetricName": "Percentage CPU",
+ "AutoStop_Severity": "2",
+ "AutoStop_Threshold": "5",
+ "AutoStop_TimeAggregationOperator": "Average",
+ "AutoStop_TimeWindow": "06:00:00",
+ "EnableClassic": true,
+ "RequestScopes": {
+ "ExcludedVMLists": [],
+ "VMLists": [
+ "/subscriptions/12345678-1111-2222-3333-1234567891234/resourceGroups/rg3/providers/Microsoft.ClassicCompute/virtualMachines/Clasyvm11",
+ "/subscriptions/12345678-1111-2222-3333-1234567891234/resourceGroups/vmrg1/providers/Microsoft.Compute/virtualMachines/vm1"
+ ]
+ }
+ }
+ ```
+
+## Next steps
+
+To learn how to monitor status of your Azure VMs managed by the Start/Stop VMs v2 (preview) feature and perform other management tasks, see the [Manage Start/Stop VMs](manage.md) article.
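Review bot: two of the request-body examples in this hunk are not valid JSON and will fail if a reader pastes them into the Function-Try body. In the wildcard exclusion example, `"ExcludedVMLists": [ΓÇ£Az*ΓÇ¥,ΓÇ£Bz*ΓÇ¥],` uses typographic quotes (mis-encoded here as ΓÇ£ / ΓÇ¥) instead of ASCII double quotes; it should read `"ExcludedVMLists": ["Az*", "Bz*"],`. In the scheduled VMLists example (the one with `"EnableClassic": true` and three entries in `"VMLists"`), the outer object is never closed: the block ends with `]` and `}` for `RequestScopes` but lacks the final `}` that the equivalent sequenced example has. Further down, the auto-stop resource-group example contains `/resourceGroupsvmrg2/`, which is missing the slash after `resourceGroups` and will not match any resource group. The property list under "Auto stop scenario" lists `AutoStop_Threshold` twice. Each `AutoStop_Description` reads "stop the VM if the CPU % exceed the threshold" while `AutoStop_Condition` is `LessThan`; the description should say the CPU percentage falls below the threshold. The surrounding prose refers to the `subscriptions` array in lowercase while the key is `Subscriptions`, and "VMs.**ststv2_vms_Scheduled_start**" is missing a space. Finally, the "Enable multiple subscriptions" steps grant the function app **Contributor** on each secondary subscription; since the identity only needs to start and stop VMs, the doc should state whether a narrower built-in role (for example Virtual Machine Contributor) is sufficient, or explain why Contributor is required.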
azure-functions Manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/start-stop-vms/manage.md
+
+ Title: Manage Start/Stop VMs v2 (preview)
+description: This article tells how to monitor status of your Azure VMs managed by the Start/Stop VMs v2 (preview) feature and perform other management tasks.
++ Last updated : 03/16/2021+++
+# How to manage Start/Stop VMs v2 (preview)
+
+## Azure dashboard
+
+Start/Stop VMs v2 (preview) includes a [dashboard](../../azure-monitor/visualizations.md#azure-dashboards) to help you understand the management scope and recent operations against your VMs. It is a quick and easy way to verify the status of each operation thatΓÇÖs performed on your Azure VMs. The visualization in each tile is based on a Log query and to see the query, select the **Open in logs blade** option in the right-hand corner of the tile. This opens the [Log Analytics](../../azure-monitor/logs/log-analytics-overview.md#starting-log-analytics) tool in the Azure portal, and from here you can evaluate the query and modify to support your needs, such as custom [log alerts](../../azure-monitor/alerts/alerts-log.md), a custom [workbook](../../azure-monitor/visualize/workbooks-overview.md), etc.
+
+The log data each tile in the dashboard displays is refreshed every hour, with a manual refresh option on demand by clicking the **Refresh** icon on a given visualization, or by refreshing the full dashboard.
+
+To learn about working with a log-based dashboard, see the following [tutorial](../../azure-monitor/visualize/tutorial-logs-dashboards.md).
+
+## Configure email notifications
+
+To change email notifications after Start/Stop VMs v2 (preview) is deployed, you can modify the action group created during deployment.
+
+1. In the Azure portal, navigate to **Monitor**, then **Alerts**. Select **Manage actions**.
+
+1. On the **Manage actions** page, select the action group called **StartStopV2_VM_Notication**.
+
+ :::image type="content" source="media/manage/alerts-action-groups.png" alt-text="Screenshot of the Action groups page.":::
+
+1. On the **StartStopV2_VM_Notification** page, you can modify the Email/SMS/Push/Voice notification options. Add other actions or update your existing configuration to this action group and then click **OK** to save your changes.
+
+ :::image type="content" source="media/manage/email-notification-type-example.png" alt-text="Screenshot of the Email/SMS/Push/Voice page showing an example email address updated.":::
+
+ To learn more about action groups, see [action groups](../../azure-monitor/alerts/action-groups.md)
+
+The following screenshot is an example email that is sent when the feature shuts down virtual machines.
++
+## Next steps
+
+To handle problems during VM management, see [Troubleshoot Start/Stop VMs v2](troubleshoot.md) (preview) issues.
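Review bot: the action group is named inconsistently within this hunk. The step "select the action group called **StartStopV2_VM_Notication**" drops a letter, while the next step refers to the **StartStopV2_VM_Notification** page; the two should match the name the deployment actually creates. The sentence "The following screenshot is an example email that is sent when the feature shuts down virtual machines." is followed only by an empty `+` line, so the promised image is missing; either add the `:::image` directive or drop the sentence. The dashboard paragraph also carries a mis-encoded apostrophe in "thatΓÇÖs", and the action-groups link sentence lacks a terminating period.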
azure-functions Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/start-stop-vms/overview.md
+
+ Title: Start/Stop VMs v2 (preview) overview
+description: This article describes version two of the Start/Stop VMs (preview) feature, which starts or stops Azure Resource Manager and classic VMs on a schedule.
+++ Last updated : 03/29/2021++
+# Start/Stop VMs v2 (preview) overview
+
+The Start/Stop VMs v2 (preview) feature starts or stops Azure virtual machines (VMs) across multiple subscriptions. It starts or stops Azure VMs on user-defined schedules, provides insights through [Azure Application Insights](../../azure-monitor/app/app-insights-overview.md), and send optional notifications by using [action groups](../../azure-monitor/alerts/action-groups.md). The feature can manage both Azure Resource Manager VMs and classic VMs for most scenarios.
+
+This new version of Start/Stop VMs v2 (preview) provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the [original version](../../automation/automation-solution-vm-management.md) available with Azure Automation, but it is designed to take advantage of newer technology in Azure.
+
+## Overview
+
+Start/Stop VMs v2 (preview) is redesigned and it doesn't depend on Azure Automation or Azure Monitor Logs, as required by the [previous version](../../automation/automation-solution-vm-management.md). This version relies on [Azure Functions](../../azure-functions/functions-overview.md) to handle the VM start and stop execution.
+
+A managed identity is created in Azure Active Directory (Azure AD) for this Azure Functions application and allows Start/Stop VMs v2 (preview) to easily access other Azure AD-protected resources, such as the logic apps and Azure VMs. For more about managed identities in Azure AD, see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).
+
+An HTTP trigger endpoint function is created to support the schedule and sequence scenarios included with the feature, as shown in the following table.
+
+|Name |Trigger |Description |
+|--|--||
+|AlertAvailabilityTest |Timer |This function is performs the availability test to make sure the primary function **AutoStopVM** is always available.|
+|AutoStop |HTTP |This function supports the **AutoStop** scenario, which is the entry point function that is called from Logic App.|
+|AutoStopAvailabilityTest |Timer |This function performs the availability test to make sure the primary function **AutoStop** is always available.|
+|AutoStopVM |HTTP |This function is triggered automatically by the VM alert when the alert condition is true.|
+|CreateAutoStopAlertExecutor |Queue |This function gets the payload information from the **AutoStop** function to create the alert on the VM.|
+|Scheduled |HTTP |This function is for both scheduled and sequenced scenario (differentiated by the payload schema). It is the entry point function called from the Logic App and takes the payload to process the VM start or stop operation. |
+|ScheduledAvailabilityTest |Timer |This function performs the availability test to make sure the primary function **Scheduled** is always available.|
+|VirtualMachineRequestExecutor |Queue |This function performs the actual start and stop operation on the VM.|
+|VirtualMachineRequestOrchestrator |Queue |This function gets the payload information from the **Scheduled** function and orchestrates the VM start and stop requests.|
+
+For example, **Scheduled** HTTP trigger function is used to handle schedule and sequence scenarios. Similarly, **AutoStop** HTTP trigger function handles the auto stop scenario.
+
+The queue-based trigger functions are required in support of this feature. All timer-based triggers are used to perform the availability test and to monitor the health of the system.
+
+ [Azure Logic Apps](../../logic-apps/logic-apps-overview.md) is used to configure and manage the start and stop schedules for the VM take action by calling the function using a JSON payload. By default, during initial deployment it creates a total of five Logic Apps for the following scenarios:
+
+- Scheduled - Start and stop actions are based on a schedule you specify against Azure Resource Manager and classic VMs. **ststv2_vms_Scheduled_start** and **ststv2_vms_Scheduled_stop** configure the scheduled start and stop.
+
+- Sequenced - Start and stop actions are based on a schedule targeting VMs with pre-defined sequencing tags. Only two named tags are supported - **sequencestart** and **sequencestop**. **ststv2_vms_Sequenced_start** and **ststv2_vms_Sequenced_stop** configure the sequenced start and stop.
+
+ > [!NOTE]
+ > This scenario only supports Azure Resource Manager VMs.
+
+- AutoStop - This functionality is only used for performing a stop action against both Azure Resource Manager and classic VMs based on its CPU utilization. It can also be a scheduled-based *take action*, which creates alerts on VMs and based on the condition, the alert is triggered to perform the stop action. **ststv2_vms_AutoStop** configures the auto stop functionality.
+
+Each Start/Stop action supports assignment of one or more subscriptions, resource groups, or a list of VMs.
+
+An Azure Storage account, which is required by Functions, is also used by Start/Stop VMs v2 (preview) for two purposes:
+
+ - Uses Azure Table Storage to store the execution operation metadata (that is, the start/stop VM action).
+
+ - Uses Azure Queue Storage to support the Azure Functions queue-based triggers.
+
+All telemetry data, that is trace logs from the function app execution, is sent to your connected Application Insights instance. You can view the telemetry data stored in Application Insights from a set of pre-defined visualizations presented in a shared [Azure dashboard](../../azure-portal/azure-portal-dashboards.md).
++
+Email notifications are also sent as a result of the actions performed on the VMs.
+
+## New releases
+
+When a new version of Start/Stop VMs v2 (preview) is released, your instance is auto-updated without having to manually redeploy.
+
+## Supported scoping options
+
+### Subscription
+
+Scoping to a subscription can be used when you need to perform the start and stop action on all the VMs in an entire subscription, and you can select multiple subscriptions if necessary.
+
+You can also specify a list of VMs to exclude and it will ignore them from the action. You can also use wildcard characters to specify all the names that simultaneously can be ignored.
+
+### Resource group
+
+Scoping to a resource group can be used when you need to perform the start and stop action on all the VMs by specifying one or more resource group names, and across one or more subscriptions.
+
+You can also specify a list of VMs to exclude and it will ignore them from the action. You can also use wildcard characters to specify all the names that simultaneously can be ignored.
+
+### VMList
+
+Specifying a list of VMs can be used when you need to perform the start and stop action on a specific set of virtual machines, and across multiple subscriptions. This option does not support specifying a list of VMs to exclude.
+
+## Prerequisites
+
+- You must have an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+
+- Your account has been granted the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) permission in the subscription.
+
+- Start/Stop VMs v2 (preview) is available in all Azure global regions that are listed in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=functions) page for Azure Functions. For the Azure Government cloud, it is available only in the US Government Virginia region.
+
+## Next steps
+
+To deploy this feature, see [Deploy Start/Stop VMs](deploy.md) (preview).
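Review bot: the delimiter row of the function table, `|--|--||`, has an empty third cell; Markdown needs a dash run in every column of the delimiter row for the table to render, so it should be `|--|--|--|`. In the same table, the AlertAvailabilityTest row reads "This function is performs the availability test", which should be "This function performs". In the opening paragraph, "and send optional notifications" should be "and sends optional notifications". There is also a stray `+` (an empty added line with a leading plus) between the telemetry paragraph and the email notification sentence that should be a plain blank line.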
azure-functions Remove https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/start-stop-vms/remove.md
+
+ Title: Remove Start/Stop VMs v2 (preview) overview
+description: This article describes how to remove the Start/Stop VMs v2 (preview) feature.
++ Last updated : 03/30/2021+++
+# How to remove Start/Stop VMs v2 (preview)
+
+After you enable the Start/Stop VMs v2 (preview) feature to manage the running state of your Azure VMs, you may decide to stop using it. Removing this feature can be done by deleting the resource group dedicated to store the following resources in support of Start/Stop VMs v2 (preview):
+
+- The Azure Functions applications
+- Schedules in Azure Logic Apps
+- The Application Insights instance
+- Azure Storage account
+
+## Delete the dedicated resource group
+
+To delete the resource group, follow the steps outlined in the [Azure Resource Manager resource group and resource deletion](../../azure-resource-manager/management/delete-resource-group.md) article.
+
+## Next steps
+
+To re-deploy this feature, see [Deploy Start/Stop v2](deploy.md) (preview).
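Review bot: the deletion section should say that removing the dedicated resource group also destroys the Azure Storage account and the Application Insights instance listed above, which hold the feature's per-VM start/stop operation records and execution telemetry, so anyone who keeps that history for audit has to export it before deleting; as written the only stated consequence is that the feature stops. The sentence "Removing this feature can be done by deleting the resource group dedicated to store the following resources" also reads awkwardly (suggest "To remove the feature, delete the resource group that holds the following resources"), and the Next steps link text "Deploy Start/Stop v2" drops "VMs" and puts "(preview)" outside the link, unlike the overview's "Deploy Start/Stop VMs" link.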
azure-functions Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/start-stop-vms/troubleshoot.md
+
+ Title: Troubleshoot Start/Stop VMs (preview)
+description: This article tells how to troubleshoot issues encountered with the Start/Stop VMs (preview) feature for your Azure VMs.
++ Last updated : 03/31/2021+++
+# Troubleshoot common issues with Start/Stop VMs (preview)
+
+This article provides information on troubleshooting and resolving issues that may occur while attempting to install and configure Start/Stop VMs (preview). For general information, see [Start/Stop VMs overview](overview.md).
+
+## General validation and troubleshooting
+
+This section covers how to troubleshoot general issues with the schedules scenarios and help identify the root cause.
+
+### Azure dashboard
+
+You can start by reviewing the Azure shared dashboard. The Azure shared dashboard deployed as part of Start/Stop VMs v2 (preview) is a quick and easy way to verify the status of each operation that's performed on your VMs. Refer to the **Recently attempted actions on VMs** tile to see all the recent operations executed on your VMs. There is some latency, around five minutes, for data to show up in the report as it pulls data from the Application Insights resource.
+
+### Logic Apps
+
+Depending on which Logic Apps you have enabled to support your start/stop scenario, you can review its run history to help identify why the scheduled startup/shutdown scenario did not complete successfully for one or more target VMs. To learn how to review this in detail, see [Logic Apps run history](../../logic-apps/monitor-logic-apps.md#review-runs-history).
+
+### Azure Storage
+
+You can review the details for the operations performed on the VMs that are written to the table **requestsstoretable** in the Azure storage account used for Start/Stop VMs v2 (preview). Perform the following steps to view those records.
+
+1. Navigate to the storage account in the Azure portal and in the account select **Storage Explorer (preview) from the left-hand pane.
+1. Select **TABLES** and then select **requeststoretable**.
+1. Each record in the table represents the start/stop action performed against an Azure VM based on the target scope defined in the logic app scenario. You can filter the results by any one of the record properties (for example, TIMESTAMP, ACTION, or TARGETTOPLEVELRESOURCENAME).
+
+### Azure Functions
+
+You can review the latest invocation details for any of the Azure Functions responsible for the VM start and stop execution. First let's review the execution flow.
+
+The execution flow for both **Scheduled** and **Sequenced** scenario is controlled by the same function. The payload schema is what determines which scenario is performed. For the **Scheduled** scenario, the execution flow is - **Scheduled** HTTP > **VirtualMachineRequestOrchestrator** Queue > **VirtualMachineRequestExecutor** Queue.
+
+From the logic app, the **Scheduled** HTTP function is invoked with Payload schema. Once the **Scheduled** HTTP function receives the request, it sends the information to the **Orchestrator** queue function, which in turn creates several queues for each VM to perform the action.
+
+Perform the following steps to see the invocation details.
+
+1. In the Azure portal, navigate to **Azure Functions**.
+1. Select the Function app for Start/Stop VMs v2 (preview) from the list.
+1. Select **Functions** from the left-hand pane.
+1. In the list, you see several functions associated for each scenario. Select the **Scheduled** HTTP function.
+1. Select **Monitor** from the left-hand pane.
+1. Select the latest execution trace to see the invocation details and the message section for detailed logging.
+1. Repeat the same steps for each function described as part of reviewing the execution flow earlier.
+
+To learn more about monitoring Azure Functions, see [Analyze Azure Functions telemetry in Application Insights](../../azure-functions/analyze-telemetry-data.md).
+
+## Next steps
+
+Learn more about monitoring Azure Functions and logic apps:
+
+* [Monitor Azure Functions](../../azure-functions/functions-monitoring.md).
+
+* [How to configure monitoring for Azure Functions](../../azure-functions/configure-monitoring.md).
+
+* [Monitor logic apps](../../logic-apps/monitor-logic-apps.md).
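Review bot: the storage table name is inconsistent inside the Azure Storage section: the intro says **requestsstoretable** and step 2 says **requeststoretable**, so a reader following the steps will look for a table that does not exist; verify the real name and use it in both places. Step 1 has an unclosed bold marker ("**Storage Explorer (preview) from the left-hand pane") that will mangle the rest of the line. In the Azure Functions section, "both **Scheduled** and **Sequenced** scenario" should be "scenarios", "invoked with Payload schema" should be "invoked with the payload schema", and "creates several queues for each VM" contradicts the flow just described (**VirtualMachineRequestOrchestrator** Queue > **VirtualMachineRequestExecutor** Queue); if the orchestrator enqueues one message per VM onto the executor queue rather than creating queues, say so. Finally, the title and intro say "Start/Stop VMs (preview)" while the body says "Start/Stop VMs v2 (preview)"; use one name.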
azure-government Documentation Government Csp List https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-csp-list.md
Below you can find a list of all the authorized Cloud Solution Providers, AOS-G
|[Secure-24](https://www.secure-24.com)| |[Selex Galileo Inc](http://www.selexgalileo.com/)| |[Sev1Tech](https://www.sev1tech.com/)|
-|[Sevatec Inc.](https://www.sevatec.com/)|.
+|[Sevatec Inc.](https://www.sevatec.com/)|
|[Shadow-Soft, LLC.](https://shadow-soft.com)| |[SHI International Corp](https://www.shi.com)| |[SHR Consulting Group LLC](https://www.shrgroupllc.com)|
azure-maps Migrate From Google Maps Web Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/migrate-from-google-maps-web-services.md
The table shows the Azure Maps service APIs, which have a similar functionality
| Geocoding | [Search](/rest/api/maps/search) | | Places Search | [Search](/rest/api/maps/search) | | Place Autocomplete | [Search](/rest/api/maps/search) |
-| Snap to Road | See [Calculate routes and directions](#calculate-routes-and-directions) section.
-| Speed Limits | See [Reverse geocode a coordinate](#reverse-geocode-a-coordinate) section.
+| Snap to Road | See [Calculate routes and directions](#calculate-routes-and-directions) section. |
+| Speed Limits | See [Reverse geocode a coordinate](#reverse-geocode-a-coordinate) section. |
| Static Map | [Render](/rest/api/maps/render/getmapimage) | | Time Zone | [Time Zone](/rest/api/maps/timezone) |
-| Elevation | [Elevation (Preview)](/rest/api/maps/elevation) | |
+| Elevation | [Elevation (Preview)](/rest/api/maps/elevation) |
The following service APIs aren't currently available in Azure Maps:
azure-maps Routing Coverage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/routing-coverage.md
The following table provides coverage information for Azure Maps routing.
| Rwanda | Γ£ô | | | | Senegal | Γ£ô | | | | Seychelles | Γ£ô | | |
-| South Africa | Γ£ô || Γ£ô | |
+| South Africa | Γ£ô | Γ£ô | |
| Swaziland | Γ£ô | | | | Tanzania | Γ£ô | | | | Togo | Γ£ô | | |
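Review bot: the new South Africa row has one cell fewer than its neighbours and moves the second check mark one column to the left. The surrounding rows have the country name plus four columns, e.g. "| Rwanda | Γ£ô | | | |"; the old row "| South Africa | Γ£ô || Γ£ô | |" also had four columns, the empty `||` being column 2 and the second check mark column 3, whereas the new row "| South Africa | Γ£ô | Γ£ô | |" has three columns with the second check mark in column 2. If the intent was only to put a space inside `||`, the row should be "| South Africa | Γ£ô | | Γ£ô | |". The check marks appear here as "Γ£ô", which is the UTF-8 encoding of ✔ displayed through a legacy code page; worth confirming the file is saved as UTF-8.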
The following table provides coverage information for Azure Maps routing.
## Next steps
-For more information about Azure Maps routing, see the [Routing](/rest/api/maps/route) reference pages.
+For more information about Azure Maps routing, see the [Routing](/rest/api/maps/route) reference pages.
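Review bot: the removed and added lines in this hunk are identical as displayed, so the change is presumably a trailing newline or whitespace fix; fine to keep, but confirm it is not an accidental line-ending change that touches the whole file.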
azure-monitor Agent Linux Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agent-linux-troubleshoot.md
We've seen that a clean re-install of the Agent will fix most issues. In fact th
| Error Code | Meaning | | | |
-| NOT_DEFINED | Because the necessary dependencies are not installed, the auoms auditd plugin will not be installed | Installation of auoms failed, install package auditd. |
+| NOT_DEFINED | Because the necessary dependencies are not installed, the auoms auditd plugin will not be installed. Installation of auoms failed, install package auditd. |
| 2 | Invalid option provided to the shell bundle. Run `sudo sh ./omsagent-*.universal*.sh --help` for usage | | 3 | No option provided to the shell bundle. Run `sudo sh ./omsagent-*.universal*.sh --help` for usage. | | 4 | Invalid package type OR invalid proxy settings; omsagent-*rpm*.sh packages can only be installed on RPM-based systems, and omsagent-*deb*.sh packages can only be installed on Debian-based systems. It is recommend you use the universal installer from the [latest release](../vm/quick-collect-linux-computer.md#install-the-agent-for-linux). Also review to verify your proxy settings. | | 5 | The shell bundle must be executed as root OR there was 403 error returned during onboarding. Run your command using `sudo`. |
-| 6 | Invalid package architecture OR there was error 200 error returned during onboarding; omsagent-*x64.sh packages can only be installed on 64-bit systems, and omsagent-*x86.sh packages can only be installed on 32-bit systems. Download the correct package for your architecture from the [latest release](https://github.com/Microsoft/OMS-Agent-for-Linux/releases/latest). |
+| 6 | Invalid package architecture OR there was error 200 error returned during onboarding; omsagent-\*x64.sh packages can only be installed on 64-bit systems, and omsagent-\*x86.sh packages can only be installed on 32-bit systems. Download the correct package for your architecture from the [latest release](https://github.com/Microsoft/OMS-Agent-for-Linux/releases/latest). |
| 17 | Installation of OMS package failed. Look through the command output for the root failure. | | 18 | Installation of OMSConfig package failed. Look through the command output for the root failure. | | 19 | Installation of OMI package failed. Look through the command output for the root failure. |
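Review bot: escaping the asterisks in row 6 is right, but row 4 of the same table still has the unescaped pairs `omsagent-*rpm*.sh` and `omsagent-*deb*.sh`, which Markdown renders as italics and swallows the asterisks; apply the same `\*` escaping there. Merging the NOT_DEFINED row into two cells fixes the column count, but the result reads as two unrelated statements; suggest "The auoms auditd plugin was not installed because its dependencies are missing. Install the auditd package and rerun the installer." Row 6 also keeps "there was error 200 error returned during onboarding" (duplicated "error") and row 4 keeps "It is recommend you use"; worth fixing while this table is being touched.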
azure-monitor App Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/app-insights-overview.md
Application Insights is aimed at the development team, to help you understand ho
There are plenty of ways to explore your data. Check out these articles:
-| | |
+| Article description | Image |
| | | | [**Smart detection and manual alerts**](./proactive-diagnostics.md)<br/>Set up automatic alerts that adapt to your app's normal patterns of telemetry and trigger when there's something outside the usual pattern. You can also [set alerts](../alerts/alerts-log.md) on particular levels of custom or standard metrics. |![Alert sample](./media/app-insights-overview/alerts-tn.png) | | [**Application map**](./app-map.md)<br/>Explore the components of your app, with key metrics and alerts. |![Application map](./media/app-insights-overview/appmap-tn.png) |
azure-monitor Pricing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/pricing.md
Previously updated : 2/7/2021 Last updated : 3/30/2021 -+ # Manage usage and costs for Application Insights
If you have questions about how pricing works for Application Insights, you can
## Pricing model
-The pricing for [Azure Application Insights][start] is a **Pay-As-You-Go** model based on data volume ingested and optionally for longer data retention. Each Application Insights resource is charged as a separate service and contributes to the bill for your Azure subscription. Data volume is measured as the size of the uncompressed JSON data package that's received by Application Insights from your application. There is no data volume charge for using the [Live Metrics Stream](./live-stream.md).
+The pricing for [Azure Application Insights][start] is a **Pay-As-You-Go** model based on data volume ingested and optionally for longer data retention. Each Application Insights resource is charged as a separate service and contributes to the bill for your Azure subscription. Data volume is measured as the size of the uncompressed JSON data package that's received by Application Insights from your application. Data volume is measured in GB (10^9 bytes). There is no data volume charge for using the [Live Metrics Stream](./live-stream.md).
[Multi-step web tests](./availability-multistep.md) incur an additional charge. Multi-step web tests are web tests that perform a sequence of actions. There's no separate charge for *ping tests* of a single page. Telemetry from ping tests and multi-step tests is charged the same as other telemetry from your app.
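Review bot: "10^9" in the added sentence renders literally as 10^9 in Markdown; use `10<sup>9</sup>` or spell out "1 GB = 1,000,000,000 bytes" so the exponent is visible. The same definition is added again as a note in the sampling section later in this article; defining it once, here where data volume is introduced, is enough.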
There are two approaches to address this: use of default monitoring and adaptive
### Data collection when using sampling
-With the ASP.NET SDK's [adaptive sampling](sampling.md#adaptive-sampling), the data volume is adjusted automatically to keep within a specified maximum rate of traffic for default Application Insights monitoring. If the application produces a low amount of telemetry, such as when debugging or due to low usage, items won't be dropped by the sampling processor as long as volume is below the configured events per second level. For a high volume application, with the default threshold of five events per second, adaptive sampling will limit the number of daily events to 432,000. Using a typical average event size of 1 KB, this corresponds to 13.4 GB of telemetry per 31-day month per node hosting your application (since the sampling is done local to each node.)
+With the ASP.NET SDK's [adaptive sampling](sampling.md#adaptive-sampling), the data volume is adjusted automatically to keep within a specified maximum rate of traffic for default Application Insights monitoring. If the application produces a low amount of telemetry, such as when debugging or due to low usage, items won't be dropped by the sampling processor as long as volume is below the configured events per second level. For a high volume application, with the default threshold of five events per second, adaptive sampling will limit the number of daily events to 432,000. Using a typical average event size of 1 KB, this corresponds to 13.4 GB of telemetry per 31-day month per node hosting your application since the sampling is done local to each node.
+
+> [!NOTE]
+> Azure Monitor log data size is calculated in GB (1 GB = 10^9 bytes).
For SDKs that don't support adaptive sampling, you can employ [ingestion sampling](./sampling.md#ingestion-sampling), which samples when the data is received by Application Insights based on a percentage of data to retain, or [fixed-rate sampling for ASP.NET, ASP.NET Core, and Java websites](sampling.md#fixed-rate-sampling) to reduce the traffic sent from your web server and web browsers
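Review bot: the new note repeats the GB definition already added to the Pricing model paragraph; keep only one. If it stays here, make it do real work, because the 13.4 GB figure only comes out with decimal units: 432,000 events/day × 1 KB × 31 days = 13,392,000 KB, which is 13.4 GB when 1 KB = 1,000 bytes and 1 GB = 10^9 bytes but about 13.7 GB when 1 KB = 1,024 bytes, so the note should also state that the calculation uses 1 KB = 1,000 bytes. The ingestion sampling sentence that follows is missing its final period.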
azure-monitor Platform Logs Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/platform-logs-overview.md
You can send platform logs to one or more of the destinations in the following t
| Destination | Description | |:|:|
-| Log Analytics workspace | Analyze the logs of all your Azure resources together and take advantage of all the features available to [Azure Monitor Logs](../logs/data-platform-logs.md) including [log queries](../logs/log-query-overview.md) and [log alerts](../alerts/alerts-log.md). Pin the results of a log query to an Azure dashboard or include it in a workbook as part of an interactive report. | |
-| Event hub | Send platform log data outside of Azure, for example to a third-party SIEM or custom telemetry platform.
+| Log Analytics workspace | Analyze the logs of all your Azure resources together and take advantage of all the features available to [Azure Monitor Logs](../logs/data-platform-logs.md) including [log queries](../logs/log-query-overview.md) and [log alerts](../alerts/alerts-log.md). Pin the results of a log query to an Azure dashboard or include it in a workbook as part of an interactive report. |
+| Event hub | Send platform log data outside of Azure, for example to a third-party SIEM or custom telemetry platform. |
| Azure storage | Archive the logs for audit or backup. | - For details on creating a diagnostic setting for activity log or resource logs, see [Create diagnostic settings to send platform logs and metrics to different destinations](../essentials/diagnostic-settings.md).
You can send platform logs to one or more of the destinations in the following t
## Next steps * [Read more details about the Activity log](../essentials/activity-log.md)
-* [Read more details about resource logs](./resource-logs.md)
+* [Read more details about resource logs](./resource-logs.md)
azure-monitor Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/policy-reference.md
Title: Built-in policy definitions for Azure Monitor description: Lists Azure Policy built-in policy definitions for Azure Monitor. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-monitor Security Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/security-baseline.md
description: The Azure Monitor security baseline provides procedural guidance an
Previously updated : 02/17/2021 Last updated : 03/30/2021
# Azure security baseline for Azure Monitor
-This security
-baseline applies guidance from the [Azure Security Benchmark version
-1.0](../security/benchmarks/overview-v1.md) to Azure Monitor. The Azure Security Benchmark
-provides recommendations on how you can secure your cloud solutions on Azure.
-The content is grouped by the **security controls** defined by the Azure
-Security Benchmark and the related guidance applicable to Azure Monitor. **Controls** not applicable to Azure Monitor have been excluded.
+This security baseline applies guidance from the [Azure Security Benchmark version1.0](../security/benchmarks/overview-v1.md) to Azure Monitor. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the **security controls** defined by the Azure Security Benchmark and the related guidance applicable to Azure Monitor. **Controls** not applicable to Azure Monitor, or for which the responsibility is Microsoft's, have been excluded.
-
-To see how Azure Monitor completely maps to the Azure
-Security Benchmark, see the [full Azure Monitor security baseline mapping
-file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
+To see how Azure Monitor completely maps to the Azure Security Benchmark, see the [full Azure Monitor security baseline mapping file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
## Network Security
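Review bot: joining the hard-wrapped lines dropped the space inside the link text, so "Azure Security Benchmark version1.0" needs to read "version 1.0". The rest of the reflow is fine, and the added clause excluding controls for which the responsibility is Microsoft's is a useful clarification.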
Virtual network rules enable Azure Monitor to only accept communications that ar
Use Log Analytics gateway to send data to a Log Analytics workspace in Azure Monitor on behalf of the computers that cannot directly connect to the internet preventing need of computers to be connected to internet. -- [How to set up Private Link for Azure Monitor](./logs/private-link-security.md)
+- [How to set up Private Link for Azure Monitor](/azure/azure-monitor/platform/private-link-security)
-- [Connect computers without internet access by using the Log Analytics gateway in Azure Monitor](./agents/gateway.md)
+- [Connect computers without internet access by using the Log Analytics gateway in Azure Monitor](/azure/azure-monitor/platform/gateway)
**Responsibility**: Customer
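Review bot: this hunk replaces relative links to the current folders (./logs/private-link-security.md, ./agents/gateway.md) with root-relative links under the older /azure/azure-monitor/platform/ path, and the same substitution repeats through the rest of this file (platform/, learn/ and log-query/ standing in for logs/, agents/, essentials/, alerts/ and vm/). Those look like the pre-reorganization URLs, which only resolve through redirects, and relative .md links are the form the docs build can validate, so this reads as an edit generated from a stale copy of the article; unless there is a reason to switch to absolute links, the removed lines are the ones to keep.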
Use Log Analytics gateway to send data to a Log Analytics workspace in Azure Mon
When using Azure Monitor with Private Link, you get access to network logging such as 'Data processed by the Private Endpoint (IN/OUT)'. -- [Network requirements for Azure Monitor agents](./agents/log-analytics-agent.md#network-requirements)
+- [Network requirements for Azure Monitor agents](/azure/azure-monitor/platform/log-analytics-agent#network-requirements)
-- [Connect computers without internet access by using the Log Analytics gateway in Azure Monitor](./agents/gateway.md)
+- [Connect computers without internet access by using the Log Analytics gateway in Azure Monitor](/azure/azure-monitor/platform/gateway)
- [How to enable network security group flow logs](../network-watcher/network-watcher-nsg-flow-logging-portal.md)
When using Azure Monitor with Private Link, you get access to network logging su
**Guidance**: Azure Monitor is part of the Azure core services and cannot be deployed as a service separately. Azure Monitor components, including the Azure Monitor Agent, and Application Insights SDK may be deployed with your resources, and this may impact the security posture of those resources. -- [Network requirements for Azure Monitor agents](./agents/log-analytics-agent.md#network-requirements)
+- [Network requirements for Azure Monitor agents](/azure/azure-monitor/platform/log-analytics-agent#network-requirements)
-- [Connect computers without internet access by using the Log Analytics gateway in Azure Monitor](./agents/gateway.md)
+- [Connect computers without internet access by using the Log Analytics gateway in Azure Monitor](/azure/azure-monitor/platform/gateway)
-- [See getting started with Application Insights](./app/app-insights-overview.md#get-started)
+- [See getting started with Application Insights](https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview#get-started)
- [How to set up availability web tests](app/monitor-web-app-availability.md)
When using Azure Monitor with Private Link, you get access to network logging su
**Guidance**: Use the Azure Activity Log to monitor resource configurations and detect changes to your network resources related to Azure Monitor. Create alerts within Azure Monitor that will trigger when changes to those critical network resources take place. -- [How to view and retrieve Azure Activity Log events](./essentials/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](/azure/azure-monitor/platform/activity-log#view-the-activity-log)
-- [How to create alerts in Azure Monitor](./alerts/alerts-activity-log.md)
+- [How to create alerts in Azure Monitor](/azure/azure-monitor/platform/alerts-activity-log)
**Responsibility**: Customer
When using Azure Monitor with Private Link, you get access to network logging su
Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM. -- [How to collect platform logs and metrics with Azure Monitor](./essentials/diagnostic-settings.md)
+- [How to collect platform logs and metrics with Azure Monitor](/azure/azure-monitor/platform/diagnostic-settings)
-- [How to collect Azure Virtual Machine internal host logs with Azure Monitor](./vm/quick-collect-azurevm.md)
+- [How to collect Azure Virtual Machine internal host logs with Azure Monitor](/azure/azure-monitor/learn/quick-collect-azurevm)
- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md)
Alternatively, you may enable and on-board data to Azure Sentinel or a third-par
**Guidance**: Azure Monitor uses Activity logs, the Activity Log is automatically enabled and logs operations taken on Azure Monitor resources, such as: who started the operation, when the operation occurred, the status of the operation and other useful audit information. -- [How to collect platform logs and metrics with Azure Monitor](./essentials/diagnostic-settings.md)
+- [How to collect platform logs and metrics with Azure Monitor](/azure/azure-monitor/platform/diagnostic-settings)
-- [Understand logging and different log types in Azure](./essentials/platform-logs-overview.md)
+- [Understand logging and different log types in Azure](/azure/azure-monitor/platform/platform-logs-overview)
**Responsibility**: Customer
Alternatively, you may enable and on-board data to Azure Sentinel or a third-par
**Guidance**: In Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for any long-term/archival storage of your logs. -- [Change the data retention period in Log Analytics](./logs/manage-cost-storage.md#change-the-data-retention-period)
+- [Change the data retention period in Log Analytics](/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period)
-- [How to configure retention policy for Azure Storage account logs](../storage/common/manage-storage-analytics-logs.md#configure-logging)
+- [How to configure retention policy for Azure Storage account logs](/azure/storage/common/storage-monitor-storage-account#configure-logging)
**Responsibility**: Customer
Alternatively, you can enable and on-board data to Azure Sentinel or a third-par
- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md) -- [Getting started with Log Analytics queries](./logs/log-analytics-tutorial.md)
+- [Getting started with Log Analytics queries](/azure/azure-monitor/log-query/log-analytics-tutorial)
-- [How to perform custom queries in Azure Monitor](./logs/get-started-queries.md)
+- [How to perform custom queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries)
**Responsibility**: Customer
Alternatively, you can enable and on-board data to Azure Sentinel or a third-par
- [How to manage alerts in Azure Security Center](../security-center/security-center-managing-and-responding-alerts.md) -- [How to alert on log analytics log data](./alerts/tutorial-response.md)
+- [How to alert on log analytics log data](/azure/azure-monitor/learn/tutorial-response)
**Responsibility**: Customer
Alternatively, you can enable and on-board data to Azure Sentinel or a third-par
**Guidance**: Azure role-based access control (Azure RBAC) allows you to manage access to Azure resources through role assignments. You can assign these roles to users, groups service principals and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell or the Azure portal. -- [How to get a directory role in Azure Active Directory (Azure AD) with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get a directory role in Azure Active Directory (Azure AD) with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole)
-- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember)
**Responsibility**: Customer
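Review bot: removing the mangled `?amp;preserve-view=true&view=azureadps-2.0` query string fixes a real problem (the leading `amp;` turned `preserve-view` into an unrecognised parameter), and dropping the version pin is fine for these cmdlet reference links; this is the form the other PowerShell links in this file should follow.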
You can also enable a Just-In-Time / Just-Enough-Access by using Azure Active Di
**Guidance**: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access. -- [Understand Azure AD reporting](../active-directory/reports-monitoring/index.yml)
+- [Understand Azure AD reporting](/azure/active-directory/reports-monitoring/)
- [How to use Azure Identity Access Reviews](../active-directory/governance/access-reviews-overview.md)
You can also enable a Just-In-Time / Just-Enough-Access by using Azure Active Di
**Guidance**: You have access to Azure Active Directory (Azure AD) Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any SIEM/Monitoring tool. You can streamline this process by creating Diagnostic Settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure desired Alerts within Log Analytics Workspace. -- [How to integrate Azure Activity Logs into Azure Monitor](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
+- [How to integrate Azure Activity Logs into Azure Monitor](/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics)
**Responsibility**: Customer
You can also enable a Just-In-Time / Just-Enough-Access by using Azure Active Di
- [How to create and use tags](../azure-resource-manager/management/tag-resources.md) -- [Manage access to log data and workspaces in Azure Monitor](./logs/manage-access.md)
+- [Manage access to log data and workspaces in Azure Monitor](/azure/azure-monitor/platform/manage-access)
**Responsibility**: Customer
You can also enable a Just-In-Time / Just-Enough-Access by using Azure Active Di
Application Insights and Log Analytics both continue to allow TLS 1.1 and TLS 1.0 data to be ingested. Data may be restricted to TLS 1.2 by configuring on the client side. -- [How to send data securely using TLS 1.2](./logs/data-security.md#sending-data-securely-using-tls-12)
+- [How to send data securely using TLS 1.2](/azure/azure-monitor/platform/data-security#sending-data-securely-using-tls-12)
**Responsibility**: Shared
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Use Azure role-based access control (RBAC) to manage access to Azure Monitor. -- [Roles, permissions, and security in Azure Monitor](./roles-permissions-security.md)
+- [Roles, permissions, and security in Azure Monitor](/azure/azure-monitor/platform/roles-permissions-security)
- [How to configure Azure RBAC](../role-based-access-control/role-assignments-portal.md)
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Azure Monitor ensures that all data and saved queries are encrypted at rest using Microsoft-managed keys (MMK). Azure Monitor also provides an option for encryption using your own key that is stored in your Azure Key Vault and accessed by storage using system-assigned managed identity authentication. This customer-managed key (CMK) can be either software or hardware-HSM protected. -- [Azure Monitor customer-managed keys](./logs/customer-managed-keys.md)
+- [Azure Monitor customer-managed keys](/azure/azure-monitor/platform/customer-managed-keys)
-- [Log Analytics data security](./logs/data-security.md)
+- [Log Analytics data security](/azure/azure-monitor/platform/data-security)
- [Data collection, retention, and storage in Application Insights](app/data-retention-privacy.md)
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place in Azure Monitor and related resources. -- [How to create alerts for Azure Activity Log events](./alerts/alerts-activity-log.md)
+- [How to create alerts for Azure Activity Log events](/azure/azure-monitor/platform/alerts-activity-log)
**Responsibility**: Customer
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Use Azure CLI to query and discover Azure Monitor resources within your subscriptions. Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions. -- [Azure Monitor CLI](/cli/azure/monitor)
+- [Azure Monitor CLI](https://docs.microsoft.com/cli/azure/monitor?view=azure-cli-latest&amp;preserve-view=true)
-- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription?preserve-view=true&view=azps-4.8.0)
+- [How to view your Azure Subscriptions](https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-4.8.0&amp;preserve-view=true)
- [Understand Azure RBAC](../role-based-access-control/overview.md) -- [Roles, permissions, and security in Azure Monitor](./roles-permissions-security.md)
+- [Roles, permissions, and security in Azure Monitor](/azure/azure-monitor/platform/roles-permissions-security)
**Responsibility**: Customer
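Review bot: `&amp;` inside the replacement URLs (`...monitor?view=azure-cli-latest&amp;preserve-view=true` and the Get-AzSubscription link) is an HTML entity placed in Markdown link syntax; write a plain `&` in the source. This hunk also switches from site-relative paths (`/cli/azure/monitor`) to fully qualified `https://docs.microsoft.com/...` URLs, which is the opposite direction from the earlier hunks in this file that replace relative links with site-relative ones; pick one convention for the article.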
Use Azure Resource Graph to query for and discover resources within their subscr
**Guidance**: Reconcile inventory on a regular basis and ensure unauthorized Azure Monitor related resources are deleted from the subscription in a timely manner. -- [Delete Azure Log Analytics workspace](./logs/delete-workspace.md)
+- [Delete Azure Log Analytics workspace](/azure/azure-monitor/platform/delete-workspace)
**Responsibility**: Customer
Use Azure Resource Graph to query for and discover resources within their subscr
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md) -- [How to deny a specific resource type with Azure Policy](../governance/policy/samples/built-in-policies.md#general)
+- [How to deny a specific resource type with Azure Policy](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies#general)
**Responsibility**: Customer
You may also use recommendations from Azure Security Center as a secure configur
If using live streaming APM capabilities, make the channel secure with a secret API key in addition to the instrumentation key. -- [Secure APM Live Metrics Stream](./app/live-stream.md#secure-the-control-channel)
+- [Secure APM Live Metrics Stream](https://docs.microsoft.com/azure/azure-monitor/app/live-stream#secure-the-control-channel)
-- [How to view available Azure Policy Aliases](/powershell/module/az.resources/get-azpolicyalias?amp;preserve-view=true&view=azps-4.8.0)
+- [How to view available Azure Policy Aliases](https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-4.8.0&amp;preserve-view=true)
- [Tutorial: Create and manage policies to enforce compliance](../governance/policy/tutorials/create-and-manage.md)
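Review bot: the Get-AzPolicyAlias link is only half repaired. The original carried a stray `?amp;preserve-view=true` (so `amp;preserve-view` was sent as a bogus query parameter); the replacement fixes the parameter order but reintroduces the entity as `&amp;`. Write the query string as `?view=azps-4.8.0&preserve-view=true`, and apply the same to the Live Metrics Stream link above it if it is meant to stay fully qualified.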
If using live streaming APM capabilities, make the channel secure with a secret
**Guidance**: Use Azure DevOps to securely store and manage your code like custom Azure policies and Azure Resource Manager templates. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS. -- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow?amp;preserve-view=true&view=azure-devops)
+- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow)
- [About permissions and groups in Azure DevOps](/azure/devops/organizations/security/about-permissions)
If using live streaming APM capabilities, make the channel secure with a secret
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md) -- [Azure Policy aliases](../governance/policy/concepts/definition-structure.md#aliases)
+- [Azure Policy aliases](https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure#aliases)
**Responsibility**: Customer
If using live streaming APM capabilities, make the channel secure with a secret
- [How to create a Key Vault](../key-vault/secrets/quick-create-portal.md) -- [How to provide Key Vault authentication with a managed identity](/azure/key-vault/general/assign-access-policy-portal)
+- [How to provide Key Vault authentication with a managed identity](/azure/key-vault/general/assign-access=policy-portal)
**Responsibility**: Customer
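Review bot: the replacement link `/azure/key-vault/general/assign-access=policy-portal` has an `=` where the original had a hyphen (`assign-access-policy-portal`), so the new target will not resolve. Restore the hyphen.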
Use Azure Security Center's Threat detection for data services to detect malware
**Guidance**: Use Azure Resource Manager to export the Azure Monitor and related resources in a JavaScript Object Notation (JSON) template which can be used as backup for Azure Monitor and related configurations. Use Azure Automation to run the backup scripts automatically. -- [Manage Log Analytics workspace using Azure Resource Manager templates](./logs/resource-manager-workspace.md)
+- [Manage Log Analytics workspace using Azure Resource Manager templates](/azure/azure-monitor/samples/resource-manager-workspace)
- [Single and multi-resource export to a template in Azure portal](../azure-resource-manager/templates/export-template-portal.md)
Use Azure Security Center's Threat detection for data services to detect malware
**Guidance**: Use Azure Resource Manager to export the Azure Monitor and related resources in a JavaScript Object Notation (JSON) template which can be used as backup for Azure Monitor and related configurations. Backup customer-managed keys within Azure Key Vault if Azure Monitor related resources are using customer-managed keys, -- [Manage Log Analytics workspace using Azure Resource Manager templates](./logs/resource-manager-workspace.md)
+- [Manage Log Analytics workspace using Azure Resource Manager templates](/azure/azure-monitor/platform/template-workspace-configuration)
- [Single and multi-resource export to a template in Azure portal](../azure-resource-manager/templates/export-template-portal.md) -- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey)
**Responsibility**: Customer
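Review bot: the link text `Manage Log Analytics workspace using Azure Resource Manager templates` now points at `/azure/azure-monitor/platform/template-workspace-configuration` in this hunk, but the identical link text in the backup and restore hunks around it points at `/azure/azure-monitor/samples/resource-manager-workspace`. Either one target is wrong or the link text should differ; make them agree. The sentence that introduces this list also ends with a comma (`...using customer-managed keys,`) where a period is needed.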
Use Azure Security Center's Threat detection for data services to detect malware
**Guidance**: Ensure ability to periodically perform restoration using Azure Resource Manager backed template files. Test restoration of backed up customer-managed keys. -- [Manage Log Analytics workspace using Azure Resource Manager templates](./logs/resource-manager-workspace.md)
+- [Manage Log Analytics workspace using Azure Resource Manager templates](/azure/azure-monitor/samples/resource-manager-workspace)
-- [How to restore key vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to restore key vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey)
**Responsibility**: Customer
Use Azure Security Center's Threat detection for data services to detect malware
Additionally, Enable Soft-Delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store Azure Resource Manager template backups, enable soft delete to save and recover your data when blobs or blob snapshots are deleted. -- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow?amp;preserve-view=true&view=azure-devops)
+- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow)
- [About permissions and groups in Azure DevOps](/azure/devops/organizations/security/about-permissions)
Additionally, clearly mark subscriptions (for ex. production, non-prod) using ta
## Next steps -- See the [Azure Security Benchmark V2 overview](../security/benchmarks/overview.md)-- Learn more about [Azure security baselines](../security/benchmarks/security-baselines-overview.md)
+- See the [Azure Security Benchmark V2 overview](/azure/security/benchmarks/overview)
+- Learn more about [Azure security baselines](/azure/security/benchmarks/security-baselines-overview)
azure-monitor Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-monitor Workbooks Automate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/visualize/workbooks-automate.md
There are two types of workbook resources that can be managed programmatically:
### Galleries
-| Gallery | Resource type | Workbook type |
-| : |:|:--|
-| Workbooks in Azure Monitor | `Azure Monitor` | `workbook` |
-| VM Insights in Azure Monitor | `Azure Monitor` | `vm-insights` |
-| Workbooks in Log analytics workspace | `microsoft.operationalinsights/workspaces` | `workbook` |
-| Workbooks in Application Insights | `microsoft.insights/component` | `workbook` |
-| Troubleshooting guides in Application Insights | `microsoft.insights/component` | `tsg` |
-| Usage in Application Insights | `microsoft.insights/component` | `usage` |
-| Workbooks in Kubernetes service | `Microsoft.ContainerService/managedClusters` | `workbook` |
-| Workbooks in Resource groups | `microsoft.resources/subscriptions/resourcegroups` | `workbook` |
-| Workbooks in Azure Active Directory | `microsoft.aadiam/tenant` | `workbook` |
-| VM Insights in Virtual machines | `microsoft.compute/virtualmachines` | `insights` |
-| VM Insights in virtual machine scale sets | `microsoft.compute/virtualmachinescalesets` | `insights` |
+| Gallery | Resource type | Workbook type |
+|:--|:-|:--|
+| Workbooks in Azure Monitor | `Azure Monitor` | `workbook` |
+| VM Insights in Azure Monitor | `Azure Monitor` | `vm-insights` |
+| Workbooks in Log analytics workspace | `microsoft.operationalinsights/workspaces` | `workbook` |
+| Workbooks in Application Insights | `microsoft.insights/components` | `workbook` |
+| Troubleshooting guides in Application Insights | `microsoft.insights/components` | `tsg` |
+| Usage in Application Insights | `microsoft.insights/components` | `usage` |
+| Workbooks in Kubernetes service | `Microsoft.ContainerService/managedClusters` | `workbook` |
+| Workbooks in Resource groups | `microsoft.resources/subscriptions/resourcegroups` | `workbook` |
+| Workbooks in Azure Active Directory | `microsoft.aadiam/tenant` | `workbook` |
+| VM Insights in Virtual machines | `microsoft.compute/virtualmachines` | `insights` |
+| VM Insights in virtual machine scale sets | `microsoft.compute/virtualmachinescalesets` | `insights` |
## Azure Resource Manager template for deploying a workbook instance
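Review bot: casing in the Resource type column is inconsistent (`Microsoft.ContainerService/managedClusters` beside `microsoft.insights/components` and `microsoft.operationalinsights/workspaces`); since this table is meant to be consumed programmatically, settle on one canonical casing while the values are being corrected. The `Azure Monitor` entries in the same column are not resource type strings like the rest of the column, so a reader scripting against the table cannot use them as-is; state which scope those galleries map to.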
azure-percept Vision Solution Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/vision-solution-troubleshooting.md
If the runtime status of **azureeyemodule** is not listed as **running**, click
:::image type="content" source="./media/vision-solution-troubleshooting/firmware-desired-status-stopped.png" alt-text="Module setting configuration screen.":::
-### Update TelemetryInterval
+### Update TelemetryIntervalNeuralNetworkMs
-If you encounter the following count limitation error, the TelemetryInterval value in the azureeyemodule module twin settings will need to be updated.
+If you encounter the following count limitation error, the TelemetryIntervalNeuralNetworkMs value in the azureeyemodule module twin settings will need to be updated.
|Error Message| || |Total number of messages on IotHub 'xxxxxxxxx' exceeded the allocated quota. Max allowed message count: '8000', current message count: 'xxxx'. Send and Receive operations are blocked for this hub until the next UTC day. Consider increasing the units for this hub to increase the quota.|
-TelemetryInterval determines how often to send messages (in milliseconds) from the neural network. Azure subscriptions have a limited number of messages per day, depending on your subscription tier. If you find yourself locked out due to having sent too many messages, increase this to a higher number. 12000 (meaning once every 12 seconds) will give you a nice round 7200 messages per day, which is under the 8000 message limit for the free subscription.
+TelemetryIntervalNeuralNetworkMs determines how often to send messages (in milliseconds) from the neural network. Azure subscriptions have a limited number of messages per day, depending on your subscription tier. If you find yourself locked out due to having sent too many messages, increase this to a higher number. 12000 (meaning once every 12 seconds) will give you a nice round 7200 messages per day, which is under the 8000 message limit for the free subscription.
-To update your TelemetryInterval value, follow these steps:
+To update your TelemetryIntervalNeuralNetworkMs value, follow these steps:
1. Log in to the [Azure portal](https://ms.portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_Iothub=aduprod#home) and open **All resources**.
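Review bot: the portal link in step 1 (`https://ms.portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_Iothub=aduprod#home`) is an internal ms.portal URL carrying feature flags and a non-production stamp selector; public guidance should link to `https://portal.azure.com`. Separately, the paragraph attributes the daily message quota to the Azure subscription tier, but the quoted error itself says `Consider increasing the units for this hub`, that is, the quota belongs to the IoT Hub tier and unit count; worth correcting while the property name is being renamed.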
To update your TelemetryInterval value, follow these steps:
:::image type="content" source="./media/vision-solution-troubleshooting/module-identity-twin-inline.png" alt-text="Screenshot of module twin properties." lightbox= "./media/vision-solution-troubleshooting/module-identity-twin.png":::
-1. Update the **TelemetryInterval** value as desired and click the **Save** icon.
+1. Update the **TelemetryIntervalNeuralNetworkMs** value as desired and click the **Save** icon.
## View device RTSP video stream
azure-portal Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/policy-reference.md
Title: Built-in policy definitions for Azure portal description: Lists Azure Policy built-in policy definitions for Azure portal. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-relay Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/diagnostic-logs.md
Here's a sample hybrid connections event in JSON format.
## Events and operations captured in diagnostic logs
-| Operation | Description |
-| | -- |
-| AuthorizationFailed | Authorization failed.|
-| InvalidSasToken | Invalid SAS token. |
-| ListenerAcceptingConnection | The listener is accepting connection. |
-| ListenerAcceptingConnectionTimeout | The listener accepting connection has timed out. |
-| ListenerAcceptingHttpRequestFailed | The listener accepting HTTP request failed due to an exception. |
-| ListenerAcceptingRequestTimeout | The listener accepting request has timed out. |  
-| ListenerClosingFromExpiredToken | The listener is closing because the security token has expired. | 
-| ListenerRejectedConnection | The listener has rejected the connection. |
-| ListenerReturningHttpResponse | The listener is returning an HTTP response. |  
-| ListenerReturningHttpResponseFailed | The listener is returning an HTTP response with a failure code. |
- ListenerSentHttpResponse | Relay service has received an HTTP response from the listener. |
-| ListenerUnregistered | The listener is unregistered. |
-| ListenerUnresponsive | The listener is unresponsive when returning a response. |
-| MessageSendingToListener | Message is being sent to listener. |
-| MessageSentToListener | Message is sent to listener. |
-| NewListenerRegistered | New listener registered. |
-| NewSenderRegistering | New sender is registering. |
-| ProcessingRequestFailed | The processing of a Hybrid Connection operation has failed. |
-| SenderConnectionClosed | The sender connection is closed. |
-| SenderListenerConnectionEstablished | The sender and listener established connection successfully. |
-| SenderSentHttpRequest | The sender sent an HTTP request. |
+| Operation | Description |
+|-|--|
+| AuthorizationFailed | Authorization failed. |
+| InvalidSasToken | Invalid SAS token. |
+| ListenerAcceptingConnection | The listener is accepting connection. |
+| ListenerAcceptingConnectionTimeout | The listener accepting connection has timed out. |
+| ListenerAcceptingHttpRequestFailed | The listener accepting HTTP request failed due to an exception. |
+| ListenerAcceptingRequestTimeout | The listener accepting request has timed out. |
+| ListenerClosingFromExpiredToken | The listener is closing because the security token has expired. |
+| ListenerRejectedConnection | The listener has rejected the connection. |
+| ListenerReturningHttpResponse | The listener is returning an HTTP response. |
+| ListenerReturningHttpResponseFailed | The listener is returning an HTTP response with a failure code. |
+| ListenerSentHttpResponse | Relay service has received an HTTP response from the listener. |
+| ListenerUnregistered | The listener is unregistered. |
+| ListenerUnresponsive | The listener is unresponsive when returning a response. |
+| MessageSendingToListener | Message is being sent to listener. |
+| MessageSentToListener | Message is sent to listener. |
+| NewListenerRegistered | New listener registered. |
+| NewSenderRegistering | New sender is registering. |
+| ProcessingRequestFailed | The processing of a Hybrid Connection operation has failed. |
+| SenderConnectionClosed | The sender connection is closed. |
+| SenderListenerConnectionEstablished | The sender and listener established connection successfully. |
+| SenderSentHttpRequest | The sender sent an HTTP request. |
## Next steps
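Review bot: the descriptions for `AuthorizationFailed` and `InvalidSasToken` only restate the operation names, and these are the two rows an incident responder will filter on. Say what each covers (for example whether `InvalidSasToken` includes expired and malformed tokens as well as bad signatures, and whether `AuthorizationFailed` means a well-formed token that lacks the required rights) so the two can be told apart when triaging. The restored leading `|` on the `ListenerSentHttpResponse` row is correct; without it that row did not render.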
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/custom-providers/policy-reference.md
Title: Built-in policy definitions for Azure Custom Resource Providers description: Lists Azure Policy built-in policy definitions for Azure Custom Resource Providers. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/policy-reference.md
Title: Built-in policy definitions for Azure Managed Applications description: Lists Azure Policy built-in policy definitions for Azure Managed Applications. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-resource-manager Async Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/async-operations.md
The response body contains the status of the operation:
### Deploy resources (201 with Azure-AsyncOperation)
-This example shows how to determine the status of [deployments operation for deploying resources](/rest/api/resources/resources/deployments/createorupdate) to Azure. The initial request is in the following format:
+This example shows how to determine the status of [deployments operation for deploying resources](/rest/api/resources/deployments/createorupdate) to Azure. The initial request is in the following format:
```HTTP PUT
azure-resource-manager Delete Resource Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/delete-resource-group.md
If you have the required access, but the delete request fails, it may be because
## Next steps * To understand Resource Manager concepts, see [Azure Resource Manager overview](overview.md).
-* For deletion commands, see [PowerShell](/powershell/module/az.resources/Remove-AzResourceGroup), [Azure CLI](/cli/azure/group#az-group-delete), and [REST API](/rest/api/resources/resources/resourcegroups/delete).
+* For deletion commands, see [PowerShell](/powershell/module/az.resources/Remove-AzResourceGroup), [Azure CLI](/cli/azure/group#az-group-delete), and [REST API](/rest/api/resources/resourcegroups/delete).
azure-resource-manager Lock Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/lock-resources.md
az lock delete --ids $lockid
### REST API
-You can lock deployed resources with the [REST API for management locks](/rest/api/resources/managementlocks/managementlocks). The REST API enables you to create and delete locks, and retrieve information about existing locks.
+You can lock deployed resources with the [REST API for management locks](/rest/api/resources/managementlocks). The REST API enables you to create and delete locks, and retrieve information about existing locks.
To create a lock, run:
azure-resource-manager Move Resource Group And Subscription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-resource-group-and-subscription.md
For illustration purposes, we have only one dependent resource.
## Validate move
-The [validate move operation](/rest/api/resources/resources/resources/moveresources) lets you test your move scenario without actually moving the resources. Use this operation to check if the move will succeed. Validation is automatically called when you send a move request. Use this operation only when you need to predetermine the results. To run this operation, you need the:
+The [validate move operation](/rest/api/resources/resources/moveresources) lets you test your move scenario without actually moving the resources. Use this operation to check if the move will succeed. Validation is automatically called when you send a move request. Use this operation only when you need to predetermine the results. To run this operation, you need the:
* name of the source resource group * resource ID of the target resource group
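Review bot: the repaired link still contains a doubled segment, `/rest/api/resources/resources/moveresources`, whereas the other link fixes in this batch collapse to a single `resources/` before the operation group (`/rest/api/resources/deployments/...`, `/rest/api/resources/tags/...`). Because the Resources operation group is itself named `resources`, the doubled form may be the intended one; confirm the link resolves and that only one `resources/` was meant to be removed here and in the `Use REST API` hunk below.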
If you get an error, see [Troubleshoot moving Azure resources to new resource gr
## Use REST API
-To move existing resources to another resource group or subscription, use the [Move resources](/rest/api/resources/resources/resources/moveresources) operation.
+To move existing resources to another resource group or subscription, use the [Move resources](/rest/api/resources/resources/moveresources) operation.
```HTTP POST https://management.azure.com/subscriptions/{source-subscription-id}/resourcegroups/{source-resource-group-name}/moveResources?api-version={api-version}
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/policy-reference.md
Title: Built-in policy definitions for Azure Resource Manager description: Lists Azure Policy built-in policy definitions for Azure Resource Manager. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-resource-manager Resource Manager Personal Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-manager-personal-data.md
For deployments, Resource Manager retains parameter values and status messages i
To list **deployments** in the history, use:
-* [List By Resource Group](/rest/api/resources/resources/deployments/listbyresourcegroup)
+* [List By Resource Group](/rest/api/resources/deployments/listbyresourcegroup)
* [Get-AzResourceGroupDeployment](/powershell/module/az.resources/Get-AzResourceGroupDeployment) * [az deployment group list](/cli/azure/deployment/group#az_deployment_group_list) To delete **deployments** from the history, use:
-* [Delete](/rest/api/resources/resources/deployments/delete)
+* [Delete](/rest/api/resources/deployments/delete)
* [Remove-AzResourceGroupDeployment](/powershell/module/az.resources/Remove-AzResourceGroupDeployment) * [az deployment group delete](/cli/azure/deployment/group#az_deployment_group_delete)
The name of the resource group persists until you delete the resource group. To
To list **resource groups**, use:
-* [List](/rest/api/resources/resources/resourcegroups/list)
+* [List](/rest/api/resources/resourcegroups/list)
* [Get-AzResourceGroup](/powershell/module/az.resources/Get-AzResourceGroup) * [az group list](/cli/azure/group#az-group-list) To delete **resource groups**, use:
-* [Delete](/rest/api/resources/resources/resourcegroups/delete)
+* [Delete](/rest/api/resources/resourcegroups/delete)
* [Remove-AzResourceGroup](/powershell/module/az.resources/Remove-AzResourceGroup) * [az group delete](/cli/azure/group#az-group-delete)
Tags names and values persist until you delete or modify the tag. To see if you
To list **tags**, use:
-* [List](/rest/api/resources/resources/tags/list)
+* [List](/rest/api/resources/tags/list)
* [Get-AzTag](/powershell/module/az.resources/Get-AzTag) * [az tag list](/cli/azure/tag#az-tag-list) To delete **tags**, use:
-* [Delete](/rest/api/resources/resources/tags/delete)
+* [Delete](/rest/api/resources/tags/delete)
* [Remove-AzTag](/powershell/module/az.resources/Remove-AzTag) * [az tag delete](/cli/azure/tag#az-tag-delete)
azure-resource-manager Resource Name Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-name-rules.md
In the following tables, the term alphanumeric refers to:
> | Entity | Scope | Length | Valid Characters | > | | | | | > | deployments | resource group | 1-64 | Alphanumerics, underscores, parentheses, hyphens, and periods. |
-> | resourcegroups | subscription | 1-90 | Alphanumerics, underscores, parentheses, hyphens, periods, and unicode characters that match the [regex documentation](/rest/api/resources/resources/resourcegroups/createorupdate).<br><br>Can't end with period. |
+> | resourcegroups | subscription | 1-90 | Alphanumerics, underscores, parentheses, hyphens, periods, and unicode characters that match the [regex documentation](/rest/api/resources/resourcegroups/createorupdate).<br><br>Can't end with period. |
> | tagNames | resource | 1-512 | Can't use:<br>`<>%&\?/` | > | tagNames / tagValues | tag name | 1-256 | All characters. | > | templateSpecs | resource group | 1-90 | Alphanumerics, underscores, parentheses, hyphens, and periods. |
azure-resource-manager Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-resource-manager Tag Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/tag-resources.md
The following template adds the tags from an object to either a resource group o
To work with tags through the Azure REST API, use:
-* [Tags - Create Or Update At Scope](/rest/api/resources/resources/tags/createorupdateatscope) (PUT operation)
-* [Tags - Update At Scope](/rest/api/resources/resources/tags/updateatscope) (PATCH operation)
-* [Tags - Get At Scope](/rest/api/resources/resources/tags/getatscope) (GET operation)
-* [Tags - Delete At Scope](/rest/api/resources/resources/tags/deleteatscope) (DELETE operation)
+* [Tags - Create Or Update At Scope](/rest/api/resources/tags/createorupdateatscope) (PUT operation)
+* [Tags - Update At Scope](/rest/api/resources/tags/updateatscope) (PATCH operation)
+* [Tags - Get At Scope](/rest/api/resources/tags/getatscope) (GET operation)
+* [Tags - Delete At Scope](/rest/api/resources/tags/deleteatscope) (DELETE operation)
## Inherit tags
azure-resource-manager Bicep File https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/bicep-file.md
+
+ Title: Bicep file structure and syntax
+description: Describes the structure and properties of a Bicep file using declarative syntax.
+ Last updated : 03/31/2021++
+# Understand the structure and syntax of Bicep files
+
+This article describes the structure of a Bicep file. It presents the different sections of the file and the properties that are available in those sections.
+
+This article is intended for users who have some familiarity with Bicep files. It provides detailed information about the structure of the template. For a step-by-step tutorial that guides you through the process of creating a Bicep file, see [Tutorial: Create and deploy first Azure Resource Manager Bicep file](bicep-tutorial-create-first-bicep.md).
+
+## Template format
+
+A Bicep file has the following elements. The elements can appear in any order.
+
+```bicep
+targetScope = '<scope>'
+
+@<decorator>(<argument>)
+param <parameter-name> <parameter-data-type> = <default-value>
+
+var <variable-name> = <variable-value>
+
+module <module-symbolic-name> '<path-to-file>' = {
+ name: '<linked-deployment-name>'
+ params: {
+ <parameter-names-and-values>
+ }
+}
+
+resource <resource-symbolic-name> '<resource-type>@<api-version>' = {
+ <resource-properties>
+}
+
+resource <resource-symbolic-name> '<resource-type>@<api-version>' = if (<condition-to-deploy>) {
+ <resource-properties>
+}
+
+output <output-name> <output-data-type> = <output-value>
+```
+
+The following example shows an implementation of these elements.
+
+```bicep
+@minLength(3)
+@maxLength(11)
+param storagePrefix string
+
+param storageSKU string = 'Standard_LRS'
+param location string = resourceGroup().location
+
+var uniqueStorageName = '${storagePrefix}${uniqueString(resourceGroup().id)}'
+
+resource stg 'Microsoft.Storage/storageAccounts@2019-04-01' = {
+ name: uniqueStorageName
+ location: location
+ sku: {
+ name: storageSKU
+ }
+ kind: 'StorageV2'
+ properties: {
+ supportsHttpsTrafficOnly: true
+ }
+}
+
+module webModule './webApp.bicep' = {
+ name: 'webDeploy'
+ params: {
+ skuName: 'S1'
+ location: location
+ }
+}
+
+output storageEndpoint object = stg.properties.primaryEndpoints
+```
+
+## Target scope
+
+By default, the target scope is set to `resourceGroup`. If you're deploying at the resource group level, you don't need to set the target scope in your Bicep file.
+
+The allowed values are:
+
+* **resourceGroup** - default value, used for [resource group deployments](deploy-to-resource-group.md).
+* **subscription** - used for [subscription deployments](deploy-to-subscription.md).
+* **managementGroup** - used for [management group deployments](deploy-to-management-group.md).
+* **tenant** - used for [tenant deployments](deploy-to-tenant.md).
+
+## Parameters
+
+Use parameters for values that need to vary for different deployments. You can define a default value for the parameter that is used if no value is provided during deployment.
+
+For example, you might add a SKU parameter to specify different sizes for a resource. You can use template functions for creating the default value, such as getting the resource group location.
+
+```bicep
+param storageSKU string = 'Standard_LRS'
+param location string = resourceGroup().location
+```
+
+For the available data types, see [Data types in templates](data-types.md).
+
+For more information, see [Parameters in templates](template-parameters.md).
+
+## Parameter decorators
+
+You can add one or more decorators for each parameter. These decorators define the values that are allowed for the parameter. The following example specifies the SKUs that can be deployed through the Bicep file.
+
+```bicep
+@allowed([
+ 'Standard_LRS'
+ 'Standard_GRS'
+ 'Standard_ZRS'
+ 'Premium_LRS'
+])
+param storageSKU string = 'Standard_LRS'
+```
+
+The following table describes the available decorators and how to use them.
+
+| Decorator | Apply to | Argument | Description |
+| | - | -- | - |
+| allowed | all | array | Allowed values for the parameter. Use this decorator to make sure the user provides correct values. |
+| description | all | string | Text that explains how to use the parameter. The description is displayed to users through the portal. |
+| maxLength | array, string | int | The maximum length for string and array parameters. The value is inclusive. |
+| maxValue | int | int | The maximum value for the integer parameter. This value is inclusive. |
+| metadata | all | object | Custom properties to apply to the parameter. Can include a description property that is equivalent to the description decorator. |
+| minLength | array, string | int | The minimum length for string and array parameters. The value is inclusive. |
+| minValue | int | int | The minimum value for the integer parameter. This value is inclusive. |
+| secure | string, object | none | Marks the parameter as secure. The value for a secure parameter isn't saved to the deployment history and isn't logged. For more information, see [Secure strings and objects](data-types.md#secure-strings-and-objects). |
+
+## Variables
+
+Use variables for complex expressions that are repeated in a Bicep file. For example, you might add a variable for a resource name that is constructed by concatenating several values together.
+
+```bicep
+var uniqueStorageName = '${storagePrefix}${uniqueString(resourceGroup().id)}'
+```
+
+You don't specify a [data type](data-types.md) for a variable. Instead, the data type is inferred from the value.
+
+For more information, see [Variables in templates](template-variables.md).
+
+## Modules
+
+Use modules to link to other Bicep files that contain code you want to reuse. The module contains one or more resources to deploy. Those resources are deployed along with any other resources in your Bicep file.
+
+```bicep
+module webModule './webApp.bicep' = {
+ name: 'webDeploy'
+ params: {
+ skuName: 'S1'
+ location: location
+ }
+}
+```
+
+The symbolic name enables you to reference the module from somewhere else in the file. For example, you can get an output value from a module by using the symbolic name and the name of the output value.
+
+For more information, see [Use Bicep modules](bicep-modules.md).
+
+## Resource
+
+Use the `resource` keyword to define a resource to deploy. Your resource declaration includes a symbolic name for the resource. You'll use this symbolic name in other parts of the Bicep file if you need to get a value from the resource.
+
+The resource declaration also includes the resource type and API version.
+
+```bicep
+resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
+ name: uniqueStorageName
+ location: location
+ sku: {
+ name: storageSKU
+ }
+ kind: 'StorageV2'
+ properties: {
+ supportsHttpsTrafficOnly: true
+ }
+}
+```
+
+In your resource declaration, you include properties for the resource type. These properties are unique to each resource type.
+
+To [conditionally deploy a resource](conditional-resource-deployment.md), add an `if` statement.
+
+```bicep
+resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = if (newOrExisting == 'new') {
+ name: uniqueStorageName
+ location: location
+ sku: {
+ name: storageSKU
+ }
+ kind: 'StorageV2'
+ properties: {
+ supportsHttpsTrafficOnly: true
+ }
+}
+```
+
+For more information, see [Resource declaration in templates](resource-declaration.md).
+
+## Outputs
+
+Use outputs to return value from the deployment. Typically, you return a value from a deployed resource when you need to reuse that value for another operation.
+
+```bicep
+output storageEndpoint object = stg.properties.primaryEndpoints
+```
+
+Specify a [data type](data-types.md) for the output value.
+
+For more information, see [Outputs in templates](template-outputs.md).
+
+## Comments
+
+Use `//` for single-line comments or `/* ... */` for multi-line comments
+
+The following example shows a single-line comment.
+
+```bicep
+// This is your primary NIC.
+resource nic1 'Microsoft.Network/networkInterfaces@2020-06-01' = {
+ ...
+}
+```
+
+The following example shows a multi-line comment.
+
+```bicep
+/*
+ This template assumes the key vault already exists and
+ is in same subscription and resource group as the deployment.
+*/
+param existingKeyVaultName string
+```
+
+## Multi-line strings
+
+You can break a string into multiple lines. Use three single quote characters `'''` to start and end the multi-line string.
+
+Characters within the multi-line string are handled as-is. Escape characters are unnecessary. You can't include `'''` in the multi-line string. String interpolation isn't currently supported.
+
+You can either start your string right after the opening `'''` or include a new line. In either case, the resulting string doesn't include a new line. Depending on the line endings in your Bicep file, new lines are interpreted as `\r\n` or `\n`.
+
+The following example shows a multi-line string.
+
+```bicep
+var stringVar = '''
+this is multi-line
+ string with formatting
+ preserved.
+'''
+```
+
+The preceding example is equivalent to the following JSON.
+
+```json
+"variables": {
+ "stringVar": "this is multi-line\r\n string with formatting\r\n preserved.\r\n"
+}
+```
+
+## Next steps
+
+For an introduction to Bicep, see [What is Bicep?](bicep-overview.md).
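Review bot: the delimiter row under the decorator table, `| | - | -- | - |`, has an empty first cell, so markdown will not recognise it as a header separator and the whole table renders as plain text; use `| - | - | - | - |`. Two smaller points in the same file: the `secure` row is the one security-relevant decorator, yet it is the only one described without showing its form while `allowed` gets a code sample above, so a one-line `@secure()` beside a `param adminPassword string` would make the "isn't saved to the deployment history and isn't logged" guarantee concrete, and the Outputs section could cross-reference it so readers do not pass a secure parameter straight back out through an `output`. Minor grammar: "Use outputs to return value from the deployment" should read "return values", and "Use `//` for single-line comments or `/* ... */` for multi-line comments" is missing its terminal period.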
azure-resource-manager Deploy Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-rest.md
You can either include your template in the request body or link to a file. When
You can target your deployment to a resource group, Azure subscription, management group, or tenant. Depending on the scope of the deployment, you use different commands. -- To deploy to a **resource group**, use [Deployments - Create](/rest/api/resources/resources/deployments/createorupdate). The request is sent to:
+- To deploy to a **resource group**, use [Deployments - Create](/rest/api/resources/deployments/createorupdate). The request is sent to:
```HTTP PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2020-10-01 ``` -- To deploy to a **subscription**, use [Deployments - Create At Subscription Scope](/rest/api/resources/resources/deployments/createorupdateatsubscriptionscope). The request is sent to:
+- To deploy to a **subscription**, use [Deployments - Create At Subscription Scope](/rest/api/resources/deployments/createorupdateatsubscriptionscope). The request is sent to:
```HTTP PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2020-10-01
You can target your deployment to a resource group, Azure subscription, manageme
For more information about subscription level deployments, see [Create resource groups and resources at the subscription level](deploy-to-subscription.md). -- To deploy to a **management group**, use [Deployments - Create At Management Group Scope](/rest/api/resources/resources/deployments/createorupdateatmanagementgroupscope). The request is sent to:
+- To deploy to a **management group**, use [Deployments - Create At Management Group Scope](/rest/api/resources/deployments/createorupdateatmanagementgroupscope). The request is sent to:
```HTTP PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/{groupId}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2020-10-01
You can target your deployment to a resource group, Azure subscription, manageme
For more information about management group level deployments, see [Create resources at the management group level](deploy-to-management-group.md). -- To deploy to a **tenant**, use [Deployments - Create Or Update At Tenant Scope](/rest/api/resources/resources/deployments/createorupdateattenantscope). The request is sent to:
+- To deploy to a **tenant**, use [Deployments - Create Or Update At Tenant Scope](/rest/api/resources/deployments/createorupdateattenantscope). The request is sent to:
```HTTP PUT https://management.azure.com/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2020-10-01
The examples in this article use resource group deployments.
1. Set [common parameters and headers](/rest/api/azure/), including authentication tokens.
-1. If you're deploying to a resource group that doesn't exist, create the resource group. Provide your subscription ID, the name of the new resource group, and location that you need for your solution. For more information, see [Create a resource group](/rest/api/resources/resources/resourcegroups/createorupdate).
+1. If you're deploying to a resource group that doesn't exist, create the resource group. Provide your subscription ID, the name of the new resource group, and location that you need for your solution. For more information, see [Create a resource group](/rest/api/resources/resourcegroups/createorupdate).
```HTTP PUT https://management.azure.com/subscriptions/<YourSubscriptionId>/resourcegroups/<YourResourceGroupName>?api-version=2020-06-01
The examples in this article use resource group deployments.
} ```
-1. To get the status of the template deployment, use [Deployments - Get](/rest/api/resources/resources/deployments/get).
+1. To get the status of the template deployment, use [Deployments - Get](/rest/api/resources/deployments/get).
```HTTP GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2020-10-01
azure-resource-manager Deployment History Deletions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-history-deletions.md
az feature unregister --namespace Microsoft.Resources --name DisableDeploymentGr
# [REST](#tab/rest)
-For REST API, use [Features - Register](/rest/api/resources/features/features/register).
+For REST API, use [Features - Register](/rest/api/resources/features/register).
```rest POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Features/providers/Microsoft.Resources/features/DisableDeploymentGrooming/register?api-version=2015-12-01
To see the current status of your subscription, use:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Features/providers/Microsoft.Resources/features/DisableDeploymentGrooming/register?api-version=2015-12-01 ```
-To reenable automatic deletions, use [Features - Unregister](/rest/api/resources/features/features/unregister)
+To reenable automatic deletions, use [Features - Unregister](/rest/api/resources/features/unregister)
```rest POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Features/providers/Microsoft.Resources/features/DisableDeploymentGrooming/unregister?api-version=2015-12-01
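Review bot: the rewritten sentence "To reenable automatic deletions, use [Features - Unregister](/rest/api/resources/features/unregister)" has no terminal period, while its sibling "For REST API, use [Features - Register](...)." does; add the period while the line is being touched for the link path.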
azure-resource-manager Deployment History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-history.md
az deployment group show --resource-group ExampleGroup --name ExampleDeployment
# [HTTP](#tab/http)
-To list the deployments for a resource group, use the following operation. For the latest API version number to use in the request, see [Deployments - List By Resource Group](/rest/api/resources/resources/deployments/listbyresourcegroup).
+To list the deployments for a resource group, use the following operation. For the latest API version number to use in the request, see [Deployments - List By Resource Group](/rest/api/resources/deployments/listbyresourcegroup).
``` GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/?api-version={api-version} ```
-To get a specific deployment. use the following operation. For the latest API version number to use in the request, see [Deployments - Get](/rest/api/resources/resources/deployments/get).
+To get a specific deployment. use the following operation. For the latest API version number to use in the request, see [Deployments - Get](/rest/api/resources/deployments/get).
``` GET https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/microsoft.resources/deployments/{deployment-name}?api-version={api-version}
az deployment operation group list --resource-group ExampleGroup --name ExampleD
# [HTTP](#tab/http)
-To get deployment operations, use the following operation. For the latest API version number to use in the request, see [Deployment Operations - List](/rest/api/resources/resources/deploymentoperations/list).
+To get deployment operations, use the following operation. For the latest API version number to use in the request, see [Deployment Operations - List](/rest/api/resources/deploymentoperations/list).
``` GET https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/microsoft.resources/deployments/{deployment-name}/operations?$skiptoken={skiptoken}&api-version={api-version}
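Review bot: the rewritten line "To get a specific deployment. use the following operation." keeps the stray period from the original where a comma belongs; since the line is already being edited for the link path, make it "To get a specific deployment, use the following operation." in the same commit.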
azure-resource-manager Export Template Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/export-template-portal.md
To assist with creating Azure Resource Manager templates, you can export a templ
Resource Manager enables you to pick one or more resources for exporting to a template. You can focus on exactly the resources you need in the template.
-This article shows how to export templates through the portal. You can also use [Azure CLI](../management/manage-resource-groups-cli.md#export-resource-groups-to-templates), [Azure PowerShell](../management/manage-resource-groups-powershell.md#export-resource-groups-to-templates), or [REST API](/rest/api/resources/resources/resourcegroups/exporttemplate).
+This article shows how to export templates through the portal. You can also use [Azure CLI](../management/manage-resource-groups-cli.md#export-resource-groups-to-templates), [Azure PowerShell](../management/manage-resource-groups-powershell.md#export-resource-groups-to-templates), or [REST API](/rest/api/resources/resourcegroups/exporttemplate).
## Choose the right export option
You can export the template that was used to deploy existing resources. The temp
## Next steps -- Learn how to export templates with [Azure CLI](../management/manage-resource-groups-cli.md#export-resource-groups-to-templates), [Azure PowerShell](../management/manage-resource-groups-powershell.md#export-resource-groups-to-templates), or [REST API](/rest/api/resources/resources/resourcegroups/exporttemplate).
+- Learn how to export templates with [Azure CLI](../management/manage-resource-groups-cli.md#export-resource-groups-to-templates), [Azure PowerShell](../management/manage-resource-groups-powershell.md#export-resource-groups-to-templates), or [REST API](/rest/api/resources/resourcegroups/exporttemplate).
- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](template-syntax.md). - To learn how to develop templates, see the [step-by-step tutorials](../index.yml). - To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Template Deploy What If https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-deploy-what-if.md
If you want to return the results without colors, open your [Azure CLI configura
For REST API, use:
-* [Deployments - What If](/rest/api/resources/resources/deployments/whatif) for resource group deployments
-* [Deployments - What If At Subscription Scope](/rest/api/resources/resources/deployments/whatifatsubscriptionscope) for subscription deployments
-* [Deployments - What If At Management Group Scope](/rest/api/resources/resources/deployments/whatifatmanagementgroupscope) for management group deployments
-* [Deployments - What If At Tenant Scope](/rest/api/resources/resources/deployments/whatifattenantscope) for tenant deployments.
+* [Deployments - What If](/rest/api/resources/deployments/whatif) for resource group deployments
+* [Deployments - What If At Subscription Scope](/rest/api/resources/deployments/whatifatsubscriptionscope) for subscription deployments
+* [Deployments - What If At Management Group Scope](/rest/api/resources/deployments/whatifatmanagementgroupscope) for management group deployments
+* [Deployments - What If At Tenant Scope](/rest/api/resources/deployments/whatifattenantscope) for tenant deployments.
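Review bot: terminal punctuation on the four rewritten What If bullets is inconsistent; only the tenant-scope bullet ends with a period. Either drop it or end all four the same way, since these lines are being touched for the link paths anyway.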
## Change types
azure-signalr Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/policy-reference.md
Title: Built-in policy definitions for Azure SignalR description: Lists Azure Policy built-in policy definitions for Azure SignalR. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-signalr Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SignalR description: Lists Azure Policy Regulatory Compliance controls available for Azure SignalR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-sql-edge Tutorial Set Up Iot Edge Modules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql-edge/tutorial-set-up-iot-edge-modules.md
Now, specify the container credentials in the IoT Edge module.
4. Under **Container Registry Credentials**, enter the following values:
- _Field_|_Value_
- -|-
- Name|Registry name
- Address|Login server
- User Name|Username
- Password|Password
+ | _Field_ | _Value_ |
+ | - | - |
+ | Name | Registry name |
+ | Address | Login server |
+ | User Name | Username |
+ | Password | Password |
## Build, push, and deploy the Data Generator Module
In this tutorial, we deployed the data generator module and the SQL Edge module.
## Next Steps -- [Deploy ML model on Azure SQL Edge using ONNX](tutorial-run-ml-model-on-sql-edge.md)
+- [Deploy ML model on Azure SQL Edge using ONNX](tutorial-run-ml-model-on-sql-edge.md)
azure-sql Always Encrypted Enclaves Configure Attestation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/always-encrypted-enclaves-configure-attestation.md
The above policy verifies:
- The security version number (SVN) of the library is greater than 0. > The SVN allows Microsoft to respond to potential security bugs identified in the enclave code. In case a security issue is dicovered and fixed, Microsoft will deploy a new version of the enclave with a new (incremented) SVN. The above recommended policy will be updated to reflect the new SVN. By updating your policy to match the recommended policy you can ensure that if a malicious administrator tries to load an older and insecure enclave, attestation will fail. - The library in the enclave has been signed using the Microsoft signing key (the value of the x-ms-sgx-mrsigner claim is the hash of the signing key).
- > One of the main goals of attestation is to convince clients that the binary running in the enclave is the binary that is supposed to run. Attestation policies provide two mechanisms for this purpose. One is the **mrenclave** claim which is the hash of the binary that is supposed to run in an enclave. The problem with the **mrenclave** is that the binary hash changes even with trivial changes to the code, which makes it hard to rev the code running in the enclave. Hence, we recommend the use of the **mrsigner**, which is a hash of a key that is used to sign the enclave binary. When Microsoft revs the enclave, the **mrsigner** stays the same as long as the signing key does not change. In this way, it becomes feasible to deploy updated binaries without breaking customersΓÇÖ applications.
+ > One of the main goals of attestation is to convince clients that the binary running in the enclave is the binary that is supposed to run. Attestation policies provide two mechanisms for this purpose. One is the **mrenclave** claim which is the hash of the binary that is supposed to run in an enclave. The problem with the **mrenclave** is that the binary hash changes even with trivial changes to the code, which makes it hard to rev the code running in the enclave. Hence, we recommend the use of the **mrsigner**, which is a hash of a key that is used to sign the enclave binary. When Microsoft revs the enclave, the **mrsigner** stays the same as long as the signing key does not change. In this way, it becomes feasible to deploy updated binaries without breaking customers' applications.
> [!IMPORTANT] > An attestation provider gets created with the default policy for Intel SGX enclaves, which does not validate the code running inside the enclave. Microsoft strongly advises you set the above recommended policy, and not use the default policy, for Always Encrypted with secure enclaves.
Use the following script to determine your attestation URL:
```powershell $attestationProvider = Get-AzAttestation -Name $attestationProviderName -ResourceGroupName $attestationResourceGroupName
-$attestationUrl = $attestationProvider.AttestUri + ΓÇ£/attest/SgxEnclaveΓÇ¥
+$attestationUrl = $attestationProvider.AttestUri + "/attest/SgxEnclave"
Write-Host "Your attestation URL is: " $attestationUrl ```
See the below screenshot for an example.
```powershell $serverResourceGroupName = "<server resource group name>" $serverName = "<server name>"
-$server = Get-AzSqlServer -ServerName $serverName -ResourceGroupName
+$server = Get-AzSqlServer -ServerName $serverName -ResourceGroupName $serverResourceGroupName
``` 2. Assign the server to the Attestation Reader role for the resource group containing your attestation provider.
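Review bot: the corrected `Get-AzSqlServer` line now passes `$serverResourceGroupName` to `-ResourceGroupName`, which the original omitted and which would have left the cmdlet prompting or failing, and replacing the smart-quote mojibake with ASCII quotes around `"/attest/SgxEnclave"` lets the string concatenation parse; both fixes are right. Two leftovers in the same region: the unchanged SVN note still reads "dicovered" for "discovered", and because the mrsigner paragraph explains that the signer hash stays constant across Microsoft's enclave revisions, it is worth a one-line cross-reference back to the SVN bullet, which is where the text already states that an older, insecure enclave signed with the same key fails attestation; read on their own, the two paragraphs can leave the impression that mrsigner alone pins the code.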
azure-sql Configure Max Degree Of Parallelism https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/configure-max-degree-of-parallelism.md
+
+ Title: "Configure the max degree of parallelism (MAXDOP)"
+
+description: Learn about the max degree of parallelism (MAXDOP).
Last updated : "03/29/2021"+
+dev_langs:
+ - "TSQL"
+++
+ms.devlang: tsql
+++++
+# Configure the max degree of parallelism (MAXDOP) in Azure SQL Database
+
+ This article describes the **max degree of parallelism (MAXDOP)** in Azure SQL Database, and how it can be configured.
+
+> [!NOTE]
+> **This content is focused on Azure SQL Database.** Azure SQL Database is based on the latest stable version of the Microsoft SQL Server database engine, so much of the content is similar though troubleshooting and configuration options differ. For more on MAXDOP in SQL Server, see [Configure the max degree of parallelism Server Configuration Option](/sql/database-engine/configure-windows/configure-the-max-degree-of-parallelism-server-configuration-option).
+
+## Overview
+ In Azure SQL Database, the default MAXDOP setting for each new single database and elastic pool database is 8. This means the database engine may execute queries using multiple threads. Unlike SQL Server, where the default server-wide MAXDOP is 0 (unlimited), by default new databases in Azure SQL Database are set to MAXDOP 8. This default prevents unnecessary resource utilization and ensures consistent customer experience. It is not typically necessary to further configure the MAXDOP in Azure SQL Database workloads, but it may provide benefits as an advanced performance tuning exercise.
+
+> [!Note]
+> In September 2020, based on years of telemetry in the Azure SQL Database service [MAXDOP 8 was chosen](https://techcommunity.microsoft.com/t5/azure-sql/changing-default-maxdop-in-azure-sql-database-and-azure-sql/ba-p/1538528) as the default for new databases as an optimal value for the widest variety of customer workloads. This default has helped to prevent performance problems due to excessive parallelism. Prior to that, the default setting for new databases was MAXDOP 0. The MAXDOP database scoped configuration option was not changed for existing databases created prior to September 2020.
+
+ In general, if the database engine chooses to execute a query using parallelism, execution time is faster. However, excess parallelism can consume excess processor resources without improving query performance. At scale, excess parallelism can negatively affect query performance for all queries executing on the same database engine instance, so setting an upper boundary for parallelism has been a common performance tuning exercise in SQL Server workloads.
+
+ The following table describes database engine behavior when executing queries with different MAXDOP values:
+
+| MAXDOP | Behavior |
+|--|--|
+| = 1 | The database engine does not execute queries using multiple concurrent threads. |
+| > 1 | The database engine sets an upper boundary for the number of parallel threads. The database engine chooses the number of extra worker threads to use. The total number of worker threads used to execute a query may be higher than specified MAXDOP value. |
+| = 0 | The database engine can use a number of parallel threads with an upper boundary dependent on the total number of logical processors. The database engine chooses the number of parallel threads to use.|
+| | |
+
+## <a name="Considerations"></a> Considerations
+
+- In Azure SQL Database, you can change the default MAXDOP value:
+ - At the query level, using the **MAXDOP** [query hint](/sql/t-sql/queries/hints-transact-sql-query).
+ - At the database level, using the **MAXDOP** [database scoped configuration](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql).
+
+- Long-standing SQL Server MAXDOP considerations and [recommendations](/sql/database-engine/configure-windows/configure-the-max-degree-of-parallelism-server-configuration-option#Guidelines) are applicable to Azure SQL Database.
+
+- MAXDOP is enforced per [task](/sql/relational-databases/system-dynamic-management-views/sys-dm-os-tasks-transact-sql). It is not enforced per [request](/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-requests-transact-sql) or per query. This means that during a parallel query execution, a single request can spawn multiple tasks with an upper boundary determined by the MAXDOP. For more information, see the *Scheduling parallel tasks* section in the [Thread and Task Architecture Guide](/sql/relational-databases/thread-and-task-architecture-guide).
+
+- Index operations that create or rebuild an index, or that drop a clustered index, can be resource intensive. You can override the database max degree of parallelism value for index operations by specifying the MAXDOP index option in the `CREATE INDEX` or `ALTER INDEX` statement. The MAXDOP value is applied to the statement at execution time and is not stored in the index metadata. For more information, see [Configure Parallel Index Operations](/sql/relational-databases/indexes/configure-parallel-index-operations).
+
+- In addition to queries and index operations, the database scoped configuration option for MAXDOP also controls the parallelism of DBCC CHECKTABLE, DBCC CHECKDB, and DBCC CHECKFILEGROUP.
+
+## <a name="Security"></a> Recommendations
+
+ Changing MAXDOP for the database can have major impact on query performance and resource utilization, both positive and negative. However, there is no single MAXDOP value that is optimal for all workloads. The recommendations for setting MAXDOP are nuanced, and depend on many factors.
+
+ Some peak concurrent workloads may operate better with a different MAXDOP than others. A properly configured MAXDOP should reduce the risk of performance and availability incidents, and in some cases reduce costs by being able to avoid unnecessary resource utilization, and thus scale down to a lower service objective.
+
+### Excessive parallelism
+
+ A higher MAXDOP often reduces duration for CPU-intensive queries. However, excessive parallelism can worsen other concurrent workload performance by starving other queries of CPU and worker thread resources. In extreme cases, excessive parallelism can consume all database or elastic pool resources, causing query timeouts, errors, and application outages.
+
+ We recommend that customers avoid MAXDOP 0 even if it does not appear to cause problems currently. Excessive parallelism becomes most problematic when the CPU and worker threads are receiving more concurrent requests than can be supported by the service objective. Avoid MAXDOP 0 to reduce the risk of potential future problems due to excessive parallelism if a database is scaled up, or if future hardware generations in Azure SQL Database provide more cores for the same database service objective.
+
+### Modifying MAXDOP
+
+ If you determine that a different MAXDOP setting is optimal for your Azure SQL Database workload, you can use the `ALTER DATABASE SCOPED CONFIGURATION` T-SQL statement. For examples, see the [Examples using Transact-SQL](#examples) section below. Add this step to the deployment process to change MAXDOP after database creation.
+
+ If non-default MAXDOP benefits only a subset of queries in the workload, you can override MAXDOP at the query level by adding the OPTION (MAXDOP) hint. For examples, see the [Examples using Transact-SQL](#examples) section below.
+
+ Thoroughly test your MAXDOP configuration changes with load testing involving realistic concurrent query loads.
+
+ The MAXDOP for the primary and secondary replicas can be configured independently to take advantage of different optimal MAXDOP settings for read-write and read-only workloads. This applies to Azure SQL Database [read scale-out](read-scale-out.md), [geo-replication](active-geo-replication-overview.md), and [Azure SQL Database Hyperscale secondary replicas](service-tier-hyperscale.md). By default, all secondary replicas inherit the MAXDOP configuration of the primary replica.
+
+## <a name="Security"></a> Security
+
+### <a name="Permissions"></a> Permissions
+ The `ALTER DATABASE SCOPED CONFIGURATION` statement must be executed as the server admin, as a member of the database role `db_owner`, or a user that has been granted the `ALTER ANY DATABASE SCOPED CONFIGURATION` permission.
+
+## Examples
+
+ These examples use the latest **AdventureWorksLT** sample database when the `SAMPLE` option is chosen for a new single database of Azure SQL Database.
+
+### PowerShell
+
+#### MAXDOP database scoped configuration
+
+ This example shows how to use [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql) statement to configure the `max degree of parallelism` option to `2`. The setting takes effect immediately. The PowerShell cmdlet [Invoke-SqlCmd](/powershell/module/sqlserver/invoke-sqlcmd) executes the T-SQL queries to set and the return the MAXDOP database scoped configuration.
+
+```powershell
+$dbName = "sample"
+$serverName = <server name here>
+$serveradminLogin = <login here>
+$serveradminPassword = <password here>
+$desiredMAXDOP = 8
+
+$params = @{
+ 'database' = $dbName
+ 'serverInstance' = $serverName
+ 'username' = $serveradminLogin
+ 'password' = $serveradminPassword
+ 'outputSqlErrors' = $true
+ 'query' = 'ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = ' + $desiredMAXDOP + ';
+ SELECT [value] FROM sys.database_scoped_configurations WHERE [name] = ''MAXDOP'';'
+ }
+ Invoke-SqlCmd @params
+```
+
+This example is for use with Azure SQL Databases with [read scale-out replicas enabled](read-scale-out.md), [geo-replication](active-geo-replication-overview.md), and [Azure SQL Database hyperscale secondary replicas](service-tier-hyperscale.md). As an example, the primary replica is set to a different default MAXDOP as the secondary replica, anticipating that there may be differences between a read-write and a read-only workload.
+
+```powershell
+$dbName = "sample"
+$serverName = <server name here>
+$serveradminLogin = <login here>
+$serveradminPassword = <password here>
+$desiredMAXDOP_primary = 8
+$desiredMAXDOP_secondary_readonly = 1
+
+$params = @{
+ 'database' = $dbName
+ 'serverInstance' = $serverName
+ 'username' = $serveradminLogin
+ 'password' = $serveradminPassword
+ 'outputSqlErrors' = $true
+ 'query' = 'ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = ' + $desiredMAXDOP + ';
+ ALTER DATABASE SCOPED CONFIGURATION FOR SECONDARY SET MAXDOP = ' + $desiredMAXDOP_secondary_readonly + ';
+ SELECT [value], value_for_secondary FROM sys.database_scoped_configurations WHERE [name] = ''MAXDOP'';'
+ }
+ Invoke-SqlCmd @params
+```
+
+### Transact-SQL
+
+ You can use the [Azure portal query editor](connect-query-portal.md), [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms), or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio) to execute T-SQL queries against your Azure SQL Database.
+
+1. Connect to the Azure SQL Database. You cannot change the database scoped configurations in the master database.
+
+2. From the Standard bar, select **New Query**.
+
+3. Copy and paste the following example into the query window and select **Execute**.
++
+#### MAXDOP database scoped configuration
+
+ This example shows how to determine the current database MAXDOP database scoped configuration using the [sys.database_scoped_configurations](/sql/relational-databases/system-catalog-views/sys-database-scoped-configurations-transact-sql) system catalog view.
+
+```sql
+SELECT [value] FROM sys.database_scoped_configurations WHERE [name] = 'MAXDOP';
+```
+
+ This example shows how to use [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql) statement to configure the `max degree of parallelism` option to `8`. The setting takes effect immediately.
+
+```sql
+ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = 8;
+```
+
+This example is for use with Azure SQL Databases with [read scale-out replicas enabled](read-scale-out.md), [geo-replication](active-geo-replication-overview.md), and [Azure SQL Database Hyperscale secondary replicas](service-tier-hyperscale.md). As an example, the primary replica is set to a different default MAXDOP as the secondary replica, anticipating that there may be differences between a read-write and a read-only workload. The `value_for_secondary` column of the `sys.database_scoped_configurations` contains settings for the secondary replica.
+
+```sql
+ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = 8;
+ALTER DATABASE SCOPED CONFIGURATION FOR SECONDARY SET MAXDOP = 1;
+SELECT [value], value_for_secondary FROM sys.database_scoped_configurations WHERE [name] = 'MAXDOP';
+```
+
+#### MAXDOP query hint
+
+ This example shows how to execute a query using the query hint to force the `max degree of parallelism` to `2`.
+
+```sql
+SELECT ProductID, OrderQty, SUM(LineTotal) AS Total
+FROM SalesLT.SalesOrderDetail
+WHERE UnitPrice < 5
+GROUP BY ProductID, OrderQty
+ORDER BY ProductID, OrderQty
+OPTION (MAXDOP 2);
+GO
+```
+#### MAXDOP index option
+
+ This example shows how to rebuild an index using the index option to force the `max degree of parallelism` to `12`.
+
+```sql
+ALTER INDEX ALL ON SalesLT.SalesOrderDetail
+REBUILD WITH
+ ( MAXDOP = 12
+ , SORT_IN_TEMPDB = ON
+ , ONLINE = ON);
+```
+
+## See also
+* [ALTER DATABASE SCOPED CONFIGURATION &#40;Transact-SQL&#41;](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql)
+* [sys.database_scoped_configurations (Transact-SQL)](/sql/relational-databases/system-catalog-views/sys-database-scoped-configurations-transact-sql)
+* [Configure Parallel Index Operations](/sql/relational-databases/indexes/configure-parallel-index-operations)
+* [Query Hints &#40;Transact-SQL&#41;](/sql/t-sql/queries/hints-transact-sql-query)
+* [Set Index Options](/sql/relational-databases/indexes/set-index-options)
+* [Understand and resolve Azure SQL Database blocking problems](understand-resolve-blocking.md)
+
+## Next steps
+
+* [Monitor and Tune for Performance](/sql/relational-databases/performance/monitor-and-tune-for-performance)
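Review bot: the second PowerShell script (the read scale-out / geo-replication example) assigns `$desiredMAXDOP_primary = 8` but never uses it; its query string concatenates `$desiredMAXDOP`, which is not defined in that script, so the first statement is built as `ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = ;` and fails at execution. Change that line to `'ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = ' + $desiredMAXDOP_primary + ';`. Two smaller points for both scripts: the `<server name here>`, `<login here>` and `<password here>` placeholders are not valid PowerShell as written (`<` is reserved and produces a parse error), so quote them, e.g. `$serverName = '<server name here>'`; and the SQL admin password is assigned as a plain string inside the script, so suggest reading it with `Get-Credential` or from a secret store rather than embedding it in the script body.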
azure-sql High Availability Sla https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/high-availability-sla.md
For more information on high availability in Hyperscale, see [Database High Avai
## Testing application fault resiliency
-High availability is a fundamental part of the SQL Database and SQL Managed Instance platform that works transparently for your database application. However, we recognize that you may want to test how the automatic failover operations initiated during planned or unplanned events would impact an application before you deploy it to production. You can manually trigger a failover by calling a special API to restart a database, an elastic pool, or a managed instance. In the case of a zone redundant database or elastic pool, the API call would result in redirecting client connections to the new primary in an Availability Zone different from the Availability Zone of the old primary. So in addition to testing how failover impacts existing database sessions, you can also verify if it changes the end-to-end performance due to changes in network latency. Because the restart operation is intrusive and a large number of them could stress the platform, only one failover call is allowed every 15 minutes for each database, elastic pool, or managed instance.
+High availability is a fundamental part of the SQL Database and SQL Managed Instance platform that works transparently for your database application. However, we recognize that you may want to test how the automatic failover operations initiated during planned or unplanned events would impact an application before you deploy it to production. You can manually trigger a failover by calling a special API to restart a database, an elastic pool, or a managed instance. In the case of a zone redundant serverless or provisioned General Purpose database or elastic pool, the API call would result in redirecting client connections to the new primary in an Availability Zone different from the Availability Zone of the old primary. So in addition to testing how failover impacts existing database sessions, you can also verify if it changes the end-to-end performance due to changes in network latency. Because the restart operation is intrusive and a large number of them could stress the platform, only one failover call is allowed every 15 minutes for each database, elastic pool, or managed instance.
A failover can be initiated using PowerShell, REST API, or Azure CLI:
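Review bot: the narrowed wording in the `+` line ("zone redundant serverless or provisioned General Purpose database or elastic pool") now describes the Availability Zone switch for one service tier only, while the preceding sentence still says the failover API applies to any database, elastic pool, or managed instance; either say what the manual failover does for zone-redundant databases in other tiers, or state explicitly that the cross-zone redirect is only expected for General Purpose, so the reader does not assume the old, broader behavior.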
azure-sql Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/policy-reference.md
Title: Built-in policy definitions for Azure SQL Database description: Lists Azure Policy built-in policy definitions for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-sql Security Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/security-baseline.md
description: The Azure SQL Database security baseline provides procedural guidan
Previously updated : 02/17/2021 Last updated : 03/30/2021
# Azure security baseline for Azure SQL Database
-This security baseline applies guidance from the [Azure Security Benchmark version 1.0](../../security/benchmarks/overview.md) to Azure SQL Database. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the **security controls** defined by the Azure Security Benchmark and the related guidance applicable to Azure SQL Database. **Controls** not applicable to Azure SQL Database have been excluded.
-
-To see how Azure SQL Database completely maps to the Azure Security Benchmark, see the [full Azure SQL Database security baseline mapping file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
+This security baseline applies guidance from the [Azure Security Benchmark version1.0](../../security/benchmarks/overview-v1.md) to Azure SQL Database. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the **security controls** defined by the Azure Security Benchmark and the related guidance applicable to Azure SQL Database. **Controls** not applicable to Azure SQL Database, or for which the responsibility is Microsoft's, have been excluded. To see how Azure SQL Database completely maps to the Azure Security Benchmark, see the [full Azure Monitor security baseline mapping file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
## Network Security
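Review bot: two wording defects in the `+` line: `version1.0` is missing a space (`version 1.0`), and the mapping-file link text now reads "full Azure Monitor security baseline mapping file" although this is the Azure SQL Database baseline (the removed `-` line had "full Azure SQL Database security baseline mapping file", which should be kept). The change also collapses the two original paragraphs into one; keep "To see how Azure SQL Database completely maps..." as its own paragraph as before.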
To allow traffic to reach Azure SQL Database, use the SQL service tags to allow
Virtual network rules enable Azure SQL Database to only accept communications that are sent from selected subnets inside a virtual network. -- [How to set up Private Link for Azure SQL Database](./private-endpoint-overview.md#how-to-set-up-private-link-for-azure-sql-database)
+- [How to set up Private Link for Azure SQL Database](/azure/sql-database/sql-database-private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database)
-- [How to use virtual network service endpoints and rules for database servers](./vnet-service-endpoint-rule-overview.md)
+- [How to use virtual network service endpoints and rules for database servers](/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview)
**Responsibility**: Customer
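Review bot: the replacement targets `/azure/sql-database/sql-database-private-endpoint-overview` and `/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview` use the older `sql-database` URL slugs, whereas this file lives under `articles/azure-sql/database/` (see the commit URL above) and the removed links `./private-endpoint-overview.md` and `./vnet-service-endpoint-rule-overview.md` resolved directly to sibling articles. The new targets depend on redirects; if site-absolute links are required, point at the current `/azure/azure-sql/database/...` paths instead. The same applies to the other `/azure/sql-database/...` replacements further down this file.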
You may also send NSG flow logs to a Log Analytics workspace and use Traffic Ana
**Guidance**: Enable DDoS Protection Standard on the Virtual Networks associated with your SQL Server instances for protections from distributed denial-of-service attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious or unused Internet IP addresses. -- [How to configure DDoS protection](../../ddos-protection/manage-ddos-protection.md)
+- [How to configure DDoS protection](/azure/virtual-network/manage-ddos-protection)
-- [Understand Azure Security Center Integrated Threat Intelligence](../../security-center/azure-defender.md)
+- [Understand Azure Security Center Integrated Threat Intelligence](/azure/security-center/security-center-alerts-data-services)
**Responsibility**: Customer
You may also send NSG flow logs to a Log Analytics workspace and use Traffic Ana
**Guidance**: Enable Advanced Threat Protection (ATP) for Azure SQL Database. Users receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access and queries patterns. Advanced Threat Protection also integrates alerts with Azure Security Center. -- [Understand and using Advanced Threat Protection for Azure SQL Database](./threat-detection-overview.md)
+- [Understand and using Advanced Threat Protection for Azure SQL Database](/azure/sql-database/sql-database-threat-detection-overview)
**Responsibility**: Customer
You may also send NSG flow logs to a Log Analytics workspace and use Traffic Ana
When using service endpoints for Azure SQL Database, outbound to Azure SQL Database Public IP addresses is required: Network Security Groups (NSGs) must be opened to Azure SQL Database IPs to allow connectivity. You can do this by using NSG service tags for Azure SQL Database. -- [Understand Service Tags with Service Endpoints for Azure SQL Database](./vnet-service-endpoint-rule-overview.md#limitations)
+- [Understand Service Tags with Service Endpoints for Azure SQL Database](/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview#limitations)
- [Understand and using Service Tags](../../virtual-network/service-tags-overview.md)
Use any of the built-in Azure Policy definitions related to tagging, such as "Re
You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags. -- [How to create and use tags](../../azure-resource-manager/management/tag-resources.md)
+- [How to create and use tags](/azure/azure-resource-manager/resource-group-using-tags)
**Responsibility**: Customer
You may use Azure PowerShell or Azure CLI to look up or perform actions on resou
**Guidance**: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to your Azure SQL Database server instances. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place. -- [How to view and retrieve Azure Activity Log events](../../azure-monitor/essentials/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](/azure/azure-monitor/platform/activity-log-view)
-- [How to create alerts in Azure Monitor](../../azure-monitor/alerts/alerts-activity-log.md)
+- [How to create alerts in Azure Monitor](/azure/azure-monitor/platform/alerts-activity-log)
**Responsibility**: Customer
You may use Azure PowerShell or Azure CLI to look up or perform actions on resou
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analytics, a cloud solution that monitors the performance of Azure SQL Databases and Azure SQL Managed Instances at scale and across multiple subscriptions. It can help you collect and visualize Azure SQL Database performance metrics, and it has built-in intelligence for performance troubleshooting. -- [How to setup auditing for your Azure SQL Database](./auditing-overview.md)
+- [How to setup auditing for your Azure SQL Database](/azure/sql-database/sql-database-auditing)
-- [How to collect platform logs and metrics with Azure Monitor](./metrics-diagnostic-telemetry-logging-streaming-export-configure.md)
+- [How to collect platform logs and metrics with Azure Monitor](/azure/sql-database/sql-database-metrics-diag-logging)
-- [How to stream diagnostics into Azure SQL Analytics](./metrics-diagnostic-telemetry-logging-streaming-export-configure.md#stream-into-sql-analytics)
+- [How to stream diagnostics into Azure SQL Analytics](/azure/sql-database/sql-database-metrics-diag-logging#stream-into-azure-sql-analytics)
**Responsibility**: Customer
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analy
**Guidance**: Enable auditing on your Azure SQL Database server instance and choose a storage location for the audit logs (Azure Storage, Log Analytics, or Event Hub). -- [How to enable auditing for Azure SQL Server](./auditing-overview.md)
+- [How to enable auditing for Azure SQL Server](/azure/sql-database/sql-database-auditing)
**Responsibility**: Customer
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analy
**Guidance**: When storing your Azure SQL Database logs in a Log Analytics workspace, set log retention period according to your organization's compliance regulations. -- [How to set log retention parameters](../../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
+- [How to set log retention parameters](/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period)
**Responsibility**: Customer
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analy
**Guidance**: Analyze and monitor logs for anomalous behaviors and regularly review results. Use Azure Security Center's Advanced Threat Protection to alert on unusual activity related to your Azure SQL Database instance. Alternatively, configure alerts based on Metric Values or Azure Activity Log entries related to your Azure SQL Database instances. -- [Understand Advanced Threat Protection and alerting for Azure SQL Server](./threat-detection-overview.md)
+- [Understand Advanced Threat Protection and alerting for Azure SQL Server](/azure/sql-database/sql-database-threat-detection-overview)
- [How to configure custom alerts for Azure SQL Database](alerts-insights-configure-portal.md)
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analy
**Guidance**: Use Azure Security Center Advanced Threat Protection for Azure SQL Databases for monitoring and alerting on anomalous activity. Enable Azure Defender for SQL for your SQL Databases. Azure Defender for SQL includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. -- [Understand Advanced Threat Protection and alerting for Azure SQL Database](./threat-detection-overview.md)
+- [Understand Advanced Threat Protection and alerting for Azure SQL Database](/azure/sql-database/sql-database-threat-detection-overview)
- [How to enable Azure Defender for SQL for Azure SQL Database](azure-defender-for-sql.md)
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analy
**Guidance**: Azure Active Directory (Azure AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad-hoc queries to discover accounts that are members of administrative groups. -- [How to get a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole)
-- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember)
**Responsibility**: Customer
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analy
**Guidance**: Azure Active Directory (Azure AD) does not have the concept of default passwords. When provisioning an Azure SQL Database instance, it is recommended that you choose to integrate authentication with Azure AD. -- [How to configure and manage Azure AD authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure)
+- [How to configure and manage Azure AD authentication with Azure SQL](/azure/sql-database/azure-sql/database/authentication-aad-configure)
**Responsibility**: Customer
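Review bot: the `+` line's target `/azure/sql-database/azure-sql/database/authentication-aad-configure` prefixes `/azure/sql-database/` onto a path that was already site-absolute in the `-` line (`/azure/azure-sql/database/authentication-aad-configure`), which yields a path that does not exist; revert this link to the original target.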
In addition, you can stream Azure SQL diagnostics telemetry into Azure SQL Analy
Use Advanced Threat Protection for Azure SQL Database to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. -- [How to identify Azure AD users flagged for risky activity](../../active-directory/identity-protection/overview-identity-protection.md)
+- [How to identify Azure AD users flagged for risky activity](/azure/active-directory/reports-monitoring/concept-user-at-risk)
- [How to monitor users identity and access activity in Azure Security Center](../../security-center/security-center-identity-access.md) -- [Review Advanced Threat Protection and potential alerts](./threat-detection-overview.md#alerts)
+- [Review Advanced Threat Protection and potential alerts](https://docs.microsoft.com/azure/azure-sql/database/threat-detection-overview#alerts)
**Responsibility**: Customer
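Review bot: the `+` line links the same threat-detection article as the earlier hunks but in a different form: here a full `https://docs.microsoft.com/azure/azure-sql/database/threat-detection-overview#alerts` URL, there `/azure/sql-database/sql-database-threat-detection-overview`. Mixing the host-qualified form with site-relative paths inside one file bypasses locale handling and makes the same article resolve through two different routes; pick one form (site-relative, matching the rest of the baseline) and use it consistently, including for the other `https://docs.microsoft.com/...` replacements in this patch.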
Use Advanced Threat Protection for Azure SQL Database to detect anomalous activi
**Guidance**: Use Azure Active Directory (Azure AD) Identity Protection and risk detections to configure automated responses to detected suspicious actions related to user identities. Additionally, you can ingest data into Azure Sentinel for further investigation. -- [How to view Azure AD risk sign-ins](../../active-directory/identity-protection/overview-identity-protection.md)
+- [How to view Azure AD risk sign-ins](/azure/active-directory/reports-monitoring/concept-risky-sign-ins)
- [How to configure and enable Identity Protection risk policies](../../active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md)
Use Advanced Threat Protection for Azure SQL Database to detect anomalous activi
**Guidance**: Use tags to assist in tracking Azure resources that store or process sensitive information. -- [How to create and use tags](../../azure-resource-manager/management/tag-resources.md)
+- [How to create and use tags](/azure/azure-resource-manager/resource-group-using-tags)
**Responsibility**: Customer
Use Advanced Threat Protection for Azure SQL Database to detect anomalous activi
**Guidance**: Implement separate subscriptions and/or management groups for development, test, and production. Resources should be separated by Vnet/Subnet, tagged appropriately, and secured within an NSG or Azure Firewall. Resources storing or processing sensitive data should be isolated. Use Private Link; deploy Azure SQL Server inside your Vnet and connect privately using Private Endpoints. -- [How to create additional Azure subscriptions](../../cost-management-billing/manage/create-subscription.md)
+- [How to create additional Azure subscriptions](/azure/billing/billing-create-subscription)
-- [How to create Management Groups](../../governance/management-groups/create-management-group-portal.md)
+- [How to create Management Groups](/azure/governance/management-groups/create)
-- [How to create and use Tags](../../azure-resource-manager/management/tag-resources.md)
+- [How to create and use Tags](/azure/azure-resource-manager/resource-group-using-tags)
-- [How to set up Private Link for Azure SQL Database](./private-endpoint-overview.md#how-to-set-up-private-link-for-azure-sql-database)
+- [How to set up Private Link for Azure SQL Database](/azure/sql-database/sql-database-private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database)
**Responsibility**: Customer
Use Advanced Threat Protection for Azure SQL Database to detect anomalous activi
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities. -- [How to configure Private Link and NSGs to prevent data exfiltration on your Azure SQL Database instances](./private-endpoint-overview.md)
+- [How to configure Private Link and NSGs to prevent data exfiltration on your Azure SQL Database instances](/azure/sql-database/sql-database-private-endpoint-overview)
- [Understand customer data protection in Azure](../../security/fundamentals/protection-customer-data.md)
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Use the Azure SQL Database data discovery and classification feature. Data discovery and classification provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling &amp; protecting the sensitive data in your databases. -- [How to use data discovery and classification for Azure SQL Server](./data-discovery-and-classification-overview.md)
+- [How to use data discovery and classification for Azure SQL Server](/azure/sql-database/sql-database-data-discovery-and-classification)
**Responsibility**: Customer
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Use Azure Active Directory (Azure AD) for authenticating and controlling access to Azure SQL Database instances. -- [How to integrate Azure SQL Server with Azure AD for authentication](./authentication-aad-overview.md)
+- [How to integrate Azure SQL Server with Azure AD for authentication](/azure/sql-database/sql-database-aad-authentication)
-- [How to control access in Azure SQL Server](./logins-create-manage.md)
+- [How to control access in Azure SQL Server](/azure/sql-database/sql-database-control-access)
**Responsibility**: Customer
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL managed instance, and Azure Data Warehouse against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed databases in SQL Database and SQL Managed Instance. The TDE encryption key can be managed by either Microsoft or the customer. -- [How to manage transparent data encryption and use your own encryption keys](./transparent-data-encryption-tde-overview.md?tabs=azure-portal#manage-transparent-data-encryption)
+- [How to manage transparent data encryption and use your own encryption keys](https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-azure-sql?tabs=azure-portal#manage-transparent-data-encryption)
**Responsibility**: Customer
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to production instances of Azure SQL Database and other critical or related resources. -- [How to create alerts for Azure Activity Log events](../../azure-monitor/alerts/alerts-activity-log.md)
+- [How to create alerts for Azure Activity Log events](/azure/azure-monitor/platform/alerts-activity-log)
**Responsibility**: Customer
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Enable Azure Defender for SQL for Azure SQL Database and follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure SQL Servers. -- [How to run vulnerability assessments on Azure SQL Database](./sql-vulnerability-assessment.md)
+- [How to run vulnerability assessments on Azure SQL Database](/azure/sql-database/sql-vulnerability-assessment)
- [How to enable Azure Defender for SQL](azure-defender-for-sql.md) -- [How to implement Azure Security Center vulnerability assessment recommendations](../../security-center/deploy-vulnerability-assessment-vm.md)
+- [How to implement Azure Security Center vulnerability assessment recommendations](/azure/security-center/security-center-vulnerability-assessment-recommendations)
**Responsibility**: Customer
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Enable periodic recurring scans for your Azure SQL Database instances; this will configure a vulnerability assessment to automatically run a scan on your database once per week. A scan result summary will be sent to the email address(es) you provide. Compare the results to verify that vulnerabilities have been remediated. -- [How to export a vulnerability assessment report in Azure Security Center](./sql-vulnerability-assessment.md#export-an-assessment-report)
+- [How to export a vulnerability assessment report in Azure Security Center](/azure/sql-database/sql-vulnerability-assessment#implementing-vulnerability-assessment)
**Responsibility**: Customer
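Review bot: the link text still says "How to export a vulnerability assessment report" but the `+` line changes the fragment from `#export-an-assessment-report` to `#implementing-vulnerability-assessment`, so the anchor no longer matches what the text promises; either keep the export anchor or reword the link text to describe the section now targeted.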
For the underlying platform which is managed by Microsoft, Microsoft treats all
**Guidance**: Use the default risk ratings (Secure Score) provided by Azure Security Center. -- [Understand Azure Security Center Secure Score](../../security-center/secure-score-security-controls.md)
+- [Understand Azure Security Center Secure Score](/azure/security-center/security-center-secure-score)
**Responsibility**: Customer
Although classic Azure resources may be discovered via Resource Graph, it is hig
- [How to create queries with Azure Resource Graph](../../governance/resource-graph/first-query-portal.md) -- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription?amp;preserve-view=true&view=azps-4.8.0)
+- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription)
- [Understand Azure RBAC](../../role-based-access-control/overview.md)
Although classic Azure resources may be discovered via Resource Graph, it is hig
**Guidance**: Apply tags to Azure resources giving metadata to logically organize them into a taxonomy. -- [How to create and use Tags](../../azure-resource-manager/management/tag-resources.md)
+- [How to create and use Tags](/azure/azure-resource-manager/resource-group-using-tags)
**Responsibility**: Customer
Although classic Azure resources may be discovered via Resource Graph, it is hig
**Guidance**: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner. -- [How to create additional Azure subscriptions](../../cost-management-billing/manage/create-subscription.md)
+- [How to create additional Azure subscriptions](/azure/billing/billing-create-subscription)
-- [How to create Management Groups](../../governance/management-groups/create-management-group-portal.md)
+- [How to create Management Groups](/azure/governance/management-groups/create)
-- [How to create and use Tags](../../azure-resource-manager/management/tag-resources.md)
+- [How to create and use Tags](/azure/azure-resource-manager/resource-group-using-tags)
**Responsibility**: Customer
Use Azure Resource Graph to query/discover resources within your subscription(s)
- [How to configure and manage Azure Policy](../../governance/policy/tutorials/create-and-manage.md) -- [How to deny a specific resource type with Azure Policy](../../governance/policy/samples/built-in-policies.md#general)
+- [How to deny a specific resource type with Azure Policy](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies#general)
**Responsibility**: Customer
Use Azure Resource Graph to query/discover resources within your subscription(s)
**Guidance**: If using custom Azure Policy definitions, use Azure DevOps or Azure Repos to securely store and manage your code. -- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow?amp;preserve-view=true&view=azure-devops)
+- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow)
-- [Azure Repos Documentation](/azure/devops/repos/?amp;preserve-view=true&view=azure-devops)
+- [Azure Repos Documentation](/azure/devops/repos/)
**Responsibility**: Customer
Use Azure Resource Graph to query/discover resources within your subscription(s)
**Guidance**: Leverage Azure Security Center to perform baseline scans for your Azure SQL Servers and Databases. -- [How to remediate recommendations in Azure Security Center](../../security-center/security-center-remediate-recommendations.md)
+- [How to remediate recommendations in Azure Security Center](/azure/security-center/security-center-sql-service-recommendations)
**Responsibility**: Customer
Use Azure Resource Graph to query/discover resources within your subscription(s)
**Guidance**: Use Azure Key Vault to store encryption keys for Azure SQL Database Transparent Data Encryption (TDE). -- [How to protect sensitive data being stored in Azure SQL Server and store the encryption keys in Azure Key Vault](./always-encrypted-azure-key-vault-configure.md)
+- [How to protect sensitive data being stored in Azure SQL Server and store the encryption keys in Azure Key Vault](/azure/sql-database/sql-database-always-encrypted-azure-key-vault)
**Responsibility**: Customer
Pre-scan any content being uploaded to non-compute Azure resources, such as App
To meet different compliance requirements, you can select different retention periods for weekly, monthly and/or yearly backups. The storage consumption depends on the selected frequency of backups and the retention period(s). -- [Understand backups and business continuity with Azure SQL Server](./business-continuity-high-availability-disaster-recover-hadr-overview.md)
+- [Understand backups and business continuity with Azure SQL Server](/azure/sql-database/sql-database-business-continuity)
**Responsibility**: Shared
To meet different compliance requirements, you can select different retention pe
If using customer-managed keys for Transparent Data Encryption, ensure your keys are being backed up. -- [Understand backups in Azure SQL Server](./automated-backups-overview.md?tabs=single-database)
+- [Understand backups in Azure SQL Server](https://docs.microsoft.com/azure/sql-database/sql-database-automated-backups?tabs=single-database)
-- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey)
**Responsibility**: Customer
If using customer-managed keys for Transparent Data Encryption, ensure your keys
**Guidance**: Ensure ability to periodically perform data restoration of content within Azure Backup. If necessary, test restore content to an isolated VLAN. Test restoration of backed up customer-managed keys. -- [How to restore key vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to restore key vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey)
-- [How to recover Azure SQL Database backups using point-in-time restore](./recovery-using-backups.md#point-in-time-restore)
+- [How to recover Azure SQL Database backups using point-in-time restore](/azure/sql-database/sql-database-recovery-using-backups#point-in-time-restore)
**Responsibility**: Customer
If using customer-managed keys for Transparent Data Encryption, ensure your keys
**Guidance**: Enable soft delete in Azure Key Vault to protect keys against accidental or malicious deletion. -- [How to enable soft delete in Key Vault](../../storage/blobs/soft-delete-blob-overview.md?tabs=azure-portal)
+- [How to enable soft delete in Key Vault](https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal)
**Responsibility**: Customer
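Review bot: the new absolute URL keeps the wrong target. The bullet is titled "How to enable soft delete in Key Vault", but `/azure/storage/blobs/storage-blob-soft-delete` (like the old `../../storage/blobs/soft-delete-blob-overview.md`) documents soft delete for Blob storage, not for Key Vault. Since the guidance is about protecting TDE keys against accidental or malicious deletion, this should link the Key Vault soft delete documentation; as written, a reader following the link would enable the wrong feature.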
If using customer-managed keys for Transparent Data Encryption, ensure your keys
## Next steps -- See the [Azure Security Benchmark V2 overview](../../security/benchmarks/overview.md)-- Learn more about [Azure security baselines](../../security/benchmarks/security-baselines-overview.md)
+- See the [Azure Security Benchmark V2 overview](/azure/security/benchmarks/overview)
+- Learn more about [Azure security baselines](/azure/security/benchmarks/security-baselines-overview)
azure-sql Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SQL Database description: Lists Azure Policy Regulatory Compliance controls available for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
azure-sql Single Database Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/single-database-scale.md
The estimated latency to change the service tier, scale the compute size of a si
> > To determine if a database is using PFS storage, execute the following query in the context of the database. If the value in the AccountType column is `PremiumFileStorage` or `PremiumFileStorage-ZRS`, the database is using PFS storage.
-[!NOTE]
- The zone redundant property will remain the same by default when scaling from the Business Critical to the General Purpose tier. Latency for this downgrade when zone redundancy is enabled as well as latency for switching to zone redundancy for the General Purpose tier will be proportional to database size.
- ```sql SELECT s.file_id, s.type_desc,
FROM sys.database_files AS s
WHERE s.type_desc IN ('ROWS', 'LOG'); ```
+> [!NOTE]
+> The zone redundant property will remain the same by default when scaling from the Business Critical to the General Purpose tier. Latency for this downgrade when zone redundancy is enabled as well as latency for switching to zone redundancy for the General Purpose tier will be proportional to database size.
+ > [!TIP] > To monitor in-progress operations, see: [Manage operations using the SQL REST API](/rest/api/sql/operations/list), [Manage operations using CLI](/cli/azure/sql/db/op), [Monitor operations using T-SQL](/sql/relational-databases/system-dynamic-management-views/sys-dm-operation-status-azure-sql-database) and these two PowerShell commands: [Get-AzSqlDatabaseActivity](/powershell/module/az.sql/get-azsqldatabaseactivity) and [Stop-AzSqlDatabaseActivity](/powershell/module/az.sql/stop-azsqldatabaseactivity).
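Review bot: the query shown in this region does not produce the column the sentence above tells the reader to check. The text says to look at the `AccountType` column, but the SELECT list as shown is `s.file_id, s.type_desc,` with a dangling comma before `FROM`, so the expression that yields `AccountType` is missing from what is visible. Confirm that the full query survives the note relocation, and that the NOTE moved below the code block still sits directly under the scaling discussion it qualifies rather than under the PFS query.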
azure-sql Understand Resolve Blocking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/understand-resolve-blocking.md
The `wait_type`, `open_transaction_count`, and `status` columns refer to informa
* [Deliver consistent performance with Azure SQL](/learn/modules/azure-sql-performance/) * [Troubleshooting connectivity issues and other errors with Azure SQL Database and Azure SQL Managed Instance](troubleshoot-common-errors-issues.md) * [Transient Fault Handling](/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/transient-fault-handling)
+* [Configure the max degree of parallelism (MAXDOP) in Azure SQL Database](configure-max-degree-of-parallelism.md)
azure-sql Identify Query Performance Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/identify-query-performance-issues.md
A recompilation (or fresh compilation after cache eviction) can still result in
- **Changed physical design**: For example, newly created indexes more effectively cover the requirements of a query. The new indexes might be used on a new compilation if the query optimizer decides that using that new index is more optimal than using the data structure that was originally selected for the first version of the query execution. Any physical changes to the referenced objects might result in a new plan choice at compile time. -- **Server resource differences**: When a plan in one system differs from the plan in another system, resource availability, such as the number of available processors, can influence which plan gets generated. For example, if one system has more processors, a parallel plan might be chosen.
+- **Server resource differences**: When a plan in one system differs from the plan in another system, resource availability, such as the number of available processors, can influence which plan gets generated. For example, if one system has more processors, a parallel plan might be chosen. For more information on parallelism in Azure SQL Database, see [Configure the max degree of parallelism (MAXDOP) in Azure SQL Database](database/configure-max-degree-of-parallelism.md).
- **Different statistics**: The statistics associated with the referenced objects might have changed or might be materially different from the original system's statistics. If the statistics change and a recompilation happens, the query optimizer uses the statistics starting from when they changed. The revised statistics' data distributions and frequencies might differ from those of the original compilation. These changes are used to create cardinality estimates. (*Cardinality estimates* are the number of rows that are expected to flow through the logical query tree.) Changes to cardinality estimates might lead you to choose different physical operators and associated orders of operations. Even minor changes to statistics can result in a changed query execution plan.
It's not always easy to identify a workload volume change that's driving a CPU p
Use Intelligent Insights to detect [workload increases](database/intelligent-insights-troubleshoot-performance.md#workload-increase) and [plan regressions](database/intelligent-insights-troubleshoot-performance.md#plan-regression).
+- **Parallelism**: Excessive parallelism can worsen cause other concurrent workload performance by starving other queries of CPU and worker thread resources. For more information on parallelism in Azure SQL Database, see [Configure the max degree of parallelism (MAXDOP) in Azure SQL Database](database/configure-max-degree-of-parallelism.md).
+ ## Waiting-related problems Once you have eliminated a suboptimal plan and *Waiting-related* problems that are related to execution problems, the performance problem is generally the queries are probably waiting for some resource. Waiting-related problems might be caused by:
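Review bot: two wording problems in the added lines. The new Parallelism bullet reads "can worsen cause other concurrent workload performance", which looks like two drafts merged; suggest "can worsen the performance of other concurrent workloads by starving them of CPU and worker thread resources". The reworked Waiting-related sentence is also hard to parse ("the performance problem is generally the queries are probably waiting for some resource"); suggest "Once you have ruled out a suboptimal plan and execution-related problems, the remaining cause is usually that queries are waiting for some resource."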
DMVs that track Query Store and wait statistics show results for only successful
> - [TigerToolbox waits and latches](https://github.com/Microsoft/tigertoolbox/tree/master/Waits-and-Latches) > - [TigerToolbox usp_whatsup](https://github.com/Microsoft/tigertoolbox/tree/master/usp_WhatsUp)
+## See also
+
+* [Configure the max degree of parallelism (MAXDOP) in Azure SQL Database](database/configure-max-degree-of-parallelism.md)
+* [Understand and resolve Azure SQL Database blocking problems in Azure SQL Database](database/understand-resolve-blocking.md)
+ ## Next steps
-[SQL Database monitoring and tuning overview](database/monitor-tune-overview.md)
+* [SQL Database monitoring and tuning overview](database/monitor-tune-overview.md)
azure-sql Log Replay Service Migrate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/log-replay-service-migrate.md
Previously updated : 03/29/2021 Last updated : 03/31/2021 # Migrate databases from SQL Server to SQL Managed Instance by using Log Replay Service (Preview)
You might consider using LRS in the following cases:
- The Database Migration Service executable file doesn't have file access to database backups. - No access to the host OS is available, or there are no administrator privileges. - You can't open network ports from your environment to Azure.
+- Network throttling, or proxy blocking issues in your environment.
- Backups are stored directly to Azure Blob Storage through the `TO URL` option. - You need to use differential backups.
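Review bot: the new bullet has a stray comma and is a fragment where the neighbouring bullets are full sentences ("You can't open network ports from your environment to Azure."); suggest "There are network throttling or proxy-blocking issues in your environment."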
azure-sql Sql Server To Managed Instance Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview.md
The following table lists alternative migration tools:
|**Technology** |**Description** | |||
-|[Transactional replication](../../managed-instance/replication-transactional-overview.md) | Replicate data from source SQL Server database tables to SQL Managed Instance by providing a publisher-subscriber type migration option while maintaining transactional consistency. | |
+|[Transactional replication](../../managed-instance/replication-transactional-overview.md) | Replicate data from source SQL Server database tables to SQL Managed Instance by providing a publisher-subscriber type migration option while maintaining transactional consistency. |
|[Bulk copy](/sql/relational-databases/import-export/import-and-export-bulk-data-by-using-the-bcp-utility-sql-server)| The [bulk copy program (bcp) tool](/sql/tools/bcp-utility) copies data from an instance of SQL Server into a data file. Use the tool to export the data from your source and import the data file into the target SQL managed instance. </br></br> For high-speed bulk copy operations to move data to Azure SQL Managed Instance, you can use the [Smart Bulk Copy tool](/samples/azure-samples/smartbulkcopy/smart-bulk-copy/) to maximize transfer speed by taking advantage of parallel copy tasks. | |[Import Export Wizard/BACPAC](../../database/database-import.md?tabs=azure-powershell)| [BACPAC](/sql/relational-databases/data-tier-applications/data-tier-applications#bacpac) is a Windows file with a .bacpac extension that encapsulates a database's schema and data. You can use BACPAC to both export data from a SQL Server source and import the data back into Azure SQL Managed Instance. | |[Azure Data Factory](../../../data-factory/connector-azure-sql-managed-instance.md)| The [Copy activity](../../../data-factory/copy-activity-overview.md) in Azure Data Factory migrates data from source SQL Server databases to SQL Managed Instance by using built-in connectors and an [integration runtime](../../../data-factory/concepts-integration-runtime.md).</br> </br> Data Factory supports a wide range of [connectors](../../../data-factory/connector-overview.md) to move data from SQL Server sources to SQL Managed Instance. |
azure-sql Business Continuity High Availability Disaster Recovery Hadr Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview.md
You can have a high-availability solution for SQL Server at a database level wit
| Technology | Example architectures | | | | | **Availability groups** |Availability replicas running in Azure VMs in the same region provide high availability. You need to configure a domain controller VM, because Windows failover clustering requires an Active Directory domain.<br/><br/> For higher redundancy and availability, the Azure VMs can be deployed in different [availability zones](../../../availability-zones/az-overview.md) as documented in the [availability group overview](availability-group-overview.md). If the SQL Server VMs in an availability group are deployed in availability zones, then use [Azure Standard Load Balancer](../../../load-balancer/load-balancer-overview.md) for the listener, as documented in the [Azure SQL VM CLI](./availability-group-az-commandline-configure.md) and [Azure Quickstart templates](availability-group-quickstart-template-configure.md) articles.<br/> ![Diagram that shows the "Domain Controller" above the "WSFC Cluster" made of the "Primary Replica", "Secondary Replica", and "File Share Witness".](./medi). |
-| **Failover cluster instances** |Failover cluster instances are supported on SQL Server VMs. Because the FCI feature requires shared storage, five solutions will work with SQL Server on Azure VMs: <br/><br/> - Using [Azure shared disks](failover-cluster-instance-azure-shared-disks-manually-configure.md) for Windows Server 2019. Shared managed disks are an Azure product that allow attaching a managed disk to multiple virtual machines simultaneously. VMs in the cluster can read or write to your attached disk based on the reservation chosen by the clustered application through SCSI Persistent Reservations (SCSI PR). SCSI PR is an industry-standard storage solution that's used by applications running on a storage area network (SAN) on-premises. Enabling SCSI PR on a managed disk allows you to migrate these applications to Azure as is. <br/><br/>- Using [Storage Spaces Direct \(S2D\)](failover-cluster-instance-storage-spaces-direct-manually-configure.md) to provide a software-based virtual SAN for Windows Server 2016 and later.<br/><br/>- Using a [Premium file share](failover-cluster-instance-premium-file-share-manually-configure.md) for Windows Server 2012 and later. Premium file shares are SSD backed, have consistently low latency, and are fully supported for use with FCI.<br/><br/>- Using storage supported by a partner solution for clustering. For a specific example that uses SIOS DataKeeper, see the blog entry [Failover clustering and SIOS DataKeeper](https://azure.microsoft.com/blog/high-availability-for-a-file-share-using-wsfc-ilb-and-3rd-party-software-sios-datakeeper/).<br/><br/>- Using shared block storage for a remote iSCSI target via Azure ExpressRoute. For example, NetApp Private Storage (NPS) exposes an iSCSI target via ExpressRoute with Equinix to Azure VMs.<br/><br/>For shared storage and data replication solutions from Microsoft partners, contact the vendor for any issues related to accessing data on failover.<br/><br/>||
+| **Failover cluster instances** |Failover cluster instances are supported on SQL Server VMs. Because the FCI feature requires shared storage, five solutions will work with SQL Server on Azure VMs: <br/><br/> - Using [Azure shared disks](failover-cluster-instance-azure-shared-disks-manually-configure.md) for Windows Server 2019. Shared managed disks are an Azure product that allow attaching a managed disk to multiple virtual machines simultaneously. VMs in the cluster can read or write to your attached disk based on the reservation chosen by the clustered application through SCSI Persistent Reservations (SCSI PR). SCSI PR is an industry-standard storage solution that's used by applications running on a storage area network (SAN) on-premises. Enabling SCSI PR on a managed disk allows you to migrate these applications to Azure as is. <br/><br/>- Using [Storage Spaces Direct \(S2D\)](failover-cluster-instance-storage-spaces-direct-manually-configure.md) to provide a software-based virtual SAN for Windows Server 2016 and later.<br/><br/>- Using a [Premium file share](failover-cluster-instance-premium-file-share-manually-configure.md) for Windows Server 2012 and later. Premium file shares are SSD backed, have consistently low latency, and are fully supported for use with FCI.<br/><br/>- Using storage supported by a partner solution for clustering. For a specific example that uses SIOS DataKeeper, see the blog entry [Failover clustering and SIOS DataKeeper](https://azure.microsoft.com/blog/high-availability-for-a-file-share-using-wsfc-ilb-and-3rd-party-software-sios-datakeeper/).<br/><br/>- Using shared block storage for a remote iSCSI target via Azure ExpressRoute. For example, NetApp Private Storage (NPS) exposes an iSCSI target via ExpressRoute with Equinix to Azure VMs.<br/><br/>For shared storage and data replication solutions from Microsoft partners, contact the vendor for any issues related to accessing data on failover.<br/><br/>|
## Azure only: Disaster recovery solutions You can have a disaster recovery solution for your SQL Server databases in Azure by using availability groups, database mirroring, or backup and restore with storage blobs.
If you don't have the option to disable geo-replication on the storage account,
## Next steps
-Decide if an [availability group](availability-group-overview.md) or a [failover cluster instance](failover-cluster-instance-overview.md) is the best business continuity solution for your business. Then review the [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery.
+Decide if an [availability group](availability-group-overview.md) or a [failover cluster instance](failover-cluster-instance-overview.md) is the best business continuity solution for your business. Then review the [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery.
azure-vmware Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-identity.md
To prevent the creation of roles that can't be assigned or deleted, Azure VMware
## NSX-T Manager access and identity
+>[!NOTE]
+>NSX-T 2.5 is currently supported.
+ Use the *administrator* account to access NSX-T Manager. It has full privileges and lets you create and manage Tier-1 (T1) Gateways, segments (logical switches), and all services. The privileges give you access to the NSX-T Tier-0 (T0) Gateway. A change to the T0 Gateway could result in degraded network performance or no private cloud access. Open a support request in the Azure portal to request any changes to your NSX-T T0 Gateway.
azure-vmware Configure Alerts For Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-alerts-for-azure-vmware-solution.md
+
+ Title: Configure alerts and work with metrics in Azure VMware Solution
+description: Learn how to use alerts to receive notifications. Also learn how to work with metrics to gain deeper insights into your Azure VMware Solution private cloud.
+ Last updated : 04/02/2021++
+# Configure Azure Alerts in Azure VMware Solution
+
+In this article, you'll learn how to configure [Azure Action Groups](/azure/azure-monitor/alerts/action-groups) in [Microsoft Azure Alerts](/azure/azure-monitor/alerts/alerts-overvie) to receive notifications of triggered events that you define. You'll also learn about using [Azure Monitor Metrics](/azure/azure-monitor/essentials/data-platform-metrics) to gain deeper insights into your Azure VMware Solution private cloud.
++
+## Supported metrics and activities
+
+The following metrics are visible through Azure Monitor Metrics.
+
+| **Signal name** | **Signal type** | **Monitor service** |
+|-|--||
+| Datastore Disk Total Capacity | Metric | Platform |
+| Percentage Datastore Disk Used | Metric | Platform |
+| Percentage CPU | Metric | Platform |
+| Average Effective Memory | Metric | Platform |
+| Average Memory Overhead | Metric | Platform |
+| Average Total Memory | Metric | Platform |
+| Average Memory Usage | Metric | Platform |
+| Datastore Disk Used | Metric | Platform |
+| All Administrative operations | Activity Log | Administrative |
+| Register Microsoft.AVS resource provider. (Microsoft.AVS/privateClouds) | Activity Log | Administrative |
+| Create or update a PrivateCloud. (Microsoft.AVS/privateClouds) | Activity Log | Administrative |
+| Delete a PrivateCloud. (Microsoft.AVS/privateClouds) | Activity Log | Administrative |
+
+## Configure an alert rule
+1. From your Azure VMware Solution private cloud, select **Monitoring** > **Alerts**, and then **New alert rule**.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/create-new-alert-rule.png" alt-text="Screenshot that shows where to configure an alert rule in your Azure VMware Solution private cloud." lightbox="media/configure-alerts-for-azure-vmware-solution/create-new-alert-rule.png":::
+
+ A new configuration screen opens where you'll:
+ - Define the Scope
+ - Configure a Condition
+ - Set up the Action Group
+ - Define the Alert rule details
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/create-alert-rule-details.png" alt-text="Screenshot that shows the Create alert rule window." lightbox="media/configure-alerts-for-azure-vmware-solution/create-alert-rule-details.png":::
+
+1. Under **Scope**, select the target resource you want to monitor. By default, the Azure VMware Solution private cloud from where you opened the Alerts menu has been defined.
+
+1. Under **Condition**, select **Add condition**, and in the window that opens, selects the signal you want to create for the alert rule.
+
+ In our example, we've selected **Percentage Datastore Disk Used**, which is relevant from an [Azure VMware Solution SLA](https://aka.ms/avs/sla) perspective.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/configure-signal-logic-options.png" alt-text="Screenshot that shows the Configure signal logic window with predefined signal names.":::
+
+1. Define the logic that will trigger the alert and then select **Done**.
+
+ In our example, only the **Threshold** and **Frequency of evaluation** have been adjusted.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/define-alert-logic-threshold.png" alt-text="Screenshot that shows the information for the selected signal logic.":::
+
+1. Under **Actions**, select **Add action groups**. The action group defines *how* the notification is received and *who* receives it. You can receive notifications by email, SMS, [Azure Mobile App Push Notification](https://azure.microsoft.com/features/azure-portal/mobile-app/) or voice message.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/create-action-group.png" alt-text="Screenshot that shows the existing action groups and where to create a new action group.":::
+
+1. In the window that opens, select **Create action group**.
+
+ >[!TIP]
+ > You can also use an existing action group.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/select-action-group-for-alert-rule.png" alt-text="Screenshot that shows the action groups to select for the alert.":::
+
+
+
+
+1. In the window that opens, on the **Basics** tab, give the action group a name and a display name.
+
+1. Select the **Notifications** tab, select a **Notification Type** and **Name**. Then select **OK**.
+
+ Our example is based on email notification.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/create-action-group-notification-settings.png" alt-text="Screenshot that shows the email, SMS message, push, and voice settings for the alert." lightbox="media/configure-alerts-for-azure-vmware-solution/create-action-group-notification-settings.png":::
+
+1. (Optional) Configure the **Actions** if you want to take proactive actions and receive notification on the event. Select an available **Action type** and then select **Review + create**.
+ - Automation Runbooks
+ - Azure Functions ΓÇô for custom event-driven serverless code execution
+ - ITSM ΓÇô to integrate with a service provider like ServiceNow to create a ticket
+ - Logic App - for more complex workflow orchestration
+ - Webhooks - to trigger a process in another service
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/create-action-group-action-type.png" alt-text="Screenshot that shows the Create action group window with a focus on the Action type drop-down." lightbox="media/configure-alerts-for-azure-vmware-solution/create-action-group-action-type.png":::
+
+1. Under the **Alert rule details**, provide a name, description, resource group to store the alert rule, the severity. Then select **Create alert rule**.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/alert-rule-details.png" alt-text="Screenshot that shows the details for the alert rule.":::
+
+ The alert rule is visible and can be managed from the Azure portal.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/existing-alert-rule.png" alt-text="Screenshot that shows the new alert rule in the Rules window." lightbox="media/configure-alerts-for-azure-vmware-solution/existing-alert-rule.png":::
+
+ As soon as a metric reaches the threshold as defined in an alert rule, the **Alerts** menu is updated and made visible.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/threshold-alert.png" alt-text="Screenshot that shows the alert after reaching the threshold defined." lightbox="media/configure-alerts-for-azure-vmware-solution/threshold-alert.png":::
+
+ Depending on the configured Action Group, you'll receive a notification through the configured medium. In our example, we've configured email.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/alert-notification.png" alt-text="Screenshot of an Azure Monitor Alert with the error string, and the date and time event was triggered.":::
+
+## Work with metrics
+
+1. From your Azure VMware Solution private cloud, select **Monitoring** > **Metrics**. Then select the metric you want from the drop-down.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/monitoring-metrics.png" alt-text="Screenshot that shows the Metrics window and a focus on the Metric drop-down." lightbox="media/configure-alerts-for-azure-vmware-solution/monitoring-metrics.png":::
+
+1. You can change the diagram's parameters, such as the **Time range** or the **Time granularity**.
+
+ Other options are:
+ - **Drill into Logs** and query the data in the related Log Analytics workspace
+ - **Pin this diagram** to an Azure Dashboard for convenience.
+
+ :::image type="content" source="media/configure-alerts-for-azure-vmware-solution/monitoring-metrics-time-range-granularity.png" alt-text="Screenshot that shows the time range and time granularity options for metric." lightbox="media/configure-alerts-for-azure-vmware-solution/monitoring-metrics-time-range-granularity.png":::
+
+
+## Next steps
+
+Now that you've configured an alert rule for your Azure VMware Solution private cloud, you may want to learn even more about:
+- [Azure Monitor Metrics](/azure/azure-monitor/essentials/data-platform-metrics)
+- [Azure Monitor Alerts](/azure/azure-monitor/alerts/alerts-overview)
+- [Azure Action Groups](/azure/azure-monitor/alerts/action-groups)
+
+You can also continue with one of the other [Azure VMware Solution](index.yml) how-to guides.
+++++
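Review bot: the intro paragraph links to `/azure/azure-monitor/alerts/alerts-overvie`, which is missing the trailing `w`; the Next steps list at the bottom uses the correct `/azure/azure-monitor/alerts/alerts-overview`, so fix the first one to match. Smaller points in the same file: step 3 says "selects the signal you want" where the other steps use the imperative "select"; the Action type list under the optional Actions step uses an en dash as separator for the Azure Functions and ITSM items but a hyphen for Logic App and Webhooks, so pick one; and the Alert rule details step reads "provide a name, description, resource group to store the alert rule, the severity", which should be "provide a name, a description, the resource group that stores the alert rule, and the severity".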
azure-vmware Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/introduction.md
The diagram shows the adjacency between private clouds and VNets in Azure, Azure
![Image of Azure VMware Solution private cloud adjacency to Azure and on-premises](./media/adjacency-overview-drawing-final.png)
-## Customer communication
-Service issues, planned maintenance, health advisories, security advisories notifications are published through **Service Health** in the Azure portal. You can take timely actions when you set up activity log alerts for these notifications. For more information, see [Create service health alerts using the Azure portal](../service-health/alerts-activity-log-service-notifications-portal.md#create-service-health-alert-using-azure-portal).
-- ## Hosts, clusters, and private clouds Azure VMware Solution private clouds and clusters are built from a bare-metal, hyper-converged Azure infrastructure host. The high-end hosts have 576-GB RAM and dual Intel 18 core, 2.3-GHz processors. The HE hosts have two vSAN diskgroups with 15.36 TB (SSD) of raw vSAN capacity tier and a 3.2 TB (NVMe) vSAN cache tier.
In your private cloud, you can:
Monitoring patterns inside the Azure VMware Solution are similar to Azure VMs within the IaaS platform. For more information and how-tos, see [Monitoring Azure VMs with Azure Monitor](../azure-monitor/vm/monitor-vm-azure.md).
+## Customer communication
+ ## Next steps The next step is to learn key [private cloud and cluster concepts](concepts-private-clouds-clusters.md).
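Review bot: the moved "Customer communication" heading comes back empty. The hunk deletes the paragraph stating that service issues, planned maintenance, health advisories and security advisories are published through Service Health, together with the link to creating service health alerts, and re-adds only the `## Customer communication` heading immediately before `## Next steps`. If the paragraph is meant to move with the heading, it is not visible in this hunk; an empty heading, and the loss of the pointer to security advisory notifications, should not ship.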
The next step is to learn key [private cloud and cluster concepts](concepts-priv
<!-- LINKS - internal --> [concepts-private-clouds-clusters]: ./concepts-private-clouds-clusters.md++
azure-vmware Reset Vsphere Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/reset-vsphere-credentials.md
Title: Reset vSphere credentials for Azure VMware Solution description: Learn how to reset vSphere credentials for your Azure VMware Solution private cloud and ensure the HCX connector has the latest vSphere credentials. Previously updated : 03/16/2021 Last updated : 03/31/2021 # Reset vSphere credentials for Azure VMware Solution In this article, we'll walk through the steps to reset the vCenter Server and NSX-T Manager credentials for your Azure VMware Solution private cloud. This will allow you to ensure the HCX connector has the latest vCenter Server credentials.
+In addition to this how-to, you can also view the video for [resetting the vCenter CloudAdmin & NSX-T Admin password](https://youtu.be/cK1qY3knj88).
+ ## Reset your Azure VMware Solution credentials First let's reset your Azure VMare Solution components credentials. Your vCenter Server CloudAdmin and NSX-T admin credentials donΓÇÖt expire; however, you can follow these steps to generate new passwords for these accounts.
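Review bot: typo in the added line: "Azure VMare Solution" should be "Azure VMware Solution", and "components credentials" should be "component credentials". The added video link is fine, but the sentence before it already says the article resets both the vCenter Server and NSX-T Manager credentials, so "vCenter CloudAdmin & NSX-T Admin password" could be aligned with that wording.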
backup Backup Azure Diagnostics Mode Data Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-diagnostics-mode-data-model.md
This table provides details about policy-related fields.
| MonthlyRetentionDaysOfTheWeek_s |Text ||Days of the week selected for monthly retention | | MonthlyRetentionWeeksOfTheMonth_s |Text ||Weeks of the month when monthly retention is configured, for example, First, Last | | YearlyRetentionDuration_s |Decimal Number ||Total retention duration in years for configured backups |
-| YearlyRetentionTimes_s |Text ||Date and time when yearly retention is configured |
-| YearlyRetentionMonthsOfTheYear_s |Text ||Months of the year selected for yearly retention |
-| YearlyRetentionFormat_s |Text ||Type of configuration for yearly retention, for example, daily for day based, weekly for week based | |
+| YearlyRetentionTimes_s |Text | | Date and time when yearly retention is configured |
+| YearlyRetentionMonthsOfTheYear_s |Text | | Months of the year selected for yearly retention |
+| YearlyRetentionFormat_s |Text ||Type of configuration for yearly retention, for example, daily for day based, weekly for week based |
| YearlyRetentionDaysOfTheMonth_s |Text ||Dates of the month selected for yearly retention | | SynchronisationFrequencyPerDay_s |Whole Number |v2|Number of times in a day a file backup is synchronized for SC DPM and MABS | | DiffBackupFormat_s |Text |v2|Format for Differential backups for SQL in Azure VM backup |
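Review bot: the rewritten YearlyRetentionTimes_s and YearlyRetentionMonthsOfTheYear_s rows pad the empty Version column as `| |`, while the YearlyRetentionFormat_s row directly below them keeps the `||` form used by the rest of the table; pick one form for the whole table. Dropping the stray trailing `| |` from the YearlyRetentionFormat_s row is the right fix, since it would otherwise render as an extra empty column.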
backup Encryption At Rest With Cmk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/encryption-at-rest-with-cmk.md
This article discusses the following:
- This feature isn't related to [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md), which uses guest-based encryption of a VM's disks using BitLocker (for Windows) and DM-Crypt (for Linux) -- The Recovery Services vault can be encrypted only with keys stored in an Azure Key Vault, located in the **same region**. Also, keys must be **RSA 2048 keys** only and should be in **enabled** state.
+- The Recovery Services vault can be encrypted only with keys stored in an Azure Key Vault, located in the **same region**. Also, keys must be **RSA keys** only and should be in **enabled** state.
- Moving CMK encrypted Recovery Services vault across Resource Groups and Subscriptions isn't currently supported. - When you move a Recovery Services vault already encrypted with customer-managed keys to a new tenant, you'll need to update the Recovery Services vault to recreate and reconfigure the vaultΓÇÖs managed identity and CMK (which should be in the new tenant). If this isn't done, the backup and restore operations will start failing. Also, any role-based access control (RBAC) permissions set up within the subscription will need to be reconfigured.
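Review bot: the new "RSA keys" wording no longer states which key sizes are accepted, whereas the removed line pinned the requirement to 2048-bit keys; say explicitly which RSA key sizes the Recovery Services vault supports now, and whether HSM-backed RSA keys in Key Vault are included, otherwise readers who created 2048-bit keys on the strength of the old text cannot tell whether a larger key is allowed. Unchanged context, but the apostrophe in "vaultΓÇÖs" in the tenant-move bullet renders as mojibake here, so the file encoding is worth a check.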
This section involves the following steps:
It's necessary that all these steps are followed in the order mentioned above to achieve the intended results. Each step is discussed in detail below.
-### Enable managed identity for your Recovery Services vault
+## Enable managed identity for your Recovery Services vault
-Azure Backup uses system assigned managed identity to authenticate the Recovery Services vault to access encryption keys stored in the Azure Key Vault. To enable managed identity for your Recovery Services vault, follow the steps mentioned below.
+Azure Backup uses system assigned managed identities and user-assigned managed identities to authenticate the Recovery Services vault to access encryption keys stored in the Azure Key Vault. To enable managed identity for your Recovery Services vault, follow the steps mentioned below.
>[!NOTE] >Once enabled, the managed identity must **not** be disabled (even temporarily). Disabling the managed identity may lead to inconsistent behavior.
+### Enable system-assigned managed identity for the vault
+ **In the portal:** 1. Go to your Recovery Services vault -> **Identity**
- ![Identity settings](./media/encryption-at-rest-with-cmk/managed-identity.png)
+ ![Identity settings](media/encryption-at-rest-with-cmk/enable-system-assigned-managed-identity-for-vault.png)
+
+1. Navigate to the **System assigned** tab.
+
+1. Change the **Status** to **On**.
+
+1. Click **Save** to enable the identity for the vault.
+
+An Object ID is generated, which is the system-assigned managed identity of the vault.
-1. Change the **Status** to **On** and select **Save**.
+>[!NOTE]
+>Once enabled, the managed identity must not be disabled (even temporarily). Disabling the managed identity may lead to inconsistent behavior.
-1. An Object ID is generated, which is the system-assigned managed identity of the vault.
**With PowerShell:**
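Review bot: the note added at the end of the "Enable system-assigned managed identity for the vault" steps ("Once enabled, the managed identity must not be disabled (even temporarily)...") duplicates the note that already sits above the subsection; keep only the top copy, which is better placed because it applies before either identity type is chosen and covers user-assigned identities as well. The rewritten intro also says Azure Backup uses "system assigned managed identities and user-assigned managed identities" but the next sentence still says "To enable managed identity for your Recovery Services vault, follow the steps mentioned below" as though there were a single path; rewording it to "enable a system-assigned identity or assign a user-assigned identity, as described in the following two sections" would match the new structure. Minor: "system assigned" should be hyphenated to match "user-assigned" in the same sentence.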
TenantId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Type : SystemAssigned ```
-### Assign permissions to the Recovery Services vault to access the encryption key in the Azure Key Vault
+### Assign user-assigned managed identity to the vault
+
+To assign the user-assigned managed identity for your Recovery Services vault, perform the following steps:
+
+1. Go to your Recovery Services vault -> **Identity**
+
+ ![Assign user-assigned managed identity to the vault](media/encryption-at-rest-with-cmk/assign-user-assigned-managed-identity-to-vault.png)
+
+1. Navigate to the **User assigned** tab.
+
+1. Click **+Add** to add a user-assigned managed identity.
+
+1. In the **Add user assigned managed identity** blade that opens, select the subscription for your identity.
+
+1. Select the identity from the list. You can also filter by the name of the identity or the resource group.
+
+1. Once done, click **Add** to finish assigning the identity.
+
+## Assign permissions to the Recovery Services vault to access the encryption key in the Azure Key Vault
+
+>[!Note]
+>If you are using user-assigned identities, the same permissions must be assigned to the user-assigned identity.
You now need to permit the Recovery Services vault to access the Azure Key Vault that contains the encryption key. This is done by allowing the Recovery Services vaultΓÇÖs managed identity to access the Key Vault.
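Review bot: the new note "If you are using user-assigned identities, the same permissions must be assigned to the user-assigned identity" is the only statement of what the user-assigned identity needs, yet the paragraph that follows still speaks only of "the Recovery Services vault's managed identity"; list the exact Key Vault key permissions once in this section and say they go on whichever identity the vault uses, so readers do not grant broader rights than the vault needs. The "Assign user-assigned managed identity to the vault" steps also never say that the identity has to exist before the "+Add" step, nor whether it may be shared with other resources; a one-line pointer to creating a dedicated identity for the vault before step 1 would close both gaps.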
You now need to permit the Recovery Services vault to access the Azure Key Vault
1. Select **Save** to save changes made to the access policy of the Azure Key Vault.
-### Enable soft-delete and purge protection on the Azure Key Vault
+## Enable soft-delete and purge protection on the Azure Key Vault
You need to **enable soft delete and purge protection** on your Azure Key Vault that stores your encryption key. You can do this from the Azure Key Vault UI as shown below. (Alternatively, these properties can be set while creating the Key Vault). Read more about these Key Vault properties [here](../key-vault/general/soft-delete-overview.md).
You can also enable soft delete and purge protection through PowerShell using th
Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties ```
-### Assign encryption key to the RS vault
+## Assign encryption key to the RS vault
>[!NOTE] > Before proceeding further, ensure the following:
You can also enable soft delete and purge protection through PowerShell using th
Once the above are ensured, continue with selecting the encryption key for your vault.
-#### To assign the key in the portal
+### To assign the key in the portal
1. Go to your Recovery Services vault -> **Properties**
Once the above are ensured, continue with selecting the encryption key for your
1. Browse and select the key from the Key Vault in the key picker pane. >[!NOTE]
- >When specifying the encryption key using the key picker pane, the key will be auto-rotated whenever a new version for the key is enabled.
+ >When specifying the encryption key using the key picker pane, the key will be auto-rotated whenever a new version for the key is enabled. [Learn more](#enabling-auto-rotation-of-encryption-keys) on enabling auto-rotation of encryption keys.
![Select key from key vault](./media/encryption-at-rest-with-cmk/key-vault.png)
Once the above are ensured, continue with selecting the encryption key for your
![Activity log](./media/encryption-at-rest-with-cmk/activity-log.png)
-#### To assign the key with PowerShell
+### To assign the key with PowerShell
Use the [Set-AzRecoveryServicesVaultProperty](/powershell/module/az.recoveryservices/set-azrecoveryservicesvaultproperty) command to enable encryption using customer-managed keys, and to assign or update the encryption key to be used.
Before proceeding to configure protection, we strongly recommend you ensure the
> Before proceeding to configure protection, you must have **successfully** completed the following steps: > >1. Created your Backup vault
->1. Enabled the Backup vaultΓÇÖs system-assigned Managed Identity
->1. Assigned permissions to your Backup Vault to access encryption keys from your Key Vault
+>1. Enabled the Recovery Services vault's system-assigned managed identity or assigned a user-assigned managed identity to the vault
+>1. Assigned permissions to your Backup Vault (or the user-assigned managed identity) to access encryption keys from your Key Vault
>1. Enabled soft delete and purge protection for your Key Vault >1. Assigned a valid encryption key for your Backup vault >
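Review bot: the two rewritten checklist items now mix "Recovery Services vault" (first new line) with "Backup Vault" (second new line), while the unchanged items around them ("Created your Backup vault", "Assigned a valid encryption key for your Backup vault") still say "Backup vault"; Backup vault and Recovery Services vault are different resources, so the whole checklist should name the one this article is about (Recovery Services vault), and the capitalisation of "Backup Vault" should be made consistent in the same pass.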
When performing a file restore, the restored data will be encrypted with the key
When restoring from a backed-up SAP HANA/SQL database running in an Azure VM, the restored data will be encrypted using the encryption key used at the target storage location. It may be a customer-managed key or a platform-managed key used for encrypting the disks of the VM.
+## Additional topics
+
+### Enable encryption using customer-managed keys at vault creation (in preview)
+
+>[!NOTE]
+>Enabling encryption at vault creation using customer managed keys is in limited public preview and requires allow-listing of subscriptions. To sign up for the preview, fill the [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR0H3_nezt2RNkpBCUTbWEapURDNTVVhGOUxXSVBZMEwxUU5FNDkyQkU4Ny4u) and write to us at [AskAzureBackupTeam@microsoft.com](mailto:AskAzureBackupTeam@microsoft.com).
+
+When your subscription is allow-listed, the **Backup Encryption** tab will display. This allows you to enable encryption on the backup using customer-managed keys during the creation of a new Recovery Services vault. To enable the encryption, perform the following steps:
+
+1. Next to the **Basics** tab, on the **Backup Encryption** tab, specify the encryption key and the identity to use for encryption.
+
+ ![Enable encryption at vault level](media/encryption-at-rest-with-cmk/enable-encryption-using-cmk-at-vault.png)
++
+ >[!NOTE]
+ >The settings apply to Backup only and are optional.
+
+1. Select **Use customer-managed key** as the Encryption type.
+
+1. To specify the key to be used for encryption, select the appropriate option.
+
+ You can provide the URI for the encryption key, or browse and select the key. When you specify the key using the **Select the Key Vault** option, auto-rotation of the encryption key will enable automatically. [Learn more on auto-rotation](#enabling-auto-rotation-of-encryption-keys).
+
+1. Specify the user assigned managed identity to manage encryption with customer-managed keys. Click **Select** to browse and select the required identity.
+
+1. Once done, proceed to add Tags (optional) and continue creating the vault.
+
+### Enabling auto-rotation of encryption keys
+
+When you specify the customer-managed key that must be used to encrypt backups, use the following methods to specify it:
+
+- Enter the key URI
+- Select from Key Vault
+
+Using the **Select from Key Vault** option helps to enable auto-rotation for the selected key. This eliminates the manual effort to update to the next version. However, using this option:
+- Key version update may take up to an hour to take effect.
+- When a new version of the key takes effect, the old version should also be available (in enabled state) for at least one subsequent backup job after the key update has taken effect.
+
+### Using Azure Policies for auditing and enforcing encryption utilizing customer-managed keys (in preview)
+
+Azure Backup allows you to use Azure Polices to audit and enforce encryption, using customer-managed keys, of data in the Recovery Services vault. Using the Azure Policies:
+
+- The audit policy can be used for auditing vaults with encryption using customer-managed keys, enabled after 3/31/2021. For vaults with the CMK encryption enabled before this date, the policy may fail to apply or may show false negatives results (that is, these vaults may be reported as non-compliant, despite having the CMK encryption enabled).
+- To use the audit policy for auditing vaults with the CMK encryption enabled before 3/31/2021, use the Azure portal to update an encryption key. This helps to upgrade to the new model. If you do not want to change the encryption key, provide the same key again through the key URI or the key selection option.
+
+ >[!Warning]
+ >For users using PowerShell for managing encryption keys for Backup, it is not recommended to upgrade to the new model.<br></br>If you update the key from the portal, you canΓÇÖt use PowerShell to update the encryption key further, till a PowerShell update to support the new model is available. However, you can continue updating the key from the Azure portal.
+ ## Frequently asked questions ### Can I encrypt an existing Backup vault with customer-managed keys?
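Review bot: the line that reads `++` right after the "Enable encryption at vault level" image adds a literal "+" to the article, which will render as a stray character; it should be an empty added line. Further down in the same hunk: "Azure Polices" in the audit-policy paragraph should be "Azure Policies", "false negatives results" should be "false-negative results", and the apostrophe in "canΓÇÖt" in the warning renders as mojibake, so check the source encoding. The warning itself is hard to act on as written ("it is not recommended to upgrade to the new model" sits next to a sentence saying the portal can still be used); state plainly that updating the key from the portal is a one-way move that removes PowerShell key management until a module update ships, which is the consequence the two sentences describe. Lastly, the auto-rotation bullet saying the old key version "should also be available (in enabled state) for at least one subsequent backup job" is the operationally important line of that section; if the intended meaning is that disabling the old version earlier makes that backup job fail, say so directly.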
backup Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/policy-reference.md
Title: Built-in policy definitions for Azure Backup description: Lists Azure Policy built-in policy definitions for Azure Backup. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
backup Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
batch Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/policy-reference.md
Title: Built-in policy definitions for Azure Batch description: Lists Azure Policy built-in policy definitions for Azure Batch. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
batch Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
blockchain Ethereum Poa Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/templates/ethereum-poa-deployment.md
Parameter | Description | Example value
Monitoring | Option to enable monitoring | Enable Connect to existing Azure Monitor logs | Option to create a new Azure Monitor logs instance or join an existing instance | Create new Location | The region where the new instance is deployed | East US
-Existing log analytics workspace ID (Connect to existing Azure Monitor logs = Join Existing)|Workspace ID of the existing Azure Monitor logs instance||NA
-Existing log analytics primary key (Connect to existing Azure Monitor logs = Join Existing)|The primary key used to connect to the existing Azure Monitor logs instance||NA
+Existing log analytics workspace ID (Connect to existing Azure Monitor logs = Join Existing)|Workspace ID of the existing Azure Monitor logs instance|NA
+Existing log analytics primary key (Connect to existing Azure Monitor logs = Join Existing)|The primary key used to connect to the existing Azure Monitor logs instance|NA
Select **OK**.
certification Program Requirements Edge Secured Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/certification/program-requirements-edge-secured-core.md
Edge Secured-core is an incremental certification in the Azure Certified Device
|Name|SecuredCore.Encryption.Storage| |:|:| |Status|Required|
-|Description|The purpose of the test to validate that sensitive data can be encrypted on non-volitile storage.|
+|Description|The purpose of the test to validate that sensitive data can be encrypted on non-volatile storage.|
|Target Availability|2021| |Applies To|Any device| |OS|Agnostic|
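Review bot: the corrected Description row still reads "The purpose of the test to validate that sensitive data can be encrypted on non-volatile storage", which is missing "is" ("The purpose of the test is to validate..."); fix that while the row is being touched.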
cloud-services-extended-support Generate Template Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/generate-template-portal.md
# Generate ARM Template for Cloud Services (extended support) using the Azure portal
-This article explains how to download the ARM template and parameter file from the [Azure portal](https://portal.azure.com) after the Cloud Service (extended support) is deployed. The ARM template and parameter file can be used in future deployments to upgrade or update a cloud service (extended support)
+This article explains how to download the ARM template and parameter file from the [Azure portal](https://portal.azure.com) for your Cloud Service. The ARM template and parameter file can be used in deployments via Powershell to create or update a cloud service
## Get ARM template via portal
- 1. Go to your resource group, and select deployments.
- :::image type="content" source="media/generate-template-portal-1.png" alt-text="Image shows selecting deployments under resource group on the Azure portal.":::
+ 1. Go to the Azure portal and [create a new cloud service](deploy-portal.md). Add your cloud service configuration, package and definition files.
+ :::image type="content" source="media/deploy-portal-4.png" alt-text="Image shows the upload section of the basics tab during creation.":::
- 2. Select your cloud service (extended support) and click on template.
- :::image type="content" source="media/generate-template-portal-2.png" alt-text="Image shows selecting template under cloud service (extended support) on the Azure portal.":::
+ 2. Once all fields have been completed, move to the Review and Create tab to validate your deployment configuration and click on **Download template for automation** your Cloud Service (extended support).
+ :::image type="content" source="media/download-template-portal-1.png" alt-text="Image shows downloading the template under cloud service (extended support) on the Azure portal.":::
- 3. Download your template and parameter files. These can be used for future deployments via PowerShell.
- :::image type="content" source="media/generate-template-portal-3.png" alt-text="Image shows downloading template file on the Azure portal.":::
+ 3. Download your template and parameter files.
+ :::image type="content" source="media/generate-template-portal-3.png" alt-text="Image shows downloading template file on the Azure portal.":::
+
+ 4. Copy the Package SAS URI and Configuration SAS URI from the review and create tab and add them to the parameter.json file. These files can now be used to create a new cloud service via PowerShell.
+ :::image type="content" source="media/download-template-portal-2.png" alt-text="Image shows the package SAS URI and configuration SAS URI parameters on the Azure portal.":::
## Next steps - Review [frequently asked questions](faq.md) for Cloud Services (extended support).
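Review bot: step 4 has readers paste the Package SAS URI and Configuration SAS URI into the parameter.json file, and the intro says these files are reused for later PowerShell deployments; the page should say that a SAS URI is a bearer credential for the package storage, so the parameter file must be kept out of source control and the URIs should be regenerated (or issued with a short expiry) rather than reused indefinitely. Wording fixes in the same hunk: the rewritten intro sentence ends without a period and writes "Powershell" (the product is "PowerShell"); step 2 reads "click on **Download template for automation** your Cloud Service (extended support)", which is missing "for"; and step 3 lost the clause explaining what the files are for when the old sentence was removed, so "These can be used for future deployments via PowerShell" should move into step 3 or step 4.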
cloud-services Cloud Services Troubleshoot Location Not Found For Role Size https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-troubleshoot-location-not-found-for-role-size.md
In this scenario, you should select a different region or SKU to deploy your Clo
### List SKUs in region using Azure CLI
-You can use the [az vm list-skus](/cli/azure/vm.html#az_vm_list_skus) command.
+You can use the [az vm list-skus](/cli/azure/vm?view=azure-cli-latest
+#az_vm_list_skus) command.
- Use the `--location` parameter to filter output to location you're using. - Use the `--size` parameter to search by a partial size name.
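Review bot: the replacement link is split over two lines (`[az vm list-skus](/cli/azure/vm?view=azure-cli-latest` on one line and `#az_vm_list_skus)` on the next), so the markdown link will not render; keep the whole target on one line. The `?view=azure-cli-latest` query string is probably not needed on a relative docs link either, and the old form `/cli/azure/vm#az_vm_list_skus` (without the `.html`) would be the simpler fix.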
For more allocation failure solutions and to better understand how they're gener
> [!div class="nextstepaction"] > [Allocation failures - Cloud service (classic)](cloud-services-allocation-failures.md)
-If your Azure issue isn't addressed in this article, visit the Azure forums on [MSDN and Stack Overflow](https://azure.microsoft.com/support/forums/). You can post your issue in these forums, or post to [@AzureSupport on Twitter](https://twitter.com/AzureSupport). You also can submit an Azure support request. To submit a support request, on the [Azure support](https://azure.microsoft.com/support/options/) page, select *Get support*.
+If your Azure issue isn't addressed in this article, visit the Azure forums on [MSDN and Stack Overflow](https://azure.microsoft.com/support/forums/). You can post your issue in these forums, or post to [@AzureSupport on Twitter](https://twitter.com/AzureSupport). You also can submit an Azure support request. To submit a support request, on the [Azure support](https://azure.microsoft.com/support/options/) page, select *Get support*.
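Review bot: this hunk replaces the support paragraph with text that is identical to the removed line, so it is a whitespace or line-ending-only change; fine to keep, but worth confirming that is all it is (for example trailing whitespace or a missing final newline) so the change history stays meaningful.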
cognitive-services Spatial Analysis Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/spatial-analysis-container.md
Next, register the host computer as an IoT Edge device in your IoT Hub instance,
You need to connect the IoT Edge device to your Azure IoT Hub. You need to copy the connection string from the IoT Edge device you created earlier. Alternatively, you can run the below command in the Azure CLI. ```bash
-sudo az iot hub device-identity show-connection-string --device-id my-edge-device --hub-name test-iot-hub-123
+sudo az iot hub device-identity connection-string show --device-id my-edge-device --hub-name test-iot-hub-123
``` On the host computer open `/etc/iotedge/config.yaml` for editing. Replace `ADD DEVICE CONNECTION STRING HERE` with the connection string. Save and close the file.
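Review bot: `sudo` in front of `az` is unnecessary and worth dropping while the command is being rewritten to `az iot hub device-identity connection-string show`: the Azure CLI does not need root, and running it under sudo puts the login token cache in root's profile instead of the user's. The surrounding text then has readers paste the returned connection string into /etc/iotedge/config.yaml; a short reminder that this string is the device's credential and should be handled like one (not left in shared notes or tickets) would fit here.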
Open the [Create a Virtual Machine](https://ms.portal.azure.com/#create/Microsof
Give your VM a name and select the region to be (US) West US 2. Be sure to set `Availability Options` to "No infrastructure redundancy required". Refer to the below figure for the complete configuration and the next step for help locating the correct VM size. To locate the VM size, select "See all sizes" and then view the list for "Non-premium storage VM sizes", shown below.
Next, register the VM as an IoT Edge device in your IoT Hub instance, using a [c
You need to connect the IoT Edge device to your Azure IoT Hub. You need to copy the connection string from the IoT Edge device you created earlier. Alternatively, you can run the below command in the Azure CLI. ```bash
-sudo az iot hub device-identity show-connection-string --device-id my-edge-device --hub-name test-iot-hub-123
+sudo az iot hub device-identity connection-string show --device-id my-edge-device --hub-name test-iot-hub-123
``` On the VM open `/etc/iotedge/config.yaml` for editing. Replace `ADD DEVICE CONNECTION STRING HERE` with the connection string. Save and close the file.
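Review bot: same point as the host-computer hunk above: the `sudo` before `az` is not needed and changes which profile holds the login token cache; drop it in this copy of the command too.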
Once the deployment is complete and the container is running, the **host compute
You will need to use [spatial analysis operations](spatial-analysis-operations.md) to configure the container to use connected cameras, configure the operations, and more. For each camera device you configure, the operations for spatial analysis will generate an output stream of JSON messages, sent to your instance of Azure IoT Hub.
-## Redeploy or delete the deployment
-
-If you need to update the deployment, you need to make sure your previous deployments are successfully deployed, or you need to delete IoT Edge device deployments that did not complete. Otherwise, those deployments will continue, leaving the system in a bad state. You can use the Azure portal, or the [Azure CLI](../cognitive-services-apis-create-account-cli.md?tabs=windows).
- ## Use the output generated by the container If you want to start consuming the output generated by the container, see the following articles:
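Review bot: the only guidance that incomplete IoT Edge deployments must be deleted before redeploying (otherwise they "continue, leaving the system in a bad state") is lost with the removal of the "Redeploy or delete the deployment" section; if that guidance now lives elsewhere, the hunk should leave a link to it, otherwise the section should stay, since it is an operational caveat readers will hit on their second deployment.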
In this article, you learned concepts and workflow for downloading, installing,
* [Configure spatial analysis operations](spatial-analysis-operations.md) * [Logging and troubleshooting](spatial-analysis-logging.md) * [Camera placement guide](spatial-analysis-camera-placement.md)
-* [Zone and line placement guide](spatial-analysis-zone-line-placement.md)
+* [Zone and line placement guide](spatial-analysis-zone-line-placement.md)
cognitive-services Spatial Analysis Logging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/spatial-analysis-logging.md
Once the telegraf module is deployed, the reported metrics can be accessed eithe
### System health events
-| Event Name | Description|
-|||
-|archon_exit  |Sent when a user changes the spatial analysis module status from *running* to *stopped*. |
-|archon_error  |Sent when any of the processes inside the container crash. This is a critical error.  |
-|InputRate  |The rate at which the graph processes video input. Reported every 5 minutes. | 
-|OutputRate  |The rate at which the graph outputs AI insights. Reported every 5 minutes. |
-|archon_allGraphsStarted | Sent when all graphs have finished starting up. |
-|archon_configchange  | Sent when a graph configuration has changed. |
-|archon_graphCreationFailed  |Sent when the graph with the reported `graphId` fails to start. |
-|archon_graphCreationSuccess  |Sent when the graph with the reported `graphId` starts successfully. |
-|archon_graphCleanup  | Sent when the graph with the reported `graphId` cleans up and exits. |
-|archon_graphHeartbeat  |Heartbeat sent every minute for every graph of a skill. |
-|archon_apiKeyAuthFail |Sent when the Computer Vision resource key fails to authenticate the container for more than 24 hours, due to the following reasons: Out of Quota, Invalid, Offline. |
-|VideoIngesterHeartbeat  |Sent every hour to indicate that video is streamed from the Video source, with the number of errors in that hour. Reported for each graph. |
-|VideoIngesterState | Reports *Stopped* or *Started* for video streaming. Reported for each graph. |
+| Event Name | Description |
+|--|-|
+| archon_exit | Sent when a user changes the spatial analysis module status from *running* to *stopped*. |
+| archon_error | Sent when any of the processes inside the container crash. This is a critical error. |
+| InputRate | The rate at which the graph processes video input. Reported every 5 minutes. |
+| OutputRate | The rate at which the graph outputs AI insights. Reported every 5 minutes. |
+| archon_allGraphsStarted | Sent when all graphs have finished starting up. |
+| archon_configchange | Sent when a graph configuration has changed. |
+| archon_graphCreationFailed | Sent when the graph with the reported `graphId` fails to start. |
+| archon_graphCreationSuccess | Sent when the graph with the reported `graphId` starts successfully. |
+| archon_graphCleanup | Sent when the graph with the reported `graphId` cleans up and exits. |
+| archon_graphHeartbeat | Heartbeat sent every minute for every graph of a skill. |
+| archon_apiKeyAuthFail | Sent when the Computer Vision resource key fails to authenticate the container for more than 24 hours, due to the following reasons: Out of Quota, Invalid, Offline. |
+| VideoIngesterHeartbeat | Sent every hour to indicate that video is streamed from the Video source, with the number of errors in that hour. Reported for each graph. |
+| VideoIngesterState | Reports *Stopped* or *Started* for video streaming. Reported for each graph. |
## Troubleshooting an IoT Edge Device
cognitive-services Spatial Analysis Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/spatial-analysis-operations.md
The spatial analysis container implements the following operations:
| cognitiveservices.vision.spatialanalysis-personcrossingline | Tracks when a person crosses a designated line in the camera's field of view. <br>Emits a _personLineEvent_ event when the person crosses the line and provides directional info. | cognitiveservices.vision.spatialanalysis-personcrossingpolygon | Emits a _personZoneEnterExitEvent_ event when a person enters or exits the zone and provides directional info with the numbered side of the zone that was crossed. Emits a _personZoneDwellTimeEvent_ when the person exits the zone and provides directional info as well as the number of milliseconds the person spent inside the zone. | | cognitiveservices.vision.spatialanalysis-persondistance | Tracks when people violate a distance rule. <br> Emits a _personDistanceEvent_ periodically with the location of each distance violation. |
+| cognitiveservices.vision.spatialanalysis | Generic operation which can be used to run all scenarios mentioned above. This option is more useful when you want to run multiple scenarios on the same camera or use system resources (e.g. GPU) more efficiently. |
All above the operations are also available in the `.debug` version, which have the capability to visualize the video frames as they are being processed. You will need to run `xhost +` on the host computer to enable the visualization of video frames and events.
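Review bot: the new generic `cognitiveservices.vision.spatialanalysis` row says it "can be used to run all scenarios mentioned above" but nothing in the table says how the scenarios are selected for the generic operation; add a pointer to the configuration that chooses them so the row is actionable. The same wording is copied verbatim into the `.debug` and `.livevideoanalytics` tables below, so whatever fix lands here should be applied to those two rows as well. Minor: "Generic operation which can be used to run all scenarios" reads better as "Generic operation that runs any of the scenarios above".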
All above the operations are also available in the `.debug` version, which have
| cognitiveservices.vision.spatialanalysis-personcrossingline.debug | Tracks when a person crosses a designated line in the camera's field of view. <br>Emits a _personLineEvent_ event when the person crosses the line and provides directional info. | cognitiveservices.vision.spatialanalysis-personcrossingpolygon.debug | Emits a _personZoneEnterExitEvent_ event when a person enters or exits the zone and provides directional info with the numbered side of the zone that was crossed. Emits a _personZoneDwellTimeEvent_ when the person exits the zone and provides directional info as well as the number of milliseconds the person spent inside the zone. | | cognitiveservices.vision.spatialanalysis-persondistance.debug | Tracks when people violate a distance rule. <br> Emits a _personDistanceEvent_ periodically with the location of each distance violation. |
+| cognitiveservices.vision.spatialanalysis.debug | Generic operation which can be used to run all scenarios mentioned above. This option is more useful when you want to run multiple scenarios on the same camera or use system resources (e.g. GPU) more efficiently. |
Spatial analysis can also be run with [Live Video Analytics](../../media-services/live-video-analytics-edge/spatial-analysis-tutorial.md) as their Video AI module.
Spatial analysis can also be run with [Live Video Analytics](../../media-service
| cognitiveservices.vision.spatialanalysis-personcrossingline.livevideoanalytics | Tracks when a person crosses a designated line in the camera's field of view. <br>Emits a _personLineEvent_ event when the person crosses the line and provides directional info. | cognitiveservices.vision.spatialanalysis-personcrossingpolygon.livevideoanalytics | Emits a _personZoneEnterExitEvent_ event when a person enters or exits the zone and provides directional info with the numbered side of the zone that was crossed. Emits a _personZoneDwellTimeEvent_ when the person exits the zone and provides directional info as well as the number of milliseconds the person spent inside the zone. | | cognitiveservices.vision.spatialanalysis-persondistance.livevideoanalytics | Tracks when people violate a distance rule. <br> Emits a _personDistanceEvent_ periodically with the location of each distance violation. |
+| cognitiveservices.vision.spatialanalysis.livevideoanalytics | Generic operation which can be used to run all scenarios mentioned above. This option is more useful when you want to run multiple scenarios on the same camera or use system resources (e.g. GPU) more efficiently. |
Live Video Analytics operations are also available in the `.debug` version (e.g. cognitiveservices.vision.spatialanalysis-personcount.livevideoanalytics.debug) which has the capability to visualize the video frames as being processed. You will need to run `xhost +` on the host computer to enable the visualization of the video frames and events
These are the parameters required by each of these spatial analysis operations.
| VIDEO_SOURCE_ID | A friendly name for the camera device or video stream. This will be returned with the event JSON output.| | VIDEO_IS_LIVE| True for camera devices; false for recorded videos.| | VIDEO_DECODE_GPU_INDEX| Which GPU to decode the video frame. By default it is 0. Should be the same as the `gpu_index` in other node config like `VICA_NODE_CONFIG`, `DETECTOR_NODE_CONFIG`.|
-| INPUT_VIDEO_WIDTH | Input video/stream's frame width (e.g. 1920). Its an optional field and if provided frame will be scaled to this dimension but will still preserve the aspect ratio.|
-| DETECTOR_NODE_CONFIG | JSON indicating which GPU to run the detector node on. Should be in the following format: `"{ \"gpu_index\": 0 }",`|
+| INPUT_VIDEO_WIDTH | Input video/stream's frame width (e.g. 1920). This is an optional field and if provided, the frame will be scaled to this dimension while preserving the aspect ratio.|
+| DETECTOR_NODE_CONFIG | JSON indicating which GPU to run the detector node on. It should be in the following format: `"{ \"gpu_index\": 0 }",`|
| SPACEANALYTICS_CONFIG | JSON configuration for zone and line as outlined below.|
-| ENABLE_FACE_MASK_CLASSIFIER | `True` to enable detecting people wearing face masks in the video stream, `False` to disable it. By default this is disabled. Face mask detection requires input video width parameter to be 1920 `"INPUT_VIDEO_WIDTH": 1920`. The face mask attribute will not be returned if detected people are not facing the camera or are too far from it. Refer to [camera placement](spatial-analysis-camera-placement.md) guide for more information |
+| ENABLE_FACE_MASK_CLASSIFIER | `True` to enable detecting people wearing face masks in the video stream, `False` to disable it. By default this is disabled. Face mask detection requires input video width parameter to be 1920 `"INPUT_VIDEO_WIDTH": 1920`. The face mask attribute will not be returned if detected people are not facing the camera or are too far from it. Refer to the [camera placement](spatial-analysis-camera-placement.md) guide for more information |
+### Detector Node Parameter Settings
This is an example of the DETECTOR_NODE_CONFIG parameters for all spatial analysis operations. ```json
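Review bot: the reworded `DETECTOR_NODE_CONFIG` row still shows the value with a trailing comma inside the backticks (`"{ \"gpu_index\": 0 }",`), so a reader who copies it verbatim gets a fragment that is not valid on its own; either drop the comma or show the key inside the surrounding `createOptions` JSON. Two smaller points in the same table: the `VIDEO_DECODE_GPU_INDEX` row tells readers to match `gpu_index` with `VICA_NODE_CONFIG`, but that parameter is not described anywhere in this table, and the `ENABLE_FACE_MASK_CLASSIFIER` row still ends without a period ("for more information |"). For the new generic `cognitiveservices.vision.spatialanalysis.livevideoanalytics` row at the top of this hunk, add a pointer to where the per-scenario events are selected (the `lines`/`zones` `events` arrays of `SPACEANALYTICS_CONFIG`) and say whether it also has a `.debug` variant like the other operations, since the `.debug` sentence that follows lists an example for `personcount` only.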
This is an example of the DETECTOR_NODE_CONFIG parameters for all spatial analys
"do_calibration": true, "enable_recalibration": true, "calibration_quality_check_frequency_seconds":86400,
-"calibration_quality_check_sampling_num": 80,
-"calibration_quality_check_sampling_times": 5,
"calibration_quality_check_sample_collect_frequency_seconds": 300, "calibration_quality_check_one_round_sample_collect_num":10,
-"calibration_quality_check_queue_max_size":1000,
-"recalibration_score": 75
+"calibration_quality_check_queue_max_size":1000
} ```
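Review bot: removing `calibration_quality_check_sampling_num`, `calibration_quality_check_sampling_times` and `recalibration_score` from the example leaves operators with existing configurations that still set these keys without guidance; state whether the container ignores unknown keys or rejects the configuration, and from which container version the keys are no longer honored. The remaining JSON is well-formed (the last key `"calibration_quality_check_queue_max_size":1000` correctly has no trailing comma).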
This is an example of the DETECTOR_NODE_CONFIG parameters for all spatial analys
| `do_calibration` | string | Indicates that calibration is turned on. `do_calibration` must be true for **cognitiveservices.vision.spatialanalysis-persondistance** to function properly. do_calibration is set by default to True. | | `enable_recalibration` | bool | Indicates whether automatic recalibration is turned on. Default is `true`.| | `calibration_quality_check_frequency_seconds` | int | Minimum number of seconds between each quality check to determine whether or not recalibration is needed. Default is `86400` (24 hours). Only used when `enable_recalibration=True`.|
-| `calibration_quality_check_sampling_num` | int | Number of randomly selected stored data samples to use per quality check error measurement. Default is `80`. Only used when `enable_recalibration=True`.|
-| `calibration_quality_check_sampling_times` | int | Number of times error measurements will be performed on different sets of randomly selected data samples per quality check. Default is `5`. Only used when `enable_recalibration=True`.|
| `calibration_quality_check_sample_collect_frequency_seconds` | int | Minimum number of seconds between collecting new data samples for recalibration and quality checking. Default is `300` (5 minutes). Only used when `enable_recalibration=True`.| | `calibration_quality_check_one_round_sample_collect_num` | int | Minimum number of new data samples to collect per round of sample collection. Default is `10`. Only used when `enable_recalibration=True`.| | `calibration_quality_check_queue_max_size` | int | Maximum number of data samples to store when camera model is calibrated. Default is `1000`. Only used when `enable_recalibration=True`.|
-| `recalibration_score` | int | Maximum quality threshold to begin recalibration. Default is `75`. Only used when `enable_recalibration=True`. Calibration quality is calculated based on an inverse relationship with image target reprojection error. Given detected targets in 2D image frames, the targets are projected into 3D space and re-projected back to the 2D image frame using existing camera calibration parameters. The reprojection error is measured by the average distances between the detected targets and the re-projected targets.|
| `enable_breakpad`| bool | Indicates whether you want to enable breakpad, which is used to generate crash dump for debug use. It is `false` by default. If you set it to `true`, you also need to add `"CapAdd": ["SYS_PTRACE"]` in the `HostConfig` part of container `createOptions`. By default, the crash dump is uploaded to the [RealTimePersonTracking](https://appcenter.ms/orgs/Microsoft-Organization/apps/RealTimePersonTracking/crashes/errors?version=&appBuild=&period=last90Days&status=&errorType=all&sortCol=lastError&sortDir=desc) AppCenter app, if you want the crash dumps to be uploaded to your own AppCenter app, you can override the environment variable `RTPT_APPCENTER_APP_SECRET` with your app's app secret. -
+## Spatial analysis operations configuration and output
### Zone configuration for cognitiveservices.vision.spatialanalysis-personcount This is an example of a JSON input for the SPACEANALYTICS_CONFIG parameter that configures a zone. You may configure multiple zones for this operation.
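Review bot: the unchanged `enable_breakpad` row in this table describes a default that uploads crash dumps to a Microsoft-owned AppCenter app and requires adding `"CapAdd": ["SYS_PTRACE"]`; since this change edits the same table, it should say plainly that a crash dump of the analytics process can carry in-memory state (including frame data) off the host, so operators with data-handling constraints should either keep breakpad disabled or point `RTPT_APPCENTER_APP_SECRET` at an app they control, and that `SYS_PTRACE` is an extra container capability that should be granted only while debugging. Also, the `do_calibration` row types the value as `string` while the example sets it to the boolean `true` and the text says it "must be true"; make it `bool`, matching `enable_recalibration`, and drop the stray " -" at the end of the `enable_breakpad` row.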
This is an example of a JSON input for the SPACEANALYTICS_CONFIG parameter that
"output_frequency":1, "minimum_distance_threshold":6.0, "maximum_distance_threshold":35.0,
+ "aggregation_method": "average"
"threshold": 16.00, "focus": "footprint" }
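Review bot: the added `"aggregation_method": "average"` line has no trailing comma but is followed by `"threshold": 16.00`, so the `SPACEANALYTICS_CONFIG` example is no longer valid JSON and will be rejected if a reader pastes it; add the comma.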
This is an example of a JSON input for the SPACEANALYTICS_CONFIG parameter that
| `output_frequency` | int | The rate at which events are egressed. When `output_frequency` = X, every X event is egressed, ex. `output_frequency` = 2 means every other event is output. The `output_frequency` is applicable to both `event` and `interval`.| | `minimum_distance_threshold` | float| A distance in feet that will trigger a "TooClose" event when people are less than that distance apart.| | `maximum_distance_threshold` | float| A distance in feet that will trigger a "TooFar" event when people are greater than that distance apart.|
+| `aggregation_method` | string| The method for aggregate persondistance result. The aggregation_method is applicable to both `mode` and `average`.|
| `focus` | string| The point location within person's bounding box used to calculate events. Focus's value can be `footprint` (the footprint of person), `bottom_center` (the bottom center of person's bounding box), `center` (the center of person's bounding box).|
-See the [camera placement](spatial-analysis-camera-placement.md) guidelines to learn about zone and line configurations.
+### Configuration for cognitiveservices.vision.spatialanalysis
+This is an example of a JSON input for the SPACEANALYTICS_CONFIG parameter that configures a line and zone for **cognitiveservices.vision.spatialanalysis**. You may configure multiple lines/zones for this operation and each line/zone can have different events.
+
+ ```
+{
+ "lines": [
+ {
+ "name": "doorcamera",
+ "line": {
+ "start": {
+ "x": 0,
+ "y": 0.5
+ },
+ "end": {
+ "x": 1,
+ "y": 0.5
+ }
+ },
+ "events": [
+ {
+ "type": "linecrossing",
+ "config": {
+ "trigger": "event",
+ "threshold": 16.00,
+ "focus": "footprint"
+ }
+ }
+ ]
+ }
+ ],
+ "zones": [
+ {
+ "name": "lobbycamera",
+ "polygon": [[0.3, 0.3],[0.3, 0.9],[0.6, 0.9],[0.6, 0.3],[0.3, 0.3]],
+ "events": [
+ {
+ "type": "persondistance",
+ "config": {
+ "trigger": "event",
+ "output_frequency": 1,
+ "minimum_distance_threshold": 6.0,
+ "maximum_distance_threshold": 35.0,
+ "threshold": 16.00,
+ "focus": "footprint"
+ }
+ },
+ {
+ "type": "count",
+ "config": {
+ "trigger": "event",
+ "output_frequency": 1,
+ "threshold": 16.00,
+ "focus": "footprint"
+ }
+ },
+ {
+ "type": "zonecrossing",
+ "config": {
+ "threshold": 48.00,
+ "focus": "footprint"
+ }
+ },
+ {
+ "type": "zonedwelltime",
+ "config": {
+ "threshold": 16.00,
+ "focus": "footprint"
+ }
+ }
+ ]
+ }
+ ]
+}
+```
+## Camera configuration
+
+See the [camera placement](spatial-analysis-camera-placement.md) guidelines to learn about more about how to configure zones and lines.
## Spatial analysis Operation Output
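Review bot: the new `aggregation_method` row reads "applicable to both `mode` and `average`", which copies the phrasing of the `output_frequency` row instead of documenting the setting; say that the accepted values are `mode` and `average` and what each does to the persondistance result (and which is the default). In the new generic-operation configuration block, the opening fence is indented by one space and has no language tag, unlike the other fences in this article (```json), so it may not render as a code block; also the `zonecrossing` and `zonedwelltime` events carry no `trigger` while `linecrossing`, `persondistance` and `count` do, so state whether `trigger` is required or defaulted for those event types.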
Sample JSON for an event output by this operation.
}, "metadata": { "attributes": {
- "face_Mask": 0.99
+ "face_mask": 0.99
} } },
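Review bot: renaming the attribute key from `face_Mask` to `face_mask` (and `face_noMask` to `face_nomask` in the hunks below) changes the emitted event schema, so any consumer that reads the attribute by exact key will silently stop receiving mask confidences after the container is updated; the text should state which container version starts emitting the lowercase keys so downstream parsers can be changed in step.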
Sample JSON for an event output by this operation.
}, "metadata":{ "attributes": {
- "face_noMask": 0.99
+ "face_nomask": 0.99
} } }
Sample JSON for an event output by this operation.
| `type` | string| Type of region| | `points` | collection| Top left and bottom right points when the region type is RECTANGLE | | `confidence` | float| Algorithm confidence|
-| `face_Mask` | float | The attribute confidence value with range (0-1) indicates the detected person is wearing a face mask |
-| `face_noMask` | float | The attribute confidence value with range (0-1) indicates the detected person is **not** wearing a face mask |
+| `face_mask` | float | The attribute confidence value with range (0-1) indicates the detected person is wearing a face mask |
+| `face_nomask` | float | The attribute confidence value with range (0-1) indicates the detected person is **not** wearing a face mask |
| SourceInfo Field Name | Type| Description| ||||
Sample JSON for an event output by this operation.
| `focalLength` | float | The focal length of the camera in pixels. This is inferred from auto-calibration. | | `tiltUpAngle` | float | The camera tilt angle from vertical. This is inferred from auto-calibration.|
-| SourceInfo Field Name | Type| Description|
-||||
-| `id` | string| Camera ID|
-| `timestamp` | date| UTC date when the JSON payload was emitted|
-| `width` | int | Video frame width|
-| `height` | int | Video frame height|
-| `frameId` | int | Frame identifier|
- ### JSON format for cognitiveservices.vision.spatialanalysis-personcrossingline AI Insights
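Review bot: the last removed line drops the "### JSON format for cognitiveservices.vision.spatialanalysis-personcrossingline AI Insights" heading together with the duplicate SourceInfo table; unless that heading also exists elsewhere, the personcrossingline sample that follows ("Sample JSON for detections output by this operation") now sits under the personcount heading. Please confirm the heading was meant to go.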
Sample JSON for detections output by this operation.
"confidence": 0.9005028605461121, "metadata": { "attributes": {
- "face_Mask": 0.99
+ "face_mask": 0.99
} } }
Sample JSON for detections output by this operation.
| `detectionsId` | array| Array of size 1 of unique identifier of the person detection that triggered this event| | `properties` | collection| Collection of values| | `trackinId` | string| Unique identifier of the person detected|
-| `status` | string| Direction of line crossings, either 'CrossLeft' or 'CrossRight'|
+| `status` | string| Direction of line crossings, either 'CrossLeft' or 'CrossRight'. Direction is based on imagining standing at the "start" facing the "end" of the line. CrossRight is crossing from left to right. CrossLeft is crossing from right to left.|
| `zone` | string | The "name" field of the line that was crossed| | Detections Field Name | Type| Description|
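Review bot: the expanded `status` description (start facing end, CrossRight is left to right) is the information readers were missing; while touching this table, the unchanged `trackinId` row name does not match the other camelCase identifiers in these tables (`detectionsId`, `durationMs`) and looks truncated, so verify it against the JSON the container actually emits.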
Sample JSON for detections output by this operation.
| `type` | string| Type of region| | `points` | collection| Top left and bottom right points when the region type is RECTANGLE | | `confidence` | float| Algorithm confidence|
-| `face_Mask` | float | The attribute confidence value with range (0-1) indicates the detected person is wearing a face mask |
-| `face_noMask` | float | The attribute confidence value with range (0-1) indicates the detected person is **not** wearing a face mask |
+| `face_mask` | float | The attribute confidence value with range (0-1) indicates the detected person is wearing a face mask |
+| `face_nomask` | float | The attribute confidence value with range (0-1) indicates the detected person is **not** wearing a face mask |
| SourceInfo Field Name | Type| Description| ||||
Sample JSON for detections output by this operation with `zonecrossing` type SPA
"confidence": 0.6267998814582825, "metadata": { "attributes": {
- "face_Mask": 0.99
+ "face_mask": 0.99
} }
Sample JSON for detections output by this operation with `zonedwelltime` type SP
| `properties` | collection| Collection of values| | `trackinId` | string| Unique identifier of the person detected| | `status` | string| Direction of polygon crossings, either 'Enter' or 'Exit'|
-| `side` | int| The number of the side of the polygon that the person crossed. Each side is a numbered edge between the two vertices of the polygon that represents your zone. The edge between the first two vertices of the polygon represent first side|
+| `side` | int| The number of the side of the polygon that the person crossed. Each side is a numbered edge between the two vertices of the polygon that represents your zone. The edge between the first two vertices of the polygon represent first side. 'Side' is empty when the event isn't associated with a specific side due to occlusion. For example, an exit occurred when a person disappears but wasn't seen crossing a side of the zone or an enter occurred when a person appeared in the zone but wasn't seen crossing a side.|
| `durationMs` | float | The number of milliseconds that represent the time the person spent in the zone. This field is provided when the event type is _personZoneDwellTimeEvent_| | `zone` | string | The "name" field of the polygon that represents the zone that was crossed|
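Review bot: the `side` row now says the field is empty when occlusion prevents associating the event with a side, but the type column still says `int`; state the concrete JSON representation (null, a missing key, or an empty string) so consumers deserializing `side` into an integer do not fail on exactly the occlusion case the sentence describes. Also "represent first side" should read "represents the first side".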
Sample JSON for detections output by this operation with `zonedwelltime` type SP
| `type` | string| Type of region| | `points` | collection| Top left and bottom right points when the region type is RECTANGLE | | `confidence` | float| Algorithm confidence|
-| `face_Mask` | float | The attribute confidence value with range (0-1) indicates the detected person is wearing a face mask |
-| `face_noMask` | float | The attribute confidence value with range (0-1) indicates the detected person is **not** wearing a face mask |
+| `face_mask` | float | The attribute confidence value with range (0-1) indicates the detected person is wearing a face mask |
+| `face_nomask` | float | The attribute confidence value with range (0-1) indicates the detected person is **not** wearing a face mask |
### JSON format for cognitiveservices.vision.spatialanalysis-persondistance AI Insights
In this example, `centerGroundPoint` is `{x: 4, y: 5}`. This means there's a per
| `focalLength` | float | The focal length of the camera in pixels. This is inferred from auto-calibration. | | `tiltUpAngle` | float | The camera tilt angle from vertical. This is inferred from auto-calibration.|
+### JSON format for cognitiveservices.vision.spatialanalysis AI Insights
+
+Output of this operation depends on configured `events`, for example if the there is a `zonecrossing` event configured for this operation then output will be same as `cognitiveservices.vision.spatialanalysis-personcrossingpolygon`.
## Use the output generated by the container
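Review bot: "if the there is" has a doubled article and "output will be same as" is missing "the". More usefully, the new section only covers `zonecrossing`; since the configuration example added above shows `linecrossing`, `persondistance`, `count`, `zonecrossing` and `zonedwelltime` events, list which per-scenario output format each event type maps to rather than one example.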
cognitive-services Spatial Analysis Web App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/spatial-analysis-web-app.md
docker tag rtvsofficial.azurecr.io/acceleratorapp.personcount:1.0 [desired local
docker push [desired local image name] ```
-To install the container, create a new Azure Web App for Containers and fill in the required parameters. Then go to the **Docker** Tab and select **Single Container**, then **Azure Container Registry**. Use your instance of Azure Container Registry where you pushed the image above.
+To install the container, create a new Azure App Service and fill in the required parameters. Then go to the **Docker** Tab and select **Single Container**, then **Azure Container Registry**. Use your instance of Azure Container Registry where you pushed the image above.
![Enter image details](./media/spatial-analysis/solution-app-create-screen.png)
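Review bot: the product rename to "Azure App Service" is right, but the preceding pull/tag/push steps still retag `rtvsofficial.azurecr.io/acceleratorapp.personcount:1.0` by mutable tag into the reader's own registry; recommend recording the image digest at pull time so the image deployed to App Service is reproducible and can be checked against what was originally pulled.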
Once these 2 settings are added, click **Save**. Then click **Authentication/Aut
### Test the app
-Go to the Azure Web App and verify the deployment was successful, and the web app is running. Navigate to the configured url: `<yourapp>.azurewebsites.net` to view the running app.
+Go to the Azure Service and verify the deployment was successful, and the web app is running. Navigate to the configured url: `<yourapp>.azurewebsites.net` to view the running app.
![Test the deployment](./media/spatial-analysis/solution-app-output.png)
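Review bot: "Go to the Azure Service" drops the product name; it should read "Go to the Azure App Service" to match the install step above.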
cognitive-services Releasenotes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Face/ReleaseNotes.md
- Previously updated : 03/05/2021+ Last updated : 03/30/2021 + # What's new in Face service?
The Azure Face service is updated on an ongoing basis. Use this article to stay
## February 2021
-* New Face API detection model: The new detection 03 model is the most accurate detection model currently available. If you're a new a customer, we recommend using this model. Detection 03 improves both recall and precision on smaller faces found within images (64x64 pixels). Additional improvements include an overall reduction in false positives and improved detection on rotated face orientations. Combining detection 03 with the new recognition 04 will provide improved recognition accuracy as well. See [Specify a face detection model](./face-api-how-to-topics/specify-detection-model.md) for more details.
-* Face mask attribute: The face mask attribute is available with the latest detection 03 model, along with the additional attribute `"noseAndMouthCovered"` which detects whether the face mask is worn as intended, covering both the nose and mouth. To use the latest mask detection capability, users need to specify the detection model in the API request: assign the model version with the _detectionModel_ parameter to `detection_03`. See [Specify a face detection model](./face-api-how-to-topics/specify-detection-model.md) for more details.
-* New Face API Recognition Model: The new recognition 04 model is the most accurate recognition model currently available. If you're a new customer, we recommend using this model for verification and identification. It improves upon the accuracy of recognition 03, including improved recognition for enrolled users wearing face covers (surgical masks, N95 masks, cloth masks). Now customers can build safe and seamless user experiences that detect whether an enrolled user is wearing a face cover with the latest detection 03 model, and recognize who they are with the latest recognition 04 model. See [Specify a face recognition model](./face-api-how-to-topics/specify-recognition-model.md) for more details.
+### New Face API detection model
+* The new Detection 03 model is the most accurate detection model currently available. If you're a new a customer, we recommend using this model. Detection 03 improves both recall and precision on smaller faces found within images (64x64 pixels). Additional improvements include an overall reduction in false positives and improved detection on rotated face orientations. Combining Detection 03 with the new Recognition 04 model will provide improved recognition accuracy as well. See [Specify a face detection model](./face-api-how-to-topics/specify-detection-model.md) for more details.
+### New detectable Face attributes
+* The `faceMask` attribute is available with the latest Detection 03 model, along with the additional attribute `"noseAndMouthCovered"` which detects whether the face mask is worn as intended, covering both the nose and mouth. To use the latest mask detection capability, users need to specify the detection model in the API request: assign the model version with the _detectionModel_ parameter to `detection_03`. See [Specify a face detection model](./face-api-how-to-topics/specify-detection-model.md) for more details.
+### New Face API Recognition Model
+* The new Recognition 04 model is the most accurate recognition model currently available. If you're a new customer, we recommend using this model for verification and identification. It improves upon the accuracy of Recognition 03, including improved recognition for enrolled users wearing face covers (surgical masks, N95 masks, cloth masks). Now customers can build safe and seamless user experiences that detect whether an enrolled user is wearing a face cover with the latest Detection 03 model, and recognize who they are with the latest Recognition 04 model. See [Specify a face recognition model](./face-api-how-to-topics/specify-recognition-model.md) for more details.
## January 2021
-* Mitigate latency when using the Face API: The Face team published a new article detailing potential causes of latency when using the service and possible mitigation strategies. See [Mitigate latency when using the Face service](./face-api-how-to-topics/how-to-mitigate-latency.md).
+### Mitigate latency
+* The Face team published a new article detailing potential causes of latency when using the service and possible mitigation strategies. See [Mitigate latency when using the Face service](./face-api-how-to-topics/how-to-mitigate-latency.md).
## December 2020
-* Customer configuration for Face ID storage: While the Face Service does not store customer images, the extracted face feature(s) will be stored on server. The Face ID is an identifier of the face feature and will be used in [Face - Identify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239), [Face - Verify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523a), and [Face - Find Similar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237). The stored face features will expire and be deleted 24 hours after the original detection call. Customers can now determine the length of time these Face IDs are cached. The maximum value is still up to 24 hours, but a minimum value of 60 seconds can now be set. The new time ranges for Face IDs being cached is any value between 60 seconds and 24 hours. More details can be found in the [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) API reference (the *faceIdTimeToLive* parameter).
+### Customer configuration for Face ID storage
+* While the Face Service does not store customer images, the extracted face feature(s) will be stored on server. The Face ID is an identifier of the face feature and will be used in [Face - Identify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239), [Face - Verify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523a), and [Face - Find Similar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237). The stored face features will expire and be deleted 24 hours after the original detection call. Customers can now determine the length of time these Face IDs are cached. The maximum value is still up to 24 hours, but a minimum value of 60 seconds can now be set. The new time ranges for Face IDs being cached is any value between 60 seconds and 24 hours. More details can be found in the [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) API reference (the *faceIdTimeToLive* parameter).
## November 2020
-* Published a sample face enrollment app to demonstrate best practices for establishing meaningful consent and creating high-accuracy face recognition systems through high-quality enrollments. The open-source sample can be found in the [Build an enrollment app](build-enrollment-app.md) guide and on [GitHub](https://github.com/Azure-Samples/cognitive-services-FaceAPIEnrollmentSample), ready for developers to deploy or customize.
+### Sample Face enrollment app
+* The team published a sample Face enrollment app to demonstrate best practices for establishing meaningful consent and creating high-accuracy face recognition systems through high-quality enrollments. The open-source sample can be found in the [Build an enrollment app](build-enrollment-app.md) guide and on [GitHub](https://github.com/Azure-Samples/cognitive-services-FaceAPIEnrollmentSample), ready for developers to deploy or customize.
## August 2020
-* Customer-managed encryption of data at rest: The Face service automatically encrypts your data when persisting it to the cloud. The Face service encryption protects your data to help you meet your organizational security and compliance commitments. By default, your subscription uses Microsoft-managed encryption keys. There is also a new option to manage your subscription with your own keys called customer-managed keys (CMK). More details can be found at [Customer-managed keys](./encrypt-data-at-rest.md).
+### Customer-managed encryption of data at rest
+* The Face service automatically encrypts your data when persisting it to the cloud. The Face service encryption protects your data to help you meet your organizational security and compliance commitments. By default, your subscription uses Microsoft-managed encryption keys. There is also a new option to manage your subscription with your own keys called customer-managed keys (CMK). More details can be found at [Customer-managed keys](./encrypt-data-at-rest.md).
## April 2020
-* New Face API Recognition Model: The new recognition 03 model is the most accurate model currently available. If you're a new customer, we recommend using this model. Recognition 03 will provide improved accuracy for both similarity comparisons and person-matching comparisons. More details can be found at [Specify a face recognition model](./face-api-how-to-topics/specify-recognition-model.md).
+### New Face API Recognition Model
+* The new recognition 03 model is the most accurate model currently available. If you're a new customer, we recommend using this model. Recognition 03 will provide improved accuracy for both similarity comparisons and person-matching comparisons. More details can be found at [Specify a face recognition model](./face-api-how-to-topics/specify-recognition-model.md).
## June 2019
-* Added a new face detection model with improved accuracy on small, side-view, occluded, and blurry faces. Use it through [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250), [LargeFaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a158c10d2de3616c086f2d3), [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b) and [LargePersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599adf2a3a7b9412a4d53f42) by specifying the new face detection model name `detection_02` in `detectionModel` parameter. More details in [How to specify a detection model](Face-API-How-to-Topics/specify-detection-model.md).
+### New Face API detection model
+* The new Detection 02 model features improved accuracy on small, side-view, occluded, and blurry faces. Use it through [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250), [LargeFaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a158c10d2de3616c086f2d3), [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b) and [LargePersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599adf2a3a7b9412a4d53f42) by specifying the new face detection model name `detection_02` in `detectionModel` parameter. More details in [How to specify a detection model](Face-API-How-to-Topics/specify-detection-model.md).
## April 2019
+### Improved attribute accuracy
* Improved overall accuracy of the `age` and `headPose` attributes. The `headPose` attribute is also updated with the `pitch` value enabled now. Use these attributes by specifying them in the `returnFaceAttributes` parameter of [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) `returnFaceAttributes` parameter. -
-* Improved speed of [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250), [LargeFaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a158c10d2de3616c086f2d3), [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b) and [LargePersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599adf2a3a7b9412a4d53f42).
+### Improved processing speeds
+* Improved speeds of [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250), [LargeFaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a158c10d2de3616c086f2d3), [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b) and [LargePersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599adf2a3a7b9412a4d53f42) operations.
## March 2019
-* Added a new face recognition model with improved accuracy. Use it through [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [FaceList - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039524b), [LargeFaceList - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a157b68d2de3616c086f2cc), [PersonGroup - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395244) and [LargePersonGroup - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599acdee6ac60f11b48b5a9d) by specifying the new face recognition model name `recognition_02` in `recognitionModel` parameter. More details in [How to specify a recognition model](Face-API-How-to-Topics/specify-recognition-model.md).
+### New Face API recognition model
+* The Recognition 02 model has improved accuracy. Use it through [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [FaceList - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039524b), [LargeFaceList - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a157b68d2de3616c086f2cc), [PersonGroup - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395244) and [LargePersonGroup - Create](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599acdee6ac60f11b48b5a9d) by specifying the new face recognition model name `recognition_02` in `recognitionModel` parameter. More details in [How to specify a recognition model](Face-API-How-to-Topics/specify-recognition-model.md).
## January 2019
-* Added Snapshot feature to support data migration across subscriptions: [Snapshot](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/snapshot-get). More details in [How to Migrate your face data to a different Face subscription](Face-API-How-to-Topics/how-to-migrate-face-data.md).
+### Face Snapshot feature
+* This feature allows the service to support data migration across subscriptions: [Snapshot](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/snapshot-get). More details in [How to Migrate your face data to a different Face subscription](Face-API-How-to-Topics/how-to-migrate-face-data.md).
## October 2018
+### API messages
* Refined description for `status`, `createdDateTime`, `lastActionDateTime`, and `lastSuccessfulTrainingDateTime` in [PersonGroup - Get Training Status](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395247), [LargePersonGroup - Get Training Status](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599ae32c6ac60f11b48b5aa5), and [LargeFaceList - Get Training Status](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a1582f8d2de3616c086f2cf). ## May 2018
-* Improved `gender` attribute significantly and also improved `age`, `glasses`, `facialHair`, `hair`, `makeup` attributes. Use them through [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) `returnFaceAttributes` parameter.
-
+### Improved attribute accuracy
+* Improved `gender` attribute significantly and also improved `age`, `glasses`, `facialHair`, `hair`, `makeup` attributes. Use them through [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) `returnFaceAttributes` parameter.
+### Increased file size limit
* Increased input image file size limit from 4 MB to 6 MB in [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250), [LargeFaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a158c10d2de3616c086f2d3), [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b) and [LargePersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599adf2a3a7b9412a4d53f42). ## March 2018
-* Added Million-Scale Container: [LargeFaceList](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a157b68d2de3616c086f2cc) and [LargePersonGroup](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599acdee6ac60f11b48b5a9d). More details in [How to use the large-scale feature](Face-API-How-to-Topics/how-to-use-large-scale.md).
-
+### New data structure
+* [LargeFaceList](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/5a157b68d2de3616c086f2cc) and [LargePersonGroup](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599acdee6ac60f11b48b5a9d). More details in [How to use the large-scale feature](Face-API-How-to-Topics/how-to-use-large-scale.md).
* Increased [Face - Identify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239) `maxNumOfCandidatesReturned` parameter from [1, 5] to [1, 100] and default to 10. ## May 2017
+### New detectable Face attributes
* Added `hair`, `makeup`, `accessory`, `occlusion`, `blur`, `exposure`, and `noise` attributes in [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) `returnFaceAttributes` parameter.- * Supported 10K persons in a PersonGroup and [Face - Identify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239).- * Supported pagination in [PersonGroup Person - List](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395241) with optional parameters: `start` and `top`.- * Supported concurrency in adding/deleting faces against different FaceLists and different persons in PersonGroup. ## March 2017
-* Added `emotion` attribute in [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) `returnFaceAttributes` parameter.
-
-* Fixed the face could not be redetected with rectangle returned from [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) as `targetFace` in [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250) and [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b).
-* Fixed the detectable face size to make sure it is strictly between 36x36 to 4096x4096 pixels.
+### New detectable Face attribute
+* Added `emotion` attribute in [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) `returnFaceAttributes` parameter.
+### Fixed issues
+* Face could not be re-detected with rectangle returned from [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) as `targetFace` in [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250) and [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b).
+* The detectable face size is set to ensure it is strictly between 36x36 to 4096x4096 pixels.
## November 2016
+### New subscription tier
* Added Face Storage Standard subscription to store additional persisted faces when using [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b) or [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250) for identification or similarity matching. The stored images are charged at $0.5 per 1000 faces and this rate is prorated on a daily basis. Free tier subscriptions continue to be limited to 1,000 total persons. ## October 2016
-* Changed the error message of more than one face in the targetFace from 'There are more than one face in the image' to 'There is more than one face in the image' in [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250) and [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b).
+### API messages
+* Changed the error message of more than one face in the `targetFace` from 'There are more than one face in the image' to 'There is more than one face in the image' in [FaceList - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395250) and [PersonGroup Person - Add Face](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523b).
## July 2016
+### New features
* Supported Face to Person object authentication in [Face - Verify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523a).- * Added optional `mode` parameter enabling selection of two working modes: `matchPerson` and `matchFace` in [Face - Find Similar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237) and default is `matchPerson`.- * Added optional `confidenceThreshold` parameter for user to set the threshold of whether one face belongs to a Person object in [Face - Identify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239).- * Added optional `start` and `top` parameters in [PersonGroup - List](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395248) to enable user to specify the start point and the total PersonGroups number to list. ## V1.0 changes from V0 * Updated service root endpoint from ```https://westus.api.cognitive.microsoft.com/face/v0/``` to ```https://westus.api.cognitive.microsoft.com/face/v1.0/```. Changes applied to: [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236), [Face - Identify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239), [Face - Find Similar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237) and [Face - Group](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395238).- * Updated the minimal detectable face size to 36x36 pixels. Faces smaller than 36x36 pixels will not be detected.- * Deprecated the PersonGroup and Person data in Face V0. 
Those data cannot be accessed with the Face V1.0 service.- * Deprecated the V0 endpoint of Face API on June 30, 2016.
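Review bot: the rewritten March 2018 bullet under "### New data structure" is a sentence fragment with no verb; the `-` line said what happened ("Added Million-Scale Container") and the `+` line drops it. Prefix the bullet so it reads `* Added the million-scale containers [LargeFaceList](...) and [LargePersonGroup](...).` and make the heading plural ("### New data structures"), since two containers are introduced. In the March 2017 "Fixed issues" list, "strictly between 36x36 to 4096x4096 pixels" should read "between 36x36 and 4096x4096 pixels", and the item is clearer kept as the fix it was ("Fixed the detectable face size so that it is strictly between ...") rather than as a present-tense statement. Lastly, "in `recognitionModel` parameter" in the recognition model bullet needs an article: "in the `recognitionModel` parameter".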
cognitive-services Luis Reference Prebuilt Domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-reference-prebuilt-domains.md
This reference provides information about the [prebuilt domains](./howto-add-pre
The table below summarizes the currently supported domains. Support for English is usually more complete than others.
-| Entity Type | EN-US | ZH-CN | DE | FR | ES | IT | PT-BR | JP | KO | NL | TR |
-|:--:|:-:|:-:|:--:|::|:--:|:-:| :-:| :-:| :-:| :-:| :-:|
-| Calendar | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-|Communication | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| Email | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| HomeAutomation | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| Notes | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| Places | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| RestaurantReservation | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| ToDo | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| Utilities | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| Weather | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| Web | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Entity Type | EN-US | ZH-CN | DE | FR | ES | IT | PT-BR | JP | KO | NL | TR |
+|::|:--:|:--:|:--:|:--:|:--:|:--:|:|:|:|:|:|
+| Calendar | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Communication | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Email | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| HomeAutomation | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Notes | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Places | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| RestaurantReservation | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| ToDo | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Utilities | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Weather | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Web | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
Prebuilt domains are **not supported** in:
## Next steps
-Learn the [simple entity](reference-entity-simple.md).
+Learn the [simple entity](reference-entity-simple.md).
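Review bot: the new delimiter row `|::|:--:|:--:|:--:|:--:|:--:|:--:|:|:|:|:|:|` is still not valid GFM: every delimiter cell needs at least one hyphen, so the leading `::` and the five trailing `:` cells will stop the table from rendering (the `-` version had the same defect in its fourth cell, `::`). Use one consistent cell for all twelve columns, for example `|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|`. The cell-count fix is correct (the old rows carried twelve data cells under eleven headers). Two further points: every check mark appears as `Γ£ô`, which is the CP437 rendering of the UTF-8 bytes for ✓ (U+2713); since other non-ASCII text in this update set (ç, ŋ, ʃ) renders correctly, the file itself likely holds the mojibake and should be re-saved with real ✓ characters. And the first header reads "Entity Type" although the intro sentence and the rows (Calendar, Communication, ...) describe prebuilt domains, so "Domain" would be the accurate header.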
cognitive-services How To Develop Custom Commands Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-develop-custom-commands-application.md
Start by editing the existing `TurnOn` command to turn on and turn off multiple
| **Is Global** | Unselected | | **Required** | Selected | | **Response for required parameter** | **Simple editor** > `Which device do you want to control?` |
- | **Type** | **String** | |
+ | **Type** | **String** |
| **Configuration** | **Accept predefined input values from an internal catalog** | | **Predefined input values** | `tv`, `fan` | | **Aliases** (`tv`) | `television`, `telly` |
cognitive-services Speech Ssml Phonetic Sets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-ssml-phonetic-sets.md
The Speech service phone set puts stress after the vowel of the stressed syllabl
| `sapi` | `ipa` | Example 1 | Example 2 | Example 3 | |--|--|--|--|--|
-| b | `b` | **B**ank | | [<sup>1</sup>](#de-c-1)Pu**b** | |
+| b | `b` | **B**ank | | [<sup>1</sup>](#de-c-1)Pu**b** |
| c | `ç` | **Ch**emie | mögli**ch**st | [<sup>2</sup>](#de-c-2)i**ch** |
-| d | `d` | **d**anken | [<sup>3</sup>](#de-c-3)Len**d**l | [<sup>4</sup>](#de-c-4)Clau**d**e | |
+| d | `d` | **d**anken | [<sup>3</sup>](#de-c-3)Len**d**l | [<sup>4</sup>](#de-c-4)Clau**d**e |
| jh | `ʤ` | **J**eff | gemana**g**t | [<sup>5</sup>](#de-c-5)Chan**g**e |
-| f | `f` | **F**ahrtdauer | angri**ff**slustig | abbruchrei**f** | |
-| g | `g` | **g**ut | | [<sup>6</sup>](#de-c-6)Gre**g** | |
-| h | `h` | **H**ausanbau | | | |
-| y | `j` | **J**od | Reakt**i**on | hu**i** | |
-| k | `k` | **K**oma | Aspe**k**t | Flec**k** | |
-| l | `l` | **l**au | ähne**l**n | zuvie**l** | |
-| m | `m` | **M**ut | A**m**t | Leh**m** | |
-| n | `n` | **n**un | u**n**d | Huh**n** | |
-| ng | `ŋ` | [<sup>7</sup>](#de-c-7)**Ng**uyen | Schwa**nk** | R**ing** | |
-| p | `p` | **P**artner | abru**p**t | Ti**p** | |
-| pf | `pf` | **Pf**erd | dam**pf**t | To**pf** | |
-| r | `ʀ`, `r`, `ʁ` | **R**eise | knu**rr**t | Haa**r** | |
-| s | `s` | [<sup>8</sup>](#de-c-8)**S**taccato | bi**s**t | mie**s** | |
-| sh | `ʃ` | **Sch**ule | mi**sch**t | lappi**sch** | |
-| t | `t` | **T**raum | S**t**raße | Mu**t** | |
-| ts | `ts` | **Z**ug | Ar**z**t | Wit**z** | |
-| ch | `tʃ` | **Tsch**echien | aufgepu**tsch**t | bundesdeu**tsch** | |
-| v | `v` | **w**inken | Q**u**alle | [<sup>9</sup>](#de-c-9)Gr**oo**ve | |
+| f | `f` | **F**ahrtdauer | angri**ff**slustig | abbruchrei**f** |
+| g | `g` | **g**ut | [<sup>6</sup>](#de-c-6)Gre**g** | |
+| h | `h` | **H**ausanbau | | |
+| y | `j` | **J**od | Reakt**i**on | hu**i** |
+| k | `k` | **K**oma | Aspe**k**t | Flec**k** |
+| l | `l` | **l**au | ähne**l**n | zuvie**l** |
+| m | `m` | **M**ut | A**m**t | Leh**m** |
+| n | `n` | **n**un | u**n**d | Huh**n** |
+| ng | `ŋ` | [<sup>7</sup>](#de-c-7)**Ng**uyen | Schwa**nk** | R**ing** |
+| p | `p` | **P**artner | abru**p**t | Ti**p** |
+| pf | `pf` | **Pf**erd | dam**pf**t | To**pf** |
+| r | `ʀ`, `r`, `ʁ` | **R**eise | knu**rr**t | Haa**r** |
+| s | `s` | [<sup>8</sup>](#de-c-8)**S**taccato | bi**s**t | mie**s** |
+| sh | `ʃ` | **Sch**ule | mi**sch**t | lappi**sch** |
+| t | `t` | **T**raum | S**t**raße | Mu**t** |
+| ts | `ts` | **Z**ug | Ar**z**t | Wit**z** |
+| ch | `tʃ` | **Tsch**echien | aufgepu**tsch**t | bundesdeu**tsch** |
+| v | `v` | **w**inken | Q**u**alle | [<sup>9</sup>](#de-c-9)Gr**oo**ve |
| x | [<sup>10</sup>](#de-c-10)`x`,[<sup>11</sup>](#de-c-11)`ç` | [<sup>12</sup>](#de-c-12)Ba**ch**erach | Ma**ch**t mögli**ch**st | Schma**ch** 'i**ch** |
-| z | `z` | **s**uper | | | |
+| z | `z` | **s**uper | | |
| zh | `ʒ` | **G**enre | B**re**ezinski | Edvi**g**e | <a id="de-c-1"></a>
The Speech service phone set for `ja-JP` is based on the native phone <a href="h
| 所有者 | ショュ'ウ?ャ | ɕjojɯˈwɯɕja | | 最適化 | サィテキカ+ | sajitecikaˌ |
-***
+***
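Review bot: the `g` row moves its word-final example into the wrong column. The `-` line had Gre**g** under Example 3 with Example 2 empty; the `+` line removes the empty cell rather than the trailing one, so Gre**g** now sits under Example 2 and Example 3 is blank. The `b` row directly above (Pu**b**, also word-final) keeps Example 3 after its trailing cell is dropped, so the `g` line should keep the empty Example 2 cell: `**g**ut | | [<sup>6</sup>](#de-c-6)Gre**g** |`. The remaining trailing-cell cleanup matches the five-column header.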
cognitive-services Cognitive Services And Machine Learning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-and-machine-learning.md
Cognitive Services provides machine learning capabilities to solve general probl
|[Search](https://azure.microsoft.com/services/cognitive-services/directory/search/)|Add Bing Search APIs to your apps and harness the ability to comb billions of webpages, images, videos, and news with a single API call.| |[Speech](https://azure.microsoft.com/services/cognitive-services/directory/speech/)|Convert speech into text and text into natural-sounding speech. Translate from one language to another and enable speaker verification and recognition.| |[Vision](https://azure.microsoft.com/services/cognitive-services/directory/vision/)|Recognize, identify, caption, index, and moderate your pictures, videos, and digital ink content.|
-||||
Use Cognitive Services when you:
Cognitive Services that provide exported models for other machine learning tools
* Learn how to [authenticate](authentication.md) to a Cognitive Service. * Use [diagnostic logging](diagnostic-logging.md) for issue identification and debugging. * Deploy a Cognitive Service in a Docker [container](cognitive-services-container-support.md).
-* Keep up to date with [service updates](https://azure.microsoft.com/updates/?product=cognitive-services).
+* Keep up to date with [service updates](https://azure.microsoft.com/updates/?product=cognitive-services).
cognitive-services Container Image Tags https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/containers/container-image-tags.md
Previously updated : 11/17/2020 Last updated : 03/25/2020
This container image has the following tags available. You can also find a full
| `3.0-nl` | Sentiment Analysis v3 (Dutch) | | `2.1` | Sentiment Analysis v2 | +
+## Text Analytics for health
+
+The [Text Analytics for health][ta-he] container image can be found on the `mcr.microsoft.com` container registry syndicate. It resides within the `azure-cognitive-services/textanalytics/` repository and is named `healthcare`. The fully qualified container image name is `mcr.microsoft.com/azure-cognitive-services/textanalytics/healthcare`
+
+This container image has the following tags available. You can also find a full list of [tags on the MCR](https://mcr.microsoft.com/v2/azure-cognitive-services/textanalytics/healthcare/tags/list).
++
+Release notes for `3.0.015490002-onprem-amd64`:
+
+* new model-version `2021-03-01`
+* Container released to MCR.
+
+| Image Tags | Notes |
+||:-|
+| `latest` | |
+| `3.0.015490002-onprem-amd64` | |
+ [ad-containers]: ../anomaly-Detector/anomaly-detector-container-howto.md [cv-containers]: ../computer-vision/computer-vision-how-to-install-containers.md [fa-containers]: ../face/face-how-to-install-containers.md
This container image has the following tags available. You can also find a full
[ta-kp]: ../text-analytics/how-tos/text-analytics-how-to-install-containers.md?tabs=keyphrase [ta-la]: ../text-analytics/how-tos/text-analytics-how-to-install-containers.md?tabs=language [ta-se]: ../text-analytics/how-tos/text-analytics-how-to-install-containers.md?tabs=sentiment
+[ta-he]: ../text-analytics/how-tos/text-analytics-how-to-install-containers.md?tabs=healthcare
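Review bot: the delimiter row `||:-|` in the new Image Tags table has an empty first cell, which is not a valid GFM delimiter; use `|--|:-|`. The Notes column is empty for both tags even though the release notes above state what changed, so consider putting "new model-version `2021-03-01`" in the Notes cell of the `3.0.015490002-onprem-amd64` row, as the sentiment table above does (`| 3.0-nl | Sentiment Analysis v3 (Dutch) |`). Two smaller points: the sentence ending `...textanalytics/healthcare` in the third `+` line has no terminating period, and the line shown as `++` adds a line containing a bare `+`, which renders as a literal plus sign; if a blank line was intended, drop the extra character. Also, the frontmatter change shows `Last updated : 03/25/2020`, which is earlier than the previous `11/17/2020`; that most likely should be 2021.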
cognitive-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/policy-reference.md
Title: Built-in policy definitions for Azure Cognitive Services description: Lists Azure Policy built-in policy definitions for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
cognitive-services Security Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/security-baseline.md
description: The Cognitive Services security baseline provides procedural guidan
Previously updated : 02/17/2021 Last updated : 03/30/2021
# Azure security baseline for Cognitive Services
-This security
-baseline applies guidance from the [Azure Security Benchmark version
-1.0](../security/benchmarks/overview-v1.md) to Cognitive Services. The Azure Security Benchmark
-provides recommendations on how you can secure your cloud solutions on Azure.
-The content is grouped by the **security controls** defined by the Azure
-Security Benchmark and the related guidance applicable to Cognitive Services. **Controls** not applicable to Cognitive Services have been excluded.
+This security baseline applies guidance from the [Azure Security Benchmark version1.0](../security/benchmarks/overview-v1.md) to Cognitive Services. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the **security controls** defined by the Azure Security Benchmark and the related guidance applicable to Cognitive Services. **Controls** not applicable to Cognitive Services, or for which the responsibility is Microsoft's, have been excluded.
-
-To see how Cognitive Services completely maps to the Azure
-Security Benchmark, see the [full Cognitive Services security baseline mapping
-file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
+To see how Cognitive Services completely maps to the Azure Security Benchmark, see the [full Cognitive Services security baseline mapping file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
## Network Security
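Review bot: the re-flowed paragraph lost the space in "[Azure Security Benchmark version1.0]": the `-` lines split "version" and "1.0" across a line break, so the joined `+` line should read `[Azure Security Benchmark version 1.0](../security/benchmarks/overview-v1.md)`. The added clause about excluding controls that are Microsoft's responsibility is fine.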
file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Of
Virtual network and service endpoint support for Cognitive Services is limited to a specific set of regions. -- [How to configure Azure Cognitive Services virtual networks](./cognitive-services-virtual-networks.md?tabs=portal)
+- [How to configure Azure Cognitive Services virtual networks](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-virtual-networks?tabs=portal)
- [Overview of Azure Virtual Networks](../virtual-network/virtual-networks-overview.md)
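Review bot: this hunk swaps a repo-relative link (`./cognitive-services-virtual-networks.md?tabs=portal`) for an absolute `https://docs.microsoft.com/azure/...` URL while the neighbouring bullet keeps the relative form (`../virtual-network/virtual-networks-overview.md`); the docs build validates relative links and flags absolute docs.microsoft.com URLs, and relative links survive domain and locale changes. The same swap appears in the container-security, Application Security Groups, Azure AD authentication, Customer Lockbox and Redis access-key hunks further down this file. If the baseline generator requires non-repo links, the site-relative form already used for the Azure Monitor links below (`/azure/cognitive-services/cognitive-services-virtual-networks?tabs=portal`) is the more consistent choice.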
Bear in mind that Cognitive Services containers are required to submit metering
Also note that you must disable deep packet inspection for your firewall solution on the secure channels that the Cognitive Services containers create to Microsoft servers. Failure to do so will prevent the container from functioning correctly. -- [Understand Azure Cognitive Services container security](./cognitive-services-container-support.md#azure-cognitive-services-container-security)
+- [Understand Azure Cognitive Services container security](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-container-support#azure-cognitive-services-container-security)
**Responsibility**: Customer
If you are using Cognitive Services within a container, you may augment your con
- [How to create an Azure Blueprint](../governance/blueprints/create-blueprint-portal.md) -- [Understand Azure Cognitive Services container security](./cognitive-services-container-support.md#azure-cognitive-services-container-security)
+- [Understand Azure Cognitive Services container security](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-container-support#azure-cognitive-services-container-security)
**Responsibility**: Customer
Bear in mind that Cognitive Services containers are required to submit metering
Also note that you must disable deep packet inspection for your firewall solution on the secure channels that the Cognitive Services containers create to Microsoft servers. Failure to do so will prevent the container from functioning correctly. -- [Understand Azure Cognitive Services container security](./cognitive-services-container-support.md#azure-cognitive-services-container-security)
+- [Understand Azure Cognitive Services container security](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-container-support#azure-cognitive-services-container-security)
- [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/?term=Firewall)
Bear in mind that Cognitive Services containers are required to submit metering
Also note that you must disable deep packet inspection for your firewall solution on the secure channels that the Cognitive Services containers create to Microsoft servers. Failure to do so will prevent the container from functioning correctly. -- [Understand Azure Cognitive Services container security](./cognitive-services-container-support.md#azure-cognitive-services-container-security)
+- [Understand Azure Cognitive Services container security](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-container-support#azure-cognitive-services-container-security)
**Responsibility**: Customer
You may also use application security groups to help simplify complex security c
- [Virtual network service tags](../virtual-network/service-tags-overview.md) -- [Application Security Groups](../virtual-network/network-security-groups-overview.md#application-security-groups)
+- [Application Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups)
**Responsibility**: Customer
You can also use Azure Blueprints to simplify large-scale Azure deployments by p
**Guidance**: Use the Azure Activity log to monitor network resource configurations and detect changes for network resources related to your Cognitive Services container. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place. -- [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](/azure/azure-monitor/platform/activity-log#view-the-activity-log)
-- [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
+- [How to create alerts in Azure Monitor](/azure/azure-monitor/platform/alerts-activity-log)
**Responsibility**: Customer
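Review bot: the new targets `/azure/azure-monitor/platform/activity-log#view-the-activity-log` and `/azure/azure-monitor/platform/alerts-activity-log` point at the older `platform/` folder, whereas the links being removed point at `../azure-monitor/essentials/activity-log.md` and `../azure-monitor/alerts/alerts-activity-log.md`, which are the articles' current locations; the `platform/` paths only resolve through redirects. Keep the `essentials/` and `alerts/` paths, and likewise keep `logs/manage-cost-storage` in the retention hunk below instead of `platform/manage-cost-storage`.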
You can also use Azure Blueprints to simplify large-scale Azure deployments by p
**Guidance**: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Activity logs provide insight into the operations that were performed on your Cognitive Services container at the control plane level. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your Azure Cache for Redis instances. -- [How to enable Diagnostic Settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
+- [How to enable Diagnostic Settings for Azure Activity Log](/azure/azure-monitor/platform/activity-log)
**Responsibility**: Customer
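Review bot: the unchanged guidance text in this hunk still ends with "for your Azure Cache for Redis instances" in a paragraph about Cognitive Services; this is copy-paste residue from another baseline and should read "for your Cognitive Services resources". The link change has the same `platform/activity-log` versus `essentials/activity-log.md` concern as the hunk above.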
You can also use Azure Blueprints to simplify large-scale Azure deployments by p
Additionally, Cognitive Services sends diagnostics events that can be collected and used for the purposes of analysis, alerting and reporting. You can configure diagnostics settings for a Cognitive Services container via the Azure portal. You can send one or more diagnostics events to a Storage Account, Event Hub, or a Log Analytics workspace. -- [How to enable Diagnostic Settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
+- [How to enable Diagnostic Settings for Azure Activity Log](/azure/azure-monitor/platform/diagnostic-settings-legacy)
- [Using diagnostic settings to for Azure Cognitive Services](diagnostic-logging.md)
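Review bot: the link text "How to enable Diagnostic Settings for Azure Activity Log" no longer matches its target: the `+` line points at `/azure/azure-monitor/platform/diagnostic-settings-legacy`, a legacy page about resource diagnostic settings, not the Activity Log. Since the paragraph is about sending a resource's diagnostics events to a Storage Account, Event Hub or Log Analytics workspace, rename the link to describe resource diagnostic settings and point it at the non-legacy diagnostic-settings article. Also, the unchanged bullet below has a typo: "Using diagnostic settings to for Azure Cognitive Services".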
Additionally, Cognitive Services sends diagnostics events that can be collected
**Guidance**: Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term/archival storage. -- [How to set log retention parameters for Log Analytics Workspaces](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
+- [How to set log retention parameters for Log Analytics Workspaces](/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period)
**Responsibility**: Customer
Additionally, Cognitive Services sends diagnostics events that can be collected
**Guidance**: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace. These logs provide rich, frequent data about the operation of a resource that are used for issue identification and debugging. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the Activity Log Data that may have been collected for Azure Cognitive Services. -- [How to enable Diagnostic Settings for Azure Activity Log](../azure-monitor/essentials/activity-log.md)
+- [How to enable Diagnostic Settings for Azure Activity Log](/azure/azure-monitor/platform/activity-log)
-- [How to collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor](../azure-monitor/essentials/activity-log.md)
+- [How to collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor](/azure/azure-monitor/platform/activity-log)
**Responsibility**: Customer
Configure diagnostic settings for your Cognitive Services container and send log
- [How to onboard Azure Sentinel](../sentinel/quickstart-onboard.md) -- [Create, view, and manage log alerts using Azure Monitor](../azure-monitor/alerts/alerts-log.md)
+- [Create, view, and manage log alerts using Azure Monitor](/azure/azure-monitor/platform/alerts-log)
**Responsibility**: Customer
Configure diagnostic settings for your Cognitive Services container and send log
**Guidance**: Azure Active Directory (Azure AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups. -- [How to get a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole)
-- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember)
**Responsibility**: Customer
Data plane access to Cognitive Services is controlled through access keys. These
It is not recommended that you build default passwords into your application. Instead, you can store your passwords in Azure Key Vault and then use Azure AD to retrieve them. -- [How to regenerate Azure Cache for Redis access keys](../azure-cache-for-redis/cache-configure.md#settings)
+- [How to regenerate Azure Cache for Redis access keys](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-configure#settings)
**Responsibility**: Customer
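Review bot: this bullet links to "How to regenerate Azure Cache for Redis access keys" in the Cognitive Services baseline; the hunk only converts the link to an absolute URL and keeps the Redis target, which looks like copy-paste from the Redis baseline. The paragraph is about Cognitive Services access keys, so the link should point at the Cognitive Services authentication and key guidance referenced elsewhere in this file instead.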
In addition, use Azure AD risk detections to view alerts and reports on risky us
Currently, only the Computer Vision API, Face API, Text Analytics API, Immersive Reader, Form Recognizer, Anomaly Detector, and all Bing services except Bing Custom Search support authentication using Azure AD. -- [How to authenticate requests to Cognitive Services](./authentication.md#authenticate-with-azure-active-directory)
+- [How to authenticate requests to Cognitive Services](https://docs.microsoft.com/azure/cognitive-services/authentication#authenticate-with-azure-active-directory)
**Responsibility**: Customer
Customer to maintain inventory of API Management user accounts, reconcile access
- [How to manage user accounts in Azure API Management](../api-management/api-management-howto-create-or-invite-developers.md) -- [How to get list of API Management users](/powershell/module/az.apimanagement/get-azapimanagementuser?amp;preserve-view=true&view=azps-4.8.0)
+- [How to get list of API Management users](/powershell/module/az.apimanagement/get-azapimanagementuser)
- [How to use Azure Identity Access Reviews](../active-directory/governance/access-reviews-overview.md)
You can streamline this process by creating diagnostic settings for Azure AD use
**Guidance**: Not available for Cognitive Services. Customer Lockbox is not yet supported for Cognitive Services. -- [List of Customer Lockbox-supported services](../security/fundamentals/customer-lockbox-overview.md#supported-services-and-scenarios-in-general-availability)
+- [List of Customer Lockbox-supported services](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview#supported-services-and-scenarios-in-general-availability)
**Responsibility**: Customer
Microsoft manages the underlying platform and treats all customer content as sen
You may also use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. -- [List of services that encrypt information at rest](./encryption/cognitive-services-encryption-keys-portal.md)
+- [List of services that encrypt information at rest](/azure/cognitive-services/encryption/cognitive-services-encryption-keys-portal)
**Responsibility**: Customer
You may also use Azure Key Vault to store your customer-managed keys. You can ei
**Guidance**: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production instances of Cognitive Services and other critical or related resources. -- [How to create alerts for Azure Activity Log events](../azure-monitor/alerts/alerts-activity-log.md)
+- [How to create alerts for Azure Activity Log events](/azure/azure-monitor/platform/alerts-activity-log)
**Responsibility**: Customer
Although classic Azure resources may be discovered via Resource Graph, it is hig
- [How to create queries with Azure Resource Graph](../governance/resource-graph/first-query-portal.md) -- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription?amp;preserve-view=true&view=azps-4.8.0)
+- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription)
- [Understand Azure RBAC](../role-based-access-control/overview.md)
In addition, use Azure Resource Graph to query or discover resources within the
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md) -- [How to deny a specific resource type with Azure Policy](../governance/policy/samples/built-in-policies.md#general)
+- [How to deny a specific resource type with Azure Policy](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies#general)
**Responsibility**: Customer
In addition, use Azure Resource Graph to query or discover resources within the
**Guidance**: Define and implement standard security configurations for your Cognitive Services container with Azure Policy. Use Azure Policy aliases in the "Microsoft.CognitiveServices" namespace to create custom policies to audit or enforce the configuration of your Azure Cache for Redis instances. -- [How to view available Azure Policy Aliases](/powershell/module/az.resources/get-azpolicyalias?amp;preserve-view=true&view=azps-4.8.0)
+- [How to view available Azure Policy Aliases](/powershell/module/az.resources/get-azpolicyalias)
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md)
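Review bot: the guidance sentence in this hunk tells the reader to audit or enforce the configuration of "your Azure Cache for Redis instances" in a document about Cognitive Services containers; that is a copy-paste leftover and should read "your Cognitive Services resources". The policy alias namespace `Microsoft.CognitiveServices` on the same line is the right one for that. The `+` line otherwise only unpins the Get-AzPolicyAlias link (see the earlier comment about dropped `view=` parameters).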
In addition, use Azure Resource Graph to query or discover resources within the
**Guidance**: If you are using custom Azure Policy definitions or Azure Resource Manager templates for your Cognitive Services containers and related resources, use Azure Repos to securely store and manage your code. -- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow?amp;preserve-view=true&view=azure-devops)
+- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow)
-- [Azure Repos Documentation](/azure/devops/repos/?amp;preserve-view=true&view=azure-devops)
+- [Azure Repos Documentation](/azure/devops/repos/)
**Responsibility**: Customer
In addition, use Azure Resource Graph to query or discover resources within the
- [How to integrate with Azure Managed Identities](../azure-app-configuration/howto-integrate-azure-managed-service-identity.md) -- [How to create a Key Vault](../key-vault/secrets/quick-create-portal.md)
+- [How to create a Key Vault](/azure/key-vault/quick-create-portal)
- [How to authenticate to Key Vault](../key-vault/general/authentication.md)
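Review bot: the `+` line changes the Key Vault quickstart target from `../key-vault/secrets/quick-create-portal.md` to `/azure/key-vault/quick-create-portal`, dropping the `secrets/` path segment. If the page lives under the secrets folder the new link will redirect or 404; verify the target, or keep the relative path so the build checks it.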
You can also use lifecycle management feature to back up data to the Archive tie
- [Overview of Azure Resource Manager](../azure-resource-manager/management/overview.md) -- [How to create a Cognitive Services resource using an Azure Resource Manager template](./create-account-resource-manager-template.md?tabs=portal)
+- [How to create a Cognitive Services resource using an Azure Resource Manager template](https://docs.microsoft.com/azure/cognitive-services/resource-manager-template?tabs=portal)
- [Single and multi-resource export to a template in Azure portal](../azure-resource-manager/templates/export-template-portal.md)
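Review bot: the `+` line points at a different slug than the link it replaces: `./create-account-resource-manager-template.md?tabs=portal` becomes `https://docs.microsoft.com/azure/cognitive-services/resource-manager-template?tabs=portal`. Confirm that `resource-manager-template` is a live page rather than a stale alias; if the article was renamed, the relative `.md` link is exactly the case the build would have caught.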
You can also use lifecycle management feature to back up data to the Archive tie
- [Introduction to Azure Automation](../automation/automation-intro.md) -- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey)
**Responsibility**: Customer
You can also use lifecycle management feature to back up data to the Archive tie
- [Deploy resources with ARM templates and Azure portal](../azure-resource-manager/templates/deploy-portal.md) -- [How to restore key vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to restore key vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey)
**Responsibility**: Customer
You can also use lifecycle management feature to back up data to the Archive tie
Use Azure role-based access control to protect customer-managed keys. Enable Soft-Delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. -- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow?amp;preserve-view=true&view=azure-devops)
+- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow)
- [About permissions and groups in Azure DevOps](/azure/devops/organizations/security/about-permissions)
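Review bot: the references in this hunk do not support the guidance they follow. The paragraph tells the reader to protect customer-managed keys with Azure RBAC and to enable soft-delete and purge protection in Key Vault, but both links are about storing code in Azure DevOps and Azure DevOps permissions. Add the Key Vault soft-delete and purge-protection documentation and the Key Vault access-control guidance here, and move the Azure DevOps links under the separate "store your templates and policies in source control" point if they are still wanted.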
Additionally, clearly mark subscriptions (for ex. production, non-prod) and crea
## Next steps -- See the [Azure Security Benchmark V2 overview](../security/benchmarks/overview.md)-- Learn more about [Azure security baselines](../security/benchmarks/security-baselines-overview.md)
+- See the [Azure Security Benchmark V2 overview](/azure/security/benchmarks/overview)
+- Learn more about [Azure security baselines](/azure/security/benchmarks/security-baselines-overview)
cognitive-services Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cognitive Services description: Lists Azure Policy Regulatory Compliance controls available for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
cognitive-services Text Analytics How To Install Containers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/how-tos/text-analytics-how-to-install-containers.md
Previously updated : 03/02/2021 Last updated : 03/25/2021 keywords: on-premises, Docker, container, sentiment analysis, natural language processing
You must meet the following prerequisites before using Text Analytics containers
[!INCLUDE [Gathering required parameters](../../containers/includes/container-gathering-required-parameters.md)]
+If you're using the Text Analytics for health container, the [responsible AI](https://docs.microsoft.com/legal/cognitive-services/text-analytics/transparency-note-health) (RAI) acknowledgment must also be present with a value of `accept`.
+ ## The host computer [!INCLUDE [Host Computer requirements](../../../../includes/cognitive-services-containers-host-computer.md)]
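Review bot: the added sentence about the Text Analytics for health container says the responsible AI (RAI) acknowledgment "must also be present with a value of `accept`" but does not say where: which container setting, environment variable or `docker run` argument carries it. Without the parameter name the reader cannot satisfy the requirement; name it in the sentence, or in the "Gathering required parameters" include that precedes it.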
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/whats-new.md
Previously updated : 03/18/2021 Last updated : 03/25/2021
The Text Analytics API is updated on an ongoing basis. To stay up-to-date with r
* A new `Date` entity type. * Assertion detection which replaces negation detection (only available in API v3.1-preview.4). * A new preferred `name` property for linked entities that is normalized from various ontologies and coding systems (only available in API v3.1-preview.4).
-* A new container image with tag `3.0.015370001-onprem-amd64` and the new model-version `2021-03-01` has been released to the container preview repository.
-* The Text Analytics for health container image will be moving to a new repository next month. Please watch for an email communication on the location of its new home.
+* A new container image with tag `3.0.015490002-onprem-amd64` and the new model-version `2021-03-01` has been released to the container preview repository.
+ * This container image will no longer be available for download from `containerpreview.azurecr.io` after April 26th, 2021.
+* A new Text Analytics for health container image with this same model-version is now available at `mcr.microsoft.com/azure-cognitive-services/textanalytics/healthcare`. Starting April 26th, you will only be able to download the container from this repository.
+ > [!div class="nextstepaction"] > [Learn more about Text Analytics for health](how-tos/text-analytics-for-health.md)
->
### Text Analytics resource portal update * **Processed Text Records** is now available as a metric in the **Monitoring** section for your Text Analytics resource in the Azure portal.
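Review bot: the migration bullets leave readers without what they need to pull the same model after the move. The preview-repository bullet names the image tag `3.0.015490002-onprem-amd64`, but the new `mcr.microsoft.com/azure-cognitive-services/textanalytics/healthcare` bullet gives no tag, and it says "Starting April 26th" without the year that the previous bullet spells out (April 26th, 2021). Add the tag (or state that it is unchanged) and the year, so a reader pulling from MCR can be sure they get model-version `2021-03-01`.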
communication-services Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/known-issues.md
-# Known issues: Azure Communication Services SDKs
-This article provides information about limitations and known issues related to the Azure Communication Services SDKs.
+# Known issues: Azure Communication Services Calling SDKs
+This article provides information about limitations and known issues related to the Azure Communication Services Calling SDKs.
> [!IMPORTANT] > There are multiple factors that can affect the quality of your calling experience. Refer to the **[network requirements](https://docs.microsoft.com/azure/communication-services/concepts/voice-video-calling/network-requirements)** documentation to learn more about Communication Services network configuration and testing best practices.
Applications can't enumerate/select mic/speaker devices (like Bluetooth) on Safa
If you're using Safari on macOS, your app will not be able to enumerate/select speakers through the Communication Services Device Manager. In this scenario, devices must be selected via the OS. If you use Chrome on macOS, the app can enumerate/select devices through the Communication Services Device Manager. ### Audio connectivity is lost when receiving SMS messages or calls during an ongoing VoIP call
-Mobile browsers don't maintain connectivity while in the background state. This can lead to a degraded call experience if the VoIP call was interrupted by an event that pushes your application into the background.
+This problem may occur due to multiple reasons:
+
+- Some mobile browsers don't maintain connectivity while in the background state. This can lead to a degraded call experience if the VoIP call was interrupted by an event that pushes your application into the background.
+- Sometimes, an SMS or PSTN call captures the audio sound, and doesn't release audio back to the VoIP call. Apple fixed this issue in iOS versions 14.4.1+.
<br/>Client library: Calling (JavaScript) <br/>Browsers: Safari, Chrome
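Review bot: the second new cause ("an SMS or PSTN call captures the audio sound, and doesn't release audio back to the VoIP call. Apple fixed this issue in iOS versions 14.4.1+") does not say whether it also applies to the Chrome entry on the unchanged "Browsers: Safari, Chrome" line. Chrome on iOS uses the same WebKit engine and would presumably be covered by the same fix, while Chrome on Android would not; say which platform and browser combinations remain affected. Minor wording: "may occur due to multiple reasons" reads better as "can occur for several reasons", and "audio sound" as just "audio".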
communication-services Pricing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/pricing.md
Alice made a group call with her colleagues, Bob and Charlie. Alice and Bob used
**Total cost for the group call**: $0.48 + $0.172 = $0.652 +
+### Pricing example: Outbound Call from app using JS SDK to a PSTN number
+
+Alice makes a PSTN Call from an app to Bob on his US phone number beginning with `+1-425`.
+
+- Alice used the JS SDK to build the app.
+- The call lasts a total of 5 minutes.
+
+**Cost calculations**
+
+- 1 participant on the VoIP leg (Alice) from App to Communication Services servers x 10 minutes x $0.004 per participant leg per minute = $0.04
+- 1 participant on the PSTN outbound leg (Charlie) from Communication Services servers to a US telephone number x 10 minutes x $0.013 per participant leg per minute = $0.13.
+
+Note: USA mixed rates to `+1-425` is $0.013. Refer to the following link for details: https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)
+
+**Total cost for the group call**: $0.04 + $0.13 = $0.17
++
+### Pricing example: Group audio call using JS SDK and 1 PSTN leg
+
+Alice and Bob are on a VOIP Call. Bob escalated the call to Charlie on Charlie's PSTN number, a US phone number beginning with `+1-425`.
+
+- Alice used the JS SDK to build the app. They spoke for 10 minutes before calling Charlie on the PSTN number.
+- Once Bob escalated the call to Charlie on his PSTN number, the three of them spoke for another 10 minutes.
+
+**Cost calculations**
+
+- 2 participants on the VoIP leg (Alice and Bob) from App to Communication Services servers x 20 minutes x $0.004 per participant leg per minute = $0.16
+- 1 participant on the PSTN outbound leg (Charlie) from Communication Services servers to US Telephone number x 10 minutes x $0.013 per participant leg per minute = $0.13
+
+Note: USA mixed rates to `+1-425` is $0.013. Refer to the following link for details: https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)
+
+**Total cost for the VoIP + escalation call**: $0.16 + $0.13 = $.29
++ ### Pricing example: A user of the Communication Services JavaScript SDK joins a scheduled Microsoft Teams meeting Alice is a doctor meeting with her patient, Bob. Alice will be joining the visit from the Teams Desktop application. Bob will receive a link to join using the healthcare provider website, which connects to the meeting using the Communication Services JavaScript SDK. Bob will use his mobile phone to enter the meeting using a web browser (iPhone with Safari). Chat will be available during the virtual visit.
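Review bot: the new "Outbound Call from app using JS SDK to a PSTN number" example does not add up internally. The scenario says the call lasts 5 minutes, but both legs are priced at 10 minutes ($0.04 and $0.13 are the 10-minute figures; at 5 minutes they would be $0.02 and $0.065); the PSTN leg is attributed to "Charlie", who is not in this example (the callee is Bob); and the total is labelled "group call" although it is a one-to-one call. In the escalation example the arithmetic checks out (2 x 20 x $0.004 = $0.16, 1 x 10 x $0.013 = $0.13), but the total is written "$.29" rather than "$0.29", "VOIP Call" should match "VoIP" used elsewhere, both "Refer to the following link for details" sentences end with an unmatched ")", and the lone "++" line looks like an accidentally added blank line.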
communication-services Calling Sdk Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/voice-video-calling/calling-sdk-features.md
# Calling SDK overview
-There are two separate families of Calling SDKs, for *clients* and *services.* Currently available SDKs are intended for end-user experiences: websites and native apps.
+The Calling SDK enables end-user devices to drive voice and video communication experiences. This page provides detailed descriptions of Calling features, including platform and browser support information. To get started right away, please check out [Calling quickstarts](../../quickstarts/voice-video-calling/getting-started-with-calling.md) or [Calling hero sample](../../samples/calling-hero-sample.md).
-The Service SDKs are not yet available, and provide access to the raw voice and video data planes, suitable for integration with bots and other services.
+Once you've started development, check out the [known issues page](../known-issues.md) to find bugs we're working on.
-## Calling SDK capabilities
+Key features of the Calling SDK:
+
+- **Addressing** - Azure Communication Services provides generic [identities](../identity-model.md) that are used to address communication endpoints. Clients use these identities to authenticate to the service and communicate with each other. These identities are used in Calling APIs that provides clients visibility into who is connected to a call (the roster).
+- **Encryption** - The Calling SDK encrypts traffic and prevents tampering on the wire.
+- **Device Management and Media** - The Calling SDK provides facilities for binding to audio and video devices, encodes content for efficient transmission over the communications dataplane, and renders content to output devices and views that you specify. APIs are also provided for screen and application sharing.
+- **PSTN** - The Calling SDK can receive and initiate voice calls with the traditional publically switched telephony system, [using phone numbers you acquire in the Azure portal](../../quickstarts/telephony-sms/get-phone-number.md) or programmatically.
+- **Teams Meetings** - The Calling SDK can [join Teams meetings](../../quickstarts/voice-video-calling/get-started-teams-interop.md) and interact with the Teams voice and video dataplane.
+- **Notifications** - The Calling SDK provides APIs allowing clients to be notified of an incoming call. In situations where your app is not running in the foreground, patterns are available to [fire pop-up notifications](../notifications.md) ("toasts") to inform end-users of an incoming call.
+
+## Detailed capabilities
The following list presents the set of features which are currently available in the Azure Communication Services Calling SDKs.
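Review bot: the new "Encryption" bullet makes a broad security claim ("encrypts traffic and prevents tampering on the wire") without saying what is covered. Readers will cite this page in security reviews, so state separately how signaling and media are protected (or link to the page that does), and do not say "prevents tampering" unless integrity protection is actually what is guaranteed. Wording nits in the same list: "Calling APIs that provides" should be "provide", and "publically switched telephony system" should be "public switched telephone network (PSTN)".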
The following list presents the set of features which are currently available in
| | Promote a one-to-one call with two users into a group call with more than two users | ✔️ | ✔️ | ✔️ | | Join a group call after it has started | ✔️ | ✔️ | ✔️ | | Invite another VoIP participant to join an ongoing group call | ✔️ | ✔️ | ✔️
-| Mid call control | Turn your video on/off | ✔️ | ✔️ | ✔️
-| | Mute/Unmute mic | ✔️ | ✔️ | ✔️
-| | Switch between cameras | ✔️ | ✔️ | ✔️
-| | Local hold/un-hold | ✔️ | ✔️ | ✔️
-| | Active speaker | ✔️ | ✔️ | ✔️
-| | Choose speaker for calls | ✔️ | ✔️ | ✔️
-| | Choose microphone for calls | ✔️ | ✔️ | ✔️
-| | Show state of a participant<br/>*Idle, Early media, Connecting, Connected, On hold, In Lobby, Disconnected* | ✔️ | ✔️ | ✔️
-| | Show state of a call<br/>*Early Media, Incoming, Connecting, Ringing, Connected, Hold, Disconnecting, Disconnected* | ✔️ | ✔️ | ✔️
-| | Show if a participant is muted | ✔️ | ✔️ | ✔️
-| | Show the reason why a participant left a call | ✔️ | ✔️ | ✔️
-| Screen sharing | Share the entire screen from within the application | ✔️ | ❌ | ❌
-| | Share a specific application (from the list of running applications) | ✔️ | ❌ | ❌
-| | Share a web browser tab from the list of open tabs | ✔️ | ❌ | ❌
-| | Participant can view remote screen share | ✔️ | ✔️ | ✔️
-| Roster | List participants | ✔️ | ✔️ | ✔️
-| | Remove a participant | ✔️ | ✔️ | ✔️
-| PSTN | Place a one-to-one call with a PSTN participant | ✔️ | ✔️ | ✔️
+| Mid call control | Turn your video on/off | ✔️ | ✔️ | ✔️
+| | Mute/Unmute mic | ✔️ | ✔️ | ✔️
+| | Switch between cameras | ✔️ | ✔️ | ✔️
+| | Local hold/un-hold | ✔️ | ✔️ | ✔️
+| | Active speaker | ✔️ | ✔️ | ✔️
+| | Choose speaker for calls | ✔️ | ✔️ | ✔️
+| | Choose microphone for calls | ✔️ | ✔️ | ✔️
+| | Show state of a participant<br/>*Idle, Early media, Connecting, Connected, On hold, In Lobby, Disconnected* | ✔️ | ✔️ | ✔️
+| | Show state of a call<br/>*Early Media, Incoming, Connecting, Ringing, Connected, Hold, Disconnecting, Disconnected* | ✔️ | ✔️ | ✔️
+| | Show if a participant is muted | ✔️ | ✔️ | ✔️
+| | Show the reason why a participant left a call | ✔️ | ✔️ | ✔️
+| Screen sharing | Share the entire screen from within the application | ✔️ | ❌ | ❌
+| | Share a specific application (from the list of running applications) | ✔️ | ❌ | ❌
+| | Share a web browser tab from the list of open tabs | ✔️ | ❌ | ❌
+| | Participant can view remote screen share | ✔️ | ✔️ | ✔️
+| Roster | List participants | ✔️ | ✔️ | ✔️
+| | Remove a participant | ✔️ | ✔️ | ✔️
+| PSTN | Place a one-to-one call with a PSTN participant | ✔️ | ✔️ | ✔️
| | Place a group call with PSTN participants | ✔️ | ✔️ | ✔️ | | Promote a one-to-one call with a PSTN participant into a group call | ✔️ | ✔️ | ✔️
-| | Dial-out from a group call as a PSTN participant | ✔️ | ✔️ | ✔️
-| General | Test your mic, speaker, and camera with an audio testing service (available by calling 8:echo123) | ✔️ | ✔️ | ✔️
+| | Dial-out from a group call as a PSTN participant | ✔️ | ✔️ | ✔️
+| General | Test your mic, speaker, and camera with an audio testing service (available by calling 8:echo123) | ✔️ | ✔️ | ✔️
| Device Management | Ask for permission to use audio and/or video | ✔️ | ✔️ | ✔️
-| | Get camera list | ✔️ | ✔️ | ✔️
+| | Get camera list | ✔️ | ✔️ | ✔️
| | Set camera | ✔️ | ✔️ | ✔️ | | Get selected camera | ✔️ | ✔️ | ✔️ | | Get microphone list | ✔️ | ✔️ | ✔️
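Review bot: every `-` row in this hunk is re-added as a `+` row with no visible difference (the Mid call control rows through PSTN, plus the Dial-out, General and Get camera list rows). If the change is trailing whitespace or a different Unicode variant of the check mark, say so in the commit message so reviewers do not hunt for a content change; if there is no difference at all, drop the churn so the diff carries only the real edits.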
The following list presents the set of features which are currently available in
| | Set speaker | ✔️ | ✔️ | ✔️ | | Get selected speaker | ✔️ | ✔️ | ✔️ | Video Rendering | Render single video in many places (local camera or remote stream) | ✔️ | ✔️ | ✔️
-| | Set / update scaling mode | ✔️ | ✔️ | ✔️
+| | Set / update scaling mode | ✔️ | ✔️ | ✔️
| | Render remote video stream | ✔️ | ✔️ | ✔️ ## Calling SDK streaming support
The following timeouts apply to the Communication Services Calling SDKs:
The following table represents the set of supported browsers which are currently available. We support the most recent three versions of the browser unless otherwise indicated.
-| Platform | Chrome | Safari* | Edge (Chromium) |
+| Platform | Chrome | Safari* | Edge (Chromium) |
| -- | -| | -- | | Android | ✔️ | ❌ | ❌ | | iOS | ❌ | ✔️**** | ❌ |
The following table represents the set of supported browsers which are currently
| Windows*** | ✔️ | ❌ | ✔️ | | Ubuntu/Linux | ✔️ | ❌ | ❌ |
-*Safari versions 13.1+ are supported, 1:1 calls are not supported on Safari.
+*Safari versions 13.1+ are supported, 1:1 calls are not supported on Safari.
-**Safari 14+/macOS 11+ needed for outgoing video support.
+**Safari 14+/macOS 11+ needed for outgoing video support.
***Outgoing screen sharing is supported only on desktop platforms (Windows, macOS, and Linux), regardless of the browser version, and is not supported on any mobile platform (Android, iOS, iPad, and tablets).
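Review bot: the `-`/`+` pairs here (the table header row and the two Safari footnotes) are again visually identical, and the iOS cell reads `✔️****` while the footnotes defined below only go up to `***`, so the fourth asterisk points at nothing; either make the marker match one of the defined footnotes or add a fourth footnote. Also "*Safari versions 13.1+ are supported, 1:1 calls are not supported on Safari." is a comma splice; use a semicolon or split it into two sentences.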
For example, this iframe allows both camera and microphone access:
For more information, see the following articles: - Familiarize yourself with general [call flows](../call-flows.md) - Learn about [call types](../voice-video-calling/about-call-types.md)-- [Plan your PSTN solution](../telephony-sms/plan-solution.md)
+- [Plan your PSTN solution](../telephony-sms/plan-solution.md)
communication-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/overview.md
> Applications that you build using Azure Communication Services can talk to Microsoft Teams. To learn more, visit our [Teams Interop](./quickstarts/voice-video-calling/get-started-teams-interop.md) documentation.
-Azure Communication Services allows you to easily add real-time multimedia voice, video, and telephony-over-IP communications features to your applications. The Communication Services SDKs also allow you to add chat and SMS functionality to your communications solutions.
+Azure Communication Services allows you to easily add real-time multimedia voice, video, and telephony-over-IP communications features to your applications. The Communication Services SDK libraries also allow you to add chat and SMS functionality to your communications solutions.
<br>
Mixed scenarios are supported. For example, a Communication Services application
## Common scenarios
-The following resources are a great place to get started with Azure Communication Services.
+The following resources are a great place to get started with Azure Communication Services.
<br> | Resource |Description | | | | |**[Create a Communication Services resource](./quickstarts/create-communication-resource.md)**|You can begin using Azure Communication Services by using the Azure portal or Communication Services SDK to provision your first Communication Services resource. Once you have your Communication Services resource connection string, you can provision your first user access tokens.| |**[Get a phone number](./quickstarts/telephony-sms/get-phone-number.md)**|You can use Azure Communication Services to provision and release telephone numbers. These telephone numbers can be used to initiate outbound calls and build SMS communications solutions.|
-|**[Send an SMS from your app](./quickstarts/telephony-sms/send.md)**|The Azure Communication Services SMS SDK allows you to send and receive SMS messages from your .NET and JavaScript applications.|
After creating an Communication Services resource you can start building client scenarios, such as voice and video calling or text chat.
After creating an Communication Services resource you can start building client
|**[Get started with voice and video calling](./quickstarts/voice-video-calling/getting-started-with-calling.md)**| Azure Communication Services allows you to add voice and video calling to your apps using the Calling SDK. This library is powered by WebRTC and allows you to establish peer-to-peer, multimedia, real-time communications within your applications.| |**[Join your calling app to a Teams meeting](./quickstarts/voice-video-calling/get-started-teams-interop.md)**|Azure Communication Services can be used to build custom meeting experiences that interact with Microsoft Teams. Users of your Communication Services solution(s) can interact with Teams participants over voice, video, chat, and screen sharing.| |**[Get started with chat](./quickstarts/chat/get-started.md)**|The Azure Communication Services Chat SDK can be used to integrate real-time chat into your applications.|
+|**[Send an SMS from your app](./quickstarts/telephony-sms/send.md)**|The Azure Communication Services SMS SDK allows you to send and receive SMS messages from your .NET and JavaScript applications.|
## Samples
-The following samples demonstrate end-to-end utilization of the Azure Communication Services SDKs. Feel free to use these samples to bootstrap your own Communication Services solutions.
+The following samples demonstrate end-to-end utilization of the Azure Communication Services SDK libraries. Feel free to use these samples to bootstrap your own Communication Services solutions.
<br> | Sample name | Description | | | |
-|**[The Group Calling Hero Sample](./samples/calling-hero-sample.md)**|See how the Communication Services SDKs can be used to build a group calling experience.|
-|**[The Group Chat Hero Sample](./samples/chat-hero-sample.md)**|See how the Communication Services SDKs can be used to build a group chat experience.|
+|**[The Group Calling Hero Sample](./samples/calling-hero-sample.md)**|See how the Communication Services SDK libraries can be used to build a group calling experience.|
+|**[The Group Chat Hero Sample](./samples/chat-hero-sample.md)**|See how the Communication Services SDK libraries can be used to build a group chat experience.|
-## Platforms and SDKs
+## Platforms and SDK libraries
-The following resources will help you learn about the Azure Communication Services SDKs:
+The following resources will help you learn about the Azure Communication Services SDK libraries:
| Resource | Description | | | |
-|**[SDKs and REST APIs](./concepts/sdk-options.md)**|Azure Communication Services capabilities are conceptually organized into six areas, each represented by an SDK. You can decide which SDKs to use based on your real-time communication needs.|
+|**[SDK libraries and REST APIs](./concepts/sdk-options.md)**|Azure Communication Services capabilities are conceptually organized into six areas, each represented by an SDK. You can decide which SDK libraries to use based on your real-time communication needs.|
|**[Calling SDK overview](./concepts/voice-video-calling/calling-sdk-features.md)**|Review the Communication Services Calling SDK overview.| |**[Chat SDK overview](./concepts/chat/sdk-features.md)**|Review the Communication Services Chat SDK overview.| |**[SMS SDK overview](./concepts/telephony-sms/sdk-features.md)**|Review the Communication Services SMS SDK overview.|
-## Compare Azure Communication Services
+## Other Microsoft Communication Services
There are two other Microsoft communication products you may consider leveraging that are not directly interoperable with Communication Services at this time:
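Review bot: the rename from "SDKs" to "SDK libraries" is applied only partially. The heading, intro lines and sample rows in this hunk now say "SDK libraries", but the "Calling SDK overview", "Chat SDK overview" and "SMS SDK overview" rows in the same table still say "SDK", and the Calling SDK page, known-issues page and Teams interop page touched in this same change keep "SDKs". Pick one term across the set. Drive-by: the unchanged context line "After creating an Communication Services resource" should read "a Communication Services resource".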
communication-services Calling Client Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/calling-client-samples.md
Title: Quickstart - Use the Azure Communication Services Calling SDK description: Learn about the Communication Services Calling SDK capabilities.--++ -+ Last updated 03/10/2021
communication-services Get Started Teams Interop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/get-started-teams-interop.md
Get started with Azure Communication Services by connecting your calling solutio
[!INCLUDE [Calling with iOS](./includes/teams-interop-ios.md)] ::: zone-end
+Functionality described in this document uses the General Availablity version of the Communication Services SDKs. Teams Interoperability requires the Beta version of the Communication Services SDKs. The Beta SDKs can be explored on the [release notes page](https://github.com/Azure/Communication/tree/master/releasenotes).
+
+When executing the "Install package" step with the Beta SDKs, modify the version of your package to the latest Beta release by specifying version `@1.0.0-beta.10` (version at the moment of writing this article) in the `communication-calling` package name. You don't need to modify the `communication-common` package command. For example:
+
+```console
+npm install @azure/communication-calling@1.0.0-beta.10 --save
+```
+ ## Clean up resources If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).
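Review bot: the two added sentences contradict each other as written: "Functionality described in this document uses the General Availablity version" is immediately followed by "Teams Interoperability requires the Beta version". Say plainly that the quickstart's install step defaults to the GA package and that Teams interop needs the beta package, then give the install command. Also fix "Availablity" to "Availability", and since `@1.0.0-beta.10` is described as the version "at the moment of writing", consider pointing readers at the release notes for the current beta rather than hard-coding one version in the command.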
communication-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/samples/overview.md
Azure Communication Services has many samples available, which you can use to te
| Sample Name | Description | Languages/Platforms Available | | : | : | : |
-| [Group Calling Hero Sample](./calling-hero-sample.md) | Provides a sample of creating a group calling application. | Web, iOS, Android |
-| [Web Calling Sample](./web-calling-sample.md) | A step by step walk-through of ACS Calling features within the Web. | Web |
-| [Chat Hero Sample](./chat-hero-sample.md) | Provides a sample of creating a chat application. | Web & C# .NET |
+| [Group Calling Hero Sample](./calling-hero-sample.md) | Provides a sample of creating a group calling application. | [Web](https://github.com/Azure-Samples/communication-services-web-calling-hero), [iOS](https://github.com/Azure-Samples/communication-services-ios-calling-hero), [Android](https://github.com/Azure-Samples/communication-services-android-calling-hero) |
+| [Web Calling Sample](./web-calling-sample.md) | A step by step walk-through of ACS Calling features within the Web. | [Web](https://github.com/Azure-Samples/communication-services-web-calling-tutorial/) |
+| [Chat Hero Sample](./chat-hero-sample.md) | Provides a sample of creating a chat application. | [Web](https://github.com/Azure-Samples/communication-services-web-chat-hero) |
| [Contoso Medical App](https://github.com/Azure-Samples/communication-services-contoso-med-app) | Sample app demonstrating a patient-doctor flow. | Web & Node.js | | [Contoso Retail App](https://github.com/Azure-Samples/communication-services-contoso-retail-app) | Sample app demonstrating a retail support flow. | ASP.NET, .NET Core, JavaScript/Web | | [WPF Calling Sample](https://github.com/Azure-Samples/communication-services-web-calling-wpf-sample) | Sample app for Windows demonstrating calling functionality | WPF / Node.js |
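Review bot: The Chat Hero Sample row silently drops a platform: the removed line listed "Web & C# .NET", the replacement lists only the Web repository. If a .NET version of the chat sample still exists, link it next to Web the way the Group Calling row links iOS and Android; if it was retired, the description should say the sample is web only. Replacing bare platform names with repository links in the other rows is a clear improvement.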
confidential-computing How To Fortanix Confidential Computing Manager Node Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/confidential-computing/how-to-fortanix-confidential-computing-manager-node-agent.md
+
+ Title: How To - Run an application with Fortanix Confidential Computing Manager
+description: Learn how to use Fortanix Confidential Computing Manager to convert your containerized images
++++++ Last updated : 03/24/2021++
+# How To: Run an application with Fortanix Confidential Computing Manager
+
+Start running your application in Azure confidential computing using [Fortanix Confidential Computing Manager](https://azuremarketplace.microsoft.com/marketplace/apps/fortanix.enclave_manager?tab=Overview) and [Fortanix Node Agent](https://azuremarketplace.microsoft.com/marketplace/apps/fortanix.rte_node_agent) from [Fortanix](https://www.fortanix.com/).
++
+Fortanix is a third-party software vendor with products and services built on top of Azure infrastructure. There are other third-party providers offering similar confidential computing services on Azure.
+
+> [!Note]
+> The products referenced in this document are not under the control of Microsoft. Microsoft is providing this information to you only as a convenience, and the reference to these non-Microsoft products do not imply endorsement by Microsoft.
+
+This tutorial shows you how to convert your application image to a confidential compute-protected image. This environment uses [Fortanix](https://www.fortanix.com/) software, powered by Azure's DCsv2-Series Intel SGX-enabled virtual machines. This solution orchestrates critical security policies such as identity verification and data access control.
+
+For Fortanix-specific support, join the [Fortanix Slack community](https://fortanix.com/community/) and use the channel `#enclavemanager`.
+
+## Prerequisites
+
+1. If you don't have a Fortanix Confidential Computing Manager account, [sign-up](https://ccm.fortanix.com/auth/sign-up) before you begin.
+1. A private [Docker](https://docs.docker.com/) registry to push converted application images.
+1. If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/) before you begin.
+
+> [!NOTE]
+> Free trial accounts do not have access to the virtual machines used in this tutorial. Please upgrade to a Pay-As-You-Go subscription.
+
+## Add an application to Fortanix Confidential Computing Manager
+
+1. Sign in to [Fortanix Confidential Computing Manager (Fortanix CCM)](https://ccm.fortanix.com).
+1. Go to the **Accounts** page and select **ADD ACCOUNT** to create a new account.
+
+ :::image type="content" source="media/how-to-fortanix-confidential-computing-manager-node-agent/create-account-new.png" alt-text="Screenshot that shows how to create an account.":::
+
+1. After your account is created, hit **SELECT** to select the newly created account. Now we can start enrolling the compute nodes and creating applications.
+1. Select the **+ APPLICATION** button to add an application. In this example, we'll be adding a Flask Server Enclave OS application.
+
+1. Select the **ADD** button for the Enclave OS Application.
+
+ :::image type="content" source="media/how-to-fortanix-confidential-computing-manager-node-agent/add-enclave-application.png" alt-text="Screenshot that shows how to add an application.":::
+
+ > [!NOTE]
+ > This tutorial covers adding Enclave OS Applications only. [Learn more](https://support.fortanix.com/hc/en-us/articles/360044746932-Bringing-EDP-Rust-Apps-to-Confidential-Computing-Manager) about bringing EDP Rust Applications to Fortanix Confidential Computing Manager.
+
+1. In this tutorial, we'll use Fortanix's docker registry for the sample application. Fill in the details from the following information. Use your private docker registry to keep the output image.
+
+ - **Application name**: Python Application Server
+ - **Description**: Python Flask Server
+ - **Input image name**: fortanix/python-flask
+ - **Output image name**: fortanx-private/python-flask-sgx
+ - **ISVPRODID**: 1
+ - **ISVSVM**: 1
+ - **Memory size**: 1 GB
+ - **Thread count**: 128
+
+ *Optional*: Run the application.
+ - **Docker Hub**: [https://hub.docker.com/u/fortanix](https://hub.docker.com/u/fortanix)
+ - **App**: fortanix/python-flask
+
+ Run the following command:
+
+ ```bash
+ sudo docker run fortanix/python-flask
+ ```
+
+1. Add a certificate. Fill in the information using the details below and then select **NEXT**:
+ - **Domain**: myapp.domain.dom
+ - **Type**: Certificate Issued by Confidential Computing Manager
+ - **Key path**: /appkey.pem
+ - **Key type**: RSA
+ - **Certificate path**: /appcert.pem
+ - **RSA Key Size**: 2048 Bits
+
+## Create an image
+
+A Fortanix CCM Image is a software release or version of an application. Each image is associated with one enclave hash (MRENCLAVE).
+
+1. On the **Add Image** page, enter the **REGISTRY CREDENTIALS** for **Output image name**. These credentials are used to access the private docker registry where the image will be pushed.
+
+ :::image type="content" source="media/how-to-fortanix-confidential-computing-manager-node-agent/create-image.png" alt-text="Screenshot that shows how to create an image.":::
+
+1. Provide the image tag and select **Create**.
+
+ :::image type="content" source="media/how-to-fortanix-confidential-computing-manager-node-agent/add-tag.png" alt-text="Screenshot that shows how to add a tag.":::
+
+## Domain and image allowlist
+
+An application whose domain is added to the allowlist, will get a TLS Certificate from Fortanix Confidential Computing Manager. Similarly, when an application runs from the converted image, it will try to contact Fortanix Confidential Computing Manager. The application will then ask for a TLS Certificate.
+
+Switch to the **Tasks** tab on the left and approve the pending requests to allow the domain and image.
+
+## Enroll compute node agent in Azure
+
+### Generate and copy join token
+
+In Fortanix Confidential Computing Manager, you'll create a token. This token allows a compute node in Azure to authenticate itself. You'll need to give this token to your Azure virtual machine.
+
+1. In the management console, select the **+ ENROLL NODE** button.
+1. Select **GENERATE TOKEN** to generate the Join token. Copy the token.
+
+### Enroll nodes into Fortanix Node Agent in Azure Marketplace
+
+Creating a Fortanix Node Agent will deploy a virtual machine, network interface, virtual network, network security group, and a public IP address into your Azure resource group. Your Azure subscription will be billed hourly for the virtual machine. Before you create a Fortanix Node Agent, review the Azure [virtual machine pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/linux/) for DCsv2-Series. Delete Azure resources when not in use.
+
+1. Go to the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/) and sign in with your Azure credentials.
+1. In the search bar, type **Fortanix Confidential Computing Node Agent**. Select the App that shows up in the search box called **Fortanix Confidential Computing Node Agent** to go to the offering's home page.
+
+ ![search marketplace](media/how-to-fortanix-confidential-computing-manager-node-agent/search-fortanix-marketplace.png)
+1. Select **Get It Now**, fill in your information if necessary, and select **Continue**. You'll be redirected to the Azure portal.
+1. Select **Create** to enter the Fortanix Confidential Computing Node Agent deployment page.
+1. On this page, you'll be entering information to deploy a virtual machine. Specifically, this VM is a DCsv2-Series Intel SGX-enabled virtual machine from Azure with Fortanix Node Agent software installed. The Node Agent will allow your converted image to run securely on Intel SGX nodes in Azure. Select the **subscription** and **resource group** where you want to deploy the virtual machine and associated resources.
+
+ > [!NOTE]
+ > There are constraints when deploying DCsv2-Series virtual machines in Azure. You may need to request quota for additional cores. Read about [confidential computing solutions on Azure VMs](./virtual-machine-solutions.md) for more information.
+
+1. Select an available region.
+1. Enter a name for your virtual machine in **Node Name**.
+1. Enter a username and password (or SSH Key) for authenticating into the virtual machine.
+1. Leave the default OS Disk Size as 200 and select a VM size (Standard_DC4s_v2 will suffice for this tutorial).
+1. Paste the token generated earlier in **Join Token**.
+
+ :::image type="content" source="media/how-to-fortanix-confidential-computing-manager-node-agent/deploy-fortanix-node-agent-protocol.png" alt-text="Screenshot that shows how to deploy a resource.":::
+
+1. Select **Review + Create**. Ensure the validation passes and then select **Create**. When all the resources deploy, the compute node is now enrolled in Fortanix Confidential Computing Manager.
+
+## Run the application image on the compute node
+
+Run the application by executing the following command. Ensure you change the Node IP, Port, and Converted Image Name as inputs for your specific application.
+
+In this tutorial, the command to execute is:
+
+```bash
+ sudo docker run `
+ --device /dev/isgx:/dev/isgx `
+ --device /dev/gsgx:/dev/gsgx `
+ -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket `
+ -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1/ fortanix-private/python-flask-sgx
+```
+
+Where:
+
+- *52.152.206.164* is the Node Agent Host IP
+- *9092* is the port that Node Agent listens up
+- *fortanix-private/python-flask-sgx* is the converted app that can be found in the Images tab under the **Image Name** column in the **Images** table in the Fortanix Confidential Computing Manager Web Portal.
+
+## Verify and monitor the running application
+
+1. Return to [Fortanix Confidential Computing Manager](https://ccm.fortanix.com/console).
+1. Ensure you're working inside the **Account** where you enrolled the node.
+1. Go to the **Management Console** by selecting the top icon on the left navigation pane.
+1. Select the **Application** tab.
+1. Verify that there's a running application with an associated compute node.
+
+## Clean up resources
+
+When they are no longer needed, you can delete the resource group, virtual machine, and associated resources. Deleting the resource group will unenroll the nodes associated with your converted image.
+
+Select the resource group for the virtual machine, then select **Delete**. Confirm the name of the resource group to finish deleting the resources.
+
+To delete the Fortanix Confidential Computing Manager account you created, go the [Accounts Page](https://ccm.fortanix.com/accounts) in the Fortanix Confidential Computing Manager. Hover over the account you want to delete. Select the vertical black dots in the upper right-hand corner and select **Delete Account**.
++
+## Next steps
+
+In this quickstart, you used Fortanix tooling to convert your application image to run on top of a confidential computing virtual machine. For more information about confidential computing virtual machines on Azure, see [Solutions on Virtual Machines](virtual-machine-solutions.md).
+
+To learn more about Azure's confidential computing offerings, see [Azure confidential computing overview](overview.md).
+
+Learn how to complete similar tasks using other third-party offerings on Azure, like [Anjuna](https://azuremarketplace.microsoft.com/marketplace/apps/anjuna-5229812.aee-az-v1) and [Scone](https://sconedocs.github.io).
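Review bot: The `docker run` block under "Run the application image on the compute node" is fenced as `bash` but uses trailing backticks as line continuations, which is PowerShell syntax; in bash an unmatched backtick opens a command substitution, so the command does not run when pasted. Use a trailing backslash on each continued line or put the whole command on one line. Related points in the same article: the output image name is spelled `fortanx-private/python-flask-sgx` in the application form but `fortanix-private/python-flask-sgx` in the run command and the "Where" list, so one of them is wrong and the run would try to pull an image that was never pushed; the field labelled `ISVSVM` beside `ISVPRODID` looks like a typo for the SGX ISVSVN (security version number); the literal public IP `52.152.206.164` in the run command and its explanation would be clearer as a placeholder such as `<node-agent-ip>`, and since `NODE_AGENT_BASE_URL` is plain `http://`, the article should say whether the node agent channel is protected by something other than TLS. The join token section states that the token lets a compute node authenticate itself but not how to handle it; a sentence noting that it is a bearer credential to be treated like a secret would help. Wording: "the port that Node Agent listens up" should be "listens on", and "go the Accounts Page" should be "go to the Accounts Page".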
connectors Connectors Native Http Swagger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/connectors/connectors-native-http-swagger.md
Here is more information about the outputs from an HTTP + Swagger trigger or act
| Property name | Type | Description | |||-| | headers | object | The headers from the request |
-| body | object | JSON object | The object with the body content from the request |
+| body | object | The object with the body content from the request |
| status code | int | The status code from the request |
-|||
+||||
| Status code | Description | |-|-|
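Review bot: The `body` row fix is correct: the removed line had four cells (the stray "JSON object") against a three-column header. The other change turns the trailing `|||` into `||||`, which is now a correctly sized but empty row; dropping that row altogether would avoid rendering a blank line inside the table.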
connectors Connectors Native Webhook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/connectors/connectors-native-webhook.md
Here is more information about the outputs from an HTTP Webhook trigger or actio
| Property name | Type | Description | |||-| | headers | object | The headers from the request |
-| body | object | JSON object | The object with the body content from the request |
+| body | object | The object with the body content from the request |
| status code | int | The status code from the request |
-|||
+||||
| Status code | Description | |-|-|
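Review bot: Same table fix as in the HTTP + Swagger article, with the same leftover: the `||||` line is an empty table row and could be removed together with the stray "JSON object" cell rather than resized.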
container-instances Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/policy-reference.md
Title: Built-in policy definitions for Azure Container Instances description: Lists Azure Policy built-in policy definitions for Azure Container Instances. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
container-instances Security Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/security-baseline.md
description: The Container Instances security baseline provides procedural guida
Previously updated : 02/17/2021 Last updated : 03/30/2021
# Azure security baseline for Container Instances
-This security
-baseline applies guidance from the [Azure Security Benchmark version
-1.0](../security/benchmarks/overview-v1.md) to Container Instances. The Azure Security Benchmark
-provides recommendations on how you can secure your cloud solutions on Azure.
-The content is grouped by the **security controls** defined by the Azure
-Security Benchmark and the related guidance applicable to Container Instances. **Controls** not applicable to Container Instances have been excluded.
+This security baseline applies guidance from the [Azure Security Benchmark version1.0](../security/benchmarks/overview-v1.md) to Container Instances. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the **security controls** defined by the Azure Security Benchmark and the related guidance applicable to Container Instances. **Controls** not applicable to Container Instances, or for which the responsibility is Microsoft's, have been excluded.
-
-To see how Container Instances completely maps to the Azure
-Security Benchmark, see the [full Container Instances security baseline mapping
-file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
+To see how Container Instances completely maps to the Azure Security Benchmark, see the [full Container Instances security baseline mapping file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Offer%20Security%20Baselines).
## Network Security
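Review bot: The rewritten intro paragraph loses a space in the link text "Azure Security Benchmark version1.0"; the removed lines had "version" and "1.0" split across a line break, so the join should read "version 1.0". The added qualifier "or for which the responsibility is Microsoft's" is a useful clarification of which controls were excluded, and reflowing the paragraphs onto single lines is fine for a markdown source.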
file](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Of
Control outbound network access from a subnet delegated to Azure Container Instances by using Azure Firewall. -- [Deploy container instances into an Azure virtual network](/azure/container-instances/container-instances-vnet)
+- [Deploy container instances into an Azure virtual network](/azure/container-instances/container-instance-vnet)
- [How to deploy and configure Azure Firewall](../firewall/tutorial-firewall-deploy-portal.md)
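Review bot: The replacement link target `/azure/container-instances/container-instance-vnet` uses the singular "instance", while the removed line and every other Container Instances article referenced in this file (`container-instances-log-analytics.md`, `container-instances-image-security.md`, `container-instances-encrypt-data.md`) use the plural `container-instances-` prefix; this looks like a typo that will 404 or depend on a redirect. Restore `container-instances-vnet`.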
Control outbound network access from a subnet delegated to Azure Container Insta
You may use Azure Security Center Just In Time Network access to configure NSGs to limit exposure of endpoints to approved IP addresses for a limited period. Also , use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit Ports and Source IPs based on actual traffic and threat intelligence. -- [How to configure DDoS protection](../ddos-protection/manage-ddos-protection.md)
+- [How to configure DDoS protection](/azure/virtual-network/manage-ddos-protection)
- [How to deploy Azure Firewall](../firewall/tutorial-firewall-deploy-portal.md)
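Review bot: This hunk, and most of the link changes below it, replace repo-relative `.md` links with site-absolute `/azure/...` or `https://docs.microsoft.com/...` URLs that point at older folder names: here `../ddos-protection/manage-ddos-protection.md` becomes `/azure/virtual-network/manage-ddos-protection`, and later `azure-monitor/essentials`, `azure-monitor/alerts` and `azure-monitor/logs` become `azure-monitor/platform`, `azure-monitor/learn` and `azure-monitor/log-query`, and `defender-for-container-registries-introduction` becomes `azure-container-registry-integration`. The removed paths look like the post-reorganization locations, so the new ones will at best resolve through redirects; if the relative form is the repo convention, the links should be kept relative and verified against the current tree rather than reverted.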
Deploy the firewall solution of your choice at each of your organization's netwo
**Guidance**: If using a cloud-based private registry like Azure container registry with Azure Container Instances, for resources that need access to your container registry, use virtual network service tags for the Azure Container Registry service to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name "AzureContainerRegistry" in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. -- [Allow access by service tag](../container-registry/container-registry-firewall-access-rules.md#allow-access-by-service-tag)
+- [Allow access by service tag](https://docs.microsoft.com/azure/container-registry/container-registry-firewall-access-rules#allow-access-by-service-tag)
**Responsibility**: Customer
You can use Azure Blueprints to simplify large-scale Azure deployments by packag
**Guidance**: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to your container registries. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place. -- [How to view and retrieve Azure Activity Log events](../azure-monitor/essentials/activity-log.md#view-the-activity-log)
+- [How to view and retrieve Azure Activity Log events](/azure/azure-monitor/platform/activity-log#view-the-activity-log)
-- [How to create alerts in Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)
+- [How to create alerts in Azure Monitor](/azure/azure-monitor/platform/alerts-activity-log)
**Responsibility**: Customer
You can use Azure Blueprints to simplify large-scale Azure deployments by packag
**Guidance**: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage. -- [How to set log retention parameters for Log Analytics workspaces](../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)
+- [How to set log retention parameters for Log Analytics workspaces](/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period)
**Responsibility**: Customer
You can use Azure Blueprints to simplify large-scale Azure deployments by packag
**Guidance**: Analyze and monitor Azure Container Instances logs for anomalous behavior and regularly review results. Use Azure Monitor's Log Analytics workspace to review logs and perform queries on log data. -- [Understand Log Analytics workspace](../azure-monitor/logs/log-analytics-tutorial.md)
+- [Understand Log Analytics workspace](/azure/azure-monitor/log-query/log-analytics-tutorial)
-- [How to perform custom queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md)
+- [How to perform custom queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries)
- [How to create a log-enabled container group and query logs](container-instances-log-analytics.md)
You can use Azure Blueprints to simplify large-scale Azure deployments by packag
- [Azure Container Registry logs for diagnostic evaluation and auditing](../container-registry/container-registry-diagnostics-audit-logs.md) -- [How to alert on log analytics log data](../azure-monitor/alerts/tutorial-response.md)
+- [How to alert on log analytics log data](/azure/azure-monitor/learn/tutorial-response)
**Responsibility**: Customer
You can use Azure Blueprints to simplify large-scale Azure deployments by packag
If using a cloud-based private registry like Azure container registry with Azure Container Instances, for each Azure container registry, track whether the built-in admin account is enabled or disabled. Disable the account when not in use. -- [How to get a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole)
-- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember?amp;preserve-view=true&view=azureadps-2.0)
+- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember)
-- [Azure Container Registry admin account](../container-registry/container-registry-authentication.md#admin-account)
+- [Azure Container Registry admin account](https://docs.microsoft.com/azure/container-registry/container-registry-authentication#admin-account)
**Responsibility**: Customer
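Review bot: Dropping the `?amp;preserve-view=true&view=azureadps-2.0` query strings removes garbled `amp;` escaping, but it also drops the module-version pin, so the PowerShell reference pages will now show whatever version is the default. If the pin was intentional, the fix is to repair the query to `?view=azureadps-2.0&preserve-view=true` rather than delete it; the same pattern recurs for the `az.accounts`, `az.keyvault`, `set-executionpolicy` and Azure DevOps links further down.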
If using a cloud-based private registry like Azure container registry with Azure
If using a cloud-based private registry like Azure container registry with Azure Container Instances, if the default admin account of an Azure container registry is enabled, complex passwords are automatically created and should be rotated. Disable the account when not in use. -- [Azure Container Registry admin account](../container-registry/container-registry-authentication.md#admin-account)
+- [Azure Container Registry admin account](https://docs.microsoft.com/azure/container-registry/container-registry-authentication#admin-account)
**Responsibility**: Customer
If using a cloud-based private registry like Azure container registry with Azure
- [Understand Azure Security Center Identity and Access](../security-center/security-center-identity-access.md) -- [Azure Container Registry admin account](../container-registry/container-registry-authentication.md#admin-account)
+- [Azure Container Registry admin account](https://docs.microsoft.com/azure/container-registry/container-registry-authentication#admin-account)
**Responsibility**: Customer
If using a cloud-based private registry like Azure container registry with Azure
**Guidance**: Wherever possible, use Azure Active Directory (Azure AD) SSO instead of configuring individual stand-alone credentials per-service. Use Azure Security Center Identity and Access Management recommendations.
-If using a cloud-based private registry like Azure container registry with Azure Container Instances, for individual access to the container registry, use individual sign ins integrated with Azure AD.
+If using a cloud-based private registry like Azure container registry with Azure Container Instances, for individual access to the container registry, use individual sign inintegrated with Azure AD.
- [Understand SSO with Azure AD](../active-directory/manage-apps/what-is-single-sign-on.md) -- [Individual sign in to a container registry](../container-registry/container-registry-authentication.md#individual-login-with-azure-ad)
+- [Individual sign in to a container registry](https://docs.microsoft.com/azure/container-registry/container-registry-authentication#individual-login-with-azure-ad)
**Responsibility**: Customer
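Review bot: The rewritten sentence introduces a typo: "use individual sign inintegrated with Azure AD" is missing a space. Suggest "use individual sign-in integrated with Azure AD" (the removed line's "individual sign ins integrated" also read fine).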
If using a cloud-based private registry like Azure container registry with Azure
**Guidance**: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access. -- [Understand Azure AD reporting](../active-directory/reports-monitoring/index.yml)
+- [Understand Azure AD reporting](/azure/active-directory/reports-monitoring/)
- [How to use Azure identity access reviews](../active-directory/governance/access-reviews-overview.md)
If using a cloud-based private registry like Azure container registry with Azure
You can streamline this process by creating Diagnostic Settings for Azure AD user accounts and sending the audit logs and sign in logs to a Log Analytics Workspace. You can configure desired Alerts within Log Analytics Workspace. -- [How to integrate Azure Activity Logs into Azure Monitor](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
+- [How to integrate Azure Activity Logs into Azure Monitor](/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics)
**Responsibility**: Customer
You can streamline this process by creating Diagnostic Settings for Azure AD use
**Guidance**: Not available; Customer Lockbox not currently supported for Azure Container Instances. -- [List of Customer Lockbox supported services](../security/fundamentals/customer-lockbox-overview.md#supported-services-and-scenarios-in-general-availability)
+- [List of Customer Lockbox supported services](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview#supported-services-and-scenarios-in-general-availability)
**Responsibility**: Customer
For the underlying platform which is managed by Microsoft, Microsoft treats all
Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable. -- [Understand encryption in transit with Azure](../security/fundamentals/encryption-overview.md#encryption-of-data-in-transit)
+- [Understand encryption in transit with Azure](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
**Responsibility**: Shared
For the underlying platform which is managed by Microsoft, Microsoft treats all
- [Understand encryption at rest in Azure](../security/fundamentals/encryption-atrest.md) -- [Customer-managed keys in Azure Container Registry](../container-registry/container-registry-customer-managed-keys.md)
+- [Customer-managed keys in Azure Container Registry](https://aka.ms/acr/cmk)
**Responsibility**: Customer
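Review bot: The customer-managed keys link now points at the shortlink `https://aka.ms/acr/cmk` instead of the article `container-registry-customer-managed-keys`; a shortlink hides the destination from readers and from link checking, and the removed relative link resolved to the article directly, so prefer the direct link.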
For the underlying platform which is managed by Microsoft, Microsoft treats all
- [Container monitoring and scanning security recommendations for Azure Container Instances](container-instances-image-security.md) -- [Azure Container Registry integration with Security Center](../security-center/defender-for-container-registries-introduction.md)
+- [Azure Container Registry integration with Security Center](/azure/security-center/azure-container-registry-integration)
**Responsibility**: Customer
Although classic Azure resources may be discovered via Resource Graph, it is hig
- [How to create queries with Azure Resource Graph](../governance/resource-graph/first-query-portal.md) -- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription?amp;preserve-view=true&view=azps-4.8.0)
+- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription)
- [Understand Azure RBAC](../role-based-access-control/overview.md)
Use Azure Resource Graph to query/discover resources within their subscription(s
- [Azure Container Registry logs for diagnostic evaluation and auditing](../container-registry/container-registry-diagnostics-audit-logs.md) -- [Understand Log Analytics Workspace](../azure-monitor/logs/log-analytics-tutorial.md)
+- [Understand Log Analytics Workspace](/azure/azure-monitor/log-query/log-analytics-tutorial)
-- [How to perform custom queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md)
+- [How to perform custom queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries)
**Responsibility**: Customer
Use Azure Resource Graph to query/discover resources within their subscription(s
- [How to configure and manage Azure Policy](../governance/policy/tutorials/create-and-manage.md) -- [How to deny a specific resource type with Azure Policy](../governance/policy/samples/built-in-policies.md#general)
+- [How to deny a specific resource type with Azure Policy](https://docs.microsoft.com/azure/governance/policy/samples/built-in-policies#general)
**Responsibility**: Customer
Use Azure Resource Graph to query/discover resources within their subscription(s
**Guidance**: Use operating system specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources. -- [For example, how to control PowerShell script execution in Windows Environments](/powershell/module/microsoft.powershell.security/set-executionpolicy?amp;preserve-view=true&view=powershell-7)
+- [For example, how to control PowerShell script execution in Windows Environments](/powershell/module/microsoft.powershell.security/set-executionpolicy)
**Responsibility**: Customer
If using a cloud-based private registry like Azure Container Registry (ACR) with
**Guidance**: If using custom Azure policy definitions, use Azure Repos to securely store and manage your code. -- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow?amp;preserve-view=true&view=azure-devops)
+- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow)
-- [Azure Repos Documentation](/azure/devops/repos/?amp;preserve-view=true&view=azure-devops)
+- [Azure Repos Documentation](/azure/devops/repos/)
**Responsibility**: Customer
Back up customer-managed keys in Azure Key Vault using Azure command-line tools
- [Import container images to a container registry](../container-registry/container-registry-import-images.md) -- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to backup key vault keys in Azure](/powershell/module/az.keyvault/backup-azkeyvaultkey)
- [Encrypting deployment data with Container Instances](container-instances-encrypt-data.md)
Back up customer-managed keys in Azure Key Vault using Azure command-line tools
**Guidance**: Test restoration of backed up customer-managed keys in Azure Key Vault using Azure command-line tools or SDKs. -- [How to restore Azure Key Vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey?amp;preserve-view=true&view=azps-4.8.0)
+- [How to restore Azure Key Vault keys in Azure](/powershell/module/az.keyvault/restore-azkeyvaultkey)
**Responsibility**: Customer
Additionally, mark subscriptions using tags and create a naming system to identi
- [Security alerts in Azure Security Center](../security-center/security-center-alerts-overview.md) -- [Use tags to organize your Azure resources](../azure-resource-manager/management/tag-resources.md)
+- [Use tags to organize your Azure resources](/azure/azure-resource-manager/resource-group-using-tags)
**Responsibility**: Customer
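Review bot: the replacement URL `/azure/azure-resource-manager/resource-group-using-tags` uses a different slug from the relative link it replaces (`../azure-resource-manager/management/tag-resources.md`); confirm it redirects to the current tag-resources page rather than a retired one. Also, the neighbouring `Security alerts in Azure Security Center` link stays relative, so the file now mixes relative and absolute doc links; pick one style.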
Additionally, mark subscriptions using tags and create a naming system to identi
## Next steps -- See the [Azure Security Benchmark V2 overview](../security/benchmarks/overview.md)-- Learn more about [Azure security baselines](../security/benchmarks/security-baselines-overview.md)
+- See the [Azure Security Benchmark V2 overview](/azure/security/benchmarks/overview)
+- Learn more about [Azure security baselines](/azure/security/benchmarks/security-baselines-overview)
container-registry Container Registry Image Tag Version https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-image-tag-version.md
# Recommendations for tagging and versioning container images
-When pushing deploying container images to a container registry and then deploying them, you need a strategy for image tagging and versioning. This article discusses two approaches and where each fits during the container lifecycle:
+When pushing container images to a container registry and then deploying them, you need a strategy for image tagging and versioning. This article discusses two approaches and where each fits during the container lifecycle:
* **Stable tags** - Tags that you reuse, for example, to indicate a major or minor version such as *mycontainerimage:1.0*. * **Unique tags** - A different tag for each image you push to a registry, such as *mycontainerimage:abc123*.
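Review bot: the wording fix ("pushing container images to a container registry and then deploying them") reads correctly now. Since the first bullet defines stable tags as tags you reuse, it would help the reader to state in this intro that a deployment referencing a stable tag can receive different image content between pulls, which is the property that makes unique tags the safer choice for deployments; the two bullets also need to sit on separate lines to render as a list.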
container-registry Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/policy-reference.md
Title: Built-in policy definitions for Azure Container Registry description: Lists Azure Policy built-in policy definitions for Azure Container Registry. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
container-registry Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Container Registry description: Lists Azure Policy Regulatory Compliance controls available for Azure Container Registry. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
cosmos-db Create Graph Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-graph-python.md
Now let's switch to working with code. Let's clone a Gremlin API app from GitHub
1. Open a command prompt, create a new folder named git-samples, then close the command prompt. ```bash
- md "C:\git-samples"
+ mkdir "./git-samples"
``` 2. Open a git terminal window, such as git bash, and use the `cd` command to change to a folder to install the sample app. ```bash
- cd "C:\git-samples"
+ cd "./git-samples"
``` 3. Run the following command to clone the sample repository. This command creates a copy of the sample app on your computer.
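Review bot: `mkdir "./git-samples"` matches the `bash` fence better than `md` did, but the step text still says "create a new folder named git-samples, then close the command prompt", and the later sentence on the page still locates the snippets under `C:\git-samples\azure-cosmos-db-graph-python-getting-started\`; update those references in the same change so the paths are consistent.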
Now let's switch to working with code. Let's clone a Gremlin API app from GitHub
This step is optional. If you're interested in learning how the database resources are created in the code, you can review the following snippets. The snippets are all taken from the *connect.py* file in the *C:\git-samples\azure-cosmos-db-graph-python-getting-started\\* folder. Otherwise, you can skip ahead to [Update your connection string](#update-your-connection-information).
-* The Gremlin `client` is initialized in line 104 in *connect.py*. Make sure to replace `<YOUR_DATABASE>` and `<YOUR_CONTAINER_OR_GRAPH>` with the values of your account's database name and graph name:
+* The Gremlin `client` is initialized in line 155 in *connect.py*. Make sure to replace `<YOUR_DATABASE>` and `<YOUR_CONTAINER_OR_GRAPH>` with the values of your account's database name and graph name:
```python ...
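Review bot: bumping the hard-coded reference from line 104 to line 155 is correct for now but will go stale with the next edit to connect.py; referring to the `client.Client(...)` call instead of a line number would avoid repeating this fix (the same number is repeated in the "paste the URI value" step).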
Now go back to the Azure portal to get your connection information and copy it i
:::image type="content" source="./media/create-graph-python/keys.png" alt-text="View and copy an access key in the Azure portal, Keys page":::
-2. Open the *connect.py* file and in line 104 paste the URI value over `<YOUR_ENDPOINT>` in here:
+2. Open the *connect.py* file and in line 155 paste the URI value over `<YOUR_ENDPOINT>` in here:
```python client = client.Client('wss://<YOUR_ENDPOINT>.gremlin.cosmosdb.azure.com:443/','g',
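Review bot: this step has the reader paste connection information that, per the image alt text, includes an account access key directly into connect.py. A short note that the key should be read from an environment variable (for example with `os.environ`) rather than left inline, and must not be committed with the sample, would fit here; the line-number change itself is fine.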
Now go back to the Azure portal to get your connection information and copy it i
1. In the git terminal window, `cd` to the azure-cosmos-db-graph-python-getting-started folder. ```git
- cd "C:\git-samples\azure-cosmos-db-graph-python-getting-started"
+ cd "./git-samples\azure-cosmos-db-graph-python-getting-started"
``` 2. In the git terminal window, use the following command to install the required Python packages.
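Review bot: `cd "./git-samples\azure-cosmos-db-graph-python-getting-started"` mixes a forward slash with a backslash; inside double quotes in a git bash shell the backslash is literal, so the path will not resolve. Use `cd "./git-samples/azure-cosmos-db-graph-python-getting-started"`. The fence is also tagged `git`, which is not a language; `bash` matches the earlier snippets.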
cosmos-db Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/policy-reference.md
Title: Built-in policy definitions for Azure Cosmos DB description: Lists Azure Policy built-in policy definitions for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
cosmos-db Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cosmos DB description: Lists Azure Policy Regulatory Compliance controls available for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
cost-management-billing Migrate Cost Management Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/migrate-cost-management-api.md
EA APIs use an API key for authentication and authorization. MCA APIs use Azure
| Usage (CSV) | [/usagedetails/download](/rest/api/billing/enterprise/billing-enterprise-api-usage-detail#csv-format)[/usagedetails/submit](/rest/api/billing/enterprise/billing-enterprise-api-usage-detail#csv-format) | [Microsoft.Consumption/usageDetails/download](/rest/api/consumption/usagedetails)<sup>1</sup> | | Marketplace Usage (CSV) | [/marketplacecharges](/rest/api/billing/enterprise/billing-enterprise-api-marketplace-storecharge)[/marketplacechargesbycustomdate](/rest/api/billing/enterprise/billing-enterprise-api-marketplace-storecharge) | [Microsoft.Consumption/usageDetails/download](/rest/api/consumption/usagedetails)<sup>1</sup> | | Billing periods | [/billingperiods](/rest/api/billing/enterprise/billing-enterprise-api-billing-periods) | Microsoft.Billing/billingAccounts/billingProfiles/invoices |
-| Price sheet | [/pricesheet](/rest/api/billing/enterprise/billing-enterprise-api-pricesheet) | Microsoft.Billing/billingAccounts/billingProfiles/pricesheet/default/download format=json|csv Microsoft.Billing/billingAccounts/…/billingProfiles/…/invoices/… /pricesheet/default/download format=json|csv Microsoft.Billing/billingAccounts/../billingProfiles/../providers/Microsoft.Consumption/pricesheets/download |
+| Price sheet | [/pricesheet](/rest/api/billing/enterprise/billing-enterprise-api-pricesheet) | Microsoft.Billing/billingAccounts/billingProfiles/pricesheet/default/download format=json\|csv Microsoft.Billing/billingAccounts/…/billingProfiles/…/invoices/… /pricesheet/default/download format=json\|csv Microsoft.Billing/billingAccounts/../billingProfiles/../providers/Microsoft.Consumption/pricesheets/download |
| Reservation purchases | [/reservationcharges](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-charges) | Microsoft.Billing/billingAccounts/billingProfiles/transactions | | Reservation recommendations | [/SharedReservationRecommendations](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-recommendation#request-for-shared-reserved-instance-recommendations)[/](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-recommendation#request-for-single-reserved-instance-recommendations)[SingleReservationRecommendations](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-recommendation#request-for-single-reserved-instance-recommendations) | [Microsoft.Consumption/reservationRecommendations](/rest/api/consumption/reservationrecommendations/list) | | Reservation usage | [/reservationdetails](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-usage#request-for-reserved-instance-usage-details)[/reservationsummaries](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-usage) | [Microsoft.Consumption/reservationDetails](/rest/api/consumption/reservationsdetails)[Microsoft.Consumption/reservationSummaries](/rest/api/consumption/reservationssummaries) |
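Review bot: escaping the pipes as `format=json\|csv` is the right fix; unescaped they split the Price sheet row into extra cells. Pre-existing in the same table, the Reservation recommendations cell contains a stray `[/](...)` link between the two recommendation links, which renders as a lone slash; worth cleaning up while the table is being touched.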
cost-management-billing Cancel Azure Subscription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/cancel-azure-subscription.md
tags: billing
Previously updated : 12/14/2020 Last updated : 03/31/2021
If you have a free trial subscription, you don't have to wait 30 days for the su
1. Select the subscription that you want to delete. 1. Select **Overview**, and then select **Delete subscription**.
+## Delete other subscriptions
+
+The only subscription type that you can manually delete is a free trial subscription. All other subscription types, including pay-as-you-go subscriptions, are deleted only through the [subscription cancellation](#cancel-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) to ask to have the subscription deleted immediately.
+ ## Reactivate a subscription If you cancel your subscription with Pay-As-You-Go rates accidentally, you can [reactivate it in the Azure portal](subscription-disabled.md).
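Review bot: the new section depends on the `#cancel-subscription-in-the-azure-portal` anchor existing in this article; verify the heading text matches. Also check that `## Reactivate a subscription` is on its own line in the source; as rendered here it is joined to its paragraph with a leading space, which would stop it rendering as a heading.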
You may not have the permissions required to cancel a subscription. See [Who can
## How do I delete my Azure Account?
-*I need to remove my account including all my personal information. I already canceled my active(Free Trial) subscriptions. I don't have any active subscriptions, and would like to totally delete my account*.
+*I need to remove my account including all my personal information. I already canceled my active (Free Trial) subscriptions. I don't have any active subscriptions, and would like to totally delete my account*.
* If you have an Azure Active Directory account via your organization, the Azure AD administrator could delete the account. After that, your services are disabled. That means your virtual machines are de-allocated, temporary IP addresses are freed, and storage is read-only. In summary, once you cancel, billing is stopped immediately.
data-factory Compute Linked Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/compute-linked-services.md
You create an Azure Machine Learning linked service to connect an Azure Machine
| subscriptionId | Azure subscription ID | Yes | | resourceGroupName | name | Yes | | mlWorkspaceName | Azure Machine Learning workspace name | Yes |
-| servicePrincipalId | Specify the application's client ID. | No |
-| servicePrincipalKey | Specify the application's key. | No |
+| servicePrincipalId | Specify the application's client ID. | Yes |
+| servicePrincipalKey | Specify the application's key. | Yes |
| tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. You can retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Required if updateResourceEndpoint is specified | | connectVia | The Integration Runtime to be used to dispatch the activities to this linked service. You can use Azure Integration Runtime or Self-hosted Integration Runtime. If not specified, it uses the default Azure Integration Runtime. | No |
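Review bot: making `servicePrincipalId` and `servicePrincipalKey` required is inconsistent with the `tenant` row, which still reads "Required if updateResourceEndpoint is specified"; a service principal cannot be resolved without its tenant, so that row should be updated in the same change. It would also help to state in the `servicePrincipalKey` description how the key is expected to be stored, since the row currently says only "Specify the application's key."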
data-factory Connector Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-rest.md
The template defines two parameters:
| Property | Description | |: |: |
- | URL |Specify the url to retrieve OAuth bearer token from. for example, in the sample here it's https://login.microsoftonline.com/microsoft.onmicrosoft.com/oauth2/token |.
+ | URL |Specify the url to retrieve OAuth bearer token from. for example, in the sample here it's https://login.microsoftonline.com/microsoft.onmicrosoft.com/oauth2/token |
| Method | The HTTP method. Allowed values are **Post** and **Get**. | | Headers | Header is user-defined, which references one header name in the HTTP request. | | Body | The body for the HTTP request. |
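Review bot: removing the trailing `.` after the table row fixes the rendering; while editing this row, "Specify the url to retrieve OAuth bearer token from. for example" should read "Specify the URL to retrieve the OAuth bearer token from. For example".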
data-factory Data Factory Private Link https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-factory-private-link.md
Enabling the Private Link service for each of the preceding communication channe
- The command communications between the self-hosted integration runtime and the Azure Data Factory service can be performed securely in a private network environment. The traffic between the self-hosted integration runtime and the Azure Data Factory service goes through Private Link. - **Not currently supported**: - Interactive authoring that uses a self-hosted integration runtime, such as test connection, browse folder list and table list, get schema, and preview data, goes through Private Link.
- - The new version of the self-hosted integration runtime can be automatically downloaded from Microsoft Download Center if you enable Auto-Update.
+ - The new version of the self-hosted integration runtime which can be automatically downloaded from Microsoft Download Center if you enable Auto-Update , is not supported at this time .
> [!NOTE] > For functionality that's not currently supported, you still need to configure the previously mentioned domain and port in the virtual network or your corporate firewall.
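Review bot: the rewritten bullet has stray spaces before the comma and the full stop (`Auto-Update , is not supported at this time .`) and the relative clause needs commas or "that". Since the bullet already sits under the "Not currently supported" list, the added "is not supported at this time" is redundant; "Automatic download of new self-hosted integration runtime versions from Microsoft Download Center when Auto-Update is enabled." would be enough.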
If you want to create private endpoint for authoring and monitoring the data fac
- [Create a data factory by using the Azure Data Factory UI](quickstart-create-data-factory-portal.md) - [Introduction to Azure Data Factory](introduction.md)-- [Visual authoring in Azure Data Factory](author-visually.md)
+- [Visual authoring in Azure Data Factory](author-visually.md)
data-factory Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/policy-reference.md
Previously updated : 03/24/2021 Last updated : 03/31/2021 # Azure Policy built-in definitions for Data Factory (Preview)
data-lake-analytics Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-analytics/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Analytics description: Lists Azure Policy built-in policy definitions for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
data-lake-analytics Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-analytics/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
data-lake-store Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Storage Gen1 description: Lists Azure Policy built-in policy definitions for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
data-lake-store Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen1 description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
databox-online Azure Stack Edge Gpu Connect Powershell Interface https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-connect-powershell-interface.md
Previously updated : 03/08/2021 Last updated : 03/30/2021 # Manage an Azure Stack Edge Pro GPU device via Windows PowerShell
A Multi-Process Service (MPS) on Nvidia GPUs provides a mechanism where GPUs can
[!INCLUDE [Enable MPS](../../includes/azure-stack-edge-gateway-enable-mps.md)]
+> [!NOTE]
+> When the device software and the Kubernetes cluster are updated, the MPS setting is not retained for the workloads. You'll need to enable MPS again.
## Reset your device
databox-online Azure Stack Edge Gpu Deploy Virtual Machine Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-portal.md
Previously updated : 02/22/2021 Last updated : 03/30/2021 # Customer intent: As an IT admin, I need to understand how to configure compute on Azure Stack Edge Pro device so I can use it to transform the data before sending it to Azure.
Follow these steps to create a VM after you have created a VM image.
|Parameter |Description | ||| |Virtual machine name | |
+ |Edge resource group | Create a new resource group for all the resources associated with the VM. |
|Image | Select from the VM images available on the device. | |Size | Choose from the [Supported VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md). |
- |Username | Use the default username *azureuser*. |
+ |Username | Use the default username *azureuser* for the admin to sign into the VM. |
|Authentication type | Choose from SSH public key or a user-defined password. | |Password | Enter a password to sign into the virtual machine. The password must be at least 12 characters long and meet the defined [Complexity requirements](../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm). | |Confirm password | Enter the password again. |
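Review bot: the Username row now explains that *azureuser* is the admin sign-in account, which is clearer. Given that the Password row spells out a 12-character minimum and complexity rules, the Authentication type row would benefit from pointing the reader at the SSH public key option as the preferred choice instead of presenting the two as equals.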
Follow these steps to create a VM after you have created a VM image.
![Add VM 4](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-disks-2.png)
- 1. Repeat the above to process to add more disks. After the disks are created, they show up in the **Disks** tab.
-
- ![Add VM 5](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-disks-3.png)
-
- Select **Next: Networking**.
+ 1. Repeat the above to process to add more disks. After the disks are created, they show up in the **Disks** tab. Select **Next: Networking**.
1. In the **Networking** tab, you will configure the network connectivity for your VM.
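Review bot: the consolidated step keeps the pre-existing typo "Repeat the above to process to add more disks"; it should read "Repeat the above process to add more disks."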
Follow these steps to create a VM after you have created a VM image.
Select **Next: Review + Create**.
+1. In the **Advanced** tab, you can specify the custom data or the cloud-init to customize your VM.
+
+ You can use cloud-init to customize a VM on its first boot. Use the cloud-init to install packages and write files, or to configure users and security. As cloud-init runs during the initial boot process, no additional steps are requires to apply your configuration. For detailed information on cloud-init, see [Cloud-init overview](../virtual-machines/linux/tutorial-automate-vm-deployment.md#cloud-init-overview).
+
+ ![Add VM 7](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-advanced-1.png)
+ 1. In the **Review + Create** tab, review the specifications for the VM and select **Create**.
- ![Add VM 7](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-review-create-1.png)
+ ![Add VM 8](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-review-create-1.png)
1. The VM creation starts and can take up to 20 minutes. You can go to **Deployments** to monitor the VM creation.
- ![Add VM 8](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-deployments-page-1.png)
+ ![Add VM 9](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-deployments-page-1.png)
1. After the VM is successfully created, the **Overview** page updates to display the new VM.
- ![Add VM 9](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-overview-page-1.png)
+ ![Add VM 10](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-overview-page-1.png)
1. Select the newly created VM to go to **Virtual machines**.
- ![Add VM 10](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-page-1.png)
+ ![Add VM 11](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-page-1.png)
Select the VM to see the details.
- ![Add VM 11](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-details-1.png)
+ ![Add VM 12](media/azure-stack-edge-gpu-deploy-virtual-machine-portal/add-virtual-machine-details-1.png)
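Review bot: in the new Advanced step, "no additional steps are requires to apply your configuration" should be "are required", and "the custom data or the cloud-init" reads better as "custom data or cloud-init". The image renumbering from 7 to 12 is consistent across the renamed captions.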
## Connect to a VM
databox-online Azure Stack Edge Gpu Manage Virtual Machine Disks Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-manage-virtual-machine-disks-portal.md
+
+ Title: Manage VMs disks on Azure Stack Edge Pro GPU, Pro R, Mini R via Azure portal
+description: Learn how to manage disks including add or detach a data disk on VMs that are deployed on your Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R via the Azure portal.
++++++ Last updated : 03/30/2021+
+Customer intent: As an IT admin, I need to understand how to manage disks on a VM running on an Azure Stack Edge Pro device so that I can use it to run applications using Edge compute before sending it to Azure.
++
+# Use the Azure portal to manage disks on the VMs on your Azure Stack Edge Pro GPU
++
+You can provision disks on the virtual machines (VMs) deployed on your Azure Stack Edge Pro device using the Azure portal. The disks are provisioned on the device via the local Azure Resource Manager and consume the device capacity. The operations such as adding a disk, detaching a disk can be done via the Azure portal, which in turn makes calls to the local Azure Resource Manager to provision the storage.
+
+This article explains how to add a data disk to an existing VM, detach a data disk, and finally resize the VM itself via the Azure portal.
+
+
+## About disks on VMs
+
+Your VM can have an OS disk and a data disk. Every virtual machine deployed on your device has one attached operating system disk. This OS disk has a pre-installed OS, which was selected when the VM was created. This disk contains the boot volume.
+
+> [!NOTE]
+> You cannot change the OS disk size for the VM on your device. The OS disk size is determined by the VM size that you have selected.
++
+A data disk on the other hand, is a managed disk attached to the VM running on your device. A data disk is used to store application data. Data disks are typically SCSI drives. The size of the VM determines how many data disks you can attach to a VM. By default, premium storage is used to host the disks.
+
+A VM deployed on your device may sometimes contain a temporary disk. The temporary disk provides short-term storage for applications and processes, and is intended to only store data such as page or swap files. Data on the temporary disk may be lost during a maintenance event or when you redeploy a VM. During a successful standard reboot of the VM, data on the temporary disk will persist.
++
+## Prerequisites
+
+Before you begin to manage disks on the VMs running on your device via the Azure portal, make sure that:
++
+1. You've access to an activated Azure Stack Edge Pro GPU device. You have also enabled a network interface for compute on your device. This action creates a virtual switch on that network interface on your VM.
+ 1. In the local UI of your device, go to **Compute**. Select the network interface that you will use to create a virtual switch.
+
+ > [!IMPORTANT]
+ > You can only configure one port for compute.
+
+ 1. Enable compute on the network interface. Azure Stack Edge Pro GPU creates and manages a virtual switch corresponding to that network interface.
+
+1. You have at least one VM deployed on your device. To create this VM, see the instructions in [Deploy VM on your Azure Stack Edge Pro via the Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).
+++
+## Add a data disk
+
+Follow these steps to add a disk to a virtual machine deployed on your device.
+
+1. Go to the virtual machine to which you want to add a data disk and then go to the **Overview** page. Select **Disks**.
+
+ ![Select Disks on Overview page](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/add-data-disk-1.png)
+
+1. In the **Disks** blade, under **Data Disks**, select **Create and attach a new disk**.
+
+ ![Create and attach a new disk](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/add-data-disk-2.png)
+
+1. In the **Create a new disk** blade, enter the following parameters:
+
+
+ |Field |Description |
+ |||
+ |Name | A unique name within the resource group. The name cannot be changed after the data disk is created. |
+ |Size| The size of your data disk in GiB. The maximum size of a data disk is determined by the VM size that you have selected. When provisioning a disk, you should also consider the actual space on your device and other VM workloads that are running that consume capacity. |
+
+ ![Create a new disk blade](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/add-data-disk-3.png)
+
+ Select **OK** and proceed.
+
+1. In the **Overview** page, under **Disks**, you'll see an entry corresponding to the new disk. Accept the default or assign a valid Logical Unit Number (LUN) to the disk and select **Save**. A LUN is a unique identifier for a SCSI disk. For more information, see [What is a LUN?](../virtual-machines/linux/azure-to-guest-disk-mapping.md#what-is-a-lun).
+
+ ![New disk on Overview page](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/add-data-disk-4.png)
+
+1. You'll see a notification that disk creation is in progress. After the disk is successfully created, the virtual machine is updated.
+
+ ![Notification for disk creation](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/add-data-disk-5.png)
+
+1. Navigate back to the **Overview** page. The list of disks updates to display the newly created data disk.
+
+ ![Updated list of data disks](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/add-data-disk-6.png)
++
+## Change a data disk
+
+Follow these steps to change a disk associated with a virtual machine deployed on your device.
+
+1. Go to the virtual machine which has the data disk to change and go to the **Overview** page. Select **Disks**.
+
+1. In the list of data disks, select the disk that you wish to change. In the far right of the disk selected, select the edit icon (pencil).
+
+ ![Select a disk to change](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/edit-data-disk-1.png)
+
+1. In the **Change disk** blade, you can only change the size of the disk. The name associated with the disk can't be changed once it is created. Change the **Size** and save the changes.
+
+ ![Change size of the data disk](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/edit-data-disk-2.png)
+
+ > [!NOTE]
+ > You can only expand a data disk, you can't shrink the disk.
+
+1. On the **Overview** page, the list of disks refreshes to display the updated disk.
++
+## Attach an existing disk
+
+Follow these steps to attach an existing disk to the virtual machine deployed on your device.
+
+1. Go to the virtual machine to which you wish to attach the existing disk and then go to the **Overview** page. Select **Disks**.
+
+ ![Select Disks ](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/list-data-disks-1.png)
+
+1. In the **Disks** blade, under **Data Disks**, select **Attach an existing disk**.
+
+ ![Select attach an existing disk](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/attach-existing-data-disk-1.png)
+
+1. Accept default LUN or assign a valid LUN. Choose an existing data disk from the dropdown list. Select Save.
+
+ ![Select an existing disk](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/attach-existing-data-disk-2.png)
+
+ Select **Save** and proceed.
+
+1. You'll see a notification that the virtual machine is updated. After the VM is updated, navigate back to the **Overview** page. Refresh the page to view the newly attached disk in the list of data disks.
+
+ ![View updated list of data disks on Overview page](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/list-data-disks-2.png)
++
+## Detach a data disk
+
+Follow these steps to detach or remove a data disk associated with a virtual machine deployed on your device.
+
+> [!NOTE]
+> - You can remove a data disk while the VM is running. Make sure that nothing is actively using the disk before detaching it from the VM.
+> - If you detach a disk, it is not automatically deleted.
+
+1. Go to the virtual machine from which you wish to detach a data disk and go to the **Overview** page. Select **Disks**.
+
+ ![Select Disks](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/list-data-disks-1.png)
+
+1. In the list of disks, select the disk that you wish to detach. In the far right of the disk selected, select the detach icon (cross). The selected entry will be detached. Select **Save**.
+
+ ![Select a disk to detach](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/detach-data-disk-1.png)
+
+1. After the disk is detached, the virtual machine is updated. Refresh the **Overview** page to view the updated list of data disks.
+
+ ![Select save](./media/azure-stack-edge-gpu-manage-virtual-machine-disks-portal/list-data-disks-2.png)
++
+## Next steps
+
+To learn how to deploy virtual machines on your Azure Stack Edge Pro device, see [Deploy virtual machines via the Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).
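Review bot: the intro says the article covers adding a data disk, detaching one, "and finally resize the VM itself", but resizing is not in this article (it has its own page) while the "Change a data disk" and "Attach an existing disk" sections are not mentioned; align the intro with the actual sections. The title and description name Pro GPU, Pro R and Mini R, but the H1 and the Prerequisites mention only Pro GPU. In "Attach an existing disk", step 3 says "Select Save" and is immediately followed by "Select **Save** and proceed"; drop one. In the detach note, "Make sure that nothing is actively using the disk" would be more actionable as "unmount the disk inside the guest OS before detaching it".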
databox-online Azure Stack Edge Gpu Manage Virtual Machine Network Interfaces Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-manage-virtual-machine-network-interfaces-portal.md
Previously updated : 03/23/2021 Last updated : 03/30/2021 # Customer intent: As an IT admin, I need to understand how to manage network interfaces on an Azure Stack Edge Pro device so that I can use it to run applications using Edge compute before sending it to Azure.
Your device supports only one virtual switch but multiple virtual network interf
Before you begin to manage VMs on your device via the Azure portal, make sure that:
-1. You have enabled a network interface for compute on your device. This action creates a virtual switch on that network interface on your VM.
+1. You've access to an activated Azure Stack Edge Pro GPU device. You have enabled a network interface for compute on your device. This action creates a virtual switch on that network interface on your VM.
1. In the local UI of your device, go to **Compute**. Select the network interface that you will use to create a virtual switch. > [!IMPORTANT]
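Review bot: the kept sentence in the changed prerequisite says the action "creates a virtual switch on that network interface on your VM", but the switch is created on the device's network interface, not on the VM (the introduction above says the device supports one virtual switch with multiple virtual network interfaces); suggest "creates a virtual switch on that network interface of your device". Also "You've access to" should be "You have access to", and the item now bundles two distinct prerequisites (an activated device, and an interface enabled for compute) into one list entry; consider splitting them so each can be checked on its own.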
databox-online Azure Stack Edge Gpu Manage Virtual Machine Resize Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-manage-virtual-machine-resize-portal.md
+
+ Title: Resize VMs on Azure Stack Edge Pro GPU, Pro R, Mini R via the Azure portal
+description: Learn how to resize the virtual machines (VM) running on your Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, Azure Stack Edge Mini R via the Azure portal.
++++++ Last updated : 03/30/2021+
+Customer intent: As an IT admin, I need to understand how to resize VMs running on an Azure Stack Edge Pro device so that I can use it to run applications using Edge compute before sending it to Azure.
++
+# Use the Azure portal to resize the VMs on your Azure Stack Edge Pro GPU
++
+This article explains how to resize the virtual machines (VMs) deployed on your Azure Stack Edge Pro GPU device.
+
+
+## About VM sizing
+
+The VM size determines the amount of compute resources (like CPU, GPU, and memory) that are made available to the VM. You should create virtual machines by using a VM size appropriate for your application workload.
+
+Even though all the machines will be running on the same hardware, machine sizes have different limits for disk access. This can help you manage overall disk access across your VMs. If a workload increases, you can also resize an existing virtual machine.
+
+For more information, see [Supported VM sizes for your device](azure-stack-edge-gpu-virtual-machine-sizes.md).
++
+## Prerequisites
+
+Before you resize a VM running on your device via the Azure portal, make sure that:
+
+1. You have at least one VM deployed on your device. To create this VM, see the instructions in [Deploy VM on your Azure Stack Edge Pro via the Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).
+
+1. Your VM should be in **Stopped** state. To stop your VM, go to **Virtual machines > Overview** and select the VM you want to stop. In the Overview page, select **Stop** and then select **Yes** when prompted for confirmation. Before you resize your VM, you must stop the VM.
+
+ ![Stop VM from Overview page](./media/azure-stack-edge-gpu-manage-virtual-machine-network-interfaces-portal/stop-vm-2.png)
++
+## Resize a VM
+
+Follow these steps to resize a virtual machine deployed on your device.
+
+1. Go to the virtual machine that you have stopped and then go to the **Overview** page. Select **VM size (change)**.
+
+ ![Select VM Size Change on Overview page](./media/azure-stack-edge-gpu-manage-virtual-machine-resize-portal/change-vm-size-1.png)
+
+2. In the **Change VM size** blade, from the command bar, select the **VM size** and then select **Change**.
+
+ ![Select new VM size](./media/azure-stack-edge-gpu-manage-virtual-machine-resize-portal/change-vm-size-2.png)
+
+3. You'll see a notification that the virtual machine is being updated. After the virtual machine is successfully updated, the **Overview** page refreshes to display the resized VM.
+
+ ![Resized VM ](./media/azure-stack-edge-gpu-manage-virtual-machine-resize-portal/change-vm-size-3.png)
++
+## Next steps
+
+To learn how to deploy virtual machines on your Azure Stack Edge Pro device, see [Deploy virtual machines via the Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).
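Review bot: the title and description cover Azure Stack Edge Pro GPU, Pro R and Mini R, but the H1 and the body refer only to "Azure Stack Edge Pro GPU"; align them so readers on Pro R and Mini R know the article applies to them. In Prerequisites, item 2 repeats itself ("Your VM should be in **Stopped** state ... Before you resize your VM, you must stop the VM"), and its screenshot is pulled from the network-interfaces-portal media folder rather than this article's own folder, which will silently break if that article's images are renamed. In the procedure, step 2's "from the command bar, select the **VM size**" does not say that a size is chosen from a list of supported sizes, and step 3 would be more useful if it also documented what the portal does when the VM is still running, so the prerequisite is enforced rather than only stated. Minor: the alt text "Resized VM " has a trailing space.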
databox-online Azure Stack Edge Gpu Virtual Machine Sizes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-virtual-machine-sizes.md
Previously updated : 02/22/2021 Last updated : 03/27/2021 #Customer intent: As an IT admin, I need to understand how to create and manage virtual machines (VMs) on my Azure Stack Edge Pro device by using APIs, so that I can efficiently manage my VMs.
databox-online Azure Stack Edge Pro R Safety https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-pro-r-safety.md
The following hazard icons are to be observed when setting up and running your A
| Icon | Description | |: |: | | ![Read All Instructions First](./media/azure-stack-edge-pro-r-safety/icon-safety-read-all-instructions.png) | Read All Instructions First |
-| ![Notice Icon](./media/azure-stack-edge-mini-r-safety/icon-safety-notice.png) **NOTICE:** | Indicates information considered important, but not hazard-related. || ![Hazard Symbol](./media/azure-stack-edge-pro-r-safety/icon-safety-warning.png) | Hazard Symbol |
+| ![Notice Icon](./media/azure-stack-edge-mini-r-safety/icon-safety-notice.png) **NOTICE:** | Indicates information considered important, but not hazard-related. |
+| ![Hazard Symbol](./media/azure-stack-edge-pro-r-safety/icon-safety-warning.png) | Hazard Symbol |
| ![Tip Hazard Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-tip-hazard.png) | Tip Hazard| | ![Heavy Weight Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-heavy-weight.png) | Heavy Weight Hazard| | ![Electrical Shock Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-electric-shock.png) | Electric Shock Hazard |
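Review bot: splitting the merged row into two rows fixes the table, but the NOTICE icon still points at ./media/azure-stack-edge-mini-r-safety/ while every other icon in this Pro R table comes from ./media/azure-stack-edge-pro-r-safety/; if that is not deliberate sharing of a single asset, copy the image into the pro-r-safety folder so this article does not depend on the Mini R article's media. The **NOTICE:** label is also placed in the icon column rather than the description column, unlike the other rows.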
The following hazard icons are to be observed when setting up and running your A
| ![Multiple Power Sources Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-disconnect-all-power.png) | Multiple power sources. Disconnect all power cords to remove all power from the equipment. | | ![Pinching Points Icon](./media/azure-stack-edge-pro-r-safety/icon-pinching-points.png) | Pinching points are present. | | ![Hot Components or Surfaces Icon](./media/azure-stack-edge-pro-r-safety/icon-hot-component-surface.png) | Indicates hot components or surfaces. |
-|
+ ## Handling precautions and site selection
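Review bot: the new heading line is indented with a leading space (" ## Handling precautions and site selection"); a single space still renders as a heading but is inconsistent with the other headings in the file and easy to break with further indentation, so drop it. Removing the stray "|" line that trailed the table is right; keep a blank line between the table and the heading so the heading is not parsed as a continuation of the table.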
databox-online Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/policy-reference.md
Title: Built-in policy definitions for Azure Stack Edge description: Lists Azure Policy built-in policy definitions for Azure Stack Edge. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
databox Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/policy-reference.md
Title: Built-in policy definitions for Azure Data Box description: Lists Azure Policy built-in policy definitions for Azure Data Box. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
databox Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Box description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Box. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 03/24/2021 Last updated : 03/31/2021
digital-twins Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/overview.md
The following diagram shows where Azure Digital Twins lies in the context of a l
## Service limits
-For a l