Updates from: 04/14/2021 03:10:19
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory User Provisioning Sync Attributes For Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md
For users in on-premises Active Directory, you must sync the users to Azure AD.
## Create an extension attribute on a cloud only user You can use Microsoft Graph and PowerShell to extend the user schema for users in Azure AD. These extension attributes are automatically discovered in most cases.
-When you've more than 1000 service principals, you may find extensions missing in the source attribute list. If an attribute you've created doesn't automatically appear, then verify the attribute was created and add it manually to your schema. To verify it was created, use Microsoft Graph and [Graph Explorer](/graph/graph-explorer/graph-explorer-overview.md). To add it manually to your schema, see [Editing the list of supported attributes](customize-application-attributes.md#editing-the-list-of-supported-attributes).
+When you've more than 1000 service principals, you may find extensions missing in the source attribute list. If an attribute you've created doesn't automatically appear, then verify the attribute was created and add it manually to your schema. To verify it was created, use Microsoft Graph and [Graph Explorer](/graph/graph-explorer/graph-explorer-overview). To add it manually to your schema, see [Editing the list of supported attributes](customize-application-attributes.md#editing-the-list-of-supported-attributes).
### Create an extension attribute on a cloud only user using Microsoft Graph
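Review bot: while the `+` line is being touched for the link fix, "When you've more than 1000 service principals" should read "When you have more than 1,000 service principals". The link change itself is consistent: the cross-repo Graph Explorer link drops `.md` while the same-repo `customize-application-attributes.md#editing-the-list-of-supported-attributes` link keeps it, matching the other `/graph/...` fixes in this commit.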
-You can extend the schema of Azure AD users using [Microsoft Graph](/graph/overview.md).
+You can extend the schema of Azure AD users using [Microsoft Graph](/graph/overview).
First, list the apps in your tenant to get the ID of the app you're working on. To learn more, see [List extensionProperties](/graph/api/application-list-extensionproperty?view=graph-rest-1.0&tabs=http&preserve-view=true).
Content-type: application/json
} ```
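Review bot: the trailing context after this hunk says "First, list the apps in your tenant to get the ID of the app you're working on" but links to List extensionProperties, which lists the extension properties of one application rather than the applications themselves; link the list-applications operation for this step and keep List extensionProperties for the later "verify the attribute was created" step.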
-The previous request created an extension attribute with the format `extension_appID_extensionName`. You can now update a user with this extension attribute. To learn more, see [Update user](/graph/api/user-update.md?view=graph-rest-1.0&tabs=http&preserve-view=true).
+The previous request created an extension attribute with the format `extension_appID_extensionName`. You can now update a user with this extension attribute. To learn more, see [Update user](/graph/api/user-update?view=graph-rest-1.0&tabs=http&preserve-view=true).
```json PATCH https://graph.microsoft.com/v1.0/users/{id} Content-type: application/json
Content-type: application/json
"extension_inputAppId_extensionName": "extensionValue" } ```
-Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get.md?view=graph-rest-1.0&tabs=http#example-3-users-request-using-select&preserve-view=true).
+Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get?view=graph-rest-1.0&tabs=http#example-3-users-request-using-select&preserve-view=true).
```json GET https://graph.microsoft.com/v1.0/users/{id}?$select=displayName,extension_inputAppId_extensionName
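Review bot: the verify request's `$select=displayName,extension_inputAppId_extensionName` (and the PATCH body above it) use the placeholder `inputAppId`, while the `+` prose line describes the format as `extension_appID_extensionName`; use one placeholder spelling in both places so readers can map the name segments to the application ID and the extension name.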
active-directory Concept Continuous Access Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md
Continuous access evaluation is implemented by enabling services, like Exchange
This process enables the scenario where users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within mins after one of these critical events. > [!NOTE]
-> Teams does not support user risk events yet.
+> Teams and SharePoint Online does not support user risk events yet.
### Conditional Access policy evaluation (preview)
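Review bot: the `+` line "Teams and SharePoint Online does not support user risk events yet" has a compound subject and needs a plural verb: "Teams and SharePoint Online do not support user risk events yet."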
active-directory Active Directory Configurable Token Lifetimes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-configurable-token-lifetimes.md
Previously updated : 02/01/2021 Last updated : 04/08/2021
Customers with [Microsoft 365 Business licenses](/office365/servicedescriptions/
## Token lifetime policies for access, SAML, and ID tokens
-You can set token lifetime policies for access tokens, SAML tokens, and ID tokens.
+You can set token lifetime policies for access tokens, SAML tokens, and ID tokens.
### Access tokens
-Clients use access tokens to access a protected resource. An access token can be used only for a specific combination of user, client, and resource. Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has obtained an access token can use it for extent of its lifetime. Adjusting the lifetime of an access token is a trade-off between improving system performance and increasing the amount of time that the client retains access after the userΓÇÖs account is disabled. Improved system performance is achieved by reducing the number of times a client needs to acquire a fresh access token. The default is 1 hour - after 1 hour, the client must use the refresh token to (usually silently) acquire a new refresh token and access token.
+Clients use access tokens to access a protected resource. An access token can be used only for a specific combination of user, client, and resource. Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has obtained an access token can use it for extent of its lifetime. Adjusting the lifetime of an access token is a trade-off between improving system performance and increasing the amount of time that the client retains access after the userΓÇÖs account is disabled. Improved system performance is achieved by reducing the number of times a client needs to acquire a fresh access token. The default varies, depending on the client application requesting the token. For example, continuous access evaluation (CAE) capable clients that negotiate CAE-aware sessions will see a long lived token lifetime (up to 28 hours). After the token expires, the client must use the refresh token to (usually silently) acquire a new refresh token and access token.
### SAML tokens
The subject confirmation NotOnOrAfter specified in the `<SubjectConfirmationData
ID tokens are passed to websites and native clients. ID tokens contain profile information about a user. An ID token is bound to a specific combination of user and client. ID tokens are considered valid until their expiry. Usually, a web application matches a userΓÇÖs session lifetime in the application to the lifetime of the ID token issued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the application session, and how often it requires the user to be re-authenticated with the Microsoft identity platform (either silently or interactively).
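Review bot: in the `+` line, "long lived token lifetime (up to 28 hours)" comes two sentences after "Access tokens cannot be revoked and are valid until their expiry", which reads as a contradiction unless the reader already knows what CAE adds; add a clause, or a link to the continuous access evaluation article (whose text elsewhere in this changeset says clients lose access "within mins after one of these critical events"), explaining that the longer lifetime is only negotiated with clients that can react to CAE revocation events. Also hyphenate "long-lived" and, while the sentence is open, fix the pre-existing "can use it for extent of its lifetime" to "for the extent of its lifetime".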
-### Token lifetime policy properties
-
-A token lifetime policy is a type of policy object that contains token lifetime rules. This policy controls how long access, SAML, and ID tokens for this resource are considered valid. If no policy is set, the system enforces the default lifetime value.
-
-Reducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a malicious actor for an extended period of time. (These tokens cannot be revoked.) The trade-off is that performance is adversely affected, because the tokens have to be replaced more often.
-
-For an example, see [Create a policy for web sign-in](configure-token-lifetimes.md#create-a-policy-for-web-sign-in).
-
-| Property | Policy property string | Affects | Default | Minimum | Maximum |
-| | | | | | |
-| Access Token Lifetime |AccessTokenLifetime |Access tokens, ID tokens, SAML2 tokens |1 hour |10 minutes |1 day |
-
-> [!NOTE]
-> To ensure the Microsoft Teams Web client works, it is recommended to keep AccessTokenLifetime to greater than 15 minutes for Microsoft Teams.
- ## Token lifetime policies for refresh tokens and session tokens You can not set token lifetime policies for refresh tokens and session tokens. > [!IMPORTANT]
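Review bot: the removed block ends with the note "To ensure the Microsoft Teams Web client works, it is recommended to keep AccessTokenLifetime to greater than 15 minutes for Microsoft Teams", and no `+` line in this commit carries that guidance into the new property list, which still states a 10-minute minimum. If the Teams constraint still holds, restore the note under the new Access Token Lifetime properties: a 10-minute AccessTokenLifetime that the docs say is allowed but that breaks a first-party client is exactly what admins will hit when they tighten lifetimes for security reasons.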
-> As of January 30, 2021 you can not configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the [default configuration](#configurable-token-lifetime-properties-after-the-retirement). You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement.
+> As of January 30, 2021 you can not configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the [default configuration](#configurable-token-lifetime-properties). You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement.
> > Existing tokenΓÇÖs lifetime will not be changed. After they expire, a new token will be issued based on the default value. > > If you need to continue to define the time period before a user is asked to sign in again, configure sign-in frequency in Conditional Access. To learn more about Conditional Access, read [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md). -
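Review bot: the anchor now matches the `## Configurable token lifetime properties` heading introduced later in this commit, good; while the line is open, "you can not configure refresh and session token lifetimes" should read "you cannot configure", and the same "can not" appears in the section heading context just above.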
-### Refresh tokens
-
-When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. A refresh token is bound to a combination of user and client. A refresh token can be [revoked at any time](access-tokens.md#token-revocation), and the token's validity is checked every time the token is used. Refresh tokens are not revoked when used to fetch new access tokens - it's best practice, however, to securely delete the old token when getting a new one.
-
-It's important to make a distinction between confidential clients and public clients, as this impacts how long refresh tokens can be used. For more information about different types of clients, see [RFC 6749](https://tools.ietf.org/html/rfc6749#section-2.1).
-
-#### Token lifetimes with confidential client refresh tokens
-Confidential clients are applications that can securely store a client password (secret). They can prove that requests are coming from the secured client application and not from a malicious actor. For example, a web app is a confidential client because it can store a client secret on the web server. It is not exposed. Because these flows are more secure, the default lifetimes of refresh tokens issued to these flows is `until-revoked`, cannot be changed by using policy, and will not be revoked on voluntary password resets.
-
-#### Token lifetimes with public client refresh tokens
-
-Public clients cannot securely store a client password (secret). For example, an iOS/Android app cannot obfuscate a secret from the resource owner, so it is considered a public client. You can set policies on resources to prevent refresh tokens from public clients older than a specified period from obtaining a new access/refresh token pair. To do this, use the [Refresh Token Max Inactive Time property](#refresh-token-max-inactive-time) (`MaxInactiveTime`). You also can use policies to set a period beyond which the refresh tokens are no longer accepted. To do this, use the [Single-Factor Refresh Token Max Age](#single-factor-session-token-max-age) or [Multi-Factor Session Token Max Age](#multi-factor-refresh-token-max-age) property. You can adjust the lifetime of a refresh token to control when and how often the user is required to reenter credentials, instead of being silently reauthenticated, when using a public client application.
-
-The Max Age property is the length of time a single token can be used.
-
-### Single sign-on session tokens
-When a user authenticates with the Microsoft identity platform, a single sign-on session (SSO) is established with the userΓÇÖs browser and the Microsoft identity platform. The SSO token, in the form of a cookie, represents this session. The SSO session token is not bound to a specific resource/client application. SSO session tokens can be revoked, and their validity is checked every time they are used.
-
-The Microsoft identity platform uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are destroyed when the browser is closed.)
-Usually, a nonpersistent session token is stored. But, when the user selects the **Keep me signed in** check box during authentication, a persistent session token is stored.
-
-Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 90 days. Anytime an SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days, depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and is no longer accepted.
-
-You can use a policy to set the time after the first session token was issued beyond which the session token is no longer accepted. (To do this, use the Session Token Max Age property.) You can adjust the lifetime of a session token to control when and how often a user is required to reenter credentials, instead of being silently authenticated, when using a web application.
-
-### Refresh and session token lifetime policy properties
-A token lifetime policy is a type of policy object that contains token lifetime rules. Use the properties of the policy to control specified token lifetimes. If no policy is set, the system enforces the default lifetime value.
-
-#### Configurable token lifetime properties
-| Property | Policy property string | Affects | Default | Minimum | Maximum |
-| | | | | | |
-| Refresh Token Max Inactive Time |MaxInactiveTime |Refresh tokens |90 days |10 minutes |90 days |
-| Single-Factor Refresh Token Max Age |MaxAgeSingleFactor |Refresh tokens (for any users) |Until-revoked |10 minutes |Until-revoked<sup>1</sup> |
-| Multi-Factor Refresh Token Max Age |MaxAgeMultiFactor |Refresh tokens (for any users) | Until-revoked |10 minutes |180 days<sup>1</sup> |
-| Single-Factor Session Token Max Age |MaxAgeSessionSingleFactor |Session tokens (persistent and nonpersistent) |Until-revoked |10 minutes |Until-revoked<sup>1</sup> |
-| Multi-Factor Session Token Max Age |MaxAgeSessionMultiFactor |Session tokens (persistent and nonpersistent) | Until-revoked |10 minutes | 180 days<sup>1</sup> |
-
-* <sup>1</sup>365 days is the maximum explicit length that can be set for these attributes.
-
-#### Exceptions
-| Property | Affects | Default |
-| | | |
-| Refresh Token Max Age (issued for federated users who have insufficient revocation information<sup>1</sup>) |Refresh tokens (issued for federated users who have insufficient revocation information<sup>1</sup>) |12 hours |
-| Refresh Token Max Inactive Time (issued for confidential clients) |Refresh tokens (issued for confidential clients) |90 days |
-| Refresh Token Max Age (issued for confidential clients) |Refresh tokens (issued for confidential clients) |Until-revoked |
-
-* <sup>1</sup> Federated users who have insufficient revocation information include any users who do not have the "LastPasswordChangeTimestamp" attribute synced. These users are given this short Max Age because Azure Active Directory is unable to verify when to revoke tokens that are tied to an old credential (such as a password that has been changed) and must check back in more frequently to ensure that the user and associated tokens are still in good standing. To improve this experience, tenant admins must ensure that they are syncing the ΓÇ£LastPasswordChangeTimestampΓÇ¥ attribute (this can be set on the user object using PowerShell or through AADSync).
-
-### Configurable policy property details
-
-#### Refresh Token Max Inactive Time
-**String:** MaxInactiveTime
+## Configurable token lifetime properties
+A token lifetime policy is a type of policy object that contains token lifetime rules. This policy controls how long access, SAML, and ID tokens for this resource are considered valid. Token lifetime policies cannot be set for refresh and session tokens. If no policy is set, the system enforces the default lifetime value.
-**Affects:** Refresh tokens
+### Access, ID, and SAML2 token lifetime policy properties
-**Summary:** This policy controls how old a refresh token can be before a client can no longer use it to retrieve a new access/refresh token pair when attempting to access this resource. Because a new refresh token usually is returned when a refresh token is used, this policy prevents access if the client tries to access any resource by using the current refresh token during the specified period of time.
-
-This policy forces users who have not been active on their client to reauthenticate to retrieve a new refresh token.
-
-The Refresh Token Max Inactive Time property must be set to a lower value than the Single-Factor Token Max Age and the Multi-Factor Refresh Token Max Age properties.
-
-For an example, see [Create a policy for a native app that calls a web API](configure-token-lifetimes.md#create-a-policy-for-a-native-app-that-calls-a-web-api).
-
-#### Single-Factor Refresh Token Max Age
-**String:** MaxAgeSingleFactor
-
-**Affects:** Refresh tokens
-
-**Summary:** This policy controls how long a user can use a refresh token to get a new access/refresh token pair after they last authenticated successfully by using only a single factor. After a user authenticates and receives a new refresh token, the user can use the refresh token flow for the specified period of time. (This is true as long as the current refresh token is not revoked, and it is not left unused for longer than the inactive time.) At that point, the user is forced to reauthenticate to receive a new refresh token.
-
-Reducing the max age forces users to authenticate more often. Because single-factor authentication is considered less secure than multi-factor authentication, we recommend that you set this property to a value that is equal to or lesser than the Multi-Factor Refresh Token Max Age property.
-
-For an example, see [Create a policy for a native app that calls a web API](configure-token-lifetimes.md#create-a-policy-for-a-native-app-that-calls-a-web-api).
-
-#### Multi-Factor Refresh Token Max Age
-**String:** MaxAgeMultiFactor
-
-**Affects:** Refresh tokens
-
-**Summary:** This policy controls how long a user can use a refresh token to get a new access/refresh token pair after they last authenticated successfully by using multiple factors. After a user authenticates and receives a new refresh token, the user can use the refresh token flow for the specified period of time. (This is true as long as the current refresh token is not revoked, and it is not unused for longer than the inactive time.) At that point, users are forced to reauthenticate to receive a new refresh token.
-
-Reducing the max age forces users to authenticate more often. Because single-factor authentication is considered less secure than multi-factor authentication, we recommend that you set this property to a value that is equal to or greater than the Single-Factor Refresh Token Max Age property.
-
-For an example, see [Create a policy for a native app that calls a web API](configure-token-lifetimes.md#create-a-policy-for-a-native-app-that-calls-a-web-api).
-
-#### Single-Factor Session Token Max Age
-**String:** MaxAgeSessionSingleFactor
-
-**Affects:** Session tokens (persistent and nonpersistent)
-
-**Summary:** This policy controls how long a user can use a session token to get a new ID and session token after they last authenticated successfully by using only a single factor. After a user authenticates and receives a new session token, the user can use the session token flow for the specified period of time. (This is true as long as the current session token is not revoked and has not expired.) After the specified period of time, the user is forced to reauthenticate to receive a new session token.
-
-Reducing the max age forces users to authenticate more often. Because single-factor authentication is considered less secure than multi-factor authentication, we recommend that you set this property to a value that is equal to or less than the Multi-Factor Session Token Max Age property.
+Reducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a malicious actor for an extended period of time. (These tokens cannot be revoked.) The trade-off is that performance is adversely affected, because the tokens have to be replaced more often.
For an example, see [Create a policy for web sign-in](configure-token-lifetimes.md#create-a-policy-for-web-sign-in).
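Review bot: this hunk drops the "Exceptions" table, including the 12-hour Refresh Token Max Age for federated users "who do not have the 'LastPasswordChangeTimestamp' attribute synced" and the explanation that Azure AD shortens the lifetime because it cannot tell when to revoke tokens tied to an old credential, and nothing in the added `## Configurable token lifetime properties` text restates it. That row described default platform behaviour, not a configurable property, so the retirement of refresh and session token configuration is not a reason to remove it; the same goes for the confidential versus public client distinction (`until-revoked` refresh tokens for confidential clients). Keep a short "defaults that still apply" paragraph with both points, and the advice to sync LastPasswordChangeTimestamp.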
-#### Multi-Factor Session Token Max Age
-**String:** MaxAgeSessionMultiFactor
+Access, ID, and SAML2 token configuration are affected by the following properties and their respectively set values:
-**Affects:** Session tokens (persistent and nonpersistent)
+- **Property**: Access Token Lifetime
+- **Policy property string**: AccessTokenLifetime
+- **Affects**: Access tokens, ID tokens, SAML2 tokens
+- **Default**:
+ - Access tokens: varies, depending on the client application requesting the token. For example, continuous access evaluation (CAE) capable clients that negotiate CAE-aware sessions will see a long lived token lifetime (up to 28 hours).
+ - ID tokens, SAML2 tokens: 1 hour
+- **Minimum**: 10 minutes
+- **Maximum**: 1 day
-**Summary:** This policy controls how long a user can use a session token to get a new ID and session token after the last time they authenticated successfully by using multiple factors. After a user authenticates and receives a new session token, the user can use the session token flow for the specified period of time. (This is true as long as the current session token is not revoked and has not expired.) After the specified period of time, the user is forced to reauthenticate to receive a new session token.
-
-Reducing the max age forces users to authenticate more often. Because single-factor authentication is considered less secure than multi-factor authentication, we recommend that you set this property to a value that is equal to or greater than the Single-Factor Session Token Max Age property.
+### Refresh and session token lifetime policy properties
-## Configurable token lifetime properties after the retirement
-Refresh and session token configuration are affected by the following properties and their respectively set values. After the retirement of refresh and session token configuration on January 30, 2021, Azure AD will only honor the default values described below. If you decide not to use Conditional Access to manage sign-in frequency, your refresh and session tokens will be set to the default configuration on that date and youΓÇÖll no longer be able to change their lifetimes.
+Refresh and session token configuration are affected by the following properties and their respectively set values. After the retirement of refresh and session token configuration on January 30, 2021, Azure AD will only honor the default values described below. If you decide not to use [Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to manage sign-in frequency, your refresh and session tokens will be set to the default configuration on that date and youΓÇÖll no longer be able to change their lifetimes.
|Property |Policy property string |Affects |Default | |-|--|||
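Review bot: the new property list states "**Maximum**: 1 day" but the default bullet directly above it says CAE-capable clients "will see a long lived token lifetime (up to 28 hours)", which exceeds that maximum; clarify whether Minimum and Maximum bound only the value an admin can set in `AccessTokenLifetime` while the CAE default applies when no policy is set, or whether a configured policy also caps CAE-negotiated sessions. Minor: "their respectively set values" in the lead-in sentence should be "their respective values".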
-|Access Token Lifetime |AccessTokenLifetime |Access tokens, ID tokens, SAML2 tokens |1 hour |
|Refresh Token Max Inactive Time |MaxInactiveTime |Refresh tokens |90 days | |Single-Factor Refresh Token Max Age |MaxAgeSingleFactor |Refresh tokens (for any users) |Until-revoked | |Multi-Factor Refresh Token Max Age |MaxAgeMultiFactor |Refresh tokens (for any users) |Until-revoked |
You can create and then assign a token lifetime policy to a specific application
* If a policy is explicitly assigned to the service principal, it is enforced. * If no policy is explicitly assigned to the service principal, a policy explicitly assigned to the parent organization of the service principal is enforced. * If no policy is explicitly assigned to the service principal or to the organization, the policy assigned to the application is enforced.
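Review bot: after removing the `|Access Token Lifetime |AccessTokenLifetime |Access tokens, ID tokens, SAML2 tokens |1 hour |` row, the defaults table under "Refresh and session token lifetime policy properties" lists only the three refresh token properties (MaxInactiveTime, MaxAgeSingleFactor, MaxAgeMultiFactor) in this hunk; MaxAgeSessionSingleFactor and MaxAgeSessionMultiFactor, whose Until-revoked defaults were in the table deleted above, no longer appear anywhere although the heading and lead-in still promise session token defaults. Add the two session token rows or drop "and session" from the heading.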
-* If no policy has been assigned to the service principal, the organization, or the application object, the default values are enforced. (See the table in [Configurable token lifetime properties](#configurable-token-lifetime-properties-after-the-retirement).)
+* If no policy has been assigned to the service principal, the organization, or the application object, the default values are enforced. (See the table in [Configurable token lifetime properties](#configurable-token-lifetime-properties).)
For more information about the relationship between application objects and service principal objects, see [Application and service principal objects in Azure Active Directory](app-objects-and-service-principals.md).
A tokenΓÇÖs validity is evaluated at the time the token is used. The policy with
All timespans used here are formatted according to the C# [TimeSpan](/dotnet/api/system.timespan) object - D.HH:MM:SS. So 80 days and 30 minutes would be `80.00:30:00`. The leading D can be dropped if zero, so 90 minutes would be `00:90:00`.
-### Example scenario
-
-A user wants to access two web applications: Web Application A and Web Application B.
-
-Factors:
-* Both web applications are in the same parent organization.
-* Token Lifetime Policy 1 with a Session Token Max Age of eight hours is set as the parent organizationΓÇÖs default.
-* Web Application A is a regular-use web application and isnΓÇÖt linked to any policies.
-* Web Application B is used for highly sensitive processes. Its service principal is linked to Token Lifetime Policy 2, which has a Session Token Max Age of 30 minutes.
-
-At 12:00 PM, the user starts a new browser session and tries to access Web Application A. The user is redirected to the Microsoft identity platform and is asked to sign in. This creates a cookie that has a session token in the browser. The user is redirected back to Web Application A with an ID token that allows the user to access the application.
-
-At 12:15 PM, the user tries to access Web Application B. The browser redirects to the Microsoft identity platform, which detects the session cookie. Web Application BΓÇÖs service principal is linked to Token Lifetime Policy 2, but it's also part of the parent organization, with default Token Lifetime Policy 1. Token Lifetime Policy 2 takes effect because policies linked to service principals have a higher priority than organization default policies. The session token was originally issued within the last 30 minutes, so it is considered valid. The user is redirected back to Web Application B with an ID token that grants them access.
-
-At 1:00 PM, the user tries to access Web Application A. The user is redirected to the Microsoft identity platform. Web Application A is not linked to any policies, but because it is in an organization with default Token Lifetime Policy 1, that policy takes effect. The session cookie that was originally issued within the last eight hours is detected. The user is silently redirected back to Web Application A with a new ID token. The user is not required to authenticate.
-
-Immediately afterward, the user tries to access Web Application B. The user is redirected to the Microsoft identity platform. As before, Token Lifetime Policy 2 takes effect. Because the token was issued more than 30 minutes ago, the user is prompted to reenter their sign-in credentials. A brand-new session token and ID token are issued. The user can then access Web Application B.
- ## Cmdlet reference These are the cmdlets in the [Azure Active Directory PowerShell for Graph Preview module](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#service-principals).
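Review bot: deleting the "Example scenario" leaves the precedence rules in the bullet list above ("If a policy is explicitly assigned to the service principal, it is enforced" through "the default values are enforced") without a worked illustration. Dropping it is justified because the scenario hinges on Session Token Max Age, which is no longer configurable, but the same two-application walkthrough could be rebuilt on AccessTokenLifetime, which the new property list says also governs ID tokens (for example an eight-hour organization default against a 30-minute service principal policy, both inside the stated 10-minute to 1-day range). Consider rewriting rather than deleting.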
active-directory Configure Token Lifetimes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/configure-token-lifetimes.md
Previously updated : 02/01/2021 Last updated : 04/08/2021
You can specify the lifetime of an access, SAML, or ID token issued by Microsoft
In this section, we walk through a common policy scenario that can help you impose new rules for token lifetime. In the example, you learn how to create a policy that requires users to authenticate more frequently in your web app. ## Get started
-To get started, do the following steps:
-1. Download the latest [Azure AD PowerShell Module Public Preview release](https://www.powershellgallery.com/packages/AzureADPreview).
-1. Run the `Connect` command to sign in to your Azure AD admin account. Run this command each time you start a new session.
+To get started, download the latest [Azure AD PowerShell Module Public Preview release](https://www.powershellgallery.com/packages/AzureADPreview).
- ```powershell
- Connect-AzureAD -Confirm
- ```
-
-1. To see all policies that have been created in your organization, run the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet. Any results with defined property values that differ from the defaults listed above are in scope of the retirement.
-
- ```powershell
- Get-AzureADPolicy -All $true
- ```
+Next, run the `Connect` command to sign in to your Azure AD admin account. Run this command each time you start a new session.
-1. To see which apps and service principals are linked to a specific policy you identified run the following [Get-AzureADPolicyAppliedObject](/powershell/module/azuread/get-azureadpolicyappliedobject?view=azureadps-2.0-preview&preserve-view=true) cmdlet by replacing **1a37dad8-5da7-4cc8-87c7-efbc0326cf20** with any of your policy IDs. Then you can decide whether to configure Conditional Access sign-in frequency or remain with the Azure AD defaults.
-
- ```powershell
- Get-AzureADPolicyAppliedObject -id 1a37dad8-5da7-4cc8-87c7-efbc0326cf20
- ```
-
-If your tenant has policies which define custom values for the refresh and session token configuration properties, Microsoft recommends you update those policies to values that reflect the defaults described above. If no changes are made, Azure AD will automatically honor the default values.
+```powershell
+Connect-AzureAD -Confirm
+```
## Create a policy for web sign-in
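Review bot: removing steps 3 and 4 takes away the only procedure for finding policies affected by the retirement: `Get-AzureADPolicy -All $true` to list policies whose values differ from the defaults, `Get-AzureADPolicyAppliedObject -id <policy id>` to see which apps and service principals are linked to them, and the recommendation to update those policies to the default values. The companion article change in this commit still tells readers that Azure AD "no longer honors refresh and session token configuration in existing policies", so admins still need a way to locate those stale definitions; keep the two cmdlets as an optional "review existing policies" step. Minor: "Run the `Connect` command" should name the cmdlet, `Connect-AzureAD`, as the code block does.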
-In this example, you create a policy that requires users to authenticate more frequently in your web app. This policy sets the lifetime of the access/ID tokens and the max age of a multi-factor session token to the service principal of your web app.
+In this example, you create a policy that requires users to authenticate more frequently in your web app. This policy sets the lifetime of the access/ID tokens to the service principal of your web app.
1. Create a token lifetime policy.
- This policy, for web sign-in, sets the access/ID token lifetime and the max single-factor session token age to two hours.
+ This policy, for web sign-in, sets the access/ID token lifetime to two hours.
- 1. To create the policy, run the [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
+ To create the policy, run the [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
- ```powershell
- $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
- ```
+ ```powershell
+ $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
+ ```
- 1. To see your new policy, and to get the policy **ObjectId**, run the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
+ To see your new policy, and to get the policy **ObjectId**, run the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
- ```powershell
- Get-AzureADPolicy -Id $policy.Id
- ```
+ ```powershell
+ Get-AzureADPolicy -Id $policy.Id
+ ```
1. Assign the policy to your service principal. You also need to get the **ObjectId** of your service principal.
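Review bot: "sets the lifetime of the access/ID tokens to the service principal of your web app" reads as if the lifetime were assigned to the principal; suggest "sets the lifetime of the access/ID tokens issued for the service principal of your web app". Removing `MaxAgeSessionSingleFactor` from the JSON definition together with the "max single-factor session token age" wording is consistent with the retirement, but the sub-step markers were also flattened: the "1." prefixes on the New-AzureADPolicy and Get-AzureADPolicy sub-steps are dropped while "1. Create a token lifetime policy." keeps its list marker, so check that the two commands still render indented under step 1.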
- 1. Use the [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal) cmdlet to see all your organization's service principals or a single service principal.
- ```powershell
- # Get ID of the service principal
- $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
- ```
-
- 1. When you have the service principal, run the [Add-AzureADServicePrincipalPolicy](/powershell/module/azuread/add-azureadserviceprincipalpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
- ```powershell
- # Assign policy to a service principal
- Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
- ```
-
-## Create token lifetime policies for refresh and session tokens
-> [!IMPORTANT]
-> As of January 30, 2021 you can not configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the [default configuration](active-directory-configurable-token-lifetimes.md#configurable-token-lifetime-properties-after-the-retirement). You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement.
->
-> Existing tokenΓÇÖs lifetime will not be changed. After they expire, a new token will be issued based on the default value.
->
-> If you need to continue to define the time period before a user is asked to sign in again, configure sign-in frequency in Conditional Access. To learn more about Conditional Access, read [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).
-
-### Manage an organization's default policy
-In this example, you create a policy that lets your users' sign in less frequently across your entire organization. To do this, create a token lifetime policy for single-factor refresh tokens, which is applied across your organization. The policy is applied to every application in your organization, and to each service principal that doesnΓÇÖt already have a policy set.
-
-1. Create a token lifetime policy.
-
- 1. Set the single-factor refresh token to "until-revoked." The token doesn't expire until access is revoked. Create the following policy definition:
-
- ```powershell
- @('{
- "TokenLifetimePolicy":
- {
- "Version":1,
- "MaxAgeSingleFactor":"until-revoked"
- }
- }')
- ```
-
- 1. To create the policy, run the [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
-
- ```powershell
- $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1, "MaxAgeSingleFactor":"until-revoked"}}') -DisplayName "OrganizationDefaultPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
- ```
-
- 1. To remove any whitespace, run the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
-
- ```powershell
- Get-AzureADPolicy -id | set-azureadpolicy -Definition @($((Get-AzureADPolicy -id ).Replace(" ","")))
- ```
-
- 1. To see your new policy, and to get the policy's **ObjectId**, run the following command:
-
- ```powershell
- Get-AzureADPolicy -Id $policy.Id
- ```
-
-1. Update the policy.
-
- You might decide that the first policy you set in this example is not as strict as your service requires. To set your single-factor refresh token to expire in two days, run the following command:
+ Use the [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal) cmdlet to see all your organization's service principals or a single service principal.
```powershell
- Set-AzureADPolicy -Id $policy.Id -DisplayName $policy.DisplayName -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"2.00:00:00"}}')
+ # Get ID of the service principal
+ $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
```
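Review bot: the deleted IMPORTANT callout was the only text in this diff that stated the January 30, 2021 retirement, linked to the post-retirement defaults, and pointed readers to Conditional Access sign-in frequency; the "View existing policies in a tenant" text added later in this change still says "the defaults listed above" and "in scope of the retirement", so an equivalent statement and link must precede it in the final article or those references dangle. Dropping the whitespace-stripping command `Get-AzureADPolicy -id | set-azureadpolicy -Definition @($((Get-AzureADPolicy -id ).Replace(" ","")))` is the right call: it passed no value to `-id` in either call and could not have run as written.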
-### Create a policy for a native app that calls a web API
-In this example, you create a policy that requires users to authenticate less frequently. The policy also lengthens the amount of time a user can be inactive before the user must reauthenticate. The policy is applied to the web API. When the native app requests the web API as a resource, this policy is applied.
-
-1. Create a token lifetime policy.
-
- 1. To create a strict policy for a web API, run the [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
-
- ```powershell
- $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"30.00:00:00","MaxAgeMultiFactor":"until-revoked","MaxAgeSingleFactor":"180.00:00:00"}}') -DisplayName "WebApiDefaultPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
- ```
-
- 1. To see your new policy, run the following command:
-
- ```powershell
- Get-AzureADPolicy -Id $policy.Id
- ```
-
-1. Assign the policy to your web API. You also need to get the **ObjectId** of your application. Use the [Get-AzureADApplication](/powershell/module/azuread/get-azureadapplication) cmdlet to find your app's **ObjectId**, or use the [Azure portal](https://portal.azure.com/).
-
- Get the **ObjectId** of your app and assign the policy:
+ When you have the service principal, run the [Add-AzureADServicePrincipalPolicy](/powershell/module/azuread/add-azureadserviceprincipalpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
```powershell
- # Get the application
- $app = Get-AzureADApplication -Filter "DisplayName eq 'Fourth Coffee Web API'"
-
- # Assign the policy to your web API.
- Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
+ # Assign policy to a service principal
+ Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
```
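Review bot: `Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"` can return more than one object, because display names are not unique in a tenant; if it does, `$sp.ObjectId` becomes an array and `Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId` either fails or attaches the policy to the wrong principal. Suggest filtering on `AppId` instead, or guarding the assignment with something like `if ($sp.Count -ne 1) { throw "Expected exactly one service principal" }`. Also, the prose above says the cmdlet shows "all your organization's service principals or a single service principal", but only the single-object form is shown; either add `Get-AzureADServicePrincipal -All $true` or trim the sentence.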
-### Manage an advanced policy
-In this example, you create a few policies to learn how the priority system works. You also learn how to manage multiple policies that are applied to several objects.
+## View existing policies in a tenant
-1. Create a token lifetime policy.
-
- 1. To create an organization default policy that sets the single-factor refresh token lifetime to 30 days, run the [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
-
- ```powershell
- $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"30.00:00:00"}}') -DisplayName "ComplexPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
- ```
-
- 1. To see your new policy, run the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
-
- ```powershell
- Get-AzureADPolicy -Id $policy.Id
- ```
-
-1. Assign the policy to a service principal.
+To see all policies that have been created in your organization, run the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet. Any results with defined property values that differ from the defaults listed above are in scope of the retirement.
- Now, you have a policy that applies to the entire organization. You might want to preserve this 30-day policy for a specific service principal, but change the organization default policy to the upper limit of "until-revoked."
+```powershell
+Get-AzureADPolicy -All $true
+```
- 1. To see all your organization's service principals, you use the [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal) cmdlet.
+To see which apps and service principals are linked to a specific policy you identified run the following [Get-AzureADPolicyAppliedObject](/powershell/module/azuread/get-azureadpolicyappliedobject?view=azureadps-2.0-preview&preserve-view=true) cmdlet by replacing **1a37dad8-5da7-4cc8-87c7-efbc0326cf20** with any of your policy IDs. Then you can decide whether to configure Conditional Access sign-in frequency or remain with the Azure AD defaults.
- 1. When you have the service principal, run the [Add-AzureADServicePrincipalPolicy](/powershell/module/azuread/add-azureadserviceprincipalpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet:
+```powershell
+Get-AzureADPolicyAppliedObject -id 1a37dad8-5da7-4cc8-87c7-efbc0326cf20
+```
- ```powershell
- # Get ID of the service principal
- $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
-
- # Assign policy to a service principal
- Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
- ```
+If your tenant has policies which define custom values for the refresh and session token configuration properties, Microsoft recommends you update those policies to values that reflect the defaults described above. If no changes are made, Azure AD will automatically honor the default values.
-1. Set the `IsOrganizationDefault` flag to false:
+### Troubleshooting
+Some users have reported a `Get-AzureADPolicy : The term 'Get-AzureADPolicy' is not recognized` error after running the `Get-AzureADPolicy` cmdlet. As a workaround, run the following to uninstall/re-install the AzureAD module and then install the AzureADPreview module:
- ```powershell
- Set-AzureADPolicy -Id $policy.Id -DisplayName "ComplexPolicyScenario" -IsOrganizationDefault $false
- ```
+```powershell
+# Uninstall the AzureAD Module
+UnInstall-Module AzureAD
-1. Create a new organization default policy:
+# Re-install the AzureAD Module
+Install-Module AzureAD
- ```powershell
- New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"until-revoked"}}') -DisplayName "ComplexPolicyScenarioTwo" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
- ```
+# Install the AzureAD Preview Module adding the -AllowClobber
+Install-Module AzureADPreview -AllowClobber
- You now have the original policy linked to your service principal, and the new policy is set as your organization default policy. It's important to remember that policies applied to service principals have priority over organization default policies.
+Connect-AzureAD
+Get-AzureADPolicy -All $true
+```
## Next steps Learn about [authentication session management capabilities](../conditional-access/howto-conditional-access-session-lifetime.md) in Azure AD Conditional Access.
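Review bot: the troubleshooting workaround installs AzureAD and AzureADPreview side by side with `-AllowClobber` but never imports a specific module, so which module's `Connect-AzureAD` is loaded depends on autoload order; because `Get-AzureADPolicy` is documented under the azureadps-2.0-preview reference that every link in this article uses, an explicit `Import-Module AzureADPreview` before `Connect-AzureAD` addresses the "not recognized" error more directly than reinstalling AzureAD. Minor: `UnInstall-Module` works only because cmdlet names are case-insensitive; `Uninstall-Module` is the documented spelling. "To see which apps and service principals are linked to a specific policy you identified run" needs a comma after "identified". Finally, deleting the "Manage an advanced policy" section also removed the statement that policies applied to service principals take priority over organization default policies; that rule still matters for the retained web sign-in example, which uses `-IsOrganizationDefault $false`, so consider keeping that sentence.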
active-directory Assign Local Admin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/assign-local-admin.md
Device administrators are assigned to all Azure AD joined devices. You cannot sc
## Manage administrator privileges using Azure AD groups (preview)
->[!NOTE]
-> This feature is currently in preview.
--
-Starting with Windows 10 2004 update, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Restricted Groups](/windows/client-management/mdm/policy-csp-restrictedgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices.
+Starting with Windows 10 version 2004, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Restricted Groups](/windows/client-management/mdm/policy-csp-restrictedgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices.
>[!NOTE] > Starting Windows 10 20H2 update, we recommend using [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) policy instead of the Restricted Groups policy
Currently, there's no UI in Intune to manage these policies and they need to be
- When Restricted Groups policy is enforced, any current member of the group that is not on the Members list is removed. So enforcing this policy with new members or groups will remove the existing administrators namely user who joined the device, the Device administrator role and Global administrator role from the device. To avoid removing existing members, you need to configure them as part of the Members list in the Restricted Groups policy. This limitation is addressed if you use the Local Users and Groups policy that allows incremental updates to group membership - Administrator privileges using both policies are evaluated only for the following well-known groups on a Windows 10 device - Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users. - Managing local administrators using Azure AD groups is not applicable to Hybrid Azure AD joined or Azure AD Registered devices.-- While the Restricted Groups policy existed prior to Windows 10 2004 update, it did not support Azure AD groups as members of a device's local administrators group.
+- While the Restricted Groups policy existed prior to Windows 10 version 2004, it did not support Azure AD groups as members of a device's local administrators group.
## Manage regular users
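Review bot: the preview NOTE callout is removed, but the heading just above ("Manage administrator privileges using Azure AD groups (preview)") still carries "(preview)"; if the feature has left preview, drop the suffix from the heading as well, otherwise keep the note. The "Windows 10 2004 update" to "Windows 10 version 2004" wording change is also not applied to the unchanged line "Starting Windows 10 20H2 update, we recommend using ..." in the same section, which should read "Starting with Windows 10 version 20H2" for consistency.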
active-directory Direct Federation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/direct-federation.md
In any of these scenarios, you can update a guest userΓÇÖs authentication method
Direct federation is tied to domain namespaces, such as contoso.com and fabrikam.com. When establishing a direct federation configuration with AD FS or a third-party IdP, organizations associate one or more domain namespaces to these IdPs. ## End-user experience
-With direct federation, guest users sign into your Azure AD tenant using their own organizational account. When they are accessing shared resources and are prompted for sign-in, direct federation users are redirected to their IdP. After successful sign-in, they are returned to Azure AD to access resources. Direct federation usersΓÇÖ refresh tokens are valid for 12 hours, the [default length for passthrough refresh token](../develop/active-directory-configurable-token-lifetimes.md#exceptions) in Azure AD. If the federated IdP has SSO enabled, the user will experience SSO and will not see any sign-in prompt after initial authentication.
+With direct federation, guest users sign into your Azure AD tenant using their own organizational account. When they are accessing shared resources and are prompted for sign-in, direct federation users are redirected to their IdP. After successful sign-in, they are returned to Azure AD to access resources. Direct federation usersΓÇÖ refresh tokens are valid for 12 hours, the [default length for passthrough refresh token](../develop/active-directory-configurable-token-lifetimes.md#configurable-token-lifetime-properties) in Azure AD. If the federated IdP has SSO enabled, the user will experience SSO and will not see any sign-in prompt after initial authentication.
## Sign-in endpoints
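Review bot: the link anchor moves from `#exceptions` to `#configurable-token-lifetime-properties`, while the token-lifetimes change earlier in this set links to `#configurable-token-lifetime-properties-after-the-retirement` in the same target article; verify that the chosen anchor exists and that the section it points to still states the 12-hour passthrough refresh token value this sentence quotes, otherwise the "12 hours" figure is left unsupported.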
active-directory Active Directory How To Find Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-how-to-find-tenant.md
Last updated 10/30/2020 -+
active-directory How To Connect Health Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-health-operations.md
You can configure the Azure AD Connect Health service to send email notification
> ### To enable Azure AD Connect Health email notifications
-1. Open the **Alerts** blade for the service for which you want to receive email notification.
-2. From the action bar, click **Notification Settings**.
-3. At the email notification switch, select **ON**.
-4. Select the check box if you want all global administrators to receive email notifications.
-5. If you want to receive email notifications at any other email addresses, specify them in the **Additional Email Recipients** box. To remove an email address from this list, right-click the entry and select **Delete**.
-6. To finalize the changes, click **Save**. Changes take effect only after you save.
+1. In the Azure Portal, search for Azure AD Connect Health
+2. Select **Sync errors**
+3. Select **Notification Settings**.
+5. At the email notification switch, select **ON**.
+6. Select the check box if you want all global administrators to receive email notifications.
+7. If you want to receive email notifications at any other email addresses, specify them in the **Additional Email Recipients** box. To remove an email address from this list, right-click the entry and select **Delete**.
+8. To finalize the changes, click **Save**. Changes take effect only after you save.
>[!NOTE] > When there are issues processing synchronization requests in our backend service, this service sends a notification email with the details of the error to the administrative contact email address(es) of your tenant. We heard feedback from customers that in certain cases the volume of these messages is prohibitively large so we are changing the way we send these messages.
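Review bot: the renumbered list jumps from step 3 ("Select **Notification Settings**.") to step 5, so there is no step 4; renumber steps 5 through 8 as 4 through 7. Also, step 1 lacks a terminal period, and "Azure Portal" is written "Azure portal" elsewhere in this change set.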
active-directory Concept Identity Protection Risks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/identity-protection/concept-identity-protection-risks.md
Previously updated : 01/05/2021 Last updated : 04/13/2021
While Microsoft does not provide specific details about how risk is calculated,
### Password hash synchronization
-Risk detections like leaked credentials and password spray require the presence of password hashes for detection to occur. For more information about password hash synchronization, see the article, [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md).
+Risk detections like leaked credentials require the presence of password hashes for detection to occur. For more information about password hash synchronization, see the article, [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md).
### Leaked credentials
active-directory Access Panel Collections https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/access-panel-collections.md
Title: Create collections for My Apps portals in Azure Active Directory | Micro
description: Use My Apps collections to Customize My Apps pages for a simpler My Apps experience for your end users. Organize applications into groups with separate tabs. documentationcenter: ''--++ ms.assetid: Last updated 02/10/2020-+
active-directory Access Panel Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/access-panel-manage-self-service-access.md
Title: How to use self-service application access in Azure AD description: Enable self-service so users can find apps in Azure AD --++ Last updated 07/11/2017-+
active-directory Add Application Portal Assign Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-assign-users.md
Title: 'Quickstart: Assign users to an app that uses Azure Active Directory as an identity provider' description: This quickstart walks through the process of allowing users to use an app that you have setup to use Azure AD as an identity provider. --++ Last updated 09/01/2020-+ # Quickstart: Assign users to an app that is using Azure AD as an identity provider
active-directory Add Application Portal Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-configure.md
Title: 'Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant' description: This quickstart uses the Azure portal to configure an application that has been registered with your Azure Active Directory (Azure AD) tenant. --++ Last updated 10/29/2019-+ # Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant
active-directory Add Application Portal Setup Oidc Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-oidc-sso.md
Title: 'Quickstart: Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant' description: This quickstart walks through the process of setting up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant. --++ Last updated 07/01/2020-+ # Quickstart: Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant
active-directory Add Application Portal Setup Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-sso.md
Title: 'Quickstart: Set up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant' description: This quickstart walks through the process of setting up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant. --++ Last updated 07/01/2020-+ # Quickstart: Set up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant
active-directory Add Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal.md
Title: 'Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant' description: This quickstart uses the Azure portal to add a gallery application to your Azure Active Directory (Azure AD) tenant. --++ Last updated 10/29/2019-+ # Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant
active-directory App Management Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/app-management-powershell-samples.md
Title: PowerShell samples for Azure Active Directory Application Management description: These PowerShell samples are used for apps you manage in your Azure Active Directory tenant. You can use these sample scripts to find expiration information about secrets and certificates. --++ Last updated 02/18/2021-+
active-directory Application Management Certs Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-management-certs-faq.md
Title: Azure Active Directory Application Management certificates frequently asked questions description: Learn answers to frequently asked questions (FAQ) about managing certificates for apps using Azure Active Directory as an Identity Provider (IdP). --++ Last updated 03/19/2021-+
active-directory Application Management Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-management-fundamentals.md
Title: 'Application management: Best practices and recommendations | Microsoft D
description: Learn best practices and recommendations for managing applications in Azure Active Directory. Learn about using automatic provisioning and publishing on-premises apps with Application Proxy. --++ ms.assetid: ms.devlang: na
na
Last updated 11/13/2019 -+
active-directory Application Sign In Problem Application Error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-problem-application-error.md
Title: Error message appears on app page after you sign in | Microsoft Docs description: How to resolve issues with Azure AD sign in when the app returns an error message. --++ Last updated 07/11/2017-+
active-directory Application Sign In Problem First Party Microsoft https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-problem-first-party-microsoft.md
Title: Problems signing in to a Microsoft application | Microsoft Docs description: Troubleshoot common problems faced when signing in to first-party Microsoft Applications using Azure AD (like Microsoft 365). --++ Last updated 09/10/2018-+
active-directory Application Sign In Unexpected User Consent Error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md
Title: Unexpected error when performing consent to an application | Microsoft Docs description: Discusses errors that can occur during the process of consenting to an application and what you can do about them --++ Last updated 07/11/2017-+
active-directory Application Sign In Unexpected User Consent Prompt https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt.md
Title: Unexpected consent prompt when signing in to an application | Microsoft Docs description: How to troubleshoot when a user sees a consent prompt for an application you have integrated with Azure AD that you did not expect --++ Last updated 07/11/2017-+
active-directory Application Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-types.md
Title: Viewing apps using your Azure Active Directory tenant for identity management description: Understand how to view all applications using your Azure Active Directory tenant for identity management. --++ Last updated 01/07/2021-+ # Viewing apps using your Azure AD tenant for identity management
active-directory Assign User Or Group Access Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
Title: Manage user assignment for an app in Azure Active Directory description: Learn how to assign and unassign users, and groups, for an app using Azure Active Directory for identity management. --++ Last updated 02/21/2020-+
active-directory Certificate Signing Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/certificate-signing-options.md
Title: Advanced SAML token certificate signing options for Azure AD apps description: Learn how to use advanced certificate signing options in the SAML token for pre-integrated apps in Azure Active Directory --++ Last updated 03/25/2019-+
active-directory Cloud App Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/cloud-app-security.md
Title: App visibility and control with Microsoft Cloud App Security description: Learn ways to identify app risk levels, stop breaches and leaks in real time, and use app connectors to take advantage of provider APIs for visibility and governance. --++ Last updated 02/03/2020-+
active-directory Common Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/common-scenarios.md
Title: Common application management scenarios for Azure Active Directory | Microsoft Docs description: Centralize application management with Azure AD--++ Last updated 03/02/2019-+
active-directory Configure Admin Consent Workflow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-admin-consent-workflow.md
Title: Configure the admin consent workflow - Azure Active Directory | Microsoft Docs description: Learn how to configure a way for end users to request access to applications that require admin consent. --++ Last updated 10/29/2019-+
active-directory Configure Authentication For Federated Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
Title: Configure sign-in auto-acceleration using Home Realm Discovery description: Learn how to configure Home Realm Discovery policy for Azure Active Directory authentication for federated users, including auto-acceleration and domain hints. --++ Last updated 02/12/2021-+
active-directory Configure Linked Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-linked-sign-on.md
Title: Understand linked sign-on in Azure Active Directory description: Understand linked sign-on in Azure Active Directory. --++ Last updated 07/30/2020-+
active-directory Configure Oidc Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-oidc-single-sign-on.md
Title: Understand OIDC-based single sign-on (SSO) for apps in Azure Active Directory description: Understand OIDC-based single sign-on (SSO) for apps in Azure Active Directory. --++ Last updated 10/19/2020-+
active-directory Configure Password Single Sign On Non Gallery Applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications.md
Title: Understand password-based single sign-on (SSO) for apps in Azure Active Directory description: Understand password-based single sign-on (SSO) for apps in Azure Active Directory --++ Last updated 07/29/2020-+ # Understand password-based single sign-on
active-directory Configure Permission Classifications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-permission-classifications.md
Title: Configure permission classifications with Azure AD description: Learn how to manage delegated permission classifications. --++ Last updated 06/01/2020-+
active-directory Configure Saml Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-saml-single-sign-on.md
Title: Understand SAML-based single sign-on (SSO) for apps in Azure Active Directory description: Understand SAML-based single sign-on (SSO) for apps in Azure Active Directory --++ Last updated 07/28/2020-+
active-directory Configure User Consent Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent-groups.md
Title: Configure group owner consent to apps accessing group data using Azure AD description: Learn manage whether group and team owners can consent to applications that will have access to the group or team's data. --++ Last updated 05/19/2020-+
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent.md
Title: Configure how end-users consent to applications using Azure AD description: Learn how to manage how and when users can consent to applications that will have access to your organization's data. --++ Last updated 06/01/2020-+
active-directory Debug Saml Sso Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/debug-saml-sso-issues.md
Title: Debug SAML-based single sign-on - Azure Active Directory description: Debug SAML-based single sign-on to applications in Azure Active Directory. ---+++
active-directory Delete Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/delete-application-portal.md
Title: 'Quickstart: Delete an application from your Azure Active Directory (Azure AD) tenant' description: This quickstart uses the Azure portal to delete an application from your Azure Active Directory (Azure AD) tenant. --++ Last updated 1/5/2021-+ # Quickstart: Delete an application from your Azure Active Directory (Azure AD) tenant
active-directory Disable User Sign In Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/disable-user-sign-in-portal.md
Title: Disable user sign-ins for an enterprise app in Azure AD description: How to disable an enterprise application so that no users may sign in to it in Azure Active Directory --++ Last updated 04/12/2019-+
active-directory End User Experiences https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/end-user-experiences.md
Title: End-user experiences for applications - Azure Active Directory description: Azure Active Directory (Azure AD) provides several customizable ways to deploy applications to end users in your organization. --++ Last updated 09/27/2019-+
active-directory Get It Now Azure Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/get-it-now-azure-marketplace.md
Title: 'Add an app from the Azure Marketplace' description: This article acts as a landing page from the Get It Now button on the Azure Marketplace. --++ Last updated 07/16/2020-+
active-directory Grant Admin Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/grant-admin-consent.md
Title: Grant tenant-wide admin consent to an application - Azure AD description: Learn how to grant tenant-wide consent to an application so that end-users are not prompted for consent when signing in to an application. --++ Last updated 11/04/2019-+
active-directory Hide Application From User Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/hide-application-from-user-portal.md
Title: Hide an Enterprise application from user's experience in Azure AD description: How to hide an Enterprise application from user's experience in Azure Active Directory access panels or Microsoft 365 launchers. --++ Last updated 03/25/2020-+
active-directory Howto Saml Token Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/howto-saml-token-encryption.md
Title: SAML token encryption in Azure Active Directory description: Learn how to configure Azure Active Directory SAML token encryption. --++ Last updated 03/13/2020-+
active-directory Manage App Consent Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-app-consent-policies.md
Title: Manage app consent policies in Azure AD description: Learn how to manage built-in and custom app consent policies to control when consent can be granted. --++ Last updated 06/01/2020-+
active-directory Manage Application Permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-application-permissions.md
Title: Manage user and admin permissions - Azure Active Directory | Microsoft Docs description: Learn how to review and manage permissions for the application on Azure AD. For example, revoke all permissions granted to an application. --++ Last updated 7/10/2020-+
active-directory Manage Certificates For Federated Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md
Title: Manage federation certificates in Azure AD | Microsoft Docs description: Learn how to customize the expiration date for your federation certificates, and how to renew certificates that will soon expire. --++ Last updated 04/04/2019-+
active-directory Manage Consent Requests https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-consent-requests.md
Title: Managing consent to applications and evaluating consent requests in Azure Active Directory description: Learn how to manage consent requests when user consent is disabled or restricted, and how to evaluate a request for tenant-wide admin consent to an application in Azure Active Directory. --++ Last updated 12/27/2019-+
active-directory Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-self-service-access.md
Title: How to configure self-service application assignment | Microsoft Docs description: Enable self-service application access to allow users to find their own applications --++ Last updated 04/20/2020-+
active-directory Methods For Removing User Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/methods-for-removing-user-access.md
Title: How to remove a user's access to an application in Azure Active Directory description: Understand how to remove a user's access to an application in Azure Active Directory --++ Last updated 11/02/2020-+ # How to remove a user's access to an application
active-directory Migrate Adfs Application Activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-application-activity.md
Title: Use the activity report to move AD FS apps to Azure Active Directory | Microsoft Docs description: The Active Directory Federation Services (AD FS) application activity report lets you quickly migrate applications from AD FS to Azure Active Directory (Azure AD). This migration tool for AD FS identifies compatibility with Azure AD and gives migration guidance. --++ Last updated 01/14/2019-+
active-directory Migrate Adfs Apps To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-apps-to-azure.md
Title: Moving application authentication from AD FS to Azure Active Directory description: Learn how to use Azure Active Directory to replace Active Directory Federation Services (AD FS), giving users single sign-on to all their applications. --++ Last updated 03/01/2021-+
active-directory Migrate Application Authentication To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory.md
Title: 'Migrate application authentication to Azure Active Directory' description: This whitepaper details the planning for and benefits of migrating your application authentication to Azure AD. --++ Last updated 02/05/2021-+
active-directory Migration Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migration-resources.md
Title: Resources for migrating apps to Azure Active Directory | Microsoft Docs description: Resources to help you migrate application access and authentication to Azure Active Directory (Azure AD). --++ Last updated 02/29/2020-+
active-directory My Apps Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/my-apps-deployment-plan.md
Title: Plan Azure Active Directory My Apps configuration
description: Planning guide to effectively use My Apps in your organization. -+ Last updated 02/29/2020--+ # Plan Azure Active Directory My Apps configuration
active-directory One Click Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/one-click-sso-tutorial.md
Title: One-click, single sign-on (SSO) configuration of your Azure Marketplace application | Microsoft Docs description: Steps for one-click configuration of SSO for your application from the Azure Marketplace. --++ ms.assetid: e0416991-4b5d-4b18-89bb-91b6070ed3ba Last updated 06/11/2019-+
active-directory Plan An Application Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/plan-an-application-integration.md
Title: Get started integrating Azure Active Directory with apps description: This article is a getting started guide for integrating Azure Active Directory (AD) with on-premises applications, and cloud applications. --++ Last updated 04/05/2021-+
active-directory Plan Sso Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/plan-sso-deployment.md
Title: Plan an Azure Active Directory single sign-on deployment description: Guide to help you plan, deploy, and manage SSO in your organization. --++ Last updated 06/10/2020-+
active-directory Prevent Domain Hints With Home Realm Discovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/prevent-domain-hints-with-home-realm-discovery.md
Title: Prevent sign-in auto-acceleration in Azure AD using Home Realm Discovery policy description: Learn how to prevent domain_hint auto-acceleration to federated IDPs. --++ Last updated 02/12/2021-++ # Disable auto-acceleration to a federated IDP during user sign-in with Home Realm Discovery policy
active-directory Powershell Assign Group To App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-assign-group-to-app.md
Title: PowerShell sample - Assign group to an Application Proxy app
description: PowerShell example that assigns a group to an Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Assign User To App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-assign-user-to-app.md
Title: PowerShell sample - Assign user to an Application Proxy app
description: PowerShell example that assigns a user to an Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Display Users Group Of App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-display-users-group-of-app.md
Title: PowerShell sample - List users & groups for Application Proxy app
description: PowerShell example that lists all the users and groups assigned to a specific Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Export All App Registrations Secrets And Certs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-all-app-registrations-secrets-and-certs.md
Title: PowerShell sample - Export secrets and certificates for app registrations in Azure Active Directory tenant. description: PowerShell example that exports all secrets and certificates for the specified app registrations in your Azure Active Directory tenant. --++ Last updated 03/09/2021-+
active-directory Powershell Export All Enterprise Apps Secrets And Certs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-all-enterprise-apps-secrets-and-certs.md
Title: PowerShell sample - Export secrets and certificates for enterprise apps in Azure Active Directory tenant. description: PowerShell example that exports all secrets and certificates for the specified enterprise apps in your Azure Active Directory tenant. --++ Last updated 03/09/2021-+
active-directory Powershell Export Apps With Expriring Secrets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-expriring-secrets.md
Title: PowerShell sample - Export apps with expiring secrets and certificates in Azure Active Directory tenant. description: PowerShell example that exports all apps with expiring secrets and certificates for the specified apps in your Azure Active Directory tenant. --++ Last updated 03/09/2021-+
active-directory Powershell Export Apps With Secrets Beyond Required https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-secrets-beyond-required.md
Title: PowerShell sample - Export apps with secrets and certificates expiring beyond the required date in Azure Active Directory tenant. description: PowerShell example that exports all apps with secrets and certificates expiring beyond the required date for the specified apps in your Azure Active Directory tenant. --++ Last updated 03/09/2021-+
active-directory Powershell Get All App Proxy Apps Basic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-app-proxy-apps-basic.md
Title: PowerShell sample - List basic info for Application Proxy apps
description: PowerShell example that lists Azure Active Directory (Azure AD) Application Proxy applications along with the application ID (AppId), name (DisplayName), and object ID (ObjId). -+
active-directory Powershell Get All App Proxy Apps By Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-app-proxy-apps-by-connector-group.md
Title: List Azure AD Application Proxy connector groups for apps
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy Connector groups with the assigned applications. -+
active-directory Powershell Get All App Proxy Apps Extended https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-app-proxy-apps-extended.md
Title: PowerShell sample - List extended info for Application Proxy apps
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications along with the application ID (AppId), name (DisplayName), external URL (ExternalUrl), internal URL (InternalUrl), and authentication type (ExternalAuthenticationType). -+
active-directory Powershell Get All App Proxy Apps With Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-app-proxy-apps-with-policy.md
Title: PowerShell sample - List all Application Proxy apps with a policy
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications in your directory that have a lifetime token policy. -+
active-directory Powershell Get All Connectors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-connectors.md
Title: PowerShell sample - List all Application Proxy connector groups
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy connector groups and connectors in your directory. -+
active-directory Powershell Get All Custom Domain No Cert https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-custom-domain-no-cert.md
Title: PowerShell sample - Application Proxy apps with no certificate
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using custom domains but do not have a valid TLS/SSL certificate uploaded. -+
active-directory Powershell Get All Custom Domains And Certs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-custom-domains-and-certs.md
Title: PowerShell sample - Application Proxy apps using custom domains
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using custom domains and certificate information. -+
active-directory Powershell Get All Default Domain Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-default-domain-apps.md
Title: PowerShell sample - Application Proxy apps using default domain
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using default domains (.msappproxy.net). -+
active-directory Powershell Get All Wildcard Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-all-wildcard-apps.md
Title: PowerShell sample - List Application Proxy apps using wildcards
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using wildcards. -+
active-directory Powershell Get Custom Domain Identical Cert https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-custom-domain-identical-cert.md
Title: PowerShell sample - Application Proxy apps with identical certs
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are published with the identical certificate. -+
active-directory Powershell Get Custom Domain Replace Cert https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-get-custom-domain-replace-cert.md
Title: PowerShell sample - Replace certificate in Application Proxy apps
description: PowerShell example that bulk replaces a certificate across Azure Active Directory (Azure AD) Application Proxy applications. -+
active-directory Powershell Move All Apps To Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-move-all-apps-to-connector-group.md
Title: PowerShell sample - Move Application Proxy apps to another group
description: Azure Active Directory (Azure AD) Application Proxy PowerShell example used to move all applications currently assigned to a connector group to a different connector group. -+
active-directory Sso Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/sso-options.md
Title: Single sign-on options in Azure AD description: Learn about the options available for single sign-on (SSO) in Azure Active Directory. --++ Last updated 12/03/2019-+
active-directory Tenant Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/tenant-restrictions.md
Title: Use tenant restrictions to manage access to SaaS apps - Azure AD description: How to use tenant restrictions to manage which users can access apps based on their Azure AD tenant. --++ Last updated 4/6/2021-+
active-directory Troubleshoot Password Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/troubleshoot-password-based-sso.md
Title: Troubleshoot password-based single sign-on in Azure Active Directory description: Troubleshoot issues with an Azure AD app that's configured for password-based single sign-on.--++ Last updated 07/11/2017-+
active-directory Troubleshoot Saml Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/troubleshoot-saml-based-sso.md
Title: Troubleshoot SAML-based single sign-on in Azure Active Directory description: Troubleshoot issues with an Azure AD app that's configured for SAML-based single sign-on. --++ Last updated 07/11/2017-+ # Troubleshoot SAML-based single sign-on in Azure Active Directory
active-directory View Applications Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/view-applications-portal.md
Title: 'Quickstart: View the list of applications that are using your Azure Active Directory (Azure AD) tenant for identity management' description: In this Quickstart, use the Azure portal to view the list of applications that are registered to use your Azure Active Directory (Azure AD) tenant for identity management. --++ Last updated 04/09/2019-+
active-directory Ways Users Get Assigned To Applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/ways-users-get-assigned-to-applications.md
Title: Understand how users are assigned to apps in Azure Active Directory description: Understand how users get assigned to an app that is using Azure Active Directory for identity management. --++ Last updated 01/07/2021-+ # Understand how users are assigned to apps in Azure Active Directory
active-directory What Is Access Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-access-management.md
Title: Managing access to apps using Azure AD description: Describes how Azure Active Directory enables organizations to specify the apps to which each user has access. --++ Last updated 05/16/2017-+ # Managing access to apps
active-directory What Is Application Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-application-management.md
Title: What is application management in Azure Active Directory description: An overview of using Azure Active Directory (AD) as an Identity and Access Management (IAM) system for your cloud and on-premises applications. --++ Last updated 01/22/2021-+
active-directory What Is Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-single-sign-on.md
Title: What is Azure single sign-on (SSO)? description: Learn how single sign-on (SSO) works with Azure Active Directory. Use SSO so users don't need to remember passwords for every application. Also use SSO to simplify the administration of account management. --++ Last updated 12/03/2019-+
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/whats-new-docs.md
---+++ # Azure Active Directory application management: What's new
active-directory How To Use Vm Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md
ms.devlang: na
na Previously updated : 11/03/2020 Last updated : 04/12/2021
GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-0
| `client_id` | (Optional) A query string parameter, indicating the client_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.| | `mi_res_id` | (Optional) A query string parameter, indicating the mi_res_id (Azure Resource ID) of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities. |
-Sample request using the managed identities for Azure resources VM Extension Endpoint *(planned for deprecation in January 2019)*:
-
-```http
-GET http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fmanagement.azure.com%2F HTTP/1.1
-Metadata: true
-```
-
-| Element | Description |
-| - | -- |
-| `GET` | The HTTP verb, indicating you want to retrieve data from the endpoint. In this case, an OAuth access token. |
-| `http://localhost:50342/oauth2/token` | The managed identities for Azure resources endpoint, where 50342 is the default port and is configurable. |
-| `resource` | A query string parameter, indicating the App ID URI of the target resource. It also appears in the `aud` (audience) claim of the issued token. This example requests a token to access Azure Resource Manager, which has an App ID URI of `https://management.azure.com/`. |
-| `Metadata` | An HTTP request header field, required by managed identities for Azure resources as a mitigation against Server Side Request Forgery (SSRF) attack. This value must be set to "true", in all lower case.|
-| `object_id` | (Optional) A query string parameter, indicating the object_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
-| `client_id` | (Optional) A query string parameter, indicating the client_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
- Sample response: ```json
echo The managed identities for Azure resources access token is $access_token
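Review bot: the removed extension-endpoint table was the one carrying the `Metadata: true` explanation (the header is an SSRF mitigation and must be lower-case `true`) and the `object_id` parameter row, while only the `client_id` and `mi_res_id` rows of the IMDS table are visible in this hunk; confirm the IMDS parameter table still documents the `Metadata` header requirement and `object_id` so those explanations do not disappear together with the deprecated block. Separately, the removed `Sample response: ```json` line opens a fence on the same line as its caption; if the surviving IMDS "Sample response" uses the same layout, put the fence on its own line so the block renders.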
## Token caching
-While the managed identities for Azure resources subsystem being used (IMDS/managed identities for Azure resources VM Extension) does cache tokens, we also recommend to implement token caching in your code. As a result, you should prepare for scenarios where the resource indicates that the token is expired.
+While the managed identities for Azure resources subsystem does cache tokens, we also recommend to implement token caching in your code. As a result, you should prepare for scenarios where the resource indicates that the token is expired.
On-the-wire calls to Azure AD result only when:-- cache miss occurs due to no token in the managed identities for Azure resources subsystem cache-- the cached token is expired+
+- Cache miss occurs due to no token in the managed identities for Azure resources subsystem cache.
+- The cached token is expired.
## Error handling
This section documents the possible error responses. A "200 OK" status is a succ
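Review bot: in the rewritten sentence, "we also recommend to implement token caching" should read "we also recommend implementing token caching", and "As a result, you should prepare for scenarios where the resource indicates that the token is expired" does not follow from the subsystem caching tokens; the reason readers must handle that case is that the cache can hand back a token the resource already treats as expired, so consider "Because a cached token can be returned after the resource considers it expired, prepare for ...". The conversion of the run-on "On-the-wire calls ... result only when:" into two capitalized bullets with trailing periods is fine.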
| 400 Bad Request | bad_request_102 | Required metadata header not specified | Either the `Metadata` request header field is missing from your request, or is formatted incorrectly. The value must be specified as `true`, in all lower case. See the "Sample request" in the preceding REST section for an example.| | 401 Unauthorized | unknown_source | Unknown Source *\<URI\>* | Verify that your HTTP GET request URI is formatted correctly. The `scheme:host/resource-path` portion must be specified as `http://localhost:50342/oauth2/token`. See the "Sample request" in the preceding REST section for an example.| | | invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. | |
-| | unauthorized_client | The client is not authorized to request an access token using this method. | Caused by a request that didn't use local loopback to call the extension, or on a VM that doesn't have managed identities for Azure resources configured correctly. See [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration. |
+| | unauthorized_client | The client is not authorized to request an access token using this method. | Caused by a request on a VM that doesn't have managed identities for Azure resources configured correctly. See [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration. |
| | access_denied | The resource owner or authorization server denied the request. | | | | unsupported_response_type | The authorization server does not support obtaining an access token using this method. | | | | invalid_scope | The requested scope is invalid, unknown, or malformed. | |
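Review bot: the `unauthorized_client` row correctly drops the local-loopback cause now that the extension is gone, but the `unknown_source` row two lines above still tells readers the `scheme:host/resource-path` portion must be `http://localhost:50342/oauth2/token`; update it in this same change to the IMDS URI `http://169.254.169.254/metadata/identity/oauth2/token` shown in the sample request earlier on the page, otherwise the error table contradicts the rest of the article. The same row's "See the 'Sample request' in the preceding REST section" pointer should be checked too, since the preceding extension sample request is exactly what this change removes.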
active-directory Howto Migrate Vm Extension https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/howto-migrate-vm-extension.md
- Title: Stop using managed identity VM extension - Azure AD
-description: Step by step instructions to stop using the VM extension and start using the Azure Instance Metadata Service (IMDS) for authentication.
-------- Previously updated : 02/03/2020----
-# How to stop using the virtual machine managed identities extension and start using the Azure Instance Metadata Service
-
-## Virtual machine extension for managed identities
-
-The virtual machine extension for managed identities is used to request tokens for a managed identity within the virtual machine. The workflow consists of the following steps:
-
-1. First, the workload within the resource calls the local endpoint `http://localhost/oauth2/token` to request an access token.
-2. The virtual machine extension then uses the credentials for the managed identity, to request an access token from Azure AD..
-3. The access token is returned to the caller, and can be used to authenticate to services that support Azure AD authentication, like Azure Key Vault or Azure Storage.
-
-Due to several limitations outlined in the next section, the managed identity VM extension has been deprecated in favor of using the equivalent endpoint in the Azure Instance Metadata Service (IMDS)
-
-### Provision the extension
-
-When you configure a virtual machine or virtual machine scale set to have a managed identity, you may optionally choose to provision the managed identities for Azure resources VM extension using the `-Type` parameter on the [Set-AzVMExtension](/powershell/module/az.compute/set-azvmextension) cmdlet. You can pass either `ManagedIdentityExtensionForWindows` or `ManagedIdentityExtensionForLinux`, depending on the type of virtual machine, and name it using the `-Name` parameter. The `-Settings` parameter specifies the port used by the OAuth token endpoint for token acquisition:
-
-```azurepowershell-interactive
-$settings = @{ "port" = 50342 }
- Set-AzVMExtension -ResourceGroupName myResourceGroup -Location WestUS -VMName myVM -Name "ManagedIdentityExtensionForWindows" -Type "ManagedIdentityExtensionForWindows" -Publisher "Microsoft.ManagedIdentity" -TypeHandlerVersion "1.0" -Settings $settings
-```
-
-You can also use the Azure Resource Manager deployment template to provision the VM extension, by adding the following JSON to the `resources` section to the template (use `ManagedIdentityExtensionForLinux` for the name and type elements for the Linux version).
-
-```json
-{
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
- "apiVersion": "2018-06-01",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
- ],
- "properties": {
- "publisher": "Microsoft.ManagedIdentity",
- "type": "ManagedIdentityExtensionForWindows",
- "typeHandlerVersion": "1.0",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "port": 50342
- }
- }
-}
-```
-
-
-If you're working with virtual machine scale sets, you can also provision the managed identities for Azure resources virtual machine scale set extension using the [Add-AzVmssExtension](/powershell/module/az.compute/add-azvmssextension) cmdlet. You can pass either `ManagedIdentityExtensionForWindows` or `ManagedIdentityExtensionForLinux`, depending on the type of virtual machine scale set, and name it using the `-Name` parameter. The `-Settings` parameter specifies the port used by the OAuth token endpoint for token acquisition:
-
- ```azurepowershell-interactive
- $setting = @{ "port" = 50342 }
- $vmss = Get-AzVmss
- Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name "ManagedIdentityExtensionForWindows" -Type "ManagedIdentityExtensionForWindows" -Publisher "Microsoft.ManagedIdentity" -TypeHandlerVersion "1.0" -Setting $settings 
- ```
-To provision the virtual machine scale set extension with the Azure Resource Manager deployment template, add the following JSON to the `extensionpProfile` section to the template (use `ManagedIdentityExtensionForLinux` for the name and type elements for the Linux version).
-
-```json
-"extensionProfile": {
- "extensions": [
- {
- "name": "ManagedIdentityWindowsExtension",
- "properties": {
- "publisher": "Microsoft.ManagedIdentity",
- "type": "ManagedIdentityExtensionForWindows",
- "typeHandlerVersion": "1.0",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "port": 50342
- },
- "protectedSettings": {}
- }
- }
-```
-
-Provisioning of the virtual machine extension might fail due to DNS lookup failures. If this happens, restart the virtual machine, and try again.
-
-### Remove the extension
-To remove the extension, use `-n ManagedIdentityExtensionForWindows` or `-n ManagedIdentityExtensionForLinux` switch (depending on the type of virtual machine) with [az vm extension delete](/cli/azure/vm/), or [az vmss extension delete](/cli/azure/vmss) for virtual machine scale sets using Azure CLI, or `Remove-AzVMExtension` for PowerShell:
-
-```azurecli-interactive
-az vm identity --resource-group myResourceGroup --vm-name myVm -n ManagedIdentityExtensionForWindows
-```
-
-```azurecli-interactive
-az vmss extension delete -n ManagedIdentityExtensionForWindows -g myResourceGroup -vmss-name myVMSS
-```
-
-```azurepowershell-interactive
-Remove-AzVMExtension -ResourceGroupName myResourceGroup -Name "ManagedIdentityExtensionForWindows" -VMName myVM
-```
-
-### Acquire a token using the virtual machine extension
-
-The following is a sample request using the managed identities for Azure resources VM Extension Endpoint:
-
-```
-GET http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fmanagement.azure.com%2F HTTP/1.1
-Metadata: true
-```
-
-| Element | Description |
-| - | -- |
-| `GET` | The HTTP verb, indicating you want to retrieve data from the endpoint. In this case, an OAuth access token. |
-| `http://localhost:50342/oauth2/token` | The managed identities for Azure resources endpoint, where 50342 is the default port and is configurable. |
-| `resource` | A query string parameter, indicating the App ID URI of the target resource. It also appears in the `aud` (audience) claim of the issued token. This example requests a token to access Azure Resource Manager, which has an App ID URI of `https://management.azure.com/`. |
-| `Metadata` | An HTTP request header field, required by managed identities for Azure resources as a mitigation against Server Side Request Forgery (SSRF) attack. This value must be set to "true", in all lower case.|
-| `object_id` | (Optional) A query string parameter, indicating the object_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
-| `client_id` | (Optional) A query string parameter, indicating the client_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
--
-Sample response:
-
-```
-HTTP/1.1 200 OK
-Content-Type: application/json
-{
- "access_token": "eyJ0eXAi...",
- "refresh_token": "",
- "expires_in": "3599",
- "expires_on": "1506484173",
- "not_before": "1506480273",
- "resource": "https://management.azure.com/",
- "token_type": "Bearer"
-}
-```
-
-| Element | Description |
-| - | -- |
-| `access_token` | The requested access token. When calling a secured REST API, the token is embedded in the `Authorization` request header field as a "bearer" token, allowing the API to authenticate the caller. |
-| `refresh_token` | Not used by managed identities for Azure resources. |
-| `expires_in` | The number of seconds the access token continues to be valid, before expiring, from time of issuance. Time of issuance can be found in the token's `iat` claim. |
-| `expires_on` | The timespan when the access token expires. The date is represented as the number of seconds from "1970-01-01T0:0:0Z UTC" (corresponds to the token's `exp` claim). |
-| `not_before` | The timespan when the access token takes effect, and can be accepted. The date is represented as the number of seconds from "1970-01-01T0:0:0Z UTC" (corresponds to the token's `nbf` claim). |
-| `resource` | The resource the access token was requested for, which matches the `resource` query string parameter of the request. |
-| `token_type` | The type of token, which is a "Bearer" access token, which means the resource can give access to the bearer of this token. |
--
-### Troubleshoot the virtual machine extension
-
-#### Restart the virtual machine extension after a failure
-
-On Windows and certain versions of Linux, if the extension stops, the following cmdlet may be used to manually restart it:
-
-```azurepowershell-interactive
-Set-AzVMExtension -Name <extension name> -Type <extension Type> -Location <location> -Publisher Microsoft.ManagedIdentity -VMName <vm name> -ResourceGroupName <resource group name> -ForceRerun <Any string different from any last value used>
-```
-
-Where:
-- Extension name and type for Windows is: `ManagedIdentityExtensionForWindows`-- Extension name and type for Linux is: `ManagedIdentityExtensionForLinux`-
-#### "Automation script" fails when attempting schema export for managed identities for Azure resources extension
-
-When managed identities for Azure resources is enabled on a virtual machine, the following error is shown when attempting to use the "Automation script" feature for the virtual machine, or its resource group:
-
-![Managed identities for Azure resources automation script export error](./media/howto-migrate-vm-extension/automation-script-export-error.png)
-
-The managed identities for Azure resources virtual machine extension does not currently support the ability to export its schema to a resource group template. As a result, the generated template does not show configuration parameters to enable managed identities for Azure resources on the resource. These sections can be added manually by following the examples in [Configure managed identities for Azure resources on an Azure virtual machine using a templates](qs-configure-template-windows-vm.md).
-
-When the schema export functionality becomes available for the managed identities for Azure resources virtual machine extension (planned for deprecation in January 2019), it will be listed in [Exporting Resource Groups that contain VM extensions](../../virtual-machines/extensions/export-templates.md#supported-virtual-machine-extensions).
-
-## Limitations of the virtual machine extension
-
-There are several major limitations to using the virtual machine extension.
-
- * The most serious limitation is the fact that the credentials used to request tokens are stored on the virtual machine. An attacker who successfully breaches the virtual machine can exfiltrate the credentials.
- * Furthermore, the virtual machine extension is still unsupported by several Linux distributions, with a huge development cost to modify, build and test the extension on each of those distributions. Currently, only the following Linux distributions are supported:
- * CoreOS Stable
- * CentOS 7.1
- * Red Hat 7.2
- * Ubuntu 15.04
- * Ubuntu 16.04
- * There is a performance impact to deploying virtual machines with managed identities, as the virtual machine extension also has to be provisioned.
- * Finally, the virtual machine extension can only support having 32 user-assigned managed identities per virtual machine.
-
-## Azure Instance Metadata Service
-
-The [Azure Instance Metadata Service (IMDS)](../../virtual-machines/windows/instance-metadata-service.md) is a REST endpoint that provides information about running virtual machine instances that can be used to manage and configure your virtual machines. The endpoint is available at a well-known non-routable IP address (`169.254.169.254`) that can be accessed only from within the virtual machine.
-
-There are several advantages to using Azure IMDS to request tokens.
-
-1. The service is external to the virtual machine, therefore the credentials used by managed identities are no longer present on the virtual machine. Instead, they are hosted and secured on the host machine of the Azure virtual machine.
-2. All Windows and Linux operating systems supported on Azure IaaS can use managed identities.
-3. Deployment is faster and easier, since the VM extension no longer needs to be provisioned.
-4. With the IMDS endpoint, up to 1000 user-assigned managed identities can be assigned to a single virtual machine.
-5. There is no significant change to the requests using IMDS as opposed to those using the virtual machine extension, therefore it is fairly simple to port over existing deployments that currently use the virtual machine extension.
-
-For these reasons, the Azure IMDS service will be the defacto way to request tokens, once the virtual machine extension is deprecated.
--
-## Next Steps
-
-* [How to use managed identities for Azure resources on an Azure virtual machine to acquire an access token](how-to-use-vm-token.md)
-* [Azure Instance Metadata Service](../../virtual-machines/windows/instance-metadata-service.md)
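Review bot: The token-request contract that extension-based clients depend on is deleted here with no replacement anywhere in this update: the `Metadata: true` header the request table describes as the mitigation against Server Side Request Forgery, the `resource` parameter that becomes the token's `aud` claim, and the `object_id`/`client_id` selectors that are required when a VM carries several user-assigned identities. The surviving IMDS section only says that porting is "fairly simple"; before this lands, confirm that the linked how-to-use-vm-token.md article documents those three items, because the `Metadata` header is what keeps the endpoint from being reachable through an SSRF. If the whole migration article is being retired, also sweep for inbound links: the VMSS template article later in this update removes its own references to howto-migrate-vm-extension.md, and any other page still linking to it will break.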
active-directory Managed Identities Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/managed-identities-faq.md
Managed identities limits have dependencies on Azure service limits, Azure Insta
- **Azure Active Directory service** Each managed identity counts towards the object quota limit in an Azure AD tenant as described in Azure [AD service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md).
-## Is it Ok to move a user-assigned managed identity to a different resource group/subscription?
+### Is it possible to move a user-assigned managed identity to a different resource group/subscription?
Moving a user-assigned managed identity to a different resource group is not supported.
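Review bot: The first removed line drops the Azure Active Directory service entry ("Each managed identity counts towards the object quota limit in an Azure AD tenant") with no replacement line in this hunk, while the heading change that follows is only a rewording. That entry is the tenant-level limit a capacity planner needs when deciding how many user-assigned identities to create; if it was meant to move elsewhere, the destination should be in the same change, otherwise keep the bullet. Separately, the heading goes from `##` to `###`, so verify that the preceding heading on the page is a `##` the new level can sit under.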
active-directory Qs Configure Template Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vmss.md
ms.devlang: na
na Previously updated : 12/15/2020 Last updated : 04/12/2021
Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. In this article, you learn how to perform the following managed identities for Azure resources operations on an Azure virtual machine scale set, using Azure Resource Manager deployment template:+ - Enable and disable the system-assigned managed identity on an Azure virtual machine scale set - Add and remove a user-assigned managed identity on an Azure virtual machine scale set
Regardless of the option you choose, template syntax is the same during initial
In this section, you will enable and disable the system-assigned managed identity using an Azure Resource Manager template.
-### Enable system-assigned managed identity during creation the creation of a virtual machines scale set or an existing virtual machine scale set
+### Enable system-assigned managed identity during the creation of a virtual machines scale set or an existing virtual machine scale set
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the virtual machine scale set. 2. To enable the system-assigned managed identity, load the template into an editor, locate the `Microsoft.Compute/virtualMachinesScaleSets` resource of interest within the resources section and add the `identity` property at the same level as the `"type": "Microsoft.Compute/virtualMachinesScaleSets"` property. Use the following syntax:
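Review bot: The new heading still reads "virtual machines scale set" (plural "machines"), while the article text in this same hunk and everywhere else on the page uses "virtual machine scale set"; fix it in the `+` line while it is being touched, e.g. "Enable system-assigned managed identity during the creation of a virtual machine scale set or on an existing virtual machine scale set".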
In this section, you will enable and disable the system-assigned managed identit
} ```
-> [!NOTE]
-> You may optionally provision the managed identities for Azure resources virtual machine scale set extension by specifying it in the `extensionProfile` element of the template. This step is optional as you can use the Azure Instance Metadata Service (IMDS) identity endpoint, to retrieve tokens as well. For more information, see [Migrate from VM extension to Azure IMDS for authentication](howto-migrate-vm-extension.md).
-- 4. When you're done, the following sections should added to the resource section of your template and should resemble the following: ```json
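Review bot: Removing the note leaves this step with no statement of where tokens come from once the extension is gone; the note was the only mention of the IMDS identity endpoint in this section, and its link target, howto-migrate-vm-extension.md, is itself emptied by the first hunk on this page. Suggest replacing the note with a single sentence that tokens are acquired from the Azure Instance Metadata Service identity endpoint, linking to the IMDS article rather than to the migration page. The step text that follows the note, "the following sections should added to the resource section", also needs "should be added".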
In this section, you will enable and disable the system-assigned managed identit
//other resource provider properties... "virtualMachineProfile": { //other virtual machine profile properties...
- //The following appears only if you provisioned the optional virtual machine scale set extension (to be deprecated)
- "extensionProfile": {
- "extensions": [
- {
- "name": "ManagedIdentityWindowsExtension",
- "properties": {
- "publisher": "Microsoft.ManagedIdentity",
- "type": "ManagedIdentityExtensionForWindows",
- "typeHandlerVersion": "1.0",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "port": 50342
- }
- }
- }
- ]
- }
+
} } }
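Review bot: The single `+` line in this hunk is an empty line inserted where the extensionProfile block was, directly under "//other virtual machine profile properties..." and before the closing braces; the two later hunks that remove the identical block from the user-assigned examples add no such line, so the three JSON samples end up formatted differently. Drop the blank `+` line so the three examples stay consistent.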
In this section, you assign a user-assigned managed identity to a virtual machin
} }
- ```
-> [!NOTE]
-> You may optionally provision the managed identities for Azure resources virtual machine scale set extension by specifying it in the `extensionProfile` element of the template. This step is optional as you can use the Azure Instance Metadata Service (IMDS) identity endpoint, to retrieve tokens as well. For more information, see [Migrate from VM extension to Azure IMDS for authentication](howto-migrate-vm-extension.md).
3. When you are done, your template should look similar to the following:
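Review bot: The first removed line in this hunk is a bare ``` fence sitting right after the closing braces of the JSON example; if that was the example's closing fence, removing it together with the note leaves the code block open and step 3 ("When you are done, your template should look similar to the following:") renders inside it. The earlier hunk keeps its fence on the brace line ("} ```"), so only this fence-on-its-own-line case is affected. Check the rendered page, and if the fence was not a duplicate, restore it and remove only the two note lines.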
In this section, you assign a user-assigned managed identity to a virtual machin
//other virtual machine properties... "virtualMachineProfile": { //other virtual machine profile properties...
- //The following appears only if you provisioned the optional virtual machine scale set extension (to be deprecated)
- "extensionProfile": {
- "extensions": [
- {
- "name": "ManagedIdentityWindowsExtension",
- "properties": {
- "publisher": "Microsoft.ManagedIdentity",
- "type": "ManagedIdentityExtensionForWindows",
- "typeHandlerVersion": "1.0",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "port": 50342
- }
- }
- }
- ]
- }
} } }
In this section, you assign a user-assigned managed identity to a virtual machin
//other virtual machine properties... "virtualMachineProfile": { //other virtual machine profile properties...
- //The following appears only if you provisioned the optional virtual machine scale set extension (to be deprecated)
- "extensionProfile": {
- "extensions": [
- {
- "name": "ManagedIdentityWindowsExtension",
- "properties": {
- "publisher": "Microsoft.ManagedIdentity",
- "type": "ManagedIdentityExtensionForWindows",
- "typeHandlerVersion": "1.0",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "port": 50342
- }
- }
- }
- ]
- }
} } } ] ```
- ### Remove user-assigned managed identity from an Azure virtual machine scale set
+### Remove user-assigned managed identity from an Azure virtual machine scale set
If you have a virtual machine scale set that no longer needs a user-assigned managed identity:
active-directory Tutorial Windows Vm Access Nonaad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad.md
Title: Tutorial`:` Use a managed identity to access Azure Key Vault - Windows - Azure AD
+ Title: "Tutorial: Use a managed identity to access Azure Key Vault - Windows - Azure AD"
description: A tutorial that walks you through the process of using a Windows VM system-assigned managed identity to access Azure Key Vault. documentationcenter: ''
Alternatively you may also do this via [PowerShell or the CLI](../../azure-resou
In this tutorial, you learned how to use a Windows VM system-assigned managed identity to access Azure Key Vault. To learn more about Azure Key Vault see: > [!div class="nextstepaction"]
->[Azure Key Vault](../../key-vault/general/overview.md)
+>[Azure Key Vault](../../key-vault/general/overview.md)
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
Users in this role can read settings and administrative information across Micro
> Global reader role has a few limitations right now - > >- [OneDrive admin center](https://admin.onedrive.com/) - OneDrive admin center does not support the Global reader role
->- [M365 admin center](https://admin.microsoft.com/Adminportal/Home#/homepage) - Global reader can't read customer lockbox requests. You won't find the **Customer lockbox requests** tab under **Support** in the left pane of M365 Admin Center.
+>- [M365 admin center](https://admin.microsoft.com/Adminportal/Home#/homepage) - Global reader can't read integrated apps. You won't find the **Integrated apps** tab under **Settings** in the left pane of M365 Admin Center.
>- [Office Security & Compliance Center](https://sip.protection.office.com/homepage) - Global reader can't read SCC audit logs, do content search, or see Secure Score. >- [Teams admin center](https://admin.teams.microsoft.com) - Global reader cannot read **Teams lifecycle**, **Analytics & reports**, **IP phone device management** and **App catalog**. >- [Privileged Access Management (PAM)](/office365/securitycompliance/privileged-access-management-overview) doesn't support the Global reader role.
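Review bot: This hunk replaces the Customer Lockbox limitation with the Integrated apps one instead of adding a second bullet, so the list now implies that Global reader can read customer lockbox requests. If that limitation still holds, a reader choosing Global reader for a lockbox auditor will pick a role that cannot see the requests; if it was lifted, the commit should say so. Either way this should be an addition plus a deliberate removal, not a silent substitution of one bullet for another.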
active-directory Jostle Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jostle-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Jostle for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Jostle.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: 6dbb744f-8b8e-4988-b293-ebe079c8c5c5
+++
+ na
+ms.devlang: na
+ Last updated : 04/05/2021+++
+# Tutorial: Configure Jostle for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Jostle and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Jostle](https://www.jostle.me/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in Jostle
+> * Remove users in Jostle when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Jostle
+> * [Single sign-on](jostle-tutorial.md) to Jostle (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A [Jostle tenant](https://www.jostle.me/).
+* A user account in Jostle with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Jostle](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure Jostle to support provisioning with Azure AD
+
+### Automation account
+
+Before you begin, youΓÇÖll need to create an **Automation user** in your Jostle intranet. This will be the account youΓÇÖll use to configure with Azure. Automation users can be created in Admin **Settings > User accounts and data > Manage Automation users**.
+
+For more details on Automation users and how to create one, see [this article](https://forum.jostle.us/hc/en-us/articles/360057364073).
+
+Once created, the Automation user account **must be activated** (i.e. logged in to your intranet at least once) before it can be used to configure Azure.
+
+### Manage user provisioning
+
+Before you begin, ensure that your account subscription **includes SSO/user provisioning features**. If it doesn't, you can contact your Customer Success Manager <success@jostle.me> and they can assist you in adding it to your account.
+
+The next step is to obtain the **API URL** and **API key** from Jostle:
+
+1. Go to the Main Navigation and click **Admin Settings**.
+1. Under **User data to/from other systems** click **Manage user provisioning** .If you do not see "Manage user provisioning" here and have verified that your account includes SSO/user provisioning, contact Support <support@jostle.me> to have this page enabled in your Admin Settings).
+1. In the **User Provisioning API details** section, go to **Your Base URL** field, click the Copy button and save the URL somewhere you can easily access it later.
+
+ ![Provisioning](media/jostle-provisioning-tutorial/manage-user-provisioning.png)
+
+1. Next, click the **Add a new key**... button
+1. On the following screen, go to the **Automation User** field and use the drop-down menu to select your Automation user account.
+
+ ![Integration Account](media/jostle-provisioning-tutorial/select-integration-account.png)
+1. In the **Provisioning API key description** field give your key a name (i.e. ΓÇ£AzureΓÇ¥) and then click the **Add** button.
+
+1. Once your key is generated, **make sure to copy it right away** and save it where you saved your URL (since this will be the only time your key will appear).
+1. Next, youΓÇÖll use the **API URL** and **API key** to configure the integration in Azure.
+## Step 3. Add Jostle from the Azure AD application gallery
+
+Add Jostle from the Azure AD application gallery to start managing provisioning to Jostle. If you have previously setup Jostle for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-gallery-app.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* When assigning users and groups to Jostle, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
++
+## Step 5. Configure automatic user provisioning to Jostle
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Jostle app based on user and group assignments in Azure AD.
+
+### To configure automatic user provisioning for Jostle in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **Jostle**.
+
+ ![The Jostle link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, enter your Jostle **Tenant URL** and **Secret token** information. Select **Test Connection** to ensure that Azure AD can connect to Jostle. If the connection fails, ensure that your Jostle account has admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications. Select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Jostle**.
+
+1. Review the user attributes that are synchronized from Azure AD to Jostle in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Jostle for update operations. If you change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Jostle API supports filtering users based on that attribute. Select **Save** to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;|
+ |active|Boolean|
+ |name.givenName|String|
+ |name.familyName|String|
+ |emails[type eq "work"].value|String|
+ |emails[type eq "personal"].value|String|
+ |emails[type eq "alternate1"].value|String|
+ |emails[type eq "alternate2"].value|String|
+ |urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail1Label|String|
+ |urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail2Label |String|
+
+1. To configure scoping filters, see the instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for Jostle, change **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users or groups that you want to provision to Jostle by selecting the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you're ready to provision, select **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to do than next cycles, which occur about every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+
+After you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users were provisioned successfully or unsuccessfully.
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion.
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. To learn more about quarantine states, see [Application provisioning status of quarantine](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for enterprise apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
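Review bot: The troubleshooting sentence in step 5 ("If the connection fails, ensure that your Jostle account has admin permissions and try again") does not match the credential the tutorial actually configures: the Tenant URL and Secret token are the Base URL and the API key generated for an Automation user in step 2, and step 2 says that account must be activated by logging in once before the key can be used and that the key is shown only once. Point the failure advice at those two conditions (Automation user activated, key copied at generation time) rather than at admin rights on a personal account. Two smaller items: "Capabilities Supported" and the attribute table cover users only, but step 5 says the service will "create, update, and disable users and groups"; and "youΓÇÖll" and "ΓÇ£AzureΓÇ¥" are mojibake that should be plain ASCII quotes if they are in the committed file. The step 2 sentence "click Manage user provisioning .If you do not see..." also has a stray space before the period and an unmatched closing parenthesis.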
aks Tutorial Kubernetes Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/tutorial-kubernetes-upgrade-cluster.md
Last updated 01/12/2021 -+ #Customer intent: As a developer or IT pro, I want to learn how to upgrade an Azure Kubernetes Service (AKS) cluster so that I can use the latest version of Kubernetes and features.
aks Virtual Nodes Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/virtual-nodes-portal.md
description: Learn how to use the Azure portal to create an Azure Kubernetes Ser
Last updated 03/15/2021-+ # Create and configure an Azure Kubernetes Services (AKS) cluster to use virtual nodes in the Azure portal
app-service App Gateway With Service Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/networking/app-gateway-with-service-endpoints.md
na
Last updated 12/09/2019 -+
app-service Quickstart Html Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-html-uiex.md
ms.assetid: 60495cc5-6963-4bf0-8174-52786d226c26
Last updated 08/23/2019 -+
app-service Quickstart Html https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-html.md
ms.assetid: 60495cc5-6963-4bf0-8174-52786d226c26
Last updated 08/23/2019 -+ adobe-target: true adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021 adobe-target-experience: Experience B
app-service Quickstart Python 1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-python-1.md
Title: 'Quickstart: Create a Python app on Linux'
description: Get started with Azure App Service by deploying a Python app to a Linux container in App Service. Last updated 09/22/2020-+ zone_pivot_groups: python-frameworks-01
app-service Quickstart Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-python.md
Title: 'Quickstart: Create a Python app'
description: Get started with Azure App Service by deploying your first Python app to a Linux container in App Service. Last updated 11/10/2020-+ zone_pivot_groups: python-frameworks-01 adobe-target: true adobe-target-activity: DocsExpΓÇô393165ΓÇôA/BΓÇôDocs/PythonQuickstartΓÇôCLIvsPortalΓÇôFY21Q4
automanage Arm Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/arm-deploy.md
+
+ Title: Onboard a machine to Azure Automanage with an ARM template
+description: Learn how to onboard a machine to Azure Automanage with an Azure Resource Manager template.
+++++ Last updated : 04/09/2021+++
+# Onboard a machine to Automanage with an Azure Resource Manager (ARM) template
++
+## Overview
+Follow the steps below to onboard a machine to Automanage Best Practices. The ARM template below will create a `configurationProfileAssignment` object, which is the Azure resource that represents a machine that has been onboarded to Automanage.
+
+## Prerequisites
+* You must have created an existing Automanage Account. See [this document](./automanage-account.md) for more information on the Automanage Account and how to create one.
+* You must have the **Contributor** role on the resource group containing the machines you want to onboard to Automanage
+
+## ARM template overview
+The following ARM template will onboard your specified machine onto Azure Automanage Best Practices. Details on the ARM template and steps on how to deploy are located in the ARM template deployment section [below](#arm-template-deployment).
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "machineName": {
+ "type": "String"
+ },
+ "automanageAccountName": {
+ "type": "String"
+ },
+ "configurationProfileAssignment": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines/providers/configurationProfileAssignments",
+ "apiVersion": "2020-06-30-preview",
+ "name": "[concat(parameters('machineName'), '/Microsoft.Automanage/', 'default')]",
+ "properties": {
+ "configurationProfile": "[parameters('configurationProfileAssignment')]",
+ "accountId": "[concat(resourceGroup().id, '/providers/Microsoft.Automanage/accounts/', parameters('automanageAccountName'))]"
+ }
+ }
+ ]
+}
+```
+
+## ARM template deployment
+The ARM template above will create a configuration profile assignment for your specified machine, using a specified Automanage Account. If you haven't created an Automanage Account, learn more at [this doc](./automanage-account.md).
+
+The `configurationProfileAssignment` value can be one of the following values:
+* "Production"
+* "DevTest"
+
+Follow these steps to deploy the ARM template:
+1. Save the below ARM template as `azuredeploy.json`
+1. Run the ARM template deployment with `az deployment group create --resource-group myResourceGroup --template-file azuredeploy.json`
+1. Provide the values for machineName, automanageAccountName, and configurationProfileAssignment when prompted
+1. You are done!
+
+As with any ARM template, it is possible to factor out the parameters into a separate `azuredeploy.parameters.json` file and use that as an argument when deploying.
+
+## Next steps
+Learn more about Automanage for [Linux](./automanage-linux.md) and [Windows](./automanage-windows-server.md)
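Review bot: Step 1 of "Follow these steps to deploy the ARM template" says "Save the below ARM template as `azuredeploy.json`", but the template sits above, in the "ARM template overview" section; say "the ARM template above" or move the template into this section. In the template itself, `accountId` is built from `resourceGroup().id`, so the Automanage Account must live in the same resource group the template is deployed to, which neither the prerequisites nor the deployment section states. The `configurationProfileAssignment` parameter is a bare `"String"` although the text restricts it to "Production" or "DevTest"; adding `"allowedValues": ["Production", "DevTest"]` makes a typo fail at template validation instead of at assignment time. Finally, the prerequisites list only Contributor on the resource group, while the Automanage Account document in this same change says the account ends up holding Contributor and Resource Policy Contributor on the subscription; one sentence noting that onboarding through this template still relies on those account permissions would help readers planning least-privilege assignments.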
automanage Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-account.md
+
+ Title: Azure Automanage Account
+description: Learn how an Automanage Account works and how to create one.
+++++ Last updated : 04/07/2021+++
+# Automanage Accounts
+
+The Automanage account is the identity that is used by the Automanage service to perform its automated operations.
+
+In the Azure portal experience, when you are enabling Automanage on your VMs, there is an Advanced dropdown on the **Enable Azure VM best practice** blade that allows you to assign or manually create the Automanage Account.
+
+The Automanage Account will be granted both **Contributor** and **Resource Policy Contributor** roles to the subscription(s) containing the machine(s) you onboard to Automanage. You may use the same Automanage Account on machines across multiple subscriptions, which will grant that Automanage Account **Contributor** and **Resource Policy Contributor** permissions on all subscriptions.
+
+If your VM is connected to a Log Analytics workspace in another subscription, the Automanage Account will be granted both **Contributor** and **Resource Policy Contributor** in that other subscription as well.
+
+If you are enabling Automanage with a new Automanage Account, you need the following permissions on your subscription: **Owner** role or **Contributor** along with **User Access Administrator** roles.
+
+If you are enabling Automanage with an existing Automanage Account, you need to have the **Contributor** role on the resource group containing your VMs.
+
+> [!NOTE]
+> When you disable Automanage Best Practices, the Automanage Account's permissions on any associated subscriptions will remain. Manually remove the permissions by going to the subscription's IAM page or delete the Automanage Account. The Automanage Account cannot be deleted if it is still managing any machines.
+
+## Create an Automanage Account
+You may create an Automanage Account using the portal or using an ARM template.
+
+### Portal
+1. Navigate to the **Automanage** blade in the portal
+1. Click **Enable on existing machine**
+1. Under **Advanced**, click "Create a new account"
+1. Fill in the required fields and click **Create**
+
+### ARM template
+Creating an Automanage Account using an ARM template requires 2 steps:
+1. Create the Automanage Account
+1. Grant sufficient permissions to the account to allow it to perform operations for you
+ 1. You will need the Object ID of the account you created for this step.
+ 1. Steps to find details of your account's service principal (including the Object ID) are available [here](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-portal#view-the-service-principal).
+ 1. Once you have found your service principal, copy the **Object ID**. Save this as you will need it to delegate permissions below.
+
+#### 1. Create Automanage Account (does not grant permissions to it)
+To create an Automanage Account, save the following ARM template as `azuredeploy.json` and run the Azure CLI command below. Once you are done, move on to the second template below to delegate sufficient permissions to the account.
+
+```azurecli-interactive
+az deployment group create --resource-group <resource group name> --template-file azuredeploy.json
+```
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "automanageAccountName": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-30-preview",
+ "type": "Microsoft.Automanage/accounts",
+ "name": "[parameters('automanageAccountName')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ }
+ ]
+}
+```
+#### 2. Grant permissions to the Automanage Account
+To grant sufficient permissions to the Automanage Account, you will need to do the following:
+1. Save the following ARM template as `azuredeploy2.json` and run the Azure CLI command below.
+1. When prompted, enter the Object ID of the Automanage Account you created and saved down.
+
+```azurecli-interactive
+az deployment group create --resource-group <resource group name> --template-file azuredeploy.json
+```
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "The principal to assign the role to"
+ }
+ }
+ },
+ "variables": {
+ "contributorRoleDefinitionID": "/providers/Microsoft.Authorization/roledefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "resourcePolicyContributorRoleDefinitionID": "/providers/Microsoft.Authorization/roledefinitions/36243c78-bf99-498c-9df9-86d9f8d28608"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2020-04-01-preview",
+ "name": "[guid(variables('contributorRoleDefinitionID'))]",
+ "properties": {
+ "roleDefinitionId": "[variables('contributorRoleDefinitionID')]",
+ "principalId": "[parameters('principalId')]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2020-04-01-preview",
+ "name": "[guid(variables('resourcePolicyContributorRoleDefinitionID'))]",
+ "properties": {
+ "roleDefinitionId": "[variables('resourcePolicyContributorRoleDefinitionID')]",
+ "principalId": "[parameters('principalId')]"
+ }
+ }
+ ]
+}
+```
+
+## Next steps
+* Learn about Automanage services for [Linux](./automanage-linux.md) and [Windows](./automanage-windows-server.md)
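Review bot: The Azure CLI command under "2. Grant permissions to the Automanage Account" deploys `azuredeploy.json`, but the step text tells the reader to save the role-assignment template as `azuredeploy2.json`; followed as written it redeploys the account template and never creates the role assignments, so the second command should be `--template-file azuredeploy2.json`. In that second template the assignment names, `[guid(variables('contributorRoleDefinitionID'))]` and `[guid(variables('resourcePolicyContributorRoleDefinitionID'))]`, depend only on the role ID, so granting a second Automanage Account in the same resource group yields identical names and the second deployment fails because an assignment with that name already exists for a different principal; derive the name from scope and principal too, e.g. `[guid(resourceGroup().id, parameters('principalId'), variables('contributorRoleDefinitionID'))]`. Also, both commands use `az deployment group create`, which creates the role assignments at resource-group scope, whereas the paragraph above states the account is granted Contributor and Resource Policy Contributor on the subscription(s); either the text or the deployment scope needs correcting so readers know exactly what they are delegating.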
automanage Automanage Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-virtual-machines.md
Automanage only supports VMs located in the following regions:
* UK South * AU East * AU Southeast
+* Southeast Asia
### Required RBAC permissions Your account will require slightly different RBAC roles depending on whether you are enabling Automanage with a new Automanage account.
A direct link to the policy is [here](https://portal.azure.com/#blade/Microsoft_
1. Click the **Assign** button when viewing the policy definition 1. Select the scope at which you want to apply the policy (can be management group, subscription, or resource group) 1. Under **Parameters**, specify parameters for the Automanage account, Configuration profile, and Effect (the effect should usually be DeployIfNotExists)
- 1. If you don't have an Automanage account, you will have to [create one](#create-an-automanage-account).
+ 1. If you don't have an Automanage account, you will have to [create one](./automanage-account.md).
1. Under **Remediation**, check the "Click a remediation task" checkbox. This will perform onboarding to Automanage. 1. Click **Review + create** and ensure that all settings look good. 1. Click **Create**.
For the complete list of participating Azure services and if they support prefer
## Automanage Account
-The Automanage Account is the security context or the identity under which the automated operations occur. Typically, the Automanage Account option is unnecessary for you to select, but if there was a delegation scenario where you wanted to divide the automated management of your resources (perhaps between two system administrators), this option allows you to define an Azure identity for each of those administrators.
+The Automanage Account is the security context or the identity under which the automated operations occur. Typically, the Automanage Account option is unnecessary for you to select, but if there was a delegation scenario where you wanted to divide the automated management of your resources (perhaps between two system administrators), the Automanage Account option in the enablement flow allows you to define an Azure identity for each of those administrators.
-In the Azure portal experience, when you are enabling Automanage on your VMs, there is an Advanced dropdown on the **Enable Azure VM best practice** blade that allows you to assign or manually create the Automanage Account.
-
-The Automanage Account will be granted both **Contributor** and **Resource Policy Contributor** roles to the subscription(s) containing the machine(s) you onboard to Automanage. You may use the same Automanage Account on machines across multiple subscriptions, which will grant that Automanage Account **Contributor** and **Resource Policy Contributor** permissions on all subscriptions.
-
-If your VM is connected to a Log Analytics workspace in another subscription, the Automanage Account will be granted both **Contributor** and **Resource Policy Contributor** in that other subscription as well.
-
-If you are enabling Automanage with a new Automanage Account, you need the following permissions on your subscription: **Owner** role or **Contributor** along with **User Access Administrator** roles.
-
-If you are enabling Automanage with an existing Automanage Account, you need to have the **Contributor** role on the resource group containing your VMs.
-
-> [!NOTE]
-> When you disable Automanage Best Practices, the Automanage Account's permissions on any associated subscriptions will remain. Manually remove the permissions by going to the subscription's IAM page or delete the Automanage Account. The Automanage Account cannot be deleted if it is still managing any machines.
-
-### Create an Automanage Account
-You may create an Automanage Account using the portal or using an ARM template.
-
-#### Portal
-1. Navigate to the **Automanage** blade in the portal
-1. Click **Enable on existing machine**
-1. Under **Advanced**, click "Create a new account"
-1. Fill in the required fields and click **Create**
-
-#### ARM template
-Save the following ARM template as `azuredeploy.json` and run the following command:
-`az deployment group create --resource-group <resource group name> --template-file azuredeploy.json`
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "automanageAccountName": {
- "type": "String"
- },
- "location": {
- "type": "String"
- }
- },
- "resources": [
- {
- "apiVersion": "2020-06-30-preview",
- "type": "Microsoft.Automanage/accounts",
- "name": "[parameters('automanageAccountName')]",
- "location": "[parameters('location')]",
- "identity": {
- "type": "SystemAssigned"
- }
- }
- ]
-}
-```
+To learn more about the Automanage account and how to create one, visit the [Automanage Account document](./automanage-account.md).
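Review bot: Replacing the whole "Automanage Account" subsection with a single link drops the `[!NOTE]` that the account's Contributor and Resource Policy Contributor permissions remain on the subscription after Automanage is disabled; since this page is where users learn how to disable Automanage, keep a one-line reminder of that behaviour next to the new link rather than relying on readers to follow it.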
## Status of VMs
Read carefully through the messaging in the resulting pop-up before agreeing to
> > - The configuration of the VM and the services it is onboarded to don't change. > - Any charges incurred by those services remain billable and continue to be incurred.
-> - Any Automanage behaviors immediately stop.
+> - Automanage drift monitoring immediately stops.
First and foremost, we will not off-board the virtual machine from any of the services that we onboarded it to and configured. So any charges incurred by those services will continue to remain billable. You will need to off-board if necessary. Any Automanage behavior will stop immediately. For example, we will no longer monitor the VM for drift.
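Review bot: The bullet now narrows the claim to "Automanage drift monitoring immediately stops", but the paragraph directly below still says "Any Automanage behavior will stop immediately", which is the broader statement the change removes; update that sentence (for example, "Automanage drift monitoring will stop immediately") so the two agree.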
automanage Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/faq.md
No, Automanage will not reconfigure it. We will begin to monitor the resources a
**Why does my VM have a Failed status in the Automanage portal?**
-If you see the status as *Failed*, you can troubleshoot the deployment through the Resource Group your VM is located in. Go to **Resource groups**, select your resource group, click on **Deployments** and see the *Failed* status there along with error details.
+If you see the status as *Failed*, you can troubleshoot the deployment in a few different ways:
+* Go to **Resource groups**, select your resource group, click on **Deployments** and see the *Failed* status there along with error details.
+* Go to **Subscriptions**, select your resource group, click on **Deployments** and see the *Failed* status there along with error details.
+* You can also visit the activity log of a VM, which will contain an entry for "Create or Update Configuration Profile Assignments". This may also contain more details on your deployment.
**How can I get troubleshooting support for Automanage?**
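Review bot: The second bullet reads "Go to **Subscriptions**, select your resource group", which looks copied from the first bullet; on the Subscriptions blade the reader selects the subscription, so change it to "select your subscription". The third bullet would also be more useful if it said where the activity log is (the VM's **Activity log** blade) and that the "Create or Update Configuration Profile Assignments" entry is where the error details appear.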
automanage Virtual Machines Policy Enable https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/virtual-machines-policy-enable.md
If you don't have an Azure subscription, [create an account](https://azure.micro
> [!IMPORTANT] > The following Azure RBAC permission is needed to enable Automanage: **Owner** role or **Contributor** along with **User Access Administrator** roles.
+## Direct link to Policy
+The Automanage policy definition can be found in the Azure portal by the name of [Configure virtual machines to be onboarded to Azure Automanage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F270610db-8c04-438a-a739-e8e6745b22d3). If you click on this link, skip directly to step 8 in [Locate and assign the policy](#locate-and-assign-the-policy) below.
## Sign in to Azure
Sign in to the [Azure portal](https://portal.azure.com/).
1. Under the **Basics** tab, fill out **Scope** by setting the *Subscription* and *Resource Group* > [!NOTE]
- > The Scope lets you define which VMs this policy applies to. You can set application at the subscription level or resource group level. If you set a resource group, all VMs that are currently in that resource group or any future VMs we add to it will have Automanage automatically enabled.
+ > The Scope lets you define which VMs this policy applies to. You can set application at the subscription level or resource group level. If you set a resource group, all VMs that are currently in that resource group or any future VMs we add to it will have Automanage automatically enabled.
-1. Click on the **Parameters** tab and set the **Automanage Account** and the desired **Configuration Profile**
+1. Click on the **Parameters** tab and set the **Automanage Account** and the desired **Configuration Profile**
1. Under the **Review + create** tab, review the settings 1. Apply the Assignment by clicking **Create** 1. View your assignments in the **Assignments** tab next to **Definition**
Sign in to the [Azure portal](https://portal.azure.com/).
> It will take some time for that policy to begin taking effect on the VMs currently in the resource group or subscription.
-## Next steps
+## Next steps
-Learn another way to enable Azure Automanage for virtual machines through the Azure portal.
+Learn another way to enable Azure Automanage for virtual machines through the Azure portal.
> [!div class="nextstepaction"] > [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
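Review bot: The changes to the "> The Scope lets you define..." note, the "Click on the **Parameters** tab..." step, the "## Next steps" heading and the "Learn another way..." sentence appear to be whitespace-only (the removed and added lines read identically); if they are trailing-space cleanups, say so in the description, otherwise drop them to keep the diff minimal. Since the note line is being touched anyway, "any future VMs we add to it" should read "any future VMs you add to it".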
availability-zones Az Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
description: To create highly available and resilient applications in Azure, Ava
Previously updated : 04/06/2021 Last updated : 04/13/2021
To achieve comprehensive business continuity on Azure, build your application ar
| Products | Resiliency | |--|:-:|
-| Storage Account | :large_blue_diamond: |
-| Application Gateway (V2) | :large_blue_diamond: |
-| Azure Backup | :large_blue_diamond: |
-| Azure Cosmos DB | :large_blue_diamond: |
-| Azure Data Lake Storage Gen 2 | :large_blue_diamond: |
-| Azure Express Route | :large_blue_diamond: |
-| Azure Public IP | :large_blue_diamond: |
-| Azure SQL Database (General Purpose Tier) | :large_blue_diamond: |
-| Azure SQL Database (Premium & Business Critical Tier) | :large_blue_diamond: |
-| Disk Storage | :large_blue_diamond: |
-| Event Hubs | :large_blue_diamond: |
-| Key Vault | :large_blue_diamond: |
-| Load Balancer | :large_blue_diamond: |
-| Service Bus | :large_blue_diamond: |
-| Service Fabric | :large_blue_diamond: |
-| Storage: Hot/Cool Blob Storage Tiers | :large_blue_diamond: |
-| Storage: Managed Disks | :large_blue_diamond: |
-| Virtual Machines Scale Sets | :large_blue_diamond: |
-| Virtual Machines | :large_blue_diamond: |
-| Virtual Machines: Av2-Series | :large_blue_diamond: |
-| Virtual Machines: Bs-Series | :large_blue_diamond: |
-| Virtual Machines: DSv2-Series | :large_blue_diamond: |
-| Virtual Machines: DSv3-Series | :large_blue_diamond: |
-| Virtual Machines: Dv2-Series | :large_blue_diamond: |
-| Virtual Machines: Dv3-Series | :large_blue_diamond: |
-| Virtual Machines: ESv3-Series | :large_blue_diamond: |
-| Virtual Machines: Ev3-Series | :large_blue_diamond: |
-| Virtual Machines: F-Series | :large_blue_diamond: |
-| Virtual Machines: FS-Series | :large_blue_diamond: |
-| Virtual Network | :large_blue_diamond: |
-| VPN Gateway | :large_blue_diamond: |
+| [Application Gateway (V2)](https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) | :large_blue_diamond: |
+| [Azure Backup](https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-storage-redundancy) | :large_blue_diamond: |
+| [Azure Cosmos DB](https://docs.microsoft.com/azure/cosmos-db/high-availability#availability-zone-support) | :large_blue_diamond: |
+| [Azure Data Lake Storage Gen 2](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-introduction) | :large_blue_diamond: |
+| [Azure Express Route](https://docs.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute) | :large_blue_diamond: |
+| [Azure Public IP](https://docs.microsoft.com/azure/virtual-network/public-ip-addresses) | :large_blue_diamond: |
+| Azure SQL Database ([General Purpose Tier](https://docs.microsoft.com/azure/azure-sql/database/high-availability-sla)) | :large_blue_diamond: |
+| Azure SQL Database([Premium & Business Critical Tier](https://docs.microsoft.com/azure/azure-sql/database/high-availability-sla)) | :large_blue_diamond: |
+| [Disk Storage](https://docs.microsoft.com/azure/storage/common/storage-redundancy) | :large_blue_diamond: |
+| [Event Hubs](https://docs.microsoft.com/azure/event-hubs/event-hubs-geo-dr#availability-zones) | :large_blue_diamond: |
+| [Key Vault](https://docs.microsoft.com/azure/key-vault/general/disaster-recovery-guidance) | :large_blue_diamond: |
+| [Load Balancer](https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones) | :large_blue_diamond: |
+| [Service Bus](https://docs.microsoft.com/azure/service-bus-messaging/service-bus-geo-dr#availability-zones) | :large_blue_diamond: |
+| [Service Fabric](https://docs.microsoft.com/azure/service-fabric/service-fabric-cross-availability-zones#:~:text=An%20Availability%20Zone%20is%20a%20unique%20physical%20location,zones.%20This%20will%20ensure%20high-availability%20of%20your%20applications) | :large_blue_diamond: |
+| [Storage Account](https://docs.microsoft.com/azure/storage/common/storage-redundancy) | :large_blue_diamond: |
+| Storage: [Hot/Cool Blob Storage Tiers](https://docs.microsoft.com/azure/storage/common/storage-redundancy) | :large_blue_diamond: |
+| Storage: [Managed Disks](https://docs.microsoft.com/azure/virtual-machines/managed-disks-overview) | :large_blue_diamond: |
+| [Virtual Machines Scale Sets](https://docs.microsoft.com/azure/virtual-machine-scale-sets/scripts/cli-sample-zone-redundant-scale-set) | :large_blue_diamond: |
+| [Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Av2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Bs-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [DSv2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [DSv3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Dv2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Dv3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [ESv3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Ev3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [F-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [FS-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Shared Image Gallery](https://docs.microsoft.com/azure/virtual-machines/shared-image-galleries#make-your-images-highly-available) | :large_blue_diamond: |
+| [Virtual Network](https://docs.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) | :large_blue_diamond: |
+| [VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) | :large_blue_diamond: |
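Review bot: The `Azure SQL Database([Premium & Business Critical Tier]...` row is missing the space before the opening bracket, unlike the General Purpose row above it. The hunk also adds a row that was not in the removed list, `Virtual Machines: [Shared Image Gallery]`, and moves `Storage Account` down the table; both are content changes rather than link additions and should be called out in the change description. Two link targets look off: `[Virtual Network]` points at the zone-redundant VNet gateway article rather than a Virtual Network page, and the Service Fabric link relies on a `#:~:text=` text fragment, which only works in browsers that support fragment highlighting and breaks as soon as the target wording changes; link to a section anchor instead.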
**Mainstream services**
To achieve comprehensive business continuity on Azure, build your application ar
| Products | Resiliency | |--|:-:|
-| App Service Environments | :large_blue_diamond: |
-| Azure Active Directory Domain Services | :large_blue_diamond: |
-| Azure Bastion | :large_blue_diamond: |
-| Azure Cache for Redis | :large_blue_diamond: |
-| Azure Cognitive Search | :large_blue_diamond: |
-| Azure Cognitive
-| Azure Data Explorer | :large_blue_diamond: |
-| Azure Database for MySQL ΓÇô Flexible Server | :large_blue_diamond: |
-| Azure Database for PostgreSQL ΓÇô Flexible Server | :large_blue_diamond: |
-| Azure DDoS Protection | :large_blue_diamond: |
-| Azure Disk Encryption | :large_blue_diamond: |
-| Azure Firewall | :large_blue_diamond: |
-| Azure Firewall Manager | :large_blue_diamond: |
-| Azure Kubernetes Service (AKS) | :large_blue_diamond: |
-| Azure Private Link | :large_blue_diamond: |
-| Azure Site Recovery | :large_blue_diamond: |
-| Azure SQL: Virtual Machine | :large_blue_diamond: |
-| Azure Web Application Firewall | :large_blue_diamond: |
-| Container Registry | :large_blue_diamond: |
-| Event Grid | :large_blue_diamond: |
-| Network Watcher | :large_blue_diamond: |
-| Network Watcher: Traffic Analytics | :large_blue_diamond: |
-| Power BI Embedded | :large_blue_diamond: |
-| Premium Blob Storage | :large_blue_diamond: |
-| Storage: Azure Premium Files | :large_blue_diamond: |
-| Virtual Machines: Azure Dedicated Host | :large_blue_diamond: |
-| Virtual Machines: Ddsv4-Series | :large_blue_diamond: |
-| Virtual Machines: Ddv4-Series | :large_blue_diamond: |
-| Virtual Machines: Dsv4-Series | :large_blue_diamond: |
-| Virtual Machines: Dv4-Series | :large_blue_diamond: |
-| Virtual Machines: Edsv4-Series | :large_blue_diamond: |
-| Virtual Machines: Edv4-Series | :large_blue_diamond: |
-| Virtual Machines: Esv4-Series | :large_blue_diamond: |
-| Virtual Machines: Ev4-Series | :large_blue_diamond: |
-| Virtual Machines: Fsv2-Series | :large_blue_diamond: |
-| Virtual Machines: M-Series | :large_blue_diamond: |
-| Virtual WAN | :large_blue_diamond: |
-| Virtual WAN: ExpressRoute | :large_blue_diamond: |
-| Virtual WAN: Point-to-Site VPN Gateway | :large_blue_diamond: |
-| Virtual WAN: Site-to-Site VPN Gateway | :large_blue_diamond: |
+| [App Service Environments](https://docs.microsoft.com/azure/app-service/environment/zone-redundancy) | :large_blue_diamond: |
+| [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) | :large_blue_diamond: |
+| [Azure Bastion](https://docs.microsoft.com/azure/bastion/bastion-overview) | :large_blue_diamond: |
+| [Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-high-availability) | :large_blue_diamond: |
+| [Azure Cognitive Search](https://docs.microsoft.com/azure/search/search-performance-optimization#availability-zones) | :large_blue_diamond: |
+| Azure Cognitive
+| [Azure Data Explorer](https://docs.microsoft.com/azure/data-explorer/create-cluster-database-portal) | :large_blue_diamond: |
+| Azure Database for MySQL ΓÇô [Flexible Server](https://docs.microsoft.com/azure/mysql/flexible-server/concepts-high-availability) | :large_blue_diamond: |
+| Azure Database for PostgreSQL ΓÇô [Flexible Server](https://docs.microsoft.com/azure/postgresql/flexible-server/overview) | :large_blue_diamond: |
+| [Azure DDoS Protection](https://docs.microsoft.com/azure/ddos-protection/ddos-faq) | :large_blue_diamond: |
+| [Azure Disk Encryption](https://docs.microsoft.com/azure/virtual-machines/disks-redundancy) | :large_blue_diamond: |
+| [Azure Firewall](https://docs.microsoft.com/azure/firewall/deploy-availability-zone-powershell#:~:text=For%20more%20information%20about%20Azure%20Firewall%20Availability%20Zones%2C,This%20creates%20a%20zone-redundant%20IP%20address%20by%20default) | :large_blue_diamond: |
+| [Azure Firewall Manager](https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy) | :large_blue_diamond: |
+| [Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/availability-zones) | :large_blue_diamond: |
+| [Azure Private Link](https://docs.microsoft.com/azure/private-link/private-link-overview) | :large_blue_diamond: |
+| [Azure Site Recovery](https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery) | :large_blue_diamond: |
+| Azure SQL: [Virtual Machine](https://docs.microsoft.com/azure/azure-sql/database/high-availability-sla) | :large_blue_diamond: |
+| [Azure Web Application Firewall](https://docs.microsoft.com/azure/firewall/deploy-availability-zone-powershell#:~:text=For%20more%20information%20about%20Azure%20Firewall%20Availability%20Zones%2C,This%20creates%20a%20zone-redundant%20IP%20address%20by%20default) | :large_blue_diamond: |
+| [Container Registry](https://docs.microsoft.com/azure/container-registry/zone-redundancy) | :large_blue_diamond: |
+| [Event Grid](https://docs.microsoft.com/azure/event-grid/overview) | :large_blue_diamond: |
+| [Network Watcher](https://docs.microsoft.com/azure/network-watcher/frequently-asked-questions#service-availability-and-redundancy) | :large_blue_diamond: |
+| Network Watcher: [Traffic Analytics](https://docs.microsoft.com/azure/network-watcher/frequently-asked-questions#service-availability-and-redundancy) | :large_blue_diamond: |
+| [Power BI Embedded](https://docs.microsoft.com/power-bi/admin/service-admin-failover#what-does-high-availability) | :large_blue_diamond: |
+| [Premium Blob Storage](https://docs.microsoft.com/azure/storage/blobs/storage-blob-performance-tiers#:~:text=Table%201%20%20%20%20Area%20%20,%20%20Currently%20supports%20only%20locally-redundan%20...%20) | :large_blue_diamond: |
+| Storage: [Azure Premium Files](https://docs.microsoft.com/azure/storage/files/storage-files-planning) | :large_blue_diamond: |
+| Virtual Machines: [Azure Dedicated Host](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Ddsv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Ddv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Dsv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Dv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Edsv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Edv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Esv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Ev4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [Fsv2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| Virtual Machines: [M-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
+| [Virtual WAN](https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about#how-are-availability-zones-and-resiliency-handled-in-virtual-wan) | :large_blue_diamond: |
+| Virtual WAN: [ExpressRoute](https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about#how-are-availability-zones-and-resiliency-handled-in-virtual-wan) | :large_blue_diamond: |
+| Virtual WAN: [Point-to-Site VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) | :large_blue_diamond: |
+| Virtual WAN: [Site-to-Site VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) | :large_blue_diamond: |
**Specialized Services**
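Review bot: every Virtual Machines row added here (Azure Dedicated Host and the Ddsv4 through M-Series rows) links to the same generic "create-powershell-availability-zone" how-to rather than to a page for the specific series, so a reader clicking "Fsv2-Series" or "M-Series" lands on an unrelated PowerShell walkthrough. Please confirm the intended targets and point each series row at its own sizes page (or drop the links and keep the names as plain text), and check the Dedicated Host row for the same reason.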
azure-arc Manage Vm Extensions Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-cli.md
Title: Enable VM extension using Azure CLI description: This article describes how to deploy virtual machine extensions to Azure Arc enabled servers running in hybrid cloud environments using the Azure CLI. Previously updated : 01/05/2021 Last updated : 04/13/2021
This article shows you how to deploy and uninstall VM extensions, supported by Azure Arc enabled servers, to a Linux or Windows hybrid machine using the Azure CLI.
+> [!NOTE]
+> Azure Arc enabled servers does not support deploying and managing VM extensions to Azure virtual machines. For Azure VMs, see the following [VM extension overview](../../virtual-machines/extensions/overview.md) article.
+ [!INCLUDE [Azure CLI Prepare your environment](../../../includes/azure-cli-prepare-your-environment.md)] ## Install the Azure CLI extension
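Review bot: the same NOTE block is being added verbatim to five azure-arc articles in this change (manage-vm-extensions-cli, -portal, -powershell, -template and manage-vm-extensions), which means five copies to keep in sync; since this file already pulls shared text in via an include (the "Azure CLI Prepare your environment" include on this line), consider moving the note into an include as well. Minor wording in the note itself: "see the following [VM extension overview] article" reads oddly with an inline link, "see the [VM extension overview] article" is enough.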
azure-arc Manage Vm Extensions Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-portal.md
Title: Enable VM extension from Azure portal description: This article describes how to deploy virtual machine extensions to Azure Arc enabled servers running in hybrid cloud environments from the Azure portal. Previously updated : 01/22/2020 Last updated : 04/13/2021
This article shows you how to deploy and uninstall Azure VM extensions, supporte
> [!NOTE] > The Key Vault VM extension (preview) does not support deployment from the Azure portal, only using the Azure CLI, the Azure PowerShell, or using an Azure Resource Manager template.
+> [!NOTE]
+> Azure Arc enabled servers does not support deploying and managing VM extensions to Azure virtual machines. For Azure VMs, see the following [VM extension overview](../../virtual-machines/extensions/overview.md) article.
+ ## Enable extensions from the portal VM extensions can be applied your Arc for server managed machine through the Azure portal.
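Review bot: the unchanged sentence directly under the new heading, "VM extensions can be applied your Arc for server managed machine through the Azure portal", is missing "to" and still uses the older "Arc for server" name, while the note added just above uses "Azure Arc enabled servers"; since this file is being touched anyway, suggest "VM extensions can be applied to your Azure Arc enabled server through the Azure portal."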
azure-arc Manage Vm Extensions Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-powershell.md
Title: Enable VM extension using Azure PowerShell description: This article describes how to deploy virtual machine extensions to Azure Arc enabled servers running in hybrid cloud environments using Azure PowerShell. Previously updated : 01/05/2021 Last updated : 04/13/2021
This article shows you how to deploy and uninstall Azure VM extensions, supported by Azure Arc enabled servers, to a Linux or Windows hybrid machine using Azure PowerShell.
+> [!NOTE]
+> Azure Arc enabled servers does not support deploying and managing VM extensions to Azure virtual machines. For Azure VMs, see the following [VM extension overview](../../virtual-machines/extensions/overview.md) article.
+ ## Prerequisites - A computer with Azure PowerShell. For instructions, see [Install and configure Azure PowerShell](/powershell/azure/).
azure-arc Manage Vm Extensions Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-template.md
Title: Enable VM extension using Azure Resource Manager template description: This article describes how to deploy virtual machine extensions to Azure Arc enabled servers running in hybrid cloud environments using an Azure Resource Manager template. Previously updated : 03/01/2021 Last updated : 04/13/2021
VM extensions can be added to an Azure Resource Manager template and executed wi
>[!NOTE] >While multiple extensions can be batched together and processed, they are installed serially. Once the first extension installation is complete, installation of the next extension is attempted.
+> [!NOTE]
+> Azure Arc enabled servers does not support deploying and managing VM extensions to Azure virtual machines. For Azure VMs, see the following [VM extension overview](../../virtual-machines/extensions/overview.md) article.
+ ## Deploy the Log Analytics VM extension To easily deploy the Log Analytics agent, the following sample is provided to install the agent on either Windows or Linux.
azure-arc Manage Vm Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions.md
Title: VM extension management with Azure Arc enabled servers description: Azure Arc enabled servers can manage deployment of virtual machine extensions that provide post-deployment configuration and automation tasks with non-Azure VMs. Previously updated : 03/22/2021 Last updated : 04/13/2021
Azure Arc enabled servers enables you to deploy Azure VM extensions to non-Azure
- [Azure PowerShell](manage-vm-extensions-powershell.md) - Azure [Resource Manager templates](manage-vm-extensions-template.md)
+> [!NOTE]
+> Azure Arc enabled servers does not support deploying and managing VM extensions to Azure virtual machines. For Azure VMs, see the following [VM extension overview](../../virtual-machines/extensions/overview.md) article.
+ ## Key benefits Azure Arc enabled servers VM extension support provides the following key benefits:
azure-functions Create First Function Cli Java Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-java-uiex.md
Title: Create a Java function from the command line - Azure Functions
description: Learn how to create a Java function from the command line, then publish the local project to serverless hosting in Azure Functions. Last updated 11/03/2020 -+
azure-functions Disable Function https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/disable-function.md
Title: How to disable functions in Azure Functions
description: Learn how to disable and enable functions in Azure Functions. Last updated 03/15/2021 -+ # How to disable functions in Azure Functions
azure-functions Functions Twitter Email https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-twitter-email.md
Title: Create a function that integrates with Azure Logic Apps
-description: Create a function that integrates with Azure Logic Apps and Azure Cognitive Services to categorize tweet sentiment and send notifications when sentiment is poor.
+description: Create a function integrate with Azure Logic Apps and Azure Cognitive Services. The resulting workflow categorizes tweet sentiments sends email notifications.
- ms.assetid: 60495cc5-1638-4bf0-8174-52786d227734 Previously updated : 04/27/2020 Last updated : 04/10/2021
-# Create a function that integrates with Azure Logic Apps
-
-Azure Functions integrates with Azure Logic Apps in the Logic Apps Designer. This integration lets you use the computing power of Functions in orchestrations with other Azure and third-party services.
+# Tutorial: Create a function to integrate with Azure Logic Apps
-This tutorial shows you how to use Azure Functions with Logic Apps and Cognitive Services on Azure to run sentiment analysis from Twitter posts. An HTTP trigger function categorizes tweets as green, yellow, or red based on the sentiment score. An email is sent when poor sentiment is detected.
+Azure Functions integrates with Azure Logic Apps in the Logic Apps Designer. This integration allows you use the computing power of Functions in orchestrations with other Azure and third-party services.
-![image first two steps of app in Logic App Designer](media/functions-twitter-email/00-logic-app-overview.png)
+This tutorial shows you how to create a workflow to analyze Twitter activity. As tweets are evaluated, the workflow sends notifications when positive sentiments are detected.
-In this tutorial, you learn how to:
+In this tutorial, you learn to:
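Review bot: the new description on the "+description:" line has two grammar slips that will show up in search results and the page header: "Create a function integrate with" should be "Create a function that integrates with", and "categorizes tweet sentiments sends email notifications" is missing "and". The rewritten intro sentence also drops a word ("This integration allows you use" should be "allows you to use"), and "you learn to:" reads better as the original "you learn how to:".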
> [!div class="checklist"] > * Create a Cognitive Services API Resource. > * Create a function that categorizes tweet sentiment. > * Create a logic app that connects to Twitter.
-> * Add sentiment detection to the logic app.
+> * Add sentiment detection to the logic app.
> * Connect the logic app to the function. > * Send an email based on the response from the function. ## Prerequisites
-+ An active [Twitter](https://twitter.com/) account.
-+ An [Outlook.com](https://outlook.com/) account (for sending notifications).
+* An active [Twitter](https://twitter.com/) account.
+* An [Outlook.com](https://outlook.com/) account (for sending notifications).
> [!NOTE]
-> If you want to use the Gmail connector, only G-Suite business accounts can use this connector without restrictions in logic apps.
-> If you have a Gmail consumer account, you can use the Gmail connector with only specific Google-approved apps and services,
-> or you can [create a Google client app to use for authentication in your Gmail connector](/connectors/gmail/#authentication-and-bring-your-own-application).
-> For more information, see [Data security and privacy policies for Google connectors in Azure Logic Apps](../connectors/connectors-google-data-security-privacy-policy.md).
+> If you want to use the Gmail connector, only G-Suite business accounts can use this connector without restrictions in logic apps. If you have a Gmail consumer account, you can use the Gmail connector with only specific Google-approved apps and services, or you can [create a Google client app to use for authentication in your Gmail connector](/connectors/gmail/#authentication-and-bring-your-own-application). <br><br>For more information, see [Data security and privacy policies for Google connectors in Azure Logic Apps](../connectors/connectors-google-data-security-privacy-policy.md).
-+ This article uses as its starting point the resources created in [Create your first function from the Azure portal](./functions-get-started.md).
-If you haven't already done so, complete these steps now to create your function app.
+## Create Text Analytics resource
-## Create a Cognitive Services resource
-
-The Cognitive Services APIs are available in Azure as individual resources. Use the Text Analytics API to detect the sentiment of the tweets being monitored.
+The Cognitive Services APIs are available in Azure as individual resources. Use the Text Analytics API to detect the sentiment of posted tweets.
1. Sign in to the [Azure portal](https://portal.azure.com/).
-2. Click **Create a resource** in the upper left-hand corner of the Azure portal.
+1. Select **Create a resource** in the upper left-hand corner of the Azure portal.
+
+1. Under _Categories_, select **AI + Machine Learning**
+
+1. Under _Text Analytics_, select **Create**.
+
+1. Enter the following values in the _Create Text Analytics_ screen.
+
+ | Setting | Value | Remarks |
+ | - | -- | - |
+ | Subscription | Your Azure subscription name | |
+ | Resource group | Create a new resource group named **tweet-sentiment-tutorial** | Later, you delete this resource group to remove all the resources created during this tutorial. |
+ | Region | Select the region closest to you | |
+ | Name | **TweetSentimentApp** | |
+ | Pricing tier | Select **Free F0** | |
+
+1. Select **Review + create**.
-3. Click **AI + Machine Learning** > **Text Analytics**. Then, use the settings as specified in the table to create the resource.
+1. Select **Create**.
- ![Create Cognitive resource page](media/functions-twitter-email/01-create-text-analytics.png)
+1. Once the deployment is complete, select **Go to Resource**.
- | Setting | Suggested value | Description |
- | | | |
- | **Name** | MyCognitiveServicesAccnt | Choose a unique account name. |
- | **Location** | West US | Use the location nearest you. |
- | **Pricing tier** | F0 | Start with the lowest tier. If you run out of calls, scale to a higher tier.|
- | **Resource group** | myResourceGroup | Use the same resource group for all services in this tutorial.|
+## Get Text Analytics settings
-4. Click **Create** to create your resource.
+With the Text Analytics resource created, you'll copy a few settings and set them aside for later use.
-5. Click **Overview** and copy the value of the **Endpoint** to a text editor. This value is used when creating a connection to the Cognitive Services API.
+1. Select **Keys and Endpoint**.
- ![Cognitive Services Settings](media/functions-twitter-email/02-cognitive-services.png)
+1. Copy **Key 1** by clicking on the icon at the end of the input box.
-6. In the left navigation column, click **Keys**, and then copy the value of **Key 1** and set it aside in a text editor. You use the key to connect the logic app to your Cognitive Services API.
-
- ![Cognitive Services Keys](media/functions-twitter-email/03-cognitive-serviecs-keys.png)
+1. Paste the value into a text editor.
+
+1. Copy the **Endpoint** by clicking on the icon at the end of the input box.
+
+1. Paste the value into a text editor.
## Create the function app
-Azure Functions provides a great way to offload processing tasks in a logic apps workflow. This tutorial uses an HTTP trigger function to process tweet sentiment scores from Cognitive Services and return a category value.
+1. From the top search box, search for and select **Function app**.
+
+1. Select **Create**.
+
+1. Enter the following values.
+
+ | Setting | Suggested Value | Remarks |
+ | - | -- | - |
+ | Subscription | Your Azure subscription name | |
+ | Resource group | **tweet-sentiment-tutorial** | Use the same resource group name throughout this tutorial. |
+ | Function App name | **TweetSentimentAPI** + a unique suffix | Function application names are globally unique. Valid characters are `a-z` (case insensitive), `0-9`, and `-`. |
+ | Publish | **Code** | |
+ | Runtime stack | **.NET** | The function code provided for you is in C#. |
+ | Version | Select the latest version number | |
+ | Region | Select the region closest to you | |
+
+1. Select **Review + create**.
+
+1. Select **Create**.
+1. Once the deployment is complete, select **Go to Resource**.
-## Create an HTTP trigger function
+## Create an HTTP-triggered function
-1. From the left menu of the **Functions** window, select **Functions**, then select **Add** from the top menu.
+1. From the left menu of the _Functions_ window, select **Functions**.
-2. From the **New Function** window, select **HTTP trigger**.
+1. Select **Add** from the top menu and enter the following values.
- ![Choose HTTP trigger function](./media/functions-twitter-email/06-function-http-trigger.png)
+ | Setting | Value | Remarks |
+ | - | -- | - |
+ | Development environment | **Develop in portal** | |
+ | Template | **HTTP Trigger** | |
+ | New Function | **TweetSentimentFunction** | This is the name of your function. |
+ | Authorization level | **Function** | |
-3. From the **New Function** page, select **Create Function**.
+1. Select the **Add** button.
-4. In your new HTTP trigger function, select **Code + Test** from the left menu, replace the contents of the `run.csx` file with the following code, and then select **Save**:
+1. Select the **Code + Test** button.
+
+1. Paste the following code in the code editor window.
```csharp #r "Newtonsoft.Json"
Azure Functions provides a great way to offload processing tasks in a logic apps
public static async Task<IActionResult> Run(HttpRequest req, ILogger log) {
- string category = "GREEN";
- string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
- log.LogInformation(string.Format("The sentiment score received is '{0}'.", requestBody));
+ string requestBody = String.Empty;
+ using (StreamReader streamReader = new StreamReader(req.Body))
+ {
+ requestBody = await streamReader.ReadToEndAsync();
+ }
- double score = Convert.ToDouble(requestBody);
+ dynamic score = JsonConvert.DeserializeObject(requestBody);
+ string value = "Positive";
if(score < .3) {
- category = "RED";
+ value = "Negative";
} else if (score < .6) {
- category = "YELLOW";
+ value = "Neutral";
} return requestBody != null
- ? (ActionResult)new OkObjectResult(category)
- : new BadRequestObjectResult("Please pass a value on the query string or in the request body");
+ ? (ActionResult)new OkObjectResult(value)
+ : new BadRequestObjectResult("Pass a sentiment score in the request body.");
} ```
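Review bot: in the new Run method the `return requestBody != null` check can never be false, so the BadRequestObjectResult branch is dead code: `requestBody` is initialised to `String.Empty` and `ReadToEndAsync()` returns an empty string, not null, for an empty body. Worse, with an empty body `JsonConvert.DeserializeObject("")` returns null and the comparison `score < .3` on a null `dynamic` throws at runtime, so the function answers with a 500 instead of the intended 400. Suggest validating before deserialising, e.g. `if (string.IsNullOrWhiteSpace(requestBody)) return new BadRequestObjectResult("Pass a sentiment score in the request body.");`, and consider parsing the score as a `double` (for example `double.TryParse` with `CultureInfo.InvariantCulture`) rather than going through `dynamic`, which also removes the need for the Newtonsoft reference.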
- This function code returns a color category based on the sentiment score received in the request.
+ A sentiment score is passed into the function, which returns a category name for the value.
+
+1. Select the **Save** button on the toolbar to save your changes.
+
+ > [!NOTE]
+ > To test the function, select **Test/Run** from the top menu. On the _Input_ tab, enter a value of `0.9` in the _Body_ input box, and then select **Run**. Verify that a value of _Positive_ is returned in the _HTTP response content_ box in the _Output_ section.
+
+Next, create a logic app that integrates with Azure Functions, Twitter, and the Cognitive Services API.
-5. To test the function, select **Test** from the top menu. On the **Input** tab, enter a value of `0.2` in the **Body**, and then select **Run**. A value of **RED** is returned in the **HTTP response content** on the **Output** tab.
+## Create a logic app
- :::image type="content" source="./media/functions-twitter-email/07-function-test.png" alt-text="Define the proxy settings":::
+1. From the top search box, search for and select **Logic Apps**.
-Now you have a function that categorizes sentiment scores. Next, you create a logic app that integrates your function with your Twitter and Cognitive Services API.
+1. Select **Add**.
-## Create a logic app
+1. Select **Consumption** and enter the following values.
-1. In the Azure portal, click the **Create a resource** button found on the upper left-hand corner of the Azure portal.
+ | Setting | Suggested Value |
+ | - | |
+ | Subscription | Your Azure subscription name |
+ | Resource group | **tweet-sentiment-tutorial** |
+ | Logic app name | **TweetSentimentApp** |
+ | Region | Select the region closest to you, preferably the same region you selected in previous steps. |
-2. Click **Web** > **Logic App**.
-
-3. Then, type a value for **Name** like `TweetSentiment`, and use the settings as specified in the table.
+ Accept default values for all other settings.
- ![Create logic app in the Azure portal](./media/functions-twitter-email/08-logic-app-create.png)
+1. Select **Review + create**.
- | Setting | Suggested value | Description |
- | -- | | - |
- | **Name** | TweetSentiment | Choose an appropriate name for your app. |
- | **Resource group** | myResourceGroup | Choose the same existing resource group as before. |
- | **Location** | East US | Choose a location close to you. |
+1. Select **Create**.
-4. Once you have entered the proper settings values, click **Create** to create your logic app.
+1. Once the deployment is complete, select **Go to Resource**.
-5. After the app is created, click your new logic app pinned to the dashboard. Then in the Logic Apps Designer, scroll down and click the **Blank Logic App** template.
+1. Select the **Blank Logic App** button.
- ![Blank Logic Apps template](media/functions-twitter-email/09-logic-app-create-blank.png)
+ :::image type="content" source="media/functions-twitter-email/blank-logic-app-button.png" alt-text="Blank Logic App button":::
-You can now use the Logic Apps Designer to add services and triggers to your app.
+1. Select the **Save** button on the toolbar to save your progress.
+
+You can now use the Logic Apps Designer to add services and triggers to your application.
## Connect to Twitter
-First, create a connection to your Twitter account. The logic app polls for tweets, which trigger the app to run.
+Create a connection to Twitter so your app can poll for new tweets.
-1. In the designer, click the **Twitter** service, and click the **When a new tweet is posted** trigger. Sign in to your Twitter account and authorize Logic Apps to use your account.
+1. Search for **Twitter** in the top search box.
-2. Use the Twitter trigger settings as specified in the table.
+1. Select the **Twitter** icon.
- ![Twitter connector settings](media/functions-twitter-email/10-tweet-settings.png)
+1. Select the **When a new tweet is posted** trigger.
- | Setting | Suggested value | Description |
- | -- | | - |
- | **Search text** | #Azure | Use a hashtag that is popular enough to generate new tweets in the chosen interval. When using the Free tier and your hashtag is too popular, you can quickly use up the transaction quota in your Cognitive Services API. |
- | **Interval** | 15 | The time elapsed between Twitter requests, in frequency units. |
- | **Frequency** | Minute | The frequency unit used for polling Twitter. |
+1. Enter the following values to set up the connection.
-3. Click **Save** to connect to your Twitter account.
+ | Setting | Value |
+ | - | - |
+ | Connection name | **MyTwitterConnection** |
+ | Authentication Type | **Use default shared application** |
-Now your app is connected to Twitter. Next, you connect to text analytics to detect the sentiment of collected tweets.
+1. Select **Sign in**.
-## Add sentiment detection
+1. Follow the prompts in the popup window to complete signing in to Twitter.
-1. Click **New Step**, and then **Add an action**.
+1. Next, enter the following values in the _When a new tweet is posted_ box.
-2. In **Choose an action**, type **Text Analytics**, and then click the **Detect sentiment** action.
-
- ![Screenshot that shows the "Choose an action" section with "Text Analytics" in the search box, and the "Detect sentiment" action selected. ](media/functions-twitter-email/11-detect-sentiment.png)
+ | Setting | Value |
+ | - | -- |
+ | Search text | **#my-twitter-tutorial** |
+ | How oven do you want to check for items? | **15** in the textbox, and <br> **Minute** in the dropdown |
-3. Type a connection name such as `MyCognitiveServicesConnection`, paste the key for your Cognitive Services API and the Cognitive Services endpoint you set aside in a text editor, and click **Create**.
+1. Select the **Save** button on the toolbar to save your progress.
- ![New Step, and then Add an action](media/functions-twitter-email/12-connection-settings.png)
+Next, connect to text analytics to detect the sentiment of collected tweets.
-4. Next, enter **Tweet text** in the text box and then click **New Step**.
+## Add Text Analytics sentiment detection
- ![Define text to analyze](media/functions-twitter-email/13-analyze-tweet-text.png)
+1. Select **New step**.
-Now that sentiment detection is configured, you can add a connection to your function that consumes the sentiment score output.
+1. Search for **Text Analytics** in the search box.
-## Connect sentiment output to your function
+1. Select the **Text Analytics** icon.
-1. In the Logic Apps Designer, click **New step** > **Add an action**, filter on **Azure Functions** and click **Choose an Azure function**.
+1. Select **Detect Sentiment** and enter the following values.
- ![Detect Sentiment](media/functions-twitter-email/14-azure-functions.png)
-
-4. Select the function app you created earlier.
+ | Setting | Value |
+ | - | -- |
+ | Connection name | **TextAnalyticsConnection** |
+ | Account Key | Paste in the Text Analytics account key you set aside earlier. |
+ | Site URL | Paste in the Text Analytics endpoint you set aside earlier. |
- ![Screenshot that shows the "Choose an action" section with a function app selected.](media/functions-twitter-email/15-select-function.png)
+1. Select **Create**.
-5. Select the function you created for this tutorial.
+1. Click inside the _Add new parameter_ box, and check the box next to **documents** that appears in the pop-up.
- ![Select function](media/functions-twitter-email/16-select-function.png)
+1. Click inside the _documents Id - 1_ textbox to open the dynamic content pop-up.
-4. In **Request Body**, click **Score** and then **Save**.
+1. In the _dynamic content_ search box, search for **id**, and click on **Tweet id**.
- ![Score](media/functions-twitter-email/17-function-input-score.png)
+1. Click inside the _documents Text - 1_ textbox to open the dynamic content pop-up.
-Now, your function is triggered when a sentiment score is sent from the logic app. A color-coded category is returned to the logic app by the function. Next, you add an email notification that is sent when a sentiment value of **RED** is returned from the function.
+1. In the _dynamic content_ search box, search for **text**, and click on **Tweet text**.
-## Add email notifications
+1. In **Choose an action**, type **Text Analytics**, and then click the **Detect sentiment** action.
-The last part of the workflow is to trigger an email when the sentiment is scored as _RED_. This article uses an Outlook.com connector. You can perform similar steps to use a Gmail or Office 365 Outlook connector.
+1. Select the **Save** button on the toolbar to save your progress.
-1. In the Logic Apps Designer, click **New step** > **Add a condition**.
+The _Detect Sentiment_ box should look like the following screenshot.
- ![Add a condition to the logic app.](media/functions-twitter-email/18-add-condition.png)
-2. Click **Choose a value**, then click **Body**. Select **is equal to**, click **Choose a value** and type `RED`, and click **Save**.
+## Connect sentiment output to function endpoint
- ![Choose an action for the condition.](media/functions-twitter-email/19-condition-settings.png)
+1. Select **New step**.
-3. In **IF TRUE**, click **Add an action**, search for `outlook.com`, click **Send an email**, and sign in to your Outlook.com account.
+1. Search for **Azure Functions** in the search box.
- ![Screenshot that shows the "IF TRUE" section with "outlook.com" entered in the search box, and the "Send an email" action selected.](media/functions-twitter-email/20-add-outlook.png)
+1. Select the **Azure Functions** icon.
- > [!NOTE]
- > If you don't have an Outlook.com account, you can choose another connector, such as Gmail or Office 365 Outlook
+1. Search for your function name in the search box. If you followed the guidance above, your function name begins with **TweetSentimentAPI**.
-4. In the **Send an email** action, use the email settings as specified in the table.
+1. Select the function icon.
- ![Configure the email for the send an email action.](media/functions-twitter-email/21-configure-email.png)
-
-| Setting | Suggested value | Description |
-| -- | | - |
-| **To** | Type your email address | The email address that receives the notification. |
-| **Subject** | Negative tweet sentiment detected | The subject line of the email notification. |
-| **Body** | Tweet text, Location | Click the **Tweet text** and **Location** parameters. |
+1. Select the **TweetSentimentFunction** item.
-1. Click **Save**.
+1. Click inside the _Request Body_ box, and select the _Detect Sentiment_ **score** item from the pop-up window.
-Now that the workflow is complete, you can enable the logic app and see the function at work.
+1. Select the **Save** button on the toolbar to save your progress.
-## Test the workflow
+## Add conditional step
-1. In the Logic App Designer, click **Run** to start the app.
+1. Select the **Add an action** button.
-2. In the left column, click **Overview** to see the status of the logic app.
-
- ![Logic app execution status](media/functions-twitter-email/22-execution-history.png)
+1. Click inside the _Control_ box, and search for and select **Control** in the pop-up window.
-3. (Optional) Click one of the runs to see details of the execution.
+1. Select **Condition**.
-4. Go to your function, view the logs, and verify that sentiment values were received and processed.
-
- ![View function logs](media/functions-twitter-email/sent.png)
+1. Click inside the _Choose a value_ box, and select the _TweetSentimentFunction_ **Body** item from the pop-up window.
-5. When a potentially negative sentiment is detected, you receive an email. If you haven't received an email, you can change the function code to return RED every time:
+1. Enter **Positive** in the _Choose a value_ box.
- ```csharp
- return (ActionResult)new OkObjectResult("RED");
- ```
+1. Select the **Save** button on the toolbar to save your progress.
- After you have verified email notifications, change back to the original code:
+## Add email notifications
- ```csharp
- return requestBody != null
- ? (ActionResult)new OkObjectResult(category)
- : new BadRequestObjectResult("Please pass a value on the query string or in the request body");
- ```
+1. Under the _True_ box, select the **Add an action** button.
- > [!IMPORTANT]
- > After you have completed this tutorial, you should disable the logic app. By disabling the app, you avoid being charged for executions and using up the transactions in your Cognitive Services API.
+1. Search for and select **Office 365 Outlook** in the text box.
-Now you've seen how easy it is to integrate Functions into a Logic Apps workflow.
+1. Search for **send** and select **Send an email** in the text box.
-## Disable the logic app
+1. Select the **Sign in** button.
-To disable the logic app, click **Overview** and then click **Disable** at the top of the screen. Disabling the app stops it from running and incurring charges without deleting the app.
+1. Follow the prompts in the popup window to complete signing in to Office 365 Outlook.
-![Function logs](media/functions-twitter-email/disable-logic-app.png)
+1. Enter your email address in the _To_ box.
-## Next steps
+1. Click inside the _Subject_ box and click on the **Body** item under _TweetSentimentFunction_. If the _Body_ item isn't shown in the list, click the **See more** link to expand the options list.
-In this tutorial, you learned how to:
+1. After the _Body_ item in the _Subject_, enter the text **Tweet from:**.
-> [!div class="checklist"]
-> * Create a Cognitive Services API Resource.
-> * Create a function that categorizes tweet sentiment.
-> * Create a logic app that connects to Twitter.
-> * Add sentiment detection to the logic app.
-> * Connect the logic app to the function.
-> * Send an email based on the response from the function.
+1. After the _Tweet from:_ text, click on the box again and select **User name** from the _When a new tweet is posted_ options list.
-Advance to the next tutorial to learn how to create a serverless API for your function.
+1. Click inside the _Body_ box and select **Tweet text** under the _When a new tweet is posted_ options list. If the _Tweet text_ item isn't shown in the list, click the **See more** link to expand the options list.
-> [!div class="nextstepaction"]
-> [Create a serverless API using Azure Functions](functions-create-serverless-api.md)
+1. Select the **Save** button on the toolbar to save your progress.
+
+The email box should now look like this screenshot.
++
+## Run the workflow
-To learn more about Logic Apps, see [Azure Logic Apps](../logic-apps/logic-apps-overview.md).
+1. From your Twitter account, tweet the following text: **I'm enjoying #my-twitter-tutorial**.
+
+1. Return to the Logic Apps Designer and select the **Run** button.
+
+1. Check your email for a message from the workflow.
+
+## Clean up resources
+
+To clean up all the Azure services and accounts created during this tutorial, delete the resource group.
+
+1. Search for **Resource groups** in the top search box.
+
+1. Select the **tweet-sentiment-tutorial**.
+
+1. Select **Delete resource group**
+
+1. Enter **tweet-sentiment-tutorial** in the text box.
+
+1. Select the **Delete** button.
+
+Optionally, you may want to return to your Twitter account and delete any test tweets from your feed.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Create a serverless API using Azure Functions](functions-create-serverless-api.md)
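Review bot: the screenshot announced by "The email box should now look like this screenshot." is missing; the added line that follows it contains nothing but a stray "+", so the image link appears to have been dropped and the sentence now points at nothing. Two smaller points in the same region: the rewritten "Next steps" keeps only the serverless API link and drops the "To learn more about Logic Apps, see [Azure Logic Apps](../logic-apps/logic-apps-overview.md)" pointer that the removed text had, which is worth keeping since half the tutorial is Logic Apps; and "1. Select **Delete resource group**" lacks the terminal period the surrounding steps use.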
azure-monitor Itsmc Connector Deletion https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/itsmc-connector-deletion.md
Title: Deletion of ITSM connector and the action that are associated to it
-description: This article provides an explanation of how to delete ITSM connector and the action groups that are associated to it.
+ Title: Delete unused ITSM connectors
+description: This article provides an explanation of how to delete ITSM connectors and the action groups that are associated with it.
-# Deletion of unused ITSM connectors
+# Delete unused ITSM connectors
-The process of deletion of unused connector contain 2 phases:
+The process of deleting unused IT service management (ITSM) connectors has two phases. You delete all the actions that are associated with an ITSM connector, and then you delete the connector itself. You delete the actions first because actions without a connector might cause errors in your subscription.
-1. Deletion of the associated actions: all the actions that are associated with the ITSM connector should be deleted. This should be done in order not to have actions without connector that might cause errors in your subscription.
+## Delete associated actions
-2. Deletion of the unused ITSM connector.
+1. In the Azure portal, select **Monitor**.
+
+ ![Screenshot of the Monitor selection.](media/itsmc-connector-deletion/itsmc-monitor-selection.png)
-## Deletion of the associated actions
+2. Select **Alerts**.
+
+ ![Screenshot of the Alerts selection.](media/itsmc-connector-deletion/itsmc-alert-selection.png)
-1. In order to find the action group you should go into ΓÇ£MonitorΓÇ¥
- ![Screenshot of monitor selection.](media/itsmc-connector-deletion/itsmc-monitor-selection.png)
+3. Select **Manage Actions**.
+
+ ![Screenshot of the Manage Actions selection.](media/itsmc-connector-deletion/itsmc-actions-selection.png)
-2. Select ΓÇ£AlertsΓÇ¥
- ![Screenshot of alerts selection.](media/itsmc-connector-deletion/itsmc-alert-selection.png)
-3. Select ΓÇ£Manage ActionsΓÇ¥
- ![Screenshot of manage actions selection.](media/itsmc-connector-deletion/itsmc-actions-selection.png)
-4. Select all the ITSM connectors that is connected to Cherwell
- ![Screenshot of ITSM connectors that is connected to Cherwell.](media/itsmc-connector-deletion/itsmc-actions-screen.png)
-5. Delete the action group
- ![Screenshot of action group deletion.](media/itsmc-connector-deletion/itsmc-action-deletion.png)
+4. Select an action group that's associated with the ITSM connector that you want to delete. This article uses the example of a Cherwell connector.
+
+ ![Screenshot of actions that are associated with the Cherwell connector.](media/itsmc-connector-deletion/itsmc-actions-screen.png)
-## Deletion of the unused ITSM connector
+5. Review the information, and then select **Delete action group**.
-1. You should search and select ΓÇ£ServiceDeskΓÇ¥ LA in the top search bar
- ![Screenshot of search and select ΓÇ£ServiceDeskΓÇ¥ LA.](media/itsmc-connector-deletion/itsmc-connector-selection.png)
-2. Select the ΓÇ£ITSM ConnectionsΓÇ¥ and select the Cherwell connector
- ![Screenshot of Cherwell ITSM connectors.](media/itsmc-connector-deletion/itsmc-cherwell-connector.png)
-3. Select ΓÇ£DeleteΓÇ¥
- ![Screenshot of ITSM connector deletion.](media/itsmc-connector-deletion/itsmc-connector-deletion.png)
+ ![Screenshot of action group information and the button for deleting the group.](media/itsmc-connector-deletion/itsmc-action-deletion.png)
+
+## Delete the connector
+
+1. On the search bar, search for **servicedesk**. Then select **ServiceDesk** in the list of resources.
+
+ ![Screenshot of search for and selecting ServiceDesk.](media/itsmc-connector-deletion/itsmc-connector-selection.png)
+
+2. Select **ITSM Connections**, and then select the Cherwell connector.
+
+ ![Screenshot of the Cherwell I T S M connector.](media/itsmc-connector-deletion/itsmc-cherwell-connector.png)
+
+3. Select **Delete**.
+
+ ![Screenshot of the delete button for the I T S M connector.](media/itsmc-connector-deletion/itsmc-connector-deletion.png)
## Next steps
-* [Troubleshooting problems in ITSM Connector](./itsmc-resync-servicenow.md)
+* [Troubleshooting problems in an ITSM connector](./itsmc-resync-servicenow.md)
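Review bot: the new description has a number mismatch: "delete ITSM connectors and the action groups that are associated with it" should read "associated with them". In "Delete associated actions", step 4 has the reader select a single action group, while the introduction says every action associated with the connector must be removed before the connector is deleted; say explicitly that steps 4 and 5 are repeated for each action group that references the connector. Before "select **Delete action group**" it is also worth adding a check that the action group is not used by other alert rules, because deleting it affects every rule that references it, not only the ITSM ones.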
azure-monitor Cross Workspace Query https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/cross-workspace-query.md
Identifying a workspace can be accomplished one of several ways:
* Resource name - is a human-readable name of the workspace, sometimes referred to as *component name*.
- >[!Note]
- >Because app and workspace names are not unique, this identifier might be ambiguous. When there are multiple instances of the resource name, reference should be by Qualified name, Resource ID, or Azure Resource ID.
+ >[!IMPORTANT]
+ >Because app and workspace names are not unique, this identifier might be ambiguous. It's recommended that reference is by Qualified name, Workspace ID, or Azure Resource ID.
`workspace("contosoretail-it").Update | count`
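Review bot: the sample `workspace("contosoretail-it").Update | count` directly under the new IMPORTANT box uses the resource-name form the box has just called ambiguous; either show the Workspace ID or Azure Resource ID form here, or state that the sample is only illustrating the syntax. The added sentence "It's recommended that reference is by Qualified name, Workspace ID, or Azure Resource ID" also reads awkwardly; "Reference the workspace by Qualified name, Workspace ID, or Azure Resource ID instead" says the same thing more directly.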
azure-monitor Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/customer-managed-keys.md
Clusters support two [managed identity types](../../active-directory/managed-ide
"identity": { "type": "UserAssigned", "userAssignedIdentities": {
- "subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft. ManagedIdentity/UserAssignedIdentities/<cluster-assigned-managed-identity>"
+ "subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/UserAssignedIdentities/<cluster-assigned-managed-identity>"
} } ```
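Review bot: the corrected `userAssignedIdentities` key still lacks the leading slash; an Azure resource ID begins with `/subscriptions/<subscription-id>/resourcegroups/...`, so the value should start with `/subscriptions/` rather than `subscriptions/`. Removing the space in `Microsoft.ManagedIdentity` is the right fix, but the ID as shown would still be rejected by Resource Manager.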
azure-monitor Private Link Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/private-link-security.md
Restricting access as explained above doesn't apply to the Azure Resource Manage
### Log Analytics solution packs download
-To allow the Log Analytics Agent to download solution packs, add the appropriate fully qualified domain names to your firewall allow list.
+To allow the Log Analytics Agent to download solution packs, add the appropriate fully qualified domain names to your firewall allowlist.
| Cloud environment | Agent Resource | Ports | Direction |
To allow the Log Analytics Agent to download solution packs, add the appropriate
|Azure Government | usbn1oicore.blob.core.usgovcloudapi.net | 443 | Outbound |Azure China 21Vianet | mceast2oicore.blob.core.chinacloudapi.cn| 443 | Outbound +
+>[!NOTE]
+> Starting April 19, 2021 the above setting won't be required, and you'll be able to reach the solution packs storage account through the private link. The new capability requires re-creating the AMPLS (on April 19th, 2021 or later) and the Private Endpoint connected to it. It will not apply to existing AMPLSs and Private Endpints.
+ ## Configure Application Insights Go to the Azure portal. In your Azure Monitor Application Insights component resource, is a menu item **Network Isolation** on the left-hand side. You can control two different states from this menu.
Go to the Azure portal. In your Azure Monitor Application Insights component res
First, you can connect this Application Insights resource to Azure Monitor Private Link scopes that you have access to. Select **Add** and select the **Azure Monitor Private Link Scope**. Select Apply to connect it. All connected scopes show up in this screen. Making this connection allows network traffic in the connected virtual networks to reach this component, and has the same effect as connecting it from the scope as we did in [Connecting Azure Monitor resources](#connect-azure-monitor-resources).
-Second, you can control how this resource can be reached from outside of the private link scopes (AMPLS) listed previously. If you set **Allow public network access for ingestion** to **No**, then machines or SDKs outside of the connected scopes can't upload data to this component. If you set **Allow public network access for queries** to **No**, then machines outside of the scopes can't access data in this Application Insights resource. That data includes access to APM logs, metrics, and the live metrics stream, as well as experiences built on top such as workbooks, dashboards, query API-based client experiences, insights in the Azure portal, and more.
+Then, you can control how this resource can be reached from outside of the private link scopes (AMPLS) listed previously. If you set **Allow public network access for ingestion** to **No**, then machines or SDKs outside of the connected scopes can't upload data to this component. If you set **Allow public network access for queries** to **No**, then machines outside of the scopes can't access data in this Application Insights resource. That data includes access to APM logs, metrics, and the live metrics stream, as well as experiences built on top such as workbooks, dashboards, query API-based client experiences, insights in the Azure portal, and more.
> [!NOTE] > Non-portal consumption experiences must also run on the private-linked VNET that includes the monitored workloads.
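Review bot: typo in the added note: "Private Endpints" should be "Private Endpoints". The same note says the allowlist entries above "won't be required" from April 19, 2021, but the last sentence restricts that to AMPLS and Private Endpoint resources created on or after that date; state the condition up front ("for AMPLS resources created on or after April 19, 2021") so readers with an existing AMPLS don't remove the firewall entries and break solution pack downloads.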
azure-monitor Partners https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/partners.md
With Site24x7 Azure Monitoring, you will be able to:
[SolarWinds documentation](https://www.solarwinds.com/topics/azure-monitoring)
+## SpearTip
+
+![SpearTip logo](./media/partners/speartip.png)
+
+SpearTipΓÇÖs 24/7 security operations center continuously monitors Azure environments for cyber threats. Utilizing the ShadowSpear integration with Azure Monitor, security events are collected and analyzed for advanced threats, while SpearTip engineers investigate and respond to stop threat actors in their tracks. The integration is seamless and provides instant value once the integration is deployed.
+
+[SpearTip documentation](https://www.speartip.com/identify/)
+ ## Splunk ![Splunk Logo](./media/partners/splunk.png)
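Review bot: the apostrophe in "SpearTip's" renders as "ΓÇÖ" in the diff, which indicates the added paragraph was saved with the wrong encoding; re-save the file as UTF-8 or use a plain ASCII apostrophe. "The integration is seamless and provides instant value once the integration is deployed" is promotional rather than descriptive; trim the entry to what the integration does (security events collected from Azure Monitor through ShadowSpear, analyzed by the SOC, investigated by SpearTip engineers), which is the level of detail the other partner entries keep to.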
azure-netapp-files Azure Netapp Files Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-metrics.md
na ms.devlang: na Previously updated : 12/04/2020 Last updated : 04/12/2021 # Metrics for Azure NetApp Files Azure NetApp Files provides metrics on allocated storage, actual storage usage, volume IOPS, and latency. By analyzing these metrics, you can gain a better understanding on the usage pattern and volume performance of your NetApp accounts.
+You can find metrics for a capacity pool or volume by selecting the **capacity pool** or **volume**. Then click **Metric** to view the available metrics:
+
+[ ![Snapshot that shows how to navigate to the Metric pull-down.](../media/azure-netapp-files/metrics-navigate-volume.png) ](../media/azure-netapp-files/metrics-navigate-volume.png#lightbox)
+ ## <a name="capacity_pools"></a>Usage metrics for capacity pools - *Pool Allocated Size*
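Review bot: the alt text "Snapshot that shows how to navigate to the Metric pull-down." should say "Screenshot"; in an Azure NetApp Files article "snapshot" reads as a volume snapshot. The preceding sentence also mixes "selecting the **capacity pool** or **volume**" with "Then click **Metric**"; use "select" for both actions.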
azure-netapp-files Azure Netapp Files Quickstart Set Up Account Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md
# Quickstart: Set up Azure NetApp Files and create an NFS volume
-This article shows you how to quickly set up Azure NetApp Files and create a volume.
+This article shows you how to quickly set up Azure NetApp Files and create an NFS volume.
In this quickstart, you will set up the following items:
In this quickstart, you will set up the following items:
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+To see all features that you can enable for an NFS volume and relevant considerations, see [Create an NFS volume](azure-netapp-files-create-volumes.md).
+ ## Before you begin > [!IMPORTANT]
The following code snippet shows how to create a capacity pool in an Azure Resou
-## Create NFS volume for Azure NetApp Files
+## Create an NFS volume for Azure NetApp Files
# [Portal](#tab/azure-portal)
azure-resource-manager Extension Resource Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/extension-resource-types.md
Title: Extension resource types description: Lists the Azure resource types are used to extend the capabilities of other resource types. Previously updated : 11/14/2020 Last updated : 04/12/2021 # Resource types that extend capabilities of other resources
An extension resource is a resource that adds to another resource's capabilities
- Microsoft.Authorization/policyExemptions - Microsoft.Authorization/policySetDefinitions - Microsoft.Authorization/privateLinkAssociations
+- Microsoft.Authorization/roleAssignmentApprovals
- Microsoft.Authorization/roleAssignments
+- Microsoft.Authorization/roleAssignmentScheduleInstances
+- Microsoft.Authorization/roleAssignmentScheduleRequests
+- Microsoft.Authorization/roleAssignmentSchedules
- Microsoft.Authorization/roleDefinitions
+- Microsoft.Authorization/roleEligibilityScheduleInstances
+- Microsoft.Authorization/roleEligibilityScheduleRequests
+- Microsoft.Authorization/roleEligibilitySchedules
+- Microsoft.Authorization/roleManagementPolicies
+- Microsoft.Authorization/roleManagementPolicyAssignments
## Microsoft.Automanage
An extension resource is a resource that adds to another resource's capabilities
- Microsoft.Blueprint/blueprintAssignments - Microsoft.Blueprint/blueprints
+## Microsoft.Capacity
+
+- Microsoft.Capacity/listSkus
+
+## Microsoft.ChangeAnalysis
+
+- Microsoft.ChangeAnalysis/changes
+ ## Microsoft.Consumption - Microsoft.Consumption/AggregatedCost
An extension resource is a resource that adds to another resource's capabilities
- Microsoft.CostManagement/Alerts - Microsoft.CostManagement/Budgets
+- Microsoft.CostManagement/CheckNameAvailability
- Microsoft.CostManagement/Dimensions - Microsoft.CostManagement/Exports - Microsoft.CostManagement/ExternalSubscriptions - Microsoft.CostManagement/Forecast
+- Microsoft.CostManagement/GenerateDetailedCostReport
- Microsoft.CostManagement/Insights
+- Microsoft.CostManagement/OperationResults
+- Microsoft.CostManagement/OperationStatus
- Microsoft.CostManagement/Query - Microsoft.CostManagement/Reportconfigs - Microsoft.CostManagement/Reports
+- Microsoft.CostManagement/ScheduledActions
- Microsoft.CostManagement/Views ## Microsoft.CustomProviders - Microsoft.CustomProviders/associations
+## Microsoft.DataMigration
+
+- Microsoft.DataMigration/DatabaseMigrations
+ ## Microsoft.EventGrid - Microsoft.EventGrid/eventSubscriptions
An extension resource is a resource that adds to another resource's capabilities
## Microsoft.PolicyInsights - Microsoft.PolicyInsights/attestations
+- Microsoft.PolicyInsights/eventGridFilters
- Microsoft.PolicyInsights/policyEvents - Microsoft.PolicyInsights/policyStates - Microsoft.PolicyInsights/policyTrackedResources
An extension resource is a resource that adds to another resource's capabilities
- Microsoft.ResourceHealth/childResources - Microsoft.ResourceHealth/events - Microsoft.ResourceHealth/impactedResources-- Microsoft.ResourceHealth/notifications ## Microsoft.Resources
An extension resource is a resource that adds to another resource's capabilities
- Microsoft.Security/devices - Microsoft.Security/deviceSecurityGroups - Microsoft.Security/InformationProtectionPolicies
+- Microsoft.Security/insights
+- Microsoft.Security/iotAlerts
+- Microsoft.Security/iotRecommendations
- Microsoft.Security/iotSensors
+- Microsoft.Security/iotSites
- Microsoft.Security/jitPolicies - Microsoft.Security/serverVulnerabilityAssessments - Microsoft.Security/sqlVulnerabilityAssessments
An extension resource is a resource that adds to another resource's capabilities
- Microsoft.SecurityInsights/cases - Microsoft.SecurityInsights/dataConnectors - Microsoft.SecurityInsights/dataConnectorsCheckRequirements
+- Microsoft.SecurityInsights/enrichment
- Microsoft.SecurityInsights/entities
+- Microsoft.SecurityInsights/entityQueryTemplates
- Microsoft.SecurityInsights/incidents - Microsoft.SecurityInsights/settings - Microsoft.SecurityInsights/threatIntelligence - Microsoft.SecurityInsights/watchlists
-## Microsoft.SerialConsole.PPE
+## Microsoft.SerialConsole
+
+- Microsoft.SerialConsole/serialPorts
+
+## Microsoft.ServiceLinker
-- Microsoft.SerialConsole.PPE/serialPorts
+- Microsoft.ServiceLinker/linkers
## Microsoft.SoftwarePlan - Microsoft.SoftwarePlan/hybridUseBenefits
+## Microsoft.Subscription
+
+- Microsoft.Subscription/policies
+ ## microsoft.support - microsoft.support/supporttickets ## Microsoft.WorkloadMonitor -- Microsoft.WorkloadMonitor/components-- Microsoft.WorkloadMonitor/monitorInstances - Microsoft.WorkloadMonitor/monitors-- Microsoft.WorkloadMonitor/notificationSettings ## Next steps
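Review bot: several added entries are named like operations rather than resource types: `Microsoft.Capacity/listSkus`, `Microsoft.CostManagement/CheckNameAvailability`, `Microsoft.CostManagement/GenerateDetailedCostReport`, `Microsoft.CostManagement/OperationResults` and `Microsoft.CostManagement/OperationStatus`. Confirm each is an extension resource type that can actually be attached to another resource before listing it here, because this page is the reference readers use for exactly that question.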
azure-resource-manager Resources Without Resource Group Limit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resources-without-resource-group-limit.md
Title: Resources without 800 count limit description: Lists the Azure resource types that can have more than 800 instances in a resource group. Previously updated : 01/08/2021 Last updated : 04/12/2021 # Resources not limited to 800 instances per resource group
By default, you can deploy up to 800 instances of a resource type in each resour
For some resource types, you need to contact support to have the 800 instance limit removed. Those resource types are noted in this article. + ## Microsoft.AlertsManagement
+* resourceHealthAlertRules
* smartDetectorAlertRules
-
+ ## Microsoft.Automation * automationAccounts
For some resource types, you need to contact support to have the 800 instance li
* flexibleServers * serverGroups
+* serverGroupsv2
* servers * serversv2
For some resource types, you need to contact support to have the 800 instance li
## Microsoft.HybridCompute * machines - supports up to 5,000 instances
-* extensions - supports an unlimited number of VM extension instances
+* machines/extensions - supports an unlimited number of VM extension instances
## microsoft.insights
For some resource types, you need to contact support to have the 800 instance li
* netAppAccounts/capacityPools/volumes * netAppAccounts/capacityPools/volumes/mountTargets * netAppAccounts/capacityPools/volumes/snapshots
+* netAppAccounts/volumeGroups
## Microsoft.Network
For some resource types, you need to contact support to have the 800 instance li
## Microsoft.PowerBIDedicated
+* autoScaleVCores - By default, limited to 800 instances. That limit can be increased by contacting support.
* capacities - By default, limited to 800 instances. That limit can be increased by contacting support. ## Microsoft.Relay
azure-resource-manager Test Cases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/test-cases.md
Title: Test cases for test toolkit description: Describes the tests that are run by the ARM template test toolkit. Previously updated : 12/03/2020 Last updated : 04/12/2021
The following example **passes** this test.
Test name: **ManagedIdentityExtension must not be used**
-Don't apply the ManagedIdentity extension to a virtual machine. For more information, see [How to stop using the virtual machine managed identities extension and start using the Azure Instance Metadata Service](../../active-directory/managed-identities-azure-resources/howto-migrate-vm-extension.md).
+Don't apply the ManagedIdentity extension to a virtual machine. The extension was deprecated in 2019 and should no longer be used.
## Outputs can't include secrets
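Review bot: replacing the link with "The extension was deprecated in 2019 and should no longer be used" drops the pointer to the replacement. A reader whose template fails this test still needs to know what to use instead, so keep a link to the migration guidance on obtaining managed identity tokens from the Azure Instance Metadata Service that the removed sentence referenced.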
azure-sql Authentication Aad Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-aad-configure.md
description: Learn how to connect to SQL Database, SQL Managed Instance, and Azu
-+ ms.devlang:
azure-sql Auto Failover Group Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/auto-failover-group-overview.md
description: Auto-failover groups allow you to manage replication and automatic
-+ ms.devlang:
azure-sql Dns Alias Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/dns-alias-overview.md
A code example of PowerShell cmdlets being used to manage DNS aliases is documen
The cmdlets used in the code example are the following: -- [New-AzSqlServerDNSAlias](/powershell/module/az.Sql/New-azSqlServerDnsAlias): Creates a new DNS alias in the Azure SQL Database service system. The alias refers to server 1.-- [Get-AzSqlServerDNSAlias](/powershell/module/az.Sql/Get-azSqlServerDnsAlias): Get and list all the DNS aliases that are assigned to server 1.-- [Set-AzSqlServerDNSAlias](/powershell/module/az.Sql/Set-azSqlServerDnsAlias): Modifies the server name that the alias is configured to refer to, from server 1 to server 2.-- [Remove-AzSqlServerDNSAlias](/powershell/module/az.Sql/Remove-azSqlServerDnsAlias): Remove the DNS alias from server 2, by using the name of the alias.
+- [New-AzSqlServerDnsAlias](/powershell/module/az.Sql/New-azSqlServerDnsAlias): Creates a new DNS alias in the Azure SQL Database service system. The alias refers to server 1.
+- [Get-AzSqlServerDnsAlias](/powershell/module/az.Sql/Get-azSqlServerDnsAlias): Get and list all the DNS aliases that are assigned to server 1.
+- [Set-AzSqlServerDnsAlias](/powershell/module/az.Sql/Set-azSqlServerDnsAlias): Modifies the server name that the alias is configured to refer to, from server 1 to server 2.
+- [Remove-AzSqlServerDnsAlias](/powershell/module/az.Sql/Remove-azSqlServerDnsAlias): Remove the DNS alias from server 2, by using the name of the alias.
## Limitations
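Review bot: the re-listed cmdlet descriptions mix verb forms ("Creates", "Get", "Modifies", "Remove"); use third-person singular throughout ("Gets and lists", "Removes") so the four items read in parallel. The casing fix from `DNSAlias` to `DnsAlias` matches the actual cmdlet names and is correct.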
azure-sql Access To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/access-to-sql-database-guide.md
ms.devlang: -+ Last updated 03/19/2021
azure-sql Mysql To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/mysql-to-sql-database-guide.md
ms.devlang:-+ Last updated 03/19/2021
azure-sql Oracle To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/oracle-to-sql-database-guide.md
ms.devlang:-+ Last updated 08/25/2020
azure-sql Sap Ase To Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/sap-ase-to-sql-database.md
ms.devlang: -+ Last updated 03/19/2021
azure-sql Sql Server To Managed Instance Performance Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-performance-baseline.md
Title: "SQL Server to Azure SQL Managed Instance: Performance analysis"
+ Title: "SQL Server to Azure SQL Managed Instance: Performance baseline"
description: Learn to create and compare a performance baseline when migrating your SQL Server databases to Azure SQL Managed Instance. ms.devlang: -+ Last updated 11/06/2020
-# Migration performance: SQL Server to Azure SQL Managed Instance performance analysis
+# Migration performance: SQL Server to Azure SQL Managed Instance performance baseline
[!INCLUDE[appliesto-sqldb-sqlmi](../../includes/appliesto-sqlmi.md)] Create a performance baseline to compare the performance of your workload on a SQL Managed Instance with your original workload running on SQL Server.
azure-sql Performance Guidelines Best Practices Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-storage.md
Review the following checklist for a brief overview of the storage best practice
- [Credit-based Disk Bursting](../../../virtual-machines/disk-bursting.md#credit-based-bursting) (P1-P20) should only be considered for smaller dev/test workloads and departmental systems. - Provision the storage account in the same region as the SQL Server VM. - Disable Azure geo-redundant storage (geo-replication) and use LRS (local redundant storage) on the storage account.-- Format your data disk to use 64 KB allocation unit size for all data files placed on a drive other than the temporary `D:\` drive (which has a default of 4 KB). SQL Server VMs deployed through Azure Marketplace come with data disks formatted with allocation unit size and interleave for the storage pool set to 64 KB.
+- Format your data disk to use 64 KB block size (allocation unit size) for all data files placed on a drive other than the temporary `D:\` drive (which has a default of 4 KB). SQL Server VMs deployed through Azure Marketplace come with data disks formatted with a block size and interleave for the storage pool set to 64 KB.
To compare the storage checklist with the others, see the comprehensive [Performance best practices checklist](performance-guidelines-best-practices-checklist.md).
azure-vmware Tutorial Create Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/tutorial-create-private-cloud.md
In this tutorial, you'll learn how to:
- Ensure you have the appropriate networking configured as described in [Tutorial: Network checklist](tutorial-network-checklist.md). - Hosts have been provisioned and the Microsoft.AVS resource provider registered as described in [Request hosts and enable the Microsoft.AVS resource provider](enable-azure-vmware-solution.md).
-## Create a Private Cloud
+## Create a private cloud
You can create an Azure VMware Solution private cloud by using the [Azure portal](#azure-portal) or by using the [Azure CLI](#azure-cli).
Continue to the next tutorial to learn how to create a jump box. You use the jum
> [!div class="nextstepaction"]
-> [Access an Azure VMware Solution private cloud](tutorial-access-private-cloud.md)
+> [Access an Azure VMware Solution private cloud](tutorial-access-private-cloud.md)
backup Backup Azure Database Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-database-postgresql.md
Title: Backup Azure Database for PostgreSQL description: Learn about Azure Database for PostgreSQL backup with long-term retention (preview) Previously updated : 04/06/2021 Last updated : 04/12/2021
This section provides troubleshooting information for backing up Azure PostgreSQ
### UserErrorMSIMissingPermissions
-Give Backup Vault MSI **Read** access on the PG server you want to back up or restore:
+Give Backup Vault MSI **Read** access on the PG server you want to back up or restore.
To establish secure connection to the PostgreSQL database, Azure Backup uses the [Managed Service Identity (MSI)](../active-directory/managed-identities-azure-resources/overview.md) authentication model. This means that the backup vault will have access to only those resources that have been explicitly granted permission by the user.
Steps:
![Access Control pane](./media/backup-azure-database-postgresql/access-control-pane.png)
-1. Select **Add a role assignment**.
+1. Select **Add role assignments**.
![Add role assignment](./media/backup-azure-database-postgresql/add-role-assignment.png) 1. In the right context pane that opens, enter the following:<br>
- **Role:** Reader<br>
- **Assign access to:** Choose **Backup vault**<br>
- If you canΓÇÖt find the **Backup vault** option in the drop-down list, choose the **Azure AD user, group, or service principal option**<br>
+ - **Role:** Choose the **Reader** role in the drop-down list.<br>
+ - **Assign access to:** Choose the **User, group, or service principal** option in the drop-down list.<br>
+ - **Select:** Enter the Backup vault name to which you want to back up this server and its databases.<br>
- ![Select role](./media/backup-azure-database-postgresql/select-role.png)
-
- **Select:** Enter the Backup vault name to which you want to back up this server and its databases.<br>
-
- ![Enter Backup vault name](./media/backup-azure-database-postgresql/enter-backup-vault-name.png)
+ ![Select role](./media/backup-azure-database-postgresql/select-role-and-enter-backup-vault-name.png)
### UserErrorBackupUserAuthFailed
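Review bot: in "Select **Add role assignments**", the button on the Access control (IAM) pane is labeled "Add role assignment" (singular); the removed wording "Add a role assignment" was closer to the UI. The two screenshot links were replaced by a single `select-role-and-enter-backup-vault-name.png`; confirm that file exists under `media/backup-azure-database-postgresql/` so the step does not ship with a broken image. The change itself (granting only **Reader** to the vault identity) is the right least-privilege scope and should stay.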
batch Batch Application Packages https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-application-packages.md
Title: Deploy application packages to compute nodes description: Use the application packages feature of Azure Batch to easily manage multiple applications and versions for installation on Batch compute nodes. Previously updated : 03/24/2021 Last updated : 04/13/2021 - H1Hack27Feb2017 - devx-track-csharp
CloudPool myCloudPool =
poolId: "myPool", targetDedicatedComputeNodes: 1, virtualMachineSize: "standard_d1_v2",
- cloudServiceConfiguration: new CloudServiceConfiguration(osFamily: "5"));
+ VirtualMachineConfiguration: new VirtualMachineConfiguration(
+ imageReference: new ImageReference(
+ publisher: "MicrosoftWindowsServer",
+ offer: "WindowsServer",
+ sku: "2019-datacenter-core",
+ version: "latest"),
+ nodeAgentSkuId: "batch.node.windows amd64");
// Specify the application and version to install on the compute nodes myCloudPool.ApplicationPackageReferences = new List<ApplicationPackageReference>
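Review bot: the named argument `VirtualMachineConfiguration:` will not compile; C# named arguments are case-sensitive and the `CreatePool` parameter is `virtualMachineConfiguration`. Change the line to `virtualMachineConfiguration: new VirtualMachineConfiguration(`. The `nodeAgentSkuId: "batch.node.windows amd64"` value and the `ImageReference` arguments are correct as written.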
batch Batch Automatic Scaling https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-automatic-scaling.md
Title: Automatically scale compute nodes in an Azure Batch pool description: Enable automatic scaling on a cloud pool to dynamically adjust the number of compute nodes in the pool. Previously updated : 11/23/2020 Last updated : 04/13/2021
The following example creates an autoscale-enabled pool in .NET. The pool's auto
CloudPool pool = myBatchClient.PoolOperations.CreatePool( poolId: "mypool", virtualMachineSize: "standard_d1_v2",
- cloudServiceConfiguration: new CloudServiceConfiguration(osFamily: "5"));
+ VirtualMachineConfiguration: new VirtualMachineConfiguration(
+ imageReference: new ImageReference(
+ publisher: "MicrosoftWindowsServer",
+ offer: "WindowsServer",
+ sku: "2019-datacenter-core",
+ version: "latest"),
+ nodeAgentSkuId: "batch.node.windows amd64");
pool.AutoScaleEnabled = true; pool.AutoScaleFormula = "$TargetDedicatedNodes = (time().weekday == 1 ? 5:1);"; pool.AutoScaleEvaluationInterval = TimeSpan.FromMinutes(30);
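Review bot: `VirtualMachineConfiguration:` must be `virtualMachineConfiguration:`; C# named arguments have to match the parameter name's casing, so the sample as written fails to compile. The same replacement was made in the other Batch pool-creation samples in this update and needs the same correction in each.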
batch Batch Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-diagnostics.md
Title: Metrics, alerts, and diagnostic logs description: Record and analyze diagnostic log events for Azure Batch account resources like pools and tasks. Previously updated : 03/25/2021 Last updated : 04/13/2021
Azure Batch service logs contain events emitted by the Batch service during the
```json {
- "poolId": "myPool1",
+ "id": "myPool1",
"displayName": "Production Pool",
- "vmSize": "Small",
+ "vmSize": "Standard_F1s",
+ "imageType": "VirtualMachineConfiguration",
"cloudServiceConfiguration": {
- "osFamily": "5",
+ "osFamily": "3",
"targetOsVersion": "*" }, "networkConfiguration": { "subnetId": " " },
+ "virtualMachineConfiguration": {
+ "imageReference": {
+ "publisher": " ",
+ "offer": " ",
+ "sku": " ",
+ "version": " "
+ },
+ "nodeAgentId": " "
+ },
"resizeTimeout": "300000",
- "targetDedicatedComputeNodes": 2,
+ "targetDedicatedNodes": 2,
+ "targetLowPriorityNodes": 2,
"taskSlotsPerNode": 1, "vmFillType": "Spread",
- "enableAutoscale": false,
+ "enableAutoScale": false,
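Review bot: the updated JSON contradicts itself: `imageType` is `VirtualMachineConfiguration` and a `virtualMachineConfiguration` block is added, yet `cloudServiceConfiguration` (now with `osFamily: "3"`) remains, and a pool has one of these configurations, never both. Either drop the `cloudServiceConfiguration` block or say that the log schema emits both objects with the unused one empty. The `" "` single-space placeholders in `imageReference` and `nodeAgentId` are also confusing in a sample; use `""` or plausible values such as the publisher/offer/sku shown in the other samples in this update.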
"enableInterNodeCommunication": false, "isAutoPool": false }
batch Batch Mpi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-mpi.md
Title: Use multi-instance tasks to run MPI applications description: Learn how to execute Message Passing Interface (MPI) applications using the multi-instance task type in Azure Batch. Previously updated : 03/25/2021 Last updated : 04/13/2021 # Use multi-instance tasks to run Message Passing Interface (MPI) applications in Batch
CloudPool myCloudPool =
poolId: "MultiInstanceSamplePool", targetDedicatedComputeNodes: 3 virtualMachineSize: "standard_d1_v2",
- cloudServiceConfiguration: new CloudServiceConfiguration(osFamily: "5"));
+ VirtualMachineConfiguration: new VirtualMachineConfiguration(
+ imageReference: new ImageReference(
+ publisher: "MicrosoftWindowsServer",
+ offer: "WindowsServer",
+ sku: "2019-datacenter-core",
+ version: "latest"),
+ nodeAgentSkuId: "batch.node.windows amd64");
// Multi-instance tasks require inter-node communication, and those nodes // must run only one task at a time.
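Review bot: same compile problem as the other converted `CreatePool` calls in this batch: `VirtualMachineConfiguration:` must be `virtualMachineConfiguration:` to match the parameter name (the removed line correctly used lowercase `cloudServiceConfiguration:`). If the missing comma after `targetDedicatedComputeNodes: 3` on the context line is not just a rendering artifact, fix it while the snippet is being touched.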
batch Batch Parallel Node Tasks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-parallel-node-tasks.md
Title: Run tasks concurrently to maximize usage of Batch compute nodes description: Increase efficiency and lower costs by using fewer compute nodes and running tasks in parallel on each node in an Azure Batch pool Previously updated : 03/25/2021 Last updated : 04/13/2021 # Run tasks concurrently to maximize usage of Batch compute nodes
CloudPool pool =
poolId: "mypool", targetDedicatedComputeNodes: 4 virtualMachineSize: "standard_d1_v2",
- cloudServiceConfiguration: new CloudServiceConfiguration(osFamily: "5"));
+ VirtualMachineConfiguration: new VirtualMachineConfiguration(
+ imageReference: new ImageReference(
+ publisher: "MicrosoftWindowsServer",
+ offer: "WindowsServer",
+ sku: "2019-datacenter-core",
+ version: "latest"),
+ nodeAgentSkuId: "batch.node.windows amd64");
pool.TaskSlotsPerNode = 4; pool.TaskSchedulingPolicy = new TaskSchedulingPolicy(ComputeNodeFillType.Pack);
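Review bot: `VirtualMachineConfiguration:` should be the lowercase named argument `virtualMachineConfiguration:`, as on the removed `cloudServiceConfiguration:` line, or the snippet will not build. Separately, this article is about running tasks concurrently, yet the sample keeps `standard_d1_v2` (a single-vCPU size) with `TaskSlotsPerNode = 4`; consider a multi-core size so the four slots map to real cores rather than oversubscribing the node.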
For more information on adding pools by using the REST API, see [Add a pool to a
"odata.metadata":"https://myaccount.myregion.batch.azure.com/$metadata#pools/@Element", "id":"mypool", "vmSize":"large",
- "cloudServiceConfiguration": {
- "osFamily":"4",
- "targetOSVersion":"*",
+ "virtualMachineConfiguration": {
+ "imageReference": {
+ "publisher": "canonical",
+ "offer": "ubuntuserver",
+ "sku": "18.04-lts"
+ },
+ "nodeAgentSKUId": "batch.node.ubuntu 16.04"
}, "targetDedicatedComputeNodes":2, "taskSlotsPerNode":4,
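Review bot: the added `imageReference` selects Ubuntu `18.04-lts`, but `nodeAgentSKUId` is `batch.node.ubuntu 16.04`; the node agent SKU has to match the image OS, so this should be `batch.node.ubuntu 18.04`. The unchanged `"vmSize":"large"` on the context line is a Cloud Services size and is not valid with `virtualMachineConfiguration`; use an ARM size such as `standard_d1_v2`, as the C# samples elsewhere in this batch do. Omitting `version` from `imageReference` is fine (it defaults to latest), but saying so in the surrounding text would help.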
batch Batch User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-user-accounts.md
Title: Run tasks under user accounts description: Learn the types of user accounts and how to configure them. Previously updated : 03/25/2021 Last updated : 04/13/2021 # Run tasks under user accounts in Batch
pool = batchClient.PoolOperations.CreatePool(
poolId: poolId, targetDedicatedComputeNodes: 3, virtualMachineSize: "standard_d1_v2",
- cloudServiceConfiguration: new CloudServiceConfiguration(osFamily: "5"));
+ VirtualMachineConfiguration: new VirtualMachineConfiguration(
+ imageReference: new ImageReference(
+ publisher: "MicrosoftWindowsServer",
+ offer: "WindowsServer",
+ sku: "2019-datacenter-core",
+ version: "latest"),
+ nodeAgentSkuId: "batch.node.windows amd64");
// Add named user accounts. pool.UserAccounts = new List<UserAccount>
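Review bot: `VirtualMachineConfiguration:` again needs to be the lowercase named argument `virtualMachineConfiguration:`; as written the C# sample does not compile, and the user-account lines that follow never get exercised.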
PoolAddParameter addParameter = new PoolAddParameter()
.withId(poolId) .withTargetDedicatedNodes(POOL_VM_COUNT) .withVmSize(POOL_VM_SIZE)
- .withCloudServiceConfiguration(configuration)
+ .withVirtualMachineConfiguration(configuration)
.withUserAccounts(userList); batchClient.poolOperations().createPool(addParameter); ```
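Review bot: `.withVirtualMachineConfiguration(configuration)` only swaps the setter; the `configuration` object it receives was presumably built as a `CloudServiceConfiguration` above the hunk and must now be a `VirtualMachineConfiguration` (with an `ImageReference` and `nodeAgentSKUId`), or the Java snippet will not type-check. Show that construction, or rename the variable to `vmConfiguration` so the change is visibly complete.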
batch Monitor Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/monitor-application-insights.md
Title: Monitor Batch with Azure Application Insights
description: Learn how to instrument an Azure Batch .NET application using the Azure Application Insights library. Previously updated : 03/25/2021 Last updated : 04/13/2021 # Monitor and debug an Azure Batch .NET application with Application Insights
CloudPool pool = client.PoolOperations.CreatePool(
topNWordsConfiguration.PoolId, targetDedicated: topNWordsConfiguration.PoolNodeCount, virtualMachineSize: "standard_d1_v2",
- cloudServiceConfiguration: new CloudServiceConfiguration(osFamily: "5"));
+ VirtualMachineConfiguration: new VirtualMachineConfiguration(
+ imageReference: new ImageReference(
+ publisher: "MicrosoftWindowsServer",
+ offer: "WindowsServer",
+ sku: "2019-datacenter-core",
+ version: "latest"),
+ nodeAgentSkuId: "batch.node.windows amd64");
... // Create a start task which will run a dummy exe in background that simply emits performance
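Review bot: `VirtualMachineConfiguration:` must be `virtualMachineConfiguration:` (lowercase) to match the parameter, same as the other converted `CreatePool` calls. The context line also still passes `targetDedicated:`, which is not the parameter name used in the other samples in this batch (`targetDedicatedComputeNodes:`); worth aligning while this call is being rewritten.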
cognitive-services FAQ https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/FAQ.md
-**Question**: *Can Computer Vision be used locally without an internet connection?*
-**Answer**: We currently do not offer an on-premises or local solution.
+**Question**: *Can I deploy the OCR (Read) capability on-premise?*
--
-**Question**: *Can Computer Vision be used to read license plates?*
-
-**Answer**: The Vision API offers good text-detection with OCR, but it is not currently optimized for license plates. We are constantly trying to improve our services and have added OCR for auto license plate recognition to our list of feature requests.
---
-**Question**: *What types of writing surfaces are supported for handwriting recognition?*
-
-**Answer**: The technology works with different kinds of surfaces, including whiteboards, white paper, and yellow sticky notes.
---
-**Question**: *How long does the handwriting recognition operation take?*
-
-**Answer**: The amount of time that it takes depends on the length of the text. For longer texts, it can take up to several seconds. Therefore, after the Recognize Handwritten Text operation completes, you may need to wait before you can retrieve the results using the Get Handwritten Text Operation Result operation.
---
-**Question**: *How does the handwriting recognition technology handle text that was inserted using a caret in the middle of a line?*
-
-**Answer**: Such text is returned as a separate line by the handwriting recognition operation.
+**Answer**: Yes, the OCR (Read) cloud API is also available as a Docker container for on-premise deployment. Learn [how to deploy the OCR containers](/computer-vision-how-to-install-containers).
-**Question**: *How does the handwriting recognition technology handle crossed-out words or lines?*
+**Question**: *Can Computer Vision be used to read license plates?*
-**Answer**: If the words are crossed out with multiple lines to render them unrecognizable, the handwriting recognition operation doesn't pick them up. However, if the words are crossed out using a single line, that crossing is treated as noise, and the words still get picked up by the handwriting recognition operation.
+**Answer**: The Vision API includes the deep learning powered OCR capabilities with the latest Read feature. We are constantly trying to improve our services to work across all scenarios.
-**Question**: *What text orientations are supported for the handwriting recognition technology?*
-
-**Answer**: Text oriented at angles of up to around 30 degrees to 40 degrees may get picked up by the handwriting recognition operation.
--
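Review bot: the link target `/computer-vision-how-to-install-containers` in the new OCR answer is a site-root path that will not resolve; the same article is linked elsewhere in this batch as `./computer-vision-how-to-install-containers.md`, so use the relative `.md` path. The removed and added Q&A pairs are also interleaved (the license-plate question is re-added between the question and answer of the OCR entry), which makes the final ordering hard to verify from the diff; and `on-premise` should be `on-premises`.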
cognitive-services Upgrade Api Versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/upgrade-api-versions.md
# Upgrade from Read v2.x to Read v3.x
-This guide shows how to upgrade your existing container or cloud API code from Read v2.x to Read v3.0 and v3.1 preview.
+This guide shows how to upgrade your existing container or cloud API code from Read v2.x to Read v3.x.
## Determine your API path Use the following table to determine the **version string** in the API path based on the Read 3.x version you are migrating to.
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/whats-new.md
Learn what's new in the service. These items may be release notes, videos, blog
### Computer Vision v3.2 GA The Computer Vision API v3.2 is now generally available with the following updates:
-* Improved image tagging model: analyzes visual content and generates relevant tags based on objects, actions and content displayed in the image. This is available through the [Tag Image API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2-preview-3/operations/56f91f2e778daf14a499f200). See the Image Analysis [how-to guide](https://docs.microsoft.com/azure/cognitive-services/computer-vision/vision-api-how-to-topics/howtocallvisionapi) and [overview](https://docs.microsoft.com/azure/cognitive-services/computer-vision/overview-image-analysis) to learn more.
-* Updated content moderation model: detects presence of adult content and provides flags to filter images containing adult, racy and gory visual content. This is available through the [Analyze API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2-preview-3/operations/56f91f2e778daf14a499f21b). See the Image Analysis [how-to guide](https://docs.microsoft.com/azure/cognitive-services/computer-vision/vision-api-how-to-topics/howtocallvisionapi) and [overview](https://docs.microsoft.com/azure/cognitive-services/computer-vision/overview-image-analysis) to learn more.
+* Improved image tagging model: analyzes visual content and generates relevant tags based on objects, actions and content displayed in the image. This is available through the [Tag Image API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f200). See the Image Analysis [how-to guide](https://docs.microsoft.com/azure/cognitive-services/computer-vision/vision-api-how-to-topics/howtocallvisionapi) and [overview](https://docs.microsoft.com/azure/cognitive-services/computer-vision/overview-image-analysis) to learn more.
+* Updated content moderation model: detects presence of adult content and provides flags to filter images containing adult, racy and gory visual content. This is available through the [Analyze API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b). See the Image Analysis [how-to guide](https://docs.microsoft.com/azure/cognitive-services/computer-vision/vision-api-how-to-topics/howtocallvisionapi) and [overview](https://docs.microsoft.com/azure/cognitive-services/computer-vision/overview-image-analysis) to learn more.
* [OCR (Read) available for 73 languages](./language-support.md#optical-character-recognition-ocr) including Simplified and Traditional Chinese, Japanese, Korean, and Latin languages. * [OCR (Read)](./overview-ocr.md) also available as a [Distroless container](./computer-vision-how-to-install-containers.md?tabs=version-3-2) for on-premise deployment.
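Review bot: the updated API reference links still point at the region-specific `westus.dev.cognitive.microsoft.com` host, and the how-to/overview links use absolute `https://docs.microsoft.com/...` URLs, while the OCR bullets in the same list use relative links such as `./language-support.md`; prefer relative links so they follow the docs locale and environment, and the `v3-2-preview-3` to `v3-2` path change is the only substantive edit here.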
cognitive-services Speech Container Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-container-faq.md
auto result = synthesizer->SpeakTextAsync("{{{text2}}}").get();
<br> </details>
-<details>
-<summary>
-<b>How can I use v1.7 of the Speech SDK with a Speech container?</b>
-</summary>
-
-**Answer:** There are three endpoints on the Speech container for different usages, they're defined as Speech modes - see below:
-
-## Speech modes
--
-They are for different purposes and are used differently.
-
-Python [samples](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/python/console/speech_sample.py):
-- For single recognition (interactive mode) with a custom endpoint (that is; `SpeechConfig` with an endpoint parameter), see `speech_recognize_once_from_file_with_custom_endpoint_parameters()`.-- For continuous recognition (conversation mode), and just modify to use a custom endpoint as above, see `speech_recognize_continuous_from_file()`.-- To enable dictation in samples like above (only if you really need it), right after you create `speech_config`, add code `speech_config.enable_dictation()`.-
-In C# to enable dictation, invoke the `SpeechConfig.EnableDictation()` function.
-
-### `FromEndpoint` APIs
-| Language | API details |
-|-|:|
-| C++ | <a href="https://docs.microsoft.com/cpp/cognitive-services/speech/speechconfig#fromendpoint" target="_blank">`SpeechConfig::FromEndpoint` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| C# | <a href="https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.speechconfig.fromendpoint" target="_blank">`SpeechConfig.FromEndpoint` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| Java | <a href="https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.speechconfig.fromendpoint" target="_blank">`SpeechConfig.fromendpoint` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| Objective-C | <a href="https://docs.microsoft.com/objectivec/cognitive-services/speech/spxspeechconfiguration#initwithendpoint" target="_blank">`SPXSpeechConfiguration:initWithEndpoint;` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| Python | <a href="https://docs.microsoft.com/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.speechconfig" target="_blank">`SpeechConfig;` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| JavaScript | Not currently supported, nor is it planned. |
-
-<br>
-</details>
-
-<details>
-<summary>
-<b>How can I use v1.8 of the Speech SDK with a Speech container?</b>
-</summary>
-
-**Answer:** There's a new `FromHost` API. This does not replace or modify any existing APIs. It just adds an alternative way to create a speech config using a custom host.
-
-### `FromHost` APIs
-
-| Language | API details |
-|--|:-|
-| C# | <a href="https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.speechconfig.fromhost" target="_blank">`SpeechConfig.FromHost` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| C++ | <a href="https://docs.microsoft.com/cpp/cognitive-services/speech/speechconfig#fromhost" target="_blank">`SpeechConfig::FromHost` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| Java | <a href="https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.speechconfig.fromhost" target="_blank">`SpeechConfig.fromHost` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| Objective-C | <a href="https://docs.microsoft.com/objectivec/cognitive-services/speech/spxspeechconfiguration#initwithhost" target="_blank">`SPXSpeechConfiguration:initWithHost;` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| Python | <a href="https://docs.microsoft.com/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.speechconfig" target="_blank">`SpeechConfig;` <span class="docon docon-navigate-external x-hidden-focus"></span></a> |
-| JavaScript | Not currently supported |
-
-> Parameters: host (mandatory), subscription key (optional, if you can use the service without it).
-
-Format for host is `protocol://hostname:port` where `:port` is optional (see below):
-- If the container is running locally, the hostname is `localhost`.-- If the container is running on a remote server, use the hostname or IPv4 address of that server.-
-Host parameter examples for speech-to-text:
-- `ws://localhost:5000` - non-secure connection to a local container using port 5000-- `ws://some.host.com:5000` - non-secure connection to a container running on a remote server-
-Python samples from above, but use `host` parameter instead of `endpoint`:
-
-```python
-speech_config = speechsdk.SpeechConfig(host="ws://localhost:5000")
-```
-
-<br>
-</details>
- ## Next steps > [!div class="nextstepaction"]
-> [Cognitive Services containers](speech-container-howto.md)
+> [Cognitive Services containers](speech-container-howto.md)
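Review bot: deleting the v1.7 and v1.8 FAQ entries removes this page's only description of the `FromHost` host format (`protocol://hostname:port`, for example `ws://localhost:5000`) and of `enable_dictation()` / `EnableDictation()`; confirm speech-container-howto.md covers them, or add a pointer, so readers of the container FAQ do not lose that guidance. The final `-`/`+` pair on the Next steps link differs only in whitespace and can be dropped from the change.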
cognitive-services Speech Container Howto https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-container-howto.md
Speech containers enable customers to build a speech application architecture th
| Container | Features | Latest | |--|--|--|
-| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 2.10.0 |
-| Custom Speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 2.10.0 |
-| Text-to-speech | Converts text to natural-sounding speech with plain text input or Speech Synthesis Markup Language (SSML). | 1.12.0 |
-| Custom Text-to-speech | Using a custom model from the [Custom Voice portal](https://aka.ms/custom-voice-portal), converts text to natural-sounding speech with plain text input or Speech Synthesis Markup Language (SSML). | 1.12.0 |
+| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 2.11.0 |
+| Custom Speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 2.11.0 |
+| Text-to-speech | Converts text to natural-sounding speech with plain text input or Speech Synthesis Markup Language (SSML). | 1.13.0 |
+| Custom Text-to-speech | Using a custom model from the [Custom Voice portal](https://aka.ms/custom-voice-portal), converts text to natural-sounding speech with plain text input or Speech Synthesis Markup Language (SSML). | 1.13.0 |
| Speech Language Detection | Detect the language spoken in audio files. | 1.0 |
-| Neural Text-to-speech | Converts text to natural-sounding speech using deep neural network technology, allowing for more natural synthesized speech. | 1.4.0 |
+| Neural Text-to-speech | Converts text to natural-sounding speech using deep neural network technology, allowing for more natural synthesized speech. | 1.5.0 |
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
cognitive-services Character Counts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/character-counts.md
The number of requests, words, bytes, or sentences is irrelevant in the characte
Calls to the Detect and BreakSentence methods are not counted in the character consumption. However, we do expect that the calls to the Detect and BreakSentence methods are in a reasonable proportion to the use of other functions that are counted. If the number of Detect or BreakSentence calls you make exceeds the number of other counted methods by 100 times, Microsoft reserves the right to restrict your use of the Detect and BreakSentence methods.
+Every character submitted to the translate function is counted even when the content is not changed or when the source and target language are the same.
+ More information about character counts is in the [Translator FAQ](https://www.microsoft.com/en-us/translator/faq.aspx).
cognitive-services V3 0 Translate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/reference/v3-0-translate.md
Request parameters passed on the query string are:
</tr> <tr> <td>textType</td>
- <td><em>Optional parameter</em>.<br/>Defines whether the text being translated is plain text or HTML text. Any HTML needs to be a well-formed, complete element. Possible values are: <code>plain</code> (default) or <code>html</code>.</td>
+ <td><em>Optional parameter</em>.<br/>Defines whether the text being translated is plain text or HTML text. Any HTML needs to be a well-formed, complete element. When translating HTML text, the output text has the following special characters in escaped form: ΓÇÿ&ΓÇÖ, ΓÇÿ<ΓÇÖ, and ΓÇÿ>ΓÇÖ. This is irrespective of whether the input HTML text has the characters escaped. Possible values are: <code>plain</code> (default) or <code>html</code>.</td>
</tr> <tr> <td>category</td>
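Review bot: the quote characters around `&`, `<` and `>` in the new sentence have been committed as mojibake (`ΓÇÿ` / `ΓÇÖ`, the OEM-codepage rendering of UTF-8 curly quotes), so readers will see garbage; wrap each character in `<code>` like the rest of the cell, or use plain ASCII quotes. Documenting that these three characters are always escaped in `html` output is useful (callers should not escape them a second time), so `This is irrespective of whether` is better stated as `This happens regardless of whether`.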
The result is:
] ```
-This feature works the same way with `textType=text` or with `textType=html`. The feature should be used sparingly. The appropriate and far better way of customizing translation is by using Custom Translator. Custom Translator makes full use of context and statistical probabilities. If you have or can afford to create training data that shows your work or phrase in context, you get much better results. [Learn more about Custom Translator](../customization.md).
+This feature works the same way with `textType=text` or with `textType=html`. The feature should be used sparingly. The appropriate and far better way of customizing translation is by using Custom Translator. Custom Translator makes full use of context and statistical probabilities. If you have or can afford to create training data that shows your work or phrase in context, you get much better results. [Learn more about Custom Translator](../customization.md).
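Review bot: the `-`/`+` pair is identical in visible text, so this hunk is whitespace-only; if the line is being touched anyway, `shows your work or phrase in context` is most likely meant to read `shows your word or phrase in context`.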
cognitive-services Container Image Tags https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/containers/container-image-tags.md
Previously updated : 03/25/2020 Last updated : 04/12/2021
This container image has the following tags available. You can also find a full
# [Latest version](#tab/current)
-Release notes for `3.2-preview.2`:
-* Distroless release
-* ReadingOrder parameter to choose between text line order in JSON response
-* Enhanced logging
-* Hotfixes to CJK model
+Release notes for `3.2`:
+
+* Read OCR container is now generally available.
| Image Tags | Notes | |-|:|
-|3.2.2.014850001-49e0eac6-amd64-preview | |
+| `3.2` | |
# [Previous versions](#tab/previous) +
+Release notes for `3.2-preview.2`:
+
+* Distroless release
+* ReadingOrder parameter to choose between text line order in JSON response
+* Enhanced logging
+* Hotfixes to CJK model
+*
Release notes for `v2.0.013250001-amd64-preview`: * Further decrease memory usage for container.
Release notes for `1.1.013050001-amd64-preview`
| Image Tags | Notes | |-|:|
+| `3.2.2.014850001-49e0eac6-amd64-preview` | |
| `2.0.013250001-amd64-preview` | | | `1.1.013050001-amd64-preview` | | | `1.1.011580001-amd64-preview` | |
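Review bot: the stray `*` at the end of the moved `3.2-preview.2` release notes is an empty bullet and should be removed, and `# [Previous versions](#tab/previous) +` looks like the tab heading fused with a blank added line. Since the GA `3.2` tag is the one readers will pin in production, consider adding a digest column to this table as the speech tables below already have, so deployments can pin by content rather than by mutable tag.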
The [Custom Speech-to-text][sp-cstt] container image can be found on the `mcr.mi
# [Latest version](#tab/current)
-Release note for `2.10.0-amd64`:
+Release note for `2.11.0-amd64`:
-**Feature**
-* Upgrade to latest models.
+**Fixes**
+* Keep user's inputs case-sensitive.
-Note that due to the included phrase lists, the size of this container image has increased.
+Note that due to the phrase lists feature, the size of this container image has increased.
| Image Tags | Notes | Digest | |-|:|:-|
-| `latest` | | `sha256:944f051e3b90aa8eb8a37a4d4a18d4e13dbb49f9fe6d5ced61a0f99b3b3e312c`|
-| `2.10.0-amd64` | | `sha256:944f051e3b90aa8eb8a37a4d4a18d4e13dbb49f9fe6d5ced61a0f99b3b3e312c`|
+| `latest` | | `sha256:bbf23ded55bf61421f673bffa7d97aca5724f782328a80efe43020c9979cd069`|
+| `2.11.0-amd64` | | `sha256:bbf23ded55bf61421f673bffa7d97aca5724f782328a80efe43020c9979cd069`|
# [Previous version](#tab/previous)
+Release note for `2.10.0-amd64`:
+
+Regular monthly release
+ Release note for `2.9.0-amd64`: **Feature**
Release note for `2.5.0-amd64`:
| Image Tags | Notes | |-|:--|
+| `2.10.0-amd64` | |
| `2.9.0-amd64` | | | `2.7.0-amd64` | | | `2.6.0-amd64` | |
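Review bot: moving `2.10.0-amd64` to Previous version replaced its release note (`**Feature**` / `Upgrade to latest models.`) with `Regular monthly release`, so the history no longer records what changed in 2.10.0; carry the original note across. `latest` and `2.11.0-amd64` sharing one digest is correct and is what lets users pin by digest instead of trusting the floating `latest` tag.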
The [Custom Text-to-speech][sp-ctts] container image can be found on the `mcr.mi
# [Latest version](#tab/current)
-Release note for `1.12.0-amd64`:
+Release note for `1.13.0-amd64`:
-**Feature**
-* Upgrade to latest models.
+**Fixes**
+* Keep user's inputs case-sensitive.
| Image Tags | Notes | Digest | |-|:|:-|
-| `latest` | | `sha256:82806245b8ccce808523c4276d8f447c8429db8b04ff26bdbc4d36ba6a704db4` |
-| `1.12.0-amd64` | | `sha256:82806245b8ccce808523c4276d8f447c8429db8b04ff26bdbc4d36ba6a704db4` |
+| `latest` | | `sha256:390ff9e4981c798058058e7825cd1e6d173d9d54d66d8fdc450d157cf393aaec` |
+| `1.13.0-amd64` | | `sha256:390ff9e4981c798058058e7825cd1e6d173d9d54d66d8fdc450d157cf393aaec` |
# [Previous version](#tab/previous)
+Release note for `1.12.0-amd64`:
+
+Regular monthly release
+ Release note for `1.11.0-amd64`: **Feature**
Release note for `1.7.0-amd64`:
| Image Tags | Notes | |-|:--|
+| `1.12.0-amd64` | |
| `1.11.0-amd64` | | | `1.9.0-amd64` | | | `1.8.0-amd64` | |
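Review bot: same loss as in the speech-to-text section: the `1.12.0-amd64` note becomes `Regular monthly release` while the removed text said `Upgrade to latest models.`; keep the original wording so the Previous version history stays accurate.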
Since Speech-to-text v2.5.0, images are supported in the *US Government Virginia
# [Latest version](#tab/current)
-Release note for `2.10.0-amd64-<locale>`:
+Release note for `2.11.0-amd64-<locale>`:
**Feature** * Upgrade to latest models.
-Note that due to the included phrase lists, the size of this container image has increased.
+**Fixes**
+* Keep user's inputs case-sensitive.
+
+Note that due to the phrase lists feature, the size of this container image has increased.
| Image Tags | Notes | |-|:--| | `latest` | Container image with the `en-US` locale. |
-| `2.10.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.10.0-amd64-en-us`.|
+| `2.11.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.11.0-amd64-en-us`.|
+
+This container has the following locales available.
+
+| Locale for v2.11.0 | Notes | Digest |
+|--|:--|:--|
+| `ar-ae` | Container image with the `ar-AE` locale. | `sha256:32c26ed8370d1f30098811fda382e68aceccabc671570365f15ead37c3d84304` |
+| `ar-bh` | Container image with the `ar-BH` locale. | `sha256:a6af48cdaf9f7562bfaced449016106dbde5c678fdd4c69985d166959a38b146` |
+| `ar-eg` | Container image with the `ar-EG` locale. | `sha256:43cec166dcde9dc7cd535228440d11d396518fcfb14d9fa617e6e26f5156dc84` |
+| `ar-iq` | Container image with the `ar-IQ` locale. | `sha256:b55095b27e8eef60dfe9657735a425b9ca1fe3c29ce4ff1f3d67bf7b2ac77bb1` |
+| `ar-jo` | Container image with the `ar-JO` locale. | `sha256:7cc4ad997a76844414a982982251653525f27dc396db44f23b7f012d20f53677` |
+| `ar-kw` | Container image with the `ar-KW` locale. | `sha256:32c26ed8370d1f30098811fda382e68aceccabc671570365f15ead37c3d84304` |
+| `ar-lb` | Container image with the `ar-LB` locale. | `sha256:5d3b402f41f616ee792a5e7e3f41b4ec5638dc8ad60a3c133ec588e07b09d581` |
+| `ar-om` | Container image with the `ar-OM` locale. | `sha256:c4f88fdaec73ebe241d6c94695b20eb2c792a9fd77dbb51f24fc7807dfd0dc61` |
+| `ar-qa` | Container image with the `ar-QA` locale. | `sha256:32c26ed8370d1f30098811fda382e68aceccabc671570365f15ead37c3d84304` |
+| `ar-sa` | Container image with the `ar-SA` locale. | `sha256:32c26ed8370d1f30098811fda382e68aceccabc671570365f15ead37c3d84304` |
+| `ar-sy` | Container image with the `ar-SY` locale. | `sha256:a42b6f63a16313f280088bd47978e177bc2f1bf2d392a070cf5c6a06d9f7a62c` |
+| `bg-bg` | Container image with the `bg-BG` locale. | `sha256:21425557e62d71326e9eb614c535878f981a914bf66d9dd883221656ca891858` |
+| `ca-es` | Container image with the `ca-ES` locale. | `sha256:682e8a8ad5f2582f25a18b0518f9fba9b3849b72eb5dab5454586724272c52de` |
+| `cs-cz` | Container image with the `cs-CZ` locale. | `sha256:1d0661ae5920f82e607c72ae7d6eee917c190d80c3d13403d770947c67a4294e` |
+| `da-dk` | Container image with the `da-DK` locale. | `sha256:8d5257d6c326e4d96ba395faa0c717f48c4d437866f8dc1e1252c5e983b3008f` |
+| `de-de` | Container image with the `de-DE` locale. | `sha256:086a4e33f746868fc1865322f1d7dfb5c1c3af64bdbd369804155f18710ad96e` |
+| `el-gr` | Container image with the `el-GR` locale. | `sha256:0e2c7d5337f953d45fc7594317e6eab5eecec44a1c15fba51a128fc510519c3f` |
+| `en-au` | Container image with the `en-AU` locale. | `sha256:dcfe3fc95b895d0205a7b72368595e98dfdcb4b6398522e7daa2fbbe2b087ef6` |
+| `en-ca` | Container image with the `en-CA` locale. | `sha256:f04cedb6b50560f0584cb3634cbfee5e9c147d60fc044cbd0df10fc28f04ed98` |
+| `en-gb` | Container image with the `en-GB` locale. | `sha256:9692c45c6b5b8716f99852a2ddf4b7fd1e2c00ea29f9a20da68e899cf3064fa1` |
+| `en-hk` | Container image with the `en-HK` locale. | `sha256:97106aa991b4ef5b0f1859ae7a7df3c6e22dd009123281a7458d336a78ebd854` |
+| `en-ie` | Container image with the `en-IE` locale. | `sha256:da2bc14cd86f200a439b3ce708c6643d507d482daabae87c351bee4c10efa60b` |
+| `en-in` | Container image with the `en-IN` locale. | `sha256:f8fc43e5d20afe8108b6f35c3e09d403557f150413672d45322421be1fddff20` |
+| `en-nz` | Container image with the `en-NZ` locale. | `sha256:abb8ca669c806a71af88d3643694252e1833ca99aacbd739a3962ec00c3cdb61` |
+| `en-ph` | Container image with the `en-PH` locale. | `sha256:13bc7717dd73f4323956a3f7441b24dd2f86c13d41adc709e3f6f26266cacd91` |
+| `en-sg` | Container image with the `en-SG` locale. | `sha256:b7f44d7cf4bbe4d89729207a38e91726c321ea03a66c5e5624b27ae9913fdafa` |
+| `en-us` | Container image with the `en-US` locale. | `sha256:d81ee15821646607aec9fa46223c9197f74675a89070912ca892ad5adfcab6f9` |
+| `en-za` | Container image with the `en-ZA` locale. | `sha256:2e2f9102c9f6fba0736fb01d745d35b677bf92750eed5cad245ee089998f66f2` |
+| `es-ar` | Container image with the `es-AR` locale. | `sha256:dd962ec3f32b8fdeb15f7ab18ea9d19e7c93baf4c801fac59d44f5cf845e9935` |
+| `es-bo` | Container image with the `es-BO` locale. | `sha256:f89c0e513f43800e1d19177384b815c1a04f5b07ccba8fd9c80aa5ebf5c71648` |
+| `es-cl` | Container image with the `es-CL` locale. | `sha256:3ebc64dceb1b7fbef716de3736a020b23e8fb4e9aceb183524863681e0b278fe` |
+| `es-co` | Container image with the `es-CO` locale. | `sha256:ba05465c312acf6b9a1a1866c81c795027470e8bda8389dd0fcb641c9f1af592` |
+| `es-cr` | Container image with the `es-CR` locale. | `sha256:51d49d90f600ae971019974a6a38c71b3bf01a84301ee6e8604c3f424bc6773f` |
+| `es-cu` | Container image with the `es-CU` locale. | `sha256:a19f0ab805d0268c06a0e83aad2dcab458638e8c2f7869f5b2315695ae2ea4d8` |
+| `es-do` | Container image with the `es-DO` locale. | `sha256:a9539f091ec3feef34511ce9d337436151980eda69c7f8c8f2493e8d1be81e66` |
+| `es-ec` | Container image with the `es-EC` locale. | `sha256:a0f5c19a683b92566747db79e30ac7ad09cde07bcb15451166b5257d036a86bc` |
+| `es-es` | Container image with the `es-ES` locale. | `sha256:2aa5e82c726a8771c706a2de38bed09ca9c8298bb166c49fa227b8966011efa4` |
+| `es-gt` | Container image with the `es-GT` locale. | `sha256:60361c1a305d0fef3deb0e4886c4044aebcf41878a748bc0615b94fcf9489cf9` |
+| `es-hn` | Container image with the `es-HN` locale. | `sha256:d628b894966988880bb11f1ec1380702077bd45c2a83b912ae3e7451d8fd90cb` |
+| `es-mx` | Container image with the `es-MX` locale. | `sha256:2bd901c320237e041ecca1ea34c359cf847cf8dacecfcb0e1ed8fd1794463fe5` |
+| `es-ni` | Container image with the `es-NI` locale. | `sha256:099d21e5e5816d5d7e0965cda5878bfe78f5447e4994957dcc45ae40223b14b1` |
+| `es-pa` | Container image with the `es-PA` locale. | `sha256:af6c258b7e984ee17d32b9dfc49969cfc1d7ee33aa2485017fab191d8d574e92` |
+| `es-pe` | Container image with the `es-PE` locale. | `sha256:7d0e03c7f44f61b4632b730c2cf8e3d7c584a869bb5d53b9e5021549d1d500a8` |
+| `es-pr` | Container image with the `es-PR` locale. | `sha256:ad580c1ac73d919434387869803d9fabec24e19afd6b4cc5aa7e809fb93dc908` |
+| `es-py` | Container image with the `es-PY` locale. | `sha256:2e85df2af0003c0a41752c6e989ed8b724a22958e7ed3cbf67e54ca621bb5975` |
+| `es-sv` | Container image with the `es-SV` locale. | `sha256:bae49ae543878096c1dd0c77a8f83a30ba1416605efa58dad59ca3577f7006ea` |
+| `es-us` | Container image with the `es-US` locale. | `sha256:fd9deebe4e5a4466af439a8e40a1a39261a7b0228a4ed979b8086e1c65c60e26` |
+| `es-uy` | Container image with the `es-UY` locale. | `sha256:0e69fc4689dafad97e00bed7c4eb7ca44b94e3a3d9357d6d36bed8135963e9e4` |
+| `es-ve` | Container image with the `es-VE` locale. | `sha256:37ebac38fac4306668858140736d83e008ae0756f8e1fe5ed6386780bc9796ba` |
+| `et-ee` | Container image with the `et-EE` locale. | `sha256:223d494cf64cdceaabe6e9bae82d378d7ea53eb8c01d58bdbd2e1ed360aaa34b` |
+| `fi-fi` | Container image with the `fi-FI` locale. | `sha256:378e5735198e38d6bed8c87a59ed69f8c3bd57ac8a462332d74dd8495cb07ed2` |
+| `fr-ca` | Container image with the `fr-CA` locale. | `sha256:d92f672c2a61a67db43d9884bc2692c304b3c2c5446bed2d315892876270366b` |
+| `fr-fr` | Container image with the `fr-FR` locale. | `sha256:11dc172c7ae91b6cba7fb4ab1a61e48b27b193bf434a68827eb197c0ba05d6fb` |
+| `ga-ie` | Container image with the `ga-IE` locale. | `sha256:3057eaaf8e0403690c0223c0db3a392b05f2ec45e53511327b8447912e32b8b4` |
+| `gu-in` | Container image with the `gu-IN` locale. | `sha256:37062edf6805dce30309e4615c2947dded730b5b5be7e3bcd85bb93e38b08f31` |
+| `hi-in` | Container image with the `hi-IN` locale. | `sha256:9f1bf1901a6b0e2caf4c9ff30e0b6bb3f1f4f814ad86fc62a471d4fe1fe4c101` |
+| `hr-hr` | Container image with the `hr-HR` locale. | `sha256:095b40ad1afeebd932c299410a4732fd64da2251230aa044ca2c43b4d0bb6791` |
+| `hu-hu` | Container image with the `hu-HU` locale. | `sha256:60e9257735cee7dc6cde1b5725588b1c1ea84f852220f1f4f3e873177a24fc5c` |
+| `it-it` | Container image with the `it-IT` locale. | `sha256:71c5e3a9196155678a6ad9cd62b812386579521ac410b40e3526dee153d749e1` |
+| `ja-jp` | Container image with the `ja-JP` locale. | `sha256:fce7d215575d2a94cdb4818bb1525f6448f5f881fc3e7f04274c64978bd6aaa7` |
+| `ko-kr` | Container image with the `ko-KR` locale. | `sha256:d71d8e1e3692bb0781e98b984dea79950a8009a6fa03e729325c338ca5c09a98` |
+| `lt-lt` | Container image with the `lt-LT` locale. | `sha256:dc2e35e158c09fd793b180050a0100df4a3716da4d0a7a528dc3ea65b6ecf21b` |
+| `lv-lv` | Container image with the `lv-LV` locale. | `sha256:e6ab373eb9477d90d44175fffb646298d403405633e0a61ccf20f9e7381243b8` |
+| `mr-in` | Container image with the `mr-IN` locale. | `sha256:0ce15c2d14bba49639adea30c91df1ac47e7b2a7796be551276bad8ec8312ed4` |
+| `mt-mt` | Container image with the `mt-MT` locale. | `sha256:bbe958ff9c7c51efc6521866173b26ac2cfe682d114ce3ed6b1f6b8e9b3a7327` |
+| `nb-no` | Container image with the `nb-NO` locale. | `sha256:4e4d890605e09717ef88982f586611c605342465a8ef81f2280f665ad1378522` |
+| `nl-nl` | Container image with the `nl-NL` locale. | `sha256:60bd2d1f817019e6626876b15f5697be07c3b2b368e4cc7e3c3871c3e9181052` |
+| `pl-pl` | Container image with the `pl-PL` locale. | `sha256:c8520e7155ef176fb9fea48c541acae995a6a80ba6913ac4289786ee55062ce6` |
+| `pt-br` | Container image with the `pt-BR` locale. | `sha256:c8440308a5cb77791f33ae458c49abc084a1be8c418df9feeda9a4aa917a59bc` |
+| `pt-pt` | Container image with the `pt-PT` locale. | `sha256:a66739b36a410c181ccd2205c59fee2726b3905d1c5ba4531909be96cf85a55c` |
+| `ro-ro` | Container image with the `ro-RO` locale. | `sha256:c4ba7ff5c11d4243a3e128aca1f8110e62df82d956706c97c237016a94cb485f` |
+| `ru-ru` | Container image with the `ru-RU` locale. | `sha256:c3fc4117598c0dcea0fd5e6f19adf7763e42732e32e3ac93ff74795fdc167e67` |
+| `sk-sk` | Container image with the `sk-SK` locale. | `sha256:78bcfa610f645c113134cc24c8af8dd3c630065c1b009fb5e36dfab4999c16fb` |
+| `sl-si` | Container image with the `sl-SI` locale. | `sha256:134eb68c900787bae3a98a2bdf192f2a5460fb96b92590d65765d982245a7ccf` |
+| `sv-se` | Container image with the `sv-SE` locale. | `sha256:d194aaefe82a5f91df9e01beec271ad9565c4d36cb0539421e947b5c8e67228d` |
+| `ta-in` | Container image with the `ta-IN` locale. | `sha256:cf272b112b10587c034f00f7df2bfcdefbf542859fa089c15581040db99ed383` |
+| `te-in` | Container image with the `te-IN` locale. | `sha256:7364a1068f9940e9bb6ea5476b0a007a37d42b899dc4ba56be833e4d2b8d359d` |
+| `th-th` | Container image with the `th-TH` locale. | `sha256:21ce33714fa37bfede60560a7a24c17c88566c767b76c58c877a48c51811c9ac` |
+| `tr-tr` | Container image with the `tr-TR` locale. | `sha256:b97035a4f0334f890ff3630a2de249b72a879de3c7d4fcc849c3d76aa97f4d2e` |
+| `zh-cn` | Container image with the `zh-CN` locale. | `sha256:ae4a89a26768c978d91ed797e9ecb8035fdb61f12c1b1124c86939c79ddcb38e` |
+| `zh-hk` | Container image with the `zh-HK` locale. | `sha256:41bc980abe79cd69034a8ade2be203478b531a00f5e74b1f7b8f9c5267700261` |
+| `zh-tw` | Container image with the `zh-TW` locale. | `sha256:51a50a7fcd5a9db6422235a2df0e8fba360efcd3cefee9abe44ab2cdce62088f` |
++
+# [Previous version](#tab/previous)
+
+Release note for `2.10.0-amd64-<locale>`:
+
+**Feature**
+* Upgrade to latest models.
+
+Release note for `2.9.0-amd64-<locale>`:
+
+**Feature**
+* More error details for issues when fetching custom models by ID.
+* Hypothesis is supported in conversation results by default.
+
+Release note for `2.7.0-amd64-<locale>`:
+
+**Features**
+* Support for the following new locales:
+ * ar-bh, ar-iq, ar-jo, ar-lb, ar-om, ar-sy
+ * bg-bg
+ * el-gr
+ * en-hk, en-ie, en-ph, en-sg, en-za
+ * es-ar, es-bo, es-cl, es-co, es-cr, es-cu, es-do, es-ec, es-gt, es-pa, es-pe, es-pr, es-py, es-sv, es-us, es-uy, es-ve
+ * et-ee
+ * ga-ie
+ * hr-hr
+ * hu-hu
+ * lt-lt
+ * lv-lv
+ * mt-mt
+ * ro-ro
+ * sk-sk
+ * sl-sl
+* Punctuation is enabled by default.
+
+Note that due to the included phrase lists, the size of this container image has increased.
+
+Release note for `2.6.0-amd64-<locale>`:
+
+**Features**
+* Upgraded to latest models and fully migrated to .NET 3.1
+* Support for phraselist v2
+* Phrase lists are supported in the following locales:
+ * en-au
+ * en-ca
+ * en-gb
+ * en-in
+ * en-us
+ * zh-cn
+* Support for new locale `cs-CZ`
+ * Capitalization and punctuation are currently not supported.
+
+**Fixes**
+* Fixes an issue where confidence scores were always 1 in Diarization mode
+* Migrated use the TextAnalytics 3.0 API
+
+Note that due to the included phrase lists, the size of this container image has increased.
+
+Release note for `2.5.0-amd64-<locale>`:
+
+**Features**
+* Support for Azure US Government Cloud
+
+**Fixes**
+* Fixes an issue with running as a non-root user in Diarization mode
+
+| Image Tags | Notes |
+|--|:--|
+| `2.10.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.10.0-amd64-en-us`.|
+| `2.9.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.9.0-amd64-en-us`. |
+| `2.7.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.7.0-amd64-en-us`. |
+| `2.6.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.6.0-amd64-en-us`. |
+| `2.5.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.5.0-amd64-en-us`. |
+ This container has the following locales available.
This container has the following locales available.
| `zh-hk` | Container image with the `zh-HK` locale. | `sha256:372e1c256520e9ee84c4c400eae935c1d6b1d59adb2be4c4dbc56439db069ba0` | | `zh-tw` | Container image with the `zh-TW` locale. | `sha256:8406a3be34530c7d654d1dfa1c593dd51b8946b480fe80a100e599e86385dc2b` | -
-# [Previous version](#tab/previous)
-
-Release note for `2.9.0-amd64-<locale>`:
-
-**Feature**
-* More error details for issues when fetching custom models by ID.
-* Hypothesis is supported in conversation results by default.
-
-Release note for `2.7.0-amd64-<locale>`:
-
-**Features**
-* Support for the following new locales:
- * ar-bh, ar-iq, ar-jo, ar-lb, ar-om, ar-sy
- * bg-bg
- * el-gr
- * en-hk, en-ie, en-ph, en-sg, en-za
- * es-ar, es-bo, es-cl, es-co, es-cr, es-cu, es-do, es-ec, es-gt, es-pa, es-pe, es-pr, es-py, es-sv, es-us, es-uy, es-ve
- * et-ee
- * ga-ie
- * hr-hr
- * hu-hu
- * lt-lt
- * lv-lv
- * mt-mt
- * ro-ro
- * sk-sk
- * sl-sl
-* Punctuation is enabled by default.
-
-Note that due to the included phrase lists, the size of this container image has increased.
-
-Release note for `2.6.0-amd64-<locale>`:
-
-**Features**
-* Upgraded to latest models and fully migrated to .NET 3.1
-* Support for phraselist v2
-* Phrase lists are supported in the following locales:
- * en-au
- * en-ca
- * en-gb
- * en-in
- * en-us
- * zh-cn
-* Support for new locale `cs-CZ`
- * Capitalization and punctuation are currently not supported.
-
-**Fixes**
-* Fixes an issue where confidence scores were always 1 in Diarization mode
-* Migrated use the TextAnalytics 3.0 API
-
-Note that due to the included phrase lists, the size of this container image has increased.
-
-Release note for `2.5.0-amd64-<locale>`:
-
-**Features**
-* Support for Azure US Government Cloud
-
-**Fixes**
-* Fixes an issue with running as a non-root user in Diarization mode
-
-| Image Tags | Notes |
-|--|:--|
-| `2.9.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.9.0-amd64-en-us`. |
-| `2.7.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.7.0-amd64-en-us`. |
-| `2.6.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.6.0-amd64-en-us`. |
-| `2.5.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `2.5.0-amd64-en-us`. |
--
-This container has the following locales available.
- | Locale for v2.9.0 | Notes | Digest | |--|:--|:--| | `ar-ae` | Container image with the `ar-AE` locale. | `sha256:08885bedb2993daf0c918ecdc6ec775f7982ffa5ca561e80ab9b8a103cde8194` |
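Review bot: the new-locale list in the `2.7.0` release note says `sl-sl`, but the locale table for this same release lists the image as `sl-si` (locale `sl-SI`); one of the two is wrong and `sl-si` matches the table, so the bullet should read `sl-si`. The nested locale bullets are indented by a single space (` * ar-bh, ar-iq, ...`), which most Markdown renderers flatten into the parent list; indent them by two or four spaces so they render as sub-items of "Support for the following new locales". Also, "Migrated use the TextAnalytics 3.0 API" under the `2.6.0` fixes is missing a word ("Migrated to the TextAnalytics 3.0 API").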
This container image has the following tags available. You can also find a full
# [Latest version](#tab/current)
-Release note for `1.12.0-amd64-<locale-and-voice>`:
+Release note for `1.13.0-amd64-<locale-and-voice>`:
**Feature** * Upgrade to latest models.
Release note for `1.12.0-amd64-<locale-and-voice>`:
| Image Tags | Notes | ||:--| | `latest` | Container image with the `en-US` locale and `en-US-AriaRUS` voice. |
+| `1.13.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.13.0-amd64-en-us-ariarus`. |
+
+| Locales for v1.13.0 | Notes | Digest |
+||:|:-|
+| `ar-eg-hoda` | Container image with the `ar-EG` locale and `ar-EG-Hoda` voice. | `sha256:8ff6360ba584d81b987582ce1c2cb6bb624cf68e4d71544805b9afc0401542dd` |
+| `ar-sa-naayf` | Container image with the `ar-SA` locale and `ar-SA-Naayf` voice. | `sha256:da5037de95c00362cb1871374735778c3eb68640ae4cb6a260659e7e0a67c37e` |
+| `bg-bg-ivan` | Container image with the `bg-BG` locale and `bg-BG-Ivan` voice. | `sha256:871140e57c126ac79c92c69572b86587150d1f14447c91152de3d4b10b3ef9f6` |
+| `ca-es-herenarus` | Container image with the `ca-ES` locale and `ca-ES-HerenaRUS` voice. | `sha256:7291ca9c579b1967cca941ce11321daa06ed6a9a1f0922d425d39f70a4aa8acd` |
+| `cs-cz-jakub` | Container image with the `cs-CZ` locale and `cs-CZ-Jakub` voice. | `sha256:c8f34c3a7fc5af5141da5439b520614e039d133b6180e8157f12ec7279e9163a` |
+| `da-dk-hellerus` | Container image with the `da-DK` locale and `da-DK-HelleRUS` voice. | `sha256:694eb294595700266355f8d57530ec3cccd4e04aa74dd630b96558bf2b481e71` |
+| `de-at-michael` | Container image with the `de-AT` locale and `de-AT-Michael` voice. | `sha256:f875435d8fadb56df2123d5aa1ceca34990d00f4c75678eb2526b83058972717` |
+| `de-ch-karsten` | Container image with the `de-CH` locale and `de-CH-Karsten` voice. | `sha256:c58359bd6e6676e23dda181a86caee1771366b0329a44fae0f363bbd381058ad` |
+| `de-de-heddarus` | Container image with the `de-DE` locale and `de-DE-Hedda` voice. | `sha256:c8e615d40c6e96216b90e329bf7185060de646db1e92fd1fdcd344a52bd86b55` |
+| `de-de-hedda` | Container image with the `de-DE` locale and `de-DE-Hedda` voice. | `sha256:c8e615d40c6e96216b90e329bf7185060de646db1e92fd1fdcd344a52bd86b55` |
+| `de-de-stefan-apollo` | Container image with the `de-DE` locale and `de-DE-Stefan-Apollo` voice. | `sha256:e8e3f04f0ee74d4247ffb7c69e54559f0cc6db66a121406e06ceb9dcdc3c4379` |
+| `el-gr-stefanos` | Container image with the `el-GR` locale and `el-GR-Stefanos` voice. | `sha256:15112a55bc7ccb6c29ee0a1de464fa6352a0e9953399032e5c8a0d29ec064af0` |
+| `en-au-catherine` | Container image with the `en-AU` locale and `en-AU-Catherine` voice. | `sha256:9a77bb5451889f62b8a146bfcc4a412c1cef95fd2102650528ccee84a08b25b8` |
+| `en-au-hayleyrus` | Container image with the `en-AU` locale and `en-AU-HayleyRUS` voice. | `sha256:90ee1094fbb8e739788545b3b9f4fabad5b4dffb5b7087cfd01c3b21ba1b2473` |
+| `en-ca-heatherrus` | Container image with the `en-CA` locale and `en-CA-HeatherRUS` voice. | `sha256:43b7d3c87162129253fd5c150307a5d9dc6ea28b8fa19776b66f4aa7a546f43b` |
+| `en-ca-linda` | Container image with the `en-CA` locale and `en-CA-Linda` voice. | `sha256:75a4423d5b24136efdc5de28a7a5b50a3a09b65b3824f86dd50a95eefea7ead6` |
+| `en-gb-george-apollo` | Container image with the `en-GB` locale and `en-GB-George-Apollo` voice. | `sha256:87e926f7db4a27870c735c80ad801bc5480fb2665594727ae760c8c287677088` |
+| `en-gb-hazelrus` | Container image with the `en-GB` locale and `en-GB-HazelRUS` voice. | `sha256:3fbd6a824831f158762036aa41c0397f7c1148150a4dc045db5f19ba840e74b6` |
+| `en-gb-susan-apollo` | Container image with the `en-GB` locale and `en-GB-Susan-Apollo` voice. | `sha256:646810c4129f8919ff56d91701b488e229bd12b3dd9c89a1635868f9340e00b8` |
+| `en-ie-sean` | Container image with the `en-IE` locale and `en-IE-Sean` voice. | `sha256:641abfa96380f142d4b2f9145cd02886d44f01bce68614094b48c1e01b50ed59` |
+| `en-in-heera-apollo` | Container image with the `en-IN` locale and `en-IN-Heera-Apollo` voice. | `sha256:c0acfffceae9c1ff5ad305d8b98929d9c65eca25f49ddcb8999d7de6118392d2` |
+| `en-in-priyarus` | Container image with the `en-IN` locale and `en-IN-PriyaRUS` voice. | `sha256:fbdc9ef0b4308ffce87d6ff6854814804b3cafacad6c4dc5cdac6a47c6de7975` |
+| `en-in-ravi-apollo` | Container image with the `en-IN` locale and `en-IN-Ravi-Apollo` voice. | `sha256:f31c40c9db2f1e826686649e748d0b2be0c00abcac62c2aae5b8981b0d8c681d` |
+| `en-us-aria24krus` | Container image with the `en-US` locale and `en-US-Aria24kRUS` voice. | `sha256:1232b798aae3ce68d1e555a5b35142bde5b4c871488f8c82c3d7c0767925afd8` |
+| `en-us-ariarus` | Container image with the `en-US` locale and `en-US-AriaRUS` voice. | `sha256:1232b798aae3ce68d1e555a5b35142bde5b4c871488f8c82c3d7c0767925afd8` |
+| `en-us-benjaminrus` | Container image with the `en-US` locale and `en-US-BenjaminRUS` voice. | `sha256:5fd7e9fbcc84ab467d04e95b18f5411579ce2d9a153b7f6e396f2412d08898dc` |
+| `en-us-guy24krus` | Container image with the `en-US` locale and `en-US-Guy24kRUS` voice. | `sha256:5fbbd16ab58b7f2440778b258bb0cd966286de0dbb3ce7f5e54d0f244f63dd3f` |
+| `en-us-zirarus` | Container image with the `en-US` locale and `en-US-ZiraRUS` voice. | `sha256:806b92916b2fe1e7855023a009742033a48cb7eddde84ddf7c93be93b9621026` |
+| `es-es-helenarus` | Container image with the `es-ES` locale and `es-ES-HelenaRUS` voice. | `sha256:507d9f40dcb846a5d1511a5e9e1cf94b360b1d9922f4b1143c3146d1b3bc69a2` |
+| `es-es-laura-apollo` | Container image with the `es-ES` locale and `es-ES-Laura-Apollo` voice. | `sha256:594add691d03d02fa5925f817e6a25c091fac1a924e0ea4b626e0fce858a78cb` |
+| `es-es-pablo-apollo` | Container image with the `es-ES` locale and `es-ES-Pablo-Apollo` voice. | `sha256:09d288b58fea080689471618227d1cb3ccc467f2edc9477eaaffffb09b3d6d8b` |
+| `es-mx-hildarus` | Container image with the `es-MX` locale and `es-MX-HildaRUS` voice. | `sha256:7019c80c88444a60bf1016eb66284745dc8184b051685df4a1b3c40d32c8ad7f` |
+| `es-mx-raul-apollo` | Container image with the `es-MX` locale and `es-MX-Raul-Apollo` voice. | `sha256:eed46588733b884c330fff1ff7f4e3e3fd6416cb340ebd80e44c4b3d1e085e55` |
+| `fi-fi-heidirus` | Container image with the `fi-FI` locale and `fi-FI-HeidiRUS` voice. | `sha256:00f7a854c4a01bdbef88e0b138c97f732f1c6008a8b2c1722fc8da3a91fa79a4` |
+| `fr-ca-caroline` | Container image with the `fr-CA` locale and `fr-CA-Caroline` voice. | `sha256:5f32e838a0925c560d2961a42487b99dd7e79e04661a7711f905d36c55973fd6` |
+| `fr-ca-harmonierus` | Container image with the `fr-CA` locale and `fr-CA-HarmonieRUS` voice. | `sha256:6f3d3237c990f8f04d4c8f488746f74fa94edd2c5f1def758af90b2be251900e` |
+| `fr-ch-guillaume` | Container image with the `fr-CH` locale and `fr-CH-Guillaume` voice. | `sha256:282e2e48c1147b74d927e801534be52b1301a081ff881994e85bb9d85b6e85fb` |
+| `fr-fr-hortenserus` | Container image with the `fr-FR` locale and `fr-FR-HortenseRUS` voice. | `sha256:16370c22530c93fc6c5ebeaf10663de7c3d45db58eccc716abd5274b5bee56d3` |
+| `fr-fr-julie-apollo` | Container image with the `fr-FR` locale and `fr-FR-Julie-Apollo` voice. | `sha256:e6541e82b8555f748f1feb5eef1c0ebf884245c5448f0ced46e6f25dabb925a2` |
+| `fr-fr-paul-apollo` | Container image with the `fr-FR` locale and `fr-FR-Paul-Apollo` voice. | `sha256:a4cf0bab208a31da3e796bf353969dfd98184b30e0cf713df49cb4fb07ff568b` |
+| `he-il-asaf` | Container image with the `he-IL` locale and `he-IL-Asaf` voice. | `sha256:4417d0a14098b564eb4ba91772eb7ad5976ac52b0b59ae484fc3a88017e0776b` |
+| `hi-in-hemant` | Container image with the `hi-IN` locale and `hi-IN-Hemant` voice. | `sha256:da086a3e2bc3e17f4e44165055fc61679e9356688d3735ee8cfd81e6265b8622` |
+| `hi-in-kalpana-apollo` | Container image with the `hi-IN` locale and `hi-IN-Kalpana-Apollo` voice. | `sha256:0c9915bf34e3045e39aa245c597aa7223fbf6100d7e20cbcc1bf131f89ee785e` |
+| `hi-in-kalpana` | Container image with the `hi-IN` locale and `hi-IN-Kalpana` voice. | `sha256:0c9915bf34e3045e39aa245c597aa7223fbf6100d7e20cbcc1bf131f89ee785e` |
+| `hr-hr-matej` | Container image with the `hr-HR` locale and `hr-HR-Matej` voice. | `sha256:fc08c968efe882ed11ad0ee0755a9d43eff88b96da8ec19e7a5c071810c84d8c` |
+| `hu-hu-szabolcs` | Container image with the `hu-HU` locale and `hu-HU-Szabolcs` voice. | `sha256:b6ad73f07efd1576e166b4d7e54a4ff419bfedc513a175fbb968389eb289a4ee` |
+| `id-id-andika` | Container image with the `id-ID` locale and `id-ID-Andika` voice. | `sha256:3aad5ccf0c155593934c29a3e50502bc80b0370fa29626e67cda141d4bf5ac89` |
+| `it-it-cosimo-apollo` | Container image with the `it-IT` locale and `it-IT-Cosimo-Apollo` voice. | `sha256:01502f274bad378e6e99bed5f80fdb476880ce04e8775ca56d338de2f2d43e8c` |
+| `it-it-luciarus` | Container image with the `it-IT` locale and `it-IT-LuciaRUS` voice. | `sha256:fdc20724194612d99e8339d25c72c7fe937ad741abe46d86def6c62880913c2a` |
+| `ja-jp-ayumi-apollo` | Container image with the `ja-JP` locale and `ja-JP-Ayumi-Apollo` voice. | `sha256:abf0e442ec972e25743a8af55da49a6fd5bf2ffd6ca09619d68e4dc9f9db779a` |
+| `ja-jp-harukarus` | Container image with the `ja-JP` locale and `ja-JP-HarukaRUS` voice. | `sha256:9eff152cd4bea6f9de3b101c0704f37c8a061e060287e3f9f8fc2eb28d7dcec7` |
+| `ja-jp-ichiro-apollo` | Container image with the `ja-JP` locale and `ja-JP-Ichiro-Apollo` voice. | `sha256:83aa3c569f7598843d4957f075915ac2635d3aaf577ac1158c12a1238dd7e148` |
+| `ko-kr-heamirus` | Container image with the `ko-KR` locale and `ko-KR-HeamiRUS` voice. | `sha256:ea404c7857f9df0a23cbf3fac12ae00f11c32a6822d91078a321302f09f01082` |
+| `ms-my-rizwan` | Container image with the `ms-MY` locale and `ms-MY-Rizwan` voice. | `sha256:d4c15f7da8e03650395489b6cb6975d59322b1bbd2c59957617f0c0a297409ee` |
+| `nb-no-huldarus` | Container image with the `nb-NO` locale and `nb-NO-HuldaRUS` voice. | `sha256:cb2c0fb57513c66e00bd6b8cbb44882d5bb7d483c19784d2b1e09511d58842bc` |
+| `nl-nl-hannarus` | Container image with the `nl-NL` locale and `nl-NL-HannaRUS` voice. | `sha256:7b9a92ab8a9856f422e65b428b845571a059c0923dc1c348134f271ed7a4abe0` |
+| `pl-pl-paulinarus` | Container image with the `pl-PL` locale and `pl-PL-PaulinaRUS` voice. | `sha256:cface74973368a78d75a2a079214aa748574c5f037b0c4189888269b6016f230` |
+| `pt-br-daniel-apollo` | Container image with the `pt-BR` locale and `pt-BR-Daniel-Apollo` voice. | `sha256:cc3e74228002b8d4e7dc487ff6f930316ac5d7a93f97937942a23f41b484ba8c` |
+| `pt-br-heloisarus` | Container image with the `pt-BR` locale and `pt-BR-HeloisaRUS` voice. | `sha256:dca613867e2f559d9485f9ba553ecea3de6d4b2779d4eed0ce1e53e7f7939773` |
+| `pt-pt-heliarus` | Container image with the `pt-PT` locale and `pt-PT-HeliaRUS` voice. | `sha256:791ac2b3100725f909cfeceb17fc0d5fd1022242db45ba455d7ea088d76ac033` |
+| `ro-ro-andrei` | Container image with the `ro-RO` locale and `ro-RO-Andrei` voice. | `sha256:3b93df188bcbdf9416d203a7e30ade8908728316666cd3451a5f0320cdf219a9` |
+| `ru-ru-ekaterinarus` | Container image with the `ru-RU` locale and `ru-RU-EkaterinaRUS` voice. | `sha256:d2f636e35e67be196a4ad79f168e4df74d2f00d5b5c6123bd61f9aec72bfd1a7` |
+| `ru-ru-irina-apollo` | Container image with the `ru-RU` locale and `ru-RU-Irina-Apollo` voice. | `sha256:247a4c6025faced1be1738d816c1bb74b23bbc5d49458f9afe95dc32ab3ea71c` |
+| `ru-ru-pavel-apollo` | Container image with the `ru-RU` locale and `ru-RU-Pavel-Apollo` voice. | `sha256:355c3a0f64f003d0a041a757b8ddcdea8130b6a56a7c4003a68ba0412400c446` |
+| `sk-sk-filip` | Container image with the `sk-SK` locale and `sk-SK-Filip` voice. | `sha256:55fff1cde012a7791c756104ba68a360e609a765bd776024a9f5f00199f568e5` |
+| `sl-si-lado` | Container image with the `sl-SI` locale and `sl-SI-Lado` voice. | `sha256:7f80965dde85e3a5aae9f69561c296d073289f0b6aa37e95ff0aa5192a5b7f90` |
+| `sv-se-hedvigrus` | Container image with the `sv-SE` locale and `sv-SE-HedvigRUS` voice. | `sha256:1bd43f513a5b2752c44a107e1898459cdda5d7267ec21f379679d411700e5189` |
+| `ta-in-valluvar` | Container image with the `ta-IN` locale and `ta-IN-Valluvar` voice. | `sha256:8062e2479a6a3dc17b8342c07a94a39dd1e1f788c1def0a1ab55a885b491bbab` |
+| `te-in-chitra` | Container image with the `te-IN` locale and `te-IN-Chitra` voice. | `sha256:6ce345df654bd1db213c16c866b608037dcefb1d056fc14727db3b9e21437762` |
+| `th-th-pattara` | Container image with the `th-TH` locale and `th-TH-Pattara` voice. | `sha256:9b9c8ad7f8621f887f3e9fda26f43995855dba76831fdf2598ef383cf3d20f39` |
+| `tr-tr-sedarus` | Container image with the `tr-TR` locale and `tr-TR-SedaRUS` voice. | `sha256:2e45f019df702d8788c1d9c20ff75cfd94aecaaf6facb9f41b642ef1bfe7d318` |
+| `vi-vn-an` | Container image with the `vi-VN` locale and `vi-VN-An` voice. | `sha256:3b142a414ff9f30ebef144e22bf979589600f226442d2f882384695795739178` |
+| `zh-cn-huihuirus` | Container image with the `zh-CN` locale and `zh-CN-HuihuiRUS` voice. | `sha256:23b76501492c9b60e8888eda2f6b0258859f68ed6ff7fb49bacbb18cd5f542ed` |
+| `zh-cn-kangkang-apollo` | Container image with the `zh-CN` locale and `zh-CN-Kangkang-Apollo` voice. | `sha256:e9acc58168f6800d9dd11cbc569c9d279ecf28f3d17c702528d25f67edd447c9` |
+| `zh-cn-yaoyao-apollo` | Container image with the `zh-CN` locale and `zh-CN-Yaoyao-Apollo` voice. | `sha256:85e7d7ae77d41195de5102b772621ef34564d40fad224a0ed21a8fe8daf98b0f` |
+| `zh-hk-danny-apollo` | Container image with the `zh-HK` locale and `zh-HK-Danny-Apollo` voice. | `sha256:1fcba05138c0e5bf36447530311800e2d4044824b5d893439a12f3ebc6380135` |
+| `zh-hk-tracy-apollo` | Container image with the `zh-HK` locale and `zh-HK-Tracy-Apollo` voice. | `sha256:d02bd8759e085abbc95725aa4f70f124c4505aa0856a17696a1555b2cf64512e` |
+| `zh-hk-tracyrus` | Container image with the `zh-HK` locale and `zh-HK-TracyRUS` voice. | `sha256:d02bd8759e085abbc95725aa4f70f124c4505aa0856a17696a1555b2cf64512e` |
+| `zh-tw-hanhanrus` | Container image with the `zh-TW` locale and `zh-TW-HanHanRUS` voice. | `sha256:a3f68538088b5b07f4dc27239fa3a6308d949c2643638634c74f3ee132bca911` |
+| `zh-tw-yating-apollo` | Container image with the `zh-TW` locale and `zh-TW-Yating-Apollo` voice. | `sha256:bb0696685f3a90fe6898ff1487cb0c5957e02f3c63cdb7d02394b5c061339bf3` |
+| `zh-tw-zhiwei-apollo` | Container image with the `zh-TW` locale and `zh-TW-Zhiwei-Apollo` voice. | `sha256:1772b3bc8b166f429356b00d07ca438202c75d578b6d1655351b9c1e06ae1424` |
++
+# [Previous version](#tab/previous)
+
+Release note for `1.12.0-amd64-<locale-and-voice>`:
+
+**Feature**
+* Upgrade to latest models.
+
+Release note for `1.11.0-amd64-<locale-and-voice>`:
+
+**Feature**
+* More error details for issues when fetching custom models by ID.
+
+Release note for `1.9.0-amd64-<locale-and-voice>`:
+
+* Regular monthly release
+
+Release note for `1.8.0-amd64-<locale-and-voice>`:
+
+**Feature**
+
+* Fully migrated to .NET 3.1
+
+Release note for `1.7.0-amd64-<locale-and-voice>`:
+
+**Feature**
+
+* Upgraded components to .NET 3.1
+
+| Image Tags | Notes |
+||:--|
| `1.12.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.12.0-amd64-en-us-ariarus`. |
+| `1.11.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.11.0-amd64-en-us-ariarus`. |
+| `1.9.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.9.0-amd64-en-us-ariarus`. |
+| `1.8.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.8.0-amd64-en-us-ariarus`. |
+| `1.7.0-amd64-<locale-and-voice>` | 1st GA version. Replace `<locale>` with one of the available locales, listed below. For example `1.7.0-amd64-en-us-ariarus`. |
| Locales for v1.12.0 | Notes | Digest | ||:|:-|
Release note for `1.12.0-amd64-<locale-and-voice>`:
| `zh-tw-yating-apollo` | Container image with the `zh-TW` locale and `zh-TW-Yating-Apollo` voice. | `sha256:05f50dffbeb17e4215a5a53cc0791d825b63bc1e2b007b00797e5d0e1b1d6d1e` | | `zh-tw-zhiwei-apollo` | Container image with the `zh-TW` locale and `zh-TW-Zhiwei-Apollo` voice. | `sha256:e96f4aecba6e3c0741218f3e1aec35e53147b12543be9fdcd76ff98d4c34cf84` | -
-# [Previous version](#tab/previous)
-
-Release note for `1.11.0-amd64-<locale-and-voice>`:
-
-**Feature**
-* More error details for issues when fetching custom models by ID.
-
-Release note for `1.9.0-amd64-<locale-and-voice>`:
-
-* Regular monthly release
-
-Release note for `1.8.0-amd64-<locale-and-voice>`:
-
-**Feature**
-
-* Fully migrated to .NET 3.1
-
-Release note for `1.7.0-amd64-<locale-and-voice>`:
-
-**Feature**
-
-* Upgraded components to .NET 3.1
-
-| Image Tags | Notes |
-||:--|
-| `1.11.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.11.0-amd64-en-us-ariarus`. |
-| `1.9.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.9.0-amd64-en-us-ariarus`. |
-| `1.8.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.8.0-amd64-en-us-ariarus`. |
-| `1.7.0-amd64-<locale-and-voice>` | 1st GA version. Replace `<locale>` with one of the available locales, listed below. For example `1.7.0-amd64-en-us-ariarus`. |
- | Locales for v1.11.0 | Notes | Digest | ||:|:-| | `ar-eg-hoda` | Container image with the `ar-EG` locale and `ar-EG-Hoda` voice. | `sha256:7ba558f444ea482eca87b3e850e9b416c71391282b26a590d1ee3d9a81350188` |
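Review bot: the separator row `||:|:-|` under `| Locales for v1.13.0 | Notes | Digest |` is not a valid three-column Markdown alignment row (each cell needs at least one dash), so the whole digest table will render as plain text; use `|--|:--|:--|`, and the same applies to `||:--|` under the `Image Tags` table. Several tag pairs in the v1.13.0 table carry an identical digest (`de-de-heddarus`/`de-de-hedda`, `en-us-aria24krus`/`en-us-ariarus`, `hi-in-kalpana-apollo`/`hi-in-kalpana`, `zh-hk-tracy-apollo`/`zh-hk-tracyrus`); if these are intentional aliases of one image, the Notes column should say so, since a reader pinning by digest cannot otherwise tell whether the second digest was copied by mistake, and in the `de-de-heddarus` row the Notes column names the `de-DE-Hedda` voice while the tag itself suggests `de-DE-HeddaRUS`. Finally, the `1.13.0-amd64-<locale-and-voice>` row says "Replace `<locale>`" although the placeholder in the tag is `<locale-and-voice>`; the instruction should name the placeholder it actually refers to.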
This container image has the following tags available. You can also find a full
# [Latest version](#tab/current)
-Release notes for `v1.4.0`:
-* Upgrade to latest models.
-* The CPU cost and latency was reduced.
-* Better support of prosody tuning with SSML tag (e.g. pitch contour).
+Release notes for `v1.5.0`:
+* Upgrade to latest models with quality improvements and bug fixes
+* Support up to 38 neural voices
| Image Tags | Notes | ||:| | `latest` | Container image with the `en-US` locale and `en-US-AriaNeural` voice. |
-| `1.4.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.4.0-amd64-en-us-arianeural`. |
+| `1.5.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.5.0-amd64-en-us-arianeural`. |
-| v1.4.0 Locales and voices | Notes |
+| v1.5.0 Locales and voices | Notes |
|-|:|
+| `de-de-conradneural` | Container image with the `de-DE` locale and `de-DE-ConradNeural` voice. |
| `de-de-katjaneural` | Container image with the `de-DE` locale and `de-DE-KatjaNeural` voice. | | `en-au-natashaneural` | Container image with the `en-AU` locale and `en-AU-NatashaNeural` voice. |
+| `en-au-williamneural` | Container image with the `en-AU` locale and `en-AU-WilliamNeural` voice. |
| `en-ca-claraneural` | Container image with the `en-CA` locale and `en-CA-ClaraNeural` voice. |
+| `en-ca-liamneural` | Container image with the `en-CA` locale and `en-CA-LiamNeural` voice. |
| `en-gb-libbyneural` | Container image with the `en-GB` locale and `en-GB-LibbyNeural` voice. | | `en-gb-mianeural` | Container image with the `en-GB` locale and `en-GB-MiaNeural` voice. |
+| `en-gb-ryanneural` | Container image with the `en-GB` locale and `en-GB-RyanNeural` voice. |
| `en-us-arianeural` | Container image with the `en-US` locale and `en-US-AriaNeural` voice. | | `en-us-guyneural` | Container image with the `en-US` locale and `en-US-GuyNeural` voice. | | `en-us-jennyneural` | Container image with the `en-US` locale and `en-US-JennyNeural` voice. |
+| `es-es-alvaroneural` | Container image with the `es-ES` locale and `es-ES-AlvaroNeural` voice. |
| `es-es-elviraneural` | Container image with the `es-ES` locale and `es-ES-ElviraNeural` voice. | | `es-mx-dalianeural` | Container image with the `es-MX` locale and `es-MX-DaliaNeural` voice. |
+| `es-mx-jorgeneural` | Container image with the `es-MX` locale and `es-MX-JorgeNeural` voice. |
+| `fr-ca-antoineneural` | Container image with the `fr-CA` locale and `fr-CA-AntoineNeural` voice. |
+| `fr-ca-jeanneural` | Container image with the `fr-CA` locale and `fr-CA-JeanNeural` voice. |
| `fr-ca-sylvieneural` | Container image with the `fr-CA` locale and `fr-CA-SylvieNeural` voice. | | `fr-fr-deniseneural` | Container image with the `fr-FR` locale and `fr-FR-DeniseNeural` voice. |
-| `hi-in-swaracpuneural` | Container image with the `hi-IN` locale and `hi-IN-Swaraneural` voice. |
+| `fr-fr-henrineural` | Container image with the `fr-FR` locale and `fr-FR-HenriNeural` voice. |
+| `hi-in-madhurneural` | Container image with the `hi-IN` locale and `hi-IN-MadhurNeural` voice. |
+| `hi-in-swaraneural` | Container image with the `hi-IN` locale and `hi-IN-Swaraneural` voice. |
+| `it-it-diegoneural` | Container image with the `it-IT` locale and `it-IT-DiegoNeural` voice. |
| `it-it-elsaneural` | Container image with the `it-IT` locale and `it-IT-ElsaNeural` voice. |
+| `it-it-isabellaneural` | Container image with the `it-IT` locale and `it-IT-IsabellaNeural` voice. |
+| `ja-jp-keitaneural` | Container image with the `ja-JP` locale and `ja-JP-KeitaNeural` voice. |
| `ja-jp-nanamineural` | Container image with the `ja-JP` locale and `ja-JP-NanamiNeural` voice. |
+| `ko-kr-injoonneural` | Container image with the `ko-KR` locale and `ko-KR-InJoonNeural` voice. |
| `ko-kr-sunhineural` | Container image with the `ko-KR` locale and `ko-KR-SunHiNeural` voice. |
+| `pt-br-antonioneural` | Container image with the `pt-BR` locale and `pt-BR-AntonioNeural` voice. |
| `pt-br-franciscaneural` | Container image with the `pt-BR` locale and `pt-BR-FranciscaNeural` voice. |
+| `tr-tr-ahmetneural` | Container image with the `tr-TR` locale and `tr-TR-AhmetNeural` voice. |
+| `tr-tr-emelneural` | Container image with the `tr-TR` locale and `tr-TR-EmelNeural` voice. |
| `zh-cn-xiaoxiaoneural` | Container image with the `zh-CN` locale and `zh-CN-XiaoxiaoNeural` voice. | | `zh-cn-xiaoyouneural` | Container image with the `zh-CN` locale and `zh-CN-XiaoYouNeural` voice. | | `zh-cn-yunyangneural` | Container image with the `zh-CN` locale and `zh-CN-YunYangNeural` voice. |
Release notes for `v1.4.0`:
# [Previous version](#tab/previous)
+Release notes for `v1.4.0`:
+* Upgrade to latest models.
+* The CPU cost and latency was reduced.
+* Better support of prosody tuning with SSML tag (e.g. pitch contour).
+ Release notes for `v1.3.0`: * The Neural Text-to-speech container is now generally available. | Image Tags | Notes | ||:|
-| `latest` | Container image with the `en-US` locale and `en-US-AriaNeural` voice. |
+| `1.4.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `1.4.0-amd64-en-us-arianeural`. |
| `1.3.0-amd64-<locale-and-voice>-preview` | Replace `<locale>` with one of the available locales, listed below. For example `1.3.0-amd64-en-us-arianeural-preview`. | | `1.2.0-amd64-<locale-and-voice>-preview` | Replace `<locale>` with one of the available locales, listed below. For example `1.2.0-amd64-en-us-arianeural-preview`. |
+| v1.4.0 Locales and voices | Notes |
+|-|:|
+| `de-de-katjaneural` | Container image with the `de-DE` locale and `de-DE-KatjaNeural` voice. |
+| `en-au-natashaneural` | Container image with the `en-AU` locale and `en-AU-NatashaNeural` voice. |
+| `en-ca-claraneural` | Container image with the `en-CA` locale and `en-CA-ClaraNeural` voice. |
+| `en-gb-libbyneural` | Container image with the `en-GB` locale and `en-GB-LibbyNeural` voice. |
+| `en-gb-mianeural` | Container image with the `en-GB` locale and `en-GB-MiaNeural` voice. |
+| `en-us-arianeural` | Container image with the `en-US` locale and `en-US-AriaNeural` voice. |
+| `en-us-guyneural` | Container image with the `en-US` locale and `en-US-GuyNeural` voice. |
+| `en-us-jennyneural` | Container image with the `en-US` locale and `en-US-JennyNeural` voice. |
+| `es-es-elviraneural` | Container image with the `es-ES` locale and `es-ES-ElviraNeural` voice. |
+| `es-mx-dalianeural` | Container image with the `es-MX` locale and `es-MX-DaliaNeural` voice. |
+| `fr-ca-sylvieneural` | Container image with the `fr-CA` locale and `fr-CA-SylvieNeural` voice. |
+| `fr-fr-deniseneural` | Container image with the `fr-FR` locale and `fr-FR-DeniseNeural` voice. |
+| `hi-in-swaraneural` | Container image with the `hi-IN` locale and `hi-IN-Swaraneural` voice. |
+| `it-it-elsaneural` | Container image with the `it-IT` locale and `it-IT-ElsaNeural` voice. |
+| `ja-jp-nanamineural` | Container image with the `ja-JP` locale and `ja-JP-NanamiNeural` voice. |
+| `ko-kr-sunhineural` | Container image with the `ko-KR` locale and `ko-KR-SunHiNeural` voice. |
+| `pt-br-franciscaneural` | Container image with the `pt-BR` locale and `pt-BR-FranciscaNeural` voice. |
+| `zh-cn-xiaoxiaoneural` | Container image with the `zh-CN` locale and `zh-CN-XiaoxiaoNeural` voice. |
+| `zh-cn-xiaoyouneural` | Container image with the `zh-CN` locale and `zh-CN-XiaoYouNeural` voice. |
+| `zh-cn-yunyangneural` | Container image with the `zh-CN` locale and `zh-CN-YunYangNeural` voice. |
+| `zh-cn-yunyeneural` | Container image with the `zh-CN` locale and `zh-CN-YunYeNeural` voice. |
+ | v1.3.0 Locales and voices | Notes | |-|:| | `de-de-katjaneural` | Container image with the `de-DE` locale and `de-DE-KatjaNeural` voice. |
Release notes for `v1.3.0`:
| `es-mx-dalianeural` | Container image with the `es-MX` locale and `es-MX-DaliaNeural` voice. | | `fr-ca-sylvieneural` | Container image with the `fr-CA` locale and `fr-CA-SylvieNeural` voice. | | `fr-fr-deniseneural` | Container image with the `fr-FR` locale and `fr-FR-DeniseNeural` voice. |
-| `hi-in/swaracpuneural` | Container image with the `hi-IN` locale and `hi-IN-Swaraneural` voice. |
+| `hi-in-swaraneural` | Container image with the `hi-IN` locale and `hi-IN-Swaraneural` voice. |
| `it-it-elsaneural` | Container image with the `it-IT` locale and `it-IT-ElsaNeural` voice. | | `ja-jp-nanamineural` | Container image with the `ja-JP` locale and `ja-JP-NanamiNeural` voice. | | `ko-kr-sunhineural` | Container image with the `ko-KR` locale and `ko-KR-SunHiNeural` voice. |
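Review bot: in the added `1.4.0-amd64-<locale-and-voice>` row the instruction still reads "Replace `<locale>` with one of the available locales", but the placeholder in the tag is `<locale-and-voice>` and the values listed below it are locale-plus-voice names such as `en-us-arianeural`; reword to "Replace `<locale-and-voice>` with one of the values listed below" (the 1.3.0 and 1.2.0 rows carry the same mismatch). Two smaller points: `hi-IN-Swaraneural` in the `hi-in-swaraneural` rows does not follow the `...Neural` capitalization every other voice name in the table uses, and "The CPU cost and latency was reduced" in the v1.4.0 notes should read "were reduced".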
communication-services Calling Sdk Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/voice-video-calling/calling-sdk-features.md
The following list presents the set of features which are currently available in
| | Get camera list | ✔️ | ✔️ | ✔️ | | Set camera | ✔️ | ✔️ | ✔️ | | Get selected camera | ✔️ | ✔️ | ✔️
-| | Get microphone list | ✔️ | ✔️ | ✔️
-| | Set microphone | ✔️ | ✔️ | ✔️
-| | Get selected microphone | ✔️ | ✔️ | ✔️
-| | Get speakers list | ✔️ | ✔️ | ✔️
-| | Set speaker | ✔️ | ✔️ | ✔️
-| | Get selected speaker | ✔️ | ✔️ | ✔️
+| | Get microphone list | ✔️ | ❌ |❌
+| | Set microphone | ✔️ | ❌ | ❌
+| | Get selected microphone | ✔️ | ❌ | ❌
+| | Get speakers list | ✔️ | ❌ | ❌
+| | Set speaker | ✔️ | ❌ | ❌
+| | Get selected speaker | ✔️ | ❌ | ❌
| Video Rendering | Render single video in many places (local camera or remote stream) | ✔️ | ✔️ | ✔️ | | Set / update scaling mode | ✔️ | ✔️ | ✔️ | | Render remote video stream | ✔️ | ✔️ | ✔️
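Review bot: the six microphone and speaker rows flip from ✔️ to ❌ in the second and third platform columns with no accompanying text, so a reader cannot tell whether these device-management calls were never available on those platforms or have been withdrawn; add a one-line note under the table (or a footnote on the rows) stating which it is, and if support was removed, link the release that removed it.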
container-instances Container Instances Get Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/container-instances-get-logs.md
Title: Get container instance logs & events
description: Learn how to retrieve container logs and events in Azure Container Instances to help troubleshoot container issues Last updated 12/30/2019-+ # Retrieve container logs and events in Azure Container Instances
container-registry Container Registry Tasks Pack Build https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-tasks-pack-build.md
Title: Build image with Cloud Native Buildpack
description: Use the az acr pack build command to build a container image from an app and push to Azure Container Registry, without using a Dockerfile. Last updated 10/24/2019-+ # Build and push an image from an app using a Cloud Native Buildpack
container-registry Tasks Agent Pools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/tasks-agent-pools.md
This feature is available in the **Premium** container registry service tier. Fo
## Preview limitations - Task agent pools currently support Linux nodes. Windows nodes aren't currently supported.-- Task agent pools are available in preview in the following regions: West US 2, South Central US, East US 2, East US, Central US, West Europe, Canada Central, USGov Arizona, USGov Texas, and USGov Virginia.
+- Task agent pools are available in preview in the following regions: West US 2, South Central US, East US 2, East US, Central US, West Europe, North Europe, Canada Central, USGov Arizona, USGov Texas, and USGov Virginia.
- For each registry, the default total vCPU (core) quota is 16 for all standard agent pools and is 0 for isolated agent pools. Open a [support request][open-support-ticket] for additional allocation. - You can't currently cancel a task run on an agent pool.
cosmos-db Analytical Store Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/analytical-store-introduction.md
description: Learn about Azure Cosmos DB transactional (row-based) and analytica
Previously updated : 03/16/2021 Last updated : 04/12/2021
There are two modes of schema representation in the analytical store. These mode
The well-defined schema representation creates a simple tabular representation of the schema-agnostic data in the transactional store. The well-defined schema representation has the following considerations: * A property always has the same type across multiple items.
+* We only allow 1 type change, from null to any other data type.The first non-null occurrence defines the column data type.
* For example, `{"a":123} {"a": "str"}` does not have a well-defined schema because `"a"` is sometimes a string and sometimes a number. In this case, the analytical store registers the data type of `"a"` as the data type of `ΓÇ£aΓÇ¥` in the first-occurring item in the lifetime of the container. The document will still be included in analytical store, but items where the data type of `"a"` differs will not.
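Review bot: the added bullet is missing a space after the period in "any other data type.The first non-null occurrence", and "1 type change" should be spelled out as "one type change" to match the surrounding prose. While here, the next bullet contains mojibake (`ΓÇ£aΓÇ¥`) where `"a"` is intended; it renders as garbage on the page and should be replaced with plain ASCII quotes.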
cosmos-db Create Sql Api Dotnet V4 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-dotnet-v4.md
ms.devlang: dotnet
Last updated 04/07/2021 - # Quickstart: Build a console app using the .NET V4 SDK (Preview) to manage Azure Cosmos DB SQL API account resources. [!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)]
> * [.NET V4](create-sql-api-dotnet-V4.md) > * [Java SDK v4](create-sql-api-java.md) > * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark v3 connector](create-sql-api-spark.md)
> * [Node.js](create-sql-api-nodejs.md) > * [Python](create-sql-api-python.md) > * [Xamarin](create-sql-api-xamarin-dotnet.md)
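Review bot: the new selector entry is labelled "Spark v3 connector" here (and in the other quickstart pages touched by this change), while the target page create-sql-api-spark.md labels the same entry "Spark 3 OLTP connector" in its own selector; the op_single_selector tabs should carry one label across all quickstarts so the selected tab reads the same wherever the reader lands. Pick one (the target page's "Spark 3 OLTP connector" also matches the "Spark 3 OLTP Connector" label used on the SDK pages) and use it in every file.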
cosmos-db Create Sql Api Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-dotnet.md
ms.devlang: dotnet Previously updated : 10/21/2020 Last updated : 03/07/2021 + # Quickstart: Build a .NET console app to manage Azure Cosmos DB SQL API resources [!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)]
> * [.NET V4](create-sql-api-dotnet-V4.md) > * [Java SDK v4](create-sql-api-java.md) > * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark v3 connector](create-sql-api-spark.md)
> * [Node.js](create-sql-api-nodejs.md) > * [Python](create-sql-api-python.md) > * [Xamarin](create-sql-api-xamarin-dotnet.md)
cosmos-db Create Sql Api Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-java.md
ms.devlang: java Previously updated : 09/22/2020 Last updated : 03/07/2021
> * [.NET V4](create-sql-api-dotnet-V4.md) > * [Java SDK v4](create-sql-api-java.md) > * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark v3 connector](create-sql-api-spark.md)
> * [Node.js](create-sql-api-nodejs.md) > * [Python](create-sql-api-python.md) > * [Xamarin](create-sql-api-xamarin-dotnet.md)
cosmos-db Create Sql Api Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-nodejs.md
ms.devlang: nodejs Previously updated : 09/22/2020 Last updated : 03/07/2021 + # Quickstart: Use Node.js to connect and query data from Azure Cosmos DB SQL API account [!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)]
> - [.NET V4](create-sql-api-dotnet-V4.md) > - [Java SDK v4](create-sql-api-java.md) > * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark v3 connector](create-sql-api-spark.md)
> - [Node.js](create-sql-api-nodejs.md) > - [Python](create-sql-api-python.md) > - [Xamarin](create-sql-api-xamarin-dotnet.md)
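Review bot: the added item uses `*` as its bullet marker inside a selector list whose other entries in this file use `-`; in CommonMark a change of marker starts a new list, so the selector can render as two separate lists. Use `-` for the added line (and align the existing `* [Spring Data v3]` entry on the previous line while here).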
cosmos-db Create Sql Api Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-python.md
Title: 'Quickstart: Build a Python app using Azure Cosmos DB SQL API account' description: Presents a Python code sample you can use to connect to and query the Azure Cosmos DB SQL API-+ ms.devlang: python Previously updated : 09/22/2020- Last updated : 04/06/2021+ + # Quickstart: Build a Python application using an Azure Cosmos DB SQL API account [!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)]
> * [.NET V4](create-sql-api-dotnet-V4.md) > * [Java SDK v4](create-sql-api-java.md) > * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark v3 connector](create-sql-api-spark.md)
> * [Node.js](create-sql-api-nodejs.md) > * [Python](create-sql-api-python.md) > * [Xamarin](create-sql-api-xamarin-dotnet.md)
cosmos-db Create Sql Api Spark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-spark.md
+
+ Title: Quickstart - Use Cosmos DB Apache Spark 3 OLTP Connector for SQL API (Preview) to create a document database using Azure Cosmos DB
+description: This quickstart presents a Cosmos DB Apache Spark 3 OLTP Connector for SQL API (Preview) code sample you can use to connect to and query the Azure Cosmos DB SQL API
+++
+ms.devlang: java
+ Last updated : 04/06/2021++++
+# Quickstart: Build a Cosmos DB Apache Spark 3 OLTP Connector for SQL API (Preview) app to manage Azure Cosmos DB SQL API data
+
+> [!div class="op_single_selector"]
+> * [.NET V3](create-sql-api-dotnet.md)
+> * [.NET V4](create-sql-api-dotnet-V4.md)
+> * [Java SDK v4](create-sql-api-java.md)
+> * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark 3 OLTP connector](create-sql-api-spark.md)
+> * [Node.js](create-sql-api-nodejs.md)
+> * [Python](create-sql-api-python.md)
+> * [Xamarin](create-sql-api-xamarin-dotnet.md)
++
cosmos-db Create Sql Api Spring Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-spring-data.md
ms.devlang: java Previously updated : 10/06/2020 Last updated : 03/07/2021
> * [.NET V4](create-sql-api-dotnet-V4.md) > * [Java SDK v4](create-sql-api-java.md) > * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark v3 connector](create-sql-api-spark.md)
> * [Node.js](create-sql-api-nodejs.md) > * [Python](create-sql-api-python.md) > * [Xamarin](create-sql-api-xamarin-dotnet.md)
cosmos-db Create Sql Api Xamarin Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-sql-api-xamarin-dotnet.md
ms.devlang: dotnet Previously updated : 10/09/2020 Last updated : 03/07/2021 - + # Quickstart: Build a todo app with Xamarin using Azure Cosmos DB SQL API account [!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)]
> * [.NET V4](create-sql-api-dotnet-V4.md) > * [Java SDK v4](create-sql-api-java.md) > * [Spring Data v3](create-sql-api-spring-data.md)
+> * [Spark v3 connector](create-sql-api-spark.md)
> * [Node.js](create-sql-api-nodejs.md) > * [Python](create-sql-api-python.md) > * [Xamarin](create-sql-api-xamarin-dotnet.md)
Go back to the Azure portal to get your API key information and copy it into the
2. In Visual Studio, open **ToDoItems.Core/Helpers/APIKeys.cs**.
-3. In the Azure Portal, using the copy button, copy the **URI** value and make it the value of the `CosmosEndpointUrl` variable in APIKeys.cs.
+3. In the Azure portal, using the copy button, copy the **URI** value and make it the value of the `CosmosEndpointUrl` variable in APIKeys.cs.
```csharp //#error Enter the URL of your Azure Cosmos DB endpoint here
- public static readonly string CosmosEndpointUrl = "[URI Copied from Azure Portal]";
+ public static readonly string CosmosEndpointUrl = "[URI Copied from Azure portal]";
```
-4. In the Azure Portal, using the copy button, copy the **PRIMARY KEY** value and make it the value of the `Cosmos Auth Key` in APIKeys.cs.
+4. In the Azure portal, using the copy button, copy the **PRIMARY KEY** value and make it the value of the `Cosmos Auth Key` in APIKeys.cs.
```csharp //#error Enter the read/write authentication key of your Azure Cosmos DB endpoint here
- public static readonly string CosmosAuthKey = "[PRIMARY KEY copied from Azure Portal";
+ public static readonly string CosmosAuthKey = "[PRIMARY KEY copied from Azure portal";
``` [!INCLUDE [cosmos-db-auth-key-info](../../includes/cosmos-db-auth-key-info.md)]
Now let's take a quick review of how the app communicates with Azure Cosmos DB.
The `CreateDocumentQuery<T>` takes a URI that points to the container created in the previous section. And you are also able to specify LINQ operators such as a `Where` clause. In this case only todo items that are not completed are returned.
- The `CreateDocumentQuery<T>` function is executed synchronously, and returns an `IQueryable<T>`. However, the `AsDocumentQuery` method converts the `IQueryable<T>` to an `IDocumentQuery<T>` object which can be executed asynchronously. Thus not blocking the UI thread for mobile applications.
+ The `CreateDocumentQuery<T>` function is executed synchronously, and returns an `IQueryable<T>`. However, the `AsDocumentQuery` method converts the `IQueryable<T>` to an `IDocumentQuery<T>` object, which can be executed asynchronously. Thus not blocking the UI thread for mobile applications.
- The `IDocumentQuery<T>.ExecuteNextAsync<T>` function retrieves the page of results from Azure Cosmos DB, which `HasMoreResults` checking to see if additional results remain to be returned.
+ The `IDocumentQuery<T>.ExecuteNextAsync<T>` function retrieves the page of results from Azure Cosmos DB, which `HasMoreResults` will examine in order to see if additional results remain to be returned.
> [!TIP] > Several functions that operate on Azure Cosmos containers and documents take an URI as a parameter which specifies the address of the container or document. This URI is constructed using the `URIFactory` class. URIs for databases, containers, and documents can all be created with this class.
The following steps will demonstrate how to run the app using the Visual Studio
:::image type="content" source="./media/create-sql-api-xamarin-dotnet/ide-start-debug.png" alt-text="Starting to debug in Visual Studio for Mac":::
-3. When the iOS simulator or Android emulator finishes launching, the app will display 2 tabs at the bottom of the screen for iOS and the top of the screen for Android. The first shows todo items which are not completed, the second shows todo items which are completed.
+3. When the iOS simulator or Android emulator finishes launching, the app will display two tabs at the bottom of the screen for iOS and the top of the screen for Android. The first shows todo items, which are not completed, the second shows todo items, which are completed.
:::image type="content" source="./media/create-sql-api-xamarin-dotnet/ios-droid-started.png" alt-text="Launch screen of ToDo app":::
The following steps will demonstrate how to run the app using the Visual Studio
## Next steps
-In this quickstart, you've learned how to create an Azure Cosmos account, create a container using the Data Explorer, and build and deploy a Xamarin app. You can now import additional data to your Azure Cosmos account.
+In this quickstart, you've learned how to create an Azure Cosmos account, create a container using the Data Explorer, and build and deploy a Xamarin app. You can now import more data to your Azure Cosmos account.
> [!div class="nextstepaction"] > [Import data into Azure Cosmos DB](import-data.md)
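Review bot: the `CosmosAuthKey` placeholder in step 4 is still missing its closing bracket: `"[PRIMARY KEY copied from Azure portal";` should be `"[PRIMARY KEY copied from Azure portal]";` to match the `CosmosEndpointUrl` placeholder in step 3; the capitalization fix kept the unbalanced bracket. Also, the commas added in "todo items, which are not completed, the second shows todo items, which are completed" turn restrictive clauses into non-restrictive ones and change the meaning (each tab shows only one kind of item); keep "todo items that are not completed" and "todo items that are completed" without the commas.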
cosmos-db High Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/high-availability.md
For the rare cases of regional outage, Azure Cosmos DB makes sure your database
* Single-region accounts may lose availability following a regional outage. It's always recommended to set up **at least two regions** (preferably, at least two write regions) with your Azure Cosmos account to ensure high availability at all times.
+> [!IMPORTANT]
+> When using SQL APIs, it is necessary to configure the Cosmos DB SDK to use all the specified read regions to take advantage of the increased availability. Refer to [this article](troubleshoot-sdk-availability.md) for more information.
+ ### Multi-region accounts with a single-write region (write region outage) * During a write region outage, the Azure Cosmos account will automatically promote a secondary region to be the new primary write region when **enable automatic failover** is configured on the Azure Cosmos account. When enabled, the failover will occur to another region in the order of region priority you've specified.
Availability Zones can be enabled via:
* Within a globally distributed database environment, there is a direct relationship between the consistency level and data durability in the presence of a region-wide outage. As you develop your business continuity plan, you need to understand the maximum acceptable time before the application fully recovers after a disruptive event. The time required for an application to fully recover is known as recovery time objective (RTO). You also need to understand the maximum period of recent data updates the application can tolerate losing when recovering after a disruptive event. The time period of updates that you might afford to lose is known as recovery point objective (RPO). To see the RPO and RTO for Azure Cosmos DB, see [Consistency levels and data durability](./consistency-levels.md#rto)
-## What to expect during a region outage
+## What to expect during a Cosmos DB region outage
For single-region accounts, clients will experience loss of read and write availability.
Multi-region accounts will experience different behaviors depending on the follo
| Write regions | Automatic failover | What to expect | What to do | | -- | -- | -- | -- |
-| Single write region | Not enabled | In case of outage in a read region, all clients will redirect to other regions. No read or write availability loss. No data loss. <p/> In case of an outage in the write region, clients will experience write availability loss. Data loss will be dependent on the constistency level selected. <p/> Cosmos DB will restore write availability automatically when the outage ends. | During the outage, ensure that there is enough capacity provisioned in the remaining regions to support read traffic. <p/> Do *not* trigger a manual failover during the outage, as it will not succeed. <p/> When the outage is over, re-adjust provisioned capacity as appropriate. |
-| Single write region | Enabled | In case of outage in a read region, all clients will redirect to other regions. No read or write availability loss. No data loss. <p/> In case of an outage in the write region, clients will experience write availability loss until Cosmos DB automatically elects a new region as the new write region according to your preferences. Data loss will be dependent on the constistency level selected. | During the outage, ensure that there is enough capacity provisioned in the remaining regions to support read traffic. <p/> Do *not* trigger a manual failover during the outage, as it will not succeed. <p/> When the outage is over, you may recover the non-replicated data in the failed region from your [conflicts feed](how-to-manage-conflicts.md#read-from-conflict-feed), move the write region back to the original region, and re-adjust provisioned capacity as appropriate. |
-| Multiple write regions | Not applicable | No read or write availability loss. <p/> Data loss as per consistency level selected. | During the outage, ensure that there is enough capacity provisioned in the remaining regions to support additional traffic. <p/> When the outage is over, you may recover the non-replicated data in the failed region from your [conflicts feed](how-to-manage-conflicts.md#read-from-conflict-feed) and re-adjust provisioned capacity as appropriate. |
+| Single write region | Not enabled | In case of outage in a read region, all clients will redirect to other regions. No read or write availability loss. No data loss. <p/> In case of an outage in the write region, clients will experience write availability loss. If strong consistency level is not selected, some data may not have been replicated to the remaining active regions. This depends on the consistenvy level selected as described in [this section](consistency-levels.md#rto). If the affected region suffers permanent data loss, unreplicated data may be lost. <p/> Cosmos DB will restore write availability automatically when the outage ends. | During the outage, ensure that there are enough provisioned RUs in the remaining regions to support read traffic. <p/> Do *not* trigger a manual failover during the outage, as it will not succeed. <p/> When the outage is over, re-adjust provisioned RUs as appropriate. |
+| Single write region | Enabled | In case of outage in a read region, all clients will redirect to other regions. No read or write availability loss. No data loss. <p/> In case of an outage in the write region, clients will experience write availability loss until Cosmos DB automatically elects a new region as the new write region according to your preferences. If strong consistency level is not selected, some data may not have been replicated to the remaining active regions. This depends on the consistenvy level selected as described in [this section](consistency-levels.md#rto). If the affected region suffers permanent data loss, unreplicated data may be lost. | During the outage, ensure that there are enough provisioned RUs in the remaining regions to support read traffic. <p/> Do *not* trigger a manual failover during the outage, as it will not succeed. <p/> When the outage is over, you may move the write region back to the original region, and re-adjust provisioned RUs as appropriate. Accounts using SQL APIs may also recover the non-replicated data in the failed region from your [conflicts feed](how-to-manage-conflicts.md#read-from-conflict-feed). |
+| Multiple write regions | Not applicable | No read or write availability loss. <p/> Recently updated data in the failed region may be unavilable in the remaining active regions. Eventual, consistent prefix, and session consistency levels guarantee a staleness of <15mins. Bounded staleness guarantees less than K updates or T seconds, depending on the configuration. If the affected region suffers permanent data loss, unreplicated data may be lost. | During the outage, ensure that there are enough provisioned RUs in the remaining regions to support additional traffic. <p/> When the outage is over, you may re-adjust provisioned RUs as appropriate. If possible, Cosmos DB will automatically recover non-replicated data in the failed region using the configured conflict resolution method for SQL API accounts, and Last Write Wins for accounts using other APIs. |
## Next steps
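Review bot: the rewritten table rows introduce typos: "consistenvy" in both single-write-region rows (should be "consistency") and "unavilable" in the multiple-write-regions row (should be "unavailable"); "<15mins" should be written out as "less than 15 minutes". The link text "this section" pointing at consistency-levels.md#rto would also be clearer if it named the target, for example "the RTO and RPO section of Consistency levels".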
cosmos-db Spark Connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/spark-connector.md
Title: Connect Apache Spark to Azure Cosmos DB
-description: Learn about the Azure Cosmos DB Spark connector that enables you to connect Apache Spark to Azure Cosmos DB.
-
+ Title: Connect Apache Spark 2 to Azure Cosmos DB
+description: Learn about the Azure Cosmos DB Spark 2 OLTP connector that enables you to connect Apache Spark to Azure Cosmos DB.
+ Previously updated : 05/21/2019- Last updated : 04/06/2021+
-# Accelerate big data analytics by using the Apache Spark to Azure Cosmos DB connector
+# Accelerate big data analytics by using the Apache Spark v2 to Azure Cosmos DB OLTP connector
[!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)]
-You can run [Spark](https://spark.apache.org/) jobs with data stored in Azure Cosmos DB using the Cosmos DB Spark connector. Cosmos can be used for batch and stream processing, and as a serving layer for low latency access.
+You can run [Spark v2](https://spark.apache.org/) jobs with data stored in Azure Cosmos DB using the Cosmos DB Spark 2 OLTP connector. Cosmos can be used for batch and stream processing, and as a serving layer for low latency access.
You can use the connector with [Azure Databricks](https://azure.microsoft.com/services/databricks) or [Azure HDInsight](https://azure.microsoft.com/services/hdinsight/), which provide managed Spark clusters on Azure. The following table shows supported Spark versions.
You can use the connector with [Azure Databricks](https://azure.microsoft.com/se
> For Cosmos DB Cassandra API, use the [Cassandra Spark connector](https://github.com/datastax/spark-cassandra-connector). > [!IMPORTANT]
-> The Azure Cosmos DB Spark connector is not currently supported on [serverless](serverless.md) accounts. This will be addressed as the serverless offer becomes generally available.
+> The Azure Cosmos DB Spark OLTP connector is not currently supported on [serverless](serverless.md) accounts. This will be addressed as the serverless offer becomes generally available.
## Quickstart
cosmos-db Sql Api Sdk Async Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-async-java.md
ms.devlang: java Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api > * [REST Resource Provider](/azure/azure-resource-manager/management/azure-services-resource-providers)
cosmos-db Sql Api Sdk Bulk Executor Dot Net https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-bulk-executor-dot-net.md
ms.devlang: dotnet Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Bulk Executor Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-bulk-executor-java.md
ms.devlang: java Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Dotnet Changefeed https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-dotnet-changefeed.md
ms.devlang: dotnet Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api > * [REST Resource Provider](/rest/api
cosmos-db Sql Api Sdk Dotnet Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-dotnet-core.md
ms.devlang: dotnet Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api > * [REST Resource Provider](/azure/azure-resource-manager/management/azure-services-resource-providers)
cosmos-db Sql Api Sdk Dotnet Standard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-dotnet-standard.md
ms.devlang: dotnet Previously updated : 10/07/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-dotnet.md
ms.devlang: dotnet Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Java Spark V3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-java-spark-v3.md
+
+ Title: 'Azure Cosmos DB Apache Spark 3 OLTP Connector for SQL API (Preview) release notes and resources'
+description: Learn about the Azure Cosmos DB Apache Spark 3 OLTP Connector for SQL API (Preview), including release dates, retirement dates, and changes made between each version of the Azure Cosmos DB SQL Java SDK.
+++
+ms.devlang: java
+ Last updated : 04/06/2021++++
+# Azure Cosmos DB Apache Spark 3 OLTP Connector for Core (SQL) API (Preview): Release notes and resources
+
+> [!div class="op_single_selector"]
+> * [.NET SDK v3](sql-api-sdk-dotnet-standard.md)
+> * [.NET SDK v2](sql-api-sdk-dotnet.md)
+> * [.NET Core SDK v2](sql-api-sdk-dotnet-core.md)
+> * [.NET Change Feed SDK v2](sql-api-sdk-dotnet-changefeed.md)
+> * [Node.js](sql-api-sdk-node.md)
+> * [Java SDK v4](sql-api-sdk-java-v4.md)
+> * [Async Java SDK v2](sql-api-sdk-async-java.md)
+> * [Sync Java SDK v2](sql-api-sdk-java.md)
+> * [Spring Data v2](sql-api-sdk-java-spring-v2.md)
+> * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
+> * [Python](sql-api-sdk-python.md)
+> * [REST](/rest/api/cosmos-db/)
+> * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
+> * [SQL](./sql-query-getting-started.md)
+> * [Bulk executor - .NET v2](sql-api-sdk-bulk-executor-dot-net.md)
+> * [Bulk executor - Java](sql-api-sdk-bulk-executor-java.md)
+
+**Azure Cosmos DB Spark 3 OLTP connector (Preview)** provides Apache Spark v3 support for Azure Cosmos DB using
+the SQL API.
+[Azure Cosmos DB](introduction.md) is a globally-distributed database service which allows
+developers to work with data using a variety of standard APIs, such as SQL, MongoDB, Cassandra, Graph, and Table.
+
+> [!Note]
+> This version of Azure Cosmos DB Spark 3 OLTP connector is a Preview build.
+> This build hasn't been load or performance tested.
+> This build isn't recommended for use in production scenarios.
+>
+
+## Documentation
+
+- [Getting started](https://github.com/Azure/azure-sdk-for-jav)
+- [Catalog API](https://github.com/Azure/azure-sdk-for-jav)
+- [Configuration Parameter Reference](https://github.com/Azure/azure-sdk-for-jav)
++
+## Version compatibility
+
+| Connector | Spark | Minimum Java version | Supported Scala versions |
+| - | - | -- | -- |
+| 4.0.0-beta.1 | 3.1.1 | 8 | 2.12 |
+
+## Download
+
+You can use the maven coordinate of the jar to auto install the Spark Connector to your Databricks Runtime 8 from Maven:
+`com.azure.cosmos.spark:azure-cosmos-spark_3-1_2-12:4.0.0-beta.1`
+
+You can also integrate against Cosmos DB Spark Connector in your SBT project:
+```scala
+libraryDependencies += "com.azure.cosmos.spark" % "azure-cosmos-spark_3-1_2-12" % "4.0.0-beta.1"
+```
+
+Cosmos DB Spark Connector is available on [Maven Central Repo](https://search.maven.org/artifact/com.azure.cosmos.spark/azure-cosmos-spark_3-1_2-12/4.0.0-beta.1/jar).
+
+### General
+
+If you encounter any bug, please file an issue [here](https://github.com/Azure/azure-sdk-for-java/issues/new).
+
+To suggest a new feature or changes that could be made, file an issue the same way you would for a bug.
++
+## Next steps
+
+Review our [quickstart guide for working with Azure Cosmos DB Spark 3 OLTP connector](create-sql-api-spark.md).
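Review bot: the three Documentation links (`- [Getting started](https://github.com/Azure/azure-sdk-for-jav)`, `- [Catalog API](...)`, `- [Configuration Parameter Reference](...)`) all point to the same truncated URL `azure-sdk-for-jav`, so none of them resolves and they do not distinguish the three pages; each needs its full path inside the azure-sdk-for-java repository. The `+description:` line still says the page covers "changes made between each version of the Azure Cosmos DB SQL Java SDK" although this is the Spark 3 OLTP Connector's own release notes. The lines holding only `+` after the Documentation list and after the General section look like stray characters rather than content, and `> [!Note]` should be `> [!NOTE]` to match the alert blocks elsewhere in this set. The Preview note (not load or performance tested, not for production) is the right caveat; consider repeating it next to the Maven coordinate in Download, since that coordinate is what readers copy into a cluster.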
cosmos-db Sql Api Sdk Java Spark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-java-spark.md
Title: 'Cosmos DB Apache Spark Connector for SQL API release notes and resources'
-description: Learn about the Azure Cosmos DB Apache Spark Connector for SQL API, including release dates, retirement dates, and changes made between each version of the Azure Cosmos DB SQL Async Java SDK.
+ Title: 'Azure Cosmos DB Apache Spark 2 OLTP Connector for SQL API release notes and resources'
+description: Learn about the Azure Cosmos DB Apache Spark 2 OLTP Connector for SQL API, including release dates, retirement dates, and changes made between each version of the Azure Cosmos DB SQL Async Java SDK.
ms.devlang: java Previously updated : 08/12/2020 Last updated : 04/06/2021
-# Azure Cosmos DB Apache Spark Connector for Core (SQL) API: Release notes and resources
+# Azure Cosmos DB Apache Spark 2 OLTP Connector for Core (SQL) API: Release notes and resources
[!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)] > [!div class="op_single_selector"]
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
> * [Bulk executor - .NET v2](sql-api-sdk-bulk-executor-dot-net.md) > * [Bulk executor - Java](sql-api-sdk-bulk-executor-java.md)
-You can accelerate big data analytics by using the Azure Cosmos DB Apache Spark Connector for Core (SQL). The Spark Connector allows you to run [Spark](https://spark.apache.org/) jobs on data stored in Azure Cosmos DB. Batch and stream processing are supported.
+You can accelerate big data analytics by using the Azure Cosmos DB Apache Spark 2 OLTP Connector for Core (SQL). The Spark Connector allows you to run [Spark](https://spark.apache.org/) jobs on data stored in Azure Cosmos DB. Batch and stream processing are supported.
You can use the connector with [Azure Databricks](https://azure.microsoft.com/services/databricks) or [Azure HDInsight](https://azure.microsoft.com/services/hdinsight/), which provide managed Spark clusters on Azure. The following table shows supported versions:
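Review bot: the `+description:` line still says the article describes "changes made between each version of the Azure Cosmos DB SQL Async Java SDK", which does not match the renamed title (Spark 2 OLTP Connector); it should name the connector. In the renamed first paragraph, "The Spark Connector allows you to run ..." still uses the old short name right after "Spark 2 OLTP Connector" was introduced; now that a Spark 3 connector exists, keep the versioned name so readers know which one the supported-versions table below refers to.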
cosmos-db Sql Api Sdk Java Spring V2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-java-spring-v2.md
ms.devlang: java Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Java Spring V3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-java-spring-v3.md
ms.devlang: java Previously updated : 03/15/2021- Last updated : 04/06/2021+
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Java V4 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-java-v4.md
ms.devlang: java Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-java.md
ms.devlang: java Previously updated : 12/18/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Node https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-node.md
ms.devlang: nodejs Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cosmos-db Sql Api Sdk Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-python.md
ms.devlang: python Previously updated : 08/12/2020 Last updated : 04/06/2021
> * [Sync Java SDK v2](sql-api-sdk-java.md) > * [Spring Data v2](sql-api-sdk-java-spring-v2.md) > * [Spring Data v3](sql-api-sdk-java-spring-v3.md)
-> * [Spark Connector](sql-api-sdk-java-spark.md)
+> * [Spark 3 OLTP Connector](sql-api-sdk-java-spark-v3.md)
+> * [Spark 2 OLTP Connector](sql-api-sdk-java-spark.md)
> * [Python](sql-api-sdk-python.md) > * [REST](/rest/api/cosmos-db/) > * [REST Resource Provider](/rest/api/cosmos-db-resource-provider/)
cost-management-billing Programmatically Create Subscription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/programmatically-create-subscription.md
Last updated 03/11/2021 -+ # Create Azure subscriptions programmatically
data-factory Connector Azure Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-sql-database.md
For different authentication types, refer to the following sections on prerequis
- [Azure AD application token authentication: Managed identities for Azure resources](#managed-identity) >[!TIP]
->If you hit an error with the error code "UserErrorFailedToConnectToSqlServer" and a message like "The session limit for the database is XXX and has been reached," add `Pooling=false` to your connection string and try again.
+>If you hit an error with the error code "UserErrorFailedToConnectToSqlServer" and a message like "The session limit for the database is XXX and has been reached," add `Pooling=false` to your connection string and try again. `Pooling=false` is also recommended for **SHIR(Self Hosted Integration Runtime)** type linked service setup. Pooling and other connection parameters can be added as new parameter names and values in **Additional connection properties** section of linked service creation form.
### SQL authentication
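Review bot: the added recommendation of `Pooling=false` for every SHIR linked service gives no reason, and disabling pooling changes connection behaviour for all activities on that runtime (each run opens and closes its own connection); state the condition it is meant to address, e.g. the session-limit error described in the same tip, so readers do not apply it blindly. Style: `**SHIR(Self Hosted Integration Runtime)**` needs a space and should read "a self-hosted integration runtime (SHIR)", and "in **Additional connection properties** section" is missing "the".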
data-factory Managed Virtual Network Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/managed-virtual-network-private-endpoint.md
Interactive authoring capabilities is used for functionalities like test connect
![Interactive authoring](./media/managed-vnet/interactive-authoring.png)
+## Create managed virtual network via Azure PowerShell
+```powershell
+$subscriptionId = ""
+$resourceGroupName = ""
+$factoryName = ""
+$managedPrivateEndpointName = ""
+$integrationRuntimeName = ""
+$apiVersion = "2018-06-01"
+$privateLinkResourceId = ""
+
+$vnetResourceId = "subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.DataFactory/factories/${factoryName}/managedVirtualNetworks/default"
+$privateEndpointResourceId = "subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.DataFactory/factories/${factoryName}/managedVirtualNetworks/default/managedprivateendpoints/${managedPrivateEndpointName}"
+$integrationRuntimeResourceId = "subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.DataFactory/factories/${factoryName}/integrationRuntimes/${integrationRuntimeName}"
+
+# Create managed Virtual Network resource
+New-AzResource -ApiVersion "${apiVersion}" -ResourceId "${vnetResourceId}"
+
+# Create managed private endpoint resource
+New-AzResource -ApiVersion "${apiVersion}" -ResourceId "${privateEndpointResourceId}" -Properties @{
+ privateLinkResourceId = "${privateLinkResourceId}"
+ groupId = "blob"
+ }
+
+# Create integration runtime resource enabled with VNET
+New-AzResource -ApiVersion "${apiVersion}" -ResourceId "${integrationRuntimeResourceId}" -Properties @{
+ type = "Managed"
+ typeProperties = @{
+ computeProperties = @{
+ location = "AutoResolve"
+ dataFlowProperties = @{
+ computeType = "General"
+ coreCount = 8
+ timeToLive = 0
+ }
+ }
+ }
+ managedVirtualNetwork = @{
+ type = "ManagedVirtualNetworkReference"
+ referenceName = "default"
+ }
+ }
+
+```
+ ## Limitations and known issues ### Supported Data Sources Below data sources are supported to connect through private link from ADF Managed Virtual Network.
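Review bot: `groupId = "blob"` in the managed private endpoint properties is hard-coded to the Storage blob sub-resource while `$privateLinkResourceId = ""` is left as a free placeholder; either make the group ID a variable next to it or state that this sample targets a blob storage account and that `groupId` must match the target resource type. The empty placeholders at the top (`$subscriptionId = ""` through `$privateLinkResourceId = ""`) carry no comments saying what to fill in; `$privateLinkResourceId` in particular should be described as the full ARM resource ID of the service the endpoint connects to. The resource IDs are built without a leading slash (`"subscriptions/${subscriptionId}/..."`) whereas ARM IDs are conventionally written `/subscriptions/...`; confirm `New-AzResource -ResourceId` accepts the slash-less form or prepend `/`. Finally, the new heading is followed directly by the code fence; one sentence saying the script creates the managed virtual network, a managed private endpoint and a VNet-enabled integration runtime, and that it needs the Az.Resources module, would help.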
data-factory Quickstart Create Data Factory Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/quickstart-create-data-factory-python.md
Pipelines can ingest data from disparate data stores. Pipelines process or trans
* [Azure Storage Explorer](https://storageexplorer.com/) (optional).
-* [An application in Azure Active Directory](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Make note of the following values to use in later steps: **application ID**, **authentication key**, and **tenant ID**. Assign application to the **Contributor** role by following instructions in the same article. Make note of the following values as shown in the article to use in later steps: **application ID (service principal id below), authentication key (client secret below), and tenant ID.**
+* [An application in Azure Active Directory](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Create the application by following the steps in this link, and assign the application to the **Contributor** role by following instructions in the same article. Make note of the following values as shown in the article to use in later steps: **application ID (service principal id below), authentication key (client secret below), and tenant ID.**
## Create and upload an input file
You define a dataset that represents the source data in Azure Blob. This Blob da
rg_name, df_name, dsOut_name, dsOut_azure_blob) print_item(dsOut) ```
- > [!NOTE]
- > The To pass parameters to the pipeline, add them to the json string params_for_pipeline shown below in the format **{ ΓÇ£ParameterName1ΓÇ¥ : ΓÇ£ParameterValue1ΓÇ¥ }** for each of the parameters needed in the pipeline. To pass parameters to a dataflow, create a pipeline parameter to hold the parameter name/value, and then consume the pipeline parameter in the dataflow parameter in the format **@pipeline().parameters.parametername.**
## Create a pipeline
Add the following code to the **Main** method that creates a **pipeline with a c
copy_activity = CopyActivity(name=act_name,inputs=[dsin_ref], outputs=[dsOut_ref], source=blob_source, sink=blob_sink) #Create a pipeline with the copy activity
+
+ #Note1: To pass parameters to the pipeline, add them to the json string params_for_pipeline shown below in the format { ΓÇ£ParameterName1ΓÇ¥ : ΓÇ£ParameterValue1ΓÇ¥ } for each of the parameters needed in the pipeline.
+ #Note2: To pass parameters to a dataflow, create a pipeline parameter to hold the parameter name/value, and then consume the pipeline parameter in the dataflow parameter in the format @pipeline().parameters.parametername.
+
+ p_name = 'copyPipeline'
+ params_for_pipeline = {}
+ p_name = 'copyPipeline' params_for_pipeline = {} p_obj = PipelineResource(activities=[copy_activity], parameters=params_for_pipeline)
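Review bot: the added comment `#Note1:` contains mojibake quote characters (`{ ΓÇ£ParameterName1ΓÇ¥ : ΓÇ£ParameterValue1ΓÇ¥ }`), carried over from the removed NOTE block; in a Python source comment use plain ASCII quotes, `{ "ParameterName1" : "ParameterValue1" }`. The same comment calls `params_for_pipeline` a "json string", but the line below defines it as a Python dictionary (`params_for_pipeline = {}`), so say "dictionary". The added `p_name = 'copyPipeline'` and `params_for_pipeline = {}` assignments also appear again on the unchanged line that follows, so the sample now seems to define them twice; verify and drop one copy.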
databox-online Azure Stack Edge Gpu Back Up Virtual Machine Disks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-back-up-virtual-machine-disks.md
Before you back up VMs, make sure that:
PS C:\Users\user> ```
+ You can also use Storage Explorer to verify that the snapshot was copied correctly to the storage account.
+
+ ![Storage Explorer showing the backup in the container in local storage account](media/azure-stack-edge-gpu-back-up-virtual-machine-disks/back-up-virtual-machine-disk-1.png)
+ ## Download VHD to external target To move your backups to an external location, you can use Azure Storage Explorer or AzCopy.
To move your backups to an external location, you can use Azure Storage Explorer
azcopy copy "https://<local storage account name>.blob.<device name>.<DNS domain>/<container name>/<filename><SAS query string>" <destination target> ``` -- To set up and use Azure Storage Explorer with Azure Stack Edge, see the instructions contained in [Use Storage Explorer for upload](azure-stack-edge-gpu-deploy-virtual-machine-templates.md#use-storage-explorer-for-upload).
+- To set up and use Azure Storage Explorer with Azure Stack Edge, see the instructions in [Use Storage Explorer for upload](azure-stack-edge-gpu-deploy-virtual-machine-templates.md#use-storage-explorer-for-upload).
## Next steps
databox-online Azure Stack Edge Gpu Create Certificates Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-create-certificates-tool.md
First, you'll generate a proper folder structure and place the certificates in t
2. To generate the appropriate folder structure, at the prompt type:
- `New-AzsCertificateFolder -CertificateType AzureStackEdge -OutputPath "$ENV:USERPROFILE\Documents\AzureStackCSR"`
+ `New-AzsCertificateFolder -CertificateType AzureStackEdgeDevice -OutputPath "$ENV:USERPROFILE\Documents\AzureStackCSR"`
3. Convert the PFX password into a secure string. Type:
First, you'll generate a proper folder structure and place the certificates in t
4. Next, validate the certificates. Type:
- `Invoke-AzsCertificateValidation -CertificateType AzureStackEdge -DeviceName mytea1 -NodeSerialNumber VM1500-00025 -externalFQDN azurestackedge.contoso.com -CertificatePath $ENV:USERPROFILE\Documents\AzureStackCSR\AzureStackEdge -pfxPassword $pfxPassword`
+ `Invoke-AzsCertificateValidation -CertificateType AzureStackEdgeDevice -DeviceName mytea1 -NodeSerialNumber VM1500-00025 -externalFQDN azurestackedge.contoso.com -CertificatePath $ENV:USERPROFILE\Documents\AzureStackCSR\AzureStackEdge -pfxPassword $pfxPassword`
## Next steps
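Review bot: `-CertificateType` is changed to `AzureStackEdgeDevice` in both commands, but the validation command still passes `-CertificatePath $ENV:USERPROFILE\Documents\AzureStackCSR\AzureStackEdge`; verify that `New-AzsCertificateFolder -CertificateType AzureStackEdgeDevice` still creates a subfolder named `AzureStackEdge`, otherwise `Invoke-AzsCertificateValidation` will look in the wrong directory and the validation step will fail.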
dev-spaces Ingress Https Nginx https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/dev-spaces/how-to/ingress-https-nginx.md
Last updated "12/10/2019"
description: "Learn how to configure Azure Dev Spaces to use a custom NGINX ingress controller and configure HTTPS using that ingress controller" keywords: "Docker, Kubernetes, Azure, AKS, Azure Kubernetes Service, containers, Helm, service mesh, service mesh routing, kubectl, k8s"-+ # Use a custom NGINX ingress controller and configure HTTPS
dev-spaces Ingress Https Traefik https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/dev-spaces/how-to/ingress-https-traefik.md
Last updated "12/10/2019"
description: "Learn how to configure Azure Dev Spaces to use a custom traefik ingress controller and configure HTTPS using that ingress controller" keywords: "Docker, Kubernetes, Azure, AKS, Azure Kubernetes Service, containers, Helm, service mesh, service mesh routing, kubectl, k8s"-+ # Use a custom traefik ingress controller and configure HTTPS
devtest-labs Resource Group Control https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/devtest-labs/resource-group-control.md
If you're using an Azure Resource Manager template to create a lab, use the **vm
{ "type": "microsoft.devtestlab/labs", "name": "[parameters('lab_name')]",
- "apiVersion": "2018_10_15_preview",
+ "apiVersion": "2018-10-15-preview",
"location": "eastus", "tags": {}, "scale": null,
You have the following options as a lab owner when using this API:
This setting applies to new virtual machines created in the lab. The older VMs in your lab that were created in their own resource groups remain unaffected. Environments that are created in your lab continue to remain in their own resource groups. How to use this API:-- Use API version **2018_10_15_preview**.
+- Use API version **2018-10-15-preview**.
- If you specify a new resource group, ensure that you have **write permissions on resource groups** in your subscription. If you lack write permissions, creating new virtual machines in the specified resource group will fail. - While using the API, pass in the **full resource group ID**. For example: `/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>`. Ensure that the resource group is in the same subscription as the lab.
devtest-labs Tutorial Use Custom Lab https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/devtest-labs/tutorial-use-custom-lab.md
If you don't have an Azure subscription, create a [free account](https://azure.m
1. Select your VM in the list. You see the **Virtual Machine page** for your VM. Select **Connect** on the toolbar. ![Connect to virtual machine](./media/tutorial-use-custom-lab/connect-button.png)
-2. Save the downloaded **RDP** file your hard disk and use it to connect to the virtual machine. Specify the user name and password you mentioned when the VM was created in the previous section.
+2. Save the downloaded **RDP** file on your hard disk and use it to connect to the virtual machine. Specify the user name and password you mentioned when the VM was created in the previous section.
To connect to a Linux VM, SSH and/or RDP access must be enabled for the VM. For steps to connect to a Linux VM via RDP, see [Install and configure Remote Desktop to connect to a Linux VM in Azure](../virtual-machines/linux/use-remote-desktop.md).
digital-twins How To Use Apis Sdks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-use-apis-sdks.md
The following list provides additional detail and general guidelines for using t
* You can use an HTTP REST-testing tool like Postman to make direct calls to the Azure Digital Twins APIs. For more information about this process, see [*How-to: Make requests with Postman*](how-to-use-postman.md). * To use the SDK, instantiate the `DigitalTwinsClient` class. The constructor requires credentials that can be obtained with a variety of authentication methods in the `Azure.Identity` package. For more on `Azure.Identity`, see its [namespace documentation](/dotnet/api/azure.identity). * You may find the `InteractiveBrowserCredential` useful while getting started, but there are several other options, including credentials for [managed identity](/dotnet/api/azure.identity.interactivebrowsercredential), which you will likely use to authenticate [Azure functions set up with MSI](../app-service/overview-managed-identity.md?tabs=dotnet) against Azure Digital Twins. For more about `InteractiveBrowserCredential`, see its [class documentation](/dotnet/api/azure.identity.interactivebrowsercredential).
+* Requests to the Azure Digital Twins APIs require a User or Service Principal that is a part of the same [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) tenant where the Azure Digital Twins instance resides. To prevent bad actors from scanning URLs to discover where Azure Digital Twins instances live, requests with access tokens from outside the originating tenant will be returned a "404 Sub-Domain not found" error message. This error will be returned *even if* the User or Service Principal was given an Azure Digital Twins Data Owner or Azure Digital Twins Data Reader role through [Azure AD B2B](../active-directory/external-identities/what-is-b2b.md) collaboration.
* All service API calls are exposed as member functions on the `DigitalTwinsClient` class. * All service functions exist in synchronous and asynchronous versions. * All service functions throw an exception for any return status of 400 or above. Make sure you wrap calls into a `try` section, and catch at least `RequestFailedExceptions`. For more about this type of exception, see [here](/dotnet/api/azure.requestfailedexception).
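Review bot: in the added bullet, "requests with access tokens from outside the originating tenant will be returned a "404 Sub-Domain not found" error message" should read "will receive a ... response". The security rationale (a 404 rather than a 403 so that instance subdomains cannot be enumerated from another tenant) is worth keeping as is; it would help to add one sentence that the practical consequence is that the caller's identity must live in the instance's own tenant, and B2B guest access is not a workaround. On the unchanged bullet above, the "managed identity" link points to the `InteractiveBrowserCredential` API page (`/dotnet/api/azure.identity.interactivebrowsercredential`); it should link to the `ManagedIdentityCredential` class instead.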
The following list provides additional detail and general guidelines for using t
* You can iterate over paged results using an `await foreach` loop. For more about this process, see [here](/archive/msdn-magazine/2019/november/csharp-iterating-with-async-enumerables-in-csharp-8). * The underlying SDK is `Azure.Core`. See the [Azure namespace documentation](/dotnet/api/azure) for reference on the SDK infrastructure and types. + Service methods return strongly-typed objects wherever possible. However, because Azure Digital Twins is based on models custom-configured by the user at runtime (via DTDL models uploaded to the service), many service APIs take and return twin data in JSON format. ## Monitor API metrics
See how to make direct requests to the APIs using Postman:
* [*How-to: Make requests with Postman*](how-to-use-postman.md) Or, practice using the .NET SDK by creating a client app with this tutorial:
-* [*Tutorial: Code a client app*](tutorial-code.md)
+* [*Tutorial: Code a client app*](tutorial-code.md)
digital-twins How To Use Tags https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-use-tags.md
Here is an example that populates the marker `tags` for three twins:
:::code language="csharp" source="~/digital-twins-docs-samples/sdks/csharp/twin_operations_other.cs" id="TagPropertiesMarker":::
+Here is a code example on how to set the marker `tags` for a twin using the [.NET SDK](/dotnet/api/overview/azure/digitaltwins/client):
++ ### Query with marker tags Once tags have been added to digital twins, the tags can be used to filter the twins in queries.
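Review bot: the added sentence "Here is a code example on how to set the marker `tags` for a twin using the .NET SDK:" promises a code sample, but nothing follows it; the next lines are a lone `+` and the `### Query with marker tags` heading. Either add the intended `:::code ... :::` include after it or drop the sentence, which as written also duplicates the preceding "Here is an example that populates the marker `tags` for three twins" and its `TagPropertiesMarker` snippet.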
Read more about designing and managing digital twin models:
* [*How-to: Manage DTDL models*](how-to-manage-model.md) Read more about querying the twin graph:
-* [*How-to: Query the twin graph*](how-to-query-graph.md)
+* [*How-to: Query the twin graph*](how-to-query-graph.md)
digital-twins Reference Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/reference-service-limits.md
These are the service limits of Azure Digital Twins.
[!INCLUDE [Azure Digital Twins limits](../../includes/digital-twins-limits.md)]
+## Working with limits
+
+When a limit is reached, the service throttles additional requests. This will result in a 404 error response from these requests.
+
+To manage this, here are some recommendations for working with limits.
+* **Use retry logic.** The [Azure Digital Twins SDKs](how-to-use-apis-sdks.md) implement retry logic for failed requests, so if you are working with a provided SDK, this is already built-in. Otherwise, consider implementing retry logic in your own application. The service sends back a `Retry-After` header in the failure response, which you can use to determine how long to wait before retrying.
+* **Use thresholds and notifications to warn about approaching limits.** Some of the service limits for Azure Digital Twins have corresponding [metrics](troubleshoot-metrics.md) that can be used to track usage in these areas. To configure thresholds and set up an alert on any metric when a threshold is approached, see the instructions in [*Troubleshooting: Set up alerts*](troubleshoot-alerts.md). To set up notifications for other limits where metrics aren't provided, consider implementing this logic in your own application code.
+ ## Next steps Learn more about the current release of Azure Digital Twins in the service overview:
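Review bot: "This will result in a 404 error response from these requests" looks wrong for throttling; the same section says the service returns a `Retry-After` header in the failure response, which is paired with 429 Too Many Requests, not with 404 (which would also be confused with the 404 "Sub-Domain not found" response documented for cross-tenant calls). Please verify the status code with the service team and correct it. Minor: "throttles additional requests" reads better as "throttles further requests".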
dms Tutorial Oracle Azure Postgresql Online https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/dms/tutorial-oracle-azure-postgresql-online.md
-
event-grid Cloudevents Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/cloudevents-schema.md
You can use Event Grid for both input and output of events in the CloudEvents sc
Event Grid resource | Input schema | Delivery schema ||-|
-| System Topics | Event Grid schema | Event Grid schema or CloudEvents schema
-| User Topics/Domains | Event Grid schema | Event Grid schema or CloudEvents schema
-| User Topics/Domains | CloudEvents schema | CloudEvents schema
-| User Topics/Domains | Custom schema | Custom schema, Event Grid schema, or CloudEvents schema
-| PartnerTopics | CloudEvents schema | CloudEvents schema
+| System topics | Event Grid schema | Event Grid schema or CloudEvents schema
+| Custom topics/domains | Event Grid schema | Event Grid schema or CloudEvents schema
+| Custom topics/domains | CloudEvents schema | CloudEvents schema
+| Custom topics/domains | Custom schema | Custom schema, Event Grid schema, or CloudEvents schema
+| Partner topics | CloudEvents schema | CloudEvents schema
For all event schemas, Event Grid requires validation when you're publishing to an Event Grid topic and when you're creating an event subscription.
event-grid Event Domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-domains.md
Title: Event Domains in Azure Event Grid description: This article describes how to use event domains to manage the flow of custom events to your various business organizations, customers, or applications. Previously updated : 07/07/2020 Last updated : 04/13/2021 # Understand event domains for managing Event Grid topics
This article describes how to use event domains to manage the flow of custom eve
An event domain is a management tool for large numbers of Event Grid topics related to the same application. You can think of it as a meta-topic that can have thousands of individual topics.
-Event domains make available to you the same architecture used by Azure services (like Storage and IoT Hub) to publish their events. They allow you to publish events to thousands of topics. Domains also give you authorization and authentication control over each topic so you can partition your tenants.
+Event domains provide you the same architecture used by Azure services like Storage and IoT Hub to publish their events. They allow you to publish events to thousands of topics. Domains also give you authorization and authentication control over each topic so you can partition your tenants.
## Example use case [!INCLUDE [event-grid-domain-example-use-case.md](../../includes/event-grid-domain-example-use-case.md)]
For information about these roles, see [Built-in roles for Event Grid](security-
Subscribing to events on a topic within an event domain is the same as [creating an Event Subscription on a custom topic](./custom-event-quickstart.md) or subscribing to an event from an Azure service.
+> [!IMPORTANT]
+> Domain topic is considered an **auto-managed** resource in Event Grid. You can create an event subscription at the domain topic scope without creating the domain topic. In this case, Event Grid automatically creates the domain topic on your behalf. Of course, you can still choose to create the domain topic manually. This behavior allows you to worry about one less resource when dealing with a huge number of domain topics. When the last subscription to a domain topic is deleted, the domain topic is also deleted irrespective of whether the domain topic was manually created or auto-created.
+ ### Domain scope subscriptions Event domains also allow for domain-scope subscriptions. An event subscription on an event domain will receive all events sent to the domain regardless of the topic the events are sent to. Domain scope subscriptions can be useful for management and auditing purposes.
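Review bot: the IMPORTANT block says a domain topic is deleted when its last subscription is removed, "irrespective of whether the domain topic was manually created or auto-created". Since the article states that domains give you authorization control over each topic, the note should say what happens to permissions scoped to a domain topic that is auto-deleted, and whether a later subscription recreates it without those assignments; otherwise a tenant's per-topic access boundary can silently disappear and reappear. Wording: "Domain topic is considered" should be "A domain topic is considered", and "This behavior allows you to worry about one less resource" is informal for an IMPORTANT alert; "This means you don't have to manage the domain topic resource yourself" is clearer.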
Here are the limits and quotas related to event domains:
- 50 domain scope subscriptions - 5,000 events per second ingestion rate (into a domain)
-If these limits don't suit you, reach out the product team by opening a support ticket or by sending an email to [askgrid@microsoft.com](mailto:askgrid@microsoft.com).
+If these limits don't suit you, open a support ticket or send an email to [askgrid@microsoft.com](mailto:askgrid@microsoft.com).
## Pricing Event domains use the same [operations pricing](https://azure.microsoft.com/pricing/details/event-grid/) that all other features in Event Grid use.
event-grid Secure Webhook Delivery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/secure-webhook-delivery.md
Title: Secure WebHook delivery with Azure AD in Azure Event Grid description: Describes how to deliver events to HTTPS endpoints protected by Azure Active Directory using Azure Event Grid Previously updated : 03/20/2021 Last updated : 04/13/2021 # Publish events to Azure Active Directory protected endpoints
This article describes how to use Azure Active Directory (Azure AD) to secure th
This article uses the Azure portal for demonstration, however the feature can also be enabled using CLI, PowerShell, or the SDKs.
+> [!IMPORTANT]
+> Additional access check has been introduced as part of create or update of event subscription on March 30, 2021 to address a security vulnerability. The subscriber client's service principal needs to be either an owner or have a role assigned on the destination application service principal. Please reconfigure your AAD Application following the new instructions below.
+ ## Create an Azure AD Application Register your Webhook with Azure AD by creating an Azure AD application for your protected endpoint. See [Scenario: Protected web API](https://docs.microsoft.com/azure/active-directory/develop/scenario-protected-web-api-overview). Configure your protected API to be called by a daemon app.
Write-Host $myAppRoles
```
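Review bot: the callout "Additional access check has been introduced ... to address a security vulnerability" is repeated verbatim further down under "Create role assignment for the client creating event subscription"; keep a single copy (the lower one sits next to the reconfiguration steps it refers to). The note should also tell readers what the check means for existing event subscriptions, for example whether an update to an existing subscription now fails until the subscriber client's service principal is an owner of, or has a role assigned on, the destination application service principal. Grammar: "An additional access check was introduced on March 30, 2021 ...".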
-### Create a role Assignment
+### Create role assignment for the client creating event subscription
The role assignment should be created in the Webhook Azure AD App for the AAD app or AAD user creating the event subscription. Use one of the scripts below depending on whether an AAD app or AAD user is creating the event subscription.
-#### Option A. Create a role assignment for event subscription AAD app
+> [!IMPORTANT]
+> Additional access check has been introduced as part of create or update of event subscription on March 30, 2021 to address a security vulnerability. The subscriber client's service principal needs to be either an owner or have a role assigned on the destination application service principal. Please reconfigure your AAD Application following the new instructions below.
+
+#### Create role assignment for an event subscription AAD app
```powershell # This is the app id of the application which will create event subscription. Set to $null if you are not assigning the role to app.
if ($eventSubscriptionWriterSP -eq $null)
} Write-Host "Creating the Azure Ad App Role assignment for application: " $eventSubscriptionWriterAppId
-New-AzureADServiceAppRoleAssignment -Id $myApp.AppRoles[0].Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventSubscriptionWriterSP.ObjectId -PrincipalId $eventSubscriptionWriterSP.ObjectId
+$eventGridAppRole = $myApp.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
+New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventSubscriptionWriterSP.ObjectId -PrincipalId $eventSubscriptionWriterSP.ObjectId
```
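Review bot: resolving the app role by display name is the right replacement for the hard-coded `$myApp.AppRoles[0]`, but `Where-Object` returns `$null` when no role named `$eventGridRoleName` exists, and `$eventGridAppRole.Id` then silently passes `$null` as `-Id` to `New-AzureADServiceAppRoleAssignment`; `$eventGridRoleName` is also not defined anywhere in the lines shown, so the script should set it or the text should say where it comes from. Add a guard before the assignment, e.g. `if (-not $eventGridAppRole) { throw "App role '$eventGridRoleName' not found on $($myApp.DisplayName)" }`, and select a single object (or throw) if more than one role matches, since `.Id` on an array yields an array.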
-#### Option B. Create a role assignment for event subscription AAD user
+#### Create role assignment for an event subscription AAD user
```powershell # This is the user principal name of the user who will create event subscription. Set to $null if you are not assigning the role to user.
$myServicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $myApp
Write-Host "Creating the Azure Ad App Role assignment for user: " $eventSubscriptionWriterUserPrincipalName $eventSubscriptionWriterUser = Get-AzureAdUser -ObjectId $eventSubscriptionWriterUserPrincipalName
-New-AzureADUserAppRoleAssignment -Id $myApp.AppRoles[0].Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventSubscriptionWriterUser.ObjectId -PrincipalId $eventSubscriptionWriterUser.ObjectId
+$eventGridAppRole = $myApp.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
+New-AzureADUserAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventSubscriptionWriterUser.ObjectId -PrincipalId $eventSubscriptionWriterUser.ObjectId
```
-### Add Event Grid service principal to the role
+### Create role assignment for Event Grid Service principal
Run the New-AzureADServiceAppRoleAssignment command to assign Event Grid service principal to the role you created in the previous step. ```powershell
-New-AzureADServiceAppRoleAssignment -Id $myApp.AppRoles[0].Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId
+$eventGridAppRole = $myApp.AppRoles | Where-Object -Property "DisplayName" -eq -Value $eventGridRoleName
+New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId -PrincipalId $eventGridSP.ObjectId
``` Run the following commands to output information that you'll use later.
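Review bot: `-ObjectId` has lost its argument in the new line: `New-AzureADServiceAppRoleAssignment -Id $eventGridAppRole.Id -ResourceId $myServicePrincipal.ObjectId -ObjectId -PrincipalId $eventGridSP.ObjectId` fails with a missing-argument error for ObjectId because `-PrincipalId` is parsed as the next parameter name. It should follow the two assignments above: `-ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId`. The same null guard on `$eventGridAppRole` that applies to the earlier assignments applies here.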
When creating an event subscription, follow these steps:
1. On the **Additional features** tab, do these steps: 1. Select **Use AAD authentication**, and configure the tenant ID and application ID: 1. Copy the Azure AD tenant ID from the output of the script and enter it in the **AAD Tenant ID** field.
- 1. Copy the Azure AD application ID from the output of the script and enter it in the **AAD Application ID** field.
+ 1. Copy the Azure AD application ID from the output of the script and enter it in the **AAD Application ID** field. Alternatively, you can use the AAD Application ID URI. For more information about application ID URI, see [this article](../app-service/configure-authentication-provider-aad.md).
![Secure Webhook action](./media/secure-webhook-delivery/aad-configuration.png)
event-grid Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/whats-new.md
Azure Event Grid receives improvements on an ongoing basis. To stay up to date w
- Deprecated functionality - Plans for changes
+## 6.1.0-preview (2020-10)
+- [Managed identities for system topics](enable-identity-system-topics.md)
+- [Custom delivery properties](delivery-properties.md)
+- [Storage queue - message time-to-live (TTL)](delivery-properties.md#configure-time-to-live-on-outgoing-events-to-azure-storage-queues)
+- [Advanced filtering improvements](event-filtering.md#advanced-filtering)
+ - Support filtering on array data in incoming events
+ - Allow filtering on CloudEvents extensions context attributes
+ - New operators
+ - StringNotContains
+ - StringNotBeginsWith
+ - StringNotEndsWith
+ - NumberInRange
+ - NumberNotInRange
+ - IsNull
+ - IsNotNull
+- [Allow Event Grid schema to CloudEvents 1.0 schema transformations for custom topics and domains](cloudevents-schema.md#configure-event-grid-for-cloudevents)
+
+ ## 6.0.0 (2020-06) - Add support to new generally available (GA) service API version 2020-06-01. - The new features that became GA:
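Review bot: the sub-items under "Advanced filtering improvements" are indented by a single space, which CommonMark treats as top-level siblings rather than a nested list (items under a `- ` parent need at least two spaces, and the operator names under "New operators" four); indent them accordingly. The `## 6.0.0 (2020-06)` heading also gained a leading space and now has its bullet list run onto the same line.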
expressroute Expressroute Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations.md
The following table shows locations by service provider. If you want to view ava
| **[IX Reach](https://www.ixreach.com/partners/cloud-partners/microsoft-azure/)**|Supported |Supported | Amsterdam, London2, Silicon Valley, Toronto, Washington DC | | **Jaguar Network** |Supported |Supported |Marseille, Paris | | **[Jisc](https://www.jisc.ac.uk/microsoft-azure-expressroute)** |Supported |Supported |London, Newport(Wales) |
-| **[KINX](https://www.kinx.net/service/network/cloudhub/ms-expressroute/?lang=en)** |Supported |Supported |Seoul |
+| **[KINX](https://www.kinx.net/service/cloudhub/ms-expressroute/?lang=en)** |Supported |Supported |Seoul |
| **[Kordia](https://www.kordia.co.nz/cloudconnect)** | Supported |Supported |Auckland, Sydney | | **[KPN](https://www.kpn.com/zakelijk/cloud/connect.htm)** | Supported | Supported | Amsterdam | | **[KT](https://cloud.kt.com/)** | Supported | Supported | Seoul |
The following table shows locations by service provider. If you want to view ava
| **[Spark NZ](https://www.sparkdigital.co.nz/solutions/connectivity/cloud-connect/)** |Supported |Supported |Auckland, Sydney | | **[Sprint](https://business.sprint.com/solutions/cloud-networking/)** |Supported |Supported |Chicago, Silicon Valley, Washington DC | | **[Swisscom](https://www.swisscom.ch/en/business/enterprise/offer/cloud-data-center/microsoft-cloud-services/microsoft-azure-von-swisscom.html)** | Supported | Supported | Geneva, Zurich |
-| **[Tata Communications](https://www.tatacommunications.com/lp/izo/azure/azure_https://docsupdatetracker.net/index.html)** |Supported |Supported |Amsterdam, Chennai, Hong Kong SAR, London, Mumbai, Sao Paulo, Silicon Valley, Singapore, Washington DC |
+| **[Tata Communications](https://www.tatacommunications.com/solutions/network/cloud-ready-networks/)** |Supported |Supported |Amsterdam, Chennai, Hong Kong SAR, London, Mumbai, Sao Paulo, Silicon Valley, Singapore, Washington DC |
| **[Telefonica](https://www.business-solutions.telefonica.com/es/enterprise/solutions/efficient-infrastructure/managed-voice-data-connectivity/)** |Supported |Supported |Amsterdam, Sao Paulo | | **[Telehouse - KDDI](https://www.telehouse.net/solutions/cloud-services/cloud-link)** |Supported |Supported |London, London2, Singapore2 | | **Telenor** |Supported |Supported |Amsterdam, London, Oslo |
If you are remote and don't have fiber connectivity or you want to explore other
| **[Fastweb S.p.A](https://www.fastweb.it/grandi-aziende/connessione-voce-e-wifi/scheda-prodotto/rete-privata-virtuale/)** | Equinix | Amsterdam | | **[Fibrenoire](https://www.fibrenoire.ca/en/cloudextn)** | Megaport | Quebec City | | **[Gtt Communications Inc](https://www.gtt.net)** |Equinix | Washington DC |
-| **[Gulf Bridge International](https://www.gbiinc.com/microsoft-azure-expressroute/)** | Equinix | Amsterdam |
+| **[Gulf Bridge International](https://gbiinc.com/)** | Equinix | Amsterdam |
| **[HSO](https://www.hso.co.uk/products/cloud-direct)** |Equinix | London, Slough | | **[IVedha Inc](http://www.ivedha.com/cloud/manage-azure-cloud/express-route-4/)**| Equinix | Toronto | | **[Kaalam Telecom Bahrain B.S.C](http://www.kalaam-telecom.com/azure/)**| Level 3 Communications |Amsterdam |
firewall Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/deploy-cli.md
az vm create \
--admin-username azureadmin ``` + ## Deploy the firewall Now deploy the firewall into the virtual network.
firewall Deploy Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/deploy-ps.md
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'Micros
New-AzVM -ResourceGroupName Test-FW-RG -Location "East US" -VM $VirtualMachine -Verbose ``` + ## Deploy the firewall Now deploy the firewall into the virtual network.
firewall Tutorial Firewall Deploy Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/tutorial-firewall-deploy-portal.md
Now create the workload virtual machine, and place it in the **Workload-SN** sub
12. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**. 13. Review the settings on the summary page, and then select **Create**. + ## Deploy the firewall Deploy the firewall into the VNet.
firewall Tutorial Firewall Dnat https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/tutorial-firewall-dnat.md
Review the summary, and then select **Create**. This will take a few minutes to
After deployment finishes, note the private IP address for the virtual machine. It will be used later when you configure the firewall. Select the virtual machine name, and under **Settings**, select **Networking** to find the private IP address. + ## Deploy the firewall 1. From the portal home page, select **Create a resource**.
firewall Tutorial Hybrid Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/tutorial-hybrid-portal.md
This is a virtual machine that you use to connect using Remote Desktop to the pu
10. For **Boot diagnostics**, Select **Disable**. 10. Select **Review+Create**, review the settings on the summary page, and then select **Create**. + ## Test the firewall 1. First, note the private IP address for **VM-spoke-01** virtual machine.
firewall Tutorial Hybrid Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/tutorial-hybrid-ps.md
New-AzVm `
-Size "Standard_DS2" ``` + ## Test the firewall First, get and then note the private IP address for **VM-spoke-01** virtual machine.
frontdoor Front Door Custom Domain Https https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/front-door-custom-domain-https.md
To enable HTTPS on a custom domain, follow these steps:
5. Continue to [Validate the domain](#validate-the-domain). > [!NOTE]
-> For AFD managed certificates, DigiCertΓÇÖs 64 character limit is enforced. Validation will fail if that limit is exceeded.
-
-![NOTE] Enabling HTTPS via Front Door managed certificate is not supported for apex/root domains (example: contoso.com). You can use your own certificate for this scenario. Please continue with Option 2 for further details.
+> * For AFD managed certificates, DigiCertΓÇÖs 64 character limit is enforced. Validation will fail if that limit is exceeded.
+> * Enabling HTTPS via Front Door managed certificate is not supported for apex/root domains (example: contoso.com). You can use your own certificate for this scenario. Please continue with Option 2 for further details.
### Option 2: Use your own certificate
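Review bot: the first bullet of the merged note carries the mis-encoded apostrophe `DigiCertΓÇÖs` into the new text; it should read `DigiCert's`. Converting the stray `![NOTE]` paragraph into a second bullet of the existing callout is the right fix; while touching it, "Please continue with Option 2" could link to the "Option 2: Use your own certificate" heading below.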
In this tutorial, you learned how to:
To learn how to set up a geo-filtering policy for your Front Door, continue to the next tutorial. > [!div class="nextstepaction"]
-> [Set up a geo-filtering policy](front-door-geo-filtering.md)
+> [Set up a geo-filtering policy](front-door-geo-filtering.md)
frontdoor How To Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/standard-premium/how-to-add-custom-domain.md
When you use Azure Front Door Standard/Premium for application delivery, a custom domain is necessary if you would like your own domain name to be visible in your end-user requests. Having a visible domain name can be convenient for your customers and useful for branding purposes.
-After you create an Azure Front Door Standard/Premium profile, the default frontend host will have a subdomain of azurefd.net. This subdomain gets included in the URL when Azure Front Door Standard/Premium delivers content from your backend by default. For example, `https://contoso-frontend.azurefd.net/activeusers.htm`. For your convenience, Azure Front Door provides the option of associating a custom domain with the default host. With this option, you deliver your content with a custom domain in your URL instead of an Azure Front Door Standard/Premium owned domain name. For example, https://www.contoso.com/photo.png.
+After you create an Azure Front Door Standard/Premium profile, the default frontend host will have a subdomain of azurefd.net. This subdomain gets included in the URL when Azure Front Door Standard/Premium delivers content from your backend by default. For example, `https://contoso-frontend.azurefd.net/activeusers.htm`. For your convenience, Azure Front Door provides the option of associating a custom domain with the default host. With this option, you deliver your content with a custom domain in your URL instead of an Azure Front Door Standard/Premium owned domain name. For example, 'https://www.contoso.com/photo.png'.
> [!IMPORTANT] > Azure Front Door Standard/Premium (Preview) is currently in public preview.
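Review bot: the second example URL is now wrapped in single quotes, `'https://www.contoso.com/photo.png'`, while the first example in the same paragraph, `https://contoso-frontend.azurefd.net/activeusers.htm`, uses backticks; single quotes are not code formatting and will render literally. Use backticks for both so the examples are consistent.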
governance Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/dod-impact-level-4/deploy.md
Title: DoD Impact Level 4 blueprint sample description: Deploy steps for the DoD Impact Level 4 blueprint sample including blueprint artifact parameter details. Previously updated : 04/02/2021 Last updated : 04/13/2021 # Deploy the DoD Impact Level 4 blueprint sample
To deploy the Azure Blueprints Department of Defense Impact Level 4 (DoD IL4) bl
> - Mark your copy of the sample as **Published** > - Assign your copy of the blueprint to an existing subscription
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)
-before you begin.
+If you don't have an Azure Government subscription, request a
+[trial subscription](https://azure.microsoft.com/global-infrastructure/government/request/) before
+you begin.
## Create blueprint from sample
governance Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/dod-impact-level-5/deploy.md
Title: DoD Impact Level 5 blueprint sample description: Deploy steps for the DoD Impact Level 5 blueprint sample including blueprint artifact parameter details. Previously updated : 04/02/2021 Last updated : 04/13/2021 # Deploy the DoD Impact Level 5 blueprint sample
To deploy the Azure Blueprints Department of Defense Impact Level 5 (DoD IL5) bl
> - Mark your copy of the sample as **Published** > - Assign your copy of the blueprint to an existing subscription
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)
-before you begin.
+If you don't have an Azure Government subscription, request a
+[trial subscription](https://azure.microsoft.com/global-infrastructure/government/request/) before
+you begin.
## Create blueprint from sample
governance Control Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/samples/media/control-mapping.md
Title: Media blueprint sample controls description: Control mapping of the Media blueprint samples. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 04/02/2021 Last updated : 04/13/2021 # Control mapping of the Media blueprint sample The following article details how the Azure Blueprints Media blueprint sample maps to the Media controls. For more information about the controls, see
-[Media](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/https://docsupdatetracker.net/index.html).
+[Media](https://www.motionpictures.org/best-practices).
The following mappings are to the **Media** controls. Use the navigation on the right to jump directly to a specific control mapping. Many of the mapped controls are implemented with an
governance Assign Policy Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/assign-policy-python.md
Title: "Quickstart: New policy assignment with Python"
description: In this quickstart, you use Python to create an Azure Policy assignment to identify non-compliant resources. Last updated 03/02/2021 -+ # Quickstart: Create a policy assignment to identify non-compliant resources using Python
hdinsight Hdinsight Hadoop Customize Cluster Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-hadoop-customize-cluster-linux.md
Title: Customize Azure HDInsight clusters by using script actions
description: Add custom components to HDInsight clusters by using script actions. Script actions are Bash scripts that can be used to customize the cluster configuration. Or add additional services and utilities like Hue, Solr, or R. -+ Last updated 03/09/2021
hdinsight Hdinsight Hadoop Use Data Lake Storage Gen2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2.md
Title: Use Azure Data Lake Storage Gen2 with Azure HDInsight clusters
description: Learn how to use Azure Data Lake Storage Gen2 with Azure HDInsight clusters. -+ Last updated 04/24/2020
iot-central Howto Manage Devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-manage-devices.md
To add a device to your Azure IoT Central application:
## Import devices
-To connect large number of devices to your application, you can bulk import devices from a CSV file. The CSV file should have the following columns and headers:
+To connect large number of devices to your application, you can bulk import devices from a CSV file. You can find an example CSV file in the [Azure Samples repository](https://github.com/Azure-Samples/iot-central-docs-samples/tree/master/bulk-upload-devices). The CSV file should include the following column headers:
+
+| Column | Description
+| - | - |
+| IOTC_DEVICEID | The device ID is a unique identified this device will use to connect. The device ID can contain letters, numbers, and the `-` character without any spaces. |
+| IOTC_DEVICENAME | Optional. The device name is a friendly name that will be displayed throughout the application. If not specified, this will be the same as the device ID. |
+
-* **IOTC_DeviceID** - the device ID can contain letters, numbers, and the `-` character.
-* **IOTC_DeviceName** - this column is optional.
To bulk-register devices in your application:
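Review bot: typo in the IOTC_DEVICEID row: "a unique identified this device will use" should read "a unique identifier this device will use". The header row `| Column | Description` is missing its trailing `|`, and the intro sentence kept in the new line still says "To connect large number of devices" (missing "a"). The column names also changed case from the old bullets (IOTC_DeviceID, IOTC_DeviceName) to IOTC_DEVICEID and IOTC_DEVICENAME; confirm which spelling the importer expects, or state that the headers are matched case-insensitively.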
iot-central Troubleshoot Connection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/troubleshoot-connection.md
If you are seeing issues related to your authentication flow:
| 429 | Operations are being throttled by the service. For specific service limits, see [IoT Hub Device Provisioning Service limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#iot-hub-device-provisioning-service-limits). | Reduce message frequency, split responsibilities among more devices. | | 500 | An internal error occurred. | [File a ticket with customer support](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) to see if they can help you further. |
+### File upload error codes
+
+Here is a list of common error codes you might see when a device tries to upload a file to the cloud. Remember that before your device can upload a file, you must configure [device file uploads](howto-configure-file-uploads.md) in your application.
+
+| Error code | Description | Possible Mitigation |
+| - | - | - |
+| 403006 | You've exceeded the number of concurrent file upload operations. Each device client is limited to 10 concurrent file uploads. | Ensure the device promptly notifies IoT Central that the file upload operation has completed. If that doesn't work, try reducing the request timeout. |
+ ## Payload shape issues When you've established that your device is sending data to IoT Central, the next step is to ensure that your device is sending data in a valid format.
iot-edge Tutorial Machine Learning Edge 05 Configure Edge Device https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-edge/tutorial-machine-learning-edge-05-configure-edge-device.md
Last updated 2/5/2020
-+ # Tutorial: Configure an Azure IoT Edge device
iot-hub-device-update Device Update Agent Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub-device-update/device-update-agent-provisioning.md
The Device Update agent can also be configured without the IoT Identity service
> [!Important] > Do not add quotes around the connection string. ```shell
- - connection_string=<ADD CONNECTION STRING HERE>
- ```
+ connection_string=<ADD CONNECTION STRING HERE>
+ ```
1. Enter and save.
iot-hub Iot Hub Devguide Messages Read Custom https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-devguide-messages-read-custom.md
A single message may match the condition on multiple routing queries, in which c
## Endpoints and routing
-An IoT hub has a default [built-in endpoint](iot-hub-devguide-messages-read-builtin.md). You can create custom endpoints to route messages to by linking other services in your subscription to the hub. IoT Hub currently supports Azure Storage containers, Event Hubs, Service Bus queues, and Service Bus topics as custom endpoints.
+An IoT hub has a default [built-in endpoint](iot-hub-devguide-messages-read-builtin.md). You can create custom endpoints to route messages to by linking other services in the subscriptions you own to the hub. IoT Hub currently supports Azure Storage containers, Event Hubs, Service Bus queues, and Service Bus topics as custom endpoints.
When you use routing and custom endpoints, messages are only delivered to the built-in endpoint if they don't match any query. To deliver messages to the built-in endpoint as well as to a custom endpoint, add a route that sends messages to the built-in **events** endpoint. > [!NOTE] > * IoT Hub only supports writing data to Azure Storage containers as blobs. > * Service Bus queues and topics with **Sessions** or **Duplicate Detection** enabled are not supported as custom endpoints.
+> * In the Azure portal, you can create custom routing endpoints only to Azure resources that are in the same subscription as your hub. You can create custom endpoints to resources in other subscriptions that you own, but custom endpoints must be configured by using a different method than the Azure portal.
For more information about creating custom endpoints in IoT Hub, see [IoT Hub endpoints](iot-hub-devguide-endpoints.md).
For more information about reading from custom endpoints, see:
* For more information about the query language you use to define routing queries, see [Message Routing query syntax](iot-hub-devguide-routing-query-syntax.md).
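Review bot: the new bullet says custom endpoints to resources in other subscriptions "must be configured by using a different method than the Azure portal" without naming one; name the supported methods (for example CLI, PowerShell, REST or templates) or link to the relevant section of the IoT Hub endpoints article, and clarify what permission the caller needs on the target resource in the other subscription. The sentence in the body was changed from "in your subscription" to "in the subscriptions you own", so the note and the body should use the same wording for ownership.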
-* The [Process IoT Hub device-to-cloud messages using routes](tutorial-routing.md) tutorial shows you how to use routing queries and custom endpoints.
+* The [Process IoT Hub device-to-cloud messages using routes](tutorial-routing.md) tutorial shows you how to use routing queries and custom endpoints.
iot-hub Tutorial X509 Certificates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-x509-certificates.md
Last updated 02/26/2021 -+ #Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to introduce me to X.509 Public Key certificates.
iot-hub Tutorial X509 Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-x509-introduction.md
Last updated 02/25/2021 -+ #Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to introduce me to X.509 Public Key Infrastructure and public key encryption.
iot-hub Tutorial X509 Openssl https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-x509-openssl.md
Last updated 02/26/2021 -+ #Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to introduce me to OpenSSL that I can use to generate test certificates.
iot-hub Tutorial X509 Prove Possession https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-x509-prove-possession.md
Last updated 02/26/2021 -+ #Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to show me how to prove that I own the certificate I uploaded to IoT Hub
iot-hub Tutorial X509 Scripts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-x509-scripts.md
Last updated 02/26/2021 -+ #Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to introduce me to Microsoft scripts that I can use to generate test certificates.
iot-hub Tutorial X509 Self Sign https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-x509-self-sign.md
Last updated 02/26/2021 -+ #Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to show me how to use OpenSSL to self-sign device certificates.
iot-hub Tutorial X509 Test Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-x509-test-certificate.md
Last updated 02/26/2021 -+ #Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to show me how to test that my certificate authenticates my device.
key-vault Overview Renew Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/certificates/overview-renew-certificate.md
Azure Key Vault also handles autorenewal of self-signed certificates. To learn m
**How can I test the autorotation feature of the certificate?**
-Create a certificate with a validity of **1 month**, and then set the lifetime action for rotation at **1%**. This setting will rotate the certificate every 7.2 hours.
+Create a self-signed certificate with a validity of **1 month**, and then set the lifetime action for rotation at **1%**. You should be able to view certificate version history being created over next few days.
**Will the tags be replicated after autorenewal of the certificate?**
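Review bot: "over next few days" needs an article ("over the next few days"). The removed sentence gave a concrete expectation, a 1% lifetime action on a one-month certificate rotating roughly every 7.2 hours; the replacement is vaguer, so consider keeping the interval so a tester knows how long to wait before concluding that autorotation is not working.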
key-vault Quick Create Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/certificates/quick-create-java.md
Title: Quickstart for Azure Key Vault Certificate client library - Java description: Learn about the the Azure Key Vault Certificate client library for Java with the steps in this quickstart. -+ Last updated 12/18/2020
key-vault Quick Create Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/certificates/quick-create-python.md
Last updated 09/03/2020
-+
key-vault Authentication Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/general/authentication-fundamentals.md
However, classic access policies do not allow per-object level permissions, and
> [!IMPORTANT] > Classic key vault access policies and Azure Active Directory role assignments are independent of each other. Assigning a security principal a ΓÇÿContributorΓÇÖ role at a subscription level will not automatically allow the security principal the ability to perform data-plane operations on every key vault within the scope of the subscription. The security principal must still must be granted, or grant themselves access policy permissions to perform data plane operations.
-### Data Plane Access Option 2: Azure RBAC for Key Vault (Preview)
+### Data Plane Access Option 2: Azure RBAC for Key Vault
A new way to grant access to the key vault data plane is through Azure role-based access control (Azure RBAC) for key vault.
key-vault Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/general/authentication.md
Key Vault works with two separate levels of authorization:
- [Azure CLI](../../role-based-access-control/role-assignments-cli.md) - [Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md)
- Key Vault currently supports the [Contributor](../../role-based-access-control/built-in-roles.md#key-vault-contributor) role, which allows management operations on Key Vault resources. A number of other roles are currently in preview. You can also create custom roles, as described on [Azure custom roles](../../role-based-access-control/custom-roles.md).
- For general information on roles, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md).
key-vault Developers Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/general/developers-guide.md
For tutorials on how to authenticate to Key Vault in applications, see:
## Manage keys, certificates, and secrets
-Access to keys, secrets, and certificates is controlled by data plane. Data plane access control can be done using local vault access policies or Azure RBAC (preview).
+Access to keys, secrets, and certificates is controlled by data plane. Data plane access control can be done using local vault access policies or Azure RBAC.
**Keys API's and SDKs**
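Review bot: "is controlled by data plane" in the `+` line is missing its article; since the sentence is being rewritten anyway, make it "is controlled by the data plane", and "Data plane access control can be done using" reads better as "Data plane access is granted with either vault access policies or Azure RBAC". The context heading "**Keys API's and SDKs**" should be "**Keys APIs and SDKs**" (no apostrophe in the plural).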
Access to keys, secrets, and certificates is controlled by data plane. Data plan
See [Client Libraries](client-libraries.md) for installation packages and source code.
-For more information about Key Vault data plane security, see [Key Vault Data Plane and access policies](./secure-your-key-vault.md#data-plane-and-access-policies) and [Key Vault Data Plane and Azure RBAC (preview)](./secure-your-key-vault.md#data-plane-and-azure-rbac-preview)
+For more information about Key Vault data plane security, see [Key Vault Data Plane and access policies](./secure-your-key-vault.md#data-plane-and-access-policies) and [Key Vault Data Plane and Azure RBAC](./secure-your-key-vault.md#data-plane-and-azure-rbac)
### Code examples
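Review bot: the new fragment `#data-plane-and-azure-rbac` matches the heading renamed in the secure-your-key-vault.md hunk later in this batch (`## Data plane and Azure RBAC`), so the link stays valid only if both files land together; make sure the link validator runs on both files in the same PR, because this link breaks if the two commits are merged separately.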
key-vault Secure Your Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/general/secure-your-key-vault.md
When you create a key vault in an Azure subscription, it's automatically associa
- **Application-only**: The application represents a service principal or managed identity. This identity is the most common scenario for applications that periodically need to access certificates, keys, or secrets from the key vault. For this scenario to work, the `objectId` of the application must be specified in the access policy and the `applicationId` must _not_ be specified or must be `null`. - **User-only**: The user accesses the key vault from any application registered in the tenant. Examples of this type of access include Azure PowerShell and the Azure portal. For this scenario to work, the `objectId` of the user must be specified in the access policy and the `applicationId` must _not_ be specified or must be `null`.-- **Application-plus-user** (sometimes referred as _compound identity_): The user is required to access the key vault from a specific application _and_ the application must use the on-behalf-of authentication (OBO) flow to impersonate the user. For this scenario to work, both `applicationId` and `objectId` must be specified in the access policy. The `applicationId` identifies the required application and the `objectId` identifies the user. Currently, this option isn't available for data plane Azure RBAC (preview).
+- **Application-plus-user** (sometimes referred as _compound identity_): The user is required to access the key vault from a specific application _and_ the application must use the on-behalf-of authentication (OBO) flow to impersonate the user. For this scenario to work, both `applicationId` and `objectId` must be specified in the access policy. The `applicationId` identifies the required application and the `objectId` identifies the user. Currently, this option isn't available for data plane Azure RBAC.
In all types of access, the application authenticates with Azure AD. The application uses any [supported authentication method](../../active-directory/develop/authentication-vs-authorization.md) based on the application type. The application acquires a token for a resource in the plane to grant access. The resource is an endpoint in the management or data plane, based on the Azure environment. The application uses the token and sends a REST API request to Key Vault. To learn more, review the [whole authentication flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md).
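Review bot: "sometimes referred as _compound identity_" in the `+` line should be "sometimes referred to as". The `-` line shows the three access-policy bullets run together ("...must be `null`.-- **Application-plus-user**"), which looks like the rendered diff collapsing line breaks rather than a source problem, but confirm each bullet is still on its own line in the file. The closing sentence keeps the caveat that compound identity (`applicationId` plus `objectId`) is not available under data-plane Azure RBAC; that has a concrete consequence, namely that vaults whose access must be restricted to a specific application acting on behalf of a user have to stay on access policies, and it would help readers to say so rather than only "isn't available".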
The model of a single mechanism for authentication to both planes has several be
## Resource endpoints
-Applications access the planes through endpoints. The access controls for the two planes work independently. To grant an application access to use keys in a key vault, you grant data plane access by using a Key Vault access policy or Azure RBAC (preview). To grant a user read access to Key Vault properties and tags, but not access to data (keys, secrets, or certificates), you grant management plane access with Azure RBAC.
+Applications access the planes through endpoints. The access controls for the two planes work independently. To grant an application access to use keys in a key vault, you grant data plane access by using a Key Vault access policy or Azure RBAC. To grant a user read access to Key Vault properties and tags, but not access to data (keys, secrets, or certificates), you grant management plane access with Azure RBAC.
The following table shows the endpoints for the management and data planes. | Access&nbsp;plane | Access endpoints | Operations | Access&nbsp;control mechanism | | | | | | | Management plane | **Global:**<br> management.azure.com:443<br><br> **Azure China 21Vianet:**<br> management.chinacloudapi.cn:443<br><br> **Azure US Government:**<br> management.usgovcloudapi.net:443<br><br> **Azure Germany:**<br> management.microsoftazure.de:443 | Create, read, update, and delete key vaults<br><br>Set Key Vault access policies<br><br>Set Key Vault tags | Azure RBAC |
-| Data plane | **Global:**<br> &lt;vault-name&gt;.vault.azure.net:443<br><br> **Azure China 21Vianet:**<br> &lt;vault-name&gt;.vault.azure.cn:443<br><br> **Azure US Government:**<br> &lt;vault-name&gt;.vault.usgovcloudapi.net:443<br><br> **Azure Germany:**<br> &lt;vault-name&gt;.vault.microsoftazure.de:443 | Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge<br><br> Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge<br><br> Secrets: get, list, set, delete,recover, backup, restore, purge | Key Vault access policy or Azure RBAC (preview)|
+| Data plane | **Global:**<br> &lt;vault-name&gt;.vault.azure.net:443<br><br> **Azure China 21Vianet:**<br> &lt;vault-name&gt;.vault.azure.cn:443<br><br> **Azure US Government:**<br> &lt;vault-name&gt;.vault.usgovcloudapi.net:443<br><br> **Azure Germany:**<br> &lt;vault-name&gt;.vault.microsoftazure.de:443 | Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge<br><br> Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge<br><br> Secrets: get, list, set, delete,recover, backup, restore, purge | Key Vault access policy or Azure RBAC |
## Management plane and Azure RBAC
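Review bot: in the Secrets cell of the `+` table row, "delete,recover" is missing the space after the comma that the other cells use. The management-plane row lists "Set Key Vault access policies" as an operation controlled by Azure RBAC; that operation is exactly how a management-plane principal obtains data-plane access in the access-policy model, so a sentence next to the table pointing that out would make the "two independent planes" claim less misleading.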
For more information about using key vault access policies, see [Assign a Key Va
Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate. >
-## Data plane and Azure RBAC (preview)
+## Data plane and Azure RBAC
Azure role-based access control is an alternative permission model to control access to Azure Key Vault data plane, which can be enabled on individual key vaults. Azure RBAC permission model is exclusive and once is set, vault access policies became inactive. Azure Key Vault defines a set of Azure built-in roles that encompass common sets of permissions used to access keys, secrets, or certificates.
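Review bot: the unchanged sentence under the renamed heading reads "Azure RBAC permission model is exclusive and once is set, vault access policies became inactive"; tidy it to "The Azure RBAC permission model is exclusive: once it is set, vault access policies become inactive." That sentence is also the operational caveat of the switch: moving a vault to the RBAC model disables every existing access policy at once, so role assignments must be in place for all consumers before the change or they lose data-plane access; consider saying that explicitly. The heading rename changes the anchor from `#data-plane-and-azure-rbac-preview` to `#data-plane-and-azure-rbac`; the developers-guide hunk in this batch already follows it.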
key-vault Tutorial Net Virtual Machine https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/general/tutorial-net-virtual-machine.md
Last updated 03/17/2021 -+ #Customer intent: As a developer I want to use Azure Key Vault to store secrets for my app, so that they are kept secure.
key-vault Quick Create Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/keys/quick-create-java.md
Title: Quickstart - Azure Key Vault Key client library for Java description: Provides a quickstart for the Azure Key Vault Keys client library for Java. -+ Last updated 01/05/2021
key-vault Quick Create Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/keys/quick-create-python.md
Last updated 09/03/2020
-+
key-vault Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/managed-hsm/quick-create-template.md
tags: azure-resource-manager
-+ Last updated 09/15/2020
key-vault Quick Create Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/secrets/quick-create-java.md
Title: Quickstart - Azure Key Vault Secret client library for Java description: Provides a quickstart for the Azure Key Vault Secret client library for Java. -+ Last updated 10/20/2019
key-vault Quick Create Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/secrets/quick-create-python.md
Last updated 09/03/2020
-+
load-balancer Outbound Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/load-balancer/outbound-rules.md
To use a different public IP or prefix than used by a load-balancing rule:
5. Configure an outbound rule on the public load balancer to enable outbound NAT for the VMs using the frontend. It is not recommended to use a load-balancing rule for outbound, disable outbound SNAT on the load-balancing rule.
-### <a name="scenario2out"></a>Scenario 2: Modify [SNAT](load-balancer-outbound-connections.md)port allocation
+### <a name="scenario2out"></a>Scenario 2: Modify [SNAT](load-balancer-outbound-connections.md) port allocation
#### Details
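Review bot: the unchanged step 5 in this hunk is a comma splice, "It is not recommended to use a load-balancing rule for outbound, disable outbound SNAT on the load-balancing rule"; split it: "Using a load-balancing rule for outbound connectivity is not recommended; disable outbound SNAT on the load-balancing rule." The heading change itself only adds the missing space after the `[SNAT](...)` link.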
To use a different public IP or prefix than used by a load-balancing rule:
You can use outbound rules to tune the [automatic SNAT port allocation based on backend pool size](load-balancer-outbound-connections.md#preallocatedports).
-If you experience SNAT exhaustion, increase the number of [SNAT](load-balancer-outbound-connections.md)ports given from the default of 1024.
+If you experience SNAT exhaustion, increase the number of [SNAT](load-balancer-outbound-connections.md) ports given from the default of 1024.
-Each public IP address contributes up to 64,000 ephemeral ports. The number of VMs in the backend pool determines the number of ports distributed to each VM. One VM in the backend pool has access to the maximum of 64,000 ports. For two VMs, a maximum of 32,000 [SNAT](load-balancer-outbound-connections.md)ports can be given with an outbound rule (2x 32,000 = 64,000).
+Each public IP address contributes up to 64,000 ephemeral ports. The number of VMs in the backend pool determines the number of ports distributed to each VM. One VM in the backend pool has access to the maximum of 64,000 ports. For two VMs, a maximum of 32,000 [SNAT](load-balancer-outbound-connections.md) ports can be given with an outbound rule (2x 32,000 = 64,000).
-You can use outbound rules to tune the SNAT ports given by default. You give more or less than the default [SNAT](load-balancer-outbound-connections.md)port allocation provides. Each public IP address from a frontend of an outbound rule contributes up to 64,000 ephemeral ports for use as [SNAT](load-balancer-outbound-connections.md)ports.
+You can use outbound rules to tune the SNAT ports given by default. You give more or less than the default [SNAT](load-balancer-outbound-connections.md) port allocation provides. Each public IP address from a frontend of an outbound rule contributes up to 64,000 ephemeral ports for use as [SNAT](load-balancer-outbound-connections.md) ports.
-Load balancer gives [SNAT](load-balancer-outbound-connections.md)ports in multiples of 8. If you provide a value not divisible by 8, the configuration operation is rejected. Each load balancing rule and inbound NAT rule will consume a range of 8 ports. If a load balancing or inbound NAT rule shares the same range of 8 as another, no additional ports will be consumed.
+Load balancer gives [SNAT](load-balancer-outbound-connections.md) ports in multiples of 8. If you provide a value not divisible by 8, the configuration operation is rejected. Each load balancing rule and inbound NAT rule will consume a range of 8 ports. If a load balancing or inbound NAT rule shares the same range of 8 as another, no additional ports will be consumed.
-If you attempt to give more [SNAT](load-balancer-outbound-connections.md)ports than are available based on the number of public IP addresses, the configuration operation is rejected. For example, if you give 10,000 ports per VM and seven VMs in a backend pool share a single public IP, the configuration is rejected. Seven multiplied by 10,000 exceeds the 64,000 port limit. Add more public IP addresses to the frontend of the outbound rule to enable the scenario.
+If you attempt to give more [SNAT](load-balancer-outbound-connections.md) ports than are available based on the number of public IP addresses, the configuration operation is rejected. For example, if you give 10,000 ports per VM and seven VMs in a backend pool share a single public IP, the configuration is rejected. Seven multiplied by 10,000 exceeds the 64,000 port limit. Add more public IP addresses to the frontend of the outbound rule to enable the scenario.
Revert to the [default port allocation](load-balancer-outbound-connections.md#preallocatedports) by specifying 0 for the number of ports. The first 50 VM instances will get 1024 ports, 51-100 VM instances will get 512 up to the maximum instances. For more information on default SNAT port allocation, see [SNAT ports allocation table](./load-balancer-outbound-connections.md#preallocatedports).
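Review bot: the `+` line "increase the number of SNAT ports given from the default of 1024" states 1024 as the default, but the unchanged paragraph at the end of this hunk says the default depends on pool size (1024 ports for the first 50 instances, 512 for 51-100, and smaller beyond); write "from the size-based default (1024 ports for pools of up to 50 VMs)" so the two statements agree. Everything else in these hunks is only the missing space after the `[SNAT](...)` link text.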
Azure Load Balancer outbound rules and Virtual Network NAT are options available
-Use a prefix or public IP to scale [SNAT](load-balancer-outbound-connections.md)ports. Add the source of outbound connections to an allow or deny list.
+Use a prefix or public IP to scale [SNAT](load-balancer-outbound-connections.md) ports. Add the source of outbound connections to an allow or deny list.
For more information, see [Outbound-only load balancer configuration](./egress-o
When using a public standard load balancer, the automatic outbound NAT provided matches the transport protocol of the load-balancing rule.
-1. Disable outbound [SNAT](load-balancer-outbound-connections.md)on the load-balancing rule.
+1. Disable outbound [SNAT](load-balancer-outbound-connections.md) on the load-balancing rule.
2. Configure an outbound rule on the same load balancer. 3. Reuse the backend pool already used by your VMs. 4. Specify "protocol": "All" as part of the outbound rule.
load-balancer Quickstart Load Balancer Standard Internal Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/load-balancer/quickstart-load-balancer-standard-internal-cli.md
Get started with Azure Load Balancer by using the Azure CLI to create an interna
This quickstart requires version 2.0.28 or later of the Azure CLI. If you're using Azure Cloud Shell, the latest version is already installed.
->[!NOTE]
->Azure Load Balancer Standard is the recommended choice for production workloads. This article contains information about Azure Load Balancer Standard, as well as Azure Load Balancer Basic. For more information about SKUs, see [Azure Load Balancer SKUs](skus.md).
- ## Create a resource group An Azure resource group is a logical container into which you deploy and manage your Azure resources.
Create a resource group with [az group create](/cli/azure/group#az_group_create)
```
-## Azure Load Balancer Standard
+
+# [**Standard SKU**](#tab/option-1-create-load-balancer-standard)
+
+>[!NOTE]
+>Standard SKU load balancer is recommended for production workloads. For more information about skus, see **[Azure Load Balancer SKUs](skus.md)**.
In this section, you create a load balancer that load balances virtual machines. When you create an internal load balancer, a virtual network is configured as the network for the load balancer. The following diagram shows the resources created in this quickstart:
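Review bot: the added NOTE writes "skus" in lowercase while the link text and the removed NOTE use "SKUs"; keep the acronym capitalised. The removed NOTE's sentence that the article covers both Standard and Basic is reasonably dropped now that the SKUs are tabs.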
Add the virtual machines to the back-end pool with [az network nic ip-config add
```
-## Azure Load Balancer Basic
+# [**Basic SKU**](#tab/option-1-create-load-balancer-basic)
+
+>[!NOTE]
+>Standard SKU load balancer is recommended for production workloads. For more information about skus, see **[Azure Load Balancer SKUs](skus.md)**.
In this section, you create a load balancer that load balances virtual machines. When you create an internal load balancer, a virtual network is configured as the network for the load balancer. The following diagram shows the resources created in this quickstart:
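Review bot: the Basic tab id `option-1-create-load-balancer-basic` reuses the `option-1-` prefix of the Standard tab above; number them `option-1`/`option-2` (or drop the number) so `#tab/...` links are unambiguous. The NOTE here repeats "skus" in lowercase; fix it in both tabs.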
Add the virtual machines to the back-end pool with [az network nic ip-config add
done ```-+ ## Test the load balancer Create the network interface with [az network nic create](/cli/azure/network/nic#az-network-nic-create). Specify the following:
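Review bot: the Docs tab syntax needs a line containing only `---` after the last tab's content and before `## Test the load balancer`; the collapsed `-+` at the end of this hunk suggests such a line was changed here, so verify the terminator is present, otherwise the Basic SKU tab swallows the Test section.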
machine-learning How To Deploy Custom Docker Image https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-deploy-custom-docker-image.md
Last updated 11/16/2020 -+ # Deploy a model using a custom Docker base image
machine-learning How To Save Write Experiment Files https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-save-write-experiment-files.md
When launching training runs on a [compute target](concept-compute-target.md), t
Before you can initiate an experiment on a compute target or your local machine, you must ensure that the necessary files are available to that compute target, such as dependency files and data files your code needs to run.
-Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](how-to-save-write-experiment-files.md#storage-limits-of-experiment-snapshots) or don't include it in the source directory . Instead, access your data using a [datastore](/python/api/azureml-core/azureml.data).
+Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use a [.ignore file](how-to-save-write-experiment-files.md#storage-limits-of-experiment-snapshots) or don't include it in the source directory. Instead, access your data using a [datastore](/python/api/azureml-core/azureml.data).
The storage limit for experiment snapshots is 300 MB and/or 2000 files. For this reason, we recommend:
-* **Storing your files in an Azure Machine Learning [datastore](/python/api/azureml-core/azureml.data).** This prevents experiment latency issues, and has the advantages of accessing data from a remote compute target, which means authentication and mounting are managed by Azure Machine Learning. Learn more about specifying a datastore as your source directory, and uploading files to your datastore in the [Access data from your datastores](how-to-access-data.md) article.
+* **Storing your files in an Azure Machine Learning [dataset](/python/api/azureml-core/azureml.data).** This prevents experiment latency issues, and has the advantages of accessing data from a remote compute target, which means authentication and mounting are managed by Azure Machine Learning. Learn more about how to specify a dataset as your input data source in your training script with [Train with datasets](how-to-train-with-datasets.md).
* **If you only need a couple data files and dependency scripts and can't use a datastore,** place the files in the same folder directory as your training script. Specify this folder as your `source_directory` directly in your training script, or in the code that calls your training script.
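Review bot: the rewritten bullet now says "dataset" but still links to `/python/api/azureml-core/azureml.data`, the module reference, whereas the how-to-train-with-datasets hunk later in this batch links the Dataset class itself; point both at the same reference. The following bullet (unchanged here) still says "can't use a datastore", which no longer matches the first bullet's wording, and "a couple data files" should be "a couple of data files". The earlier `+` line about a ".ignore file" carries the one security-relevant point in this section: because the snapshot uploads the whole source directory, the ignore file (named `.amlignore` further down in this article) is what keeps credentials and local data out of the run history, so name the file in the link text instead of ".ignore file".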
Jupyter notebooks| Create a `.amlignore` file or move your notebook into a new,
Due to the isolation of training experiments, the changes to files that happen during runs are not necessarily persisted outside of your environment. If your script modifies the files local to compute, the changes are not persisted for your next experiment run, and they're not propagated back to the client machine automatically. Therefore, the changes made during the first experiment run don't and shouldn't affect those in the second.
-When writing changes, we recommend writing files to an Azure Machine Learning datastore. See [Access data from your datastores](how-to-access-data.md).
+When writing changes, we recommend writing files to storage via an Azure Machine Learning dataset with an [OutputFileDatasetConfig object](/python/api/azureml-core/azureml.data.output_dataset_config.outputfiledatasetconfig). See [how to create an OutputFileDatasetConfig](how-to-train-with-datasets.md#where-to-write-training-output).
-If you don't require a datastore, write files to the `./outputs` and/or `./logs` folder.
+Otherwise, write files to the `./outputs` and/or `./logs` folder.
>[!Important] > Two folders, *outputs* and *logs*, receive special treatment by Azure Machine Learning. During training, when you write files to`./outputs` and`./logs` folders, the files will automatically upload to your run history, so that you have access to them once your run is finished.
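Review bot: "Otherwise, write files to the `./outputs` and/or `./logs` folder" drops the condition the `-` line had ("If you don't require a datastore"); since the previous sentence now recommends an OutputFileDatasetConfig, say "If you don't need the output as a dataset, write files to ...". The unchanged Important block is missing spaces in "to`./outputs` and`./logs`".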
If you don't require a datastore, write files to the `./outputs` and/or `./logs`
## Next steps
-* Learn more about [accessing data from your datastores](how-to-access-data.md).
+* Learn more about [accessing data from storage](how-to-access-data.md).
* Learn more about [Create compute targets for model training and deployment](how-to-create-attach-compute-studio.md)
machine-learning How To Train With Datasets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-train-with-datasets.md
In this article, you learn how to work with [Azure Machine Learning datasets](/python/api/azureml-core/azureml.core.dataset%28class%29) to train machine learning models. You can use datasets in your local or remote compute target without worrying about connection strings or data paths.
-Azure Machine Learning datasets provide a seamless integration with Azure Machine Learning training functionality like [ScriptRunConfig](/python/api/azureml-core/azureml.core.scriptrunconfig), [HyperDrive](/python/api/azureml-train-core/azureml.train.hyperdrive) and [Azure Machine Learning pipelines](./how-to-create-machine-learning-pipelines.md).
+Azure Machine Learning datasets provide a seamless integration with Azure Machine Learning training functionality like [ScriptRunConfig](/python/api/azureml-core/azureml.core.scriptrunconfig), [HyperDrive](/python/api/azureml-train-core/azureml.train.hyperdrive), and [Azure Machine Learning pipelines](./how-to-create-machine-learning-pipelines.md).
If you are not ready to make your data available for model training, but want to load your data to your notebook for data exploration, see how to [explore the data in your dataset](how-to-create-register-datasets.md#explore-data).
To create and train with datasets, you need:
If you have structured data not yet registered as a dataset, create a TabularDataset and use it directly in your training script for your local or remote experiment.
-In this example, you create an unregistered [TabularDataset](/python/api/azureml-core/azureml.data.tabulardataset) and specify it as a script argument in the ScriptRunConfig object for training. If you want to reuse this TabularDataset with other experiments in your workspace, see [how to register datasets to your workspace](how-to-create-register-datasets.md#register-datasets).
+In this example, you create an unregistered [TabularDataset](/python/api/azureml-core/azureml.data.tabulardataset) and specify it as a script argument in the [ScriptRunConfig](/python/api/azureml-core/azureml.core.script_run_config.scriptrunconfig) object for training. If you want to reuse this TabularDataset with other experiments in your workspace, see [how to register datasets to your workspace](how-to-create-register-datasets.md#register-datasets).
### Create a TabularDataset
run.wait_for_completion(show_output=True)
If you have unstructured data, create a [FileDataset](/python/api/azureml-core/azureml.data.filedataset) and either mount or download your data files to make them available to your remote compute target for training. Learn about when to use [mount vs. download](#mount-vs-download) for your remote training experiments.
-The following example creates a FileDataset and mounts the dataset to the compute target by passing it as an argument to the training script.
+The following example,
+
+* Creates an input FileDataset, `mnist_ds`, for your training data.
+* Specifies where to write training results, and to promote those results as a FileDataset.
+* Mounts the input dataset to the compute target.
> [!Note] > If you are using a custom Docker base image, you will need to install fuse via `apt-get install -y fuse` as a dependency for dataset mount to work. Learn how to [build a custom build image](how-to-deploy-custom-docker-image.md#build-a-custom-base-image).
+For the notebook example , see [How to configure a training run with data input and output](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/work-with-data/datasets-tutorial/scriptrun-with-data-input-output/how-to-use-scriptrun.ipynb).
+ ### Create a FileDataset
-The following example creates an unregistered FileDataset from web urls. Learn more about [how to create datasets](how-to-create-register-datasets.md) from other sources.
+The following example creates an unregistered FileDataset, `mnist_data` from web urls. This FileDataset is the input data for your training run.
+
+Learn more about [how to create datasets](how-to-create-register-datasets.md) from other sources.
```Python+ from azureml.core.dataset import Dataset web_paths = [
web_paths = [
'http://yann.lecun.com/exdb/mnist/t10k-images-idx3-ubyte.gz', 'http://yann.lecun.com/exdb/mnist/t10k-labels-idx1-ubyte.gz' ]+ mnist_ds = Dataset.File.from_files(path = web_paths)+
+```
+### Where to write training output
+
+You can specify where to write your training results with an [OutputFileDatasetConfig object](/python/api/azureml-core/azureml.data.output_dataset_config.outputfiledatasetconfig).
+
+OutputFileDatasetConfig objects allow you to:
+
+* Mount or upload the output of a run to cloud storage you specify.
+* Save the output as a FileDataset to these supported storage types:
+ * Azure blob
+ * Azure file share
+ * Azure Data Lake Storage generations 1 and 2
+* Track the data lineage between training runs.
+
+The following code specifies that training results should be saved as a FileDataset in the `outputdataset` folder in the default blob datastore, `def_blob_store`.
+
+```python
+from azureml.core import Workspace
+from azureml.data import OutputFileDatasetConfig
+
+ws = Workspace.from_config()
+
+def_blob_store = ws.get_default_datastore()
+output = OutputFileDatasetConfig(destination=(def_blob_store, 'sample/outputdataset'))
``` ### Configure the training run
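Review bot: the `+` text says the FileDataset is named `mnist_data`, but the code and the bullet list above call it `mnist_ds`; use one name. Also "Specifies where to write training results, and to promote those results as a FileDataset" needs "and promotes", "web urls" should be "web URLs", and "For the notebook example ," has a stray space. On the code: the four MNIST files are fetched over plain `http://` with no integrity check, and whatever the server returns becomes training input, so prefer an HTTPS source and verify a known hash of each file after download rather than trusting the transport. The OutputFileDatasetConfig snippet is fine as written.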
-We recommend passing the dataset as an argument when mounting via the `arguments` parameter of the `ScriptRunConfig` constructor. By doing so, you will get the data path (mounting point) in your training script via arguments. This way, you will be able use the same training script for local debugging and remote training on any cloud platform.
+We recommend passing the dataset as an argument when mounting via the `arguments` parameter of the `ScriptRunConfig` constructor. By doing so, you get the data path (mounting point) in your training script via arguments. This way, you are able to use the same training script for local debugging and remote training on any cloud platform.
-The following example creates a ScriptRunConfig that passes in the FileDataset via `arguments`. After you submit the run, data files referred by the dataset `mnist_ds` will be mounted to the compute target.
+The following example creates a ScriptRunConfig that passes in the FileDataset via `arguments`. After you submit the run, data files referred to by the dataset `mnist_ds` are mounted to the compute target, and training results are saved to the specified `outputdataset` folder in the default datastore.
```python from azureml.core import ScriptRunConfig
+input_data= mnist_ds.as_named_input('input').as_mount()# the dataset will be mounted on the remote compute
+ src = ScriptRunConfig(source_directory=script_folder,
- script='train_mnist.py',
- # the dataset will be mounted on the remote compute and the mounted path passed as an argument to the script
- arguments=['--data-folder', mnist_ds.as_mount(), '--regularization', 0.5],
+ script='dummy_train.py',
+ arguments=[input_data, output],
compute_target=compute_target, environment=myenv)
run = experiment.submit(src)
run.wait_for_completion(show_output=True) ```
-### Retrieve data in your training script
+### Simple training script
-The following code shows how to retrieve the data in your script.
+The following script is submitted through the ScriptRunConfig. It reads the `mnist_ds ` dataset as input, and writes the file to the `outputdataset` folder in the default blob datastore, `def_blob_store`.
```Python
-%%writefile $script_folder/train_mnist.py
+%%writefile $source_directory/dummy_train.py
-import argparse
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+import sys
import os
-import numpy as np
-import glob
-from utils import load_data
+print("*********************************************************")
+print("Hello Azure ML!")
-# retrieve the 2 arguments configured through `arguments` in the ScriptRunConfig
-parser = argparse.ArgumentParser()
-parser.add_argument('--data-folder', type=str, dest='data_folder', help='data folder mounting point')
-parser.add_argument('--regularization', type=float, dest='reg', default=0.01, help='regularization rate')
-args = parser.parse_args()
-
-data_folder = args.data_folder
-print('Data folder:', data_folder)
+mounted_input_path = sys.argv[1]
+mounted_output_path = sys.argv[2]
-# get the file paths on the compute
-X_train_path = glob.glob(os.path.join(data_folder, '**/train-images-idx3-ubyte.gz'), recursive=True)[0]
-X_test_path = glob.glob(os.path.join(data_folder, '**/t10k-images-idx3-ubyte.gz'), recursive=True)[0]
-y_train_path = glob.glob(os.path.join(data_folder, '**/train-labels-idx1-ubyte.gz'), recursive=True)[0]
-y_test = glob.glob(os.path.join(data_folder, '**/t10k-labels-idx1-ubyte.gz'), recursive=True)[0]
-
-# load train and test set into numpy arrays
-X_train = load_data(X_train_path, False) / 255.0
-X_test = load_data(X_test_path, False) / 255.0
-y_train = load_data(y_train_path, True).reshape(-1)
-y_test = load_data(y_test, True).reshape(-1)
+print("Argument 1: %s" % mounted_input_path)
+print("Argument 2: %s" % mounted_output_path)
+
+with open(mounted_input_path, 'r') as f:
+ content = f.read()
+ with open(os.path.join(mounted_output_path, 'output.csv'), 'w') as fw:
+ fw.write(content)
``` ## Mount vs download
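Review bot: the new `dummy_train.py` opens `mounted_input_path` with `open(..., 'r')`, but `mnist_ds.as_named_input('input').as_mount()` mounts a FileDataset of four `.gz` files as a directory, so `open()` raises `IsADirectoryError`; the script has to walk the mount point (for example `os.listdir(mounted_input_path)`) and copy each file, and since the files are gzip, use `'rb'`/`'wb'` rather than text mode. The script is written to `$source_directory/dummy_train.py` while the ScriptRunConfig passes `source_directory=script_folder`; the two variable names must match or the run fails with a missing-script error. Minor: `input_data= mnist_ds...as_mount()# the dataset` needs spaces around `=` and before `#`, "`mnist_ds `" in the prose has a trailing space inside the backticks, and a Microsoft copyright header adds nothing to a docs snippet.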
src.run_config.source_directory_data_store = "workspaceblobstore"
## Notebook examples
-+ The [dataset notebooks](https://aka.ms/dataset-tutorial) demonstrate and expand upon concepts in this article.
++ For additional dataset examples and concepts, see the [dataset notebooks](https://aka.ms/dataset-tutorial). + See how to [parametrize datasets in your ML pipelines](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/machine-learning-pipelines/intro-to-pipelines/aml-pipelines-showcasing-dataset-and-pipelineparameter.ipynb). ## Troubleshooting
managed-instance-apache-cassandra Configure Hybrid Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/managed-instance-apache-cassandra/configure-hybrid-cluster.md
This quickstart demonstrates how to use the Azure CLI commands to configure a hy
:::image type="content" source="./media/configure-hybrid-cluster/subnet.png" alt-text="Add a new subnet to your Virtual Network." lightbox="./media/configure-hybrid-cluster/subnet.png" border="true"::: <!-- ![image](./media/configure-hybrid-cluster/subnet.png) -->
-1. Now we will apply some special permissions to the VNet and subnet which Cassandra Managed Instance requires, using Azure CLI. Use the `az role assignment create` command, replacing `<subscription ID>`, `<resource group name>`, `<VNet name>`, and `<subnet name>` with the appropriate values:
+ > [!NOTE]
+ > The Deployment of a Azure Managed Instance for Apache Cassandra requires internet access. Deployment fails in environments where internet access is restricted. Make sure you aren't blocking access within your VNet to the following vital Azure services that are necessary for Managed Cassandra to work properly:
+ > - Azure Storage
+ > - Azure KeyVault
+ > - Azure Virtual Machine Scale Sets
+ > - Azure Monitoring
+ > - Azure Active Directory
+ > - Azure Security
+
+1. Now we will apply some special permissions to the VNet and subnet which Cassandra Managed Instance requires, using Azure CLI. Use the `az role assignment create` command, replacing `<subscription ID>`, `<resource group name>`, and `<VNet name>` with the appropriate values:
```azurecli-interactive
- az role assignment create --assignee e5007d2c-4b13-4a74-9b6a-605d99f03501 --role 4d97b98b-1d4f-4787-a291-c67834d212e7 --scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualNetworks/<VNet name>/subnets/<subnet name>
+ az role assignment create --assignee a232010e-820c-4083-83bb-3ace5fc29d0b --role 4d97b98b-1d4f-4787-a291-c67834d212e7 --scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualNetworks/<VNet name>
``` > [!NOTE]
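Review bot: the new command drops `/subnets/<subnet name>` from `--scope`, so the role assignment is now granted on the whole VNet instead of on a single subnet, but the rewritten step still says "apply some special permissions to the VNet and subnet"; the sentence should say "to the VNet" only, and a short clause on why VNet-level scope is now required would help readers who are applying least privilege and will otherwise restore the narrower subnet scope. In the inserted note, "The Deployment of a Azure Managed Instance" should read "the deployment of an Azure Managed Instance".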
managed-instance-apache-cassandra Create Cluster Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/managed-instance-apache-cassandra/create-cluster-cli.md
This quickstart demonstrates how to use the Azure CLI commands to create a clust
```azurecli-interactive az network vnet create -n <VNet_Name> -l eastus2 -g <Resource_Group_Name> --subnet-name <Subnet Name> ```
+ > [!NOTE]
+ > The Deployment of a Azure Managed Instance for Apache Cassandra requires internet access. Deployment fails in environments where internet access is restricted. Make sure you aren't blocking access within your VNet to the following vital Azure services that are necessary for Managed Cassandra to work properly:
+ > - Azure Storage
+ > - Azure KeyVault
+ > - Azure Virtual Machine Scale Sets
+ > - Azure Monitoring
+ > - Azure Active Directory
+ > - Azure Security
-1. Apply some special permissions to the Virtual Network and the subnet, which are required by the managed instance. Use the `az role assignment create` command, replacing `<subscription ID>`, `<resource group name>`, `<VNet name>`, and `<subnet name>` with the appropriate values:
+1. Apply some special permissions to the Virtual Network, which are required by the managed instance. Use the `az role assignment create` command, replacing `<subscription ID>`, `<resource group name>`, and `<VNet name>` with the appropriate values:
```azurecli-interactive
- az role assignment create --assignee e5007d2c-4b13-4a74-9b6a-605d99f03501 --role 4d97b98b-1d4f-4787-a291-c67834d212e7 --scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualNetworks/<VNet name>/subnets/<subnet name>
+ az role assignment create --assignee a232010e-820c-4083-83bb-3ace5fc29d0b --role 4d97b98b-1d4f-4787-a291-c67834d212e7 --scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualNetworks/<VNet name>
``` > [!NOTE]
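Review bot: the inserted `[!NOTE]` block ends at `> - Azure Security` and is followed directly by the `1. Apply some special permissions` step with no blank line, unlike the other two articles touched by this change; add the blank line so the blockquote is clearly closed before the numbered list. The step text correctly now says "Virtual Network" only, matching the `--scope` that ends at `/virtualNetworks/<VNet name>`, but because the assignment widened from subnet to VNet scope a sentence explaining why the broader grant is needed belongs here too. Grammar: "a Azure Managed Instance" should be "an Azure Managed Instance".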
managed-instance-apache-cassandra Create Cluster Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/managed-instance-apache-cassandra/create-cluster-portal.md
If you don't have an Azure subscription, create a [free account](https://azure.m
:::image type="content" source="./media/create-cluster-portal/networking.png" alt-text="Configure networking details." lightbox="./media/create-cluster-portal/networking.png" border="true":::
-1. If you created a new VNet in the last step, skip to step 8. If you selected an existing VNet, before creating your cluster, you need to apply some special permissions to the Virtual Network and the subnet. To do so, use the `az role assignment create` command, replacing `<subscription ID>`, `<resource group name>`, `<VNet name>`, and `<subnet name>` with the appropriate values:
+ > [!NOTE]
+ > The Deployment of a Azure Managed Instance for Apache Cassandra requires internet access. Deployment fails in environments where internet access is restricted. Make sure you aren't blocking access within your VNet to the following vital Azure services that are necessary for Managed Cassandra to work properly:
+ > - Azure Storage
+ > - Azure KeyVault
+ > - Azure Virtual Machine Scale Sets
+ > - Azure Monitoring
+ > - Azure Active Directory
+ > - Azure Security
+
+1. If you created a new VNet in the last step, skip to step 8. If you selected an existing VNet, before creating your cluster, you need to apply some special permissions to the Virtual Network and the subnet. To do so, use the `az role assignment create` command, replacing `<subscription ID>`, `<resource group name>`, and `<VNet name>` with the appropriate values:
```azurecli-interactive
- az role assignment create --assignee e5007d2c-4b13-4a74-9b6a-605d99f03501 --role 4d97b98b-1d4f-4787-a291-c67834d212e7 --scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualNetworks/<VNet name>/subnets/<subnet name>
+ az role assignment create --assignee a232010e-820c-4083-83bb-3ace5fc29d0b --role 4d97b98b-1d4f-4787-a291-c67834d212e7 --scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualNetworks/<VNet name>
``` > [!NOTE]
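Review bot: the rewritten step still says "apply some special permissions to the Virtual Network and the subnet", yet `<subnet name>` was removed from the placeholder list and the command's `--scope` now ends at `/virtualNetworks/<VNet name>`; change the sentence to "to the Virtual Network" so it matches both the command and the CLI quickstart updated in this same change. The inserted note has the same article error as the other copies: "an Azure Managed Instance".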
mariadb Concepts Azure Advisor Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mariadb/concepts-azure-advisor-recommendations.md
+
+ Title: Azure Advisor for MariaDB
+description: Learn about Azure Advisor recommendations for MariaDB.
++++ Last updated : 04/12/2021+
+# Azure Advisor for MariaDB
+Learn about how Azure Advisor is applied to Azure Database for MariaDB and get answers to common questions.
+## What is Azure Advisor for MariaDB?
+The Azure Advisor system uses telemetry to issue performance and reliability recommendations for your MariaDB database.
+
+Some recommendations are common to multiple product offerings, while other recommendations are based on product-specific optimizations.
+## Where can I view my recommendations?
+Recommendations are available from the **Overview** navigation sidebar in the Azure portal. A preview will appear as a banner notification, and details can be viewed in the **Notifications** section located just below the resource usage graphs.
++
+## Recommendation types
+Azure Database for MariaDB prioritize the following types of recommendations:
+* **Performance**: To improve the speed of your MariaDB server. This includes CPU usage, memory pressure, disk utilization, and product-specific server parameters. For more information, see [Advisor Performance recommendations](../advisor/advisor-performance-recommendations.md).
+* **Reliability**: To ensure and improve the continuity of your business-critical databases. This includes storage limit and connection limit recommendations. For more information, see [Advisor Reliability recommendations](../advisor/advisor-high-availability-recommendations.md).
+* **Cost**: To optimize and reduce your overall Azure spending. This includes server right-sizing recommendations. For more information, see [Advisor Cost recommendations](../advisor/advisor-cost-recommendations.md).
+
+## Understanding your recommendations
+* **Daily schedule**: For Azure MariaDB databases, we check server telemetry and issue recommendations on a daily schedule. If you make a change to your server configuration, existing recommendations will remain visible until we re-examine telemetry on the following day.
+* **Performance history**: Some of our recommendations are based on performance history. These recommendations will only appear after a server has been operating with the same configuration for 7 days. This allows us to detect patterns of heavy usage (e.g. high CPU activity or high connection volume) over a sustained time period. If you provision a new server or change to a new vCore configuration, these recommendations will be paused temporarily. This prevents legacy telemetry from triggering recommendations on a newly reconfigured server. However, this also means that performance history-based recommendations may not be identified immediately.
+
+## Next steps
+For more information, see [Azure Advisor Overview](../advisor/advisor-overview.md).
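Review bot: "Azure Database for MariaDB prioritize the following types of recommendations" should be "prioritizes", and "For Azure MariaDB databases" in the Daily schedule bullet should use the full product name "Azure Database for MariaDB" that the rest of the article uses. The "Where can I view my recommendations?" section says a preview "will appear as a banner notification"; naming the blade (Overview) once more there would make the two sentences consistent.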
mariadb Howto Auto Grow Storage Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mariadb/howto-auto-grow-storage-cli.md
# Auto-grow Azure Database for MariaDB storage using the Azure CLI This article describes how you can configure an Azure Database for MariaDB server storage to grow without impacting the workload.
-The server [reaching the storage limit](concepts-pricing-tiers.md#reaching-the-storage-limit), is set to read-only. If storage auto grow is enabled then for servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 5% of the provisioned storage size. Maximum storage limits as specified [here](concepts-pricing-tiers.md#storage) apply.
+The server [reaching the storage limit](concepts-pricing-tiers.md#reaching-the-storage-limit), is set to read-only. If storage auto grow is enabled then for servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 10GB of the provisioned storage size. Maximum storage limits as specified [here](concepts-pricing-tiers.md#storage) apply.
## Prerequisites
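Review bot: the new sentence "when the free storage space is below 10GB of the provisioned storage size" keeps the old "of the provisioned storage size" phrasing around what is now an absolute threshold, so it reads as a percentage that was never finished; suggest "when the free storage space is below 10 GB", with the space between number and unit to match "5 GB" and "1 GB" earlier in the same sentence.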
mariadb Howto Auto Grow Storage Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mariadb/howto-auto-grow-storage-portal.md
Last updated 3/18/2020
# Auto grow storage in Azure Database for MariaDB using the Azure portal This article describes how you can configure an Azure Database for MariaDB server storage to grow without impacting the workload.
-When a server reaches the allocated storage limit, the server is marked as read-only. However, if you enable storage auto grow, the server storage increases to accommodate the growing data. For servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 5% of the provisioned storage size. Maximum storage limits as specified [here](concepts-pricing-tiers.md#storage) apply.
+When a server reaches the allocated storage limit, the server is marked as read-only. However, if you enable storage auto grow, the server storage increases to accommodate the growing data. For servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 10GB of the provisioned storage size. Maximum storage limits as specified [here](concepts-pricing-tiers.md#storage) apply.
## Prerequisites To complete this how-to guide, you need:
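Review bot: "below 10GB of the provisioned storage size" is a leftover of the previous "5% of the provisioned storage size" wording; with an absolute threshold the sentence should end at "below 10 GB" (space before the unit, as in "5 GB" and "1 GB" in the same sentence).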
mysql Concepts Migrate Dbforge Studio For Mysql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/concepts-migrate-dbforge-studio-for-mysql.md
The New Schema Comparison Wizard appears.
:::image type="content" source="media/concepts-migrate-dbforge-studio-for-mysql/schema-sync-wizard.png" alt-text="Schema sync wizard":::
-### Data Comparison
+### Step 3. Data Comparison
1. On the Comparison menu, select New Data Comparison. The New Data Comparison Wizard appears.
mysql Concepts Migrate Import Export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/concepts-migrate-import-export.md
-+ Last updated 10/30/2020
mysql Concepts Supported Versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/concepts-supported-versions.md
In Azure Database for MySQL service, gateway nodes listens on port 3308 for v5.7
## Azure Database for MySQL currently supports the following major and minor versions of MySQL:
-| Version | [Single Server](overview.md) <br/> Current minor version |[Flexible Server (Preview)](/../flexible-server/overview.md) <br/> Current minor version |
+| Version | [Single Server](overview.md) <br/> Current minor version |[Flexible Server (Preview)](/azure/mysql/flexible-server/overview) <br/> Current minor version |
|:-|:-|:| |MySQL Version 5.6 | [5.6.47](https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-47.html) (Retired) | Not supported| |MySQL Version 5.7 | [5.7.29](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html) | [5.7.29](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html)|
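Review bot: the link fix from `/../flexible-server/overview.md` to `/azure/mysql/flexible-server/overview` is correct, but while here note that the table's alignment row `|:-|:-|:|` has an invalid third cell (a lone `:` with no hyphen), which some Markdown renderers reject, leaving the whole table as plain text; change it to `|:-|:-|:-|`.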
mysql Concepts Version Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/concepts-version-policy.md
Azure Database for MySQL has been developed from [MySQL Community Edition](https
Azure Database for MySQL currently supports the following major and minor versions of MySQL:
-| Version | [Single Server](overview.md) <br/> Current minor version |[Flexible Server (Preview)](/../flexible-server/overview.md) <br/> Current minor version |
+| Version | [Single Server](overview.md) <br/> Current minor version |[Flexible Server (Preview)](/azure/mysql/flexible-server/overview) <br/> Current minor version |
|:-|:-|:| |MySQL Version 5.6 | [5.6.47](https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-47.html)(Retired) | Not supported| |MySQL Version 5.7 | [5.7.29](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html) | [5.7.29](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html)|
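Review bot: same table as in the supported-versions article: the alignment row `|:-|:-|:|` has an invalid third delimiter cell and should be `|:-|:-|:-|`; also "(Retired)" is attached to the 5.6.47 link here without the space used in the other copy of this table, worth aligning the two.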
mysql Howto Auto Grow Storage Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/howto-auto-grow-storage-cli.md
# Auto-grow Azure Database for MySQL storage using the Azure CLI This article describes how you can configure an Azure Database for MySQL server storage to grow without impacting the workload.
-The server [reaching the storage limit](./concepts-pricing-tiers.md#reaching-the-storage-limit), is set to read-only. If storage auto grow is enabled then for servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 5% of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
+The server [reaching the storage limit](./concepts-pricing-tiers.md#reaching-the-storage-limit), is set to read-only. If storage auto grow is enabled then for servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 10GB of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
## Prerequisites
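Review bot: "below 10GB of the provisioned storage size" mixes an absolute threshold with the old percentage phrasing; end the sentence at "below 10 GB" and put a space before the unit, matching "5 GB" and "1 GB" earlier in the sentence.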
az mysql server create --resource-group myresourcegroup --name mydemoserver --a
## Next steps
-Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
+Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
mysql Howto Auto Grow Storage Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/howto-auto-grow-storage-portal.md
Last updated 3/18/2020
# Auto grow storage in Azure Database for MySQL using the Azure portal This article describes how you can configure an Azure Database for MySQL server storage to grow without impacting the workload.
-When a server reaches the allocated storage limit, the server is marked as read-only. However, if you enable storage auto grow, the server storage increases to accommodate the growing data. For servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 5% of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
+When a server reaches the allocated storage limit, the server is marked as read-only. However, if you enable storage auto grow, the server storage increases to accommodate the growing data. For servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 10GB of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
## Prerequisites To complete this how-to guide, you need:
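Review bot: "below 10GB of the provisioned storage size" should be "below 10 GB"; the trailing "of the provisioned storage size" only makes sense with the percentage it replaced, and the unit needs the space used elsewhere in the sentence.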
Follow these steps to set MySQL server storage auto grow:
## Next steps
-Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
+Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
network-watcher Migrate To Connection Monitor From Connection Monitor Classic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/network-watcher/migrate-to-connection-monitor-from-connection-monitor-classic.md
The migration helps produce the following results:
## Prerequisites
-If you're using a custom workspace, ensure that Network Watcher is enabled in your subscription and in the region of your Log Analytics workspace.
+1. If you're using a custom workspace, ensure that Network Watcher is enabled in your subscription and in the region of your Log Analytics workspace. If not you will see an error stating "Before you attempt migrate, please enable Network watcher extension in selection subscription and location of LA workspace selected."
+1. In case virtual machines used as sources in connection monitor (classic) no longer have the Network Watcher extension enabled, you will see an error message stating "Connection monitors having following tests cannot be imported as one or more azure virtual machines don't have network watcher extension installed. Install network watcher extension and click refresh to import them."
++ ## Migrate the connection monitors
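Review bot: "If not you will see an error" needs a comma ("If not, you will see"), and the second prerequisite would read better as "If virtual machines used as sources in Connection Monitor (classic) no longer have the Network Watcher extension installed, you will see ...". The quoted portal strings ("attempt migrate", "selection subscription") look like they carry typos from the product; verify them against the portal and quote them verbatim if they really read that way, otherwise correct them here, but do not leave a half-corrected quote.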
network-watcher Migrate To Connection Monitor From Network Performance Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/network-watcher/migrate-to-connection-monitor-from-network-performance-monitor.md
The migration helps produce the following results:
## Prerequisites
-* Ensure that Network Watcher is enabled in your subscription and the region of the Log Analytics workspace.
+* Ensure that Network Watcher is enabled in your subscription and the region of the Log Analytics workspace. If not done, you will see an error stating "Before you attempt migrate, please enable Network watcher extension in selection subscription and location of LA workspace selected."
* In case Azure VM belonging to a different region/subscription than that of Log Analytics workspace is used as an endpoint, make sure Network Watcher is enabled for that subscription and region. * Azure virtual machines with Log Analytics agents installed must be enabled with the Network Watcher extension.
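Review bot: "If not done, you will see an error stating" is awkward; suggest "If it is not enabled, you will see the error ...". The quoted message is the same string quoted in the Connection Monitor (classic) migration article in this change, so both copies should be checked against the portal text and kept identical.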
To migrate the tests from Network Performance Monitor to Connection Monitor, do
1. In the drop-down lists, select your subscription and workspace, and then select the NPM feature you want to migrate. 1. Select **Import** to migrate the tests.
+* If NPM is not enabled on the workspace, you will see an error stating "No valid NPM config found".
+* If no tests exist in the feature you chose in step2 , you will see an error stating "Workspace selected does not have <feature> config".
+* If there are no valid tests, you will see an error stating "Workspace selected does not have valid tests"
+* Your tests may contain agents that are no longer active, but may have been active in the past. You will see an error stating "Few tests contain agents that are no longer active. List of inactive agents - {0}. These agents may be running in the past but are shut down/not running any more. Enable agents and migrate to Connection Monitor. Click continue to migrate the tests that do not contain agents that are not active."
After the migration begins, the following changes take place: * A new connection monitor resource is created.
After the migration, be sure to:
To learn more about Connection Monitor, see: * [Migrate from Connection Monitor (classic) to Connection Monitor](./migrate-to-connection-monitor-from-connection-monitor-classic.md)
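Review bot: `<feature>` in "Workspace selected does not have <feature> config" will be parsed as an HTML tag by the docs renderer and vanish from the rendered page; wrap it in backticks or escape it as `\<feature>`. Also "step2 ," should be "step 2,", the third bullet is missing its final period, and "{0}" in the last bullet is a string-format placeholder from the source code; either keep it only if the portal really displays it literally or replace it with "a list of the inactive agents".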
-* [Create Connection Monitor by using the Azure portal](./connection-monitor-create-using-portal.md)
+* [Create Connection Monitor by using the Azure portal](./connection-monitor-create-using-portal.md)
openshift Howto Restrict Egress https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/openshift/howto-restrict-egress.md
+
+ Title: Restrict egress traffic in an Azure Red Hat OpenShift (ARO) cluster
+description: Learn what ports and addresses are required to control egress traffic in Azure Red Hat OpenShift (ARO)
++++ Last updated : 04/09/2021+
+# Control egress traffic for your Azure Red Hat OpenShift (ARO) cluster (preview)
+
+This article provides the necessary details that allow you to secure outbound traffic from your Azure Red Hat OpenShift cluster (ARO). It contains the cluster requirements for a basic ARO deployment, and more requirements for optional Red Hat and third-party components. An [example](#private-aro-cluster-setup) will be provided at the end on how to configure these requirements with Azure Firewall. Keep in mind, you can apply this information to Azure Firewall or to any outbound restriction method or appliance.
+
+## Before you begin
+
+This article assumes that you're creating a new cluster. If you need a basic ARO cluster, see the [ARO quickstart](https://docs.microsoft.com/azure/openshift/tutorial-create-cluster).
+
+> [!IMPORTANT]
+> ARO preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. ARO previews are partially covered by customer support on a best-effort basis.
+
+## Minimum Required FQDN / application rules
+
+This list is based on the list of FQDNs found in the OpenShift docs here: https://docs.openshift.com/container-platform/4.6/installing/install_config/configuring-firewall.html
+
+The following FQDN / application rules are required:
+
+| Destination FQDN | Port | Use |
+| -- | -- | - |
+| **`quay.io`** | **HTTPS:443** | Mandatory for the installation, used by the cluster. This is used by the cluster to download the platform container images. |
+| **`registry.redhat.io`** | **HTTPS:443** | Mandatory for core add-ons. This is used by the cluster to download core components such as dev tools, operator-based add-ons, and Red Hat provided container images.
+| **`mirror.openshift.com`** | **HTTPS:443** | This is required in the VDI environment or your laptop to access mirrored installation content and images. It's required in the cluster to download platform release signatures to know what images to pull from quay.io. |
+| **`api.openshift.com`** | **HTTPS:443** | Required by the cluster to check if there are available updates before downloading the image signatures. |
+| **`arosvc.azurecr.io`** | **HTTPS:443** | Internal Private registry for ARO Operators. Required if you do not allow the service-endpoints Microsoft.ContainerRegistry on your subnets. |
+| **`management.azure.com`** | **HTTPS:443** | This is used by the cluster to access Azure APIs. |
+| **`login.microsoftonline.com`** | **HTTPS:443** | This is used by the cluster for authentication to Azure. |
+| **`gcs.prod.monitoring.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
+| **`*.blob.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
+| **`*.servicebus.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
+| **`*.table.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
+
+> [!NOTE]
+> For many customers exposing *.blob, *.table and other large address spaces creates a potential data exfiltration concern. You may want to consider using the [OpenShift Egress Firewall](https://docs.openshift.com/container-platform/4.6/networking/openshift_sdn/configuring-egress-firewall.html) to protect applications deployed in the cluster from reaching these destinations and use Azure Private Link for specific application needs.
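Review bot: the `registry.redhat.io` row is missing its closing `|`, so the Use column of that row may not render. The link to `https://docs.microsoft.com/azure/openshift/tutorial-create-cluster` in "Before you begin" should be a relative link like the `../virtual-network/...` links used further down, otherwise the build cannot validate it. The exfiltration note is the most security-relevant sentence in this article: the `*.blob.core.windows.net`, `*.servicebus.windows.net` and `*.table.core.windows.net` wildcards match every customer's storage and Service Bus endpoints, not only the monitoring ones; consider stating that explicitly and placing the note before the table, so that someone copying the rows into an application rule also takes the Egress Firewall recommendation with them.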
+++
+## Complete list of required and optional FQDNs
+
+### FIRST GROUP: INSTALLING AND DOWNLOADING PACKAGES AND TOOLS
+
+- **`quay.io`**: Mandatory for the installation, used by the cluster. This is used by the cluster to download the platform container images.
+- **`registry.redhat.io`**: Mandatory for core add-ons. This is used by the cluster to download core components such as dev tools, operator-based add-ons, or Red Hat provided container images such as our middleware, the Universal Base Image...
+- **`sso.redhat.com`**: This one is required in the VDI environment or your laptop to connect to cloud.redhat.com. This is the site where we can download the pull secret, and use some of the SaaS solutions we offer in Red Hat to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, among other things.
+- **`openshift.org`**: This one is required in the VDI environment or your laptop to connect to download RH CoreOS images, but in Azure they are picked from the marketplace, there is no need to download OS images.
+++
+### SECOND GROUP: TELEMETRY
+
+All this section can be opted out, but before we know how, please check what it is: https://docs.openshift.com/container-platform/4.6/support/remote_health_monitoring/about-remote-health-monitoring.html
+- **`cert-api.access.redhat.com`**: Use in your VDI or laptop environment.
+- **`api.access.redhat.com`**: Use in your VDI or laptop environment.
+- **`infogw.api.openshift.com`**: Use in your VDI or laptop environment.
+- **`https://cloud.redhat.com/api/ingress`**: Use in the cluster for the insights operator who integrates with the aaS Red Hat Insights.
+In OpenShift Container Platform, customers can opt out of reporting health and usage information. However, connected clusters allow Red Hat to react more quickly to problems and better support our customers, and better understand how product upgrades clusters. Check details here: https://docs.openshift.com/container-platform/4.6/support/remote_health_monitoring/opting-out-of-remote-health-reporting.html.
+++
+### THIRD GROUP: CLOUD APIs
+
+- **`management.azure.com`**: This is used by the cluster to access Azure APIs.
+++
+### FOURTH GROUP: OTHER OPENSHIFT REQUIREMENTS
+
+- **`mirror.openshift.com`**: This one is required in the VDI environment or your laptop to access mirrored installation content and images and required in the cluster to download platform release signatures, used by the cluster to know what images to pull from quay.io.
+- **`storage.googleapis.com/openshift-release`**: Alternative site to download platform release signatures, used by the cluster to know what images to pull from quay.io.
+- **`*.apps.<cluster_name>.<base_domain>`** (OR EQUIVALENT ARO URL): When allowlisting domains, this is use in your corporate network to reach applications deployed in OpenShift, or to access the OpenShift console.
+- **`api.openshift.com`**: Required by the cluster to check if there are available updates before downloading the image signatures.
+- **`registry.access.redhat.com`**: Registry access is required in your VDI or laptop environment to download dev images when using the ODO CLI tool. (This CLI tool is an alternative CLI tool for developers who aren't familiar with kubernetes). https://docs.openshift.com/container-platform/4.6/cli_reference/developer_cli_odo/understanding-odo.html
+++
+### FIFTH GROUP: MICROSOFT & RED HAT ARO MONITORING SERVICE
+
+- **`login.microsoftonline.com`**: This is used by the cluster for authentication to Azure.
+- **`gcs.prod.monitoring.core.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
+- **`*.blob.core.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
+- **`*.servicebus.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
+- **`*.table.core.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
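Review bot: several wording defects in the grouped lists: "this is use in your corporate network" (the `*.apps.<cluster_name>.<base_domain>` bullet) should be "this is used"; "better understand how product upgrades clusters" in the telemetry paragraph is missing words; the `registry.redhat.io` bullet trails off with "the Universal Base Image..."; "the aaS Red Hat Insights" presumably means "the Red Hat Insights SaaS"; and "the SaaS solutions we offer in Red Hat" is written in Red Hat's voice rather than the docs' voice. The all-caps "FIRST GROUP:" style headings and the "Before:" / "After:" headings with colons do not follow the heading style used elsewhere in the file. `https://cloud.redhat.com/api/ingress` is a URL, not an FQDN; for an application-rule list give `cloud.redhat.com` as the destination and the path in the description.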
+
+## ARO integrations
+
+### Azure Monitor for containers
+
+There are two options to provide access to Azure Monitor for containers, you may allow the Azure Monitor [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) **or** provide access to the required FQDN/Application Rules. Here are the [instructions](https://docs.microsoft.com/azure/azure-monitor/containers/container-insights-azure-redhat4-setup) on how to add Azure Monitor to your existing ARO cluster.
+
+#### Required network rules
+
+The following FQDN / application rules are required:
+
+| Destination Endpoint | Protocol | Port | Use |
+|-|-|||
+| [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - **`AzureMonitor:443`** | TCP | 443 | This endpoint is used to send metrics data and logs to Azure Monitor and Log Analytics. |
+
+#### Required FQDN / application rules
+
+The following FQDN / application rules are required for ARO clusters that have the Azure Monitor for containers enabled:
+
+| FQDN | Port | Use |
+|--|--|-|
+| **`dc.services.visualstudio.com`** | **`HTTPS:443`** | This endpoint is used for metrics and monitoring telemetry using Azure Monitor. |
+| **`*.ods.opinsights.azure.com`** | **`HTTPS:443`** | This endpoint is used by Azure Monitor for ingesting log analytics data. |
+| **`*.oms.opinsights.azure.com`** | **`HTTPS:443`** | This endpoint is used by omsagent, which is used to authenticate the log analytics service. |
+| **`*.monitoring.azure.com`** | **`HTTPS:443`** | This endpoint is used to send metrics data to Azure Monitor. |
++
+## Private ARO cluster setup
+The goal is to secure ARO cluster by routing Egress traffic through an Azure Firewall
+### Before:
+![Before](media/concepts-networking/aro-private.jpg)
+### After:
+![After](media/concepts-networking/aro-fw.jpg)
+
+## Create a private ARO cluster
+
+### Set up VARS for your environment
+```bash
+
+CLUSTER=aro-cluster # Name of your created cluster
+RESOURCEGROUP=aro-rg # The name of your resource group where you created the ARO cluster
+AROVNET=aro-vnet # The name of your vnet from your created ARO cluster
+JUMPSUBNET=jump-subnet
+LOCATION=eastus # The location where ARO cluster is deployed
+
+```
+
+### Create a resource group
+```bash
+az group create -g "$RESOURCEGROUP" -l $LOCATION
+```
+
+### Create the virtual network
+```bash
+az network vnet create \
+ -g $RESOURCEGROUP \
+ -n $AROVNET \
+ --address-prefixes 10.0.0.0/8
+```
+
+### Add two empty subnets to your virtual network
+```bash
+ az network vnet subnet create \
+ -g "$RESOURCEGROUP" \
+ --vnet-name $AROVNET \
+ -n "$CLUSTER-master" \
+ --address-prefixes 10.10.1.0/24 \
+ --service-endpoints Microsoft.ContainerRegistry
+
+ az network vnet subnet create \
+ -g $RESOURCEGROUP \
+ --vnet-name $AROVNET \
+ -n "$CLUSTER-worker" \
+ --address-prefixes 10.20.1.0/24 \
+ --service-endpoints Microsoft.ContainerRegistry
+```
+
+### Disable network policies for Private Link Service on your virtual network and subnets. This is a requirement for the ARO service to access and manage the cluster.
+```bash
+az network vnet subnet update \
+ -g "$RESOURCEGROUP" \
+ --vnet-name $AROVNET \
+ -n "$CLUSTER-master" \
+ --disable-private-link-service-network-policies true
+```
+### Create a Firewall Subnet
+```bash
+az network vnet subnet create \
+ -g "$RESOURCEGROUP" \
+ --vnet-name $AROVNET \
+ -n "AzureFirewallSubnet" \
+ --address-prefixes 10.100.1.0/26
+```
+
+## Create a jump-host VM
+### Create a jump-subnet
+```bash
+ az network vnet subnet create \
+ -g "$RESOURCEGROUP" \
+ --vnet-name $AROVNET \
+ -n $JUMPSUBNET \
+ --address-prefixes 10.30.1.0/24 \
+ --service-endpoints Microsoft.ContainerRegistry
+```
+### Create a jump-host VM
+```bash
+VMUSERNAME=aroadmin
+
+az vm create --name ubuntu-jump \
+ --resource-group $RESOURCEGROUP \
+ --ssh-key-values ~/.ssh/id_rsa.pub \
+ --admin-username $VMUSERNAME \
+ --image UbuntuLTS \
+ --subnet $JUMPSUBNET \
+ --public-ip-address jumphost-ip \
+ --vnet-name $AROVNET
+```
+
+## Create an Azure Red Hat OpenShift cluster
+### Get a Red Hat pull secret (optional)
+
+A Red Hat pull secret enables your cluster to access Red Hat container registries along with other content. This step is optional but recommended.
+
+1. **[Go to your Red Hat OpenShift cluster manager portal](https://cloud.redhat.com/openshift/install/azure/aro-provisioned) and log in.**
+
+ You will need to log in to your Red Hat account or create a new Red Hat account with your business email and accept the terms and conditions.
+
+2. **Click Download pull secret.**
+
+Keep the saved `pull-secret.txt` file somewhere safe - it will be used in each cluster creation.
+
+When running the `az aro create` command, you can reference your pull secret using the `--pull-secret @pull-secret.txt` parameter. Execute `az aro create` from the directory where you stored your `pull-secret.txt` file. Otherwise, replace `@pull-secret.txt` with `@<path-to-my-pull-secret-file`.
+
+If you are copying your pull secret or referencing it in other scripts, your pull secret should be formatted as a valid JSON string.
+
+```bash
+az aro create \
+ -g "$RESOURCEGROUP" \
+ -n "$CLUSTER" \
+ --vnet $AROVNET \
+ --master-subnet "$CLUSTER-master" \
+ --worker-subnet "$CLUSTER-worker" \
+ --apiserver-visibility Private \
+ --ingress-visibility Private \
+ --pull-secret @pull-secret.txt
+```
+
+## Create an Azure Firewall
+
+### Create a public IP Address
+```bash
+az network public-ip create -g $RESOURCEGROUP -n fw-ip --sku "Standard" --location $LOCATION
+```
+### Update install Azure Firewall extension
+```bash
+az extension add -n azure-firewall
+az extension update -n azure-firewall
+```
+
+### Create Azure Firewall and configure IP Config
+```bash
+az network firewall create -g $RESOURCEGROUP -n aro-private -l $LOCATION
+az network firewall ip-config create -g $RESOURCEGROUP -f aro-private -n fw-config --public-ip-address fw-ip --vnet-name $AROVNET
+
+```
+
+### Capture Azure Firewall IPs for a later use
+```bash
+FWPUBLIC_IP=$(az network public-ip show -g $RESOURCEGROUP -n fw-ip --query "ipAddress" -o tsv)
+FWPRIVATE_IP=$(az network firewall show -g $RESOURCEGROUP -n aro-private --query "ipConfigurations[0].privateIpAddress" -o tsv)
+
+echo $FWPUBLIC_IP
+echo $FWPRIVATE_IP
+```
+
+### Create a UDR and Routing Table for Azure Firewall
+```bash
+az network route-table create -g $RESOURCEGROUP --name aro-udr
+
+az network route-table route create -g $RESOURCEGROUP --name aro-udr --route-table-name aro-udr --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address $FWPRIVATE_IP
+```
+
+### Add Application Rules for Azure Firewall
+Rule for OpenShift to work based on this [list](https://docs.openshift.com/container-platform/4.3/installing/install_config/configuring-firewall.html#configuring-firewall_configuring-firewall):
+```bash
+az network firewall application-rule create -g $RESOURCEGROUP -f aro-private \
+ --collection-name 'ARO' \
+ --action allow \
+ --priority 100 \
+ -n 'required' \
+ --source-addresses '*' \
+ --protocols 'http=80' 'https=443' \
+ --target-fqdns 'registry.redhat.io' '*.quay.io' 'sso.redhat.com' 'management.azure.com' 'mirror.openshift.com' 'api.openshift.com' 'quay.io' '*.blob.core.windows.net' 'gcs.prod.monitoring.core.windows.net' 'registry.access.redhat.com' 'login.microsoftonline.com' '*.servicebus.windows.net' '*.table.core.windows.net' 'grafana.com'
+```
+Optional rules for Docker images:
+```bash
+az network firewall application-rule create -g $RESOURCEGROUP -f aro-private \
+ --collection-name 'Docker' \
+ --action allow \
+ --priority 200 \
+ -n 'docker' \
+ --source-addresses '*' \
+ --protocols 'http=80' 'https=443' \
+ --target-fqdns '*cloudflare.docker.com' '*registry-1.docker.io' 'apt.dockerproject.org' 'auth.docker.io'
+```
+
+### Associate ARO Subnets to FW
+```bash
+az network vnet subnet update -g $RESOURCEGROUP --vnet-name $AROVNET --name "$CLUSTER-master" --route-table aro-udr
+az network vnet subnet update -g $RESOURCEGROUP --vnet-name $AROVNET --name "$CLUSTER-worker" --route-table aro-udr
+```
+
+## Test the configuration from the Jumpbox
+These steps work only if you added rules for Docker images.
+### Configure the jumpbox
+Log into a jumpbox VM and install `azure-cli`, `oc-cli`, and `jq` utils. For the installation of openshift-cli, check the Red Hat customer portal.
+```bash
+#Install Azure-cli
+curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+#Install jq
+sudo apt install jq -y
+```
+### Log into the ARO cluster
+List cluster credentials:
+```bash
+
+# Login to Azure
+az login
+# Set Vars in Jumpbox
+CLUSTER=aro-cluster # Name of your created cluster
+RESOURCEGROUP=aro-rg # The name of your resource group where you created the ARO cluster
+
+#Get the cluster credentials
+ARO_PASSWORD=$(az aro list-credentials -n $CLUSTER -g $RESOURCEGROUP -o json | jq -r '.kubeadminPassword')
+ARO_USERNAME=$(az aro list-credentials -n $CLUSTER -g $RESOURCEGROUP -o json | jq -r '.kubeadminUsername')
+```
+Get an API server endpoint:
+```bash
+ARO_URL=$(az aro show -n $CLUSTER -g $RESOURCEGROUP -o json | jq -r '.apiserverProfile.url')
+```
+
+### Download the oc CLI to the jumpbox
+```bash
+cd ~
+wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz
+
+mkdir openshift
+tar -zxvf openshift-client-linux.tar.gz -C openshift
+echo 'export PATH=$PATH:~/openshift' >> ~/.bashrc && source ~/.bashrc
+```
+
+Log in using `oc login`:
+```bash
+oc login $ARO_URL -u $ARO_USERNAME -p $ARO_PASSWORD
+```
+
+### Run CentOS to test outside connectivity
+Create a pod
+```bash
+cat <<EOF | oc apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+ name: centos
+spec:
+ containers:
+ - name: centos
+ image: centos
+ ports:
+ - containerPort: 80
+ command:
+ - sleep
+ - "3600"
+EOF
+```
+Once the pod is running, exec into it and test outside connectivity.
+
+```bash
+oc exec -it centos -- /bin/bash
+curl microsoft.com
+```
+
+## Access the web console of the private cluster
+
+### Set up ssh forwards commands
+
+```bash
+sudo ssh -i $SSH_PATH -L 443:$CONSOLE_URL:443 aroadmin@$JUMPHOST
+
+example:
+sudo ssh -i /Users/jimzim/.ssh/id_rsa -L 443:console-openshift-console.apps.d5xm5iut.eastus.aroapp.io:443 aroadmin@104.211.18.56
+```
+
+### Modify the etc. hosts file on your local machine
+```bash
+##
+# Host Database
+#
+127.0.0.1 console-openshift-console.apps.d5xm5iut.eastus.aroapp.io
+127.0.0.1 oauth-openshift.apps.d5xm5iut.eastus.aroapp.io
+```
+
+### Use sshuttle as another option
+
+[SSHuttle](https://github.com/sshuttle/sshuttle)
++
+## Clean up resources
+
+```bash
+
+# Clean up the ARO cluster, vnet, firewall and jumpbox
+
+# Remove udr from master and worker subnets first or will get error when deleting ARO cluster
+az network vnet subnet update --vnet-name $AROVNET -n aro-cluster-master -g $RESOURCEGROUP --route-table aro-udr --remove routeTable
+az network vnet subnet update --vnet-name $AROVNET -n aro-cluster-worker -g $RESOURCEGROUP --route-table aro-udr --remove routeTable
+
+# Remove ARO Cluster
+az aro delete -n $CLUSTER -g $RESOURCEGROUP
+
+# Remove the resource group that contains the firewall, jumpbox and vnet
+az group delete -n $RESOURCEGROUP
+```
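Review bot: in the "Clean up resources" block, the two `az network vnet subnet update` calls pass both `--route-table aro-udr` and `--remove routeTable`, which asks the CLI to set and clear the same property in one call; drop `--route-table aro-udr`, keep `--remove routeTable`, and use `"$CLUSTER-master"` / `"$CLUSTER-worker"` as the rest of the page does rather than the hardcoded `aro-cluster-master` / `aro-cluster-worker`. Further points in the same hunk: the snippet under "Set up ssh forwards commands" uses `$SSH_PATH`, `$CONSOLE_URL` and `$JUMPHOST`, none of which is set anywhere on the page, and its example line carries a personal key path (`/Users/jimzim/.ssh/id_rsa`), a concrete cluster domain and a concrete public IP; replace those with `<placeholder>` values and say where the reader obtains the console hostname. The heading "Modify the etc. hosts file" should read "/etc/hosts"; `@<path-to-my-pull-secret-file` is missing its closing `>`; the "Disable network policies for Private Link Service ..." heading is a full paragraph and the requirement sentence belongs in the body under a short heading. In the `ARO` and `Docker` application rules, `--source-addresses '*'` could be narrowed to the master and worker prefixes already defined on the page (`10.10.1.0/24`, `10.20.1.0/24`) so the allow list applies only to the cluster subnets. Finally, "Run CentOS to test outside connectivity" should state the expected result: `microsoft.com` appears in neither rule collection, so `curl microsoft.com` should be denied by the firewall when the route table and rules are in effect, and a successful response would indicate the egress path is not going through it.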
postgresql Concepts Hyperscale Configuration Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/concepts-hyperscale-configuration-options.md
available to the basic tier node.
Hyperscale (Citus) server groups are available in the following Azure regions: * Americas:
+ * Brazil South
* Canada Central * Central US * East US *
Hyperscale (Citus) server groups are available in the following Azure regions:
* Korea Central * Southeast Asia * Europe:
+ * France Central
* North Europe * UK South * West Europe
postgresql Howto Auto Grow Storage Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/howto-auto-grow-storage-cli.md
# Auto-grow Azure Database for PostgreSQL storage - Single Server using the Azure CLI This article describes how you can configure an Azure Database for PostgreSQL server storage to grow without impacting the workload.
-The server [reaching the storage limit](./concepts-pricing-tiers.md#reaching-the-storage-limit), is set to read-only. If storage auto grow is enabled then for servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 5% of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
+The server [reaching the storage limit](./concepts-pricing-tiers.md#reaching-the-storage-limit), is set to read-only. If storage auto grow is enabled then for servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 10GB of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
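Review bot: the new wording "below 10GB of the provisioned storage size" mixes an absolute amount with a fraction-of phrase; it should read "when the free storage space is below 10 GB", with a space before the unit to match "5 GB" and "100 GB" earlier in the same sentence. While here, the comma in "The server [reaching the storage limit], is set to read-only" separates subject from verb and should be removed.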
## Prerequisites
az postgres server create --resource-group myresourcegroup --name mydemoserver
## Next steps
-Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
+Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
postgresql Howto Auto Grow Storage Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/howto-auto-grow-storage-portal.md
Last updated 5/29/2019
# Auto grow storage using the Azure portal in Azure Database for PostgreSQL - Single Server This article describes how you can configure an Azure Database for PostgreSQL server storage to grow without impacting the workload.
-When a server reaches the allocated storage limit, the server is marked as read-only. However, if you enable storage auto grow, the server storage increases to accommodate the growing data. For servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 5% of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
+When a server reaches the allocated storage limit, the server is marked as read-only. However, if you enable storage auto grow, the server storage increases to accommodate the growing data. For servers with less than 100 GB provisioned storage, the provisioned storage size is increased by 5 GB as soon as the free storage is below the greater of 1 GB or 10% of the provisioned storage. For servers with more than 100 GB of provisioned storage, the provisioned storage size is increased by 5% when the free storage space is below 10GB of the provisioned storage size. Maximum storage limits as specified [here](./concepts-pricing-tiers.md#storage) apply.
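Review bot: same wording problem as the CLI article in this commit: "below 10GB of the provisioned storage size" should be "below 10 GB" (space before the unit, as in "5 GB" and "100 GB" in the same sentence), and "of the provisioned storage size" no longer applies once the threshold is an absolute amount instead of a percentage.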
## Prerequisites To complete this how-to guide, you need:
Follow these steps to set PostgreSQL server storage auto grow:
## Next steps
-Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
+Learn about [how to create alerts on metrics](howto-alert-on-metric.md).
postgresql Howto Restore Dropped Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/howto-restore-dropped-server.md
To restore a dropped Azure Database for PostgreSQL server, you need following:
![Create server using REST API](./media/howto-restore-dropped-server/create-server-from-rest-api-azure.png)
- 6. Scroll below on Request Body section and paste the following replacing the "Dropped server Location", "submissionTimestamp", and "resourceId". For "restorePointInTime", specify a value of "submissionTimestamp" minus **15 minutes** to ensure the command does not error out.
+ 6. Scroll below on Request Body section and paste the following replacing the "Dropped server Location"(e.g. CentralUS, EastUS etc.), "submissionTimestamp", and "resourceId". For "restorePointInTime", specify a value of "submissionTimestamp" minus **15 minutes** to ensure the command does not error out.
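Review bot: missing space before the parenthesis in `"Dropped server Location"(e.g. CentralUS, EastUS etc.)`, and "e.g." together with "etc." is redundant; suggest `"Dropped server Location" (for example, CentralUS or EastUS)`. "Scroll below on Request Body section" also reads awkwardly; "Scroll down to the Request Body section" is what is meant.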
```json {
private-link Create Private Endpoint Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/create-private-endpoint-cli.md
az vm create \
--admin-username azureuser ``` + ## Create private endpoint In this section, you'll create the private endpoint.
private-link Create Private Endpoint Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/create-private-endpoint-portal.md
In this section, you'll create a virtual machine that will be used to test the p
6. Review the settings, and then select **Create**. + ## Create a Private Endpoint In this section, you'll create a Private Endpoint for the web app you created in the prerequisites section.
private-link Create Private Endpoint Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/create-private-endpoint-powershell.md
New-AzVMConfig @parameters2 | Set-AzVMOperatingSystem -Windows @parameters3 | Se
New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig ``` + ## Create private endpoint In this section, you'll create the private endpoint and connection using:
private-link Inspect Traffic With Azure Firewall https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/inspect-traffic-with-azure-firewall.md
Replace the following parameters in the steps with the information below:
7. When you see the **Validation passed** message, select **Create**. + ## Deploy the Firewall 1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
private-link Tutorial Private Endpoint Cosmosdb Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/tutorial-private-endpoint-cosmosdb-portal.md
In this section, you'll create a virtual machine that will be used to test the p
6. Review the settings, and then select **Create**. + ## Create a Cosmos DB account with a private endpoint In this section, you'll create a Cosmos DB account and configure the private endpoint.
private-link Tutorial Private Endpoint Sql Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/tutorial-private-endpoint-sql-cli.md
az vm create \
--admin-username azureuser ``` + ## Create an Azure SQL server In this section, you'll create a SQL server and database.
private-link Tutorial Private Endpoint Sql Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/tutorial-private-endpoint-sql-portal.md
In this section, you'll create a virtual machine that will be used to test the p
6. Review the settings, and then select **Create**. + ## <a name ="create-a-private-endpoint"></a>Create an Azure SQL server and private endpoint In this section, you'll create a SQL server in Azure.
private-link Tutorial Private Endpoint Sql Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/tutorial-private-endpoint-sql-powershell.md
New-AzVMConfig @parameters2 | Set-AzVMOperatingSystem -Windows @parameters3 | Se
New-AzVM -ResourceGroupName 'CreateSQLEndpointTutorial-rg' -Location 'eastus' -VM $vmConfig ``` + ## Create an Azure SQL server In this section, you'll create a SQL server and database using:
private-link Tutorial Private Endpoint Storage Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/tutorial-private-endpoint-storage-portal.md
In this section, you'll create a virtual machine that will be used to test the p
6. Review the settings, and then select **Create**. + ## Create storage account with a private endpoint In this section, you'll create a storage account and configure the private endpoint.
private-link Tutorial Private Endpoint Webapp Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/private-link/tutorial-private-endpoint-webapp-portal.md
In this section, you'll create a virtual machine that will be used to test the p
6. Review the settings, and then select **Create**. + ## Create web app In this section, you'll create a web app.
role-based-access-control Role Assignments Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/role-based-access-control/role-assignments-rest.md
The following shows an example of the output:
If you create a new service principal and immediately try to assign a role to that service principal, that role assignment can fail in some cases. For example, if you create a new managed identity and then try to assign a role to that service principal, the role assignment might fail. The reason for this failure is likely a replication delay. The service principal is created in one region; however, the role assignment might occur in a different region that hasn't replicated the service principal yet.
-To address this scenario, you should set the `principalType` property to `ServicePrincipal` when creating the role assignment. You must also set the `apiVersion` of the role assignment to `2018-09-01-preview` or later.
+To address this scenario, use the [Role Assignments - Create](/rest/api/authorization/roleassignments/create) REST API and set the `principalType` property to `ServicePrincipal`. You must also set the `apiVersion` to `2018-09-01-preview` or later.
```http
-PUT https://management.azure.com/subscriptions/{subscriptionId1}/providers/microsoft.authorization/roleassignments/{roleAssignmentId1}?api-version=2018-09-01-preview
+PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2018-09-01-preview
``` ```json
route-server Quickstart Configure Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/route-server/quickstart-configure-template.md
Multiple Azure resources have been defined in the template:
* [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualNetworks) * [**Microsoft.Network/virtualNetworks/subnets**](/azure/templates/microsoft.network/virtualNetworks/subnets) (two subnets, one named `routeserversubnet`)
-* [**Microsoft.Network/virtualHubs**](/azure.templates/microsoft.network/virtualhubs) (Route Server deployment)
-* [**Microsoft.Network/virtualHubs/ipConfigurations**](/azure.templates/microsoft.network/virtualhubs/ipConfigurations)
-* [**Microsoft.Network/virtualHubs/bgpConnections**](/azure.templates/microsoft.network/virtualhubs/bgpConnections) (Peer ASN and Peer IP configuration)
+* [**Microsoft.Network/virtualHubs**](/azure/templates/microsoft.network/virtualhubs) (Route Server deployment)
+* [**Microsoft.Network/virtualHubs/ipConfigurations**](/azure/templates/microsoft.network/virtualhubs/ipConfigurations)
+* [**Microsoft.Network/virtualHubs/bgpConnections**](/azure/templates/microsoft.network/virtualhubs/bgpconnections) (Peer ASN and Peer IP configuration)
To find more templates that are related to ExpressRoute, see [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Network&pageNumber=1&sort=Popular).
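Review bot: the trailing sentence "To find more templates that are related to ExpressRoute" does not match this Route Server quickstart and should say "related to Route Server". The link repairs themselves (`/azure.templates/` to `/azure/templates/`) are correct; only `bgpconnections` ends up in a different case from the sibling `ipConfigurations` path, worth aligning for consistency.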
security-center Alerts Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/alerts-reference.md
Previously updated : 04/08/2021 Last updated : 04/13/2021
At the bottom of this page, there's a table describing the Azure Security Center
|**Failed SSH brute force attack**|Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.|-|Medium| |**Fileless Attack Behavior Detected**<br>(AppServices_FilelessAttackBehaviorDetection)| The memory of the process specified below contains behaviors commonly used by fileless attacks.<br>Specific behaviors include: {list of observed behaviors} | Execution | Medium | |**Fileless Attack Technique Detected**<br>(VM_FilelessAttackTechnique.Linux)| The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software.<br>Specific behaviors include: {list of observed behaviors} | Execution | High |
-|**Fileless Attack Toolkit Detected**<br>(VM_FilelessAttackToolkit.Linux)| The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult.<br>Specific behaviors include: {list of observed behaviors} | DefenseEvasion, Execution | High |
+|**Fileless Attack Toolkit Detected**<br>(VM_FilelessAttackToolkit.Linux)| The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult.<br>Specific behaviors include: {list of observed behaviors} | Defense Evasion, Execution | High |
|**Hidden file execution detected**|Analysis of host data indicates that a hidden file was executed by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host.|-|Informational| |**Indicators associated with DDOS toolkit detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services and taking full control over the infected system. This could also possibly be legitimate activity. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium| |**Indicators associated with DDOS toolkit detected**|Analysis of host data on %{Compromised Host} detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services and taking full control over the infected system. This could also possibly be legitimate activity.|-|Medium|
At the bottom of this page, there's a table describing the Azure Security Center
| **K8S API requests from proxy IP address detected**<br>(AKS_TI_Proxy) | Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP. | Execution | Low | | **Container with a sensitive volume mount detected**<br>(AKS_SensitiveMount) | Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. | Privilege Escalation | Medium | | **CoreDNS modification in Kubernetes detected**<br>(AKS_CoreDnsModification) | Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the clusterΓÇÖs DNS server and poison it. | Lateral Movement | Low |
-| **Creation of admission webhook configuration detected**<br>(AKS_AdmissionController) | Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook). | CredentialAccess, Persistence | Low |
+| **Creation of admission webhook configuration detected**<br>(AKS_AdmissionController) | Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook). | Credential Access, Persistence | Low |
| **Digital currency mining container detected**<br>(AKS_MaliciousContainerImage) | Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool. | Execution | High | | **Exposed Kubeflow dashboard detected**<br>(AKS_ExposedKubeflow) | The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: https://www.microsoft.com/security/blog/2020/06/10/misconfigured-kubeflow-workloads-are-a-security-risk | Initial Access | Medium | | **Exposed Kubernetes dashboard detected**<br>(AKS_ExposedDashboard) | Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat. | Initial Access | High |
Azure Defender alerts for container hosts aren't limited to the alerts below. Ma
## <a name="alerts-sql-db-and-warehouse"></a>Alerts for SQL Database and Azure Synapse Analytics
-[Further details and notes](defender-for-sql-introduction.md)| Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
+[Further details and notes](defender-for-sql-introduction.md)
+
+| Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
|-|-|:--:|-| | **A possible vulnerability to SQL Injection** | An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection. | - | Medium | | **Attempted logon by a potentially harmful application** | A potentially harmful application attempted to access SQL server '{name}'. | PreAttack | High |
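Review bot: the first row below the new table header still uses the unspaced tactic name `PreAttack`, while this same commit normalizes `DefenseEvasion` and `CredentialAccess` to `Defense Evasion` and `Credential Access`; use whatever spelling the `#intentions` section lists so the MITRE tactics column is consistent across tables. Moving the `| Alert | Description | ...` header onto its own line is the right fix, since Markdown only recognizes a table when the header row starts a line.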
Azure Defender alerts for container hosts aren't limited to the alerts below. Ma
[Further details and notes](defender-for-storage-introduction.md)
-| Alert (alert type) | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
-|-|-|:--:||
-| **Access from a Tor exit node to a storage account**<br>(Storage.Blob_TorAnomaly<br>Storage.Files_TorAnomaly) | Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Probing / Exploitation | High |
-| **Access from an unusual location to a storage account**<br>(Storage.Blob_GeoAnomaly<br>Storage.Files_GeoAnomaly) | Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exploitation | Low |
-| **Anonymous access to a storage account**<br>(Storage.Blob_AnonymousAccessAnomaly) | Indicates that there's a change in the access pattern to a storage account. For instance, the account has been accessed anonymously (without any authentication), which is unexpected compared to the recent access pattern on this account. A potential cause is that an attacker has exploited public read access to a container that holds blob storage.<br>Applies to: Azure Blob Storage | Exploitation | High |
-| **Potential malware uploaded to a storage account**<br>(Storage.Blob_MalwareHashReputation<br>Storage.Files_MalwareHashReputation) | Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.<br>Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)<br>Learn more about [Azure's hash reputation analysis for malware](defender-for-storage-introduction.md#what-is-hash-reputation-analysis-for-malware).<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684). | LateralMovement | High |
-| **PREVIEW ΓÇô Access from a suspicious IP address**<br>(Storage.Blob_SuspiciousIp<br>Storage.Files_SuspiciousIp) | Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence.<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Initial Access | Medium |
-| **PREVIEW ΓÇô Phishing content hosted on a storage account**<br>(Storage.Blob_PhishingContent<br>Storage.Files_PhishingContent) | A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365.<br>Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.<br>This alert is powered by Microsoft Threat Intelligence.<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).<br>Applies to: Azure Blob Storage, Azure Files | Collection | High |
-| **Unusual access inspection in a storage account**<br>(Storage.Blob_AccessInspectionAnomaly<br>Storage.Files_AccessInspectionAnomaly) | Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.<br>Applies to: Azure Blob Storage, Azure Files | Collection | Medium |
-| **Unusual amount of data extracted from a storage account**<br>(Storage.Blob_DataExfiltration.AmountOfDataAnomaly<br>Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly<br>Storage.Files_DataExfiltration.AmountOfDataAnomaly<br>Storage.Files_DataExfiltration.NumberOfFilesAnomaly) | Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exfiltration | Medium |
-| **Unusual application accessed a storage account**<br>(Storage.Blob_ApplicationAnomaly<br>Storage.Files_ApplicationAnomaly) | Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application.<br>Applies to: Azure Blob Storage, Azure Files | Exploitation | Medium |
-| **Unusual change of access permissions in a storage account**<br>(Storage.Blob_PermissionsChangeAnomaly<br>Storage.Files_PermissionsChangeAnomaly) | Indicates that the access permissions of this storage container have been changed in an unusual way. A potential cause is that an attacker has changed container permissions to weaken its security posture or to gain persistence.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Persistence | Medium |
-| **Unusual data exploration in a storage account**<br>(Storage.Blob_DataExplorationAnomaly<br>Storage.Files_DataExplorationAnomaly) | Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.<br>Applies to: Azure Blob Storage, Azure Files | Collection | Medium |
-| **Unusual deletion in a storage account**<br>(Storage.Blob_DeletionAnomaly<br>Storage.Files_DeletionAnomaly) | Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exfiltration | Medium |
-| **Unusual upload of .cspkg to a storage account**<br>(Storage.Blob_CspkgUploadAnomaly) | Indicates that an Azure Cloud Services package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.<br>Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2 | LateralMovement / Execution | Medium |
-| **Unusual upload of .exe to a storage account**<br>(Storage.Blob_ExeUploadAnomaly<br>Storage.Files_ExeUploadAnomaly) | Indicates that an .exe file has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has uploaded a malicious executable file to your storage account, or that a legitimate user has uploaded an executable file.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | LateralMovement / Execution | Medium |
-| | | | |
+| Alert (alert type) | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
+||-|:--:|-|
+| **PREVIEW ΓÇô Access from a suspicious IP address**<br>(Storage.Blob_SuspiciousIp<br>Storage.Files_SuspiciousIp) | Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence.<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Initial Access | Medium |
+| **PREVIEW - Anonymous scan of public storage containers**<br>(Storage.Blob_ContainerAnonymousScan)|A series of attempts were made to anonymously identify public containers in your storage account. This might indicate a reconnaissance attack, where the attacker scans your storage account to identify publicly accessible containers and then tries to find sensitive data inside them. <br>Applies to: Azure Blob Storage|PreAttack, Collection|Medium / High|
+| **PREVIEW ΓÇô Phishing content hosted on a storage account**<br>(Storage.Blob_PhishingContent<br>Storage.Files_PhishingContent) | A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365.<br>Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate.<br>This alert is powered by Microsoft Threat Intelligence.<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684).<br>Applies to: Azure Blob Storage, Azure Files | Collection | High |
+| **PREVIEW - Storage account identified as source for distribution of malware**<br>(Storage.Files_WidespreadeAm) | Antimalware alerts indicate that an infected file(s) is stored in an Azure file share that is mounted to multiple VMs. If attackers gain access to a VM with a mounted Azure file share, they can use it to spread malware to other VMs that mount the same share.<br>Applies to: Azure Files | Lateral Movement, Execution | High |
+| **PREVIEW - Storage account with potentially sensitive data has been detected with a publicly exposed container**<br>(Storage.Blob_OpenACL) | The access policy of a container in your storage account was modified to allow anonymous access. This might lead to a data breach if the container holds any sensitive data. This alert is based on analysis of Azure activity log.<br>Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2 | Privilege Escalation | Medium |
+| **Access from a Tor exit node to a storage account**<br>(Storage.Blob_TorAnomaly<br>Storage.Files_TorAnomaly) | Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Probing / Exploitation | High |
+| **Access from an unusual location to a storage account**<br>(Storage.Blob_GeoAnomaly<br>Storage.Files_GeoAnomaly) | Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exploitation | Low |
+| **Anonymous access to a storage account**<br>(Storage.Blob_AnonymousAccessAnomaly) | Indicates that there's a change in the access pattern to a storage account. For instance, the account has been accessed anonymously (without any authentication), which is unexpected compared to the recent access pattern on this account. A potential cause is that an attacker has exploited public read access to a container that holds blob storage.<br>Applies to: Azure Blob Storage | Exploitation | High |
+| **Potential malware uploaded to a storage account**<br>(Storage.Blob_MalwareHashReputation<br>Storage.Files_MalwareHashReputation) | Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.<br>Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)<br>Learn more about [Azure's hash reputation analysis for malware](defender-for-storage-introduction.md#what-is-hash-reputation-analysis-for-malware).<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684). | Lateral Movement | High |
+| **Unusual access inspection in a storage account**<br>(Storage.Blob_AccessInspectionAnomaly<br>Storage.Files_AccessInspectionAnomaly) | Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.<br>Applies to: Azure Blob Storage, Azure Files | Collection | Medium |
+| **Unusual amount of data extracted from a storage account**<br>(Storage.Blob_DataExfiltration.AmountOfDataAnomaly<br>Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly<br>Storage.Files_DataExfiltration.AmountOfDataAnomaly<br>Storage.Files_DataExfiltration.NumberOfFilesAnomaly) | Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exfiltration | Medium |
+| **Unusual application accessed a storage account**<br>(Storage.Blob_ApplicationAnomaly<br>Storage.Files_ApplicationAnomaly) | Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application.<br>Applies to: Azure Blob Storage, Azure Files | Exploitation | Medium |
+| **Unusual change of access permissions in a storage account**<br>(Storage.Blob_PermissionsChangeAnomaly<br>Storage.Files_PermissionsChangeAnomaly) | Indicates that the access permissions of this storage container have been changed in an unusual way. A potential cause is that an attacker has changed container permissions to weaken its security posture or to gain persistence.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Persistence | Medium |
+| **Unusual data exploration in a storage account**<br>(Storage.Blob_DataExplorationAnomaly<br>Storage.Files_DataExplorationAnomaly) | Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.<br>Applies to: Azure Blob Storage, Azure Files | Collection | Medium |
+| **Unusual deletion in a storage account**<br>(Storage.Blob_DeletionAnomaly<br>Storage.Files_DeletionAnomaly) | Indicates that one or more unexpected delete operations has occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exfiltration | Medium |
+| **Unusual upload of .cspkg to a storage account**<br>(Storage.Blob_CspkgUploadAnomaly) | Indicates that an Azure Cloud Services package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service.<br>Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2 | Lateral Movement / Execution | Medium |
+| **Unusual upload of .exe to a storage account**<br>(Storage.Blob_ExeUploadAnomaly<br>Storage.Files_ExeUploadAnomaly) | Indicates that an .exe file has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has uploaded a malicious executable file to your storage account, or that a legitimate user has uploaded an executable file.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Lateral Movement / Execution | Medium |
+| | | | |
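Review bot: the new table's delimiter row `||-|:--:|-|` has an empty first cell, so the first column carries no dashes and the table will not render as a table in GitHub-flavored Markdown; use `|-|-|:--:|-|` (the Key Vault table further down already uses the `|-|--|:-:|-|` shape). Within the added rows the formatting is also inconsistent: the PREVIEW prefix uses an en dash (shown here as `ΓÇô`) in the suspicious-IP and phishing rows but a plain hyphen in the anonymous-scan, malware-distribution and open-ACL rows, and the tactic separator alternates between ` / ` (`Probing / Exploitation`, `Lateral Movement / Execution`) and `, ` (`PreAttack, Collection`, `Lateral Movement, Execution`); pick one form for each. The anonymous-scan row lists a severity of `Medium / High` without saying what decides it, whereas the Tor exit-node row explains that its severity depends on the authentication type and whether the access is a first occurrence; a similar sentence would help triage. Minor: in the malware-distribution row, `an infected file(s) is stored` reads awkwardly; `one or more infected files are stored` would do.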
## <a name="alerts-azurecosmos"></a>Alerts for Azure Cosmos DB (Preview)
Azure Defender alerts for container hosts aren't limited to the alerts below. Ma
| Alert (alert type) | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity | |-|--|:-:|-|
-| **Access from a TOR exit node to a key vault**<br>KV_TORAccess | A key vault has been accessed from a known TOR exit node. This could be an indication that a threat actor has accessed the key vault and is using the TOR network to hide their source location. We recommend further investigations. | CredentialAccess | Medium |
-| **High volume of operations in a key vault**<br>KV_OperationVolumeAnomaly | An anomalous number of key vault operations were performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations. | CredentialAccess | Medium |
-| **Suspicious policy change and secret query in a key vault**<br>KV_PutGetAnomaly | A user or service principal has performed an anomalous Vault Put policy change operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal. This may be legitimate activity, but it could be an indication that a threat actor has updated the key vault policy to access previously inaccessible secrets. We recommend further investigations. | CredentialAccess | Medium |
-| **Suspicious secret listing and query in a key vault**<br>KV_ListGetAnomaly | A user or service principal has performed an anomalous Secret List operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal and is typically associated with secret dumping. This may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault and is trying to discover secrets that can be used to move laterally through your network and/or gain access to sensitive resources. We recommend further investigations. | CredentialAccess | Medium |
-| **Unusual application accessed a key vault**<br>KV_AppAnomaly | A key vault has been accessed by a service principal that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | CredentialAccess | Medium |
-| **Unusual operation pattern in a key vault**<br>KV_OperationPatternAnomaly | An anomalous pattern of key vault operations was performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations. | CredentialAccess | Medium |
-| **Unusual user accessed a key vault**<br>KV_UserAnomaly | A key vault has been accessed by a user that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | CredentialAccess | Medium |
-| **Unusual user-application pair accessed a key vault**<br>KV_UserAppAnomaly | A key vault has been accessed by a user-service principal pair that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | CredentialAccess | Medium |
-| **User accessed high volume of key vaults**<br>KV_AccountVolumeAnomaly | A user or service principal has accessed an anomalously high volume of key vaults. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to multiple key vaults in an attempt to access the secrets contained within them. We recommend further investigations. | CredentialAccess | Medium |
+| **Access from a TOR exit node to a key vault**<br>KV_TORAccess | A key vault has been accessed from a known TOR exit node. This could be an indication that a threat actor has accessed the key vault and is using the TOR network to hide their source location. We recommend further investigations. | Credential Access | Medium |
+| **High volume of operations in a key vault**<br>KV_OperationVolumeAnomaly | An anomalous number of key vault operations were performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations. | Credential Access | Medium |
+| **Suspicious policy change and secret query in a key vault**<br>KV_PutGetAnomaly | A user or service principal has performed an anomalous Vault Put policy change operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal. This may be legitimate activity, but it could be an indication that a threat actor has updated the key vault policy to access previously inaccessible secrets. We recommend further investigations. | Credential Access | Medium |
+| **Suspicious secret listing and query in a key vault**<br>KV_ListGetAnomaly | A user or service principal has performed an anomalous Secret List operation followed by one or more Secret Get operations. This pattern is not normally performed by the specified user or service principal and is typically associated with secret dumping. This may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault and is trying to discover secrets that can be used to move laterally through your network and/or gain access to sensitive resources. We recommend further investigations. | Credential Access | Medium |
+| **Unusual application accessed a key vault**<br>KV_AppAnomaly | A key vault has been accessed by a service principal that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | Credential Access | Medium |
+| **Unusual operation pattern in a key vault**<br>KV_OperationPatternAnomaly | An anomalous pattern of key vault operations was performed by a user, service principal, and/or a specific key vault. This anomalous activity pattern may be legitimate, but it could be an indication that a threat actor has gained access to the key vault and the secrets contained within it. We recommend further investigations. | Credential Access | Medium |
+| **Unusual user accessed a key vault**<br>KV_UserAnomaly | A key vault has been accessed by a user that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | Credential Access | Medium |
+| **Unusual user-application pair accessed a key vault**<br>KV_UserAppAnomaly | A key vault has been accessed by a user-service principal pair that does not normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | Credential Access | Medium |
+| **User accessed high volume of key vaults**<br>KV_AccountVolumeAnomaly | A user or service principal has accessed an anomalously high volume of key vaults. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to multiple key vaults in an attempt to access the secrets contained within them. We recommend further investigations. | Credential Access | Medium |
| | | | |
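Review bot: the tactic rename here (`CredentialAccess` to `Credential Access`) matches the `LateralMovement` to `Lateral Movement` fix in the storage table above, but two other inconsistencies between the two tables are left in place: the Key Vault rows give the alert type bare after a `<br>` (`KV_TORAccess`, `KV_AppAnomaly`, ...) while every storage row wraps it in parentheses, and the Key Vault rows write `TOR` where the storage table's exit-node row writes `Tor` (the project's own spelling). Since this pass is already touching every row, aligning both would be cheap. Also, the unchanged context directly above this hunk pairs an Azure Cosmos DB heading and a sentence about container hosts with Key Vault rows; worth confirming the hunk landed under the intended section.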
security Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/introduction.md
- Title: Azure Security Benchmark Introduction
-description: Security Benchmark introduction
----- Previously updated : 12/16/2019-----
-# Azure security benchmark introduction
-
-New services and features are released daily in Azure, developers are rapidly publishing new cloud applications built on these services, and attackers are always seeking new ways to exploit misconfigured resources. The cloud moves fast, developers move fast, and attackers are always on the move. How do you keep up and make sure that your cloud deployments are secure? How are security practices for cloud systems different from on-premises systems? How do you monitor for consistency across many independent development teams?
-
-Microsoft has found that using *security benchmarks* can help you quickly secure cloud deployments. Benchmark recommendations from your cloud service provider give you a starting point for selecting specific security configuration settings in your environment and allow you to quickly reduce risk to your organization.
-
-The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:
--- **Security controls**: These recommendations are generally applicable across your Azure tenant and Azure services. Each recommendation identifies a list of stakeholders that are typically involved in planning, approval, or implementation of the benchmark. -- **Service baselines**: These apply the controls to individual Azure services to provide recommendations on that serviceΓÇÖs security configuration.-
-## Implement the Azure Security Benchmark
-- **Plan** your Azure Security Benchmark implementation by reviewing the [documentation](overview.md) for the enterprise controls and service-specific baselines to plan your control framework and how it maps to guidance like CIS (Controls v7.1) and NIST (SP 800-53) framework.-- **Monitor** your compliance with Azure Security Benchmark status (and other control sets) using the Azure Security Center [regulatory compliance dashboard](../../security-center/security-center-compliance-dashboard.md).-- **Establish guardrails** to automate secure configurations and enforce compliance with Azure Security Benchmark (and other requirements in your organization) with Azure Blueprints and Azure Policy.
-
-Note that the Azure Security Benchmark v2 is aligned with [Microsoft Security Best Practices](/security/compass/microsoft-security-compass-introduction) (formerly Azure Security Compass) so that the Azure Security Benchmark provides a single consolidated view of MicrosoftΓÇÖs Azure security recommendations.
-
-## Common Use Cases
-
-Azure Security Benchmark is frequently used to address these common challenges for customers or service partners who are:
-- New to Azure and are looking for security best practices to ensure a secure deployment.-- Improving security posture of existing Azure deployments to prioritize top risks and mitigations.-- Approving Azure services for use by technology and business use to meet specific security guidelines.-- Meeting regulatory requirements for customers who are from government or highly-regulated industries like finance and healthcare (or service vendors who need to build systems for these customers). These customers need to ensure their configuration of Azure meets the security capabilities specified in an industry framework such as CIS, NIST, or PCI. Azure Security Benchmark provides an efficient approach with the controls already pre-mapped to these industry benchmarks.-
-## Terminology
-
-The terms "control", "benchmark", and "baseline" are used often in the Azure Security Benchmark documentation and it's important to understand how Azure uses those terms.
--
-| Term | Description | Example |
-|--|--|--|
-| Control | A control is a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation. | Data Protection is one of the security controls. This control contains specific actions that must be addressed to help ensure data is protected. |
-| Benchmark | A benchmark contains security recommendations for a specific technology, such as Azure. The recommendations are categorized by the control to which they belong. | The Azure Security Benchmark comprises the security recommendations specific to the Azure platform |
-| Baseline | A baseline is the implementation of the benchmark on the individual Azure service. Each organization decides benchmark recommendation and corresponding configurations are needed in the Azure implementation scope. | The Contoso company looks to enabling Azure SQL security features by following the configuration recommended in Azure SQL security baseline.
-
-We welcome your feedback on the Azure Security Benchmark! We encourage you to provide comments in the feedback area below. If you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at https://aka.ms/AzSecBenchmark
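Review bot: this hunk deletes introduction.md outright without anything in the change showing where readers are sent instead; the page is a link target elsewhere in the docs set (the Next Steps list of overview-v1.md in this same change links to `introduction.md`, and the benchmark pages cross-link each other), so the deletion needs a matching redirect entry or those links and existing bookmarks will break. If the content is being relocated rather than retired, two defects should travel with it: the Baseline row of the Terminology table is missing its closing `|`, and its description, `Each organization decides benchmark recommendation and corresponding configurations are needed`, is missing a word (`decides which benchmark recommendations and corresponding configurations are needed`).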
security Overview V1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/overview-v1.md
- Title: Overview of the Azure Security Benchmark V1
-description: Azure Security Benchmark V1 overview
----- Previously updated : 09/11/2020-----
-# Overview of the Azure Security Benchmark (v1)
-
-> [!NOTE]
-> The most up-to-date Azure Security Benchmark is available [here](overview.md).
-
-The Azure Security Benchmark contains recommendations that help you improve the security of your applications and data on Azure.
-
-This benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1.
-
-The following controls are used in the Azure Security Benchmark:
--- [Network security](security-control-network-security.md)-- [Logging and monitoring](security-control-logging-monitoring.md)-- [Identity and access control](security-control-identity-access-control.md)-- [Data protection](security-control-data-protection.md)-- [Vulnerability management](security-control-vulnerability-management.md)-- [Inventory and asset management](security-control-inventory-asset-management.md)-- [Secure configuration](security-control-secure-configuration.md)-- [Malware defense](security-control-malware-defense.md)-- [Data recovery](security-control-data-recovery.md)-- [Incident response](security-control-incident-response.md)-- [Penetration tests and red team exercises](security-control-penetration-tests-red-team-exercises.md)-
-You can also download the [Azure Security Benchmark v1 excel spreadsheet](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/spreadsheets).
-
-## Azure Security Benchmark Recommendations
-
-Each recommendation includes the following information:
--- **Azure ID**: The Azure Security Benchmark ID that corresponds to the recommendation. -- **CIS ID(s)**: The CIS Benchmark recommendation(s) that correspond to this recommendation. -- **Responsibility**: Whether the customer or the service-provider (or both) is (are) responsible for implementing this recommendation. Security responsibilities are shared in the public cloud. Some security controls are only available to the cloud service provider and therefore the provider is responsible for addressing those. These are general observations ΓÇô for some individual services, the responsibility will be different than what is listed in the Azure Security Benchmark. Those differences are described in the baseline recommendations for the individual service. -- **Details**: The rationale for the recommendation and links to guidance on how to implement it. If the recommendation is supported by Azure Security Center, that information will also be listed.-
-We welcome your detailed feedback and active participation in the Azure Security Benchmark effort. if you would like to provide the Azure Security Benchmark team direct input, please fill out the form at [https://aka.ms/AzSecBenchmark](https://aka.ms/AzSecBenchmark).
-
-## Next Steps
--- See the first security control: [network security](security-control-network-security.md)-- Read the [Azure Security Benchmark introduction](introduction.md)-- Download the [Azure Security Benchmark v1 excel spreadsheet](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/spreadsheets)
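Review bot: the NOTE callout at the top of this removed page tells readers the current benchmark is at `overview.md`, and that file is deleted in the hunk that follows, so whatever redirect is added for the v1 page must not point at the old overview path; the same applies to its Next Steps link to `introduction.md`, also removed above. The spreadsheet link to github.com/MicrosoftDocs/SecurityBenchmarks is external and unaffected, but if the content is relocated it should be preserved, together with two small fixes: `if you would like to provide` in the feedback paragraph starts a sentence in lower case, and `excel spreadsheet` should read `Excel spreadsheet`.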
security Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/overview.md
- Title: Overview of the Azure Security Benchmark V2
-description: Azure Security Benchmark V2 overview
----- Previously updated : 09/11/2020-----
-# Overview of the Azure Security Benchmark (V2)
-
-The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.
-
-This benchmark is part of a set of holistic security guidance that also includes:
--- **Cloud Adoption Framework** ΓÇô Guidance on security, including [strategy](/azure/cloud-adoption-framework/strategy/define-security-strategy), [roles and responsibilities](/azure/cloud-adoption-framework/organize/cloud-security), [Azure Top 10 Security Best Practices](/azure/cloud-adoption-framework/get-started/security#step-1-establish-essential-security-practices), and [reference implementation](/azure/cloud-adoption-framework/ready/enterprise-scale/).-- **Azure Well-Architected Framework** ΓÇô Guidance on [securing your workloads](/assessments/?mode=pre-assessment&session=local) on Azure.-- **Microsoft Security Best Practices** ΓÇô [recommendations](/security/compass/microsoft-security-compass-introduction) with examples on Azure.-
- The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1 and National Institute of Standards and Technology (NIST) SP 800-53.
-The following controls are included in the Azure Security Benchmark:
-
-| ASB Control Domains | Description
-|--|--|
-| [Network&nbsp;security&nbsp;(NS)](security-controls-v2-network-security.md) | Network Security covers controls to secure and protect Azure networks, including securing virtual networks, establishing private connections, preventing and mitigating external attacks, and securing DNS. |
-| [Identity&nbsp;Management&nbsp;(IM)](security-controls-v2-identity-management.md) | Identity Management covers controls to establish a secure identity and access controls using Azure Active Directory, including the use of single sign-on, strong authentications, managed identities (and service principles) for applications, conditional access, and account anomalies monitoring. |
-| [Privileged&nbsp;Access&nbsp;(PA)](security-controls-v2-privileged-access.md) | Privileged Access covers controls to protect privileged access to your Azure tenant and resources, including a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk. |
-| [Data&nbsp;Protection&nbsp;(DP)](security-controls-v2-data-protection.md) | Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms, including discover, classify, protect, and monitor sensitive data assets using access control, encryption, and logging in Azure. |
-| [Asset&nbsp;Management&nbsp;(AM)](security-controls-v2-asset-management.md) | Asset Management covers controls to ensure security visibility and governance over Azure resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct). |
-| [Logging&nbsp;and&nbsp;Threat&nbsp;Detection (LT)](security-controls-v2-logging-threat-detection.md) | Logging and Threat Detection covers controls for detecting threats on Azure and enabling, collecting, and storing audit logs for Azure services, including enabling detection, investigation, and remediation processes with controls to generate high-quality alerts with native threat detection in Azure services; it also includes collecting logs with Azure Monitor, centralizing security analysis with Azure Sentinel, time synchronization, and log retention. |
-| [Incident&nbsp;Response&nbsp;(IR)](security-controls-v2-incident-response.md) | Incident Response covers controls in incident response life cycle - preparation, detection and analysis, containment, and post-incident activities, including using Azure services such as Azure Security Center and Sentinel to automate the incident response process. |
-| [Posture&nbsp;and&nbsp;Vulnerability&nbsp;Management&nbsp;(PV)](security-controls-v2-posture-vulnerability-management.md) | Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in Azure resources. |
-| [Endpoint&nbsp;Security&nbsp;(ES)](security-controls-v2-endpoint-security.md) | Endpoint Security covers controls in endpoint detection and response, including use of endpoint detection and response (EDR) and anti-malware service for endpoints in Azure environments. |
-| [Backup&nbsp;and&nbsp;Recovery&nbsp;(BR)](security-controls-v2-backup-recovery.md) | Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected. |
-| [Governance&nbsp;and&nbsp;Strategy&nbsp;(GS)](security-controls-v2-governance-strategy.md) | Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards. |
-
-## Azure Security Benchmark Recommendations
-
-Each recommendation includes the following information:
--- **Azure ID**: The Azure Security Benchmark ID that corresponds to the recommendation.-- **CIS Controls v7.1 ID(s)**: The CIS Controls v7.1 control(s) that correspond to this recommendation.-- **NIST SP 800-53 r4 ID(s)**: The NIST SP 800-53 r4 (moderate) control(s) that correspond to this recommendation.-- **Details**: The rationale for the recommendation and links to guidance on how to implement it. If the recommendation is supported by Azure Security Center, that information will also be listed.-- **Responsibility**: Whether the customer, the service-provider, or both are responsible for implementing this recommendation. Security responsibilities are shared in the public cloud. Some security controls are only available to the cloud service provider and therefore the provider is responsible for addressing those. These are general observations ΓÇô for some individual services, the responsibility will be different from what is listed in the Azure Security Benchmark. Those differences are described in the baseline recommendations for the individual service.-- **Customer Security Stakeholders**: [The security functions](/azure/cloud-adoption-framework/organize/cloud-security#security-functions) at the customer organization who may be accountable, responsible, or consulted for the respective control. It may be different from organization to organization depending on your companyΓÇÖs security organization structure, and the roles and responsibilities you set up related to Azure security.-
-> [!NOTE]
-> The control mappings between ASB and industry benchmarks (such as NIST and CIS) only indicate that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST or CIS. You should be aware that such implementation does not necessarily translate to the full compliance of the corresponding control in CIS or NIST.
-
-We welcome your detailed feedback and active participation in the Azure Security Benchmark effort. If you would like to provide the Azure Security Benchmark team direct input, fill out the form at https://aka.ms/AzSecBenchmark
-
-## Download
-
-You can download the Azure Security Benchmark in [spreadsheet format](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Security%20Benchmark).
-
-## Next steps
-- See the first security control: [Network security](security-control-network-security.md)-- Read the [Azure Security Benchmark introduction](introduction.md)-- Learn the [Azure Security Fundamentals](../fundamentals/index.yml)
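Review bot: the Next steps entry "See the first security control" links to security-control-network-security.md (the V1 control page) while the control-domain table in the same file links to security-controls-v2-network-security.md; a V2 overview should point at the V2 control page. Two smaller points in the same file: the table header line `| ASB Control Domains | Description` is missing its trailing pipe, and the feedback URL https://aka.ms/AzSecBenchmark is left bare, without the markdown link wrapper and the terminating period that the V1 text used.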
security Security Baselines Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-baselines-overview.md
- Title: Azure Security Benchmark overview
-description: Security Benchmark overview
----- Previously updated : 12/16/2019-----
-# Security baselines for Azure
-
-Security baselines for Azure help you strengthen security through improved tooling, tracking, and security features. They also provide you a consistent experience when securing your environment.
-
-Security baselines for Azure focus on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS). Our baselines provide guidance for the control areas listed in the [Azure Security Benchmark](overview.md).
-
-Each recommendation includes the following information:
--- **Azure ID**: The Azure Security Benchmark ID that corresponds to the recommendation.-- **Recommendation**: Following directly after the Azure ID, the recommendation provides a high-level description of the control.-- **Guidance**: The rationale for the recommendation and links to guidance on how to implement it. If the recommendation is supported by Azure Security Center, that information will also be listed.-- **Responsibility**: Who is responsible for implementing the control. Possible scenarios are customer responsibility, Microsoft responsibility, or shared responsibility.-- **Azure Security Center monitoring**: Whether the control is monitored by Azure Security Center, with link to reference.-
-All recommendations, including recommendations that are not applicable to this specific service, are included in the baseline to provide you a complete picture of how the Azure Security Benchmark relates to each service. There may occasionally be controls that are not applicable for various reasonsΓÇöfor example, IaaS/compute-centric controls (such as controls specific to OS configuration management) may not be applicable to PaaS services.
--
-We welcome your feedback on the security baselines for Azure services. We encourage you to provide comments in the feedback area below. Or, if you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at https://aka.ms/AzSecBenchmark.
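Review bot: the front-matter title "Azure Security Benchmark overview" and description "Security Benchmark overview" do not match the page heading "Security baselines for Azure", which makes this page indistinguishable from overview.md in search results and the TOC; set the title and description to the H1 wording. Also, the Responsibility bullet lists "customer responsibility, Microsoft responsibility, or shared responsibility" while the control pages use the values "Customer" and "Shared" in their tables; aligning the terms would avoid confusion.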
security Security Control Data Protection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-data-protection.md
- Title: Azure Security Control - Data Protection
-description: Azure Security Control Data Protection
--- Previously updated : 04/14/2020-----
-# Security Control: Data Protection
-
-Data protection recommendations focus on addressing issues related to encryption, access control lists, identity-based access control, and audit logging for data access.
-
-## 4.1: Maintain an inventory of sensitive Information
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.1 | 13.1 | Customer |
-
-Use Tags to assist in tracking Azure resources that store or process sensitive information.
--- [How to create and use Tags](../../azure-resource-manager/management/tag-resources.md)-
-## 4.2: Isolate systems storing or processing sensitive information
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.2 | 13.2, 2.10 | Customer |
-
-Implement isolation using separate subscriptions and management groups for individual security domains such as environment type and data sensitivity level. You can restrict the level of access to your Azure resources that your applications and enterprise environments demand. You can control access to Azure resources via Azure role-based access control (Azure RBAC).
--- [How to create additional Azure subscriptions](../../cost-management-billing/manage/create-subscription.md)--- [How to create Management Groups](../../governance/management-groups/create-management-group-portal.md)--- [How to create and use tags](../../azure-resource-manager/management/tag-resources.md)-
-## 4.3: Monitor and block unauthorized transfer of sensitive information
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.3 | 13.3 | Shared |
-
-Leverage a third-party solution from Azure Marketplace on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
-
-For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
--- [Understand customer data protection in Azure](../fundamentals/protection-customer-data.md)-
-## 4.4: Encrypt all sensitive information in transit
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.4 | 14.4 | Shared |
-
-Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.
-
-Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
--- [Understand encryption in transit with Azure](../fundamentals/encryption-overview.md#encryption-of-data-in-transit)-
-## 4.5: Use an active discovery tool to identify sensitive data
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.5 | 14.5 | Shared |
-
-When no feature is available for your specific service in Azure, use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site, or at a remote service provider, and update the organization's sensitive information inventory.
-
-Use Azure Information Protection for identifying sensitive information within Microsoft 365 documents.
-
-Use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Database.
--- [How to implement Azure SQL Data Discovery](../../azure-sql/database/data-discovery-and-classification-overview.md)--- [How to implement Azure Information Protection](/azure/information-protection/deployment-roadmap)--- [Understand customer data protection in Azure](../fundamentals/protection-customer-data.md)-
-## 4.6: Use Azure RBAC to control access to resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.6 | 14.6 | Customer |
-
-Use Azure role-based access control (Azure RBAC) to control access to data and resources, otherwise use service specific access control methods.
--- [How to configure Azure RBAC](../../role-based-access-control/role-assignments-portal.md)-
-## 4.7: Use host-based data loss prevention to enforce access control
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.7 | 14.7 | Shared |
-
-If required for compliance on compute resources, implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls to data even when data is copied off a system.
-
-For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
--- [Understand customer data protection in Azure](../fundamentals/protection-customer-data.md)-
-## 4.8: Encrypt sensitive information at rest
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.8 | 14.8 | Customer |
-
-Use encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances.
--- [Understand encryption at rest in Azure](../fundamentals/encryption-atrest.md)--- [How to configure customer managed encryption keys](../../storage/common/customer-managed-keys-configure-key-vault.md)-
-## 4.9: Log and alert on changes to critical Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 4.9 | 14.9 | Customer |
-
-Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to critical Azure resources.
--- [How to create alerts for Azure Activity Log events](../../azure-monitor/alerts/alerts-activity-log.md)--
-## Next steps
--- See the next Security Control: [Vulnerability Management](security-control-vulnerability-management.md)
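Review bot: under 4.3, "Microsoft treats all customer content as sensitive and guard against customer data loss" has a subject-verb mismatch ("guards"); the parallel sentence under 4.7 reads correctly and could simply be reused. Also under 4.4 (encryption in transit), "Follow Azure Security Center recommendations for encryption at rest and encryption in transit" pulls the at-rest guidance that belongs to 4.8 into the in-transit control; trim it to in-transit here.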
security Security Control Data Recovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-data-recovery.md
- Title: Azure Security Control - Data Recovery
-description: Azure Security Control Data Recovery
--- Previously updated : 04/14/2020-----
-# Security Control: Data Recovery
-
-Ensure that all system data, configurations, and secrets are automatically backed up on a regular basis.
-
-## 9.1: Ensure regular automated back ups
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 9.1 | 10.1 | Customer |
-
-Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period.
--- [How to enable Azure Backup](../../backup/index.yml)-
-## 9.2: Perform complete system backups and backup any customer managed keys
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 9.2 | 10.2 | Customer |
-
-Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Backup customer managed keys within Azure Key Vault.
--- [How to enable Azure Backup](../../backup/index.yml)--- [How to backup key vault keys in Azure](/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey)-
-## 9.3: Validate all backups including customer managed keys
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 9.3 | 10.3 | Customer |
-
-Ensure ability to periodically perform data restoration of content within Azure Backup. Test restoration of backed up customer managed keys.
--- [How to recover files from Azure Virtual Machine backup](../../backup/backup-azure-restore-files-from-vm.md)--- [How to restore key vault keys in Azure](/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey)-
-## 9.4: Ensure protection of backups and customer managed keys
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 9.4 | 10.4 | Customer |
-
-For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). Use Azure role-based access control to protect backups and customer managed keys.
-
-Enable Soft-Delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store backups, enable soft delete to save and recover your data when blobs or blob snapshots are deleted.
--- [Understand Azure RBAC](../../role-based-access-control/overview.md)--- [How to enable Soft-Delete and Purge protection in Key Vault](../../storage/blobs/soft-delete-blob-overview.md?tabs=azure-portal)--- [Soft delete for Azure Storage blobs](../../storage/blobs/soft-delete-blob-overview.md?tabs=azure-portal)--
-## Next steps
--- See the next Security Control: [Incident Response](security-control-incident-response.md)
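Review bot: under 9.4, the link labelled "How to enable Soft-Delete and Purge protection in Key Vault" points to ../../storage/blobs/soft-delete-blob-overview.md, which is the Blob Storage soft-delete page and identical to the very next bullet; it should target the Key Vault soft-delete and purge-protection article. Also, 9.2 and 9.3 link to the azurerm.keyvault PowerShell module (backup-azurekeyvaultkey / restore-azurekeyvaultkey); AzureRM is deprecated in favour of the Az modules, so the Az.KeyVault equivalents should be referenced instead.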
security Security Control Identity Access Control https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-identity-access-control.md
- Title: Azure Security Control - Identity and Access Control
-description: Azure Security Control Identity and Access Control
--- Previously updated : 04/14/2020-----
-# Security Control: Identity and Access Control
-
-Identity and access management recommendations focus on addressing issues related to identity-based access control, locking down administrative access, alerting on identity-related events, abnormal account behavior, and role-based access control.
-
-## 3.1: Maintain an inventory of administrative accounts
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.1 | 4.1 | Customer |
-
-Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.
--- [How to get a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrole)--- [How to get members of a directory role in Azure AD with PowerShell](/powershell/module/azuread/get-azureaddirectoryrolemember)-
-## 3.2: Change default passwords where applicable
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.2 | 4.2 | Customer |
-
-Azure AD does not have the concept of default passwords. Other Azure resources requiring a password forces a password to be created with complexity requirements and a minimum password length, which differs depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.
-
-## 3.3: Use dedicated administrative accounts
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.3 | 4.3 | Customer |
-
-Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.
-
-You can also enable a Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.
--- [Learn more about Privileged Identity Management](../../active-directory/privileged-identity-management/index.yml)-
-## 3.4: Use single sign-on (SSO) with Azure Active Directory
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.4 | 4.4 | Customer |
-
-Wherever possible, use Azure Active Directory SSO instead than configuring individual stand-alone credentials per-service. Use Azure Security Center Identity and Access Management recommendations.
--- [Understand SSO with Azure AD](../../active-directory/manage-apps/what-is-single-sign-on.md)-
-## 3.5: Use multi-factor authentication for all Azure Active Directory based access
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.5 | 4.5, 11.5, 12.11, 16.3 | Customer |
-
-Enable Azure AD MFA and follow Azure Security Center Identity and Access Management recommendations.
--- [How to enable MFA in Azure](../../active-directory/authentication/howto-mfa-getstarted.md)--- [How to monitor identity and access within Azure Security Center](../../security-center/security-center-identity-access.md)-
-## 3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.6 | 4.6, 11.6, 12.12 | Customer |
-
-Use PAWs (privileged access workstations) with MFA configured to log into and configure Azure resources.
--- [Learn about Privileged Access Workstations](https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/)--- [How to enable MFA in Azure](../../active-directory/authentication/howto-mfa-getstarted.md)-
-## 3.7: Log and alert on suspicious activities from administrative accounts
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.7 | 4.8, 4.9 | Customer |
-
-Use Azure Active Directory security reports for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.
--- [How to identify Azure AD users flagged for risky activity](../../active-directory/identity-protection/overview-identity-protection.md)--- [How to monitor users' identity and access activity in Azure Security Center](../../security-center/security-center-identity-access.md)-
-## 3.8: Manage Azure resources from only approved locations
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.8 | 11.7 | Customer |
-
-Use Conditional Access Named Locations to allow access from only specific logical groupings of IP address ranges or countries/regions.
--- [How to configure Named Locations in Azure](../../active-directory/reports-monitoring/quickstart-configure-named-locations.md)-
-## 3.9: Use Azure Active Directory
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.9 | 16.1, 16.2, 16.4, 16.5, 16.6 | Customer |
-
-Use Azure Active Directory as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.
--- [How to create and configure an Azure AD instance](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md)-
-## 3.10: Regularly review and reconcile user access
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.10 | 16.9, 16.10 | Customer |
-
-Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access.
--- [Understand Azure AD reporting](../../active-directory/reports-monitoring/index.yml)--- [How to use Azure Identity Access Reviews](../../active-directory/governance/access-reviews-overview.md)-
-## 3.11: Monitor attempts to access deactivated credentials
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.11 | 16.12 | Customer |
-
-You have access to Azure AD Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any SIEM/Monitoring tool.
-
-You can streamline this process by creating Diagnostic Settings for Azure Active Directory user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure desired Alerts within Log Analytics Workspace.
--- [How to integrate Azure Activity Logs into Azure Monitor](../../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)-
-## 3.12: Alert on account login behavior deviation
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.12 | 16.13 | Customer |
-
-Use Azure AD Risk and Identity Protection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Azure Sentinel for further investigation.
--- [How to view Azure AD risky sign-ins](../../active-directory/identity-protection/overview-identity-protection.md)--- [How to configure and enable Identity Protection risk policies](../../active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md)--- [How to onboard Azure Sentinel](../../sentinel/quickstart-onboard.md)-
-## 3.13: Provide Microsoft with access to relevant customer data during support scenarios
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 3.13 | 16 | Customer |
-
-In support scenarios where Microsoft needs to access customer data, Customer Lockbox provides an interface for you to review, and approve or reject customer data access requests.
--- [Understand Customer Lockbox](../fundamentals/customer-lockbox-overview.md)--
-## Next steps
--- See the next Security Control: [Data Protection](security-control-data-protection.md)
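Review bot: under 3.4, "instead than configuring" should be "rather than configuring", and under 3.2, "Other Azure resources requiring a password forces a password" should read "force". Under 3.6, the "Learn about Privileged Access Workstations" reference goes to an external third-party site (4sysops.com) rather than Microsoft's own privileged access workstation documentation, which is unusual for a benchmark citation and should be swapped for the first-party article. Under 3.11, the link labelled "How to integrate Azure Activity Logs into Azure Monitor" actually points to the Azure AD activity-logs-with-log-analytics article, so the label should say "Azure AD activity logs" to match the target and the surrounding text about sign-in and audit logs.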
security Security Control Incident Response https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-incident-response.md
- Title: Azure Security Control - Incident Response
-description: Azure Security Control Incident Response
--- Previously updated : 04/14/2020-----
-# Security Control: Incident Response
-
-Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
-
-## 10.1: Create an incident response guide
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 10.1 | 19.1, 19.2, 19.3 | Customer |
-
-Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.
--- [Guidance on building your own security incident response process](https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process/)--- [Microsoft Security Response Center's Anatomy of an Incident](https://msrc-blog.microsoft.com/2019/06/27/inside-the-msrc-anatomy-of-a-ssirp-incident/)--- [Leverage NIST's Computer Security Incident Handling Guide to aid in the creation of your own incident response plan](https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final)-
-## 10.2: Create an incident scoring and prioritization procedure
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 10.2 | 19.8 | Customer |
-
-Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.
-
-Additionally, clearly mark subscriptions (for ex. production, non-prod) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
--- [Security alerts in Azure Security Center](../../security-center/security-center-alerts-overview.md)--- [Use tags to organize your Azure resources](../../azure-resource-manager/management/tag-resources.md)-
-## 10.3: Test security response procedures
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 10.3 | 19 | Customer |
-
-Conduct exercises to test your systemsΓÇÖ incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise plan as needed.
--- [NIST's publication - Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities](https://csrc.nist.gov/publications/detail/sp/800-84/final)-
-## 10.4: Provide security incident contact details and configure alert notifications for security incidents
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 10.4 | 19.5 | Customer |
-
-Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.
--- [How to set the Azure Security Center Security Contact](../../security-center/security-center-provide-security-contact-details.md)-
-## 10.5: Incorporate security alerts into your incident response system
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 10.5 | 19.6 | Customer |
-
-Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
--- [How to configure continuous export](../../security-center/continuous-export.md)--- [How to stream alerts into Azure Sentinel](../../sentinel/connect-azure-security-center.md)-
-## 10.6: Automate the response to security alerts
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 10.6 | 19 | Customer |
-
-Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations to protect your Azure resources.
--- [How to configure Workflow Automation and Logic Apps](../../security-center/workflow-automation.md)--
-## Next steps
--- See the next Security Control: [Penetration Tests and Red Team Exercises](security-control-penetration-tests-red-team-exercises.md)
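Review bot: under 10.3, "revise plan as needed" is missing an article ("revise the plan"), and under 10.2, "(for ex. production, non-prod)" should be spelled out as "(for example, production and non-production)". Also, 10.3 and 10.6 cite the CIS ID as the whole control "19" while the other recommendations in this file cite specific sub-controls (19.1, 19.5, 19.6, 19.8); if no sub-control applies, a brief note to that effect would prevent readers from reading "19" as a typo.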
security Security Control Inventory Asset Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-inventory-asset-management.md
- Title: Azure Security Control - Inventory and Asset Management
-description: Azure Security Control Inventory and Asset Management
--- Previously updated : 04/14/2020-----
-# Security Control: Inventory and Asset Management
-
-Inventory and Asset Management recommendations focus on addressing issues related to actively managing (inventory, track, and correct) all Azure resources so that only authorized resources are given access, and unauthorized and unmanaged resources are identified and removed.
-
-## 6.1: Use automated Asset Discovery solution
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.1 | 1.1, 1.2, 1.3, 1.4, 9.1, 12.1 | Customer |
-
-Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols etc.) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.
-
-Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.
--- [How to create queries with Azure Resource Graph](../../governance/resource-graph/first-query-portal.md)--- [How to view your Azure Subscriptions](/powershell/module/az.accounts/get-azsubscription)--- [Understand Azure RBAC](../../role-based-access-control/overview.md)-
-## 6.2: Maintain asset metadata
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.2 | 1.5 | Customer |
-
-Apply tags to Azure resources giving metadata to logically organize them into a taxonomy.
--- [How to create and use Tags](../../azure-resource-manager/management/tag-resources.md)-
-## 6.3: Delete unauthorized Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.3 | 1.6 | Customer |
-
-Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.
--- [How to create additional Azure subscriptions](../../cost-management-billing/manage/create-subscription.md)--- [How to create Management Groups](../../governance/management-groups/create-management-group-portal.md)--- [How to create and use Tags](../../azure-resource-manager/management/tag-resources.md)-
-## 6.4: Define and Maintain an inventory of approved Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.4 | 2.1 | Customer |
-
-Create an inventory of approved Azure resources and approved software for compute resources as per our organizational needs.
-
-## 6.5: Monitor for unapproved Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.5 | 2.3, 2.4 | Customer |
-
-Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).
-
-Use Azure Resource Graph to query/discover resources within their subscription(s). Ensure that all Azure resources present in the environment are approved.
--- [How to configure and manage Azure Policy](../../governance/policy/tutorials/create-and-manage.md)--- [How to create queries with Azure Graph](../../governance/resource-graph/first-query-portal.md)-
-## 6.6: Monitor for unapproved software applications within compute resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.6 | 2.3, 2.4 | Customer |
-
-Use Azure virtual machine Inventory to automate the collection of information about all software on Virtual Machines. Software Name, Version, Publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.
--- [How to enable Azure virtual machine Inventory](../../automation/automation-tutorial-installed-software.md)-
-## 6.7: Remove unapproved Azure resources and software applications
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.7 | 2.5 | Customer |
-
-Use Azure Security Center's File Integrity Monitoring (Change Tracking) and virtual machine inventory to identify all software installed on Virtual Machines. You can implement your own process for removing unauthorized software. You can also use a third party solution to identify unapproved software.
--- [How to use File Integrity Monitoring](../../security-center/security-center-file-integrity-monitoring.md)--- [Understand Azure Change Tracking](../../automation/change-tracking/overview.md)--- [How to enable Azure virtual machine inventory](../../automation/automation-tutorial-installed-software.md)-
-## 6.8: Use only approved applications
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.8 | 2.6 | Customer |
-
-Use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
--- [How to use Azure Security Center Adaptive Application Controls](../../security-center/security-center-adaptive-application.md)-
-## 6.9: Use only approved Azure services
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.9 | 2.6 | Customer |
-
-Use Azure Policy to restrict which services you can provision in your environment.
--- [How to configure and manage Azure Policy](../../governance/policy/tutorials/create-and-manage.md)--- [How to deny a specific resource type with Azure Policy](../../governance/policy/samples/index.md)-
-## 6.10: Maintain an inventory of approved software titles
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.10 | 2.7 | Customer |
-
-Use Azure Security Center Adaptive Application Controls to specify which file types a rule may or may not apply to.
-
-Implement third party solution if this does not meet the requirement.
--- [How to use Azure Security Center Adaptive Application Controls](../../security-center/security-center-adaptive-application.md)-
-## 6.11: Limit users' ability to interact with Azure Resource Manager
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.11 | 2.9 | Customer |
-
-Use Azure Conditional Access to limit users' ability to interact with Azure Resources Manager by configuring "Block access" for the "Microsoft Azure Management" App.
--- [How to configure Conditional Access to block access to Azure Resources Manager](../../role-based-access-control/conditional-access-azure-management.md)-
-## 6.12: Limit users' ability to execute scripts within compute resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.12 | 2.9 | Customer |
-
-Depending on the type of scripts, you may use operating system specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources. You can also leverage Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
--- [How to control PowerShell script execution in Windows Environments](/powershell/module/microsoft.powershell.security/set-executionpolicy)--- [How to use Azure Security Center Adaptive Application Controls](../../security-center/security-center-adaptive-application.md)-
-## 6.13: Physically or logically segregate high risk applications
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 6.13 | 2.9 | Customer |
-
-Software that is required for business operations, but may incur higher risk for the organization, should be isolated within its own virtual machine and/or virtual network and sufficiently secured with either an Azure Firewall or Network Security Group.
--- [How to create a virtual network](../../virtual-network/quick-create-portal.md)--- [How to create an NSG with a security config](../../virtual-network/tutorial-filter-network-traffic.md)--
-## Next steps
--- See the next Security Control: [Secure Configuration](security-control-secure-configuration.md)
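Review bot: this hunk removes the only mapping on the page of Azure IDs 6.1 through 6.13 to CIS IDs (the `| Azure ID | CIS IDs | Responsibility |` tables), and its "Next steps" link targets security-control-secure-configuration.md, which is also removed in this change; confirm that the replacement content keeps the control-to-CIS mapping and that redirects cover both pages. If any of this content is being moved rather than dropped, two small defects in the removed text are worth fixing at the destination: 6.4 is the one control in the file with no reference link, and the 6.5 link text reads "Azure Graph" where 6.1 correctly says "Azure Resource Graph".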
security Security Control Logging Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-logging-monitoring.md
- Title: Azure Security Control - Logging and Monitoring
-description: Azure Security Control Logging and Monitoring
--- Previously updated : 04/14/2020-----
-# Security Control: Logging and Monitoring
-
-Security logging and monitoring focuses on activities related to enabling, acquiring, and storing audit logs for Azure services.
-
-## 2.1: Use approved time synchronization sources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.1 | 6.1 | Microsoft |
-
-Microsoft maintains time sources for Azure resources, however, you have the option to manage the time synchronization settings for your compute resources.
--- [How to configure time synchronization for Azure Windows compute resources](../../virtual-machines/windows/time-sync.md)--- [How to configure time synchronization for Azure Linux compute resources](../../virtual-machines/linux/time-sync.md)-
-## 2.2: Configure central security log management
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.2 | 6.5, 6.6 | Customer |
-
-Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.
-
-Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.
--- [How to onboard Azure Sentinel](../../sentinel/quickstart-onboard.md)--- [How to collect platform logs and metrics with Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md)--- [How to collect Azure Virtual Machine internal host logs with Azure Monitor](../../azure-monitor/vm/quick-collect-azurevm.md)--- [How to get started with Azure Monitor and third-party SIEM integration](https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/)-
-## 2.3: Enable audit logging for Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.3 | 6.2, 6.3 | Customer |
-
-Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
--- [How to collect platform logs and metrics with Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md)--- [Understand logging and different log types in Azure](../../azure-monitor/essentials/platform-logs-overview.md)-
-## 2.4: Collect security logs from operating systems
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.4 | 6.2, 6.3 | Customer |
-
-If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files.
--- [How to collect Azure Virtual Machine internal host logs with Azure Monitor](../../azure-monitor/vm/quick-collect-azurevm.md)--- [Understand Azure Security Center data collection](../../security-center/security-center-enable-data-collection.md)-
-## 2.5: Configure security log storage retention
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.5 | 6.4 | Customer |
-
-Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.
--- [Change the data retention period in Log Analytics](../../azure-monitor/logs/manage-cost-storage.md#change-the-data-retention-period)--- [How to configure retention policy for Azure Storage account logs](../../storage/common/manage-storage-analytics-logs.md#configure-logging)-
-## 2.6: Monitor and review Logs
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.6 | 6.7 | Customer |
-
-Analyze and monitor logs for anomalous behavior and regularly review results. Use Azure Monitor's Log Analytics Workspace to review logs and perform queries on log data.
-
-Alternatively, you may enable and on-board data to Azure Sentinel or a third party SIEM.
--- [How to onboard Azure Sentinel](../../sentinel/quickstart-onboard.md)--- [Understand Log Analytics Workspace](../../azure-monitor/logs/log-analytics-tutorial.md)--- [How to perform custom queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md)-
-## 2.7: Enable alerts for anomalous activities
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.7 | 6.8 | Customer |
-
-Use Azure Security Center with Log Analytics Workspace for monitoring and alerting on anomalous activity found in security logs and events.
-
-Alternatively, you may enable and on-board data to Azure Sentinel.
--- [How to onboard Azure Sentinel](../../sentinel/quickstart-onboard.md)--- [How to manage alerts in Azure Security Center](../../security-center/security-center-managing-and-responding-alerts.md)--- [How to alert on log analytics log data](../../azure-monitor/alerts/tutorial-response.md)-
-## 2.8: Centralize anti-malware logging
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.8 | 8.6 | Customer |
-
-Enable antimalware event collection for Azure Virtual Machines and Cloud Services.
--- [How to configure Microsoft Antimalware for Virtual Machines](/powershell/module/servicemanagement/azure.service/set-azurevmmicrosoftantimalwareextension)--- [How to configure Microsoft Antimalware for Cloud Services](/powershell/module/servicemanagement/azure.service/set-azureserviceantimalwareextension)--- [Understand Microsoft Antimalware](../fundamentals/antimalware.md)-
-## 2.9: Enable DNS query logging
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.9 | 8.7 | Customer |
-
-Implement a third-party solution from Azure Marketplace for DNS logging solution as per your organizations need.
-
-## 2.10: Enable command-line audit logging
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 2.10 | 8.8 | Customer |
-
-Use Microsoft Monitoring Agent on all supported Azure Windows virtual machines to log the process creation event and the CommandLine field. For supported Azure Linux Virtual machines, you can manually configure console logging on a per-node basis and use Syslog to store the data. Also, use Azure Monitor's Log Analytics workspace to review logs and perform queries on logged data from Azure Virtual machines.
--- [Data collection in Azure Security Center](../../security-center/security-center-enable-data-collection.md#data-collection-tier)--- [How to perform custom queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md)--- [Syslog data sources in Azure Monitor](../../azure-monitor/agents/data-sources-syslog.md)--
-## Next steps
--- See the next Security Control: [Identity and Access Control](security-control-identity-access-control.md)
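Review bot: the "Next steps" at the end of this hunk links to security-control-identity-access-control.md, which does not appear among the files removed in the part of the change shown here; if that page stays, its own navigation must be updated so it no longer links back to this removed Logging and Monitoring page. Two details to carry over rather than lose: 2.1 is the only control in this file marked Responsibility "Microsoft", which matters for shared-responsibility reporting, and 2.9 (DNS query logging) gives no reference link at all, only a pointer to a third-party Marketplace solution, so the replacement should either link concrete guidance or state the gap explicitly.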
security Security Control Malware Defense https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-malware-defense.md
- Title: Azure Security Control - Malware Defense
-description: Azure Security Control Malware Defense
--- Previously updated : 04/14/2020-----
-# Security Control: Malware Defense
-
-Control the installation, spread, and execution of malicious code at multiple points the environment, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
-
-## 8.1: Use centrally managed anti-malware software
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 8.1 | 8.1 | Customer |
-
-Use Microsoft Antimalware for Azure Cloud Services and Virtual Machines to continuously monitor and defend your resources. For Linux, use third party antimalware solution. Also, use Azure Security Center's Threat detection for data services to detect malware uploaded to storage accounts.
--- [How to configure Microsoft Antimalware for Cloud Services and Virtual Machines](../fundamentals/antimalware.md)--- [Threat protection in Azure Security Center](../../security-center/azure-defender.md)-
-## 8.2: Pre-scan files to be uploaded to non-compute Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 8.2 | 8.1 | Customer |
-
-Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure App Service), however it does not run on your content.
-
-Pre-scan any files being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, etc.
-
-Use Azure Security Center's Threat detection for data services to detect malware uploaded to storage accounts.
--- [Understand Microsoft Antimalware for Azure Cloud Services and Virtual Machines](../fundamentals/antimalware.md)--- [Understand Azure Security Center's Threat detection for data services](../../security-center/azure-defender.md)-
-## 8.3: Ensure anti-malware software and signatures are updated
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 8.3 | 8.2 | Customer |
-
-Microsoft Antimalware will automatically install the latest signatures and engine updates by default. Follow recommendations in Azure Security Center: "Compute &amp; Apps" to ensure all endpoints are up to date with the latest signatures. For Linux, use third party antimalware solution.
--- [How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines](../fundamentals/antimalware.md)--
-## Next steps
--- See the next Security Control: [Data Recovery](security-control-data-recovery.md)
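Review bot: "Next steps" here links to security-control-data-recovery.md, which is not among the removed files shown, so check that page's navigation after this removal. Note also that controls 8.1 and 8.2 both map to CIS ID 8.1 while 8.3 maps to 8.2; the replacement content should preserve that mapping, and the 8.2 caveat that Microsoft Antimalware runs on the underlying host but not on your content is exactly the kind of shared-responsibility detail that is easy to lose in a rewrite and should be kept verbatim.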
security Security Control Network Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-network-security.md
- Title: Azure Security Control - Network Security
-description: Azure Security Control Network Security
--- Previously updated : 04/14/2020-----
-# Security Control: Network Security
-
-Network security recommendations focus on specifying which network protocols, TCP/UDP ports, and network connected services are allowed or denied access to Azure services.
-
-## 1.1: Protect Azure resources within virtual networks
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.1 | 9.2, 9.4, 14.1, 14.2, 14.3 | Customer |
-
-Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. When available, use Private Endpoints with Private Link to secure your Azure service resources to your virtual network by extending VNet identity to the service. When Private Endpoints and Private Link not available, use Service Endpoints. For service specific requirements, please refer to the security recommendation for that specific service.
-
-Alternatively, if you have a specific use case, requirement may be met by implementing Azure Firewall.
--- [Understand Virtual Network Service Endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md)--- [Understand Azure Private Link](../../private-link/private-link-overview.md)--- [How to create a Virtual Network](../../virtual-network/quick-create-portal.md)--- [How to create an NSG with a security configuration](../../virtual-network/tutorial-filter-network-traffic.md)--- [How to deploy and configure Azure Firewall](../../firewall/tutorial-firewall-deploy-portal.md)-
-## 1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.2 | 9.3, 12.2, 12.8 | Customer |
-
-Use Azure Security Center and follow network protection recommendations to help secure your network resources in Azure. Enable NSG flow logs and send logs into a Storage Account for traffic audit. You may also send NSG flow logs to a Log Analytics Workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
--- [How to Enable NSG Flow Logs](../../network-watcher/network-watcher-nsg-flow-logging-portal.md)--- [How to Enable and use Traffic Analytics](../../network-watcher/traffic-analytics.md)--- [Understand Network Security provided by Azure Security Center](../../security-center/security-center-network-recommendations.md)-
-## 1.3: Protect critical web applications
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.3 | 9.5 | Customer |
-
-Deploy Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Enable Diagnostic Setting for WAF and ingest logs into a Storage Account, Event Hub, or Log Analytics Workspace.
--- [How to deploy Azure WAF](../../web-application-firewall/ag/create-waf-policy-ag.md)-
-## 1.4: Deny communications with known malicious IP addresses
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.4 | 12.3 | Customer |
-
-Enable DDoS Standard protection on your Azure Virtual Networks to guard against DDoS attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious IP addresses.
-
-Deploy Azure Firewall at each of the organization's network boundaries with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic.
-
-Use Azure Security Center Just In Time Network access to configure NSGs to limit exposure of endpoints to approved IP addresses for a limited period.
-
-Use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit ports and source IPs based on actual traffic and threat intelligence.
--- [How to configure DDoS protection](../../ddos-protection/manage-ddos-protection.md)--- [How to deploy Azure Firewall](../../firewall/tutorial-firewall-deploy-portal.md)--- [Understand Azure Security Center Integrated Threat Intelligence](../../security-center/azure-defender.md)--- [Understand Azure Security Center Adaptive Network Hardening](../../security-center/security-center-adaptive-network-hardening.md)--- [Understand Azure Security Center Just In Time Network Access Control](../../security-center/security-center-just-in-time.md)-
-## 1.5: Record network packets
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.5 | 12.5 | Customer |
-
-Enable Network Watcher packet capture to investigate anomalous activities.
--- [How to enable Network Watcher](../../network-watcher/network-watcher-create.md)-
-## 1.6: Deploy network based intrusion detection/intrusion prevention systems (IDS/IPS)
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.6 | 12.6, 12.7 | Customer |
-
-Select an offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities. If intrusion detection and/or prevention based on payload inspection is not a requirement, Azure Firewall with Threat Intelligence can be used. Azure Firewall Threat intelligence-based filtering can alert and deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
-
-Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or deny malicious traffic.
--- [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/?term=Firewall)--- [How to deploy Azure Firewall](../../firewall/tutorial-firewall-deploy-portal.md)--- [How to configure alerts with Azure Firewall](../../firewall/threat-intel.md)-
-## 1.7: Manage traffic to web applications
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.7 | 12.9, 12.10 | Customer |
-
-Deploy Azure Application Gateway for web applications with HTTPS/TLS enabled for trusted certificates.
--- [How to deploy Application Gateway](../../application-gateway/quick-create-portal.md)--- [How to configure Application Gateway to use HTTPS](../../application-gateway/create-ssl-portal.md)--- [Understand layer 7 load balancing with Azure web application gateways](../../application-gateway/overview.md)-
-## 1.8: Minimize complexity and administrative overhead of network security rules
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.8 | 1.5 | Customer |
-
-Use Virtual Network Service Tags to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
-
-You may also use Application Security Groups to help simplify complex security configuration. Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
--- [Understand and use Service Tags](../../virtual-network/service-tags-overview.md)--- [Understand and use Application Security Groups](../../virtual-network/network-security-groups-overview.md#application-security-groups)-
-## 1.9: Maintain standard security configurations for network devices
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.9 | 11.1 | Customer |
-
-Define and implement standard security configurations for network resources with Azure Policy.
-
-You may also use Azure Blueprints to simplify large scale Azure deployments by packaging key environment artifacts, such as Azure Resources Manager templates, Azure RBAC controls, and policies, in a single blueprint definition. You can apply the blueprint to new subscriptions, and fine-tune control and management through versioning.
--- [How to configure and manage Azure Policy](../../governance/policy/tutorials/create-and-manage.md)--- [Azure Policy samples for networking](../../governance/policy/samples/built-in-policies.md#network)--- [How to create an Azure Blueprint](../../governance/blueprints/create-blueprint-portal.md)-
-## 1.10: Document traffic configuration rules
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.10 | 11.2 | Customer |
-
-Use Tags for NSGs and other resources related to network security and traffic flow. For individual NSG rules, use the "Description" field to specify business need and/or duration (etc.) for any rules that allow traffic to/from a network.
-
-Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value" to ensure that all resources are created with Tags and to notify you of existing untagged resources.
-
-You may use Azure PowerShell or Azure CLI to look-up or perform actions on resources based on their Tags.
--- [How to create and use Tags](../../azure-resource-manager/management/tag-resources.md)--- [How to create a Virtual Network](../../virtual-network/quick-create-portal.md)--- [How to create an NSG with a Security Config](../../virtual-network/tutorial-filter-network-traffic.md)-
-## 1.11: Use automated tools to monitor network resource configurations and detect changes
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 1.11 | 11.3 | Customer |
-
-Use Azure Activity Log to monitor resource configurations and detect changes to your Azure resources. Create alerts within Azure Monitor that will trigger when changes to critical resources take place.
--- [How to view and retrieve Azure Activity Log events](../../azure-monitor/essentials/activity-log.md#view-the-activity-log)--- [How to create alerts in Azure Monitor](../../azure-monitor/alerts/alerts-activity-log.md)-
-## Next steps
--- See the next Security Control: [Logging and Monitoring](security-control-logging-monitoring.md)
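Review bot: this hunk removes the Network Security control page whose "Next steps" points at security-control-logging-monitoring.md, also removed in this change; confirm redirects for both. The most specific recommendations in the file are 1.4 (Azure Firewall threat intelligence configured to "Alert and deny", combined with Just In Time access and Adaptive Network Hardening) and 1.8 (service tags and application security groups in place of literal IP addresses); each should map to equivalent guidance in whatever replaces this page, and the 1.11 recommendation to alert on Activity Log changes to critical network resources is the detection control that ties the others together and should not be dropped.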
security Security Control Penetration Tests Red Team Exercises https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-penetration-tests-red-team-exercises.md
- Title: Azure Security Control - Penetration Tests and Red Team Exercises
-description: Azure Security Control Penetration Tests and Red Team Exercises
--- Previously updated : 04/14/2020-----
-# Security Control: Penetration Tests and Red Team Exercises
-
-Test the overall strength of an organization's defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
-
-## 11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 11.1 | 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8 | Shared |
-
-Follow the Microsoft Rules of Engagement to ensure your Penetration Tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
--- [Penetration Testing Rules of Engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1)--- [Microsoft Cloud Red Teaming](https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e)--
-## Next steps
--- Return to the [Azure Security Benchmark overview](overview.md)
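Review bot: the removed 11.1 control's "Next steps" returns to overview.md, which is not removed here, so the overview's list of controls must drop its link to this page in the same change or the site is left with a dangling link. The two external references (the MSRC Penetration Testing Rules of Engagement and the Cloud Red Teaming gallery link) are the only places on this page that state the requirement to follow Microsoft's rules of engagement before testing against Microsoft-managed infrastructure; keep the Rules of Engagement pointer in the replacement content even if the rest of the page is retired.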
security Security Control Secure Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-secure-configuration.md
- Title: Azure Security Control - Secure Configuration
-description: Azure Security Control Secure Configuration
--- Previously updated : 04/14/2020-----
-# Security Control: Secure Configuration
-
-Establish, implement, and actively manage (track, report on, correct) the security configuration of Azure resources in order to prevent attackers from exploiting vulnerable services and settings.
-
-## 7.1: Establish secure configurations for all Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.1 | 5.1 | Customer |
-
-Use Azure Policy aliases to create custom policies to audit or enforce the configuration of your Azure resources. You may also use built-in Azure Policy definitions.
-
-Also, Azure Resource Manager has the ability to export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet / exceed the security requirements for your organization.
-
-You may also use recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.
--- [How to view available Azure Policy aliases](/powershell/module/az.resources/get-azpolicyalias)--- [Tutorial: Create and manage policies to enforce compliance](../../governance/policy/tutorials/create-and-manage.md)--- [Single and multi-resource export to a template in Azure portal](../../azure-resource-manager/templates/export-template-portal.md)--- [Security recommendations - a reference guide](../../security-center/recommendations-reference.md)-
-## 7.2: Establish secure operating system configurations
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.2 | 5.1 | Customer |
-
-Use Azure Security Center recommendations to maintain security configurations on all compute resources. Additionally, you may use custom operating system images or Azure Automation State configuration to establish the security configuration of the operating system required by your organization.
--- [How to monitor Azure Security Center recommendations](../../security-center/security-center-recommendations.md)--- [Security recommendations - a reference guide](../../security-center/recommendations-reference.md)--- [Azure Automation State Configuration Overview](../../automation/automation-dsc-overview.md)--- [Upload a VHD and use it to create new Windows VMs in Azure](../../virtual-machines/windows/upload-generalized-managed.md)--- [Create a Linux VM from a custom disk with the Azure CLI](../../virtual-machines/linux/upload-vhd.md)-
-## 7.3: Maintain secure Azure resource configurations
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.3 | 5.2 | Customer |
-
-Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources. In addition, you may use Azure Resource Manager templates to maintain the security configuration of your Azure resources required by your organization.
--- [Understand Azure Policy effects](../../governance/policy/concepts/effects.md)--- [Create and manage policies to enforce compliance](../../governance/policy/tutorials/create-and-manage.md)--- [Azure Resource Manager templates overview](../../azure-resource-manager/templates/overview.md)-
-## 7.4: Maintain secure operating system configurations
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.4 | 5.2 | Shared |
-
-Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure compute resources. In addition, you may use Azure Resource Manager templates, custom operating system images or Azure Automation State configuration to maintain the security configuration of the operating system required by your organization. The Microsoft virtual machine templates combined with the Azure Automation Desired State Configuration may assist in meeting and maintaining the security requirements.
-
-Also, note that Azure Marketplace Virtual Machine Images published by Microsoft are managed and maintained by Microsoft.
--- [How to implement Azure Security Center vulnerability assessment recommendations](../../security-center/deploy-vulnerability-assessment-vm.md)--- [How to create an Azure Virtual Machine from an Azure Resource Manager template](../../virtual-machines/windows/ps-template.md)--- [Azure Automation State Configuration Overview](../../automation/automation-dsc-overview.md)--- [Create a Windows virtual machine in the Azure portal](../../virtual-machines/windows/quick-create-portal.md)--- [Information on how to download the VM template](/previous-versions/azure/virtual-machines/windows/download-template)--- [Sample script to upload a VHD to Azure and create a new VM](/previous-versions/azure/virtual-machines/scripts/virtual-machines-windows-powershell-upload-generalized-script)-
-## 7.5: Securely store configuration of Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.5 | 5.3 | Customer |
-
-Use Azure DevOps to securely store and manage your code like custom Azure policies, Azure Resource Manager templates and Desired State Configuration scripts. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS.
--- [How to store code in Azure DevOps](/azure/devops/repos/git/gitworkflow)--- [About permissions and groups in Azure DevOps](/azure/devops/organizations/security/about-permissions)-
-## 7.6: Securely store custom operating system images
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.6 | 5.3 | Customer |
-
-If using custom images, use Azure role-based access control (Azure RBAC) to ensure only authorized users may access the images. Using a Shared Image Gallery you can share your images to different users, service principals, or AD groups within your organization. For container images, store them in Azure Container Registry and leverage Azure RBAC to ensure only authorized users may access the images.
--- [Understand Azure RBAC](../../role-based-access-control/rbac-and-directory-admin-roles.md)--- [Understand Azure RBAC for Container Registry](../../container-registry/container-registry-roles.md)--- [How to configure Azure RBAC](../../role-based-access-control/quickstart-assign-role-user-portal.md)--- [Shared Image Gallery overview](../../virtual-machines/shared-image-galleries.md)-
-## 7.7: Deploy configuration management tools for Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.7 | 5.4 | Customer |
-
-Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure resources. You may also make use of built-in policy definitions related to your specific resources. Additionally, you may use Azure Automation to deploy configuration changes.
--- [How to configure and manage Azure Policy](../../governance/policy/tutorials/create-and-manage.md)--- [How to use Aliases](../../governance/policy/concepts/definition-structure.md#aliases)-
-## 7.8: Deploy configuration management tools for operating systems
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.8 | 5.4 | Customer |
-
-Azure Automation State Configuration is a configuration management service for Desired State Configuration (DSC) nodes in any cloud or on-premises datacenter. You can easily onboard machines, assign them declarative configurations, and view reports showing each machine's compliance to the desired state you specified.
--- [Onboarding machines for management by Azure Automation State Configuration](../../automation/automation-dsc-onboarding.md)-
-## 7.9: Implement automated configuration monitoring for Azure resources
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.9 | 5.5 | Customer |
-
-Use Azure Security Center to perform baseline scans for your Azure Resources. Additionally, use Azure Policy to alert and audit Azure resource configurations.
--- [How to remediate recommendations in Azure Security Center](../../security-center/security-center-remediate-recommendations.md)-
-## 7.10: Implement automated configuration monitoring for operating systems
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.10 | 5.5 | Customer |
-
-Use Azure Security Center to perform baseline scans for OS and Docker Settings for containers.
--- [Understand Azure Security Center container recommendations](../../security-center/container-security.md)-
-## 7.11: Manage Azure secrets securely
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.11 | 13.1 | Customer |
-
-Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.
--- [How to integrate with Azure Managed Identities](../../azure-app-configuration/howto-integrate-azure-managed-service-identity.md)--- [How to create a Key Vault](../../key-vault/secrets/quick-create-portal.md)--- [How to authenticate to Key Vault](../../key-vault/general/authentication.md)--- [How to assign a Key Vault access policy](../../key-vault/general/assign-access-policy-portal.md)-
-## 7.12: Manage identities securely and automatically
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.12 | 4.1 | Customer |
-
-Use Managed Identities to provide Azure services with an automatically managed identity in Azure AD. Managed Identities allows you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
--- [How to configure Managed Identities](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md)-
-## 7.13: Eliminate unintended credential exposure
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 7.13 | 18.1, 18.7 | Customer |
-
-Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
--- [How to setup Credential Scanner](https://secdevtools.azurewebsites.net/helpcredscan.html)--
-## Next steps
--- See the next Security Control: [Malware Defense](security-control-malware-defense.md)
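Review bot: every line of this file shown here is removed, down to its `## Next steps` link to security-control-malware-defense.md, so a redirect entry for the deleted article should be part of this change or the chain of v1 control pages and any external bookmarks break. If the text is being carried to a replacement page, two defects in the removed content should not travel with it: 7.7 says "audit or enforce the network configuration of your Azure resources" although the control covers resource configuration in general (7.1 carries the same sentence without "network"), and 7.11 uses the older name "Managed Service Identity" while 7.12 says "Managed Identities".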
security Security Control Vulnerability Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-control-vulnerability-management.md
- Title: Azure Security Control - Vulnerability Management
-description: Azure Security Control Vulnerability Management
--- Previously updated : 04/14/2020-----
-# Security Control: Vulnerability Management
-
-Vulnerability management recommendations focus on addressing issues related to continuously acquiring, assessing, and acting on new information in order to identify and remediate vulnerabilities as well as minimizing the window of opportunity for attackers.
-
-## 5.1: Run automated vulnerability scanning tools
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 5.1 | 3.1, 3.2, 3.3 | Customer |
-
-Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers.
-
-Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
--- [How to implement Azure Security Center vulnerability assessment recommendations](../../security-center/deploy-vulnerability-assessment-vm.md)-
-## 5.2: Deploy automated operating system patch management solution
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 5.2 | 3.4 | Customer |
-
-Use Azure "Update Management" to ensure the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.
--- [How to configure Update Management for virtual machines in Azure](../../automation/update-management/overview.md)--- [Understand Azure security policies monitored by Security Center](../../security-center/policy-reference.md)-
-## 5.3: Deploy automated patch management solution for third-party software titles
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 5.3 | 3.5 | Customer |
-
-Use a third-party patch management solution. Customers already leveraging System Center Configuration Manager in their environment may leverage System Center Updates Publisher, allowing them to publish custom updates into Windows Server Update Service. This allows Update Manager to patch machines that use System Center Configuration Manager as their update repository with third-party software.
-
-## 5.4: Compare back-to-back vulnerability scans
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 5.4 | 3.6 | Customer |
-
-Export scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you may pivot into the selected solution's portal to view historical scan data.
-
-## 5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities
-
-| Azure ID | CIS IDs | Responsibility |
-|--|--|--|
-| 5.5 | 3.7 | Customer |
-
-Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.
--
-## Next steps
--- See the next Security Control: [Inventory and Asset Management](security-control-inventory-asset-management.md)
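Review bot: the 5.3 paragraph ("Use a third-party patch management solution...") refers to "Update Manager" while 5.2 names the service Azure "Update Management"; if this content survives elsewhere, use one name. Unlike the other controls, 5.3, 5.4 and 5.5 have no reference-link list at all, so a reader has nowhere to go for System Center Updates Publisher or for exporting scan results. Deleting the file also drops the `## Next steps` link to security-control-inventory-asset-management.md, so a redirect for this page should accompany the removal.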
security Security Controls V2 Asset Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-controls-v2-asset-management.md
- Title: Azure Security Benchmark V2 - Asset Management
-description: Azure Security Benchmark V2 Asset Management
--- Previously updated : 02/22/2021-----
-# Security Control V2: Asset Management
-
-Asset Management covers controls to ensure security visibility and governance over Azure resources. This includes recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).
-
-To see the applicable built-in Azure Policy, see [Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Network Security](../../governance/policy/samples/azure-security-benchmark.md#asset-management)
-
-## AM-1: Ensure security team has visibility into risks for assets
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| AM-1 | 1.1, 1.2 | CM-8, PM-5 |
-
-Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.
-
-Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
-
-Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
-
-Note: Additional permissions might be required to get visibility into workloads and services.
--- [Overview of Security Reader Role](../../role-based-access-control/built-in-roles.md#security-reader)--- [Overview of Azure Management Groups](../../governance/management-groups/overview.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)-
-## AM-2: Ensure security team has access to asset inventory and metadata
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| AM-2 | 1.1, 1.2, 1.4, 1.5, 9.1, 12.1 | CM-8, PM-5 |
-
-Ensure that security teams have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuously security improvements.
-
-The Azure Security Center inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources.
-
-Logically organize assets according to your organization's taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).
--- [How to create queries with Azure Resource Graph Explorer](../../governance/resource-graph/first-query-portal.md)--- [Azure Security Center asset inventory management](../../security-center/asset-inventory.md)--- [For more information about tagging assets, see the resource naming and tagging decision guide](/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=%2fazure%2fazure-resource-manager%2fmanagement%2ftoc.json)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)-
-## AM-3: Use only approved Azure services
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| AM-3 | 2.3, 2.4 | CM-7, CM-8 |
-
-Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
--- [Configure and manage Azure Policy](../../governance/policy/tutorials/create-and-manage.md)--- [How to deny a specific resource type with Azure Policy](../../governance/policy/samples/index.md)--- [How to create queries with Azure Resource Graph Explorer](../../governance/resource-graph/first-query-portal.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)-
-## AM-4: Ensure security of asset lifecycle management
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| AM-4 | 2.3, 2.4, 2.5 | CM-7, CM-8, CM-10, CM-11 |
-
-Establish or update security policies that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to: identity providers and access, data sensitivity, network configuration, and administrative privilege assignment.
-
-Remove Azure resources when they are no longer needed.
--- [Delete Azure resource group and resource](../../azure-resource-manager/management/delete-resource-group.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)-
-## AM-5: Limit users' ability to interact with Azure Resource Manager
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| AM-5 | 2.9 | AC-3 |
-
-Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.
--- [How to configure Conditional Access to block access to Azure Resources Manager](../../role-based-access-control/conditional-access-azure-management.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)-
-## AM-6: Use only approved applications in compute resources
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| AM-6 | 2.6, 2.7 | AC-3, CM-7, CM-8, CM-10, CM-11 |
-
-Ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure Virtual Machines.
-
-Use Azure Security Center (ASC) adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
-
-Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace.
-
-Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.
-
-You can also use a third-party solution to discover and identify unapproved software.
--- [How to use Azure Security Center adaptive application controls](../../security-center/security-center-adaptive-application.md)--- [Understand Azure Automation Change Tracking and Inventory](../../automation/change-tracking/overview.md)--- [How to control PowerShell script execution in Windows environments](/powershell/module/microsoft.powershell.security/set-executionpolicy)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)
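Review bot: the intro link text reads "Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Network Security" but its anchor is `#asset-management`; the text should say "Asset Management" wherever this line ends up. Every control table here has a three-column header over a four-cell separator row (`|--|--|--|--|`), which renders an empty fourth column or breaks the table in some renderers; drop the extra `--|`. Minor wording in AM-2: "as an input to continuously security improvements" should be "continuous security improvements".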
security Security Controls V2 Backup Recovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-controls-v2-backup-recovery.md
- Title: Azure Security Benchmark V2 - Backup and Recovery
-description: Azure Security Benchmark V2 Backup and Recovery
--- Previously updated : 02/22/2021-----
-# Security Control V2: Backup and Recovery
-
-Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected.
-
-To see the applicable built-in Azure Policy, see [Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Backup and Recovery](../../governance/policy/samples/azure-security-benchmark.md#backup-and-recovery)
-
-## BR-1: Ensure regular automated backups
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| BR-1 | 10.1 | CP-2, CP4, CP-6, CP-9 |
-
-Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be defined by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
-
-Enable Azure Backup and configure the backup source (such as Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.
-
-For a higher level of protection, you can enable the geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore.
--- [Enterprise-scale business continuity and disaster recovery](/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery)--- [How to enable Azure Backup](../../backup/index.yml)--- [How to enable cross region restore](../../backup/backup-azure-arm-restore-vms.md#cross-region-restore)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Policy and standards](/azure/cloud-adoption-framework/organize/cloud-security-policy-standards)--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture)--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)-
-## BR-2: Encrypt backup data
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| BR-2 | 10.2 | CP-9 |
-
-Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.
-
-For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.
-
-Use Azure role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted.
--- [Overview of security features in Azure Backup](../../backup/security-overview.md)--- [Encryption of backup data using customer-managed keys](../../backup/encryption-at-rest-with-cmk.md) --- [How to backup Key Vault keys in Azure](/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey)--- [Security features to help protect hybrid backups from attacks](../../backup/backup-azure-security-feature.md#prevent-attacks)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture)--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)-
-## BR-3: Validate all backups including customer-managed keys
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| BR-3 | 10.3 | CP-4, CP-9 |
-
-Periodically perform data restoration of your backup. Ensure that you can restore backed-up customer-managed keys.
--- [How to recover files from Azure Virtual Machine backup](../../backup/backup-azure-restore-files-from-vm.md)--- [How to restore Key Vault keys in Azure](/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)-
-## BR-4: Mitigate risk of lost keys
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| BR-4 | 10.4 | CP-9 |
-
-Ensure that you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
--- [How to enable soft delete and purge protection in Key Vault](../../storage/blobs/soft-delete-blob-overview.md?tabs=azure-portal)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)--- [Data Security](/azure/cloud-adoption-framework/organize/cloud-security-data-security)
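Review bot: the BR-4 reference "How to enable soft delete and purge protection in Key Vault" points at `../../storage/blobs/soft-delete-blob-overview.md`, which is the Blob storage soft-delete article, not Key Vault; if this text is retained it should link to the Key Vault soft-delete and purge-protection documentation instead. In the BR-1 table, "CP4" is missing its hyphen (the neighbouring IDs are CP-2, CP-6, CP-9). The BR-2 and BR-3 PowerShell references use the `azurerm.keyvault` module path; the AzureRM module is deprecated and the equivalent Az.KeyVault cmdlets are the current reference.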
security Security Controls V2 Data Protection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-controls-v2-data-protection.md
- Title: Azure Security Benchmark V2 - Data Protection
-description: Azure Security Benchmark V2 Data Protection
--- Previously updated : 02/22/2021-----
-# Security Control V2: Data Protection
-
-Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms. This includes discover, classify, protect, and monitor sensitive data assets using access control, encryption, and logging in Azure.
-
-To see the applicable built-in Azure Policy, see [Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Data Protection](../../governance/policy/samples/azure-security-benchmark.md#data-protection)
-
-## DP-1: Discovery, classify and label sensitive data
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| DP-1 | 13.1, 14.5, 14.7 | SC-28 |
-
-Discover, classify, and label your sensitive data so that you can design the appropriate controls to ensure sensitive information is stored, processed, and transmitted securely by the organization's technology systems.
-
-Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, on Office 365, and in other locations.
-
-You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.
--- [Tag sensitive information using Azure Information Protection](/azure/information-protection/what-is-information-protection) --- [How to implement Azure SQL Data Discovery](../../azure-sql/database/data-discovery-and-classification-overview.md)-
-**Responsibility**: Shared
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Application Security and DevOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)--- [Data Security](/azure/cloud-adoption-framework/organize/cloud-security-data-security) --- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)-
-## DP-2: Protect sensitive data
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| DP-2 | 13.2, 2.10 | SC-7, AC-4 |
-
-Protect sensitive data by restricting access using Azure role-based access control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).
-
-To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
-
-For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.
--- [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md)--- [Understand customer data protection in Azure](../fundamentals/protection-customer-data.md)-
-**Responsibility**: Shared
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Application Security and DevOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops) --- [Data Security](/azure/cloud-adoption-framework/organize/cloud-security-data-security)--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)-
-## DP-3: Monitor for unauthorized transfer of sensitive data
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| DP-3 | 13.3 | AC-4, SI-4 |
-
-Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.
-
-Azure Storage Advanced Threat Protection (ATP) and Azure SQL ATP can alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive information.
-
-Azure Information protection (AIP) provides monitoring capabilities for information that has been classified and labeled.
-
-If required for compliance of data loss prevention (DLP), you can use a host-based DLP solution to enforce detective and/or preventative controls to prevent data exfiltration.
--- [Azure Defender for SQL](../../azure-sql/database/azure-defender-for-sql.md)--- [Azure Defender for Storage](../../storage/common/azure-defender-storage-configure.md?tabs=azure-security-center)-
-**Responsibility**: Shared
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security operations](/azure/cloud-adoption-framework/organize/cloud-security) --- [Application security and DevOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops) --- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)-
-## DP-4: Encrypt sensitive information in transit
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| DP-4 | 14.4 | SC-8 |
-
-To complement access controls, data in transit should be protected against "out of band" attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
-
-While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled.
-
-By default, Azure provides encryption for data in transit between Azure data centers.
--- [Understand encryption in transit with Azure](../fundamentals/encryption-overview.md#encryption-of-data-in-transit)--- [Information on TLS Security](/security/engineering/solving-tls1-problem)--- [Double encryption for Azure data in transit](../fundamentals/double-encryption.md#data-in-transit)-
-**Responsibility**: Shared
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture) --- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Application Security and DevOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops) --- [Data Security](/azure/cloud-adoption-framework/organize/cloud-security-data-security)-
-## DP-5: Encrypt sensitive data at rest
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| DP-5 | 14.8 | SC-28, SC-12 |
-
-To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.
-
-Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer managed keys) for certain Azure services.
--- [Understand encryption at rest in Azure](../fundamentals/encryption-atrest.md#encryption-at-rest-in-microsoft-cloud-services)--- [How to configure customer managed encryption keys](../../storage/common/customer-managed-keys-configure-key-vault.md)--- [Encryption model and key management table](../fundamentals/encryption-models.md)--- [Data at rest double encryption in Azure](../fundamentals/double-encryption.md#data-at-rest)-
-**Responsibility**: Shared
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture) --- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint)--- [Application Security and DevOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)--- [Data Security](/azure/cloud-adoption-framework/organize/cloud-security-data-security)
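Review bot: every control table in this block (DP-3, DP-4, DP-5) pairs a three-cell header `| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |` with a four-column delimiter row `|--|--|--|--|`, which renders an empty trailing column in strict Markdown; if this content is being relocated rather than dropped, the delimiter should become `|--|--|--|` at the destination. Two smaller points in the same block: DP-3 still names "Azure Storage Advanced Threat Protection (ATP) and Azure SQL ATP" while its own reference list already uses the renamed "Azure Defender for SQL" and "Azure Defender for Storage", so the body text and the links disagree on product names; and the reference and stakeholder lists are run together on single lines as `--- [..]--- [..]-`, so one `- [..]` bullet per line is needed for them to render as lists.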
security Security Controls V2 Endpoint Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-controls-v2-endpoint-security.md
- Title: Azure Security Benchmark V2 - Endpoint Security
-description: Azure Security Benchmark V2 Endpoint Security
--- Previously updated : 02/22/2021-----
-# Security Control V2: Endpoint Security
-
-Endpoint Security covers controls in endpoint detection and response. This includes use of endpoint detection and response (EDR) and anti-malware service for endpoints in Azure environments.
-
-To see the applicable built-in Azure Policy, see [Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Endpoint Security](../../governance/policy/samples/azure-security-benchmark.md#endpoint-security)
-
-## ES-1: Use Endpoint Detection and Response (EDR)
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| ES-1 | 8.1 | SI-2, SI-3, SC-3 |
-
-Enable Endpoint Detection and Response (EDR) capabilities for servers and clients and integrate with SIEM and Security Operations processes.
-
-Microsoft Defender for Endpoint provides EDR capability as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.
--- [Microsoft Defender for Endpoint Overview](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)--- [Microsoft Defender for Endpoint for Windows servers](/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints)--- [Microsoft Defender for Endpoint for non-Windows servers](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)-
-## ES-2: Use centrally managed modern anti-malware software
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| ES-2 | 8.1 | SI-2, SI-3, SC-3 |
-
-Use a centrally managed endpoint anti-malware solution capable of real time and periodic scanning
-
-Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations.
-
-Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use third-party antimalware solution. Also, you can use Azure Security Center's Threat detection for data services to detect malware uploaded to Azure Storage accounts.
--- [How to configure Microsoft Antimalware for Cloud Services and Virtual Machines](../fundamentals/antimalware.md)--- [Supported endpoint protection solutions](../../security-center/security-center-services.md?tabs=features-windows#supported-endpoint-protection-solutions-)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)-
-## ES-3: Ensure anti-malware software and signatures are updated
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| ES-3 | 8.2 | SI-2, SI-3 |
-
-Ensure anti-malware signatures are updated rapidly and consistently.
-
-Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware will automatically install the latest signatures and engine updates by default. For Linux, ensure the signatures are updated in the third-party antimalware solution.
--- [How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines](../fundamentals/antimalware.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)--- [Security Compliance Management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-compliance-management)--- [Endpoint protection assessment and recommendations in Azure Security Center](../../security-center/security-center-endpoint-protection.md)
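Review bot: in the stakeholder lists of ES-1, ES-2 and ES-3, "Posture management" links to `/azure/cloud-adoption-framework/organize/cloud-security-compliance-management`, the identical target of the "Security Compliance Management" entry right before it, whereas the Identity Management file in this same change links Posture management to `cloud-security-posture-management`; the ES links look copy-pasted and should point at the posture-management page. In the same lists, "Infrastructure and endpoint security" links to the generic `/azure/cloud-adoption-framework/organize/cloud-security` overview rather than the `cloud-security-infrastructure-endpoint` page used for that stakeholder in the Data Protection controls, so the target should be aligned. Minor: the ES-2 summary sentence "Use a centrally managed endpoint anti-malware solution capable of real time and periodic scanning" lacks its terminal period and "real time" should be hyphenated as an adjective, and the `|--|--|--|--|` delimiter rows have one column more than the three-cell headers above them.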
security Security Controls V2 Governance Strategy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-controls-v2-governance-strategy.md
- Title: Azure Security Benchmark V2 - Governance and Strategy
-description: Azure Security Benchmark V2 Governance and Strategy
--- Previously updated : 02/22/2021-----
-# Security Control V2: Governance and Strategy
-
-Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards.
-
-## GS-1: Define asset management and data protection strategy
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-1 | 2, 13 | SC, AC |
-
-Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.
-
-This strategy should include documented guidance, policy, and standards for the following elements:
--- Data classification standard in accordance with the business risks--- Security organization visibility into risks and asset inventory--- Security organization approval of Azure services for use--- Security of assets through their lifecycle--- Required access control strategy in accordance with organizational data classification--- Use of Azure native and third party data protection capabilities--- Data encryption requirements for in-transit and at-rest use cases--- Appropriate cryptographic standards-
-For more information, see the following references:
-- [Azure Security Architecture Recommendation - Storage, data, and encryption](/azure/architecture/framework/security/storage-data-encryption?bc=%2fsecurity%2fcompass%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fcompass%2ftoc.json)--- [Azure Security Fundamentals - Azure Data security, encryption, and storage](../fundamentals/encryption-overview.md)--- [Cloud Adoption Framework - Azure data security and encryption best practices](../fundamentals/data-encryption-best-practices.md?bc=%2fazure%2fcloud-adoption-framework%2f_bread%2ftoc.json&toc=%2fazure%2fcloud-adoption-framework%2ftoc.json)--- [Azure Security Benchmark - Asset management](security-controls-v2-asset-management.md)--- [Azure Security Benchmark - Data Protection](security-controls-v2-data-protection.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)-
-## GS-2: Define enterprise segmentation strategy
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-2 | 4, 9, 16 | AC, CA, SC |
-
-Establish an enterprise-wide strategy to segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.
-
-Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.
-
-Ensure that the segmentation strategy is implemented consistently across control types including network security, identity and access models, and application permission/access models, and human process controls.
--- [Guidance on segmentation strategy in Azure (video)](/security/compass/microsoft-security-compass-introduction#azure-components-and-reference-model-2151)--- [Guidance on segmentation strategy in Azure (document)](/security/compass/governance#enterprise-segmentation-strategy)--- [Align network segmentation with enterprise segmentation strategy](/security/compass/network-security-containment#align-network-segmentation-with-enterprise-segmentation-strategy)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)-
-## GS-3: Define security posture management strategy
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-3 | 20, 3, 5 | RA, CM, SC |
-
-Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc.
--- [Azure Security Benchmark - Posture and vulnerability management](security-controls-v2-posture-vulnerability-management.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)-
-## GS-4: Align organization roles, responsibilities, and accountabilities
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-4 | N/A | PL, PM |
-
-Ensure that you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educate technical teams on technology to secure the cloud.
--- [Azure Security Best Practice 1 ΓÇô People: Educate Teams on Cloud Security Journey](/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey)--- [Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology](/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology)--- [Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions](/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)-
-## GS-5: Define network security strategy
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-5 | 9 | CA, SC |
-
-Establish an Azure network security approach as part of your organization's overall security access control strategy.
-
-This strategy should include documented guidance, policy, and standards for the following elements:
--- Centralized network management and security responsibility--- Virtual network segmentation model aligned with the enterprise segmentation strategy--- Remediation strategy in different threat and attack scenarios--- Internet edge and ingress and egress strategy--- Hybrid cloud and on-premises interconnectivity strategy--- Up-to-date network security artifacts (such as network diagrams, reference network architecture)-
-For more information, see the following references:
--- [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy)--- [Azure Security Benchmark - Network Security](security-controls-v2-network-security.md)--- [Azure network security overview](../fundamentals/network-overview.md)--- [Enterprise network architecture strategy](/azure/cloud-adoption-framework/ready/enterprise-scale/architecture)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)-
-## GS-6: Define identity and privileged access strategy
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-6 | 16, 4 | AC, AU, SC |
-
-Establish an Azure identity and privileged access approaches as part of your organization's overall security access control strategy.
-
-This strategy should include documented guidance, policy, and standards for the following elements:
--- A centralized identity and authentication system and its interconnectivity with other internal and external identity systems--- Strong authentication methods in different use cases and conditions--- Protection of highly privileged users--- Anomaly user activities monitoring and handling--- User identity and access review and reconciliation process-
-For more information, see the following references:
--- [Azure Security Benchmark - Identity management](security-controls-v2-identity-management.md)--- [Azure Security Benchmark - Privileged access](security-controls-v2-privileged-access.md)--- [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy)--- [Azure identity management security overview](../fundamentals/identity-management-overview.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)-
-## GS-7: Define logging and threat response strategy
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-7 | 19 | IR, AU, RA, SC |
-
-Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high quality alerts and seamless experiences so that they can focus on threats rather than integration and manual steps.
-
-This strategy should include documented guidance, policy, and standards for the following elements:
--- The security operations (SecOps) organization's role and responsibilities --- A well-defined incident response process aligning with NIST or another industry framework --- Log capture and retention to support threat detection, incident response, and compliance needs--- Centralized visibility of and correlation information about threats, using SIEM, native Azure capabilities, and other sources --- Communication and notification plan with your customers, suppliers, and public parties of interest--- Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication--- Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention-
-For more information, see the following references:
-- [Azure Security Benchmark - Logging and threat detection](security-controls-v2-logging-threat-detection.md)--- [Azure Security Benchmark - Incident response](security-controls-v2-incident-response.md)--- [Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud](/azure/cloud-adoption-framework/security/security-top-10#3-process-assign-accountability-for-cloud-security-decisions)--- [Azure Adoption Framework, logging, and reporting decision guide](/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/)--- [Azure enterprise scale, management, and monitoring](/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)-
-## GS-8: Define backup and recovery strategy
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| GS-8 | 10 | CP |
-
-Establish an Azure backup and recovery strategy for your organization.
-
-This strategy should include documented guidance, policy, and standards for the following elements:
--- Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives--- Redundancy design in your applications and infrastructure setup--- Protection of backup using access control and data encryption-
-For more information, see the following references:
-- [Azure Security Benchmark - Backup and recovery](security-controls-v2-backup-recovery.md)--- [Azure Well-Architecture Framework - Backup and disaster recover for Azure applications](/azure/architecture/framework/resiliency/backup-and-recovery)--- [Azure Adoption Framework - business continuity and disaster recovery](/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [All stakeholders](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)
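Review bot: the anchors of two references are swapped between GS-4 and GS-7: in GS-4 the link labelled "Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions" points to `#4-process-update-incident-response-ir-processes-for-cloud`, while in GS-7 the link labelled "Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud" points to `#3-process-assign-accountability-for-cloud-security-decisions`; each label should get the other's fragment. Also in GS-4, the first reference title contains `ΓÇô`, a UTF-8 en dash decoded under a single-byte code page, which should be a plain `-` like the sibling entries. In GS-8 the second reference reads "Azure Well-Architecture Framework - Backup and disaster recover for Azure applications"; the product is the Well-Architected Framework and the noun is "recovery". The same `|--|--|--|--|` four-column delimiter under three-cell headers recurs in every GS table.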
security Security Controls V2 Identity Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-controls-v2-identity-management.md
- Title: Azure Security Benchmark V2 - Identity Management
-description: Azure Security Benchmark V2 Identity Management
--- Previously updated : 02/22/2021-----
-# Security Control V2: Identity Management
-
-Identity Management covers controls to establish a secure identity and access controls using Azure Active Directory. This includes the use of single sign-on, strong authentications, managed identities (and service principles) for applications, conditional access, and account anomalies monitoring.
-
-To see the applicable built-in Azure Policy, see [Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Identity Management](../../governance/policy/samples/azure-security-benchmark.md#identity-management)
-
-## IM-1: Standardize Azure Active Directory as the central identity and authentication system
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-1 | 16.1, 16.2, 16.4, 16.5 | IA-2, IA-8, AC-2, AC-3 |
-
-Azure Active Directory (Azure AD) is Azure's default identity and access management service. You should standardize on Azure AD to govern your organization's identity and access management in:
-- Microsoft cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.--- Your organization's resources, such as applications on Azure or your corporate network resources.-
-Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess your identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
-
-Note: Azure AD supports external identity providers, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.
--- [Tenancy in Azure AD](../../active-directory/develop/single-and-multi-tenant-apps.md)--- [How to create and configure an Azure AD instance](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md)--- [Define Azure AD tenants](https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/)--- [Use external identity providers for an application](../../active-directory/external-identities/identity-providers.md)--- [What is the identity secure score in Azure AD](../../active-directory/fundamentals/identity-secure-score.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Identity and key management](/azure/cloud-adoption-framework/organize/cloud-security-identity-keys) --- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture)--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)-
-## IM-2: Manage application identities securely and automatically
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-2 | N/A | AC-2, AC-3, IA-2, IA-4, IA-9 |
-
-For non-human accounts such as services or automation, use Azure managed identities, instead of creating a more powerful human account to access resources or execute code. Azure managed identities can authenticate to Azure services and resources that support Azure AD authentication. Authentication is enabled through pre-defined access grant rules, avoiding hard-coded credentials in source code or configuration files.
-
-For services that do not support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level instead. It is recommended to configure service principals with certificate credentials and fall back to client secrets. In both cases, Azure Key Vault can be used in conjunction with Azure managed identities, so that the runtime environment (such as an Azure function) can retrieve the credential from the key vault.
--- [Azure managed identities](../../active-directory/managed-identities-azure-resources/overview.md)--- [Services that support managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md)--- [Azure service principal](/powershell/azure/create-azure-service-principal-azureps)--- [Create a service principal with certificates](../../active-directory/develop/howto-authenticate-service-principal-powershell.md)-
-Use Azure Key Vault for security principal registration: authentication#authorize-a-security-principal-to-access-key-vault
-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Identity and key management](/azure/cloud-adoption-framework/organize/cloud-security-identity-keys)--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)-
-## IM-3: Use Azure AD single sign-on (SSO) for application access
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-3 | 4.4 | IA-2, IA-4 |
-
-Azure AD provides identity and access management to Azure resources, cloud applications, and on-premises applications. Identity and access management applies to enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers.
-
-Use Azure AD single sign-on (SSO) to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access, and greater visibility and control.
--- [Understand application SSO with Azure AD](../../active-directory/manage-apps/what-is-single-sign-on.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture)--- [Identity and key management](/azure/cloud-adoption-framework/organize/cloud-security-identity-keys)--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)-
-## IM-4: Use strong authentication controls for all Azure Active Directory based access
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-4 | 4.2, 4.4 4.5, 11.5, 12.11, 16.3 | AC-2, AC-3, IA-2, IA-4 |
-
-Azure AD supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods.
--- Multi-factor authentication: Enable Azure AD MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors.--- Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards.-
-For administrator and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users.
-
-If legacy password-based authentication is still used for Azure AD authentication, please be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Azure AD provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (such as branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts.
-
-Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, you should change them during initial service setup.
--- [How to enable MFA in Azure](../../active-directory/authentication/howto-mfa-getstarted.md)--- [Introduction to passwordless authentication options for Azure Active Directory](../../active-directory/authentication/concept-authentication-passwordless.md)--- [Azure AD default password policy](../../active-directory/authentication/concept-sspr-policy.md#password-policies-that-only-apply-to-cloud-user-accounts)--- [Eliminate bad passwords using Azure AD Password Protection](../../active-directory/authentication/concept-password-ban-bad.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture)--- [Identity and key management](/azure/cloud-adoption-framework/organize/cloud-security-identity-keys)--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)-
-## IM-5: Monitor and alert on account anomalies
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-5 | 4.8, 4.9, 16.12, 16.13 | AC-2, AC-3, AC-7, AU-6 |
-
-Azure AD provides the following data sources:
-- Sign-ins ΓÇô The sign-ins report provides information about the usage of managed applications and user sign-in activities.--- Audit logs - Provides traceability through logs for all changes made through various features in Azure AD. Examples of logged changes audit logs include adding or removing users, apps, groups, roles, and policies.--- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.--- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.-
-These data sources can be integrated with Azure Monitor, Azure Sentinel or third-party SIEM systems.
-
-Azure Security Center can also alert on certain suspicious activities such as an excessive number of failed authentication attempts, and deprecated accounts in the subscription.
-
-Azure Advanced Threat Protection (ATP) is a security solution that can use on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.
--- [Audit activity reports in Azure AD](../../active-directory/reports-monitoring/concept-audit-logs.md)--- [How to view Azure AD risky sign-ins](../../active-directory/identity-protection/overview-identity-protection.md)--- [How to identify Azure AD users flagged for risky activity](../../active-directory/identity-protection/overview-identity-protection.md)--- [How to monitor users' identity and access activity in Azure Security Center](../../security-center/security-center-identity-access.md)--- [Alerts in Azure Security Center's threat intelligence protection module](../../security-center/alerts-reference.md)--- [How to integrate Azure activity logs into Azure Monitor](../../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)--- [Connect data from Azure AD Identity Protection](../../sentinel/connect-azure-ad-identity-protection.md)--- [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)-
-## IM-6: Restrict Azure resource access based on conditions
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-6 | N/A | AC-2, AC-3 |
-
-Use Azure AD conditional access for more granular access control based on user-defined conditions, such as requiring user logins from certain IP ranges to use MFA. A granular authentication session management can also be used through Azure AD conditional access policy for different use cases.
--- [Azure Conditional Access overview](../../active-directory/conditional-access/overview.md)--- [Common Conditional Access policies](../../active-directory/conditional-access/concept-conditional-access-policy-common.md)--- [Configure authentication session management with Conditional Access](../../active-directory/conditional-access/howto-conditional-access-session-lifetime.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Identity and key management](/azure/cloud-adoption-framework/organize/cloud-security-identity-keys)--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)-
-## IM-7: Eliminate unintended credential exposure
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-7 | 18.1, 18.7 | IA-5 |
-
-Implement Azure DevOps Credential Scanner to identify credentials within the code. Credential Scanner also encourages moving discovered credentials to more secure locations such as Azure Key Vault.
-
-For GitHub, you can use the native secret scanning feature to identify credentials or other form of secrets within the code.
--- [How to setup Credential Scanner](https://secdevtools.azurewebsites.net/helpcredscan.html)--- [GitHub secret scanning](https://docs.github.com/github/administering-a-repository/about-secret-scanning)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)--- [Posture management](/azure/cloud-adoption-framework/organize/cloud-security-posture-management)-
-## IM-8: Secure user access to legacy applications
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IM-8 | 14.6 | AC-2, AC-3, SC-11 |
-
-Ensure you have modern access controls and session monitoring for legacy applications and the data they store and process. While VPNs are commonly used to access legacy applications, they often have only basic access control and limited session monitoring.
-
-Azure AD Application Proxy enables you to publish legacy on-premises applications to remote users with single sign-on (SSO) while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access.
-
-Alternatively, Microsoft Cloud App Security is a cloud access security broker (CASB) service that can provide controls for monitoring a user's application sessions and blocking actions (for both legacy on-premises applications and cloud software as a service (SaaS) applications).
--- [Azure AD Application Proxy](../../active-directory/manage-apps/application-proxy.md#what-is-application-proxy)--- [Microsoft Cloud App Security best practices](/cloud-app-security/best-practices)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security architecture](/azure/cloud-adoption-framework/organize/cloud-security-architecture) --- [Infrastructure and endpoint security](/azure/cloud-adoption-framework/organize/cloud-security-architecture)--- [Application security and DevSecOps](/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops)
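Review bot: This region deletes the Identity Management controls IM-4 through IM-8 outright, with no `+` counterpart anywhere in these lines, so inbound links to the old file path will break unless the same commit adds a redirect for it. If the content is being recreated elsewhere, carry two fixes along with it rather than copying the removed text verbatim: in the final stakeholder list the `Infrastructure and endpoint security` link points at `/azure/cloud-adoption-framework/organize/cloud-security-architecture`, the same target as the `Security architecture` link beside it, and every control table pairs a three-column header (`| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |`) with a four-column separator row (`|--|--|--|--|`), which renders an empty trailing column.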
security Security Controls V2 Incident Response https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/benchmarks/security-controls-v2-incident-response.md
- Title: Azure Security Benchmark V2 - Incident Response
-description: Azure Security Benchmark V2 Incident Response
--- Previously updated : 02/22/2021-----
-# Security Control V2: Incident Response
-
-Incident Response covers controls in the incident response life cycle - preparation, detection and analysis, containment, and post-incident activities. This includes using Azure services such as Azure Security Center and Sentinel to automate the incident response process.
-
-To see the applicable built-in Azure Policy, see [Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Incident Response](../../governance/policy/samples/azure-security-benchmark.md#incident-response)
-
-## IR-1: Preparation ΓÇô update incident response process for Azure
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IR-1 | 19 | IR-4, IR-8 |
-
-Ensure your organization has processes to respond to security incidents, has updated these processes for Azure, and is regularly exercising them to ensure readiness.
--- [Implement security across the enterprise environment](/azure/cloud-adoption-framework/security/security-top-10#3-process-assign-accountability-for-cloud-security-decisions)--- [Incident response reference guide](/microsoft-365/downloads/IR-Reference-Guide.pdf)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security operations](/azure/cloud-adoption-framework/organize/cloud-security-operations-center)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)-
-## IR-2: Preparation ΓÇô setup incident notification
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IR-2 | 19.5 | IR-4, IR-5, IR-6, IR-8 |
-
-Set up security incident contact information in Azure Security Center. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alert and notification in different Azure services based on your incident response needs.
--- [How to set the Azure Security Center security contact](../../security-center/security-center-provide-security-contact-details.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security operations](/azure/cloud-adoption-framework/organize/cloud-security-operations-center)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)-
-## IR-3: Detection and analysis ΓÇô create incidents based on high quality alerts
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IR-3 | 19.6 | IR-4, IR-5 |
-
-Ensure you have a process to create high quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.
-
-High quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.
-
-Azure Security Center provides high quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.
-
-Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
--- [How to configure export](../../security-center/continuous-export.md)--- [How to stream alerts into Azure Sentinel](../../sentinel/connect-azure-security-center.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security operations](/azure/cloud-adoption-framework/organize/cloud-security-operations-center)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)-
-## IR-4: Detection and analysis ΓÇô investigate an incident
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IR-4 | 19 | IR-4 |
-
-Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.
-
-The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:
--- Network data ΓÇô use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information. --- Snapshots of running systems: -
- - Use Azure virtual machine's snapshot capability to create a snapshot of the running system's disk.
-
- - Use the operating system's native memory dump capability to create a snapshot of the running system's memory.
-
- - Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.
-
-Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.
--- [Snapshot a Windows machine's disk](../../virtual-machines/windows/snapshot-copy-managed-disk.md)--- [Snapshot a Linux machine's disk](../../virtual-machines/linux/snapshot-copy-managed-disk.md)--- [Microsoft Azure Support diagnostic information and memory dump collection](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/) --- [Investigate incidents with Azure Sentinel](../../sentinel/tutorial-investigate-cases.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security operations](/azure/cloud-adoption-framework/organize/cloud-security-operations-center)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)-
-## IR-5: Detection and analysis ΓÇô prioritize incidents
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
-|--|--|--|--|
-| IR-5 | 19.8 | CA-2, IR-4 |
-
-Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.
-
-Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.
-
-Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
--- [Security alerts in Azure Security Center](../../security-center/security-center-alerts-overview.md)--- [Use tags to organize your Azure resources](../../azure-resource-manager/management/tag-resources.md)-
-**Responsibility**: Customer
-
-**Customer Security Stakeholders** ([Learn more](/azure/cloud-adoption-framework/organize/cloud-security#security-functions)):
--- [Security operations](/azure/cloud-adoption-framework/organize/cloud-security-operations-center)--- [Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)--- [Threat intelligence](/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence)-
-## IR-6: Containment, eradication and recovery ΓÇô automate the incident handling
-
-| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |