Updates from: 04/16/2021 03:14:43
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Deploy Custom Policies Devops https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/deploy-custom-policies-devops.md
There are three primary steps required for enabling Azure Pipelines to manage cu
1. Configure an Azure Pipeline > [!IMPORTANT]
-> Managing Azure AD B2C custom policies with an Azure Pipeline currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=.%2fref%2ftoc.json&view=graph-rest-beta).
+> Managing Azure AD B2C custom policies with an Azure Pipeline currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=.%2fref%2ftoc.json&view=graph-rest-beta&preserve-view=true).
## Prerequisites
active-directory-b2c Microsoft Graph Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/microsoft-graph-operations.md
For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
## Conditional Access -- [List all of the Conditional Access policies](/graph/api/conditionalaccessroot-list-policies?view=graph-rest-beta&tabs=http)
+- [List all of the Conditional Access policies](/graph/api/conditionalaccessroot-list-policies?tabs=http)
- [Read properties and relationships of a Conditional Access policy](/graph/api/conditionalaccesspolicy-get) - [Create a new Conditional Access policy](/graph/api/resources/application) - [Update a Conditional Access policy](/graph/api/conditionalaccesspolicy-update)
active-directory-b2c User Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/user-overview.md
You can invite external users to your tenant as a guest user. A typical scenario
When you invite a guest user to your tenant, you provide the email address of the recipient and a message describing the invitation. The invitation link takes the user to the consent page. If an inbox isn't attached to the email address, the user can navigate to the consent page by going to a Microsoft page using the invited credentials. The user is then forced to redeem the invitation the same way as clicking on the link in the email. For example: `https://myapps.microsoft.com/B2CTENANTNAME`.
-You can also use the [Microsoft Graph API](/graph/api/invitation-post?view=graph-rest-beta) to invite a guest user.
+You can also use the [Microsoft Graph API](/graph/api/invitation-post) to invite a guest user.
## Consumer user
active-directory Application Provisioning When Will Provisioning Finish Specific User https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md
When you first configure automatic provisioning, the **Current Status** section
- The type of provisioning cycle (initial or incremental) that is currently running or was last completed. - A **progress bar** showing the percentage of the provisioning cycle that has completed. The percentage reflects the count of pages provisioned. Note that each page could contain multiple users or groups, so the percentage doesn't directly correlate to the number of users, groups, or roles provisioned. - A **Refresh** button you can use to keep the view updated.-- The number of **Users** and **Groups** in the connector data store. The count increases anytime an object is added to the scope of provisioning. The count will not go down if a user is soft-deleted or hard-deleted as this does not remove the object from the connector data store. The count will be recalculated the first sync after the CDS is [reset](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta)
+- The number of **Users** and **Groups** in the connector data store. The count increases anytime an object is added to the scope of provisioning. The count will not go down if a user is soft-deleted or hard-deleted as this does not remove the object from the connector data store. The count will be recalculated the first sync after the CDS is [reset](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true)
- A **View Audit Logs** link, which opens the Azure AD provisioning logs for details about all operations run by the user provisioning service, including provisioning status for individual users (see the [Use provisioning logs](#use-provisioning-logs-to-check-a-users-provisioning-status) section below). After a provisioning cycle is complete, the **Statistics to date** section shows the cumulative numbers of users and groups that have been provisioned to date, along with the completion date and duration of the last cycle. The **Activity ID** uniquely identifies the most recent provisioning cycle. The **Job ID** is a unique identifier for the provisioning job, and is specific to the app in your tenant.
active-directory Scim Graph Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/scim-graph-scenarios.md
My application creates information about a user that customers need in Azure AD.
## Related articles -- [Review the synchronization Microsoft Graph documentation](/graph/api/resources/synchronization-overview?view=graph-rest-beta)
+- [Review the synchronization Microsoft Graph documentation](/graph/api/resources/synchronization-overview)
- [Integrating a custom SCIM app with Azure AD](use-scim-to-provision-users-and-groups.md)
active-directory Concept Authentication Authenticator App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-authenticator-app.md
Users may have a combination of up to five OATH hardware tokens or authenticator
To get started with passwordless sign-in, see [Enable passwordless sign-in with the Microsoft Authenticator app](howto-authentication-passwordless-phone.md).
-Learn more about configuring authentication methods using the [Microsoft Graph REST API beta](/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta).
+Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
active-directory Concept Authentication Methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-methods.md
The following table outlines when an authentication method can be used during a
| Voice call | No | MFA and SSPR | | Password | Yes | |
-All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API beta](/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta).
+All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
To learn more about how each authentication method works, see the following separate conceptual articles:
To learn more about SSPR concepts, see [How Azure AD self-service password reset
To learn more about MFA concepts, see [How Azure AD Multi-Factor Authentication works][concept-mfa].
-Learn more about configuring authentication methods using the [Microsoft Graph REST API beta](/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta).
+Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
To review what authentication methods are in use, see [Azure AD Multi-Factor Authentication authentication method analysis with PowerShell](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/).
active-directory Concept Authentication Oath Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-oath-tokens.md
Users may have a combination of up to five OATH hardware tokens or authenticator
## Next steps
-Learn more about configuring authentication methods using the [Microsoft Graph REST API beta](/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta).
+Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
active-directory Concept Authentication Security Questions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-security-questions.md
To get started, see the [tutorial for self-service password reset (SSPR)][tutori
To learn more about SSPR concepts, see [How Azure AD self-service password reset works][concept-sspr].
-Learn more about configuring authentication methods using the [Microsoft Graph REST API beta](/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta).
+Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
<!-- INTERNAL LINKS --> [tutorial-sspr]: tutorial-enable-sspr.md
active-directory Concept Sspr Writeback https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-sspr-writeback.md
Passwords are written back in all the following situations:
* Any administrator self-service force change password operation, for example, password expiration. * Any administrator self-service password reset that originates from the [password reset portal](https://passwordreset.microsoftonline.com). * Any administrator-initiated end-user password reset from the [Azure portal](https://portal.azure.com).
- * Any administrator-initiated end-user password reset from the [Microsoft Graph API beta](/graph/api/passwordauthenticationmethod-resetpassword?tabs=http&view=graph-rest-beta).
+ * Any administrator-initiated end-user password reset from the [Microsoft Graph API](/graph/api/passwordauthenticationmethod-resetpassword?tabs=http).
## Unsupported writeback operations
Passwords aren't written back in any of the following situations:
* **Unsupported end-user operations** * Any end user resetting their own password by using PowerShell version 1, version 2, or the Microsoft Graph API. * **Unsupported administrator operations**
- * Any administrator-initiated end-user password reset from PowerShell version 1, version 2, or the Microsoft Graph API (the [Microsoft Graph API beta](/graph/api/passwordauthenticationmethod-resetpassword?tabs=http&view=graph-rest-beta) is supported).
+ * Any administrator-initiated end-user password reset from PowerShell version 1, version 2, or the Microsoft Graph API (the [Microsoft Graph API](/graph/api/passwordauthenticationmethod-resetpassword?tabs=http) is supported).
* Any administrator-initiated end-user password reset from the [Microsoft 365 admin center](https://admin.microsoft.com). * Any administrator cannot use password reset tool to reset their own password for password writeback.
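Review bot: The reworded bullet under **Unsupported administrator operations** now contradicts itself: it lists "the Microsoft Graph API" as an unsupported path and then says "(the Microsoft Graph API is supported)" in the same sentence. Removing the word "beta" took away the only distinction between the two. Either drop Microsoft Graph from this unsupported bullet, since the supported list earlier in the file already names it, or state which Graph operation or version remains unsupported. Administrators use this list to decide whether a reset will reach the on-premises directory, so the line needs to be unambiguous.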
active-directory Howto Authentication Methods Activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-methods-activity.md
The registration details report shows the following information for each user:
## Next steps -- [Working with the authentication methods usage report API](/graph/api/resources/authenticationmethods-usage-insights-overview?view=graph-rest-beta)
+- [Working with the authentication methods usage report API](/graph/api/resources/authenticationmethods-usage-insights-overview)
- [Choosing authentication methods for your organization](concept-authentication-methods.md) - [Combined registration experience](concept-registration-mfa-sspr-combined.md)
active-directory Howto Authentication Sms Signin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-sms-signin.md
If you receive an error when you try to set a phone number for a user account in
For additional ways to sign in to Azure AD without a password, such as the Microsoft Authenticator App or FIDO2 security keys, see [Passwordless authentication options for Azure AD][concepts-passwordless].
-You can also use the Microsoft Graph REST API beta to [enable][rest-enable] or [disable][rest-disable] SMS-based sign-in.
+You can also use the Microsoft Graph REST API to [enable][rest-enable] or [disable][rest-disable] SMS-based sign-in.
<!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../fundamentals/sign-up-organization.md
You can also use the Microsoft Graph REST API beta to [enable][rest-enable] or [
[concepts-passwordless]: concept-authentication-passwordless.md [tutorial-azure-mfa]: tutorial-enable-azure-mfa.md [tutorial-sspr]: tutorial-enable-sspr.md
-[rest-enable]: /graph/api/phoneauthenticationmethod-enablesmssignin?view=graph-rest-beta&tabs=http
-[rest-disable]: /graph/api/phoneauthenticationmethod-disablesmssignin?view=graph-rest-beta&tabs=http
+[rest-enable]: /graph/api/phoneauthenticationmethod-enablesmssignin?tabs=http
+[rest-disable]: /graph/api/phoneauthenticationmethod-disablesmssignin?tabs=http
<!-- EXTERNAL LINKS --> [azure-portal]: https://portal.azure.com
active-directory Active Directory Acs Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/azuread-dev/active-directory-acs-migration.md
Each Microsoft cloud service that accepts tokens that are issued by Access Contr
| Azure DataMarket | [Migrate to the Cognitive Services APIs](https://azure.microsoft.com/services/cognitive-services/) | | BizTalk Services | [Migrate to the Logic Apps feature of Azure App Service](https://azure.microsoft.com/services/cognitive-services/) | | Azure Media Services | [Migrate to Azure AD authentication](https://azure.microsoft.com/blog/azure-media-service-aad-auth-and-acs-deprecation/) |
-| Azure Backup | [Upgrade the Azure Backup agent](../../backup/backup-azure-file-folder-backup-faq.md) |
+| Azure Backup | [Upgrade the Azure Backup agent](../../backup/backup-azure-file-folder-backup-faq.yml) |
<!-- Dynamics CRM: Migrate to new SDK, Dynamics team handling privately --> <!-- Azure RemoteApp deprecated in favor of Citrix: https://www.zdnet.com/article/microsoft-to-drop-azure-remoteapp-in-favor-of-citrix-remoting-technologies/ -->
active-directory How To Inbound Synch Ms Graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-inbound-synch-ms-graph.md
The following document describes how to replicate a synchronization profile from scratch using only MSGraph APIs. The structure of how to do this consists of the following steps. They are: -- [Basic setup](#basic-setup)-- [Create Service Principals](#create-service-principals)-- [Create Sync Job](#create-sync-job)-- [Update targeted domain](#update-targeted-domain)-- [Enable sync password hashes](#enable-sync-password-hashes-on-configuration-blade)-- [Accidental deletes](#accidental-deletes)-- [Start sync job](#start-sync-job)-- [Review status](#review-status)
+- [How to programmatically configure cloud sync using MS Graph API](#how-to-programmatically-configure-cloud-sync-using-ms-graph-api)
+ - [Basic setup](#basic-setup)
+ - [Enable tenant flags](#enable-tenant-flags)
+ - [Create service principals](#create-service-principals)
+ - [Create sync job](#create-sync-job)
+ - [Update targeted domain](#update-targeted-domain)
+ - [Enable Sync password hashes on configuration blade](#enable-sync-password-hashes-on-configuration-blade)
+ - [Accidental deletes](#accidental-deletes)
+ - [Enabling and setting the threshold](#enabling-and-setting-the-threshold)
+ - [Allowing deletes](#allowing-deletes)
+ - [Start sync job](#start-sync-job)
+ - [Review status](#review-status)
+ - [Next steps](#next-steps)
Use these [Microsoft Azure Active Directory Module for Windows PowerShell](/powershell/module/msonline/) commands to enable synchronization for a production tenant, a pre-requisite for being able to call the Administration Web Service for that tenant.
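Review bot: The unchanged lead-in still says the procedure "consists of the following steps", but the new list opens with a link to the article's own title anchor and ends with "Next steps", neither of which is a step. Remove the top-level self-link and the "Next steps" entry so that the list holds only the procedure, or reword the lead-in to introduce a table of contents. The nested "Enabling and setting the threshold" and "Allowing deletes" entries under "Accidental deletes" are a useful addition and can stay as they are.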
Use these [Microsoft Azure Active Directory Module for Windows PowerShell](/powe
The first of those two commands, require Azure Active Directory credentials. These commandlets implicitly identify the tenant and enable it for synchronization. ## Create service principals
-Next, we need to create the [AD2AAD application/ service principal](/graph/api/applicationtemplate-instantiate?view=graph-rest-beta&tabs=http)
+Next, we need to create the [AD2AAD application/ service principal](/graph/api/applicationtemplate-instantiate?view=graph-rest-beta&tabs=http&preserve-view=true)
You need to use this application ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD domain url, if used in the portal (for example, contoso.com), but it may be named something else.
You need to use this application ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The di
## Create sync job The output of the above command will return the objectId of the service principal that was created. For this example, the objectId is 614ac0e9-a59b-481f-bd8f-79a73d167e1c. Use Microsoft Graph to add a synchronizationJob to that service principal.
-Documentation for creating a sync job can be found [here](/graph/api/synchronization-synchronizationjob-post?tabs=http&view=graph-rest-beta).
+Documentation for creating a sync job can be found [here](/graph/api/synchronization-synchronizationjob-post?tabs=http&view=graph-rest-beta&preserve-view=true).
If you did not record the ID above, you can find the service principal by running the following MS Graph call. You'll need Directory.Read.All permissions to make that call:
The job can be retrieved again via the following command:
`GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ `
-Documentation for retrieving jobs can be found [here](/graph/api/synchronization-synchronizationjob-list?tabs=http&view=graph-rest-beta).
+Documentation for retrieving jobs can be found [here](/graph/api/synchronization-synchronizationjob-list?tabs=http&view=graph-rest-beta&preserve-view=true).
To start the job, issue this request, using the objectId of the service principal created in the first step, and the job identifier returned from the request that created the job.
-Documentation for how to start a job can be found [here](/graph/api/synchronization-synchronizationjob-start?tabs=http&view=graph-rest-beta).
+Documentation for how to start a job can be found [here](/graph/api/synchronization-synchronizationjob-start?tabs=http&view=graph-rest-beta&preserve-view=true).
``` POST https://graph.microsoft.com/beta/servicePrincipals/8895955e-2e6c-4d79-8943-4d72ca36878f/synchronization/jobs/AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da/start
Documentation for how to start a job can be found [here](/graph/api/synchronizat
The expected response is … HTTP 204/No content.
-Other commands for controlling the job are documented [here](/graph/api/resources/synchronization-synchronizationjob?view=graph-rest-beta).
+Other commands for controlling the job are documented [here](/graph/api/resources/synchronization-synchronizationjob?view=graph-rest-beta&preserve-view=true).
To restart a job, one would use …
Look under the 'status' section of the return object for relevant details
- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md) - [Transformations](how-to-transformation.md)-- [Azure AD Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta)
+- [Azure AD Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)
active-directory How To Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-troubleshoot.md
Use the Azure portal to restart the provisioning job. On the agent configuration
![Restart provisioning](media/how-to-troubleshoot/quarantine-3.png) -- Use Microsoft Graph to [restart the provisioning job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta). You'll have full control over what you restart. You can choose to clear:
+- Use Microsoft Graph to [restart the provisioning job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true). You'll have full control over what you restart. You can choose to clear:
- Escrows, to restart the escrow counter that accrues toward quarantine status. - Quarantine, to remove the application from quarantine. - Watermarks.
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-grant.md
Previously updated : 03/17/2021 Last updated : 03/29/2021
The following client apps have been confirmed to support this setting:
- Microsoft Cortana - Microsoft Edge - Microsoft Excel
+- Microsoft Lists (iOS)
- Microsoft Office - Microsoft OneDrive - Microsoft OneNote
active-directory Location Condition https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/location-condition.md
When a cloud proxy is in place, a policy that is used to require a hybrid Azure
### API support and PowerShell
-A preview version of the Graph API for named locations is available, for more information see the [namedLocation API](/graph/api/resources/namedlocation?view=graph-rest-beta).
+A preview version of the Graph API for named locations is available, for more information see the [namedLocation API](/graph/api/resources/namedlocation).
> [!NOTE] > Named locations that you create by using PowerShell display only in Named locations (preview). You can't see named locations in the old view.
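Review bot: The sentence still describes "A preview version of the Graph API for named locations", but the link no longer carries `view=graph-rest-beta`, so the text and the link target now disagree on the API's status. If the API has moved out of preview, remove "preview version" from the sentence. If it is still preview only, keep the beta view on the link and add `&preserve-view=true`, as other files in this batch do.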
active-directory Terms Of Use https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/terms-of-use.md
Azure AD terms of use policies have the following capabilities:
- List who has or hasn't accepted to your terms of use policies. - Assist in meeting privacy regulations. - Display a log of terms of use policy activity for compliance and audit.-- Create and manage terms of use policies using [Microsoft Graph APIs](/graph/api/resources/agreement?view=graph-rest-beta) (currently in preview).
+- Create and manage terms of use policies using [Microsoft Graph APIs](/graph/api/resources/agreement) (currently in preview).
## Prerequisites
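Review bot: The last capability bullet keeps "(currently in preview)" while its link drops `view=graph-rest-beta`. Either remove the preview qualifier or keep the link pinned to the beta reference with `&preserve-view=true`, so that the stated status and the linked reference match.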
active-directory Active Directory How Applications Are Added https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-how-applications-are-added.md
Applications that you add yourself (represented as **App (yours)** in the diagra
* Attribute mappings (User provisioning) * For more detailed information on the service principal and application objects, see the Microsoft Graph API reference documentation: * [Application](/graph/api/resources/application)
- * [Service Principal](/graph/api/resources/serviceprincipal?view=graph-rest-beta)
+ * [Service Principal](/graph/api/resources/serviceprincipal)
## Why do applications integrate with Azure AD?
active-directory Developer Glossary https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/developer-glossary.md
Use the following comments section to provide feedback and help to refine and sh
[AAD-Dev-Guide]:azure-ad-developers-guide.md [Graph-Perm-Scopes]: /graph/permissions-reference [Graph-App-Resource]: /graph/api/resources/application
-[Graph-Sp-Resource]: /graph/api/resources/serviceprincipal?view=graph-rest-beta&preserve-view=true
+[Graph-Sp-Resource]: /graph/api/resources/serviceprincipal
[Graph-User-Resource]: /graph/api/resources/user [AAD-How-Subscriptions-Assoc]:../fundamentals/active-directory-how-subscriptions-associated-directory.md [AAD-How-To-Integrate]: ./active-directory-how-to-integrate.md
active-directory Id Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/id-tokens.md
description: Learn how to use id_tokens emitted by the Azure AD v1.0 and Microso
-
Last updated 04/02/2021 --+
+ - aaddev
+ - identityplatformtop40
+ - fasttrack-edit
# Microsoft identity platform ID tokens
active-directory Microsoft Graph Intro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/microsoft-graph-intro.md
Microsoft Graph exposes REST APIs and client libraries to access data on the fol
Microsoft Graph currently supports two versions: v1.0 and beta. The v1.0 version includes generally available APIs. Use the v1.0 version for all production apps. The beta includes APIs that are currently in preview. Because we might introduce breaking changes to our beta APIs, we recommend that you use the beta version only to test apps that are in development; do not use beta APIs in your production apps. For more information, see [Versioning, support, and breaking change policies for Microsoft Graph](/graph/versioning-and-support).
-To start using the beta APIs, see [Microsoft Graph beta endpoint reference](/graph/api/overview?view=graph-rest-beta)
+To start using the beta APIs, see [Microsoft Graph beta endpoint reference](/graph/api/overview?view=graph-rest-beta&preserve-view=true)
-To start using the v1.0 APIs, see [Microsoft Graph REST API v1.0 reference](/graph/api/overview)
+To start using the v1.0 APIs, see [Microsoft Graph REST API v1.0 reference](/graph/api/overview?view=graph-rest-1.0&preserve-view=true)
## Get started
When you complete the quickstart, you have an app that's ready to run. For more
Microsoft Graph Explorer is a web-based tool that you can use to build and test requests using Microsoft Graph APIs. You can access Microsoft Graph Explorer at: `https://developer.microsoft.com/graph/graph-explorer`.
-Postman is a tool that you can also use to build and test requests using the Microsoft Graph APIs. You can download Postman at: `https://www.getpostman.com/`. To interact with Microsoft Graph in Postman, you use the Microsoft Graph collection in Postman. For more information, see [Use Postman with the Microsoft Graph API](/graph/use-postman?context=graph%2Fapi%2Fbeta&view=graph-rest-beta).
+Postman is a tool that you can also use to build and test requests using the Microsoft Graph APIs. You can download Postman at: `https://www.getpostman.com/`. To interact with Microsoft Graph in Postman, you use the Microsoft Graph collection in Postman. For more information, see [Use Postman with the Microsoft Graph API](/graph/use-postman).
active-directory V2 Oauth2 On Behalf Of Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
This is a non-standard extension to the OAuth 2.0 On-Behalf-Of flow that allows
> [!TIP] > When you call a SAML-protected web service from a front-end web application, you can simply call the API and initiate a normal interactive authentication flow with the user's existing session. You only need to use an OBO flow when a service-to-service call requires a SAML token to provide user context.
+
+ ### Obtain a SAML token by using an OBO request with a shared secret
+
+A service-to-service request for a SAML assertion contains the following parameters:
+
+| Parameter | Type | Description |
+| | | |
+| grant_type |required | The type of the token request. For a request that uses a JWT, the value must be **urn:ietf:params:oauth:grant-type:jwt-bearer**. |
+| assertion |required | The value of the access token used in the request.|
+| client_id |required | The app ID assigned to the calling service during registration with Azure AD. To find the app ID in the Azure portal, select **Active Directory**, choose the directory, and then select the application name. |
+| client_secret |required | The key registered for the calling service in Azure AD. This value should have been noted at the time of registration. |
+| resource |required | The app ID URI of the receiving service (secured resource). This is the resource that will be the Audience of the SAML token. To find the app ID URI in the Azure portal, select **Active Directory** and choose the directory. Select the application name, choose **All settings**, and then select **Properties**. |
+| requested_token_use |required | Specifies how the request should be processed. In the On-Behalf-Of flow, the value must be **on_behalf_of**. |
+| requested_token_type | required | Specifies the type of token requested. The value can be **urn:ietf:params:oauth:token-type:saml2** or **urn:ietf:params:oauth:token-type:saml1** depending on the requirements of the accessed resource. |
+
+The response contains a SAML token encoded in UTF8 and Base64url.
+
+- **SubjectConfirmationData for a SAML assertion sourced from an OBO call**: If the target application requires a recipient value in **SubjectConfirmationData**, then the value must be a non-wildcard Reply URL in the resource application configuration.
+- **The SubjectConfirmationData node**: The node can't contain an **InResponseTo** attribute since it's not part of a SAML response. The application receiving the SAML token must be able to accept the SAML assertion without an **InResponseTo** attribute.
+
+- **Consent**: Consent must have been granted to receive a SAML token containing user data on an OAuth flow. For information on permissions and obtaining administrator consent, see [Permissions and consent in the Azure Active Directory v1.0 endpoint](https://docs.microsoft.com/azure/active-directory/azuread-dev/v1-permissions-consent).
+
+### Response with SAML assertion
+
+| Parameter | Description |
+| | |
+| token_type |Indicates the token type value. The only type that Azure AD supports is **Bearer**. For more information about bearer tokens, see [OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). |
+| scope |The scope of access granted in the token. |
+| expires_in |The length of time the access token is valid (in seconds). |
+| expires_on |The time when the access token expires. The date is represented as the number of seconds from 1970-01-01T0:0:0Z UTC until the expiration time. This value is used to determine the lifetime of cached tokens. |
+| resource |The app ID URI of the receiving service (secured resource). |
+| access_token |The parameter that returns the SAML assertion. |
+| refresh_token |The refresh token. The calling service can use this token to request another access token after the current SAML assertion expires. |
+
+- token_type: Bearer
+- expires_in: 3296
+- ext_expires_in: 0
+- expires_on: 1529627844
+- resource: `https://api.contoso.com`
+- access_token: \<SAML assertion\>
+- issued_token_type: urn:ietf:params:oauth:token-type:saml2
+- refresh_token: \<Refresh token\>
+ ## Gaining consent for the middle-tier application
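Review bot: The **Consent** bullet in this added section sends readers to "Permissions and consent in the Azure Active Directory v1.0 endpoint" through an absolute `https://docs.microsoft.com/...` URL, although this file documents the v2 On-Behalf-Of flow; link to the v2 permissions and consent article with a relative path, or say explicitly why the v1.0 guidance applies here. The sample response also lists `ext_expires_in` and `issued_token_type`, which the response table does not describe, while the table describes `scope`, which the sample omits, so the two should be brought into agreement. The three notes on **SubjectConfirmationData** and consent follow the request table with no lead-in sentence, and the request table's "Type" column holds only "required", so "Required" would be the clearer header. Both tables are also missing the dashes in their separator rows (`| | | |`) and will not render as tables.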
active-directory V2 Permissions And Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-permissions-and-consent.md
Previously updated : 09/23/2020 Last updated : 04/14/2021
Because of these types of permission definitions, the resource has fine-grained
When a resource's functionality is chunked into small permission sets, third-party apps can be built to request only the permissions that they need to perform their function. Users and administrators can know what data the app can access. And they can be more confident that the app isn't behaving with malicious intent. Developers should always abide by the principle of least privilege, asking for only the permissions they need for their applications to function.
-In OAuth 2.0, these types of permission sets are called *scopes*. They're also often referred to as *permissions*. In the Microsoft identity platform, a permission is represented as a string value. For the Microsoft Graph example, here's the string value for each permission:
-
-* Read a user's calendar by using `Calendars.Read`
-* Write to a user's calendar by using `Calendars.ReadWrite`
-* Send mail as a user using by `Mail.Send`
+In OAuth 2.0, these types of permission sets are called *scopes*. They're also often referred to as *permissions*. In the Microsoft identity platform, a permission is represented as a string value. An app requests the permissions it needs by specifying the permission in the `scope` query parameter. Identity platform supports several well-defined [OpenID Connect scopes](#openid-connect-scopes) as well as resource-based permissions (each permission is indicated by appending the permission value to the resource's identifier or application ID URI). For example, the permission string `https://graph.microsoft.com/Calendars.Read` is used to request permission to read users calendars in Microsoft Graph.
An app most commonly requests these permissions by specifying the scopes in requests to the Microsoft identity platform authorize endpoint. However, some high-privilege permissions can be granted only through administrator consent. They can be requested or granted by using the [administrator consent endpoint](#admin-restricted-permissions). Keep reading to learn more.
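Review bot: In the added paragraph, "read users calendars" needs the possessive ("users' calendars") and "Identity platform supports" needs an article or the full product name used in the sentence before it. The rewrite also drops the `Calendars.ReadWrite` and `Mail.Send` examples; keeping a short list would still show that read, write and send are separate permission strings, which is what the least-privilege advice in the preceding paragraph depends on. The new sentence "An app requests the permissions it needs by specifying the permission in the `scope` query parameter" now overlaps with the unchanged sentence that follows ("An app most commonly requests these permissions by specifying the scopes in requests ..."); merge the two.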
active-directory Assign Local Admin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/assign-local-admin.md
Starting with Windows 10 version 2004, you can use Azure AD groups to manage adm
Currently, there's no UI in Intune to manage these policies and they need to be configured using [Custom OMA-URI Settings](/mem/intune/configuration/custom-settings-windows-10). A few considerations for using either of these policies: -- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group?view=graph-rest-beta). The SID is defined by the property `securityIdentifier` in the API response.
+- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID is defined by the property `securityIdentifier` in the API response.
- When Restricted Groups policy is enforced, any current member of the group that is not on the Members list is removed. So enforcing this policy with new members or groups will remove the existing administrators namely user who joined the device, the Device administrator role and Global administrator role from the device. To avoid removing existing members, you need to configure them as part of the Members list in the Restricted Groups policy. This limitation is addressed if you use the Local Users and Groups policy that allows incremental updates to group membership - Administrator privileges using both policies are evaluated only for the following well-known groups on a Windows 10 device - Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users. - Managing local administrators using Azure AD groups is not applicable to Hybrid Azure AD joined or Azure AD Registered devices.
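Review bot: The Groups API link no longer pins `view=graph-rest-beta`, but the sentence still tells readers to take the SID from `securityIdentifier` in the API response. Confirm that the property is documented on the version the unpinned link resolves to; if it is documented only on beta, keep the pin and add `&preserve-view=true` as the other changes in this update do.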
active-directory Groups Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/groups-lifecycle.md
If the group you're restoring contains documents, SharePoint sites, or other per
## How to retrieve Microsoft 365 group expiration date
-In addition to Access Panel where users can view group details including expiration date and last renewed date, expiration date of an Microsoft 365 group can be retrieved from Microsoft Graph REST API Beta. expirationDateTime as a group property has been enabled in Microsoft Graph Beta. It can be retrieved with a GET request. For more details, please refer to [this example](/graph/api/group-get?view=graph-rest-beta#example).
+In addition to Access Panel where users can view group details including expiration date and last renewed date, expiration date of an Microsoft 365 group can be retrieved from Microsoft Graph REST API Beta. expirationDateTime as a group property has been enabled in Microsoft Graph Beta. It can be retrieved with a GET request. For more details, please refer to [this example](/graph/api/group-get?view=graph-rest-beta#example&preserve-view=true).
> [!NOTE] > In order to manage group memberships on Access Panel, "Restrict access to Groups in Access Panel" needs to be set to "No" in Azure Active Directory Groups General Setting.
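Review bot: In the changed link, `&preserve-view=true` is appended after the `#example` fragment, so it becomes part of the fragment instead of the query string and the anchor no longer matches. Put it before the fragment: `/graph/api/group-get?view=graph-rest-beta&preserve-view=true#example`. While this line is being touched, "an Microsoft 365 group" should be "a Microsoft 365 group".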
active-directory B2b Quickstart Add Guest Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md
Title: 'Quickstart: Add guest users in the Azure portal - Azure AD' description: Use this quickstart to learn how Azure AD admins can add B2B guest users in the Azure portal and walk through the B2B invitation workflow.- --- Previously updated : 08/05/2020-- +
-#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a guest user in the portal, and understand the end user experience.
- Last updated : 08/05/2020++++
+ - it-pro
+ - seo-update-azuread-jan
+ - mode-portal
+#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a guest user in the portal, and understand the end user experience.
# Quickstart: Add guest users to your directory in the Azure portal
active-directory B2b Quickstart Invite Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/b2b-quickstart-invite-powershell.md
- Title: 'Quickstart: Add a guest user with PowerShell - Azure AD' description: In this quickstart, you learn how to use PowerShell to send an invitation to an external Azure AD B2B collaboration user.- --- Previously updated : 08/28/2018-- + -
-# Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a user through PowerShell.
- Last updated : 08/28/2018++++
+ - it-pro
+ - seo-update-azuread-jan
+ - mode-api
+# Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a user through PowerShell.
# Quickstart: Add a guest user with PowerShell
active-directory One Time Passcode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/one-time-passcode.md
However, if you'd prefer to opt out of the feature and allow it to be automatica
## Note for Azure US Government customers
-The email one-time passcode feature is disabled by default in the Azure US Government cloud.
+The email one-time passcode feature is disabled by default in the Azure US Government cloud. Your partners will be unable to sign in unless this feature is enabled. Unlike the Azure public cloud, the Azure US Government cloud doesn't support redeeming invitations with self-service Azure Active Directory accounts.
![Email one-time passcode disabled](media/one-time-passcode/enable-email-otp-disabled.png)
To enable the email one-time passcode feature in Azure US Government cloud:
1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD global administrator. 2. In the navigation pane, select **Azure Active Directory**.
-3. Select **Organizational relationships**ΓÇ»>ΓÇ»**Settings**.
+3. Select **Organizational relationships**ΓÇ»>ΓÇ»**All identity providers**.
> [!NOTE] > - If you don't see **Organizational relationships**, search for "External IdentitiesΓÇ¥ in the search bar at the top.
To enable the email one-time passcode feature in Azure US Government cloud:
4. Select **Email one-time passcode**, and then select **Yes**. 5. Select **Save**.
-For more information about current limitations, see [Azure US Government clouds](current-limitations.md#azure-us-government-clouds).
+For more information about current limitations, see [Azure US Government clouds](current-limitations.md#azure-us-government-clouds).
active-directory Reset Redemption Status https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/reset-redemption-status.md
If a user wants to sign in using a different email:
3. Use one of the methods below to reset the user's redemption status. > [!NOTE]
->During public preview, when you're resetting the user's email address, we recommend setting the `mail` property to the new email address. This way the user can redeem the invitation by signing into your directory in addition to using the redemption link in the invitation.
+>During public preview, we have two recommendations:
+>- When you're resetting the user's email address to a new address, we recommend setting the `mail` property. This way the user can redeem the invitation by signing into your directory in addition to using the redemption link in the invitation.
+>- When you're resetting the status for a B2B guest user, be sure to do so under the user context. App-only calls are currently not supported.
> ## Use PowerShell to reset redemption status
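Review bot: The first bullet lost the value to set. The old text said to set the `mail` property "to the new email address"; the new text ends at "we recommend setting the `mail` property". Restore "to the new email address" so the instruction is complete on its own.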
New-AzureADMSInvitation -InvitedUserEmailAddress <<external email>> -SendInvitat
## Use Microsoft Graph API to reset redemption status
-Using the [Microsoft Graph invitation API](/graph/api/resources/invitation?view=graph-rest-1.0), set the `resetRedemption` property to `true` and specify the new email address in the `invitedUserEmailAddress` property.
+Using the [Microsoft Graph invitation API](/graph/api/resources/invitation?view=graph-rest-beta&preserve-view=true), set the `resetRedemption` property to `true` and specify the new email address in the `invitedUserEmailAddress` property.
```json POST https://graph.microsoft.com/beta/invitations
active-directory 6 Secure Access Entitlement Managment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/6-secure-access-entitlement-managment.md
For more information about access reviews, see [Planning an Azure AD Access Revi
You can perform [Entitlement Management functions by using Microsoft Graph](/graph/tutorial-access-package-api), including
-* [Manage access packages](/graph/api/resources/accesspackage?view=graph-rest-beta)
+* [Manage access packages](/graph/api/resources/accesspackage?view=graph-rest-beta&preserve-view=true)
-* [Manage access reviews](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta)
+* [Manage access reviews](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta&preserve-view=true)
-* [Manage connected organizations](/graph/api/resources/connectedorganization?view=graph-rest-beta)
+* [Manage connected organizations](/graph/api/resources/connectedorganization?view=graph-rest-beta&preserve-view=true)
-* [Manage Entitlement Management settings](/graph/api/resources/entitlementmanagementsettings?view=graph-rest-beta)
+* [Manage Entitlement Management settings](/graph/api/resources/entitlementmanagementsettings?view=graph-rest-beta&preserve-view=true)
## Recommendations
We recommend the practices to govern external access with Entitlement Management
* If you already have B2B users in your directory, you can also directly assign them to the appropriate access packages.
-* You can assign access in the [Azure portal](../governance/entitlement-management-access-package-assignments.md), or via [Microsoft Graph](/graph/api/resources/accesspackageassignmentrequest?view=graph-rest-beta).
+* You can assign access in the [Azure portal](../governance/entitlement-management-access-package-assignments.md), or via [Microsoft Graph](/graph/api/resources/accesspackageassignmentrequest?view=graph-rest-beta&preserve-view=true).
**Use your Identity Governance settings to remove users from your directory when their access packages expire**.
active-directory Active Directory Ops Guide Auth https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-ops-guide-auth.md
Having access to sign-in activity, audits and risk events for Azure AD is crucia
#### Logs recommended reading -- [Azure Active Directory audit API reference](/graph/api/resources/directoryaudit?view=graph-rest-beta)-- [Azure Active Directory sign-in activity report API reference](/graph/api/resources/signin?view=graph-rest-beta)
+- [Azure Active Directory audit API reference](/graph/api/resources/directoryaudit)
+- [Azure Active Directory sign-in activity report API reference](/graph/api/resources/signin)
- [Get data using the Azure AD Reporting API with certificates](../reports-monitoring/tutorial-access-api-with-certificates.md) - [Microsoft Graph for Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-graph-api.md) - [Office 365 Management Activity API reference](/office/office-365-management-api/office-365-management-activity-api-reference)
active-directory Active Directory Users Assign Role Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md
For more information about the available Azure AD roles, see [Assigning administ
A common way to assign Azure AD roles to a user is on the **Assigned roles** page for a user. You can also configure the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM). For more information about how to use PIM, see [Privileged Identity Management](../privileged-identity-management/index.yml).
+If a directory role is assigned to a guest user, the guest user will be granted with additional permissions that come with the role, including basic read permissions. See [Azure AD built-in roles](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference).
+ > [!Note] > If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the [Privileged Identity Management experience](../roles/manage-roles-portal.md). This feature is currently limited to assigning only one role at a time. You can't currently select multiple roles and assign them to a user all at once. >
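Review bot: The added sentence links to `https://docs.microsoft.com/azure/active-directory/roles/permissions-reference` as an absolute URL, while the same target is linked from a sibling article in this update as `../roles/permissions-reference.md`; use the relative form for consistency. "will be granted with additional permissions" reads better as "is granted the additional permissions", and since this sentence is the only guidance here on giving directory roles to guests, it would help to say which basic read permissions are meant or link directly to that section.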
If you need to remove the role assignment from a user, you can also do that from
- [Add guest users from another directory](../external-identities/what-is-b2b.md) Other user management tasks you can check out
-are available in [Azure Active Directory user management documentation](../enterprise-users/index.yml).
+are available in [Azure Active Directory user management documentation](../enterprise-users/index.yml).
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
Azure AD Connect Cloud Provisioning public preview refresh features two major en
When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.
-End users can [access their recovery keys via My Account](../user-help/my-account-portal-devices-page.md#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API in beta](/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta) or via the Azure AD Portal. To learn more, see [View or copy BitLocker keys in the Azure AD Portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
+End users can [access their recovery keys via My Account](../user-help/my-account-portal-devices-page.md#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API in beta](/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta&preserve-view=true) or via the Azure AD Portal. To learn more, see [View or copy BitLocker keys in the Azure AD Portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
To learn more about how to configure SAP SuccessFactors inbound provisioning to
**Service category:** B2C - Consumer Identity Management **Product capability:** B2B/B2C
-Previously, Custom Open ID Connect providers could only be added or managed through the Azure portal. Now the Azure AD B2C customers can add and manage them through Microsoft Graph APIs beta version as well. To learn how to configure this resource with APIs, see [identityProvider resource type](/graph/api/resources/identityprovider?view=graph-rest-beta).
+Previously, Custom Open ID Connect providers could only be added or managed through the Azure portal. Now the Azure AD B2C customers can add and manage them through Microsoft Graph APIs beta version as well. To learn how to configure this resource with APIs, see [identityProvider resource type](/graph/api/resources/identityprovider?view=graph-rest-beta&preserve-view=true).
Users in the Insights Administrator role can access the full set of administrati
**Service category:** Azure AD roles **Product capability:** Access Control
-Previously, only the Global Administrator could manage the [extension property](/graph/api/application-post-extensionproperty?view=graph-rest-beta&tabs=http). We're now enabling this capability for the Application Administrator and Cloud Application Administrator as well.
+Previously, only the Global Administrator could manage the [extension property](/graph/api/application-post-extensionproperty?view=graph-rest-beta&tabs=http&preserve-view=true). We're now enabling this capability for the Application Administrator and Cloud Application Administrator as well.
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
For more information about how to better secure your organization by using autom
**Service category:** MS Graph **Product capability:** B2B/B2C
-[MS Graph API for the Company Branding](https://docs.microsoft.com/graph/api/resources/organizationalbrandingproperties?view=graph-rest-1.0) is available for the Azure AD or Microsoft 365 login experience to allow the management of the branding parameters programmatically.
+[MS Graph API for the Company Branding](https://docs.microsoft.com/graph/api/resources/organizationalbrandingproperties) is available for the Azure AD or Microsoft 365 login experience to allow the management of the branding parameters programmatically.
Customers can now reinvite existing external guest users to reset their redempti
**Service category:** App Provisioning **Product capability:** Identity Lifecycle Management
-Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. Note this is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It is currently not supported for HR-provisioning (Workday / Successfactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta).
+Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. Note this is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It is currently not supported for HR-provisioning (Workday / Successfactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta&preserve-view=true).
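Review bot: The permission name is written as plain lowercase text, `application.readwrite.ownedby`; put it in code formatting with the casing used for other permission names in these articles (for example `EntitlementManagement.ReadWrite.All`), that is `Application.ReadWrite.OwnedBy`. "Successfactors" is also inconsistent with "SAP SuccessFactors" used earlier in the same article.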
Cloud provisioning agent has been released in public preview and is now availabl
Previously, you could recover BitLocker keys via the /bitlocker endpoint. We'll eventually be deprecating this endpoint, and customers should begin consuming the API that now falls under /informationProtection.
-See [BitLocker recovery API](/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta) for updates to the documentation to reflect these changes.
+See [BitLocker recovery API](/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta&preserve-view=true) for updates to the documentation to reflect these changes.
The Integration Assistant (preview) experience is now available for Azure AD B2C
You can now view the template ID of each Azure AD role in the Azure portal. In Azure AD, select **description** of the selected role.
-It's recommended that customers use role template IDs in their PowerShell script and code, instead of the display name. Role template ID is supported for use to [directoryRoles](/graph/api/resources/directoryrole) and [roleDefinition](/graph/api/resources/unifiedroledefinition?view=graph-rest-beta) objects. For more information on role template IDs, see [Azure AD built-in roles](../roles/permissions-reference.md).
+It's recommended that customers use role template IDs in their PowerShell script and code, instead of the display name. Role template ID is supported for use to [directoryRoles](/graph/api/resources/directoryrole) and [roleDefinition](/graph/api/resources/unifiedroledefinition?view=graph-rest-beta&preserve-view=true) objects. For more information on role template IDs, see [Azure AD built-in roles](../roles/permissions-reference.md).
active-directory Access Reviews External Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/access-reviews-external-users.md
This setting allows you to identify, block, and delete external identities from
## Next steps -- [Access reviews - Graph API](/graph/api/resources/accessreviews-root?view=graph-rest-beta)-- [Entitlement management - Graph API](/graph/api/resources/entitlementmanagement-root?view=graph-rest-beta)
+- [Access reviews - Graph API](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta&preserve-view=true)
+- [Entitlement management - Graph API](/graph/api/resources/entitlementmanagement-root)
active-directory Conditional Access Exclusion https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/conditional-access-exclusion.md
that is excluded from the policy. Here is a recommended access review where memb
![Create an access review pane for example 2](./media/conditional-access-exclusion/create-access-review-2.png) >[!IMPORTANT]
->If you have many exclusion groups and therefore need to create multiple access reviews, we now have an API in the Microsoft Graph beta endpoint that allows you to create and manage them programmatically. To get started, see the [Azure AD access reviews API reference](/graph/api/resources/accessreviews-root?view=graph-rest-beta) and [Example of retrieving Azure AD access reviews via Microsoft Graph](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-of-retrieving-Azure-AD-access-reviews-via-Microsoft/td-p/236096).
+>If you have many exclusion groups and therefore need to create multiple access reviews, we now have an API in the Microsoft Graph beta endpoint that allows you to create and manage them programmatically. To get started, see the [Azure AD access reviews API reference](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta&preserve-view=true) and [Example of retrieving Azure AD access reviews via Microsoft Graph](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-of-retrieving-Azure-AD-access-reviews-via-Microsoft/td-p/236096).
## Access review results and audit logs
active-directory Create Access Review https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/create-access-review.md
If you have assigned guests as reviewers and they have not accepted the invite,
## Create reviews via APIs
-You can also create access reviews using APIs. What you do to manage access reviews of groups and application users in the Azure portal can also be done using Microsoft Graph APIs. For more information, see the [Azure AD access reviews API reference](/graph/api/resources/accessreviews-root?view=graph-rest-beta). For a code sample, see [Example of retrieving Azure AD access reviews via Microsoft Graph](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-of-retrieving-Azure-AD-access-reviews-via-Microsoft/m-p/236096).
+You can also create access reviews using APIs. What you do to manage access reviews of groups and application users in the Azure portal can also be done using Microsoft Graph APIs. For more information, see the [Azure AD access reviews API reference](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta&preserve-view=true). For a code sample, see [Example of retrieving Azure AD access reviews via Microsoft Graph](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-of-retrieving-Azure-AD-access-reviews-via-Microsoft/m-p/236096).
## Next steps
active-directory Deploy Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/deploy-access-reviews.md
Follow the instructions in the links below:
## Use the Access Reviews API
-See [graph API methods](/graph/api/resources/accessreviews-root?view=graph-rest-beta) and [role and application permission authorization checks](/graph/api/resources/accessreviews-root?view=graph-rest-beta) to interact with and manage reviewable resources. The Access Reviews methods in the Microsoft Graph API are available for both application and user contexts. When running scripts in the application context, the account used to run the API (the service principle) must be granted the ΓÇ£AccessReview.Read.AllΓÇ¥ permission to query Access Reviews information.
+See [graph API methods](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta&preserve-view=true) and [role and application permission authorization checks](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta&preserve-view=true) to interact with and manage reviewable resources. The Access Reviews methods in the Microsoft Graph API are available for both application and user contexts. When running scripts in the application context, the account used to run the API (the service principle) must be granted the ΓÇ£AccessReview.Read.AllΓÇ¥ permission to query Access Reviews information.
Popular Access Reviews tasks to automate using the Graph API for Access Reviews are:
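Review bot: Both links in the changed sentence, "graph API methods" and "role and application permission authorization checks", point to the same `accessreviewsv2-root` URL, so the second link does not take the reader to anything specific about authorization checks; point it at the relevant page or section, or merge the two links. In the same line, "service principle" should be "service principal", and the permission should be in code formatting (`AccessReview.Read.All`) rather than in quotation marks.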
active-directory Entitlement Management Access Package Assignments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-access-package-assignments.md
To use Azure AD entitlement management and assign users to access packages, you
### Viewing assignments programmatically
-You can also retrieve assignments in an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/accesspackageassignment-list?view=graph-rest-beta).
+You can also retrieve assignments in an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/accesspackageassignment-list?view=graph-rest-beta&preserve-view=true).
## Directly assign a user
In some cases, you might want to directly assign specific users to an access pac
### Directly assigning users programmatically
-You can also directly assign a user to an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageAssignmentRequest](/graph/api/accesspackageassignmentrequest-post?view=graph-rest-beta).
+You can also directly assign a user to an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageAssignmentRequest](/graph/api/accesspackageassignmentrequest-post?view=graph-rest-beta&preserve-view=true).
## Remove an assignment
active-directory Entitlement Management Access Package Create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-access-package-create.md
On the **Review + create** tab, you can review your settings and check for any v
You can also create an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to
-1. [List the accessPackageResources in the catalog](/graph/api/accesspackagecatalog-list?tabs=http&view=graph-rest-beta) and [create an accessPackageResourceRequest](/graph/api/accesspackageresourcerequest-post?tabs=http&view=graph-rest-beta) for any resources that are not yet in the catalog.
-1. [List the accessPackageResourceRoles](/graph/api/accesspackage-list-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta) of each accessPackageResource in an accessPackageCatalog. This list of roles will then be used to select a role, when subsequently creating an accessPackageResourceRoleScope.
-1. [Create an accessPackage](/graph/tutorial-access-package-api?view=graph-rest-beta).
-1. [Create an accessPackageAssignmentPolicy](/graph/api/accesspackageassignmentpolicy-post?tabs=http&view=graph-rest-beta).
-1. [Create an accessPackageResourceRoleScope](/graph/api/accesspackage-post-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta) for each resource role needed in the access package.
+1. [List the accessPackageResources in the catalog](/graph/api/accesspackagecatalog-list?tabs=http&view=graph-rest-beta&preserve-view=true) and [create an accessPackageResourceRequest](/graph/api/accesspackageresourcerequest-post?tabs=http&view=graph-rest-beta&preserve-view=true) for any resources that are not yet in the catalog.
+1. [List the accessPackageResourceRoles](/graph/api/accesspackage-list-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta&preserve-view=true) of each accessPackageResource in an accessPackageCatalog. This list of roles will then be used to select a role, when subsequently creating an accessPackageResourceRoleScope.
+1. [Create an accessPackage](/graph/tutorial-access-package-api&view=graph-rest-beta&preserve-view=true).
+1. [Create an accessPackageAssignmentPolicy](/graph/api/accesspackageassignmentpolicy-post?tabs=http&view=graph-rest-beta&preserve-view=true).
+1. [Create an accessPackageResourceRoleScope](/graph/api/accesspackage-post-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta&preserve-view=true) for each resource role needed in the access package.
## Next steps
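Review bot: In step 3 the new link is `/graph/tutorial-access-package-api&view=graph-rest-beta&preserve-view=true`: the `?` that opened the query string in the old link was replaced by `&`, so the parameters are now part of the path and the link will not resolve. It should be `/graph/tutorial-access-package-api?view=graph-rest-beta&preserve-view=true`, matching the other four steps.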
active-directory Entitlement Management Catalog Create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-catalog-create.md
A catalog is a container of resources and access packages. You create a catalog
### Creating a catalog programmatically
-You can also create a catalog using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageCatalog](/graph/api/accesspackagecatalog-post?view=graph-rest-beta).
+You can also create a catalog using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageCatalog](/graph/api/accesspackagecatalog-post?view=graph-rest-beta&preserve-view=true).
## Add resources to a catalog
To include resources in an access package, the resources must exist in a catalog
### Adding a resource to a catalog programmatically
-You can also add a resource to a catalog using Microsoft Graph. A user in an appropriate role, or a catalog and resource owner, with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageResourceRequest](/graph/api/accesspackageresourcerequest-post?view=graph-rest-beta).
+You can also add a resource to a catalog using Microsoft Graph. A user in an appropriate role, or a catalog and resource owner, with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageResourceRequest](/graph/api/accesspackageresourcerequest-post?view=graph-rest-beta&preserve-view=true).
## Remove resources from a catalog
You can delete a catalog, but only if it does not have any access packages.
### Deleting a catalog programmatically
-You can also delete a catalog using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [delete an accessPackageCatalog](/graph/api/accesspackagecatalog-delete?view=graph-rest-beta).
+You can also delete a catalog using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [delete an accessPackageCatalog](/graph/api/accesspackagecatalog-delete?view=graph-rest-beta&preserve-view=true).
## Next steps
active-directory Entitlement Management Organization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-organization.md
If you no longer have a relationship with an external Azure AD directory or doma
## Managing a connected organization programmatically
-You can also create, list, update, and delete connected organizations using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to manage [connectedOrganization](/graph/api/resources/connectedorganization?view=graph-rest-beta) objects and set sponsors for them.
+You can also create, list, update, and delete connected organizations using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to manage [connectedOrganization](/graph/api/resources/connectedorganization?view=graph-rest-beta&preserve-view=true) objects and set sponsors for them.
## State properties of connected organizations
active-directory Entitlement Management Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-scenarios.md
There are several ways that you can configure entitlement management for your or
## Programmatic administration
-You can also manage access packages, catalogs, policies, requests and assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the [entitlement management API](/graph/tutorial-access-package-api?view=graph-rest-beta).
+You can also manage access packages, catalogs, policies, requests and assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the [entitlement management API](/graph/tutorial-access-package-api).
## Next steps
active-directory Application Proxy Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-proxy-deployment-plan.md
Azure AD provides additional insights into your organizationΓÇÖs application usa
#### Application audit logs
-These logs provide detailed information about logins to applications configured with Application Proxy and the device and the user accessing the application. [Audit logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are located in the Azure portal and in [Audit API](/graph/api/resources/directoryaudit?view=graph-rest-beta) for export. Additionally, [usage and insights reports](../reports-monitoring/concept-usage-insights-report.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are also available for your application.
+These logs provide detailed information about logins to applications configured with Application Proxy and the device and the user accessing the application. [Audit logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are located in the Azure portal and in [Audit API](/graph/api/resources/directoryaudit) for export. Additionally, [usage and insights reports](../reports-monitoring/concept-usage-insights-report.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are also available for your application.
#### Application Proxy Connector monitoring
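Review bot: While this line is being edited, the "[Audit logs]" link target looks mismatched: it points at `../reports-monitoring/concept-provisioning-logs.md`, the provisioning logs article, although the sentence describes audit logs and the next link goes to the `directoryaudit` resource. Confirm the intended article and correct the relative path in the same change.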
active-directory Configure Authentication For Federated Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
To apply the HRD policy after you have created it, you can assign it to multiple
You need the **ObjectID** of the service principals to which you want to assign the policy. There are several ways to find the **ObjectID** of service principals.
-You can use the portal, or you can query [Microsoft Graph](/graph/api/resources/serviceprincipal?view=graph-rest-beta). You can also go to the [Graph Explorer Tool](https://developer.microsoft.com/graph/graph-explorer) and sign in to your Azure AD account to see all your organization's service principals.
+You can use the portal, or you can query [Microsoft Graph](/graph/api/resources/serviceprincipal). You can also go to the [Graph Explorer Tool](https://developer.microsoft.com/graph/graph-explorer) and sign in to your Azure AD account to see all your organization's service principals.
Because you are using PowerShell, you can use the following cmdlet to list the service principals and their IDs.
active-directory Migrate Adfs Apps To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-apps-to-azure.md
Apps that require the following protocol capabilities can't be migrated today:
Apps that require the following claims in token capabilities can't be migrated today.
-* Claims from attribute stores other than the Azure AD directory, unless that data is synced to Azure AD. For more information, see the [Azure AD synchronization API overview](/graph/api/resources/synchronization-overview?view=graph-rest-beta).
+* Claims from attribute stores other than the Azure AD directory, unless that data is synced to Azure AD. For more information, see the [Azure AD synchronization API overview](/graph/api/resources/synchronization-overview).
* Issuance of directory multiple-value attributes. For example, we can't issue a multivalued claim for proxy addresses at this time. ## Map app settings from AD FS to Azure AD
active-directory Managed Identities Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/managed-identities-faq.md
No. Managed identities do not currently support cross-directory scenarios.
Managed identities limits have dependencies on Azure service limits, Azure Instance Metadata Service (IMDS) limits, and Azure Active Directory service limits. - **Azure service limits** define the number of create operations that can be performed at the tenant and subscription levels. User assigned managed identities also have [limitations](../../azure-resource-manager/management/azure-subscription-service-limits.md#managed-identity-limits) around how they may be named.-- **IMDS** In general, requests to IMDS are limited to five requests per second. Requests exceeding this threshold will be rejected with 429 responses. Requests to the Managed Identity category are limited to 20 requests per second and 5 concurrent requests. You can read more at the [Azure Instance Metadata Serice (Windows)](../../virtual-machines/windows/instance-metadata-service.md?tabs=windows#managed-identity) article.
+- **IMDS** In general, requests to IMDS are limited to five requests per second. Requests exceeding this threshold will be rejected with 429 responses. Requests to the Managed Identity category are limited to 20 requests per second and 5 concurrent requests. You can read more at the [Azure Instance Metadata Service (Windows)](../../virtual-machines/windows/instance-metadata-service.md?tabs=windows#managed-identity) article.
- **Azure Active Directory service** Each managed identity counts towards the object quota limit in an Azure AD tenant as described in Azure [AD service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md).
active-directory Pim Apis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/pim-apis.md
You can perform Privileged Identity Management tasks using the [Microsoft Graph APIs](/graph/overview) for Azure Active Directory. This article describes important concepts for using the Microsoft Graph APIs for Privileged Identity Management.
-For details about the Microsoft Graph APIs, check out the [Azure AD Privileged Identity Management API reference](/graph/api/resources/privilegedidentitymanagement-root?view=graph-rest-beta).
+For details about the Microsoft Graph APIs, check out the [Azure AD Privileged Identity Management API reference](/graph/api/resources/privilegedidentitymanagement-root?view=graph-rest-beta&preserve-view=true).
> [!IMPORTANT] > APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.
If you are using the Graph Explorer to test your calls, you can specify the perm
## Next steps -- [Azure AD Privileged Identity Management API reference](/graph/api/resources/privilegedidentitymanagement-root?view=graph-rest-beta)
+- [Azure AD Privileged Identity Management API reference](/graph/api/resources/privilegedidentitymanagement-root?view=graph-rest-beta&preserve-view=true)
active-directory Concept Provisioning Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-provisioning-logs.md
Customers can interact with the provisioning logs in four ways:
- Accessing the logs from the Azure portal, as described in the next section. - Streaming the provisioning logs into [Azure Monitor](../app-provisioning/application-provisioning-log-analytics.md). This method allows for extended data retention and building custom dashboards, alerts, and queries.-- Querying the [Microsoft Graph API](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta) for the provisioning logs.
+- Querying the [Microsoft Graph API](/graph/api/resources/provisioningobjectsummary) for the provisioning logs.
- Downloading the provisioning logs as a CSV or JSON file. ## Access the logs from the Azure portal
Use the following table to better understand how to resolve errors that you find
|InsufficientRights, MethodNotAllowed, NotPermitted, Unauthorized| Azure AD authenticated with the target application but was not authorized to perform the update. Review any instructions that the target application has provided, along with the respective application [tutorial](../saas-apps/tutorial-list.md).| |UnprocessableEntity|The target application returned an unexpected response. The configuration of the target application might not be correct, or a service issue with the target application might be preventing this from working.| |WebExceptionProtocolError |An HTTP protocol error occurred in connecting to the target application. There is nothing to do. This attempt will automatically be retired in 40 minutes.|
-|InvalidAnchor|A user that was previously created or matched by the provisioning service no longer exists. Ensure that the user exists. To force a new matching of all users, use the Microsoft Graph API to [restart the job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta). <br><br>Restarting provisioning will trigger an initial cycle, which can take time to complete. Restarting provisioning also deletes the cache that the provisioning service uses to operate. That means all users and groups in the tenant will have to be evaluated again, and certain provisioning events might be dropped.|
+|InvalidAnchor|A user that was previously created or matched by the provisioning service no longer exists. Ensure that the user exists. To force a new matching of all users, use the Microsoft Graph API to [restart the job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true). <br><br>Restarting provisioning will trigger an initial cycle, which can take time to complete. Restarting provisioning also deletes the cache that the provisioning service uses to operate. That means all users and groups in the tenant will have to be evaluated again, and certain provisioning events might be dropped.|
|NotImplemented | The target app returned an unexpected response. The configuration of the app might not be correct, or a service issue with the target app might be preventing this from working. Review any instructions that the target application has provided, along with the respective application [tutorial](../saas-apps/tutorial-list.md). | |MandatoryFieldsMissing, MissingValues |The user could not be created because required values are missing. Correct the missing attribute values in the source record, or review your matching attribute configuration to ensure that the required fields are not omitted. [Learn more](../app-provisioning/customize-application-attributes.md) about configuring matching attributes.| |SchemaAttributeNotFound |The operation couldn't be performed because an attribute was specified that does not exist in the target application. See the [documentation](../app-provisioning/customize-application-attributes.md) on attribute customization and ensure that your configuration is correct.|
Use the following table to better understand how to resolve errors that you find
* [Check the status of user provisioning](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) * [Problem configuring user provisioning to an Azure AD Gallery application](../app-provisioning/application-provisioning-config-problem.md)
-* [Graph API for provisioning logs](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta)
+* [Graph API for provisioning logs](/graph/api/resources/provisioningobjectsummary)
active-directory Concept Reporting Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-reporting-api.md
For detailed instructions, see the [prerequisites to access the Azure Active Dir
The Microsoft Graph API endpoint for audit logs is `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits` and the Microsoft Graph API endpoint for sign-ins is `https://graph.microsoft.com/v1.0/auditLogs/signIns`. For more information, see the [audit API reference](/graph/api/resources/directoryaudit) and [sign-in API reference](/graph/api/resources/signIn).
-You can use the [Identity Protection risk detections API](/graph/api/resources/identityriskevent?view=graph-rest-beta) to gain programmatic access to security detections using Microsoft Graph. For more information, see [Get started with Azure Active Directory Identity Protection and Microsoft Graph](../identity-protection/howto-identity-protection-graph-api.md).
+You can use the [Identity Protection risk detections API](/graph/api/resources/identityriskevent?view=graph-rest-beta&preserve-view=true) to gain programmatic access to security detections using Microsoft Graph. For more information, see [Get started with Azure Active Directory Identity Protection and Microsoft Graph](../identity-protection/howto-identity-protection-graph-api.md).
-You can also use the [provisioning logs API](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta) to get programmatic access to provisioning events in your tenant.
+You can also use the [provisioning logs API](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta&preserve-view=true) to get programmatic access to provisioning events in your tenant.
## APIs with Microsoft Graph Explorer
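Review bot: The `provisioningobjectsummary` link is kept on the beta view here (`?view=graph-rest-beta&preserve-view=true`), but the concept-provisioning-logs change in this same batch removes the view parameter from links to the same resource. Pick one target for this resource so readers of both articles land on the same API version, and apply it to both files.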
active-directory Howto Configure Prerequisites For Reporting Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md
Follow the steps in the [Prerequisites to access the Azure Active Directory repo
## Next steps * [Get data using the Azure Active Directory reporting API with certificates](tutorial-access-api-with-certificates.md)
-* [Audit API reference](/graph/api/resources/directoryaudit?view=graph-rest-beta)
-* [Sign-in activity report API reference](/graph/api/resources/signin?view=graph-rest-beta)
+* [Audit API reference](/graph/api/resources/directoryaudit)
+* [Sign-in activity report API reference](/graph/api/resources/signin)
active-directory Howto Manage Inactive User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md
This section lists what you need to know about the lastSignInDateTime property.
### How can I access this property?
-The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity?view=graph-rest-beta) of the [Microsoft Graph REST API](/graph/overview?view=graph-rest-beta#whats-in-microsoft-graph).
+The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity?view=graph-rest-beta&preserve-view=true) of the [Microsoft Graph REST API](/graph/overview#whats-in-microsoft-graph).
### Is the lastSignInDateTime property available through the Get-AzureAdUser cmdlet?
To generate a lastSignInDateTime timestamp, you need a successful sign-in. Becau
## Next steps * [Get data using the Azure Active Directory reporting API with certificates](tutorial-access-api-with-certificates.md)
-* [Audit API reference](/graph/api/resources/directoryaudit?view=graph-rest-beta)
-* [Sign-in activity report API reference](/graph/api/resources/signin?view=graph-rest-beta)
+* [Audit API reference](/graph/api/resources/directoryaudit)
+* [Sign-in activity report API reference](/graph/api/resources/signin)
active-directory Reports Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/reports-faq.md
This article includes answers to frequently asked questions about Azure Active D
**Q: I currently use the `https://graph.windows.net/<tenant-name>/reports/` endpoint APIs to pull Azure AD security reports (specific types of detections, such as leaked credentials or sign-ins from anonymous IP addresses) into our reporting systems programmatically. What should I switch to?**
-**A:** You can use the [Identity Protection risk detections API](../identity-protection/howto-identity-protection-graph-api.md) to access security detections through Microsoft Graph. This new format gives greater flexibility in how you can query data, with advanced filtering, field selection, and more, and standardizes risk detections into one type for easier integration into SIEMs and other data collection tools. Because the data is in a different format, you can't substitute a new query for your old queries. However, [the new API uses Microsoft Graph](/graph/api/resources/identityriskevent?view=graph-rest-beta), which is the Microsoft standard for such APIs as Microsoft 365 or Azure AD. So the work required can either extend your current Microsoft Graph investments or help you begin your transition to this new standard platform.
+**A:** You can use the [Identity Protection risk detections API](../identity-protection/howto-identity-protection-graph-api.md) to access security detections through Microsoft Graph. This new format gives greater flexibility in how you can query data, with advanced filtering, field selection, and more, and standardizes risk detections into one type for easier integration into SIEMs and other data collection tools. Because the data is in a different format, you can't substitute a new query for your old queries. However, [the new API uses Microsoft Graph](/graph/api/resources/identityriskevent?view=graph-rest-beta&preserve-view=true), which is the Microsoft standard for such APIs as Microsoft 365 or Azure AD. So the work required can either extend your current Microsoft Graph investments or help you begin your transition to this new standard platform.
active-directory Troubleshoot Graph Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/troubleshoot-graph-api.md
Please follow the steps in the [Prerequisites to access the Azure Active Directo
## Next Steps
-[Use the audit API reference](/graph/api/resources/directoryaudit?view=graph-rest-beta)
-[Use the sign-in activity report API reference](/graph/api/resources/signin?view=graph-rest-beta)
+[Use the audit API reference](/graph/api/resources/directoryaudit)
+[Use the sign-in activity report API reference](/graph/api/resources/signin)
active-directory Tutorial Access Api With Certificates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/tutorial-access-api-with-certificates.md
In this tutorial, you learn how to use a test certificate to access the MS Graph
## Next steps * [Get a first impression of the reporting APIs](concept-reporting-api.md)
-* [Audit API reference](/graph/api/resources/directoryaudit?view=graph-rest-beta)
-* [Sign-in activity report API reference](/graph/api/resources/signin?view=graph-rest-beta)
+* [Audit API reference](/graph/api/resources/directoryaudit)
+* [Sign-in activity report API reference](/graph/api/resources/signin)
active-directory Custom Enterprise Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-enterprise-apps.md
Previously updated : 11/04/2020 Last updated : 04/14/2021
$displayName = "Can manage user and group assignments for Applications"
$templateId = (New-Guid).Guid # Set of permissions to grant
-$allowedResourceAction =@( "microsoft.directory/servicePrincipals/appRoleAssignedTo/update")
+$allowedResourceAction = @("microsoft.directory/servicePrincipals/appRoleAssignedTo/update")
$resourceActions = @{'allowedResourceActions'= $allowedResourceAction} $rolePermission = @{'resourceActions' = $resourceActions} $rolePermissions = $rolePermission
$customRole = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -Dis
Assign the role using this PowerShell script. ```powershell
-PowerShell
-# Basic role information
-
-$description = "Manage user and group assignments"
-$displayName = "Can manage user and group assignments for Applications"
-$templateId = (New-Guid).Guid
+# Get the user and role definition you want to link
+$user = Get-AzureADUser -Filter "userPrincipalName eq 'chandra@example.com'"
+$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Manage user and group assignments'"
-# Set of permissions to grant
-$allowedResourceAction =
-@(
- "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
-)
-$resourceActions = @{'allowedResourceActions'= $allowedResourceAction}
-$rolePermission = @{'resourceActions' = $resourceActions}
-$rolePermissions = $rolePermission
+# Get app registration and construct resource scope for assignment.
+$appRegistration = Get-AzureADApplication -Filter "displayName eq 'My Filter Photos'"
+$resourceScope = '/' + $appRegistration.objectId
-# Create new custom role
-$customRole = New-AzureAdRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
+# Create a scoped role assignment
+$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
``` ## Use the Microsoft Graph API
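Review bot: The `Get-AzureADMSRoleDefinition` filter in the new assignment script uses `displayName eq 'Manage user and group assignments'`, but the creation script sets `$displayName = "Can manage user and group assignments for Applications"`; the filtered string is the `$description` value shown in the removed lines. As written, the lookup would not match the role created in the previous step, and `$roleDefinition.Id` passed to `New-AzureADMSRoleAssignment` would be empty. Filter on the display name the role was created with. A one-line comment that `$resourceScope` limits the assignment to the single app registration would also help, since that scoping is the point of the example.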
active-directory 4Me Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/4me-tutorial.md
Previously updated : 08/27/2019 Last updated : 04/06/2021
In this tutorial, you'll learn how to integrate 4me with Azure Active Directory
* Enable your users to be automatically signed-in to 4me with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* 4me supports **SP** initiated SSO
-* 4me supports **Just In Time** user provisioning
+* 4me supports **SP** initiated SSO.
+* 4me supports **Just In Time** user provisioning.
-## Adding 4me from the gallery
+## Add 4me from the gallery
To configure the integration of 4me into Azure AD, you need to add 4me from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **4me** in the search box. 1. Select **4me** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for 4me
+## Configure and test Azure AD SSO for 4me
Configure and test Azure AD SSO with 4me using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in 4me. To configure and test Azure AD SSO with 4me, complete the following building blocks: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure 4me SSO](#configure-4me-sso)** - to configure the single sign-on settings on application side.
- * **[Create 4me test user](#create-4me-test-user)** - to have a counterpart of B.Simon in 4me that is linked to the Azure AD representation of user.
+ 1. **[Create 4me test user](#create-4me-test-user)** - to have a counterpart of B.Simon in 4me that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **4me** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **4me** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Sign on URL** text box, type a URL using one of the following patterns:
| Environment| URL| |||
Follow these steps to enable Azure AD SSO in the Azure portal.
| QA| `https://<SUBDOMAIN>.4me.qa`| | | |
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Identifier (Entity ID)** text box, type a URL using one of the following patterns:
| Environment| URL| |||
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **4me**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure 4me SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. On the top left, click on **Settings** logo and on the left side bar click **Single Sign-On**.
- ![4me settings](./media/4me-tutorial/tutorial_4me_settings.png)
+ ![4me settings](./media/4me-tutorial/settings.png)
1. On the **Single Sign-On** page, perform the following steps:
- ![4me singleasignon](./media/4me-tutorial/tutorial_4me_singlesignon.png)
+ ![4me singleasignon](./media/4me-tutorial/single-sign-on.png)
a. Select the **Enabled** option.
In this section, a user called Britta Simon is created in 4me. 4me supports just
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the 4me tile in the Access Panel, you should be automatically signed in to the 4me for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to 4me Sign-on URL where you can initiate the login flow.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* Go to 4me Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the 4me tile in the My Apps, this will redirect to 4me Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try 4me with Azure AD](https://aad.portal.azure.com/)
+Once you configure 4me you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
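Review bot: In the added **Next steps** paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as if session control protects the exfiltration itself; it should say "protects against exfiltration and infiltration". The apostrophe in "organization's" also appears as `ΓÇÖ` on that line, so check the encoding of the added text. Separately, the My Apps bullet replaces the removed relative link (`../user-help/my-apps-portal-end-user-access.md`) with an absolute `https://docs.microsoft.com/...` URL; a relative link, as the removed line used, would be preferable.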
active-directory Amazon Web Service Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/amazon-web-service-tutorial.md
You can also use Microsoft My Apps to test the application in any mode. When you
* In the **Provisioning** section, the **Mappings** subsection shows a "Loading..." message, and never displays the attribute mappings. The only provisioning workflow supported today is the import of roles from AWS into Azure AD for selection during a user or group assignment. The attribute mappings for this are predetermined, and aren't configurable.
-* The **Provisioning** section only supports entering one set of credentials for one AWS tenant at a time. All imported roles are written to the `appRoles` property of the Azure AD [`servicePrincipal` object](/graph/api/resources/serviceprincipal?view=graph-rest-beta) for the AWS tenant.
+* The **Provisioning** section only supports entering one set of credentials for one AWS tenant at a time. All imported roles are written to the `appRoles` property of the Azure AD [`servicePrincipal` object](/graph/api/resources/serviceprincipal) for the AWS tenant.
Multiple AWS tenants (represented by `servicePrincipals`) can be added to Azure AD from the gallery for provisioning. There's a known issue, however, with not being able to automatically write all of the imported roles from the multiple AWS `servicePrincipals` used for provisioning into the single `servicePrincipal` used for SSO.
- As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/serviceprincipal?view=graph-rest-beta) to extract all of the `appRoles` imported into each AWS `servicePrincipal` where provisioning is configured. You can subsequently add these role strings to the AWS `servicePrincipal` where SSO is configured.
+ As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/serviceprincipal) to extract all of the `appRoles` imported into each AWS `servicePrincipal` where provisioning is configured. You can subsequently add these role strings to the AWS `servicePrincipal` where SSO is configured.
* Roles must meet the following requirements to be eligible to be imported from AWS into Azure AD:
active-directory Cerby Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cerby-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Cerby | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Cerby.
++++++++ Last updated : 04/13/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Cerby
+
+In this tutorial, you'll learn how to integrate Cerby with Azure Active Directory (Azure AD). When you integrate Cerby with Azure AD, you can:
+
+* Control in Azure AD who has access to Cerby.
+* Enable your users to be automatically signed-in to Cerby with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Cerby single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Cerby supports **SP** initiated SSO.
+
+* Cerby supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Adding Cerby from the gallery
+
+To configure the integration of Cerby into Azure AD, you need to add Cerby from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Cerby** in the search box.
+1. Select **Cerby** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Cerby
+
+Configure and test Azure AD SSO with Cerby using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cerby.
+
+To configure and test Azure AD SSO with Cerby, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Cerby SSO](#configure-cerby-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Cerby test user](#create-cerby-test-user)** - to have a counterpart of B.Simon in Cerby that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Cerby** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `urn:amazon:cognito:sp:<ID>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<CustomerName>-cerbyauth.auth.us-east-2.amazoncognito.com/saml2/idpresponse`
+
+ c. In the **Sign-on URL** text box, type a URL using one of the following patterns:
+
+ | Sign on URL |
+ |--|
+ | `https://app.cerby.com` |
+ | `https://<CustomerName>.cerby.com` |
+ |
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Cerby Client support team](mailto:help@cerby.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Cerby** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Cerby.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Cerby**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Cerby SSO
+
+To configure single sign-on on **Cerby** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Cerby support team](mailto:help@cerby.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Cerby test user
+
+In this section, a user called Britta Simon is created in Cerby. Cerby supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Cerby, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Cerby Sign-on URL where you can initiate the login flow.
+
+* Go to Cerby Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Cerby tile in the My Apps, this will redirect to Cerby Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure Cerby you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
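Review bot: The note under **Scenario description** says the Identifier "is a fixed string value so only one instance can be configured in one tenant", but step a of **Basic SAML Configuration** gives the Identifier as a pattern with a placeholder, `urn:amazon:cognito:sp:<ID>`, and the later note tells the reader to replace it with the actual value. One of the two statements should be dropped or corrected, because an admin deciding whether a second Cerby instance can be added to the tenant gets conflicting answers. Step a also asks the reader to "type a URL" although the pattern is a URN. Smaller points: the Sign on URL table ends with a stray `|` row, the heading in that table says "Sign on URL" while the step says "Sign-on URL", and **Create Cerby test user** names the user Britta Simon while every other section uses B.Simon.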
active-directory Check Point Identity Awareness Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/check-point-identity-awareness-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Identity Awareness | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Check Point Identity Awareness.
++++++++ Last updated : 04/08/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Identity Awareness
+
+In this tutorial, you'll learn how to integrate Check Point Identity Awareness with Azure Active Directory (Azure AD). When you integrate Check Point Identity Awareness with Azure AD, you can:
+
+* Control in Azure AD who has access to Check Point Identity Awareness.
+* Enable your users to be automatically signed-in to Check Point Identity Awareness with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Check Point Identity Awareness single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Check Point Identity Awareness supports **SP** initiated SSO.
+
+## Adding Check Point Identity Awareness from the gallery
+
+To configure the integration of Check Point Identity Awareness into Azure AD, you need to add Check Point Identity Awareness from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Check Point Identity Awareness** in the search box.
+1. Select **Check Point Identity Awareness** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Check Point Identity Awareness
+
+Configure and test Azure AD SSO with Check Point Identity Awareness using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Check Point Identity Awareness.
+
+To configure and test Azure AD SSO with Check Point Identity Awareness, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Check Point Identity Awareness SSO](#configure-check-point-identity-awareness-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Check Point Identity Awareness test user](#create-check-point-identity-awareness-test-user)** - to have a counterpart of B.Simon in Check Point Identity Awareness that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Check Point Identity Awareness** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<GATEWAY_IP>/connect/spPortal/ACS/ID/<IDENTIFIER_UID>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<GATEWAY_IP>/connect/spPortal/ACS/Login/<IDENTIFIER_UID>`
+
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<GATEWAY_IP>/connect`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Check Point Identity Awareness Client support team](mailto:support@checkpoint.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Check Point Identity Awareness** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Check Point Identity Awareness.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Check Point Identity Awareness**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Check Point Identity Awareness SSO
+
+1. Sign in to the Check Point Identity Awareness company site as an administrator.
+
+1. In SmartConsole > **Gateways & Servers** view, click **New > More > User/Identity > Identity Provider**.
+
+ ![screenshot for new Identity Provider.](./media/check-point-identity-awareness-tutorial/identity-provider.png)
+
+1. Perform the following steps in **New Identity Provider** window.
+
+ ![screenshot for Identity Provider section.](./media/check-point-identity-awareness-tutorial/new-identity-provider.png)
+
+ a. In the **Gateway** field, select the Security Gateway, which needs to perform the SAML authentication.
+
+ b. In the **Service** field, select the **Identity Awareness** from the dropdown.
+
+ c. Copy **Identifier(Entity ID)** value, paste this value into the **Identifier** text box in the **Basic SAML Configuration** section in the Azure portal.
+
+ d. Copy **Reply URL** value, paste this value into the **Reply URL** text box in the **Basic SAML Configuration** section in the Azure portal.
+
+ e. Select **Import the Metadata File** to upload the downloaded **Certificate (Base64)** from the Azure portal.
+
+ > [!NOTE]
+ > Alternatively you can also select **Insert Manually** to paste manually the **Entity ID** and **Login URL** values into the corresponding fields, and to upload the **Certificate File** from the Azure portal.
+
+ f. Click **OK**.
+
+### Create Check Point Identity Awareness test user
+
+In this section, you create a user called Britta Simon in Check Point Identity Awareness. Work with [Check Point Identity Awareness support team](mailto:support@checkpoint.com) to add the users in the Check Point Identity Awareness platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Check Point Identity Awareness Sign-on URL where you can initiate the login flow.
+
+* Go to Check Point Identity Awareness Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Check Point Identity Awareness tile in the My Apps, this will redirect to Check Point Identity Awareness Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure Check Point Identity Awareness you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
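Review bot: Step e under **Configure Check Point Identity Awareness SSO** says to select **Import the Metadata File** "to upload the downloaded **Certificate (Base64)**", but the only file the Azure-side steps have the reader download is the Base64 signing certificate, not a metadata file, and the note right after it treats the certificate upload as part of the separate **Insert Manually** path. Either add a step that downloads the federation metadata for the metadata import, or make **Insert Manually** with the certificate the primary instruction, so the gateway ends up trusting the intended signing certificate. The ordering also needs a sentence of explanation: the Azure-side step asks for the Identifier and Reply URL before steps c and d tell the reader to copy those values out of SmartConsole. Finally, **Create Check Point Identity Awareness test user** says "you create a user called Britta Simon" while the rest of the article uses B.Simon and the paragraph then says the support team adds users.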
active-directory Clarizen Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clarizen-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Clarizen | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Clarizen.
+ Title: 'Tutorial: Azure Active Directory integration with Clarizen One | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Clarizen One.
Previously updated : 01/21/2019 Last updated : 04/08/2021
-# Tutorial: Azure Active Directory integration with Clarizen
+# Tutorial: Azure Active Directory integration with Clarizen One
-In this tutorial, you learn how to integrate Clarizen with Azure Active Directory (Azure AD).
-Integrating Clarizen with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Clarizen One with Azure Active Directory (Azure AD). When you integrate Clarizen One with Azure AD, you can:
-* You can control in Azure AD who has access to Clarizen.
-* You can enable your users to be automatically signed-in to Clarizen (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Clarizen One.
+* Enable your users to be automatically signed-in to Clarizen One with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Clarizen, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Clarizen single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Clarizen One single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Clarizen supports **IDP** initiated SSO
-
-## Adding Clarizen from the gallery
-
-To configure the integration of Clarizen into Azure AD, you need to add Clarizen from the gallery to your list of managed SaaS apps.
-
-**To add Clarizen from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Clarizen**, select **Clarizen** from result panel then click **Add** button to add the application.
-
- ![Clarizen in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+* Clarizen One supports **IDP** initiated SSO.
-In this section, you configure and test Azure AD single sign-on with Clarizen based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Clarizen needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with Clarizen, you need to complete the following building blocks:
+## Add Clarizen One from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Clarizen Single Sign-On](#configure-clarizen-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Clarizen test user](#create-clarizen-test-user)** - to have a counterpart of Britta Simon in Clarizen that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Clarizen One into Azure AD, you need to add Clarizen One from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Clarizen One** in the search box.
+1. Select **Clarizen One** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Clarizen One
-To configure Azure AD single sign-on with Clarizen, perform the following steps:
+Configure and test Azure AD SSO with Clarizen One using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Clarizen One.
-1. In the [Azure portal](https://portal.azure.com/), on the **Clarizen** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Clarizen One, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Clarizen One SSO](#configure-clarizen-one-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Clarizen test user](#create-clarizen-one-test-user)** - to have a counterpart of B.Simon in Clarizen One that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Clarizen One** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Clarizen Domain and URLs single sign-on information](common/idp-intiated.png)
-
- a. In the **Identifier** text box, type a value:
+ a. In the **Identifier** text box, type the value:
`Clarizen`
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type the URL:
`https://.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx`
- > [!NOTE]
- > These are not the real values. You have to use the actual identifier and reply URL. Here we suggest that you use the unique value of a string as the identifier. To get the actual values, contact the [Clarizen support team](https://success.clarizen.com/hc/en-us/requests/new).
- 4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer. ![The Certificate download link](common/certificatebase64.png)
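Review bot: In steps a and b the wording changes from "type a URL using the following pattern" to "type the URL", and the note explaining that the values are not real is removed, yet the Reply URL shown in the unchanged line still lacks its tenant-specific host part (`https://.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx`). A reader following the new text literally will enter a Reply URL that cannot match their Clarizen One site. Keep the "using the following pattern" wording for the Reply URL and retain a short note on where to get the real value; "type the value" is only accurate for the fixed Identifier `Clarizen`. The step numbers in this section also mix the new `1.` style with the leftover `4.` and `6.` items and should be made consistent.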
-6. On the **Set up Clarizen** section, copy the appropriate URL(s) as per your requirement.
+6. On the **Set up Clarizen One** section, copy the appropriate URL(s) as per your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure Ad Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Clarizen One.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Clarizen One**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Clarizen Single Sign-On
+## Configure Clarizen One SSO
-1. In a different web browser window, sign in to your Clarizen company site as an administrator.
+1. In a different web browser window, sign in to your Clarizen One company site as an administrator.
1. Click your username, and then click **Settings**.
- ![Clicking "Settings" under your username](./media/clarizen-tutorial/tutorial_clarizen_001.png "Settings")
+ ![Clicking "Settings" under your username](./media/clarizen-tutorial/setting.png "Settings")
1. Click the **Global Settings** tab. Then, next to **Federated Authentication**, click **edit**.
- !["Global Settings" tab](./media/clarizen-tutorial/tutorial_clarizen_002.png "Global Settings")
+ !["Global Settings" tab](./media/clarizen-tutorial/authentication.png "Global Settings")
1. In the **Federated Authentication** dialog box, perform the following steps:
- !["Federated Authentication" dialog box](./media/clarizen-tutorial/tutorial_clarizen_003.png "Federated Authentication")
+ !["Federated Authentication" dialog box](./media/clarizen-tutorial/federated-authentication.png "Federated Authentication")
a. Select **Enable Federated Authentication**.
To configure Azure AD single sign-on with Clarizen, perform the following steps:
f. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
+### Create Clarizen One test user
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Clarizen.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Clarizen**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Clarizen**.
-
- ![The Clarizen link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
-
-### Create Clarizen test user
-
-The objective of this section is to create a user called Britta Simon in Clarizen.
+The objective of this section is to create a user called Britta Simon in Clarizen One.
**If you need to create user manually, please perform following steps:**
-To enable Azure AD users to sign in to Clarizen, you must provision user accounts. In the case of Clarizen, provisioning is a manual task.
+To enable Azure AD users to sign in to Clarizen One, you must provision user accounts. In the case of Clarizen One, provisioning is a manual task.
-1. Sign in to your Clarizen company site as an administrator.
+1. Sign in to your Clarizen One company site as an administrator.
2. Click **People**.
- ![Clicking "People"](./media/clarizen-tutorial/create_aaduser_001.png "People")
+ ![Clicking "People"](./media/clarizen-tutorial/people.png "People")
3. Click **Invite User**.
- !["Invite User" button](./media/clarizen-tutorial/create_aaduser_002.png "Invite Users")
+ !["Invite User" button](./media/clarizen-tutorial/user.png "Invite Users")
1. In the **Invite People** dialog box, perform the following steps:
- !["Invite People" dialog box](./media/clarizen-tutorial/create_aaduser_003.png "Invite People")
+ !["Invite People" dialog box](./media/clarizen-tutorial/invite-people.png "Invite People")
a. In the **Email** box, type the email address of the Britta Simon account.
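Review bot: The added line "The objective of this section is to create a user called Britta Simon in Clarizen One." still names the test user Britta Simon, while the sections this change adds earlier create and assign `B.Simon`. Step a. of the **Invite People** dialog carries the same old name. Rename both to B.Simon so the Clarizen One account clearly matches the Azure AD user it has to be linked to.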
To enable Azure AD users to sign in to Clarizen, you must provision user account
> [!NOTE] > The Azure Active Directory account holder will receive an email and follow a link to confirm their account before it becomes active.
+## Test SSO
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Clarizen tile in the Access Panel, you should be automatically signed in to the Clarizen for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Clarizen One for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Clarizen One tile in the My Apps, you should be automatically signed in to the Clarizen One for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Clarizen One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
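Review bot: Both links added in the **Test SSO** and **Next steps** text are absolute `https://docs.microsoft.com/...` URLs, whereas the Access Panel link being removed was repo-relative (`../user-help/my-apps-portal-end-user-access.md`). Use the relative or site-relative form here as well so the links follow the same convention as the rest of the article. Smaller points in the same lines: "with following options" should read "with the following options", "Test this application" in the first bullet is not bolded as a UI label, and "protects exfiltration and infiltration" should read "protects against".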
active-directory Easysso For Bitbucket Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/easysso-for-bitbucket-tutorial.md
Previously updated : 12/21/2020 Last updated : 04/06/2021
To configure the integration of EasySSO for BitBucket into Azure AD, you need to
1. In the **Add from the gallery** section, type **EasySSO for BitBucket** in the search box. 1. Select **EasySSO for BitBucket** from the results, and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for EasySSO for BitBucket Configure and test Azure AD SSO with EasySSO for BitBucket by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in EasySSO for BitBucket.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications** > **All applications**. 1. In the applications list, select **EasySSO for BitBucket**. 1. In the app's overview page, find the **Manage** section, and select **Users and groups**.- 1. Select **Add user**. In the **Add Assignment** dialog box, select **Users and groups**.- 1. In the **Users and groups** dialog box, select **B.Simon** from the **Users** list, and then choose **Select** at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog box, select **Assign**.
active-directory Easysso For Confluence Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/easysso-for-confluence-tutorial.md
Previously updated : 12/24/2020 Last updated : 04/13/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* EasySSO for Confluence supports **SP and IDP** initiated SSO
-* EasySSO for Confluence supports **Just In Time** user provisioning
+* EasySSO for Confluence supports **SP and IDP** initiated SSO.
+* EasySSO for Confluence supports **Just In Time** user provisioning.
-## Adding EasySSO for Confluence from the gallery
+## Add EasySSO for Confluence from the gallery
To configure the integration of EasySSO for Confluence into Azure AD, you need to add EasySSO for Confluence from the gallery to your list of managed SaaS apps.
To configure the integration of EasySSO for Confluence into Azure AD, you need t
1. In the **Add from the gallery** section, type **EasySSO for Confluence** in the search box. 1. Select **EasySSO for Confluence** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for EasySSO for Confluence Configure and test Azure AD SSO with EasySSO for Confluence using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in EasySSO for Confluence.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **EasySSO for Confluence** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **EasySSO for Confluence**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
active-directory Egnyte Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/egnyte-tutorial.md
Previously updated : 08/27/2020 Last updated : 04/05/2021 # Tutorial: Azure Active Directory single sign-on (SSO) integration with Egnyte
In this tutorial, you'll learn how to integrate Egnyte with Azure Active Directo
* Enable your users to be automatically signed-in to Egnyte with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Egnyte supports **SP** initiated SSO
-* Once you configure Egnyte you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+* Egnyte supports **SP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Egnyte from the gallery
+## Add Egnyte from the gallery
To configure the integration of Egnyte into Azure AD, you need to add Egnyte from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Egnyte** in the search box. 1. Select **Egnyte** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO
-
-In this section, you configure and test Azure AD single sign-on with Egnyte based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Egnyte needs to be established.
+## Configure and test Azure AD SSO for Egnyte
-To configure and test Azure AD single sign-on with Egnyte, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Form.com using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Form.com.
-To configure and test Azure AD SSO with Egnyte, complete the following building blocks:
+To configure and test Azure AD SSO with Form.com, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
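Review bot: The two added lines under "Configure and test Azure AD SSO for Egnyte" name the wrong application: "Configure and test Azure AD SSO with Form.com ... the related user in Form.com" and "To configure and test Azure AD SSO with Form.com, perform the following steps". This is the Egnyte tutorial, and the list that follows links to `#create-egnyte-test-user`, so every "Form.com" should be "Egnyte". It looks like text carried over from another tutorial.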
To configure and test Azure AD SSO with Egnyte, complete the following building
1. **[Create Egnyte test user](#create-egnyte-test-user)** - to have a counterpart of B.Simon in Egnyte that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Egnyte** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Egnyte** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Egnyte Domain and URLs single sign-on information](common/sp-signonurl.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<companyname>.egnyte.com`
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Egnyte**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Egnyte SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. Click **Settings**.
- ![Settings 1](./media/egnyte-tutorial/ic787819.png "Settings")
+ ![Settings 1](./media/egnyte-tutorial/settings-tab.png "Settings")
3. In the menu, click **Settings**.
- ![Settings](./media/egnyte-tutorial/ic787820.png "Settings")
+ ![Menu 1](./media/egnyte-tutorial/menu-tab.png "Menu")
4. Click the **Configuration** tab, and then click **Security**.
- ![Security](./media/egnyte-tutorial/ic787821.png "Security")
+ ![Security](./media/egnyte-tutorial/configuration.png "Security")
5. In the **Single Sign-On Authentication** section, perform the following steps:
- ![Single Sign On Authentication](./media/egnyte-tutorial/ic787822.png "Single Sign On Authentication")
+ ![Single Sign On Authentication](./media/egnyte-tutorial/authentication.png "Single Sign On Authentication")
a. As **Single sign-on authentication**, select **SAML 2.0**.
To enable Azure AD users to sign in to Egnyte, they must be provisioned into Egn
3. Click **Add New User**, and then select the type of user you want to add.
- ![Users](./media/egnyte-tutorial/ic787824.png "Users")
+ ![Users](./media/egnyte-tutorial/add-user.png "Users")
4. In the **New Power User** section, perform the following steps:
- ![New Standard User](./media/egnyte-tutorial/ic787825.png "New Standard User")
+ ![New Standard User](./media/egnyte-tutorial/new-user.png "New Standard User")
a. In **Email** text box, enter the email of user like **Brittasimon\@contoso.com**.
To enable Azure AD users to sign in to Egnyte, they must be provisioned into Egn
>You can use any other Egnyte user account creation tools or APIs provided by Egnyte to provision Azure AD user accounts. >
-### Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Egnyte tile in the Access Panel, you should be automatically signed in to the Egnyte for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on **Test this application** in Azure portal. This will redirect to Egnyte Sign-on URL where you can initiate the login flow.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* Go to Egnyte Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Egnyte tile in the My Apps, this will redirect to Egnyte Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Egnyte you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
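Review bot: The session-control link in the new **Next steps** paragraph points to `proxy-deployment-any-app`, but the overview bullet this change removes linked to `/cloud-app-security/proxy-deployment-aad`. Confirm the change of target is intended for Egnyte and not a side effect of reusing the paragraph from another tutorial. If it is intended, keep the site-relative form (`/cloud-app-security/proxy-deployment-any-app`) that the removed bullet used.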
active-directory Egress Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/egress-tutorial.md
Previously updated : 07/29/2020 Last updated : 04/13/2021
In this tutorial, you'll learn how to integrate Egress with Azure Active Directo
* Enable your users to be automatically signed-in to Egress with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Egress supports **SP and IDP** initiated SSO
-* Egress supports **Just In Time** user provisioning
-* Once you configure Egress you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Egress supports **SP and IDP** initiated SSO.
+* Egress supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Egress from the gallery
+## Add Egress from the gallery
To configure the integration of Egress into Azure AD, you need to add Egress from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Egress** in the search box. 1. Select **Egress** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Egress Configure and test Azure AD SSO with Egress using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Egress.
-To configure and test Azure AD SSO with Egress, complete the following building blocks:
+To configure and test Azure AD SSO with Egress, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Egress, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Egress** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal on the **Egress** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type the URL:
`https://switch.egress.com/ui/` 1. Click **Save**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Egress**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Egress SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Egress tile in the Access Panel, you should be automatically signed in to the Egress for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Egress Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Egress Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Egress for which you set up the SSO.
-- [Try Egress with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Egress tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Egress for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Egress with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Egress you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
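Review bot: The new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a heading level, and both end in a colon. Use `###` without the trailing colon, or make them bold lead-in lines, so the outline stays sequential. The SP bullets also spell the same field two ways ("Egress Sign on URL" and "Egress Sign-on URL"); pick the hyphenated form used in the **Sign-on URL** text box step.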
active-directory Fcm Hub Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fcm-hub-tutorial.md
Previously updated : 03/25/2020 Last updated : 04/14/2021
In this tutorial, you'll learn how to integrate FCM HUB with Azure Active Direct
* Enable your users to be automatically signed-in to FCM HUB with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* FCM HUB supports **SP and IDP** initiated SSO
-* Once you configure FCM HUB you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* FCM HUB supports **SP and IDP** initiated SSO.
-## Adding FCM HUB from the gallery
+## Add FCM HUB from the gallery
To configure the integration of FCM HUB into Azure AD, you need to add FCM HUB from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **FCM HUB** in the search box. 1. Select **FCM HUB** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for FCM HUB
+## Configure and test Azure AD SSO for FCM HUB
Configure and test Azure AD SSO with FCM HUB using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FCM HUB.
-To configure and test Azure AD SSO with FCM HUB, complete the following building blocks:
+To configure and test Azure AD SSO with FCM HUB, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure FCM HUB SSO](#configure-fcm-hub-sso)** - to configure the single sign-on settings on application side.
- * **[Create FCM HUB test user](#create-fcm-hub-test-user)** - to have a counterpart of B.Simon in FCM HUB that is linked to the Azure AD representation of user.
+ 1. **[Create FCM HUB test user](#create-fcm-hub-test-user)** - to have a counterpart of B.Simon in FCM HUB that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **FCM HUB** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal on the **FCM HUB** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **FCM HUB**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure FCM HUB SSO
In this section, you create a user called B.Simon in FCM HUB. Work with your acc
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the FCM HUB tile in the Access Panel, you should be automatically signed in to the FCM HUB for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to FCM HUB Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to FCM HUB Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the FCM HUB for which you set up the SSO.
-- [Try FCM HUB with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the FCM HUB tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the FCM HUB for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect FCM HUB with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure FCM HUB you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
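Review bot: The new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, so the outline skips a level, and both carry a trailing colon; `### SP initiated` and `### IDP initiated` would keep the heading hierarchy intact. In the added Next steps paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as if session control protects the exfiltration itself; "protects against exfiltration and infiltration" says what is meant. The apostrophe in "organization's" shows up mis-encoded in this rendering, so check that the source file has a plain ASCII apostrophe there. The intro line "with following options" is also missing "the".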
active-directory Formcom Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/formcom-tutorial.md
Previously updated : 02/15/2019 Last updated : 04/05/2021 # Tutorial: Azure Active Directory integration with Form.com
-In this tutorial, you learn how to integrate Form.com with Azure Active Directory (Azure AD).
-Integrating Form.com with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Form.com with Azure Active Directory (Azure AD). When you integrate Form.com with Azure AD, you can:
-* You can control in Azure AD who has access to Form.com.
-* You can enable your users to be automatically signed-in to Form.com (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Form.com.
+* Enable your users to be automatically signed-in to Form.com with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Form.com, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Form.com single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Form.com single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Form.com supports **SP** initiated SSO
+* Form.com supports **SP** initiated SSO.
-## Adding Form.com from the gallery
+## Add Form.com from the gallery
To configure the integration of Form.com into Azure AD, you need to add Form.com from the gallery to your list of managed SaaS apps.
-**To add Form.com from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Form.com**, select **Form.com** from result panel then click **Add** button to add the application.
-
- ![Form.com in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Form.com** in the search box.
+1. Select **Form.com** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Form.com based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Form.com needs to be established.
+## Configure and test Azure AD SSO for Form.com
-To configure and test Azure AD single sign-on with Form.com, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Form.com using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Form.com.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Form.com Single Sign-On](#configure-formcom-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Form.com test user](#create-formcom-test-user)** - to have a counterpart of Britta Simon in Form.com that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Form.com, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Form.com SSO](#configure-formcom-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Form.com test user](#create-formcom-test-user)** - to have a counterpart of B.Simon in Form.com that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Form.com, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Form.com** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Form.com** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Form.com Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<subdomain>.wa-form.com` b. In the **Identifier** box, type a URL using the following pattern: `https://<subdomain>.form.com`
- c. In the **Reply URL** text box, type a URL using the following pattern:
+ c. In the **Reply URL** text box, type a URL using one of the following patterns:
```http https://<subdomain>.wa-form.com/Member/UserAccount/SAML2.action
To configure Azure AD single sign-on with Form.com, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Form.com Single Sign-On
-
-To configure single sign-on on **Form.com** side, you need to send the downloaded **Certificate (Base64)**, **App Federation Metadata Url** and appropriate copied URLs from Azure portal to [Form.com support team](https://form.com/about/company/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Form.com.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Form.com.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Form.com**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Form.com**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Form.com SSO
-2. In the applications list, select **Form.com**.
-
- ![The Form.com link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Form.com** side, you need to send the downloaded **Certificate (Base64)**, **App Federation Metadata Url** and appropriate copied URLs from Azure portal to [Form.com support team](https://form.com/about/company/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Form.com test user In this section, you create a user called Britta Simon in Form.com. Work with [Form.com support team](https://form.com/about/company/contact-us/) to add the users in the Form.com platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Form.com tile in the Access Panel, you should be automatically signed in to the Form.com for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Form.com Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Form.com Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Form.com tile in the My Apps, this will redirect to Form.com Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Form.com you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
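Review bot: The unchanged `### Create Form.com test user` paragraph still says "you create a user called Britta Simon in Form.com", while every added line in this change names the test user B.Simon, so the tutorial now refers to two different test users; update that sentence to B.Simon in the same commit. The Test SSO intro "with following options" is missing "the", and the Next steps sentence "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration".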
active-directory G Suite Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/g-suite-provisioning-tutorial.md
Once you've configured provisioning, use the following resources to monitor your
* 10/17/2020 - Added support for additional G Suite user and group attributes. * 10/17/2020 - Updated G Suite target attribute names to match what is defined [here](https://developers.google.com/admin-sdk/directory). * 10/17/2020 - Updated default attribute mappings.
-* 03/18/2021 - Manager email is now synchronized instead of ID for all new users. For any existing users that were provisioned with a manager as an ID, you can do a restart through [Microsoft Graph](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http) with scope "full" to ensure that the email is provisioned. This change only impacts the GSuite provisioning job and not the older probisioning job begining with Goov2OutDelta. Note, the manager email is provisioned when the user is first created or when the manager changes. The manager email is not provisioned if the manager changes their email address.
+* 03/18/2021 - Manager email is now synchronized instead of ID for all new users. For any existing users that were provisioned with a manager as an ID, you can do a restart through [Microsoft Graph](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http&preserve-view=true) with scope "full" to ensure that the email is provisioned. This change only impacts the GSuite provisioning job and not the older provisioning job beginning with Goov2OutDelta. Note, the manager email is provisioned when the user is first created or when the manager changes. The manager email is not provisioned if the manager changes their email address.
## Additional resources
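Review bot: The corrected changelog entry still writes "the GSuite provisioning job" while the neighbouring entries and the rest of the sentence list use "G Suite"; since this line is already being touched for the "provisioning" and "beginning" typos, normalise the product name here too. If "GSuite" is the literal job name, put it in code formatting so readers can tell it apart from the product name, as is worth doing for `Goov2OutDelta` as well.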
active-directory Gigya Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/gigya-tutorial.md
Previously updated : 02/18/2019 Last updated : 04/06/2021 # Tutorial: Azure Active Directory integration with Gigya
-In this tutorial, you learn how to integrate Gigya with Azure Active Directory (Azure AD).
-Integrating Gigya with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Gigya with Azure Active Directory (Azure AD). When you integrate Gigya with Azure AD, you can:
-* You can control in Azure AD who has access to Gigya.
-* You can enable your users to be automatically signed-in to Gigya (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Gigya.
+* Enable your users to be automatically signed-in to Gigya with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Gigya, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Gigya single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Gigya single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Gigya supports **SP** initiated SSO
+* Gigya supports **SP** initiated SSO.
-## Adding Gigya from the gallery
+## Add Gigya from the gallery
To configure the integration of Gigya into Azure AD, you need to add Gigya from the gallery to your list of managed SaaS apps.
-**To add Gigya from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Gigya**, select **Gigya** from result panel then click **Add** button to add the application.
-
- ![Gigya in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Gigya based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Gigya needs to be established.
-
-To configure and test Azure AD single sign-on with Gigya, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Gigya** in the search box.
+1. Select **Gigya** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Gigya Single Sign-On](#configure-gigya-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Gigya test user](#create-gigya-test-user)** - to have a counterpart of Britta Simon in Gigya that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Gigya
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Gigya using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Gigya.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Gigya, perform the following steps:
-To configure Azure AD single sign-on with Gigya, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Gigya SSO](#configure-gigya-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Gigya test user](#create-gigya-test-user)** - to have a counterpart of B.Simon in Gigya that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Gigya** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Gigya** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Gigya Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `http://<companyname>.gigya.com`
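Review bot: Step 4 still reads "perform the following steps", but the only sub-step visible in this hunk, "a. In the **Sign on URL** text box", is on a removed line with no added counterpart, so confirm the sub-step survives the re-indentation and is not dropped. If it is being rewritten anyway, check with the vendor whether the `http://<companyname>.gigya.com` pattern should be `https://`, since a plain-HTTP sign-on URL means the SP-initiated flow starts over an unencrypted connection. The surviving step is also numbered "4." while the added steps above it all use "1.".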
To configure Azure AD single sign-on with Gigya, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure Ad Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Gigya Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Gigya.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Gigya**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Gigya SSO
1. In a different web browser window, log into your Gigya company site as an administrator. 2. Go to **Settings \> SAML Login**, and then click the **Add** button.
- ![SAML Login](./media/gigya-tutorial/ic789532.png "SAML Login")
+ ![SAML Login](./media/gigya-tutorial/login.png "SAML Login")
3. In the **SAML Login** section, perform the following steps:
- ![SAML Configuration](./media/gigya-tutorial/ic789533.png "SAML Configuration")
+ ![SAML Configuration](./media/gigya-tutorial/configuration.png "SAML Configuration")
a. In the **Name** textbox, type a name for your configuration.
- b. In **Issuer** textbox, paste the value of **Azure Ad Identifier** which you have copied from Azure Portal.
+ b. In **Issuer** textbox, paste the value of **Azure Ad Identifier** which you have copied from Azure portal.
- c. In **Single Sign-On Service URL** textbox, paste the value of **Login URL** which you have copied from Azure Portal.
+ c. In **Single Sign-On Service URL** textbox, paste the value of **Login URL** which you have copied from Azure portal.
- d. In **Name ID Format** textbox, paste the value of **Name Identifier Format** which you have copied from Azure Portal.
+ d. In **Name ID Format** textbox, paste the value of **Name Identifier Format** which you have copied from Azure portal.
e. Open your base-64 encoded certificate in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the **X.509 Certificate** textbox. f. Click **Save Settings**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Gigya.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Gigya**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Gigya**.
-
- ![The Gigya link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
-
-### Create Gigya test user
+## Create Gigya test user
In order to enable Azure AD users to log into Gigya, they must be provisioned into Gigya. In the case of Gigya, provisioning is a manual task.
In order to enable Azure AD users to log into Gigya, they must be provisioned in
2. Go to **Admin \> Manage Users**, and then click **Invite Users**.
- ![Manage Users](./media/gigya-tutorial/ic789535.png "Manage Users")
+ ![Manage Users](./media/gigya-tutorial/users.png "Manage Users")
3. On the Invite Users dialog, perform the following steps:
- ![Invite Users](./media/gigya-tutorial/ic789536.png "Invite Users")
+ ![Invite Users](./media/gigya-tutorial/invite-user.png "Invite Users")
a. In the **Email** textbox, type the email alias of a valid Azure Active Directory account you want to provision.
In order to enable Azure AD users to log into Gigya, they must be provisioned in
> The Azure Active Directory account holder will receive an email that includes a link to confirm the account before it becomes active. >
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Gigya tile in the Access Panel, you should be automatically signed in to the Gigya for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Gigya Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Gigya Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Gigya tile in the My Apps, this will redirect to Gigya Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Gigya you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
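Review bot: In the new Next steps paragraph, "which protects exfiltration and infiltration" says the opposite of what is meant; make it "which protects against exfiltration and infiltration". In the same region, the new Test SSO intro "with following options" is missing "the".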
active-directory Grammarly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/grammarly-tutorial.md
Previously updated : 09/01/2020 Last updated : 04/13/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Grammarly supports **IDP** initiated SSO
-* Grammarly supports **Just In Time** user provisioning
+* Grammarly supports **IDP** initiated SSO.
+* Grammarly supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure the integration of Grammarly into Azure AD, you need to add Grammar
1. In the **Add from the gallery** section, type **Grammarly** in the search box. 1. Select **Grammarly** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Grammarly Configure and test Azure AD SSO with Grammarly using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Grammarly.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Grammarly** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, a user called B.Simon is created in Grammarly. Grammarly suppor
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on **Test this application** in Azure portal and you should be automatically signed in to the Grammarly for which you set up the SSO
+* Click on Test this application in Azure portal and you should be automatically signed in to the Grammarly for which you set up the SSO.
-2. You can use Microsoft Access Panel. When you click the Grammarly tile in the Access Panel, you should be automatically signed in to the Grammarly for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Grammarly tile in the My Apps, you should be automatically signed in to the Grammarly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
## Next steps
-Once you configure Grammarly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Grammarly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
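Review bot: The replacement bullet for the first test option drops the bold from the UI label: the removed line has **Test this application**, the added line has plain "Test this application", while the Gigya and MobiControl changes in this batch keep it bold. Restore the bold. The Next steps link also changes from the site-relative `/cloud-app-security/proxy-deployment-any-app` to a hardcoded `https://docs.microsoft.com/...` URL with no other change to the sentence; unless the absolute form is required, keep the relative one so the link is not pinned to a fixed host.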
active-directory Mobicontrol Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mobicontrol-tutorial.md
Previously updated : 03/28/2019 Last updated : 04/14/2021 # Tutorial: Azure Active Directory integration with MobiControl
-In this tutorial, you learn how to integrate MobiControl with Azure Active Directory (Azure AD).
-Integrating MobiControl with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate MobiControl with Azure Active Directory (Azure AD). When you integrate MobiControl with Azure AD, you can:
-* You can control in Azure AD who has access to MobiControl.
-* You can enable your users to be automatically signed-in to MobiControl (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to MobiControl.
+* Enable your users to be automatically signed-in to MobiControl with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with MobiControl, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* MobiControl single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* MobiControl single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* MobiControl supports **SP** initiated SSO
+* MobiControl supports **SP** initiated SSO.
-## Adding MobiControl from the gallery
+## Add MobiControl from the gallery
To configure the integration of MobiControl into Azure AD, you need to add MobiControl from the gallery to your list of managed SaaS apps.
-**To add MobiControl from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **MobiControl**, select **MobiControl** from result panel then click **Add** button to add the application.
-
- ![MobiControl in the results list](common/search-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **MobiControl** in the search box.
+1. Select **MobiControl** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for MobiControl
-In this section, you configure and test Azure AD single sign-on with MobiControl based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in MobiControl needs to be established.
+Configure and test Azure AD SSO with MobiControl using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in MobiControl.
-To configure and test Azure AD single sign-on with MobiControl, you need to complete the following building blocks:
+To configure and test Azure AD SSO with MobiControl, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure MobiControl Single Sign-On](#configure-mobicontrol-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create MobiControl test user](#create-mobicontrol-test-user)** - to have a counterpart of Britta Simon in MobiControl that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure MobiControl SSO](#configure-mobicontrol-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create MobiControl test user](#create-mobicontrol-test-user)** - to have a counterpart of B.Simon in MobiControl that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with MobiControl, perform the following steps:
+1. In the Azure portal, on the **MobiControl** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **MobiControl** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![MobiControl Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.corp.soti.net/mobicontrol`
To configure Azure AD single sign-on with MobiControl, perform the following ste
![The Certificate download link](common/copy-metadataurl.png)
-### Configure MobiControl Single Sign-On
-
-To configure single sign-on on **MobiControl** side, you need to send the **App Federation Metadata Url** to [MobiControl support team](https://www.soti.net/about/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to MobiControl.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **MobiControl**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MobiControl.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **MobiControl**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **MobiControl**.
+## Configure MobiControl SSO
- ![The MobiControl link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **MobiControl** side, you need to send the **App Federation Metadata Url** to [MobiControl support team](https://www.soti.net/about/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create MobiControl test user In this section, you create a user called Britta Simon in MobiControl. Work with [MobiControl support team](https://www.soti.net/about/contact-us/) to add the users in the MobiControl platform. Users must be created and activated before you use single sign-on.
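Review bot: The unchanged "Create MobiControl test user" section still says "you create a user called Britta Simon", but every section touched here now uses B.Simon (the step list, "Create an Azure AD test user", "Assign the Azure AD test user"). Update it to B.Simon so the MobiControl-side account in the instructions matches the Azure AD test user it has to be linked to. The unchanged step "4. On the **Basic SAML Configuration** section" also keeps its hard-coded number while the steps above it were converted to `1.` auto-numbering.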
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the MobiControl tile in the Access Panel, you should be automatically signed in to the MobiControl for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to MobiControl Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to MobiControl Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the MobiControl tile in the My Apps, this will redirect to MobiControl Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure MobiControl you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
active-directory Mongodb Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mongodb-cloud-tutorial.md
Previously updated : 04/03/2020 Last updated : 04/14/2021
In this tutorial, you'll learn how to integrate MongoDB Cloud with Azure Active
* Enable your users to be automatically signed in to MongoDB Cloud with their Azure AD accounts. * Manage your accounts in one central location: the Azure portal.
-To learn more about software as a service (SaaS) app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites
-To get started, you need:
+To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* A MongoDB Cloud organization that is enabled for single sign-on (SSO), you can signup for a [free cluster](https://www.mongodb.com/cloud)
+* MongoDB Cloud single sign-on (SSO) enabled subscription.
## Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
* MongoDB Cloud supports **SP** and **IDP** initiated SSO. * MongoDB Cloud supports **Just In Time** user provisioning.
-* After you configure MongoDB Cloud, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from conditional access. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
## Add MongoDB Cloud from the gallery To configure the integration of MongoDB Cloud into Azure AD, you need to add MongoDB Cloud from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) by using either a work or school account, or a personal Microsoft account.
-1. On the left pane, select **Azure Active Directory**.
-1. Go to **Enterprise Applications**, and then select **All Applications**.
-1. To add a new application, select **New application**.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
1. In the **Add from the gallery** section, type **MongoDB Cloud** in the search box.
-1. Select **MongoDB Cloud** from the results, and then add the app. Wait a few seconds while the app is added to your tenant.
-
+1. Select **MongoDB Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for MongoDB Cloud
+## Configure and test Azure AD SSO for MongoDB Cloud
Configure and test Azure AD SSO with MongoDB Cloud, by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in MongoDB Cloud.
-To configure and test Azure AD SSO with MongoDB Cloud, complete the following building blocks:
+To configure and test Azure AD SSO with MongoDB Cloud, perform the following steps:
1. [Configure Azure AD SSO](#configure-azure-ad-sso) to enable your users to use this feature. 1. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with B.Simon.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the **Set up MongoDB Cloud** section, copy the appropriate URLs, based on your requirement. ![Screenshot of Set up Mongo DB Cloud section, with URLs highlighted](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you create a test user in the Azure portal called B.Simon.
In this section, you create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you enable B.Simon to use Azure single sign-on by granting access to MongoDB Cloud.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MongoDB Cloud.
-1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
1. In the applications list, select **MongoDB Cloud**.
-1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
-
- ![Screenshot of the Manage section, with Users and groups highlighted](common/users-groups-blade.png)
-
-1. Select **Add user**. Then, in the **Add Assignment** dialog box, select **Users and groups**.
-
- ![Screenshot of Users and groups page, with Add user highlighted](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog box, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list. Then choose **Select** at the bottom of the screen.
-1. In the **Add Assignment** dialog box, select **Assign**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Configure MongoDB Cloud SSO
MongoDB Cloud supports just-in-time user provisioning, which is enabled by defau
## Test SSO
-In this section, you test your Azure AD single sign-on configuration by using Access Panel.
-
-When you select the MongoDB Cloud tile in Access Panel, you're automatically signed in to the MongoDB Cloud for which you set up SSO. For more information, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+#### SP initiated:
-- [Tutorials for integrating SaaS applications with Azure Active Directory](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to MongoDB Cloud Sign on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+* Go to MongoDB Cloud Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+#### IDP initiated:
-- [Sign up for MongoDB Atlas on Azure](https://azuremarketplace.microsoft.com/marketplace/apps/mongodb.mdb_atlas_oct2020?tab=Overview)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the MongoDB Cloud for which you set up the SSO.
-- [Try MongoDB Cloud with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the MongoDB Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MongoDB Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [Protect MongoDB Cloud with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure MongoDB Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
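Review bot: The new "#### SP initiated:" and "#### IDP initiated:" headings sit directly under "## Test SSO", skipping a heading level, and end in a colon; use "###" without the colon, or bold lead-in lines instead of headings. The first SP bullet says "Sign on URL" while the second says "Sign-on URL"; hyphenate both. The Next steps sentence "which protects exfiltration and infiltration" should read "which protects against exfiltration and infiltration".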
active-directory Netskope User Authentication Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netskope-user-authentication-tutorial.md
Previously updated : 11/01/2019 Last updated : 04/06/2021
In this tutorial, you'll learn how to integrate Netskope User Authentication wit
* Enable your users to be automatically signed-in to Netskope User Authentication with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Netskope User Authentication supports **SP and IDP** initiated SSO
+* Netskope User Authentication supports **SP and IDP** initiated SSO.
-## Adding Netskope User Authentication from the gallery
+## Add Netskope User Authentication from the gallery
To configure the integration of Netskope User Authentication into Azure AD, you need to add Netskope User Authentication from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Netskope User Authentication** in the search box. 1. Select **Netskope User Authentication** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Netskope User Authentication
+## Configure and test Azure AD SSO for Netskope User Authentication
Configure and test Azure AD SSO with Netskope User Authentication using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Netskope User Authentication. To configure and test Azure AD SSO with Netskope User Authentication, complete the following building blocks: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Netskope User Authentication SSO](#configure-netskope-user-authentication-sso)** - to configure the single sign-on settings on application side.
- * **[Create Netskope User Authentication test user](#create-netskope-user-authentication-test-user)** - to have a counterpart of B.Simon in Netskope User Authentication that is linked to the Azure AD representation of user.
+ 1. **[Create Netskope User Authentication test user](#create-netskope-user-authentication-test-user)** - to have a counterpart of B.Simon in Netskope User Authentication that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Netskope User Authentication** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal on the **Netskope User Authentication** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Netskope User Authentication**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Netskope User Authentication SSO
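Review bot: The added role step ("If you are expecting a role to be assigned to the users...") no longer mentions the SAML assertion, which the removed step named explicitly. Readers whose application authorizes on a role value in the assertion lose the cue that this selection matters for them. Consider keeping a clause such as "if the application expects a role value in the SAML assertion". The phrase `you see "Default Access" role selected` also needs an article ("the").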
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click **Active Platform** tab.
- ![Screenshot shows Active Platform selected from Settings.](./media/netskope-user-authentication-tutorial/user1.png)
+ ![Screenshot shows Active Platform selected from Settings.](./media/netskope-user-authentication-tutorial/user-1.png)
1. Scroll down to **FORWARD PROXY** and select **SAML**.
- ![Screenshot shows SAML selected from Active Platform.](./media/netskope-user-authentication-tutorial/config-saml.png)
+ ![Screenshot shows SAML selected from Active Platform.](./media/netskope-user-authentication-tutorial/configuration.png)
1. On the **SAML Settings** page, perform the following steps:
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click **ADD ACCOUNT**.
- ![Screenshot shows ADD ACCOUNT selected in the SAML pane.](./media/netskope-user-authentication-tutorial/config-addaccount.png)
+ ![Screenshot shows ADD ACCOUNT selected in the SAML pane.](./media/netskope-user-authentication-tutorial/add-account.png)
1. On the **Add SAML Account** page, perform the following steps:
- ![Screenshot shows Add SAML Account where you can enter the values described.](./media/netskope-user-authentication-tutorial/config-settings1.png)
+ ![Screenshot shows Add SAML Account where you can enter the values described.](./media/netskope-user-authentication-tutorial/configure-settings.png)
a. In the **NAME** textbox, provide the name like Azure AD.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on the **Settings** tab from the left navigation pane.
- ![Screenshot shows Setting selected.](./media/netskope-user-authentication-tutorial/config-settings.png)
+ ![Screenshot shows Setting selected.](./media/netskope-user-authentication-tutorial/configuration-settings.png)
1. Click **Active Platform** tab.
- ![Screenshot shows Active Platform selected from Settings.](./media/netskope-user-authentication-tutorial/user1.png)
+ ![Screenshot shows Active Platform selected from Settings.](./media/netskope-user-authentication-tutorial/user-1.png)
1. Click **Users** tab.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Netskope User Authentication Sign on URL where you can initiate the login flow.
-When you click the Netskope User Authentication tile in the Access Panel, you should be automatically signed in to the Netskope User Authentication for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Netskope User Authentication Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Netskope User Authentication for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Netskope User Authentication tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netskope User Authentication for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Netskope User Authentication with Azure AD](https://aad.portal.azure.com/)
+Once you configure Netskope User Authentication you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
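Review bot: The added "Next steps" paragraph contains a mis-encoded apostrophe in "organizationΓÇÖs"; replace it with a plain `'` and check the file encoding. In the same hunk, the My Apps and Cloud App Security links are now hard-coded `https://docs.microsoft.com/...` URLs, where the removed Access Panel link was repo-relative (`../user-help/my-apps-portal-end-user-access.md`); a relative or site-relative path would be consistent with the rest of the article. Minor: "with following options" should read "with the following options".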
active-directory New Relic Limited Release Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/new-relic-limited-release-tutorial.md
Previously updated : 02/04/2020 Last updated : 04/13/2021
In this tutorial, you'll learn how to integrate New Relic with Azure Active Dire
* Enable your users to be automatically signed-in to New Relic with their Azure AD accounts. * Manage your accounts in one central location: the Azure portal.
-To learn more about software as a service (SaaS) app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need:
To get started, you need:
In this tutorial, you configure and test Azure AD SSO in a test environment. * New Relic supports SSO that's initiated by either the service provider or the identity provider.
-* After you configure New Relic, you can enforce session control, which protects against exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
## Add New Relic from the gallery To configure the integration of New Relic into Azure AD, you need to add **New Relic (By Organization)** from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) by using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account.
1. Select the **Azure Active Directory** service. 1. Select **Enterprise applications** > **New application**. 1. On the **Browse Azure AD Gallery** page, type **New Relic (By Organization)** in the search box.
To configure and test Azure AD SSO with New Relic:
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **New Relic by Organization** application integration page, find the **Manage** section. Then select **Single sign-on**.
+1. In the Azure portal on the **New Relic by Organization** application integration page, find the **Manage** section. Then select **Single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
Follow these steps to enable Azure AD SSO in the Azure portal.
### Create an Azure AD test user
-Here's how to create a test user in the Azure portal called B.Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. From the Azure portal, select **Azure Active Directory**.
-1. Select **Users** > **New user**.
-1. On the **New user** page:
- 1. In the **User name** field, enter the `username@companydomain.extension`. For example, `b.simon@contoso.com`. This should match the email address you'll use on the New Relic side.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
1. In the **Name** field, enter `B.Simon`.
- 1. Select **Show password**, and then save the value that is shown.
- 1. Select **Create**.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-Here's how to enable B.Simon to use Azure AD single sign-on by granting access to the New Relic by Organization application.
-
-1. From the Azure portal, select **Azure Active Directory**.
-1. Select **Enterprise applications** > **New Relic by Organization**.
-1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
-
- ![Screenshot of Manage section, with Users and groups highlighted.](common/users-groups-blade.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to New Relic.
-1. Select **Add user**. In **Add Assignment**, select **Users and groups** (or **Users**, depending on your plan level).
-
- ![Screenshot of Add user option.](common/add-assign-user.png)
-
-1. In **Users and groups** (or **Users**), select **B.Simon** from the **Users** list, and then choose **Select** at the bottom of the screen.
-1. In **Add Assignment**, select **Assign**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **New Relic**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Configure New Relic SSO
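Review bot: The new **User name** step drops the removed sentence "This should match the email address you'll use on the New Relic side", which is the one instruction that ties the Azure AD test user to its New Relic counterpart; please carry it over. The added assignment steps also tell the reader to select **New Relic** in the applications list, while the unchanged steps and the removed lines call the gallery app **New Relic by Organization**; use the same name so the reader picks the right enterprise application.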
In this section, you create a user called B.Simon in New Relic.
## Test SSO
-Here's how to test your Azure AD single sign-on configuration by using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you select **New Relic by Organization** in the Access Panel, you should be automatically signed into New Relic. For more information about the Access Panel, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to New Relic Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to New Relic Sign-on URL directly and initiate the login flow from there.
-- [Tutorials for integrating SaaS applications with Azure Active Directory](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the New Relic for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the New Relic tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the New Relic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [Try New Relic with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure New Relic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
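Review bot: The added "Next steps" sentence says session control "protects exfiltration and infiltration", whereas the line removed earlier in this article read "protects against exfiltration and infiltration"; the new wording reverses the meaning, so restore "against". The same paragraph swaps the site-relative link `/cloud-app-security/proxy-deployment-any-app` for an absolute `https://docs.microsoft.com/...` URL; keeping the site-relative form would match the link it replaces.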
active-directory Outsystems Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/outsystems-tutorial.md
Previously updated : 07/18/2019 Last updated : 04/06/2021
In this tutorial, you'll learn how to integrate OutSystems Azure AD with Azure A
* Enable your users to be automatically signed-in to OutSystems Azure AD with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. OutSystems Azure AD supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* OutSystems Azure AD supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning.
-## Adding OutSystems Azure AD from the gallery
+## Add OutSystems Azure AD from the gallery
To configure the integration of OutSystems Azure AD into Azure AD, you need to add OutSystems Azure AD from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **OutSystems Azure AD** in the search box. 1. Select **OutSystems Azure AD** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for OutSystems Azure AD
-Configure and test Azure AD SSO with OutSystems Azure AD using a test user called **B. Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in OutSystems Azure AD.
+Configure and test Azure AD SSO with OutSystems Azure AD using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in OutSystems Azure AD.
-To configure and test Azure AD SSO with OutSystems Azure AD, complete the following building blocks:
+To configure and test Azure AD SSO with OutSystems Azure AD, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure OutSystems Azure AD](#configure-outsystems-azure-ad)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B. Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B. Simon to use Azure AD single sign-on.
-5. **[Create OutSystems Azure AD test user](#create-outsystems-azure-ad-test-user)** to have a counterpart of B. Simon in OutSystems Azure AD that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure OutSystems Azure AD SSO](#configure-outsystems-azure-ad-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create OutSystems Azure AD test user](#create-outsystems-azure-ad-test-user)** - to have a counterpart of B.Simon in OutSystems Azure AD that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **OutSystems Azure AD** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **OutSystems Azure AD** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure OutSystems Azure AD
-
-To configure single sign-on on OutSystems side, you need to download the [IdP forge](https://www.outsystems.com/forge/component-overview/599/idp) component, configure it as mentioned in the [instructions](https://success.outsystems.com/Documentation/Development_FAQs/How_to_configure_OutSystems_to_use_identity_providers_using_SAML#Configure_your_application_to_use_IdP_connector). After installing the component and do the necessary code changes, configure Azure AD by downloading Federation Metadata XML from Azure portal and upload on OutSystems IdP component, according to the following [instructions](https://success.outsystems.com/Documentation/Development_FAQs/How_to_configure_OutSystems_to_use_identity_providers_using_SAML#Azure_AD_.2F_ADFS).
- ### Create an Azure AD test user
-In this section, you'll create a test user in the Azure portal called B. Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B. Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**. ### Assign the Azure AD test user
-In this section, you'll enable B. Simon to use Azure single sign-on by granting access to OutSystems Azure AD.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to OutSystems Azure AD.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **OutSystems Azure AD**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The Add User link](common/add-assign-user.png)
+## Configure OutSystems Azure AD SSO
-1. In the **Users and groups** dialog, select **B. Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+To configure single sign-on on OutSystems side, you need to download the [IdP forge](https://www.outsystems.com/forge/component-overview/599/idp) component, configure it as mentioned in the [instructions](https://success.outsystems.com/Documentation/Development_FAQs/How_to_configure_OutSystems_to_use_identity_providers_using_SAML#Configure_your_application_to_use_IdP_connector). After installing the component and do the necessary code changes, configure Azure AD by downloading Federation Metadata XML from Azure portal and upload on OutSystems IdP component, according to the following [instructions](https://success.outsystems.com/Documentation/Development_FAQs/How_to_configure_OutSystems_to_use_identity_providers_using_SAML#Azure_AD_.2F_ADFS).
### Create OutSystems Azure AD test user In this section, a user called B.Simon is created in OutSystems. OutSystems supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in OutSystems, a new one is created after authentication.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to OutSystems Azure AD Sign on URL where you can initiate the login flow.
+
+* Go to OutSystems Azure AD Sign-on URL directly and initiate the login flow from there.
-When you select the OutSystems Azure AD tile in the Access Panel, you should be automatically signed in to the OutSystems Azure AD for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the OutSystems Azure AD for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the OutSystems Azure AD tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the OutSystems Azure AD for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure OutSystems Azure AD you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
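Review bot: The relocated "Configure OutSystems Azure AD SSO" paragraph was moved verbatim and still reads "After installing the component and do the necessary code changes ... upload on OutSystems IdP component"; since the line is being touched anyway, fix it to "After installing the component and making the necessary code changes, ... upload it to the OutSystems IdP component". The new `#### SP initiated:` and `#### IDP initiated:` headings also skip a level under `## Test SSO` and end in a colon, unlike the article's other headings.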
active-directory Powerschool Performance Matters Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/powerschool-performance-matters-tutorial.md
Previously updated : 03/08/2019 Last updated : 04/05/2021 # Tutorial: Azure Active Directory integration with Powerschool Performance Matters
-In this tutorial, you learn how to integrate Powerschool Performance Matters with Azure Active Directory (Azure AD).
-Integrating Powerschool Performance Matters with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Powerschool Performance Matters with Azure Active Directory (Azure AD). When you integrate Powerschool Performance Matters with Azure AD, you can:
-* You can control in Azure AD who has access to Powerschool Performance Matters.
-* You can enable your users to be automatically signed-in to Powerschool Performance Matters (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Powerschool Performance Matters.
+* Enable your users to be automatically signed-in to Powerschool Performance Matters with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Powerschool Performance Matters, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Powerschool Performance Matters single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Powerschool Performance Matters single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Powerschool Performance Matters supports **SP** initiated SSO
-
-## Adding Powerschool Performance Matters from the gallery
-
-To configure the integration of Powerschool Performance Matters into Azure AD, you need to add Powerschool Performance Matters from the gallery to your list of managed SaaS apps.
-
-**To add Powerschool Performance Matters from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Powerschool Performance Matters supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Powerschool Performance Matters**, select **Powerschool Performance Matters** from result panel then click **Add** button to add the application.
+## Add Powerschool Performance Matters from the gallery
- ![Powerschool Performance Matters in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Powerschool Performance Matters based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Powerschool Performance Matters needs to be established.
-
-To configure and test Azure AD single sign-on with Powerschool Performance Matters, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Powerschool Performance Matters Single Sign-On](#configure-powerschool-performance-matters-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Powerschool Performance Matters test user](#create-powerschool-performance-matters-test-user)** - to have a counterpart of Britta Simon in Powerschool Performance Matters that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Powerschool Performance Matters into Azure AD, you need to add Powerschool Performance Matters from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Powerschool Performance Matters** in the search box.
+1. Select **Powerschool Performance Matters** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Powerschool Performance Matters
-To configure Azure AD single sign-on with Powerschool Performance Matters, perform the following steps:
+Configure and test Azure AD SSO with Form.com using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Form.com.
-1. In the [Azure portal](https://portal.azure.com/), on the **Powerschool Performance Matters** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Form.com, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Powerschool Performance Matters SSO](#configure-powerschool-performance-matters-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Powerschool Performance Matters test user](#create-powerschool-performance-matters-test-user)** - to have a counterpart of B.Simon in Powerschool Performance Matters that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Powerschool Performance Matters** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following step:
- ![[Application Name] Domain and URLs single sign-on information](common/sp-signonurl.png)
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type a URL using one of the following patterns:
```https https://ola.performancematters.com/ola/?clientcode=<Client Code>
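Review bot: the two added lines under "Configure and test Azure AD SSO for Powerschool Performance Matters" name the wrong application. Both "Configure and test Azure AD SSO with Form.com using a test user called **B.Simon**" and "To configure and test Azure AD SSO with Form.com, perform the following steps" should say Powerschool Performance Matters, matching the heading and the numbered list that follows. Separately, the unchanged step "4. On the **Basic SAML Configuration** section" keeps its hard-coded number while the steps added above it use `1.`; renumbering it to `1.` would keep the list consistent.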
To configure Azure AD single sign-on with Powerschool Performance Matters, perfo
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Powerschool Performance Matters Single Sign-On
-
-To configure single sign-on on **Powerschool Performance Matters** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Powerschool Performance Matters support team](mailto:pmsupport@powerschoo.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Powerschool Performance Matters.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Powerschool Performance Matters.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Powerschool Performance Matters**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Powerschool Performance Matters**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Powerschool Performance Matters SSO
-2. In the applications list, select **Powerschool Performance Matters**.
-
- ![The Powerschool Performance Matters link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Powerschool Performance Matters** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Powerschool Performance Matters support team](mailto:pmsupport@powerschoo.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Powerschool Performance Matters test user In this section, you create a user called Britta Simon in Powerschool Performance Matters. Work with [Powerschool Performance Matters support team](mailto:pmsupport@powerschoo.com) to add the users in the Powerschool Performance Matters platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Powerschool Performance Matters tile in the Access Panel, you should be automatically signed in to the Powerschool Performance Matters for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Powerschool Performance Matters Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Powerschool Performance Matters tile in the My Apps, this will redirect to Powerschool Performance Matters Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Powerschool Performance Matters you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
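Review bot: the added "Configure Powerschool Performance Matters SSO" paragraph carries over the support address `pmsupport@powerschoo.com` from the removed line, and the domain reads as a misspelling. Readers are told to send the downloaded Federation Metadata XML and the copied URLs to that address, so please confirm it with the vendor before this is published; the same address appears in the unchanged "Create Powerschool Performance Matters test user" paragraph. That paragraph also still refers to a user called Britta Simon, while every added line in this hunk renames the test user to B.Simon.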
active-directory Processunity Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/processunity-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ProcessUnity | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and ProcessUnity.
++++++++ Last updated : 04/09/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with ProcessUnity
+
+In this tutorial, you'll learn how to integrate ProcessUnity with Azure Active Directory (Azure AD). When you integrate ProcessUnity with Azure AD, you can:
+
+* Control in Azure AD who has access to ProcessUnity.
+* Enable your users to be automatically signed-in to ProcessUnity with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ProcessUnity single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* ProcessUnity supports **SP and IDP** initiated SSO.
+* ProcessUnity supports **Just In Time** user provisioning.
+
+## Add ProcessUnity from the gallery
+
+To configure the integration of ProcessUnity into Azure AD, you need to add ProcessUnity from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ProcessUnity** in the search box.
+1. Select **ProcessUnity** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for ProcessUnity
+
+Configure and test Azure AD SSO with ProcessUnity using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ProcessUnity.
+
+To configure and test Azure AD SSO with ProcessUnity, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ProcessUnity SSO](#configure-processunity-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ProcessUnity test user](#create-processunity-test-user)** - to have a counterpart of B.Simon in ProcessUnity that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **ProcessUnity** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.processunity.net/<DOMAIN_NAME>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.processunity.net/<DOMAIN_NAME>/SAML/AssertionConsumerServiceV2.aspx`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.processunity.net/<DOMAIN_NAME>/SAML/SamlLoginV2.aspx`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [ProcessUnity Client support team](mailto:customer.support@processunity.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up ProcessUnity** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ProcessUnity.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ProcessUnity**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure ProcessUnity SSO
+
+To configure single sign-on on **ProcessUnity** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ProcessUnity support team](mailto:customer.support@processunity.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create ProcessUnity test user
+
+In this section, a user called Britta Simon is created in ProcessUnity. ProcessUnity supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in ProcessUnity, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to ProcessUnity Sign on URL where you can initiate the login flow.
+
+* Go to ProcessUnity Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ProcessUnity for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the ProcessUnity tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ProcessUnity for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Next steps
+
+Once you configure ProcessUnity you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
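Review bot: the "Create ProcessUnity test user" section says "a user called Britta Simon is created in ProcessUnity", but every other section of this new file uses B.Simon, including the overview bullet that links to this section. Please rename the user here so the walkthrough is consistent. In the "Configure Azure AD SSO" steps, the instruction to find **Federation Metadata XML** and "download the certificate" is also loose: the item being downloaded is the metadata file, and the later "Configure ProcessUnity SSO" paragraph refers to it as the downloaded Federation Metadata XML, so the step should use the same name.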
active-directory Terraform Enterprise Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/terraform-enterprise-tutorial.md
Previously updated : 01/10/2020 Last updated : 04/05/2021
In this tutorial, you'll learn how to integrate Terraform Enterprise with Azure
* Enable your users to be automatically signed-in to Terraform Enterprise with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Terraform Enterprise supports **SP** initiated SSO
-* Terraform Enterprise supports **Just In Time** user provisioning
+* Terraform Enterprise supports **SP** initiated SSO.
+* Terraform Enterprise supports **Just In Time** user provisioning.
-## Adding Terraform Enterprise from the gallery
+## Add Terraform Enterprise from the gallery
To configure the integration of Terraform Enterprise into Azure AD, you need to add Terraform Enterprise from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Terraform Enterprise** in the search box. 1. Select **Terraform Enterprise** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Terraform Enterprise
+## Configure and test Azure AD SSO for Terraform Enterprise
Configure and test Azure AD SSO with Terraform Enterprise using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Terraform Enterprise.
To configure and test Azure AD SSO with Terraform Enterprise, complete the follo
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Terraform Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal on the **Terraform Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Terraform Enterprise**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Terraform Enterprise SSO
In this section, a user called B.Simon is created in Terraform Enterprise. Terra
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Terraform Enterprise tile in the Access Panel, you should be automatically signed in to the Terraform Enterprise for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Terraform Enterprise Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Terraform Enterprise Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Terraform Enterprise tile in the My Apps, this will redirect to Terraform Enterprise Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Terraform Enterprise with Azure AD](https://aad.portal.azure.com/)
+Once you configure Terraform Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
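Review bot: in the added "Next steps" paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as the opposite of what is meant; "protects against exfiltration and infiltration" would fix it. The same paragraph says session control extends from Conditional Access, yet this hunk removes the only link to `../conditional-access/overview.md`, so consider linking the term there. The My Apps link added under "Test SSO" is also an absolute docs.microsoft.com URL, where the removed Access Panel link was repository-relative; a relative link would match the rest of the article.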
active-directory Topdesk Public Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/topdesk-public-tutorial.md
Previously updated : 05/02/2019 Last updated : 04/08/2021 # Tutorial: Azure Active Directory integration with TOPdesk - Public
-In this tutorial, you learn how to integrate TOPdesk - Public with Azure Active Directory (Azure AD).
-Integrating TOPdesk - Public with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate TOPdesk - Public with Azure Active Directory (Azure AD). When you integrate TOPdesk - Public with Azure AD, you can:
-* You can control in Azure AD who has access to TOPdesk - Public.
-* You can enable your users to be automatically signed-in to TOPdesk - Public (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to TOPdesk - Public.
+* Enable your users to be automatically signed-in to TOPdesk - Public with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with TOPdesk - Public, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* TOPdesk - Public single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* TOPdesk - Public single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* TOPdesk - Public supports **SP** initiated SSO
+* TOPdesk - Public supports **SP** initiated SSO.
-## Adding TOPdesk - Public from the gallery
+## Add TOPdesk - Public from the gallery
To configure the integration of TOPdesk - Public into Azure AD, you need to add TOPdesk - Public from the gallery to your list of managed SaaS apps.
-**To add TOPdesk - Public from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **TOPdesk - Public**, select **TOPdesk - Public** from result panel then click **Add** button to add the application.
-
- ![TOPdesk - Public in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with TOPdesk - Public based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in TOPdesk - Public needs to be established.
-
-To configure and test Azure AD single sign-on with TOPdesk - Public, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **TOPdesk - Public** in the search box.
+1. Select **TOPdesk - Public** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure TOPdesk - Public Single Sign-On](#configure-topdeskpublic-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create TOPdesk - Public test user](#create-topdeskpublic-test-user)** - to have a counterpart of Britta Simon in TOPdesk - Public that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for TOPdesk - Public
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with TOPdesk - Public using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TOPdesk - Public.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with TOPdesk - Public, perform the following steps:
-To configure Azure AD single sign-on with TOPdesk - Public, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure TOPdesk - Public SSO](#configure-topdeskpublic-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create TOPdesk - Public test user](#create-topdeskpublic-test-user)** - to have a counterpart of B.Simon in TOPdesk - Public that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **TOPdesk - Public** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **TOPdesk - Public** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file**, perform the following steps:
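Review bot: The three rewritten steps under **Configure Azure AD SSO** now use `1.` auto-numbering, but the unchanged step that follows still starts with a literal `4.`, so the list source mixes two numbering styles and the later numbers will drift if a step is inserted or removed. Convert the remaining steps of this list to `1.` in the same change. The new summary list also links to `#configure-topdeskpublic-sso` and `#create-topdeskpublic-test-user`; please confirm that these fragments match the anchors generated for the headings, whose text contains `TOPdesk - Public` with spaces and a hyphen.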
To configure Azure AD single sign-on with TOPdesk - Public, perform the followin
c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section.
- ![TOPdesk - Public Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- d. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<companyname>.topdesk.net`
To configure Azure AD single sign-on with TOPdesk - Public, perform the followin
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure TOPdesk - Public Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TOPdesk - Public.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **TOPdesk - Public**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure TOPdesk - Public SSO
1. Sign on to your **TOPdesk - Public** company site as an administrator. 2. In the **TOPdesk** menu, click **Settings**.
- ![Settings](./media/topdesk-public-tutorial/ic790598.png "Settings")
+ ![Settings](./media/topdesk-public-tutorial/menu.png "Settings")
3. Click **Login Settings**.
- ![Login Settings](./media/topdesk-public-tutorial/ic790599.png "Login Settings")
+ ![Login Settings](./media/topdesk-public-tutorial/login.png "Login Settings")
4. Expand the **Login Settings** menu, and then click **General**.
- ![General](./media/topdesk-public-tutorial/ic790600.png "General")
+ ![General Settings](./media/topdesk-public-tutorial/general.png "General Settings")
5. In the **Public** section of the **SAML login** configuration section, perform the following steps:
- ![Technical Settings](./media/topdesk-public-tutorial/ic790601.png "Technical Settings")
+ ![Technical Settings](./media/topdesk-public-tutorial/public.png "Technical Settings")
a. Click **Download** to download the public metadata file, and then save it locally on your computer. b. Open the downloaded metadata file, and then locate the **AssertionConsumerService** node.
- ![AssertionConsumerService](./media/topdesk-public-tutorial/ic790619.png "AssertionConsumerService")
+ ![AssertionConsumerService](./media/topdesk-public-tutorial/service.png "AssertionConsumerService")
c. Copy the **AssertionConsumerService** value, paste this value in the **Reply URL** textbox in **Basic SAML Configuration** section. 6. To create a certificate file, perform the following steps:
- ![Certificate](./media/topdesk-public-tutorial/ic790606.png "Certificate")
+ ![Certificate](./media/topdesk-public-tutorial/certificate-file.png "Certificate")
a. Open the downloaded metadata file from Azure portal.
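Review bot: In the added **Create an Azure AD test user** steps, the reader is told to write down the generated password for `B.Simon`, and the next added section grants that account access to the app, but nothing in the added text says what to do with the account once testing is finished. Consider adding a line that tells readers to delete or disable the test user after SSO is verified. The placeholder in "enter the username@companydomain.extension" would also read better in code formatting, as the `B.Simon@contoso.com` example next to it already is.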
To configure Azure AD single sign-on with TOPdesk - Public, perform the followin
7. In the **Public** section, click **Add**.
- ![SAML Login](./media/topdesk-public-tutorial/ic790625.png "SAML Login")
+ ![SAML Login](./media/topdesk-public-tutorial/add.png "SAML Login")
8. On the **SAML configuration assistant** dialog page, perform the following steps:
- ![SAML Configuration Assistant](./media/topdesk-public-tutorial/ic790608.png "SAML Configuration Assistant")
+ ![SAML Configuration Assistant](./media/topdesk-public-tutorial/configuration.png "SAML Configuration Assistant")
a. To upload your downloaded metadata file from Azure portal, under **Federation Metadata**, click **Browse**.
To configure Azure AD single sign-on with TOPdesk - Public, perform the followin
f. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to TOPdesk - Public.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TOPdesk - Public**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **TOPdesk - Public**.
-
- ![The TOPdesk - Public link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create TOPdesk - Public test user In order to enable Azure AD users to sign into TOPdesk - Public, they must be provisioned into TOPdesk - Public. In the case of TOPdesk - Public, provisioning is a manual task.
In order to enable Azure AD users to sign into TOPdesk - Public, they must be pr
2. In the menu on the top, click **TOPdesk \> New \> Support Files \> Person**.
- ![Person](./media/topdesk-public-tutorial/ic790628.png "Person")
+ ![Person](./media/topdesk-public-tutorial/files.png "Person")
3. On the New Person dialog, perform the following steps:
- ![New Person](./media/topdesk-public-tutorial/ic790629.png "New Person")
+ ![New Person](./media/topdesk-public-tutorial/new.png "New Person")
a. Click the General tab.
In order to enable Azure AD users to sign into TOPdesk - Public, they must be pr
> [!NOTE] > You can use any other TOPdesk - Public user account creation tools or APIs provided by TOPdesk - Public to provision Azure AD user accounts.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the TOPdesk - Public tile in the Access Panel, you should be automatically signed in to the TOPdesk - Public for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to TOPdesk - Public Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to TOPdesk - Public Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the TOPdesk - Public tile in the My Apps, this will redirect to TOPdesk - Public Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure TOPdesk - Public you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
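Review bot: The added **Next steps** paragraph contains a non-ASCII apostrophe in "organization's" that shows up as `ΓÇÖ` here, and "protects exfiltration and infiltration" is missing "against". Use a plain ASCII apostrophe and write "protects against exfiltration and infiltration". The two new links in this hunk are absolute `https://docs.microsoft.com/...` URLs, while the lines they replace used relative paths such as `../user-help/my-apps-portal-end-user-access.md`; relative links are preferable so that link validation still covers them. "with following options" in the **Test SSO** intro also needs an article.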
active-directory Webmethods Integration Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/webmethods-integration-cloud-tutorial.md
Previously updated : 02/15/2019 Last updated : 04/14/2021 # Tutorial: Azure Active Directory integration with webMethods Integration Suite
-In this tutorial, you learn how to integrate webMethods Integration Suite with Azure Active Directory (Azure AD).
-Integrating webMethods Integration Suite with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate webMethods Integration Suite with Azure Active Directory (Azure AD). When you integrate webMethods Integration Suite with Azure AD, you can:
-* You can control in Azure AD who has access to webMethods Integration Suite.
-* You can enable your users to be automatically signed-in to webMethods Integration Suite (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to webMethods Integration Suite.
+* Enable your users to be automatically signed-in to webMethods Integration Suite with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with webMethods Integration Suite, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/).
-* webMethods Integration Suite single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* webMethods Integration Suite single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* webMethods Integration Suite supports **SP** and **IDP** initiated SSO
+* webMethods Integration Suite supports **SP** and **IDP** initiated SSO.
-* webMethods Integration Suite supports **just-in-time** user provisioning
+* webMethods Integration Suite supports **just-in-time** user provisioning.
-## Adding webMethods Integration Suite from the gallery
+## Add webMethods Integration Suite from the gallery
To configure the integration of webMethods Integration Suite into Azure AD, you need to add webMethods Integration Suite from the gallery to your list of managed SaaS apps.
-**To add webMethods Integration Suite from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **webMethods Integration Suite**, select **webMethods Integration Suite** from result panel then click **Add** button to add the application.
-
- ![webMethods Integration Suite in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with webMethods Integration Suite based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in webMethods Integration Suite needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **webMethods Integration Suite** in the search box.
+1. Select **webMethods Integration Suite** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with webMethods Integration Suite, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for webMethods Integration Suite
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure webMethods Integration Suite Single Sign-On](#configure-webmethods-integration-suite-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create webMethods Integration Suite test user](#create-webmethods-integration-suite-test-user)** - to have a counterpart of Britta Simon in webMethods Integration Suite that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with webMethods Integration Suite using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in webMethods Integration Suite.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with webMethods Integration Suite, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure webMethods Integration Suite SSO](#configure-webmethods-integration-suite-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create webMethods Integration Suite test user](#create-webmethods-integration-suite-test-user)** - to have a counterpart of B.Simon in webMethods Integration Suite that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with webMethods Integration Suite, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **webMethods Integration Suite** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **webMethods Integration Suite** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. To configure the **webMethods Integration Cloud**, on the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
+ a. In the **Identifier** text box, type a URL using one of the following patterns:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ | Identifier URL |
+ |-|
+ | `<SUBDOMAIN>.webmethodscloud.com`|
+ | `<SUBDOMAIN>.webmethodscloud.eu` |
+ | `<SUBDOMAIN>.webmethodscloud.de` |
+ |
- - `<SUBDOMAIN>.webmethodscloud.com`
- - `<SUBDOMAIN>.webmethodscloud.eu`
- - `<SUBDOMAIN>.webmethodscloud.de`
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
- b. In the **Reply URL** text box, type a URL using the following pattern:
--
- - `https://<SUBDOMAIN>.webmethodscloud.com/integration/live/saml/ssoResponse`
- - `https://<SUBDOMAIN>.webmethodscloud.eu/integration/live/saml/ssoResponse`
- - `https://<SUBDOMAIN>.webmethodscloud.de/integration/live/saml/ssoResponse`
+ | Reply URL |
+ |-|
+ | `https://<SUBDOMAIN>.webmethodscloud.com/integration/live/saml/ssoResponse`|
+ | `https://<SUBDOMAIN>.webmethodscloud.eu/integration/live/saml/ssoResponse`|
+ | `https://<SUBDOMAIN>.webmethodscloud.de/integration/live/saml/ssoResponse`|
+ |
c. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- d. In the **Sign-on URL** text box, type a URL using the following pattern:
+ d. In the **Sign-on URL** text box, type a URL using one of the following patterns:
- - `https://<SUBDOMAIN>.webmethodscloud.com/integration/live/saml/ssoRequest`
- - `https://<SUBDOMAIN>.webmethodscloud.eu/integration/live/saml/ssoRequest`
- - `https://<SUBDOMAIN>.webmethodscloud.de/integration/live/saml/ssoRequest`
+ | Sign-on URL |
+ |--|
+ |`https://<SUBDOMAIN>.webmethodscloud.com/integration/live/saml/ssoRequest`|
+ |`https://<SUBDOMAIN>.webmethodscloud.eu/integration/live/saml/ssoRequest`|
+ |`https://<SUBDOMAIN>.webmethodscloud.de/integration/live/saml/ssoRequest`|
+ |
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [webMethods Integration Suite Client support team](https://empower.softwareag.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 5. To configure the **webMethods API Cloud**, on the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
+ a. In the **Identifier** text box, type a URL using one of the following patterns:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ | Identifier URL |
+ |-|
+ | `<SUBDOMAIN>.webmethodscloud.com`|
+ |`<SUBDOMAIN>.webmethodscloud.eu`|
+ | `<SUBDOMAIN>.webmethodscloud.de`|
+ |
- - `<SUBDOMAIN>.webmethodscloud.com`
- - `<SUBDOMAIN>.webmethodscloud.eu`
- - `<SUBDOMAIN>.webmethodscloud.de`
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
- b. In the **Reply URL** text box, type a URL using the following pattern:
-
- - `https://<SUBDOMAIN>.webmethodscloud.com/umc/rest/saml/initsso`
- - `https://<SUBDOMAIN>.webmethodscloud.eu/umc/rest/saml/initsso`
- - `https://<SUBDOMAIN>.webmethodscloud.de/umc/rest/saml/initsso`
+ | Reply URL |
+ |-|
+ | `https://<SUBDOMAIN>.webmethodscloud.com/umc/rest/saml/initsso`|
+ | `https://<SUBDOMAIN>.webmethodscloud.eu/umc/rest/saml/initsso`|
+ | `https://<SUBDOMAIN>.webmethodscloud.de/umc/rest/saml/initsso`|
+ |
c. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- d. In the **Sign-on URL** text box, type a URL using the following pattern:
-
- - `https://api.webmethodscloud.com/umc/rest/saml/initsso/?tenant=<TENANTID>`
- - `https://api.webmethodscloud.eu/umc/rest/saml/initsso/?tenant=<TENANTID>`
- - `https://api.webmethodscloud.de/umc/rest/saml/initsso/?tenant=<TENANTID>`
+ d. In the **Sign-on URL** text box, type a URL using one of the following patterns:
+
+ | Sign-on URL |
+ |--|
+ | `https://api.webmethodscloud.com/umc/rest/saml/initsso/?tenant=<TENANTID>`|
+ | `https://api.webmethodscloud.eu/umc/rest/saml/initsso/?tenant=<TENANTID>`|
+ | `https://api.webmethodscloud.de/umc/rest/saml/initsso/?tenant=<TENANTID>`|
+ |
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [webMethods Integration Suite Client support team](https://empower.softwareag.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
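Review bot: Each of the six new URL tables ends with a row that contains only `|`, which is not a valid table row and may render as a stray pipe or an empty row. Drop those trailing lines and close each table with a blank line. The separator rows (`|-|` in some tables, `|--|` in others) and the cell padding also vary between tables; one form throughout would be easier to maintain. The Identifier steps say "type a URL" while the patterns have no scheme (`<SUBDOMAIN>.webmethodscloud.com`), unlike the Reply URL and Sign-on URL patterns, so either say "type a value" or confirm whether `https://` is expected.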
To configure Azure AD single sign-on with webMethods Integration Suite, perform
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure webMethods Integration Suite Single Sign-On
-
-To configure single sign-on on **webMethods Integration Suite** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [webMethods Integration Suite support team](https://empower.softwareag.com/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to webMethods Integration Suite.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **webMethods Integration Suite**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **webMethods Integration Suite**.
-
- ![The webMethods Integration Suite link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to webMethods Integration Suite.
- ![The "Users and groups" link](common/users-groups-blade.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **webMethods Integration Suite**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+## Configure webMethods Integration Suite SSO
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **webMethods Integration Suite** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [webMethods Integration Suite support team](https://empower.softwareag.com/). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create webMethods Integration Suite test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, a user called Britta Simon is created in webMethods Integration Suite. webMethods Integration Suite supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in webMethods Integration Suite, a new one is created after authentication.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create webMethods Integration Suite test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, a user called Britta Simon is created in webMethods Integration Suite. webMethods Integration Suite supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in webMethods Integration Suite, a new one is created after authentication.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to webMethods Integration Suite Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to webMethods Integration Suite Sign-on URL directly and initiate the login flow from there.
-When you click the webMethods Integration Suite tile in the Access Panel, you should be automatically signed in to the webMethods Integration Suite for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the webMethods Integration Suite for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the webMethods Integration Suite tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the webMethods Integration Suite for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure webMethods Integration Suite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
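Review bot: The re-added **Create webMethods Integration Suite test user** paragraph still says "a user called Britta Simon is created", while every other added line in this change names the test user `B.Simon`. Rename it there too so the tutorial refers to one account. Under `## Test SSO`, the new `#### SP initiated:` and `#### IDP initiated:` headings skip a heading level and end in a colon; `###` without the colon matches the rest of the file. The **Next steps** paragraph has the same garbled apostrophe (`ΓÇÖ`) and the same missing "against" as in the other tutorials in this update.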
active-directory Wuru App Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wuru-app-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with W├║ru App | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and W├║ru App.
++++++++ Last updated : 04/08/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with W├║ru App
+
+In this tutorial, you'll learn how to integrate W├║ru App with Azure Active Directory (Azure AD). When you integrate W├║ru App with Azure AD, you can:
+
+* Control in Azure AD who has access to W├║ru App.
+* Enable your users to be automatically signed-in to W├║ru App with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* W├║ru App single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* W├║ru App supports **SP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Adding W├║ru App from the gallery
+
+To configure the integration of W├║ru App into Azure AD, you need to add W├║ru App from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **W├║ru App** in the search box.
+1. Select **W├║ru App** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for W├║ru App
+
+Configure and test Azure AD SSO with W├║ru App using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in W├║ru App.
+
+To configure and test Azure AD SSO with W├║ru App, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Wuru App SSO](#configure-wuru-app-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Wuru App test user](#create-wuru-app-test-user)** - to have a counterpart of B.Simon in W├║ru App that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **W├║ru App** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ a. In the **Sign on URL** text box, type the URL:
+ `https://app.wuru.site/api/auth/azure`
+
+ b. In the **Identifier (Entity ID)** text box, type the value:
+ `urn:amazon:cognito:sp:us-east-2_142Y3PTBg`
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up W├║ru App** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to W├║ru App.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **W├║ru App**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Wuru App SSO
+
+To configure single sign-on on **W├║ru App** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [W├║ru App support team](mailto:contacto@wuru.site). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Wuru App test user
+
+In this section, you create a user called Britta Simon in Wúru App. Work with [Wúru App support team](mailto:contacto@wuru.site) to add the users in the Wúru App platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to W├║ru App Sign-on URL where you can initiate the login flow.
+
+* Go to W├║ru App Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the W├║ru App tile in the My Apps, this will redirect to W├║ru App Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure W├║ru App you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
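Review bot: In "Create Wuru App test user" the new file tells the reader to create a user called Britta Simon, but the step list, "Create an Azure AD test user" and "Assign the Azure AD test user" all use B.Simon. Use B.Simon there too, since SSO depends on the account on the application side matching the Azure AD user. In the **SAML Signing Certificate** step, "select **Download** to download the certificate" describes the Federation Metadata XML, so say "download the metadata file" instead. The sentence "They set this setting to have the SAML SSO connection set properly on both sides" is hard to follow; something like "The support team applies these settings so that the SAML SSO connection is configured on both sides" reads better. The lone `+` lines added before "## Configure and test Azure AD SSO", before "## Next steps" and at the end of the file look like leftovers and should be removed.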
active-directory Zscaler Two Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-two-tutorial.md
Previously updated : 12/18/2020 Last updated : 04/06/2021 # Tutorial: Azure Active Directory integration with Zscaler Two
To configure Azure AD integration with Zscaler Two, you need the following items
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Zscaler Two supports **SP** initiated SSO
+* Zscaler Two supports **SP** initiated SSO.
-* Zscaler Two supports **Just In Time** user provisioning
+* Zscaler Two supports **Just In Time** user provisioning.
-## Adding Zscaler Two from the gallery
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Zscaler Two from the gallery
To configure the integration of Zscaler Two into Azure AD, you need to add Zscaler Two from the gallery to your list of managed SaaS apps.
To configure and test Azure AD SSO with Zscaler Two, perform the following steps
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Zscaler Three** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Zscaler Two** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Zscaler Two.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Zscaler Two**.
-2. In the applications list, select **Zscaler Two**.
-3. In the menu on the left, select **Users and groups**.
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-5. In the **Users and groups** dialog, select the user like **Britta Simon** from the list, then click the **Select** button at the bottom of the screen.
-
- ![Screenshot shows the Users and groups dialog box where you can select a user.](./media/zscaler-two-tutorial/tutorial_zscalertwo_users.png)
-
-6. From the **Select Role** dialog choose the appropriate user role in the list, then click the **Select** button at the bottom of the screen.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Zscaler Two.
- ![Screenshot shows the Select Role dialog box where you can choose a user role.](./media/zscaler-two-tutorial/tutorial_zscalertwo_roles.png)
-
-7. In the **Add Assignment** dialog select the **Assign** button.
-
- ![Screenshot shows the Add Assignment dialog box where you can select Assign.](./media/zscaler-two-tutorial/tutorial_zscalertwo_assign.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Zscaler Two**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Configure Zscaler Two SSO
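Review bot: The rewritten "Assign the Azure AD test user" steps switch the test user to B.Simon, but the unchanged "Create Zscaler Two test user" text later in the file still reads "a user called Britta Simon is created in Zscaler Two". Update that sentence in the same change so the tutorial names one test user throughout. The new role step says "you see "Default Access" role selected"; "you see the "Default Access" role selected" is the grammatical form.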
In this section, you enable Britta Simon to use Azure single sign-on by granting
4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps:
- ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-two-tutorial/ic800206.png "Administration")
+ ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-two-tutorial/administrator.png "Administration")
a. Under Authentication Type, choose **SAML**.
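Review bot: The replacement image line keeps the alt text "Screenshot shows the Zscaler One site with steps as described." although this is the Zscaler Two tutorial. Since the line is already being touched to rename the file to `administrator.png`, correct the alt text to Zscaler Two here as well.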
In this section, you enable Britta Simon to use Azure single sign-on by granting
5. On the **Edit SAML** window, perform the following steps: and click Save.
- ![Manage Users & Authentication](./media/zscaler-two-tutorial/ic800208.png "Manage Users & Authentication")
+ ![Manage Users & Authentication](./media/zscaler-two-tutorial/authentication.png "Manage Users & Authentication")
a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
In this section, you enable Britta Simon to use Azure single sign-on by granting
6. On the **Configure User Authentication** dialog page, perform the following steps:
- ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-two-tutorial/ic800207.png)
+ ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-two-tutorial/activation.png)
a. Hover over the **Activation** menu near the bottom left. b. Click **Activate**. ## Configuring proxy settings+ ### To configure the proxy settings in Internet Explorer 1. Start **Internet Explorer**. 2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
- ![Internet Options](./media/zscaler-two-tutorial/ic769492.png "Internet Options")
+ ![Internet Options](./media/zscaler-two-tutorial/internet.png "Internet Options")
3. Click the **Connections** tab.
In this section, you enable Britta Simon to use Azure single sign-on by granting
5. In the Proxy server section, perform the following steps:
- ![Proxy server](./media/zscaler-two-tutorial/ic769494.png "Proxy server")
+ ![Proxy server](./media/zscaler-two-tutorial/proxy.png "Proxy server")
a. Select **Use a proxy server for your LAN**.
In this section, a user called Britta Simon is created in Zscaler Two. Zscaler T
>[!Note] >If you need to create a user manually, contact [Zscaler Two support team](https://www.zscaler.com/company/contact).
-### Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
In this section, you test your Azure AD single sign-on configuration with follow
* You can use Microsoft My Apps. When you click the Zscaler Two tile in the My Apps, this will redirect to Zscaler Two Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure Zscaler Two you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
analysis-services Analysis Services Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-create-powershell.md
Title: Quickstart - Create Azure Analysis Services using PowerShell Azure Analysis Services | Microsoft Docs description: This quickstart describes how to create an Azure Analysis Services server by using PowerShell -- Previously updated : 08/31/2020 - Last updated : 08/31/2020+++
+ - references_regions
+ - devx-track-azurepowershell
+ - mode-api
#Customer intent: As a BI developer, I want to create an Azure Analysis Services server by using PowerShell.
Remove-AzAnalysisServicesServer -Name "myserver" -ResourceGroupName "myResourceG
In this quickstart, you learned how to create a server in your Azure subscription by using PowerShell. Now that you have server, you can help secure it by configuring an (optional) server firewall. You can also add a basic sample data model to your server right from the portal. Having a sample model is helpful when learning about configuring model database roles and testing client connections. To learn more, continue to the tutorial for adding a sample model. > [!div class="nextstepaction"]
-> [Quickstart: Configure server firewall - Portal](analysis-services-qs-firewall.md)
+> [Quickstart: Configure server firewall - Portal](analysis-services-qs-firewall.md)
analysis-services Analysis Services Create Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-create-server.md
Title: Quickstart - Create an Analysis Services server in Azure portal | Microsoft Docs description: This quickstart describes how to create an Azure Analysis Services server instance by using the Azure portal. -- Previously updated : 08/31/2020 Last updated : 08/31/2020+++
+ - mode-portal
#Customer intent: As a BI developer, I want to create an Azure Analysis Services server by using the Azure portal. # Quickstart: Create a server - Portal
When no longer needed, delete your server. In your server's **Overview**, click
In this quickstart, you learned how to create a server in your Azure subscription. Now that you have server, you can help secure it by configuring an (optional) server firewall. You can also add a basic sample data model to your server right from the portal. Having a sample model is helpful when learning about configuring model database roles and testing client connections. To learn more, continue to the tutorial for adding a sample model. > [!div class="nextstepaction"]
-> [Quickstart: Configure server firewall - Portal](analysis-services-qs-firewall.md)
+> [Quickstart: Configure server firewall - Portal](analysis-services-qs-firewall.md)
analysis-services Analysis Services Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-create-template.md
-
+ Title: Quickstart - Create an Azure Analysis Services server resource by using Azure Resource Manager template description: Quickstart showing how to an Azure Analysis Services server resource by using an Azure Resource Manager template.
-tags: azure-resource-manager
-- Last updated 08/31/2020--++
+tags:
+ - azure-resource-manager
+
+ - subject-armqs
+ - references_regions
+ - mode-arm
#Customer intent: As a BI developer who is new to Azure, I want to use Azure Analysis Services to store and manage my organizations data models.- # Quickstart: Create a server - ARM template
analysis-services Analysis Services Qs Firewall https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-qs-firewall.md
Title: Quickstart - Configure Azure Analysis Services server firewall | Microsoft Docs description: This quickstart helps you configure a firewall for an Azure Analysis Services server by using the Azure portal. -- Previously updated : 08/12/2020 Last updated : 08/12/2020+++
+ - mode-portal
#Customer intent: As a BI developer, I want to secure my server by configuring a server firewall and create open IP address ranges for client computers in my organization. # Quickstart: Configure server firewall - Portal
api-management Api Management Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-features.md
description: Compare API Management tiers based on the features they offer. See
documentationcenter: '' - - Previously updated : 07/15/2020 Last updated : 04/13/2021
Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
| Azure AD integration<sup>1</sup> | No | Yes | No | Yes | Yes | | Virtual Network (VNet) support | No | Yes | No | No | Yes | | Multi-region deployment | No | No | No | No | Yes |
+| Availability zones | No | No | No | No | Yes |
| Multiple custom domain names | No | Yes | No | No | Yes | | Developer portal<sup>2</sup> | No | Yes | Yes | Yes | Yes | | Built-in cache | No | Yes | Yes | Yes | Yes |
Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
| [Backup and restore](api-management-howto-disaster-recovery-backup-restore.md) | No | Yes | Yes | Yes | Yes | | [Management over Git](api-management-configuration-repository-git.md) | No | Yes | Yes | Yes | Yes | | Direct management API | No | Yes | Yes | Yes | Yes |
-| Azure Monitor logs and metrics | Yes | Yes | Yes | Yes | Yes |
+| Azure Monitor logs and metrics | No | Yes | Yes | Yes | Yes |
| Static IP | No | Yes | Yes | Yes | Yes | <sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
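Review bot: The "Azure Monitor logs and metrics" row changes its first column from Yes to No, which is a separate factual claim from the new "Availability zones" row added above it. Confirm that the first tier really has no Azure Monitor logs and metrics and call the correction out in the change description, because readers who choose a tier based on logging and monitoring coverage rely on this cell.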
api-management Api Management Howto Deploy Multi Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-deploy-multi-region.md
Title: Deploy Azure API Management services to multiple Azure regions description: Learn how to deploy an Azure API Management service instance to multiple Azure regions.- - -- Previously updated : 04/20/2020+ Last updated : 04/13/2021
Azure API Management supports multi-region deployment, which enables API publish
A new Azure API Management service initially contains only one [unit][unit] in a single Azure region, the Primary region. Additional units can be added to the Primary or Secondary regions. An API Management gateway component is deployed to every selected Primary and Secondary region. Incoming API requests are automatically directed to the closest region. If a region goes offline, the API requests will be automatically routed around the failed region to the next closest gateway. > [!NOTE]
-> Only the gateway component of API Management is deployed to all regions. The service management component and developer portal are hosted in the Primary region only. Therefore, in case of the Primary region outage, access to the developer portal and ability to change configuration (e.g. adding APIs, applying policies) will be impaired until the Primary region comes back online. While the Primary region is offline available Secondary regions will continue to serve the API traffic using the latest configuration available to them.
+> Only the gateway component of API Management is deployed to all regions. The service management component and developer portal are hosted in the Primary region only. Therefore, in case of the Primary region outage, access to the developer portal and ability to change configuration (e.g. adding APIs, applying policies) will be impaired until the Primary region comes back online. While the Primary region is offline, available Secondary regions will continue to serve the API traffic using the latest configuration available to them. Optionally enable [zone redundacy](zone-redundancy.md) to improve the availability and resiliency of the Primary or Secondary regions.
>[!IMPORTANT] > The feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo. For all other regions, customer data is stored in Geo. [!INCLUDE [premium.md](../../includes/api-management-availability-premium.md)]
-## <a name="add-region"> </a>Deploy API Management service to a new region
-> [!NOTE]
-> If you have not yet created an API Management service instance, see [Create an API Management service instance][create an api management service instance].
+## Prerequisites
-1. In the Azure portal, navigate to your API Management service and click on the **Locations** entry in the menu.
-2. Click **+ Add** in the top bar.
-3. Select the location from the drop-down list and set the number of units with the slider.
-4. Click the **Add** button to confirm.
-5. Repeat this process until you configure all locations.
-6. Click **Save** in the top bar to start the deployment process.
+* If you have not yet created an API Management service instance, see [Create an API Management service instance](get-started-create-service-instance.md). Select the Premium service tier.
+* If your API Management instance is deployed in a [virtual network](api-management-using-with-vnet.md), ensure that you set up a virtual network, subnet, and public IP address in the location that you plan to add.
+
+## <a name="add-region"> </a>Deploy API Management service to an additional location
+
+1. In the Azure portal, navigate to your API Management service and select **Locations** in the menu.
+1. Select **+ Add** in the top bar.
+1. Select the location from the drop-down list.
+1. Select the number of scale **[Units](upgrade-and-scale.md)** in the location.
+1. Optionally enable [**Availability zones**](zone-redundancy.md).
+1. If the API Management instance is deployed in a [virtual network](api-management-using-with-vnet.md), configure virtual network settings in the location. Select an existing virtual network, subnet, and public IP address that are available in the location.
+1. Select **Add** to confirm.
+1. Repeat this process until you configure all locations.
+1. Select **Save** in the top bar to start the deployment process.
## <a name="remove-region"> </a>Delete an API Management service location
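Review bot: The sentence added to the NOTE has a typo in its link text, "[zone redundacy](zone-redundancy.md)"; it should read "zone redundancy". In the new "Prerequisites" list, the virtual network bullet asks for "a virtual network, subnet, and public IP address in the location that you plan to add", and step 6 of the new procedure repeats this as "Select an existing virtual network, subnet, and public IP address"; state in one of the two places whether the public IP address is required for every added location or only in some configurations, since the removed steps did not mention it at all.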
api-management Api Management Howto Ip Addresses https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-ip-addresses.md
description: Learn how to retrieve the IP addresses of an Azure API Management s
documentationcenter: '' - - Previously updated : 08/26/2019 Last updated : 04/13/2021
In the Developer, Basic, Standard, and Premium tiers of API Management, the publ
* Azure Virtual Network is added to or removed from the service. * API Management service is switched between External and Internal VNet deployment mode.
-In [multi-regional deployments](api-management-howto-deploy-multi-region.md), the regional IP address changes if a region is vacated and then reinstated.
+In [multi-regional deployments](api-management-howto-deploy-multi-region.md), the regional IP address changes if a region is vacated and then reinstated. The regional IP address also changes when you enable, add, or remove [availability zones](zone-redundancy.md).
api-management Api Management Using With Internal Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-using-with-internal-vnet.md
description: Learn how to set up and configure Azure API Management on an intern
documentationcenter: '' - editor: '' -- Previously updated : 03/09/2021+ Last updated : 04/12/2021
Using API Management in internal mode, you can achieve the following scenarios:
* Enable hybrid cloud scenarios by exposing your cloud-based APIs and on-premises APIs through a common gateway. * Manage your APIs hosted in multiple geographic locations by using a single gateway endpoint. + [!INCLUDE [premium-dev.md](../../includes/api-management-availability-premium-dev.md)] ## Prerequisites
To perform the steps described in this article, you must have:
[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] + **An Azure API Management instance**. For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).
-+ When an API Management service is deployed in a virtual network, a [list of ports](./api-management-using-with-vnet.md#required-ports) are used and need to be opened.
++
+When an API Management service is deployed in a virtual network, a [list of ports](./api-management-using-with-vnet.md#required-ports) are used and need to be opened.
## <a name="enable-vpn"> </a>Creating an API Management in an internal virtual network
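Review bot: The prerequisites change leaves a lone `+` line in front of "When an API Management service is deployed in a virtual network", so the list gains an empty bullet and the sentence about the required ports becomes a detached paragraph. Either keep the sentence as a list item, as it was before, or remove the stray `+` and separate the paragraph from the list with a blank line.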
-The API Management service in an internal virtual network is hosted behind an [internal load balancer (classic)](/previous-versions/azure/load-balancer/load-balancer-get-started-ilb-classic-cloud). This is the only option available and can't be changed.
+The API Management service in an internal virtual network is hosted behind an internal load balancer Basic SKU if the service is created with client API version 2020-12-01. For service created with clients having API version 2021-01-01-preview and having a public IP address from the customer's subscription, it is hosted behind an internal load balancer Standard SKU. For more information, see [Azure Load Balancer SKUs](../load-balancer/skus.md).
### Enable a virtual network connection using the Azure portal 1. Browse to your Azure API Management instance in the [Azure portal](https://portal.azure.com/).
-2. Select **Virtual network**.
-3. Configure the API Management instance to be deployed inside the virtual network.
+1. Select **Virtual network**.
+1. Configure the **Internal** access type. For detailed steps, see [Enable VNET connectivity using the Azure portal](api-management-using-with-vnet.md#enable-vnet-connectivity-using-the-azure-portal).
![Menu for setting up an Azure API Management in an internal virtual network][api-management-using-internal-vnet-menu] 4. Select **Save**.
-After the deployment succeeds, you should see **private** virtual IP address and **public** virtual IP address of your API Management service on the overview blade. The **private** virtual IP address is a load balanced IP address from within the API Management delegated subnet over which `gateway`, `portal`, `management` and `scm` endpoints can be accessed. The **public** virtual IP address is used **only** for control plane traffic to `management` endpoint over port 3443 and can be locked down to the [ApiManagement][ServiceTags] servicetag.
+After the deployment succeeds, you should see **private** virtual IP address and **public** virtual IP address of your API Management service on the overview blade. The **private** virtual IP address is a load balanced IP address from within the API Management delegated subnet over which `gateway`, `portal`, `management` and `scm` endpoints can be accessed. The **public** virtual IP address is used **only** for control plane traffic to `management` endpoint over port 3443 and can be locked down to the [ApiManagement][ServiceTags] service tag.
![API Management dashboard with an internal virtual network configured][api-management-internal-vnet-dashboard]
After the deployment succeeds, you should see **private** virtual IP address and
### <a name="deploy-apim-internal-vnet"> </a>Deploy API Management into Virtual Network
-[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-internal-vnet%2Fazuredeploy.json)
+You can also enable virtual network connectivity by using the following methods.
+
+### API version 2020-12-01
-You can also enable virtual network connectivity by using PowerShell cmdlets.
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/201-api-management-create-with-internal-vnet)
-* Create an API Management service inside a virtual network: Use the cmdlet [New-AzApiManagement](/powershell/module/az.apimanagement/new-azapimanagement) to create an Azure API Management service inside a virtual network and configure it to use the internal virtual network type.
+ [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-internal-vnet%2Fazuredeploy.json)
-* Update an existing deployment of an API Management service inside a virtual network: Use the cmdlet [Update-AzApiManagementRegion](/powershell/module/az.apimanagement/update-azapimanagementregion) to move an existing API Management service inside a virtual network and configure it to use the internal virtual network type.
+* Azure PowerShell cmdlets - [Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a virtual network
## <a name="apim-dns-configuration"></a>DNS configuration
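Review bot: The new "### API version 2020-12-01" heading is at the same level as its parent "### Deploy API Management into Virtual Network", so it will render as a sibling section instead of a subsection; make it "####". The load balancer paragraph added earlier in this file distinguishes API version 2020-12-01 from 2021-01-01-preview, but only the former gets a heading here, so either add the deployment methods for 2021-01-01-preview or drop the version heading. The lead-in "You can also enable virtual network connectivity by using the following methods." now sits directly above a heading with nothing in between; move it under the heading or reword it to introduce the version-specific sections.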
-When API Management is in external virtual network mode, the DNS is managed by Azure. For internal virtual network mode, you have to manage your own DNS. Configuring an Azure DNS private zone and linking it to the virtual network API Management service is deployed into is the recommended option. Click [here](../dns/private-dns-getstarted-portal.md) to learn how to setup a private zone in Azure DNS.
+When API Management is in external virtual network mode, the DNS is managed by Azure. For internal virtual network mode, you have to manage your own DNS. Configuring an Azure DNS private zone and linking it to the virtual network API Management service is deployed into is the recommended option. Learn how to [set up a private zone in Azure DNS](../dns/private-dns-getstarted-portal.md).
> [!NOTE] > API Management service does not listen to requests coming from IP addresses. It only responds to requests to the host name configured on its service endpoints. These endpoints include gateway, the Azure portal and the Developer portal, direct management endpoint, and Git.
If you use a custom DNS server in a virtual network, you can also create A DNS r
## <a name="routing"> </a> Routing * A load balanced *private* virtual IP address from the subnet range will be reserved and used to access the API Management service endpoints from within the virtual network. This *private* IP address can be found on the Overview blade for the service in the Azure portal. This address must be registered with the DNS servers used by the virtual network.
-* A load balanced *public* IP address (VIP) will also be reserved to provide access to the management service endpoint over port 3443. This *public* IP address can be found on the Overview blade for the service in the Azure portal. The *public* IP address is used only for control plane traffic to the `management` endpoint over port 3443 and can be locked down to the [ApiManagement][ServiceTags] servicetag.
+* A load balanced *public* IP address (VIP) will also be reserved to provide access to the management service endpoint over port 3443. This *public* IP address can be found on the Overview blade for the service in the Azure portal. The *public* IP address is used only for control plane traffic to the `management` endpoint over port 3443 and can be locked down to the [ApiManagement][ServiceTags] service tag.
* IP addresses from the subnet IP range (DIP) will be assigned to each VM in the service and will be used to access resources within the virtual network. A public IP address (VIP) will be used to access resources outside the virtual network. If IP restriction lists are used to secure resources within the virtual network, the entire range for the subnet where the API Management service is deployed must be specified to grant or restrict access from the service. * The load balanced public and private IP addresses can be found on the Overview blade in the Azure portal. * The IP addresses assigned for public and private access may change if the service is removed from and then added back into the virtual network. If this happens, it may be necessary to update DNS registrations, routing rules, and IP restriction lists within the virtual network.
api-management Api Management Using With Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-using-with-vnet.md
Title: How to use Azure API Management with virtual networks description: Learn how to setup a connection to a virtual network in Azure API Management and access web services through it. - - Previously updated : 12/10/2020+ Last updated : 04/12/2021
Azure API Management can be deployed inside the virtual network (VNET), so it ca
To perform the steps described in this article, you must have:
-+ An active Azure subscription.
++ **An active Azure subscription.** [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
-+ An APIM instance. For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).
++ **An API Management instance.** For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).+ ## <a name="enable-vpn"> </a>Enable VNET connection
To perform the steps described in this article, you must have:
1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
-2. Choose your API Management instance.
+1. Choose your API Management instance.
-3. Select **Virtual network**.
-4. Configure the API Management instance to be deployed inside a Virtual network.
+1. Select **Virtual network**.
+1. Configure the API Management instance to be deployed inside a Virtual network.
:::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select virtual network in Azure portal.":::
-5. Select the desired access type:
+1. Select the desired access type:
* **Off**: This is the default. API Management is not deployed into a virtual network.
To perform the steps described in this article, you must have:
![Private peering][api-management-vnet-private]
-6. If you selected **External** or **Internal**, you will see a list of all regions where your API Management service is provisioned. Choose a **Location**, and then pick its **Virtual network** and **Subnet**. The virtual network list is populated with both classic and Resource Manager virtual networks available in your Azure subscriptions that are set up in the region you are configuring.
+1. If you selected **External** or **Internal**, you will see a list of all locations (regions) where your API Management service is provisioned. Choose a **Location**, and then pick its **Virtual network**, **Subnet**, and **IP address**. The virtual network list is populated with Resource Manager virtual networks available in your Azure subscriptions that are set up in the region you are configuring.
++
+ :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="Virtual network settings in the portal.":::
> [!IMPORTANT]
- > When deploying an Azure API Management instance to a Resource Manager VNET, the service must be in a dedicated subnet that contains no other resources except for Azure API Management instances. If an attempt is made to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources, the deployment will fail.
+ > * When your client uses **API version 2020-12-01 or earlier** to deploy an Azure API Management instance in a Resource Manager VNET, the service must be in a dedicated subnet that contains no resources except Azure API Management instances. If an attempt is made to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources, the deployment will fail.
+ > * When your client uses **API version 2021-01-01-preview or later** to deploy an Azure API Management instance in a virtual network, only a Resource Manager virtual network is supported. Additionally, the subnet used may contain other resources. You don't have to use a subnet dedicated to API Management instances.
- Then select **Apply**. The **Virtual network** page of your API Management instance is updated with your new virtual network and subnet choices.
+1. Select **Apply**. The **Virtual network** page of your API Management instance is updated with your new virtual network and subnet choices.
- :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="Virtual network settings in the portal.":::
+1. Continue configuring virtual network settings for the remaining locations of your API Management instance.
7. In the top navigation bar, select **Save**, and then select **Apply network configuration**.
+ It can take 15 to 45 minutes to update the API Management instance.
+ > [!NOTE]
-> The VIP address of the API Management instance will change each time VNET is enabled or disabled.
-> The VIP address will also change when API Management is moved from **External** to **Internal**, or vice-versa.
->
+> With clients using API version 2020-12-01 and earlier, the VIP address of the API Management instance will change each time the VNET is enabled or disabled. The VIP address will also change when API Management is moved from **External** to **Internal** virtual network, or vice versa.
> [!IMPORTANT]
-> If you remove API Management from a VNET or change the one it is deployed in, the previously used VNET can remain locked for up to six hours. During this period it will not be possible to delete the VNET or deploy a new resource to it. This behavior is true for clients using api-version 2018-01-01 and earlier. Clients using api-version 2019-01-01 and later, the VNET is freed up as soon as the associated API Management service is deleted.
+> If you remove API Management from a VNET or change the one it is deployed in, the previously used VNET can remain locked for up to six hours. During this period it will not be possible to delete the VNET or deploy a new resource to it. This behavior is true for clients using API version 2018-01-01 and earlier. Clients using API version 2019-01-01 and later, the VNET is freed up as soon as the associated API Management service is deleted.
-## <a name="deploy-apim-external-vnet"> </a>Deploy API Management into External VNET
+### <a name="deploy-apim-external-vnet"> </a>Deploy API Management into External VNET
-[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-external-vnet%2Fazuredeploy.json)
+You can also enable virtual network connectivity by using the following methods.
-* **Create an API Management service inside a VNET**: Use the cmdlet [New-AzApiManagement](/powershell/module/az.apimanagement/new-azapimanagement) to create an Azure API Management service inside a VNET.
+### API version 2021-01-01-preview
+
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/201-api-management-create-with-external-vnet-publicip)
+
+ [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-external-vnet-publicip%2Fazuredeploy.json)
+
+### API version 2020-12-01
+
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/201-api-management-create-with-external-vnet)
+
+ [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-external-vnet%2Fazuredeploy.json)
-* **Deploy an existing API Management service inside a VNET**: Use the cmdlet [Update-AzApiManagementRegion](/powershell/module/az.apimanagement/update-azapimanagementregion) to move an existing Azure API Management service inside a Virtual Network.
+* Azure PowerShell cmdlets - [Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a virtual network
## <a name="connect-vnet"> </a>Connect to a web service hosted within a virtual Network After your API Management service is connected to the VNET, accessing backend services within it is no different than accessing public services. Just type in the local IP address or the host name (if a DNS server is configured for the VNET) of your web service into the **Web service URL** field when creating a new API or editing an existing one.
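Review bot: the unchanged step "7. In the top navigation bar, select **Save**, and then select **Apply network configuration**." keeps its hard-coded number although every other step in this list was switched to `1.` and two steps (**Apply** and "Continue configuring virtual network settings for the remaining locations") were inserted ahead of it; change it to `1.` so the list numbering stays consistent. Separately, demoting "Deploy API Management into External VNET" to `###` puts it at the same level as the new "### API version 2021-01-01-preview" and "### API version 2020-12-01" headings that follow, so the version sections no longer nest under it; make the version headings `####` or keep the parent at `##`.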
Following is a list of common misconfiguration issues that can occur while deplo
* **Custom DNS server setup**: The API Management service depends on several Azure services. When API Management is hosted in a VNET with a custom DNS server, it needs to resolve the hostnames of those Azure services. Please follow [this](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) guidance on custom DNS setup. See the ports table below and other network requirements for reference. > [!IMPORTANT]
-> If you plan to use a Custom DNS Server(s) for the VNET, you should set it up **before** deploying an API Management service into it. Otherwise you need to
-> update the API Management service each time you change the DNS Server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/2019-12-01/apimanagementservice/applynetworkconfigurationupdates)
+> If you plan to use a Custom DNS Server(s) for the VNET, you should set it up **before** deploying an API Management service into it. Otherwise you need to update the API Management service each time you change the DNS Server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/2019-12-01/apimanagementservice/applynetworkconfigurationupdates)
* **Ports required for API Management**: Inbound and Outbound traffic into the Subnet in which API Management is deployed can be controlled using [Network Security Group][Network Security Group]. If any of these ports are unavailable, API Management may not operate properly and may become inaccessible. Having one or more of these ports blocked is another common misconfiguration issue when using API Management with a VNET.
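Review bot: the rejoined IMPORTANT sentence still ends at the "Apply Network Configuration Operation" link with no closing period, and that link is pinned to the `/rest/api/apimanagement/2019-12-01/` reference while the other edits to this article describe behaviour by API version 2020-12-01 and 2021-01-01-preview. Add the period and confirm that the pinned reference version is the one readers should follow.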
When an API Management service instance is hosted in a VNET, the ports in the fo
| Azure Environment | Endpoints | |-||
- | Azure Public | <ul><li>gcs.prod.monitoring.core.windows.net(**new**)</li><li>prod.warmpath.msftcloudes.com(**to be deprecated**)</li><li>global.prod.microsoftmetrics.com(**new**)</li><li>global.metrics.nsatc.net(**to be deprecated**)</li><li>shoebox2.prod.microsoftmetrics.com(**new**)</li><li>shoebox2.metrics.nsatc.net(**to be deprecated**)</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>shoebox2-red.shoebox2.metrics.nsatc.net</li><li>shoebox2-black.shoebox2.metrics.nsatc.net</li><li>prod3.prod.microsoftmetrics.com(**new**)</li><li>prod3.metrics.nsatc.net(**to be deprecated**)</li><li>prod3-black.prod.microsoftmetrics.com(**new**)</li><li>prod3-black.prod3.metrics.nsatc.net(**to be deprecated**)</li><li>prod3-red.prod.microsoftmetrics.com(**new**)</li><li>prod3-red.prod3.metrics.nsatc.net(**to be deprecated**)</li><li>gcs.prod.warm.ingestion.monitoring.azure.com</li></ul> |
- | Azure Government | <ul><li>fairfax.warmpath.usgovcloudapi.net</li><li>global.prod.microsoftmetrics.com(**new**)</li><li>global.metrics.nsatc.net(**to be deprecated**)</li><li>shoebox2.prod.microsoftmetrics.com(**new**)</li><li>shoebox2.metrics.nsatc.net(**to be deprecated**)</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>shoebox2-red.shoebox2.metrics.nsatc.net</li><li>shoebox2-black.shoebox2.metrics.nsatc.net</li><li>prod3.prod.microsoftmetrics.com(**new**)</li><li>prod3.metrics.nsatc.net(**to be deprecated**)</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.us</li></ul> |
- | Azure China 21Vianet | <ul><li>mooncake.warmpath.chinacloudapi.cn</li><li>global.prod.microsoftmetrics.com(**new**)</li><li>global.metrics.nsatc.net(**to be deprecated**)</li><li>shoebox2.prod.microsoftmetrics.com(**new**)</li><li>shoebox2.metrics.nsatc.net(**to be deprecated**)</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>shoebox2-red.shoebox2.metrics.nsatc.net</li><li>shoebox2-black.shoebox2.metrics.nsatc.net</li><li>prod3.prod.microsoftmetrics.com(**new**)</li><li>prod3.metrics.nsatc.net(**to be deprecated**)</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.cn</li></ul> |
+ | Azure Public | <ul><li>gcs.prod.monitoring.core.windows.net(**new**)</li><li>global.prod.microsoftmetrics.com(**new**)</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>shoebox2-red.shoebox2.metrics.nsatc.net</li><li>shoebox2-black.shoebox2.metrics.nsatc.net</li><li>prod3.prod.microsoftmetrics.com(**new**)</li><li>prod3-black.prod.microsoftmetrics.com(**new**)</li><li>prod3-red.prod.microsoftmetrics.com(**new**)</li><li>gcs.prod.warm.ingestion.monitoring.azure.com</li></ul> |
+ | Azure Government | <ul><li>fairfax.warmpath.usgovcloudapi.net</li><li>global.prod.microsoftmetrics.com(**new**)</li><li>shoebox2.prod.microsoftmetrics.com(**new**)</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>shoebox2-red.shoebox2.metrics.nsatc.net</li><li>shoebox2-black.shoebox2.metrics.nsatc.net</li><li>prod3.prod.microsoftmetrics.com(**new**)</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.us</li></ul> |
+ | Azure China 21Vianet | <ul><li>mooncake.warmpath.chinacloudapi.cn</li><li>global.prod.microsoftmetrics.com(**new**)</li><li>shoebox2.prod.microsoftmetrics.com(**new**)</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>shoebox2-red.shoebox2.metrics.nsatc.net</li><li>shoebox2-black.shoebox2.metrics.nsatc.net</li><li>prod3.prod.microsoftmetrics.com(**new**)</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.cn</li></ul> |
>[!IMPORTANT]
- > The change of clusters above with dns zone **.nsatc.net** to **.microsoftmetrics.com** is mostly a DNS Change. IP Address of cluster will not change.
+ > The change of clusters above with DNS zone **.nsatc.net** to **.microsoftmetrics.com** is mostly a DNS Change. IP Address of cluster will not change.
+ **Regional Service Tags**: NSG rules allowing outbound connectivity to Storage, SQL, and Event Hubs service tags may use the regional versions of those tags corresponding to the region containing the API Management instance (for example, Storage.WestUS for an API Management instance in the West US region). In multi-region deployments, the NSG in each region should allow traffic to the service tags for that region and the primary region.
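Review bot: the new Azure Public row drops `shoebox2.prod.microsoftmetrics.com(**new**)` along with the deprecated `.nsatc.net` names, while the Azure Government and Azure China 21Vianet rows keep it; likewise the new Azure China 21Vianet row loses `prod3-black.prod.microsoftmetrics.com`, which the Azure Government row retains. Neither entry was marked "to be deprecated" in the removed rows, so these look like accidental deletions, and readers who build outbound firewall allow lists from this table would end up blocking them. Please confirm or restore both entries. The rows also still list `shoebox2-red.shoebox2.metrics.nsatc.net` and `shoebox2-black.shoebox2.metrics.nsatc.net`, so say whether those two `.nsatc.net` names remain required now that the other names in that zone are gone.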
Each additional scale unit of API Management requires two more IP addresses.
+ Load balanced public IP address can be found on the Overview/Essentials blade in the Azure portal. ## <a name="limitations"> </a>Limitations
-* A subnet containing API Management instances cannot contain any other Azure resource types.
+* For clients using API version 2020-12-01 and earlier, a subnet containing API Management instances cannot contain any other Azure resource types.
* The subnet and the API Management service must be in the same subscription. * A subnet containing API Management instances cannot be moved across subscriptions. * For multi-region API Management deployments configured in Internal virtual network mode, users are responsible for managing the load balancing across multiple regions, as they own the routing.
api-management Zone Redundancy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/zone-redundancy.md
+
+ Title: Availability zone support for Azure API Management
+description: Learn how to improve the resiliency of your Azure API Management service instance in a region by enabling zone redundancy.
++++ Last updated : 04/13/2021+++++
+# Availability zone support for Azure API Management
+
+This article shows how to enable zone redundancy for your API Management instance by using the Azure portal. [Zone redundancy](../availability-zones/az-overview.md#availability-zones) provides resiliency and high availability to a service instance in a specific Azure region (location). With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, making it resilient to a zone failure.
+
+API Management also supports [multi-region deployments](api-management-howto-deploy-multi-region.md), which helps reduce request latency perceived by geographically distributed API consumers and improves availability of the gateway component if one region goes offline. The combination of availability zones for redundancy within a region, and multi-region deployments to improve the gateway availability if there is a regional outage, helps enhance both the reliability and performance of your API Management instance.
++
+## Supported regions
+
+Configuring API Management for zone redundancy is currently supported in the following Azure regions.
+
+* Australia East
+* Brazil South
+* Canada Central
+* Central India
+* East US
+* East US 2
+* France Central
+* Japan East
+* South Central US
+* Southeast Asia
+* UK South
+* West US 2
+* West US 3
+
+## Prerequisites
+
+* If you have not yet created an API Management service instance, see [Create an API Management service instance](get-started-create-service-instance.md). Select the Premium service tier.
+* If your API Management instance is deployed in a [virtual network](api-management-using-with-vnet.md), ensure that you set up a virtual network, subnet, and public IP address in any new location where you plan to enable zone redundancy.
+
+## Enable zone redundancy - portal
+
+In the portal, optionally enable zone redundancy when you add a location to your API Management service, or update the configuration of an existing location.
+
+1. In the Azure portal, navigate to your API Management service and select **Locations** in the menu.
+1. Select an existing location, or select **+ Add** in the top bar. The location must [support availability zones](#supported-regions).
+1. Select the number of scale **[Units](upgrade-and-scale.md)** in the location.
+1. In **Availability zones**, select one or more zones. The number of units selected must distribute evenly across the availability zones. For example, if you selected 3 units, select 3 zones so that each zone hosts one unit.
+1. If the API Management instance is deployed in a [virtual network](api-management-using-with-vnet.md), configure virtual network settings in the location. Select an existing virtual network, subnet, and public IP address that are available in the location.
+1. Select **Apply** and then select **Save**.
++
+> [!IMPORTANT]
+> The public IP address in the location changes when you enable, add, or remove availability zones. When updating availability zones in a region with network settings, you must configure a different public IP address resource than the one you set up previously.
+
+> [!NOTE]
+> It can take 15 to 45 minutes to apply the change to your API Management instance.
+
+## Next steps
+
+* Learn more about [deploying an Azure API Management service instance to multiple Azure regions](api-management-howto-deploy-multi-region.md).
+* You can also enable zone redundancy using an [Azure Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/101-api-management-simple-zones).
+* Learn more about [Azure services that support availability zones](../availability-zones/az-region.md).
+* Learn more about building for [reliability](/azure/architecture/framework/resiliency/overview) in Azure.
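Review bot: the IMPORTANT note under "Enable zone redundancy - portal" states that the public IP address in the location changes when availability zones are enabled, added, or removed, but does not tell readers what depends on that address. Add a sentence pointing out that DNS registrations, routing rules, and IP restriction lists that reference the old address need updating, or link to the virtual network article that covers this. Also, under "Prerequisites" the Premium tier appears only inside the bullet for readers who have not yet created an instance ("Select the Premium service tier."); if the tier is a requirement for zone redundancy, state it as its own prerequisite so that readers with an existing instance see it.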
application-gateway Application Gateway Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-metrics.md
Title: Azure Monitor metrics for Application Gateway description: Learn how to use metrics to monitor performance of application gateway -+ Last updated 06/06/2020-+ # Metrics for Application Gateway
Application Gateway publishes data points, called metrics, to [Azure Monitor](..
Application Gateway provides several builtΓÇæin timing metrics related to the request and response, which are all measured in milliseconds.
-![Diagram of timing metrics, for the Application Gateway.](./media/application-gateway-metrics/application-gateway-metrics.png)
+![Diagram of timing metrics, for the Application Gateway.](./media/application-gateway-metrics/application-gateway-metrics.jpg)
> [!NOTE] >
To understand more about webhooks and how you can use them with alerts, visit [C
[7]: ./media/application-gateway-diagnostics/figure7.png [8]: ./media/application-gateway-diagnostics/figure8.png [9]: ./media/application-gateway-diagnostics/figure9.png
-[10]: ./media/application-gateway-diagnostics/figure10.png
+[10]: ./media/application-gateway-diagnostics/figure10.png
application-gateway Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/quick-create-portal.md
description: In this quickstart, you learn how to use the Azure portal to create an Azure Application Gateway that directs web traffic to virtual machines in a backend pool. -- Previously updated : 01/19/2021 - Last updated : 01/19/2021+++
+ - mvc
+ - mode-portal
# Quickstart: Direct web traffic with Azure Application Gateway - Azure portal
application-gateway Quick Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/quick-create-powershell.md
description: In this quickstart, you learn how to use Azure PowerShell to create an Azure Application Gateway that directs web traffic to virtual machines in a backend pool. -- Previously updated : 01/19/2021 - Last updated : 01/19/2021+++
+ - mvc
+ - mode-api
# Quickstart: Direct web traffic with Azure Application Gateway using Azure PowerShell
Remove-AzResourceGroup -Name myResourceGroupAG
> [!div class="nextstepaction"] > [Manage web traffic with an application gateway using Azure PowerShell](./tutorial-manage-web-traffic-powershell.md)-
application-gateway Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/quick-create-template.md
description: In this quickstart, you learn how to use a Resource Manager template to create an Azure Application Gateway that directs web traffic to virtual machines in a backend pool. -- Previously updated : 01/20/2021 - Last updated : 01/20/2021+++
+ - mvc
+ - subject-armqs
+ - mode-arm
# Quickstart: Direct web traffic with Azure Application Gateway - ARM template
application-gateway Troubleshoot App Service Redirection App Service Url https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/troubleshoot-app-service-redirection-app-service-url.md
Title: Troubleshoot redirection to App Service URL
description: This article provides information on how to troubleshoot the redirection issue when Azure Application Gateway is used with Azure App Service -+ Previously updated : 11/14/2019- Last updated : 04/15/2021+ # Troubleshoot App Service issues in Application Gateway
In the previous example, notice that the response header has a status code of 30
Set the host name in the location header to the application gateway's domain name. To do this, create a [rewrite rule](./rewrite-http-headers.md) with a condition that evaluates if the location header in the response contains azurewebsites.net. It must also perform an action to rewrite the location header to have the application gateway's host name. For more information, see instructions on [how to rewrite the location header](./rewrite-http-headers.md#modify-a-redirection-url). > [!NOTE]
-> The HTTP header rewrite support is only available for the [Standard_v2 and WAF_v2 SKU](./application-gateway-autoscaling-zone-redundant.md) of Application Gateway. If you use v1 SKU, we recommend that you [migrate from v1 to v2](./migrate-v1-v2.md). You want to use rewrite and other [advanced capabilities](./application-gateway-autoscaling-zone-redundant.md#feature-comparison-between-v1-sku-and-v2-sku) that are available with v2 SKU.
+> The HTTP header rewrite support is only available for the [Standard_v2 and WAF_v2 SKU](./application-gateway-autoscaling-zone-redundant.md) of Application Gateway. We recommend [migrating to v2](./migrate-v1-v2.md) for Header Rewrite and other [advanced capabilities](./application-gateway-autoscaling-zone-redundant.md#feature-comparison-between-v1-sku-and-v2-sku) that are available with v2 SKU.
## Alternate solution: Use a custom domain name
-If you use v1 SKU, you can't rewrite the location header. This capability is only available for v2 SKU. To resolve the redirection issue, pass the same host name that the application gateway receives to the app service as well, instead of doing a host override.
+Using App Service's Custom Domain feature is another solution to always redirect the traffic to Application Gateway's domain name (`www.contoso.com` in our example). This configuration also serves as a solution for the ARR Affinity cookie problem. By default, the ARRAffinity cookie domain is set to the App Service's default host name (example.azurewebsites.net) instead of the Application Gateway's domain name. Therefore, the browser in such cases will reject the cookie due to the difference in the domain names of the request and the cookie.
-The app service now does the redirection (if any) on the same original host header that points to the application gateway and not its own.
+You can follow the given method for both the Redirection and ARRAffinity's cookie domain mismatch issues. This method will need you to have your custom domain's DNS zone access.
-You must own a custom domain and follow this process:
+**Step1**: Set a Custom Domain in App Service and verify the domain ownership by adding the [CNAME & TXT DNS records](../app-service/app-service-web-tutorial-custom-domain.md#get-a-domain-verification-id).
+The records would look similar to
+- `www.contoso.com` IN CNAME `contoso.azurewebsite.net`
+- `asuid.www.contoso.com` IN TXT "`<verification id string>`"
-- Register the domain to the custom domain list of the app service. You must have a CNAME in your custom domain that points to the app service's FQDN. For more information, see [Map an existing custom DNS name to Azure App Service](../app-service/app-service-web-tutorial-custom-domain.md).
- ![App service custom domain list](./media/troubleshoot-app-service-redirection-app-service-url/appservice-2.png)
+**Step2**: The CNAME record in the previous step was only needed for the domain verification. Ultimately, we need the traffic to route via Application Gateway. You can thus modify `www.contoso.com`'s CNAME now to point to Application Gateway's FQDN. To set a FQDN for your Application Gateway, navigate to its Public IP address resource and assign a "DNS Name label" for it. The updated CNAME record should now look as
+- `www.contoso.com` IN CNAME `contoso.eastus.cloudapp.azure.com`
-- Your app service is ready to accept the host name `www.contoso.com`. Change your CNAME entry in DNS to point it back to the application gateway's FQDN, for example, `appgw.eastus.cloudapp.azure.com`. -- Make sure that your domain `www.contoso.com` resolves to the application gateway's FQDN when you do a DNS query.
+**Step3**: Disable "Pick Hostname from Backend Address" for the associated HTTP Setting.
-- Set your custom probe to disable **Pick Hostname from Backend HTTP Settings**. In the Azure portal, clear the check box in the probe settings. In PowerShell, don't use the **-PickHostNameFromBackendHttpSettings** switch in the **Set-AzApplicationGatewayProbeConfig** command. In the host name field of the probe, enter your app service's FQDN, example.azurewebsites.net. The probe requests sent from the application gateway carry this FQDN in the host header.
+In PowerShell, don't use the `-PickHostNameFromBackendAddress` switch in the `Set-AzApplicationGatewayBackendHttpSettings` command.
- > [!NOTE]
- > For the next step, make sure that your custom probe isn't associated to your back-end HTTP settings. Your HTTP settings still have the **Pick Hostname from Backend Address** switch enabled at this point.
-- Set your application gateway's HTTP settings to disable **Pick Hostname from Backend Address**. In the Azure portal, clear the check box. In PowerShell, don't use the **-PickHostNameFromBackendAddress** switch in the **Set-AzApplicationGatewayBackendHttpSettings** command.
+**Step4**: For the probes to determine the backend as healthy and an operational traffic, set a custom Health Probe with Host field as custom or default domain of the App Service.
-- Associate the custom probe back to the back-end HTTP settings, and verify that the back end is healthy.--- The application gateway should now forward the same host name, `www.contoso.com`, to the app service. The redirection happens on the same host name. Check the following example request and response headers.
+In PowerShell, don't use the `-PickHostNameFromBackendHttpSettings` switch in the `Set-AzApplicationGatewayProbeConfig` command and use either the custom or default domain of the App Service in the -HostName switch of the probe.
To implement the previous steps using PowerShell for an existing setup, use the sample PowerShell script that follows. Note how we haven't used the **-PickHostname** switches in the probe and HTTP settings configuration.
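Review bot: The Step1 CNAME example points `www.contoso.com` at `contoso.azurewebsite.net`, which is missing the final "s"; the removed probe text in this same change spells the App Service domain `example.azurewebsites.net`. Readers copy DNS examples verbatim, so please correct it to `contoso.azurewebsites.net`. Two smaller points: the Step4 sentence "determine the backend as healthy and an operational traffic" does not parse and should state in plain words what the probe needs, and `-HostName` in the last added line should be in code formatting like the other switches.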
Set-AzApplicationGateway -ApplicationGateway $gw
``` ## Next steps
-If the preceding steps didn't resolve the issue, open a [support ticket](https://azure.microsoft.com/support/options/).
+If the preceding steps didn't resolve the issue, open a [support ticket](https://azure.microsoft.com/support/options/).
attestation Claim Sets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/claim-sets.md
Claims generated in the process of attesting enclaves using Microsoft Azure Atte
Claims to be used by policy authors to define authorization rules in an SGX attestation policy: -- **x-ms-sgx-is-debuggable**: A Boolean, which indicates whether or not the enclave has debugging enabled or not-- **x-ms-sgx-product-id**: Product ID value of the SGX enclave -- **x-ms-sgx-mrsigner**: hex encoded value of the ΓÇ£mrsignerΓÇ¥ field of the quote-- **x-ms-sgx-mrenclave**: hex encoded value of the ΓÇ£mrenclaveΓÇ¥ field of the quote-- **x-ms-sgx-svn**: security version number encoded in the quote
+- **x-ms-sgx-is-debuggable**: A boolean value, which indicates whether enclave debugging is enabled or not.
+
+ SGX enclaves can be loaded with debugging disabled, or enabled. When the flag is set to true in the enclave, it enables debugging features for the enclave code. This includes the ability to access enclaveΓÇÖs memory. Hence it is recommended to set the flag to true only for development purposes. If enabled in production environment, SGX security guarantees will not be retained.
+
+ Azure Attestation users can use the attestation policy to verify if debugging is disabled for the SGX enclave. Once the policy rule is added, attestation will fail when a malicious user turns on the debugging support to gain access to the enclave content.
+
+- **x-ms-sgx-product-id**: An integer value, which indicates product ID of the SGX enclave.
+
+ The enclave author assigns a Product ID to each enclave. The Product ID enables the enclave author to segment enclaves signed using the same MRSIGNER. By adding a validation rule in the attestation policy, customers can check if they are using the intended enclaves. Attestation will fail if the enclaveΓÇÖs product ID does not match the value published by the enclave author.
+
+- **x-ms-sgx-mrsigner**: A string value, which identifies the author of SGX enclave.
+
+ MRSIGNER is the hash of the enclave authorΓÇÖs public key which is used to sign the enclave binary. By validating MRSIGNER via an attestation policy, customers can verify if trusted binaries are running inside an enclave. When the policy claim does not match the enclave authorΓÇÖs MRSIGNER, it implies that the enclave binary is not signed by a trusted source and the attestation fails.
+
+ When an enclave author prefers to rotate MRSIGNER for security reasons, Azure Attestation policy must be updated to support the new and old MRSIGNER values before the binaries are updated. Otherwise authorization checks will fail resulting in attestation failures.
+
+ Attestation policy must be updated using the below format.
+
+ #### Before key rotation
+
+ ```
+ version= 1.0;
+ authorizationrules
+ {
+ [ type=="x-ms-sgx-is-debuggable", value==false]&&
+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner1"] => permit();
+ };
+ ```
+
+ #### During key rotation
+
+ ```
+ version= 1.0;
+ authorizationrules
+ {
+ [ type=="x-ms-sgx-is-debuggable", value==false]&&
+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner1"] => permit();
+ [ type=="x-ms-sgx-is-debuggable", value==false ]&&
+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner2"] => permit();
+ };
+ ```
+
+ #### After key rotation
+
+ ```
+ version= 1.0;
+ authorizationrules
+ {
+ [ type=="x-ms-sgx-is-debuggable", value==false]&&
+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner2"] => permit();
+ };
+ ```
+
+- **x-ms-sgx-mrenclave**: A string value, which identifies the code and data loaded in enclave memory.
+
+ MRENCLAVE is one of the enclave measurements which can be used to verify the enclave binaries. It is the hash of the code running inside the enclave. The measurement changes with every change to the enclave binary code. By validating MRENCLAVE via an attestation policy, customers can verify if intended binaries are running inside an enclave. However, as MRENCLAVE is expected to change frequently with any trivial modification to the existing code, it is recommended to verify enclave binaries using MRSIGNER validation in an attestation policy.
+
+- **x-ms-sgx-svn**: An integer value, which indicates the security version number of the SGX enclave
+
+ The enclave author assigns a Security Version Number (SVN) to each version of the SGX enclave. When a security issue is discovered in the enclave code, enclave author increments the SVN value post vulnerability fix. To prevent interacting with insecure enclave code, customers can add a validation rule in the attestation policy. If the SVN of the enclave code does not match the version recommended by the enclave author, attestation will fail.
Below claims are considered deprecated but are fully supported and will continue to be included in the future. It is recommended to use the non-deprecated claim names.
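Review bot: The three sample policies under x-ms-sgx-mrsigner permit on `x-ms-sgx-is-debuggable` and `x-ms-sgx-mrsigner` only, and the x-ms-sgx-mrenclave paragraph then recommends MRSIGNER validation in place of MRENCLAVE. The product-id paragraph in this same change says one MRSIGNER can cover several enclaves, so a reader who copies the samples accepts every enclave signed with that key, whatever its product ID or SVN. Suggest either adding `x-ms-sgx-product-id` and `x-ms-sgx-svn` conditions to the samples or stating next to the recommendation that MRSIGNER should be combined with those two claims. The x-ms-sgx-svn text also says attestation fails when the SVN "does not match" the recommended version; please say whether an exact match or a minimum value is intended. Minor: the second rule in the "During key rotation" sample has `value==false ]` with a stray space, and the x-ms-sgx-svn bullet is the only one without a closing period.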
attestation Quickstart Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/quickstart-powershell.md
$attestationResourceGroup = "<attestation provider resource group name>"
New-AzResourceGroup -Name $attestationResourceGroup -Location $location ```
+ > [!NOTE]
+ > Once an attestation provider is created in this resource group, an Azure AD user must have **Attestation Contributor** role on the provider to perform operations like policy configuration/ policy signer certificates management. These permissions can be also be inherited with roles such as **Owner** (wildcard permissions)/ **Contributor** (wildcard permissions) on the subscription/ resource group.
++ ## Create and manage an attestation provider New-AzAttestation creates an attestation provider.
In order to manage policies, an Azure AD user requires the following permissions
- Microsoft.Attestation/attestationProviders/attestation/write - Microsoft.Attestation/attestationProviders/attestation/delete
-To perform these actions, an Azure AD user must have "Attestation Contributor" role on the attestation provider. These permissions can be also be inherited with roles such as "Owner" (wildcard permissions), "Contributor" (wildcard permissions) on the subscription/ resource group level.
+ To perform these actions, an Azure AD user must have **Attestation Contributor** role on the attestation provider. These permissions can be also be inherited with roles such as **Owner** (wildcard permissions)/ **Contributor** (wildcard permissions) on the subscription/ resource group.
In order to read policies, an Azure AD user requires the following permission for "Actions": - Microsoft.Attestation/attestationProviders/attestation/read
-To perform this action, an Azure AD user must have "Attestation Reader" role on the attestation provider. The read permission can be also be inherited with roles such as "Reader" (wildcard permissions) on the subscription/ resource group level.
+ To perform this action, an Azure AD user must have **Attestation Reader** role on the attestation provider. The read permission can be also be inherited with roles such as **Reader** (wildcard permissions) on the subscription/ resource group.
Below PowerShell cmdlets provide policy management for an attestation provider (one TEE at a time).
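Review bot: Both added role sentences keep the doubled verb "can be also be inherited"; it should read "can also be inherited", and the same wording is in the NOTE added earlier in this file. "must have **Attestation Contributor** role" and "must have **Attestation Reader** role" also need "the" before the role name. Since the sentences already label Owner, Contributor and Reader as wildcard permissions, it would help to say outright that the Attestation-specific role is the narrower one to assign, so readers do not reach for a subscription-level role by default.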
attestation Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/troubleshoot-guide.md
Below are some examples of the errors returned by Azure Attestation:
Unauthorized **Scenario examples**
- - Attestation failure if the user is not assigned with Attestation Reader role
- Unable to manage attestation policies as the user is not assigned with appropriate roles - Unable to manage attestation policy signers as the user is not assigned with appropriate roles
At line:1 char:1
**Troubleshooting steps**
-In order to view attestation policies/policy signers, an Azure AD user requires the permission for "Actions":
+In order to manage policies, an Azure AD user requires the following permissions for "Actions":
- Microsoft.Attestation/attestationProviders/attestation/read-
- This permission can be assigned to an AD user through a role such as "Owner" (wildcard permissions) or "Reader" (wildcard permissions) or "Attestation Reader" (specific permissions for Azure Attestation only).
-
-In order to add/delete policy signers or to configure policies, an Azure AD user requires the following permissions for "Actions":
- Microsoft.Attestation/attestationProviders/attestation/write - Microsoft.Attestation/attestationProviders/attestation/delete
- These permissions can be assigned to an AD user through a role such as "Owner" (wildcard permissions), "Contributor" (wildcard permissions) or "Attestation Contributor" (specific permissions for Azure Attestation only).
-
-Customers can choose to use the default provider for attestation, or create their own providers with custom policies. To send attestation requests to custom attestation providers, "Owner" (wildcard permissions) or "Reader" (wildcard permissions) or "Attestation Reader" role is required for the user. The default providers are accessible by any Azure AD user.
-
-To verify the roles in PowerShell, run below:
+ To perform these actions, an Azure AD user must have "Attestation Contributor" role on the attestation provider. These permissions can be also be inherited with roles such as "Owner" (wildcard permissions), "Contributor" (wildcard permissions) on the subscription/ resource group.
-a. Launch PowerShell and log into Azure via the "Connect-AzAccount" cmdlet
+In order to read policies, an Azure AD user requires the following permission for "Actions":
+- Microsoft.Attestation/attestationProviders/attestation/read
-b. Verify your Azure role assignment settings
+ To perform this action, an Azure AD user must have "Attestation Reader" role on the attestation provider. The read permission can be also be inherited with roles such as "Reader" (wildcard permissions) on the subscription/ resource group.
+To verify the roles in PowerShell, run the below steps:
- ```powershell
- $c = Get-AzContext
- Get-AzRoleAssignment -ResourceGroupName $attestationResourceGroup -ResourceName $attestationProvider -ResourceType Microsoft.Attestation/attestationProviders -SignInName $c.Account.Id
- ```
-
- You should see something like this:
+a. Launch PowerShell and log into Azure via the "Connect-AzAccount" cmdlet
- ```
- RoleAssignmentId :/subscriptions/subscriptionId/providers/Microsoft.Authorization/roleAssignments/roleAssignmentId
-
- Scope : /subscriptions/subscriptionId
-
- DisplayName : displayName
-
- SignInName : signInName
-
- RoleDefinitionName : Reader
-
- RoleDefinitionId : roleDefinitionId
-
- ObjectId : objectid
-
- ObjectType : User
-
- CanDelegate : False
-
- ```
+b. Please refer the guidance [here](../role-based-access-control/role-assignments-list-powershell.md) to verify your Azure role assignment on the attestation provider
-c. If you don't find an appropriate role assignment in the list, follow the instructions in [here](../role-based-access-control/role-assignments-powershell.md)
+c. If you don't find an appropriate role assignment, follow the instructions in [here](../role-based-access-control/role-assignments-powershell.md)
## 2. HTTP ΓÇô 400 errors
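Review bot: Step b now only links to the generic role-assignment listing article, and the removed `Get-AzRoleAssignment` command was the one place that showed the scope to check (`-ResourceType Microsoft.Attestation/attestationProviders` with the provider name). Consider keeping that single command line next to the link so readers can verify the assignment on the provider itself. The removed paragraph also explained that sending requests to a custom provider needs a Reader-type role while default providers are open to any Azure AD user; if that still holds, it should stay somewhere in this section, since the "Attestation failure" scenario bullet is removed in the same change. Wording: "Please refer the guidance [here]" should be "refer to" with descriptive link text, and "can be also be inherited" should be "can also be inherited".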
To continue to interact with the PowerShell Gallery, run the following command b
User assigned with appropriate roles. But facing authorization issues while managing attestation policies through PowerShell. ### Error
-The client with object id &lt;object Id&gt; does not have authorization to perform action Microsoft.Authorization/roleassignments/write over scope ΓÇÿsubcriptions/&lt;subscriptionId&gt;resourcegroups/secure_enclave_poc/providers/Microsoft.Authorization/roleassignments/&lt;role assignmentId&gt;ΓÇÖ or the scope is invalid. If access was recently granted, please refresh your credentials
+The client with object ID &lt;object Id&gt; does not have authorization to perform action Microsoft.Authorization/roleassignments/write over scope ΓÇÿsubcriptions/&lt;subscriptionId&gt;resourcegroups/secure_enclave_poc/providers/Microsoft.Authorization/roleassignments/&lt;role assignmentId&gt;ΓÇÖ or the scope is invalid. If access was recently granted, please refresh your credentials
### Troubleshooting steps
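Review bot: The only change in the error text is "object id" to "object ID" inside what is presented as a quoted error message. If this text is meant to reproduce what the service returns, editing its casing makes it differ from what users see and search for, while the rest of the message is left verbatim, including "subcriptions". Suggest reverting the casing change, or putting the message in a code block so prose style rules are not applied to it.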
automanage Quick Create Virtual Machines Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/quick-create-virtual-machines-portal.md
Title: Quickstart - Enable Azure Automanage for VMs in the Azure portal description: Learn how to quickly enable Automanage for virtual machines on a new or existing VM in the Azure portal. + Last updated : 02/17/2021+ - Previously updated : 02/17/2021-+
+ - mode-portal
automation Automation Quickstart Create Runbook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-quickstart-create-runbook.md
Last updated 02/05/2019 -+
+ - mvc
+ - mode-api
# Create an Azure Automation runbook
automation Automation Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-security-overview.md
description: This article provides an overview of Azure Automation account authe
keywords: automation security, secure automation; automation authentication Previously updated : 04/08/2021 Last updated : 04/14/2021
The Automation resources for each Automation account are associated with a singl
All tasks that you create against resources using Azure Resource Manager and the PowerShell cmdlets in Azure Automation must authenticate to Azure using Azure Active Directory (Azure AD) organizational identity credential-based authentication.
-## Managed identities (Preview)
+## Managed identities (preview)
A managed identity from Azure Active Directory (Azure AD) allows your runbook to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. For more information about managed identities in Azure AD, see [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview). Here are some of the benefits of using managed identities: -- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
+- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication. They can be used for cloud as well as hybrid jobs. Hybrid jobs can use managed identities when run on a Hybrid Runbook Worker that's running on an Azure or non-Azure VM.
- Managed identities can be used without any additional cost.
An Automation account can be granted two types of identities:
>[!NOTE] > User assigned identities are not supported yet.
-For details on using managed identities, see [Enable managed identity for Azure Automation (Preview)](enable-managed-identity-for-automation.md).
+For details on using managed identities, see [Enable managed identity for Azure Automation (preview)](enable-managed-identity-for-automation.md).
## Run As accounts
automation Automation Solution Vm Management Remove https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-solution-vm-management-remove.md
Title: Remove Azure Automation Start/Stop VMs during off-hours overview
description: This article describes how to remove the Start/Stop VMs during off-hours feature and unlink an Automation account from the Log Analytics workspace. Previously updated : 03/04/2021 Last updated : 04/15/2021
After you enable the Start/Stop VMs during off-hours feature to manage the runni
Deleting this feature only removes the associated runbooks, it doesn't delete the schedules or variables that were created during deployment or any custom-defined ones created after.
+> [!NOTE]
+> Before proceeding, verify there aren't any [Resource Manager locks](../azure-resource-manager/management/lock-resources.md) applied at the subscription, resource group, or resource which prevents accidental deletion or modification of critical resources. When you deploy the Start/Stop VMs during off-hours solution, it sets the lock level to **CanNotDelete** against several dependent resources in the Automation account (specifically its runbooks and variables). Any locks need to be removed before you can delete the Automation account.
+ ## Delete the dedicated resource group To delete the resource group, follow the steps outlined in the [Azure Resource Manager resource group and resource deletion](../azure-resource-manager/management/delete-resource-group.md) article.
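Review bot: The added NOTE is hard to parse: in "verify there aren't any Resource Manager locks ... which prevents accidental deletion or modification of critical resources", the "which prevents" clause describes what locks are for, yet it reads as part of the condition to verify. Suggest splitting it into one sentence that tells the reader to check for locks at the subscription, resource group, or resource level, and a second that explains why the solution sets **CanNotDelete**. Because the locks exist to protect resources, consider adding that any lock removed at a broader scope should be restored once the deletion is done.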
automation Delete Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/delete-account.md
description: This article tells how to delete your Automation account across the
Previously updated : 03/18/2021 Last updated : 04/15/2021
Removing your Automation account can be done using one of the following methods
* Unlink the Log Analytics workspace from the Automation account and delete the Automation account. * Delete the feature from your linked workspace, unlink the account from the workspace, and then delete the Automation account.
-This article tells you how to completely remove your Automation account through the Azure portal, PowerShell, the Azure CLI, or the REST API.
+This article tells you how to completely remove your Automation account through the Azure portal, using Azure PowerShell, the Azure CLI, or the REST API.
+
+> [!NOTE]
+> Before proceeding, verify there aren't any [Resource Manager locks](../azure-resource-manager/management/lock-resources.md) applied at the subscription, resource group, or resource which prevents accidental deletion or modification of critical resources. If you have deployed the Start/Stop VMs during off-hours solution, it sets the lock level to **CanNotDelete** against several dependent resources in the Automation account (specifically its runbooks and variables). Any locks need to be removed before you can delete the Automation account.
## Delete the dedicated resource group
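Review bot: The rewritten intro sentence loses its parallel structure: "through the Azure portal, using Azure PowerShell, the Azure CLI, or the REST API" mixes "through" and "using". Suggest "by using the Azure portal, Azure PowerShell, the Azure CLI, or the REST API". The NOTE added below it is nearly the same text as the one added to automation-solution-vm-management-remove.md in this batch; a shared include would keep the two from drifting apart.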
automation Disable Managed Identity For Automation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/disable-managed-identity-for-automation.md
Title: Disable your Azure Automation account managed identity (Preview)
+ Title: Disable your Azure Automation account managed identity (preview)
description: This article explains how to disable and remove a managed identity for an Azure Automation account. Previously updated : 04/04/2021 Last updated : 04/14/2021
-# Disable your Azure Automation account managed identity (Preview)
+# Disable your Azure Automation account managed identity (preview)
There are two ways to disable a system-assigned identity in Azure Automation. You can complete this task from the Azure portal, or by using an Azure Resource Manager (ARM) template.
Removing a system-assigned identity using this method also deletes it from Azure
## Next steps -- For more information about enabling managed identity in Azure Automation, see [Enable and use managed identity for Automation (Preview)](enable-managed-identity-for-automation.md).
+- For more information about enabling managed identity in Azure Automation, see [Enable and use managed identity for Automation (preview)](enable-managed-identity-for-automation.md).
- For an overview of Automation account security, see [Automation account authentication overview](automation-security-overview.md).
automation Enable Managed Identity For Automation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/enable-managed-identity-for-automation.md
Title: Enable a managed identity for your Azure Automation account (Preview)
+ Title: Enable a managed identity for your Azure Automation account (preview)
description: This article describes how to set up managed identity for Azure Automation accounts. Previously updated : 04/09/2021 Last updated : 04/14/2021
-# Enable a managed identity for your Azure Automation account (Preview)
+# Enable a managed identity for your Azure Automation account (preview)
This topic shows you how to create a managed identity for an Azure Automation account and how to use it to access other resources. For more information on how managed identity works with Azure Automation, see [Managed identities](automation-security-overview.md#managed-identities-preview).
This topic shows you how to create a managed identity for an Azure Automation ac
- An Azure account and subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. Both the managed identity and the target Azure resources that your runbook manages using that identity must be in the same Azure subscription. -- The latest version of Azure Automation account modules.
+- The latest version of Azure Automation account modules. Currently this is 1.6.0. (See [Az.Automation 1.6.0](https://www.powershellgallery.com/packages/Az.Automation/1.6.0) for details about this version.)
- An Azure resource that you want to access from your Automation runbook. This resource needs to have a role defined for the managed identity, which helps the Automation runbook authenticate access to the resource. To add roles, you need to be an owner for the resource in the corresponding Azure AD tenant.
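Review bot: The prerequisite now hard-codes "Currently this is 1.6.0" next to "The latest version", which becomes wrong as soon as the next Az.Automation release ships. If 1.6.0 is the real requirement, suggest stating it as a minimum ("version 1.6.0 or later"); otherwise link to the module's gallery page without putting a version number in the sentence.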
This topic shows you how to create a managed identity for an Azure Automation ac
## Enable system-assigned identity
->[!NOTE]
->User-assigned identities are not supported yet.
+>[!IMPORTANT]
+>The new Automation account-level identity will override any previous VM-level system-assigned identities (which are described in [Use runbook authentication with managed identities](/automation-hrw-run-runbooks#runbook-auth-managed-identities)). If you're running hybrid jobs on Azure VMs that use a VM's system-assigned identity to access runbook resources, then the Automation account identity will be used for the hybrid jobs. This means your existing job execution may be affected if you've been using the Customer Managed Keys (CMK) feature of your Automation account.<br/><br/>If you wish to continue using the VM's managed identity, you shouldn't enable the Automation account-level identity. If you've already enabled it, you can disable the Automation account managed identity. See [Disable your Azure Automation account managed identity](https://docs.microsoft.com/azure/automation/disable-managed-identity-for-automation).
Setting up system-assigned identities for Azure Automation can be done one of two ways. You can either use the Azure portal, or the Azure REST API.
+>[!NOTE]
+>User-assigned identities are not supported yet.
+ ### Enable system-assigned identity in Azure portal 1. Sign in to the [Azure portal](https://portal.azure.com).
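Review bot: Both links in the added IMPORTANT block break the convention used elsewhere in this file. `/automation-hrw-run-runbooks#runbook-auth-managed-identities` is root-relative and has no `.md` extension, so it is unlikely to resolve, and the disable link uses an absolute `https://docs.microsoft.com/...` URL where the Next steps section links the same article as `disable-managed-identity-for-automation.md`. On content, the block says existing job execution "may be affected if you've been using the Customer Managed Keys (CMK) feature" but does not say how; a sentence on what fails and how to recognize it would let readers assess the impact before enabling the account-level identity.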
Request body
## Give identity access to Azure resources by obtaining a token
-An Automation account can use its managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens do not represent any specific user of the application. Instead, they represent the application thatΓÇÖs accessing the resource. For example, in this case, the token represents an Automation account.
+An Automation account can use its managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens do not represent any specific user of the application. Instead, they represent the application thatΓÇÖs accessing the resource. In this case, for example, the token represents an Automation account.
Before you can use your system-assigned managed identity for authentication, set up access for that identity on the Azure resource where you plan to use the identity. To complete this task, assign the appropriate role to that identity on the target Azure resource.
-This example shows how to assign the Contributor role in the subscription to the target Azure resource using Azure PowerShell.
+This example uses Azure PowerShell to show how to assign the Contributor role in the subscription to the target Azure resource. The Contributor role is used as an example, and may or may not be required in your case.
```powershell New-AzRoleAssignment -ObjectId <automation-Identity-object-id> -Scope "/subscriptions/<subscription-id>" -RoleDefinitionName "Contributor"
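Review bot: The added caveat "may or may not be required in your case" is vague for an example that grants Contributor at `/subscriptions/<subscription-id>` scope. The command in the context line will be copied as is, so suggest saying directly that readers should pick the narrowest role and scope the runbook needs, for example a resource group or single resource rather than the whole subscription. The rewritten intro sentence also still reads "assign the Contributor role in the subscription to the target Azure resource", which mixes up the scope and the assignee; the role is assigned to the managed identity.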
endPoint = os.getenv('IDENTITY_ENDPOINT')+"?resource=https://management.azure.co
identityHeader = os.getenv('IDENTITY_HEADER') payload={} headers = {
- 'X-IDENTITY-HEADER': identityHeader,
+ 'X-IDENTITY-HEADER': identityHeader,
'Metadata': 'True' } response = requests.request("GET", endPoint, headers=headers, data=payload)
print(response.text)
## Next steps -- If you need to disable a managed identity, see [Disable your Azure Automation account managed identity (Preview)](disable-managed-identity-for-automation.md).
+- If you need to disable a managed identity, see [Disable your Azure Automation account managed identity (preview)](disable-managed-identity-for-automation.md).
- For an overview of Azure Automation account security, see [Automation account authentication overview](automation-security-overview.md).
automation Quickstart Create Automation Account Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/quickstart-create-automation-account-template.md
Title: "Quickstart: Create an Automation account - Azure template"
+ Title: 'Quickstart: Create an Automation account - Azure template'
description: This quickstart shows how to create an Automation account by using the Azure Resource Manager template.
-# Customer intent: I want to create an Automation account by using an Azure Resource Manager template so that I can automate processes with runbooks.
+ Last updated : 01/07/2021 Previously updated : 01/07/2021--+
+ - mvc
+ - subject-armqs
+ - mode-arm
+# Customer intent: I want to create an Automation account by using an Azure Resource Manager template so that I can automate processes with runbooks.
# Quickstart: Create an Automation account by using ARM template
In this quickstart, you created an Automation account, a Log Analytics workspace
To learn more, continue to the tutorials for Azure Automation. > [!div class="nextstepaction"]
-> [Azure Automation tutorials](learn/automation-tutorial-runbook-graphical.md)
+> [Azure Automation tutorials](learn/automation-tutorial-runbook-graphical.md)
automation Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/whats-new.md
Previously updated : 02/23/2021 Last updated : 04/09/2021
Azure Automation receives improvements on an ongoing basis. To stay up to date w
This page is updated monthly, so revisit it regularly.
+## March 2021
+
+### New Azure Automation built-in policies
+
+**Type:** New feature
+
+Azure Automation has added 5 new built-in policies:
+
+- Automation accounts should disable public network access,
+- Azure Automation accounts should use customer-managed keys to encrypt data at rest
+- Configure Azure Automation accounts to disable public network access
+- Configure private endpoint connections on Azure Automation accounts
+- Private endpoint connections on Automation Accounts should be enabled.
+
+See the [policy reference](./policy-reference.md) article for more details.
+
+### Support for Automation and State Configuration declared GA in South India
+
+**Type:** New feature
+
+Use Process Automation and State configuration capabilities in South India. Read the [announcement](https://azure.microsoft.com/updates/azure-automation-in-south-india-region/) for more information.
+
+### Support for Automation and State Configuration declared GA in UK West
+
+**Type:** New feature
+
+Use Process Automation and State configuration capabilities in UK West. For more information, read [announcement](https://azure.microsoft.com/updates/azure-automation-in-uk-west-region/).
+
+### Support for Automation and State Configuration declared GA in UAE Central
+
+**Type:** New feature
+
+Use Process Automation and State configuration capabilities in UAE Central. Read the [announcement](https://azure.microsoft.com/updates/azure-automation-in-uae-central-region/) for more information.
+
+### Support for Automation and State Configuration available in Australia Central 2 , Norway West and France South
+
+**Type:** New feature
+
+See more information on the [Data residency page](https://azure.microsoft.com/global-infrastructure/data-residency/) by selecting the geography for each region.
+
+### New scripts added for installing Hybrid worker on Windows and Linux
+
+**Type:** New feature
+
+Two new scripts have been added to the Azure Automation [GitHub repository](https://github.com/azureautomation) addressing one of Azure Automation's key scenarios of setting up a Hybrid Runbook Worker on either a Windows or a Linux machine. The script creates a new VM or uses an existing one, creates a Log Analytics workspace if needed, installs the Log Analytics agent for Windows or Log Analytics agent for Linux, and registers the machine to the Log Analytics workspace. The Windows script is named **Create Automation Windows HybridWorker** and the Linux script is **Create Automation Linux HybridWorker**.
+
+### Invoke runbook through an Azure Resource Manager template webhook
+
+**Type:** New feature
+
+See [Use a webhook from an ARM template](./automation-webhooks.md#use-a-webhook-from-an-arm-template) for more details.
+
+### Azure Update Management now supports Centos 8.x, Red Hat Enterprise Linux Server 8.x, and SUSE Linux Enterprise Server 15
+
+**Type:** New feature
+
+See the [full list](./update-management/overview.md#supported-operating-systems) of supported Linux operating systems for more details.
+
+### In-region data residency support for Brazil South and South East Asia
+
+**Type:** New feature
+
+In all regions except Brazil South and Southeast Asia, Azure Automation data is stored in a different region (Azure paired region) for providing Business Continuity and Disaster Recovery (BCDR). For the Brazil and Southeast Asia regions only, we now store Azure Automation data in the same region to accommodate data-residency requirements for these regions. See [Geo-replication in Azure Automation](./automation-managing-data.md#geo-replication-in-azure-automation) for more details.
+ ## February 2021 ### Support for Automation and State Configuration declared GA in Japan West
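Review bot: The added heading "In-region data residency support for Brazil South and South East Asia" spells the region "South East Asia", while the paragraph directly under it uses "Southeast Asia" twice; use "Southeast Asia" in both places. In the same added block, the Update Management heading has "Centos 8.x" where the existing text on this page writes "CentOS 8.x", and the Hybrid worker paragraph opens with "Two new scripts have been added" but continues with "The script creates", which should be "Each script creates".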
The script is available for download from our [GitHub repository](https://github
**Type.** New feature
-The Hybrid Runbook Worker feature supports CentOS 8.x, REHL 8.x, and SLES 15 distributions for only process automation on Hybrid Runbook Workers. See [Supported operating systems](automation-linux-hrw-install.md#supported-linux-operating-systems) for updates to the documentation to reflect these changes.
+The Hybrid Runbook Worker feature supports CentOS 8.x, REHL 8.x, and SLES 15 distributions for only process automation on Hybrid Runbook Workers. See [Supported operating systems](automation-linux-hrw-install.md#supported-linux-operating-systems) for updates to the documentation to reflect these changes.
-### Update Management & Change Tracking availability in Australia East, East Asia, West US & Central US regions
+### Update Management and Change Tracking availability in Australia East, East Asia, West US and Central US regions
**Type:** New feature
-Automation account, Change Tracking and Inventory, and Update Management are available in Australia East, East Asia, West US & Central US regions.
+Automation account, Change Tracking and Inventory, and Update Management are available in Australia East, East Asia, West US and Central US regions.
### Introduced public preview of Python 3 runbooks in US Government cloud **Type:** New feature
-Azure Automation introduces public preview support of Python 3 cloud and hybrid runbook execution in US Government cloud regions. For more information, see the [announcement](https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/).
+Azure Automation introduces public preview support of Python 3 cloud and hybrid runbook execution in US Government cloud regions. For more information, see the [announcement](https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/).
### Azure Automation runbooks moved from TechNet Script Center to GitHub
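Review bot: The replacement line for the Hybrid Runbook Worker paragraph still reads "REHL 8.x", and the visible text of the old and new lines is otherwise identical. The distribution abbreviation is RHEL, so correct it to "RHEL 8.x" while the line is being touched.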
Manage Oracle Linux 6 and 7 machines with Automation State Configuration. See [S
**Type:** New feature
-Azure Automation now supports Python 3 cloud & hybrid runbook execution in public preview in all regions in Azure global cloud. See the [announcement]((https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/) for more details.
+Azure Automation now supports Python 3 cloud and hybrid runbook execution in public preview in all regions in Azure global cloud. See the [announcement]((https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/) for more details.
## November 2020
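Review bot: The announcement link on the changed Python 3 line keeps a doubled opening parenthesis, `[announcement]((https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/)`, so the Markdown link is malformed. The change only replaces "&" with "and"; drop the extra "(" in the same edit so the link matches the correctly formed one in the US Government cloud entry.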
Azure Automation region mapping updated to support Update Management feature in
Azure Automation DNS records have been updated to support Private Links. For more information, read the [announcement](https://azure.microsoft.com/updates/azure-automation-updateddns-records/).
-### Added capability to keep Automation runbooks & DSC scripts encrypted by default
+### Added capability to keep Automation runbooks and DSC scripts encrypted by default
**Type:** New feature
-In addition to improve security of assets, runbooks & DSC scripts are also encrypted to enhance Azure Automation security.
+In addition to improve security of assets, runbooks and DSC scripts are also encrypted to enhance Azure Automation security.
## April 2020
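Review bot: The new body line under "Added capability to keep Automation runbooks and DSC scripts encrypted by default" still begins "In addition to improve security of assets", which is ungrammatical and leaves the security statement hard to read. Suggest "In addition to improving the security of assets, runbooks and DSC scripts are now encrypted by default", which also matches the heading.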
Azure Automation Hybrid Runbook Worker can be used in Azure Government to suppor
**Type:** New feature
-Automation support of service tags allow or deny the traffic for the Automation service, for a subset of scenarios. To learn more, see the [documentation](automation-hybrid-runbook-worker.md#service-tags).
+Automation support of service tags allows or denies the traffic for the Automation service, for a subset of scenarios. To learn more, see the [documentation](automation-hybrid-runbook-worker.md#service-tags).
### Enable TLS 1.2 support for Azure Automation service
availability-zones Az Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
To achieve comprehensive business continuity on Azure, build your application ar
|--|:-:| | [App Service Environments](https://docs.microsoft.com/azure/app-service/environment/zone-redundancy) | :large_blue_diamond: | | [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) | :large_blue_diamond: |
+| [Azure API Management](https://docs.microsoft.com/azure/api-management/zone-redundancy) | :large_blue_diamond: |
| [Azure Bastion](https://docs.microsoft.com/azure/bastion/bastion-overview) | :large_blue_diamond: | | [Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-high-availability) | :large_blue_diamond: | | [Azure Cognitive Search](https://docs.microsoft.com/azure/search/search-performance-optimization#availability-zones) | :large_blue_diamond: |
azure-cache-for-redis Cache Event Grid Quickstart Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-event-grid-quickstart-portal.md
Title: 'Quickstart: Route Azure Cache for Redis events to web endpoint with the Azure portal' description: Use Azure Event Grid to subscribe to Azure Cache for Redis events, send the events to a Webhook, and handle the events in a web application++ Last updated 1/5/2021 --+
+ - mode-portal
# Quickstart: Route Azure Cache for Redis events to web endpoint with the Azure portal
Now that you know how to create custom topics and event subscriptions, learn mor
- [Reacting to Azure Cache for Redis events](cache-event-grid.md) - [About Event Grid](../event-grid/overview.md)-
azure-cache-for-redis Cache Java Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-java-get-started.md
Title: 'Quickstart: Use Azure Cache for Redis in Java' description: In this quickstart, you will create a new Java app that uses Azure Cache for Redis -+ Last updated : 05/22/2020+ ms.devlang: java- Previously updated : 05/22/2020--+
+ - mvc
+ - seo-java-august2019
+ - seo-java-september2019
+ - devx-track-java
+ - mode-api
#Customer intent: As a Java developer, new to Azure Cache for Redis, I want to create a new Java app that uses Azure Cache for Redis.
azure-cache-for-redis Cache Python Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-python-get-started.md
Title: 'Quickstart: Use Azure Cache for Redis in Python'
description: In this quickstart, you learn how to create a Python App that uses Azure Cache for Redis. Last updated : 11/05/2019+ ms.devlang: python-- Previously updated : 11/05/2019+
+ - mvc
+ - seo-python-october2019
+ - devx-track-python
+ - mode-api
#Customer intent: As a Python developer new to Azure Cache for Redis, I want to create a new Python app that uses Azure Cache for Redis. # Quickstart: Use Azure Cache for Redis in Python
To delete the resource group and its Redis Cache for Azure instance:
> [!div class="nextstepaction"] > [Create a simple ASP.NET web app that uses an Azure Cache for Redis.](./cache-web-app-howto.md)-
azure-functions Functions Create Function App Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-create-function-app-portal.md
Next, create a function in the new function app.
If the request URL included an [access key](functions-bindings-http-webhook-trigger.md#authorization-keys) (`?code=...`), it means you choose **Function** instead of **Anonymous** access level when creating the function. In this case, you should instead append `&name=<your_name>`.
-1. When your function runs, trace information is written to the logs. To see the trace output, return to the **Code + Test** page in the portal and expand the **Logs** arrow at the bottom of the page.
+1. When your function runs, trace information is written to the logs. To see the trace output, return to the **Code + Test** page in the portal and expand the **Logs** arrow at the bottom of the page. Call your function again to see trace output written to the logs.
- ![Functions log viewer in the Azure portal.](./media/functions-create-first-azure-function/function-view-logs.png)
+ :::image type="content" source="media/functions-create-first-azure-function/function-view-logs.png" alt-text="Functions log viewer in the Azure portal":::
## Clean up resources
azure-government Compare Azure Government Global Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compare-azure-government-global-azure.md
Title: Compare Azure Government and global Azure | Microsoft Docs
-description: Microsoft Azure Government uses same underlying technologies as global Azure, which includes the core components of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). This article compares Azure Government and global Azure.
+description: Describe feature differences between Azure Government and global Azure.
cloud: gov documentationcenter: ''
ms.devlang: na
na Previously updated : 03/07/2021 Last updated : 04/14/2021 # Compare Azure Government and global Azure
-Microsoft Azure Government uses same underlying technologies as global Azure, which includes the core components of [Infrastructure-as-a-Service (IaaS)](https://azure.microsoft.com/overview/what-is-iaas/), [Platform-as-a-Service (PaaS)](https://azure.microsoft.com/overview/what-is-paas/), and [Software-as-a-Service (SaaS)](https://azure.microsoft.com/overview/what-is-saas/). Both Azure and Azure Government have the same comprehensive security controls in place, as well as the same Microsoft commitment on the safeguarding of customer data. Whereas both cloud environments are assessed and authorized at the FedRAMP High impact level, Azure Government provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. These commitments may be of interest to customers using the cloud to store or process data subject to US export control regulations such as the EAR, ITAR, and DoE 10 CFR Part 810.
+Microsoft Azure Government uses same underlying technologies as global Azure, which includes the core components of [Infrastructure-as-a-Service (IaaS)](https://azure.microsoft.com/overview/what-is-iaas/), [Platform-as-a-Service (PaaS)](https://azure.microsoft.com/overview/what-is-paas/), and [Software-as-a-Service (SaaS)](https://azure.microsoft.com/overview/what-is-saas/). Both Azure and Azure Government have the same comprehensive security controls in place, as well as the same Microsoft commitment on the safeguarding of customer data. Whereas both cloud environments are assessed and authorized at the FedRAMP High impact level, Azure Government provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to [screened US persons](./documentation-government-plan-security.md#screening). These commitments may be of interest to customers using the cloud to store or process data subject to US export control regulations.
### Export control implications
-Customers are responsible for designing and deploying their applications to meet [export control requirements](./documentation-government-overview-itar.md) such as those prescribed in the EAR and ITAR. In doing so, customers should not include sensitive or restricted information in Azure resource names, as explained in [Considerations for naming Azure resources](./documentation-government-concept-naming-resources.md). Data stored or processed in customer VMs, storage accounts, databases, Azure Import/Export, Azure Cache for Redis, ExpressRoute, Azure Cognitive Search, App Service, API Management, and other Azure services suitable for holding, processing, or transmitting customer data can contain export-controlled data. However, metadata for these Azure services is not permitted to contain export-controlled data. This metadata includes all configuration data entered when creating and maintaining an Azure service, including subscription names, service names, server names, database names, tenant role names, resource groups, deployment names, resource names, resource tags, circuit name, etc. It also includes all shipping information that is used to transport media for Azure Import/Export, such as carrier name, tracking number, description, return information, drive list, package list, storage account name, container name, etc. Sensitive data should not be included in HTTP headers sent to the REST API in search/query strings as part of the API.
+Customers are responsible for designing and deploying their applications to meet [US export control requirements](./documentation-government-overview-itar.md) such as the requirements prescribed in the EAR, ITAR, and DoE 10 CFR Part 810. In doing so, customers should not include sensitive or restricted information in Azure resource names, as explained in [Considerations for naming Azure resources](./documentation-government-concept-naming-resources.md).
### Guidance for developers
The following Translator **features are not currently available** in Azure Gover
This section outlines variations and considerations when using Analytics services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share,power-bi-embedded,analysis-services,event-hubs,data-lake-analytics,storage,data-catalog,data-factory,synapse-analytics,stream-analytics,databricks,hdinsight&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-iowa,usgov-texas,usgov-virginia).
+### [Azure Data Factory](../data-factory/index.yml)
+
+The following Data Factory **features are not currently available** in Azure Government:
+
+- Mapping data flows
### [Azure Databricks](/azure/databricks/scenarios/what-is-azure-databricks)
The following Virtual Machines **features are not currently available** in Azure
When connecting your function app to Application Insights in Azure Government, make sure you use [`APPLICATIONINSIGHTS_CONNECTION_STRING`](../azure-functions/functions-app-settings.md#applicationinsights_connection_string), which lets you customize the Application Insights endpoint. + ## Databases This section outlines variations and considerations when using Databases services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-api-for-fhir,data-factory,sql-server-stretch-database,redis-cache,database-migration,synapse-analytics,postgresql,mariadb,mysql,sql-database,cosmos-db&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-iowa,usgov-texas,usgov-virginia).
The calculation for recommending that you should right-size or shut down underut
If you want to be more aggressive at identifying underutilized virtual machines, you can adjust the CPU utilization rule on a per subscription basis. + ## Media This section outlines variations and considerations when using Media services in the Azure Government environment.
The following Azure Security Center **features are not currently available** in
- [Connect GCP account](../security-center/quickstart-onboard-gcp.md) - [Integrated vulnerability assessment for machines (powered by Qualys)](../security-center/deploy-vulnerability-assessment-vm.md).
- >[!NOTE]
- >Security Center internal assessments are provided to discover security misconfigurations, based on Common Configuration Enumeration such as password policy, windows FW rules, local machine audit and security policy, and additional OS hardening settings.
+ > [!NOTE]
+ > Security Center internal assessments are provided to discover security misconfigurations, based on Common Configuration Enumeration such as password policy, windows FW rules, local machine audit and security policy, and additional OS hardening settings.
- **Threat detection** - [Azure Defender for App Service](../security-center/defender-for-app-service-introduction.md). - [Azure Defender for Key Vault](../security-center/defender-for-key-vault-introduction.md) - *Specific detections*: Detections based on VM log periodic batches, Azure core router network logs, and threat intelligence reports.
- >[!NOTE]
- >Near real-time alerts generated based on security events and raw data collected from the VMs are captured and displayed.
+ > [!NOTE]
+ > Near real-time alerts generated based on security events and raw data collected from the VMs are captured and displayed.
- **Environment hardening** - [Adaptive network hardening](../security-center/security-center-adaptive-network-hardening.md)
Azure relies on [paired regions](../best-practices-availability-paired-regions.m
Table in Guidance for developers section shows URL endpoints for main Azure Storage services.
->[!NOTE]
->All your scripts and code need to account for the appropriate endpoints. See [**Configure Azure Storage Connection Strings**](../storage/common/storage-configure-connection-string.md).
+> [!NOTE]
+> All your scripts and code need to account for the appropriate endpoints. See [**Configure Azure Storage Connection Strings**](../storage/common/storage-configure-connection-string.md).
For more information on APIs, see [Cloud Storage Account Constructor](/java/api/com.microsoft.azure.storage.cloudstorageaccount.cloudstorageaccount). The endpoint suffix to use in these overloads is *core.usgovcloudapi.net*.
->[!NOTE]
->If error 53 ("The network path was not found") is returned while you're [**mounting the file share**](../storage/files/storage-dotnet-how-to-use-files.md), a firewall might be blocking the outbound port. Try mounting the file share on VM that's in the same Azure subscription as the storage account.
+> [!NOTE]
+> If error 53 ("The network path was not found") is returned while you're [**mounting the file share**](../storage/files/storage-dotnet-how-to-use-files.md), a firewall might be blocking the outbound port. Try mounting the file share on VM that's in the same Azure subscription as the storage account.
When you're deploying the **StorSimple** Manager service, use the [https://portal.azure.us/](https://portal.azure.us/) URL for the Azure Government portal. For deployment instructions for [StorSimple Virtual Array](../storsimple/storsimple-ova-system-requirements.md), see StorSimple Virtual Array system requirements. For the StorSimple 8000 series, see [StorSimple software, high availability, and networking requirements](../storsimple/storsimple-8000-system-requirements.md) and go to the **Deploy** section from the left menu. For more information on StorSimple, see the [StorSimple documentation](../storsimple/index.yml).
azure-government Documentation Government Concept Naming Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-concept-naming-resources.md
Title: Considerations for naming Azure resources | Microsoft Docs
-description: This article contains guidance on how customers should consider naming their Azure resources to prevent attribution to business/mission sensitive workloads.
+description: Guidance on how customers should consider naming their Azure resources to prevent accidental spillage of sensitive data
cloud: gov
na Previously updated : 4/6/2020 Last updated : 04/14/2021 # Considerations for naming Azure resources
-Customers should not include sensitive or restricted information in Azure Resource Names because they may be stored or accessed outside the compliance boundary to facilitate support and troubleshooting.
-Azure Resource Names include information provided by you, or on your behalf, that is used to identify or configure Online Service resources, such as software, systems, or containers, but does **not** include customer-created content or metadata inside the resource (for example, database column/table names). Azure Resource Names include the names a customer assigns to Azure Resource Manager level objects and resources deployed in Azure. Examples include the names of resources such as:
-* VNets (Virtual Networks)
-* Virtual Hard Disks (VHDs)
-* Database Servers & Databases
-* Virtual Network Interface
-* Network Security Groups
-* Key Vaults
+
+Customers should not include sensitive or restricted information in Azure resource names because it may be stored or accessed outside the compliance boundary to facilitate support and troubleshooting. Examples of sensitive information include data subject to:
+
+- [Export control laws](./documentation-government-overview-itar.md)
+- [DoD Impact Level 5 isolation requirements](./documentation-government-impact-level-5.md)
+- [Controlled Unclassified Information](/azure/compliance/offerings/offering-nist-800-171) (CUI) that warrants extra protection or is subject to NOFORN marking
+- And others
+
+Data stored or processed in customer VMs, storage accounts, databases, Azure Import/Export, Azure Cache for Redis, ExpressRoute, Azure Cognitive Search, App Service, API Management, and other Azure services suitable for holding, processing, or transmitting customer data can contain sensitive data. However, metadata for these Azure services is not permitted to contain sensitive or restricted data. This metadata includes all configuration data entered when creating and maintaining an Azure service, including:
+
+- Subscription names, service names, server names, database names, tenant role names, resource groups, deployment names, resource names, resource tags, circuit name, and so on.
+- All shipping information that is used to transport media for Azure Import/Export, such as carrier name, tracking number, description, return information, drive list, package list, storage account name, container name, and so on.
+- Data in HTTP headers sent to the REST API in search/query strings as part of the API.
+- Device/policy/application and [other metadata](/mem/intune/protect/privacy-data-collect) sent to Intune.
+
+Azure resource names include information provided by you, or on your behalf, that is used to identify or configure cloud service resources, such as software, systems, or containers. However, it does **not** include customer-created content or metadata inside the resource (for example, database column/table names). Azure resource names include the names a customer assigns to Azure Resource Manager level objects and resources deployed in Azure. Examples include the names of resources such as virtual networks, virtual hard disks, database servers and databases, virtual network interface, network security groups, key vaults, and others.
>[!NOTE] >The above examples are but a subset of the types of resources customers can name. This list is not meant to be fully exhaustive and the types of resources could change in the future as new cloud services are added. > ## Naming convention+ The names of Azure resources are part of a larger resource ID as follows: `/subscriptions/<subscriptionID>/resourceGroups/<ResourceGroupName>/providers/<ResourceProvider>/<ResourceType>/<ResourceName>`
An example of a virtual machine resource ID is:
`/subscriptions/<subscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Compute/virtualMachines/<virtualMachineName>` - ## Naming considerations
-For all names that meet the criteria above, from the name of the larger resource group to the name of the end resources within it, customers should avoid names that are sensitive to business/mission functions. Customers should also avoid names that indicate customer regulatory requirements (for example, [ITAR](/microsoft-365/compliance/offering-itar), [CJIS](/microsoft-365/compliance/offering-cjis), and so on), as applicable.
+
+Customers should avoid names that are sensitive to business or mission functions. This guidance applies to all names that meet the criteria above, from the name of the larger resource group to the name of the end resources within it. Customers should also avoid names that indicate customer regulatory requirements, for example:
+
+- [EAR](/azure/compliance/offerings/offering-ear)
+- [ITAR](/azure/compliance/offerings/offering-itar)
+- [CNSSI 1253](/azure/compliance/offerings/offering-cnssi-1253)
+- [CJIS](/azure/compliance/offerings/offering-cjis)
+- [IRS 1075](/azure/compliance/offerings/offering-irs-1075)
+- And others as applicable
>[!NOTE]
->Also consider naming of resource tags when reviewing the [Resource naming and tagging decision guide](/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=%2fazure%2f%253eazure-resource-manager%2fmanagement%2ftoc.json).
->
+>Also consider naming of resource tags when reviewing the **[Resource naming and tagging decision guide](/azure/cloud-adoption-framework/decision-guides/resource-tagging/).**
-Customers should understand and take into account the resource naming convention to help ensure operational security, as Microsoft personnel could use the full resource ID in the following example scenarios:
+Customers should understand and take into account the resource naming convention to help ensure operational security, as Microsoft personnel could use the full resource ID in the following example scenarios:
-* Microsoft support personnel may use the full resource ID of resources during support events to ensure we're identifying the right resource within a customer's subscription to provide support for.
-* Microsoft product engineering personnel could use full resource IDs during routine monitoring of telemetry data to identify deviance from baseline/average system performance.
-* Proactive communication to customers about impacted resources during internally discovered incidents.
+- Microsoft support personnel may use the full resource ID of resources during support events to ensure we're identifying the right resource within a customer's subscription.
+- Microsoft product engineering personnel could use full resource IDs during routine monitoring of telemetry data to identify deviations from baseline or average system performance.
+- Proactive communication to customers about impacted resources during internally discovered incidents.
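Review bot: The added bullet "Data in HTTP headers sent to the REST API in search/query strings as part of the API." is ambiguous about what counts as metadata, because it names both HTTP headers and search/query strings in one clause. The sentence it is derived from said that sensitive data should not be included in HTTP headers sent to the REST API in search/query strings, so the bullet should state plainly whether headers, query strings, or both are in scope, for example "Data in HTTP headers and in search/query strings sent to the REST API" if both are intended. The first list's closing item "And others" also gives the reader nothing to act on and could be replaced by a lead-in such as "Examples of sensitive information include, but are not limited to, data subject to:".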
azure-government Documentation Government Csp List https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-csp-list.md
Below you can find a list of all the authorized Cloud Solution Providers, AOS-G
|[RMON Networks Inc.](https://rmonnetworks.com/)| |[rmsource, Inc.](https://www.rmsource.com)| |[RoboTech Science, Inc.](https://robotechscience.com)|
-|[Rollout Systems LLC](https://www.rolloutsys.com)|
+|[Rollout Systems LLC](http://www.rolloutsys.com/)|
|[RV Global Solutions](https://rvglobalsolutions.com/)| |[Saiph Technologies Corporation](http://www.saiphtech.com/)| |[SAP NS2](https://sapns2.com)|
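Review bot: The Rollout Systems LLC link changes from `https://www.rolloutsys.com` to `http://www.rolloutsys.com/`, which downgrades an outbound link on a government partner list from HTTPS to plain HTTP. Unless the site no longer serves HTTPS, keep the `https://` scheme; if HTTPS is really unavailable, say so in the commit message so the downgrade is a recorded decision.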
Below you can find a list of all the authorized Cloud Solution Providers, AOS-G
|[Secure-24](https://www.secure-24.com)| |[Selex Galileo Inc](http://www.selexgalileo.com/)| |[Sev1Tech](https://www.sev1tech.com/)|
-|[SEV Technologies](https://sevtechnologies.com/)|
+|[SEV Technologies](http://sevtechnologies.com/)|
|[Sevatec Inc.](https://www.sevatec.com/)| |[Shadow-Soft, LLC.](https://shadow-soft.com)| |[SHI International Corp](https://www.shi.com)|
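Review bot: The SEV Technologies link moves from `https://sevtechnologies.com/` to `http://sevtechnologies.com/`, dropping transport security for readers who follow it. Confirm the HTTPS endpoint is actually broken before merging, and prefer fixing the host or path over switching the scheme.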
azure-government Documentation Government Impact Level 5 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-impact-level-5.md
Title: Azure Government isolation guidelines for Impact Level 5
-description: 'This article provides guidance for Azure Government Cloud configurations required to implement Impact Level 5 workloads for the DoD.'
+description: Guidance for configuring Azure Government services for DoD Impact Level 5 workloads
cloud: gov documentationcenter: ''
ms.devlang: na
na Previously updated : 1/25/2021 Last updated : 04/14/2021 #Customer intent: As a DoD mission owner, I want to know how to implement a workload at Impact Level 5 in Microsoft Azure Government.
Azure Government supports applications that use Impact Level 5 (IL5) data in all
## Background
-In January 2017, DISA awarded the IL5 Provisional Authorization (PA) to [Azure Government for DoD](https://azure.microsoft.com/global-infrastructure/government/dod/), making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government for DoD regions (US DoD Central and US DoD East) that are dedicated to the DoD. Based on DoD mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA boundary in December 2018 to cover [Azure Government](https://azure.microsoft.com/global-infrastructure/government/get-started/). Azure Government is available from three regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) to US federal, state, local, and tribal governments and their partners. The IL5 expansion to Azure Government honors the isolation requirements mandated by the DoD.
+In January 2017, DISA awarded the IL5 Provisional Authorization (PA) to [Azure Government](https://azure.microsoft.com/global-infrastructure/government/get-started/), making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government regions (US DoD Central and US DoD East) that are [dedicated to the DoD](https://azure.microsoft.com/global-infrastructure/government/dod/). Based on DoD mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA boundary in December 2018 to cover the remaining Azure Government regions: US Gov Arizona, US Gov Texas, and US Gov Virginia. For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-iowa,usgov-texas,usgov-virginia). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).
-Azure Government continues to provide more PaaS services suitable for DoD IL5 workloads than any other cloud services environment.
+Azure Government is available to US federal, state, local, and tribal governments and their partners. The IL5 expansion to Azure Government honors the isolation requirements mandated by the DoD. Azure Government continues to provide more PaaS services suitable for DoD IL5 workloads than any other cloud services environment.
## Principles and approach
-You need to address two key areas for Azure services in IL5 scope: storage isolation and compute isolation. We'll focus on how these services can help isolate the compute and storage of IL5 data. The SRG allows for a shared management and network infrastructure. **This article is focused on Azure Government compute and storage isolation approaches.** If an Azure service is available in Azure Government for DoD and authorized at IL5, then it is by default suitable for IL5 workloads with no extra isolation configuration required. Azure Government for DoD is reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design.
+You need to address two key areas for Azure services in IL5 scope: storage isolation and compute isolation. We'll focus in this article on how Azure services can help isolate the compute and storage of IL5 data. The SRG allows for a shared management and network infrastructure. **This article is focused on Azure Government compute and storage isolation approaches for US Gov Arizona, US Gov Texas, and US Gov Virginia regions.** If an Azure service is available in Azure Government DoD regions and authorized at IL5, then it is by default suitable for IL5 workloads with no extra isolation configuration required. Azure Government DoD regions are reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design.
-For Azure service availability in Azure Government and Azure Government for DoD, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&products=all). For IL5 authorization status, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).
+> [!IMPORTANT]
+> You are responsible for designing and deploying your applications to meet DoD IL5 compliance requirements. In doing so, you should not include sensitive or restricted information in Azure resource names, as explained in **[Considerations for naming Azure resources](./documentation-government-concept-naming-resources.md).**
### Compute isolation
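Review bot: In the added IL5 PA paragraph, "Microsoft has partnered with DISA to expand the IL5 PA boundary in December 2018" pairs the present perfect with a fixed past date; "Microsoft partnered with DISA in December 2018 to expand the IL5 PA boundary" reads correctly. In the new important note, the bold markers enclose the whole link and the closing period, so either drop the bold or keep the period outside it.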
For services where the compute processes are obfuscated from access by the owner
### Storage isolation
-In the most recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in FIPS 140-2 validated Hardware Security Modules (HSM). The keys are owned and managed by the IL5 system owner.
+In a recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in FIPS 140-2 validated Hardware Security Modules (HSMs). The keys are owned and managed by the IL5 system owner (also known as customer-managed keys).
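Review bot: The parenthetical at the end of the rewritten storage isolation paragraph attaches to the wrong noun: "The keys are owned and managed by the IL5 system owner (also known as customer-managed keys)" reads as if the system owner is called customer-managed keys. Suggest "These customer-managed keys are owned and managed by the IL5 system owner." Also, "a recent PA" is less specific than the removed "the most recent PA"; dating the PA would let readers verify which authorization approved cryptographic separation.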
Here's how this approach applies to
Azure DevTest Labs supports Impact Level 5 workloads in Azure Government with no
### [Azure Stack Edge](https://azure.microsoft.com/products/azure-stack/edge/)
-You can protect data via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. Access to the storage account is controlled by the subscription and FIPS-compliant storage access keys associated with the storage account. For more information, see [Protect your data](../databox-online/azure-stack-edge-security.md#protect-your-data).
+Azure Stack Edge supports Impact Level 5 workloads in Azure Government with this configuration:
-Azure Stack Edge supports Impact Level 5 workloads in Azure Government with no extra configuration required.
+- You can protect data at rest via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. You can configure your storage account to use data encryption with customer-managed keys stored in Azure Key Vault. For more information, see [Protect data in storage accounts](../databox-online/azure-stack-edge-pro-r-security.md#protect-data-in-storage-accounts).
## Identity
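Review bot: The new Azure Stack Edge bullet sits under "supports Impact Level 5 workloads in Azure Government with this configuration:" but is worded as an option ("You can configure your storage account to use data encryption with customer-managed keys"), so it is unclear whether customer-managed keys are required for IL5. If they are, state it as a requirement ("Configure the storage account to use ..."). The link also moves from azure-stack-edge-security.md to azure-stack-edge-pro-r-security.md; if the guidance applies to every Azure Stack Edge device, say so in the bullet.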
Log Analytics may also be used to ingest additional customer-provided logs. Thes
### [Microsoft Intune](/intune/what-is-intune)
-Intune supports Impact Level 5 workloads in Azure Government with no extra configuration required.
+Intune supports Impact Level 5 workloads in Azure Government with no extra configuration required. Line-of-business apps should be evaluated for IL5 restrictions prior to [uploading to Intune storage](/mem/intune/apps/apps-add). While Intune does encrypt applications that are uploaded to the service for distribution, it does not support customer-managed keys.
## Media
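Review bot: The added Intune sentences pull against the unchanged opening sentence: the entry still says "no extra configuration required", yet the new text asks for line-of-business apps to be evaluated and states that Intune "does not support customer-managed keys", which the storage isolation section describes as the IL5 separation approach. Spell out what "evaluated for IL5 restrictions" means in practice so the reader knows what action is expected before uploading.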
azure-monitor Action Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/action-groups.md
If you are not receiving Notifications on your *primary email*, then you can try
You may have a limited number of email actions in an Action Group. See the [rate limiting information](./alerts-rate-limiting.md) article.
+While setting up *Email ARM Role* you need to make sure below 3 conditions are met:
+
+1. The type of the entity being assigned to the role needs to be **ΓÇ£UserΓÇ¥**.
+2. The assignment needs to be done at the **subscription** level.
+3. The user needs to have an email configured in their **AAD profile**.
++ ### Function Calls an existing HTTP trigger endpoint in [Azure Functions](../../azure-functions/functions-get-started.md). To handle a request, your endpoint must handle the HTTP POST verb.
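Review bot: In the added Email ARM Role conditions, item 1 shows as **ΓÇ£UserΓÇ¥**, so the typographic quotes inside the bold are not surviving encoding; check the source file and use straight quotes or drop them, since the value is already bold. "make sure below 3 conditions are met" would read better as "make sure the following three conditions are met", and "AAD profile" should be expanded on first use.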
azure-monitor Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-overview.md
+
+ Title: Application Insights availability overview
+description: Set up recurring web tests to monitor availability and responsiveness of your app or website.
+ Last updated : 04/15/2021+++
+# Availability tests overview
+
+After you've deployed your web app/website, you can set up recurring tests to monitor availability and responsiveness. [Application Insights](./app-insights-overview.md) sends web requests to your application at regular intervals from points around the world. It can alert you if your application isn't responding, or if it responds too slowly.
+
+You can set up availability tests for any HTTP or HTTPS endpoint that is accessible from the public internet. You don't have to make any changes to the website you're testing. In fact, it doesn't even have to be a site you own. You can test the availability of a REST API that your service depends on.
+
+## Types of availability tests
+
+There are four types of availability tests:
+
+* [URL ping test](monitor-web-app-availability.md): This category has two simple tests you can create through the portal.
+ - Basic ping test: A simple test that you can create in the Azure portal.
+ - Standard ping test: A more advanced standard ping test with features like using any HTTP request methods(for example `GET`,`HEAD`,`POST`,etc) or adding custom headers.
+* [Multi-step web test](availability-multistep.md): A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.
+* [Custom Track Availability Tests](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability): If you decide to create a custom application to run availability tests, the `TrackAvailability()` method can be used to send the results to Application Insights.
+
+> [!IMPORTANT]
+> Both, [URL ping test](monitor-web-app-availability.md) and [multi-step web test](availability-multistep.md) rely on the public internet DNS infrastructure to resolve the domain names of the tested endpoints. This means that if you are using Private DNS, you must either ensure that every domain name of your test is also resolvable by the public domain name servers or, when it is not possible, you can use [custom track availability tests](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability) instead.
+
+**You can create up to 100 availability tests per Application Insights resource.**
+
+## Troubleshooting
+
+Dedicated [troubleshooting article](troubleshoot-availability.md).
+
+## Next step
+
+* [Availability Alerts](availability-alerts.md)
+* [Multi-step web tests](availability-multistep.md)
+* [URL tests](monitor-web-app-availability.md)
+* [Create and run custom availability tests using Azure Functions.](availability-azure-functions.md)
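Review bot: "There are four types of availability tests:" is followed by three top-level bullets (URL ping test, multi-step web test, custom track availability tests), with basic and standard ping tests nested under the first. Either promote basic and standard to top-level items or change the sentence to match the list. Smaller points in the same file: "HTTP request methods(for example `GET`,`HEAD`,`POST`,etc)" needs a space before the parenthesis and after each comma, and the heading "## Next step" is singular above four links.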
azure-monitor Monitor Web App Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/monitor-web-app-availability.md
Title: Monitor availability and responsiveness of any web site | Microsoft Docs
-description: Set up web tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly.
+ Title: Monitor availability and responsiveness of any web site - Azure Monitor
+description: Set up ping tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly.
Previously updated : 03/10/2021 Last updated : 04/15/2021 # Monitor the availability of any website
-After you've deployed your web app/website, you can set up recurring tests to monitor availability and responsiveness. [Azure Application Insights](./app-insights-overview.md) sends web requests to your application at regular intervals from points around the world. It can alert you if your application isn't responding, or if it responds too slowly.
+The name "URL ping test" is a bit of a misnomer. To be clear, these tests are not making any use of ICMP (Internet Control Message Protocol) to check your site's availability. Instead they use more advanced HTTP request functionality to validate whether an endpoint is responding. They also measure the performance associated with that response, and adds the ability to set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
-You can set up availability tests for any HTTP or HTTPS endpoint that is accessible from the public internet. You don't have to make any changes to the website you're testing. In fact, it doesn't even have to be a site you own. You can test the availability of a REST API that your service depends on.
+There are two types of URL ping test you can create, basic and standard ping tests.
-### Types of availability tests:
-
-There are three types of availability tests:
-
-* [URL ping test](#create-a-url-ping-test): a simple test that you can create in the Azure portal.
-* [Multi-step web test](availability-multistep.md): A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.
-* [Custom Track Availability Tests](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability): If you decide to create a custom application to run availability tests, the `TrackAvailability()` method can be used to send the results to Application Insights.
-
-**You can create up to 100 availability tests per Application Insights resource.**
-
-> [!IMPORTANT]
-> Both, [URL ping test](#create-a-url-ping-test) and [multi-step web test](availability-multistep.md) rely on the public internet DNS infrastructure to resolve the domain names of the tested endpoints. This means that if you are using Private DNS, you must either ensure that every domain name of your test is also resolvable by the public domain name servers or, when it is not possible, you can use [custom track availability tests](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability) instead.
+> [!NOTE]
+> Basic and Standard ping tests are currently in public preview. These preview versions are provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
-## Create an Application Insights resource
+Basic vs Standard:
-In order to create an availability test, you first need to create an Application Insights resource. If you have already created a resource, proceed to the next section to [create a URL Ping test](#create-a-url-ping-test).
+- Basic is restricted to five locations per test.
+- Standard tests can have custom headers or request body.
+- Standard tests can use any HTTP request method while basic can only use `GET`.
+- SSL certificate lifetime check alerts you of a set period time before your certificate expires.
+- Standard tests are a paid feature.
-From the Azure portal, select **Create a resource** > **Developer Tools** > **Application Insights** and [create an Application Insights resource](create-new-resource.md).
+> [!NOTE]
+> There are currently no additional charges for the preview feature Standard Ping tests. Pricing for features that are in preview will be announced in the future and a notice provided prior to start of billing. Should you choose to continue using Standard Ping tests after the notice period, you will be billed at the applicable rate.
## Create a URL ping test
-The name "URL ping test" is a bit of a misnomer. To be clear, this test is not making any use of ICMP (Internet Control Message Protocol) to check your site's availability. Instead it uses more advanced HTTP request functionality to validate whether an endpoint is responding. It also measures the performance associated with that response, and adds the ability to set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
-
-To create your first availability request, open the Availability pane and select **Create Test**.
+In order to create an availability test, you need use an existing Application Insight resource or [create an Application Insights resource](create-new-resource.md).
-![Fill at least the URL of your website](./media/monitor-web-app-availability/availability-create-test-001.png)
+To create your first availability request, open the Availability pane and selectΓÇ» Create Test & choose your test SKU.
-### Create a test
-|Setting| Explanation
-|-|-|-|
+|Setting | Explanation |
+|--|-|
|**URL** | The URL can be any web page you want to test, but it must be visible from the public internet. The URL can include a query string. So, for example, you can exercise your database a little. If the URL resolves to a redirect, we follow it up to 10 redirects.|
-|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources cannot be successfully downloaded within the timeout for the whole test. If the option is not checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site.
-|**Enable retries**|when the test fails, it is retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|
+|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources cannot be successfully downloaded within the timeout for the whole test. If the option is not checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site. |
+|**Enable retries**| When the test fails, it is retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|
+| **SSL certificate validation test** | You can verify the SSL certificate on your website to make sure it is correctly installed, valid, trusted and doesn't give any errors to any of your users. |
+| **Proactive lifetime check** | This enables you to define a set time period before your SSL certificate expires. Once it expires your test will fail. |
|**Test frequency**| Sets how often the test is run from each test location. With a default frequency of five minutes and five test locations, your site is tested on average every minute.|
-|**Test locations**| Are the places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** in order to insure that you can distinguish problems in your website from network issues. You can select up to 16 locations.
+|**Test locations**| Are the places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** in order to insure that you can distinguish problems in your website from network issues. You can select more than five locations with standard test and up to 16 locations.|
**If your URL is not visible from the public internet, you can choose to selectively open up your firewall to allow only the test transactions through**. To learn more about the firewall exceptions for our availability test agents, consult the [IP address guide](./ip-addresses.md#availability-tests). > [!NOTE] > We strongly recommend testing from multiple locations with **a minimum of five locations**. This is to prevent false alarms that may result from transient issues with a specific location. In addition we have found that the optimal configuration is to have the **number of test locations be equal to the alert location threshold + 2**.
-### Success criteria
+## Standard Test
++
+|Setting | Explanation |
+|--|-|
+| **Custom headers** | Key value pairs that define the operating parameters. |
+| **HTTP request verb** | Indicate what action you would like to take with your request. IF your chosen verb is not available in the UI you can deploy a standard test using Azure Resource Monitor with the desired choice. |
+| **Request body** | Custom data associated with your HTTP request. You can upload type own files type in your content, or disable this feature. For raw body content we support TEXT, JSON, HTML, XML, and JavaScript. |
+
+## Success criteria
|Setting| Explanation |-|-|-|
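Review bot: The two descriptions of the certificate expiry check do not say when the test actually fails. In the Basic vs Standard list, "SSL certificate lifetime check alerts you of a set period time before your certificate expires" is missing a word and is not tied to either tier, and the table row for **Proactive lifetime check** ends with "Once it expires your test will fail", where "it" can mean the certificate or the configured period. State explicitly which event fails the test and which tier offers the check. In the Standard Test table, "Azure Resource Monitor" looks like it should be "Azure Resource Manager", the name used in the location population tags paragraph; "IF" should be "If"; and "You can upload type own files type in your content" is garbled. In the intro, "and adds the ability" should be "and add" now that the subject is plural, and "you need use an existing Application Insight resource" is missing "to" and the final "s".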
To create your first availability request, open the Availability pane and select
| **HTTP response** | The returned status code that is counted as a success. 200 is the code that indicates that a normal web page has been returned.| | **Content match** | A string, like "Welcome!" We test that an exact case-sensitive match occurs in every response. It must be a plain string, without wildcards. Don't forget that if your page content changes you might have to update it. **Only English characters are supported with content match** |
-### Alerts
+## Alerts
|Setting| Explanation |-|-|-| |**Near-realtime (Preview)** | We recommend using Near-realtime alerts. Configuring this type of alert is done after your availability test is created. | |**Alert location threshold**|We recommend a minimum of 3/5 locations. The optimal relationship between alert location threshold and the number of test locations is **alert location threshold** = **number of test locations - 2, with a minimum of five test locations.**|
-### Location population tags
+## Location population tags
The following population tags can be used for the geo-location attribute when deploying an availability URL ping test using Azure Resource Manager.
-#### Azure Gov
+#### Azure gov
| Display Name | Population Name | |-||
Availability test results can be visualized with both line and scatter plot view
After a few minutes, click **Refresh** to see your test results.
-![Screenshot shows the Availability page with the Refresh button highlighted.](./media/monitor-web-app-availability/availability-refresh-002.png)
The scatterplot view shows samples of the test results that have diagnostic test-step detail in them. The test engine stores diagnostic detail for tests that have failures. For successful tests, diagnostic details are stored for a subset of the executions. Hover over any of the green/red dots to see the test, test name, and location.
-![Line view](./media/monitor-web-app-availability/availability-scatter-plot-003.png)
Select a particular test, location, or reduce the time period to see more results around the time period of interest. Use Search Explorer to see results from all executions, or use Analytics queries to run custom reports on this data.
Select a particular test, location, or reduce the time period to see more result
To edit, temporarily disable, or delete a test click the ellipses next to a test name. It may take up to 20 minutes for configuration changes to propagate to all test agents after a change is made.
-![View test details. Edit and Disable a web test](./media/monitor-web-app-availability/edit.png)
You might want to disable availability tests or the alert rules associated with them while you are performing maintenance on your service. ## If you see failures
-Click a red dot.
+Select a red dot.
-![Click a red dot](./media/monitor-web-app-availability/open-instance-3.png)
From an availability test result, you can see the transaction details across all components. Here you can:
+* Review the troubleshooting report to determine what may have caused your test to fail but your application is still available.
* Inspect the response received from your server. * Diagnose failure with correlated server-side telemetry collected while processing the failed availability test. * Log an issue or work item in Git or Azure Boards to track the problem. The bug will contain a link to this event. * Open the web test result in Visual Studio.
-Learn more about the end to end transaction diagnostics experience [here](./transaction-diagnostics.md).
+To learn more about the end to end transaction diagnostics experience visit the [transaction diagnostics documentation](./transaction-diagnostics.md).
Click on the exception row to see the details of the server-side exception that caused the synthetic availability test to fail. You can also get the [debug snapshot](./snapshot-debugger.md) for richer code level diagnostics.
-![Server-side diagnostics](./media/monitor-web-app-availability/open-instance-4.png)
In addition to the raw results, you can also view two key Availability metrics in [Metrics Explorer](../essentials/metrics-getting-started.md):
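Review bot: The added bullet "Review the troubleshooting report to determine what may have caused your test to fail but your application is still available" does not parse; "... caused your test to fail while your application is still available" is probably what is intended. The change from "Click a red dot" to "Select a red dot" also leaves "Click on the exception row" a few lines below, so the verbs are now mixed within the same section.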
In addition to the raw results, you can also view two key Availability metrics i
* [Use PowerShell scripts to set up an availability test](./powershell.md#add-an-availability-test) automatically. * Set up a [webhook](../alerts/alerts-webhooks.md) that is called when an alert is raised.
-## Troubleshooting
-
-Dedicated [troubleshooting article](troubleshoot-availability.md).
## Next steps * [Availability Alerts](availability-alerts.md) * [Multi-step web tests](availability-multistep.md)-
+* [Troubleshooting](troubleshoot-availability.md)
azure-monitor Opencensus Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/opencensus-python.md
Azure Monitor supports distributed tracing, metric collection, and logging of Py
## Prerequisites - An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.-- Python installation. This article uses [Python 3.7.0](https://www.python.org/downloads/release/python-370/), although other versions will likely work with minor changes. The SDK only supports Python versions 2.7 and 3.6+.
+- Python installation. This article uses [Python 3.7.0](https://www.python.org/downloads/release/python-370/), although other versions will likely work with minor changes. The SDK only supports Python v2.7 and v3.4-v3.7.
- Create an Application Insights [resource](./create-new-resource.md). You'll be assigned your own instrumentation key (ikey) for your resource. ## Instrument with OpenCensus Python SDK for Azure Monitor
OpenCensus.stats supports 4 aggregation methods but provides partial support for
1. The exporter sends metric data to Azure Monitor at a fixed interval. The default is every 15 seconds. We're tracking a single metric, so this metric data, with whatever value and time stamp it contains, is sent every interval. The value is cumulative, can only increase and resets to 0 on restart. You can find the data under `customMetrics`, but `customMetrics` properties valueCount, valueSum, valueMin, valueMax, and valueStdDev are not effectively used.
+### Setting custom dimensions in metrics
+
+Opencensus Python SDK allows adding custom dimensions to your metrics telemetry by the way of `tags`, which are essentially a dictionary of key/value pairs.
+
+1. Insert the tags that you want to use into the tag map. The tag map acts like a sort of "pool" of all available tags you can use.
+
+```python
+...
+tmap = tag_map_module.TagMap()
+tmap.insert("url", "http://example.com")
+...
+```
+
+1. For a specific `View`, specify the tags you want to use when recording metrics with that view via the tag key.
+
+```python
+...
+prompt_view = view_module.View("prompt view",
+ "number of prompts",
+ ["url"], # <-- A sequence of tag keys used to specify which tag key/value to use from the tag map
+ prompt_measure,
+ aggregation_module.CountAggregation())
+...
+```
+
+1. Be sure to use the tag map when recording in the measurement map. The tag keys that are specified in the `View` must be found in the tag map used to record.
+
+```python
+...
+mmap = stats_recorder.new_measurement_map()
+mmap.measure_int_put(prompt_measure, 1)
+mmap.record(tmap) # <-- pass the tag map in here
+...
+```
+
+1. Under the `customMetrics` table, all metrics records emitted using the `prompt_view` will have custom dimensions `{"url":"http://example.com"}`.
+
+1. To produce tags with different values using the same keys, create new tag maps for them.
+
+```python
+...
+tmap = tag_map_module.TagMap()
+tmap2 = tag_map_module.TagMap()
+tmap.insert("url", "http://example.com")
+tmap2.insert("url", "https://www.wikipedia.org/wiki/")
+...
+```
+ #### Performance counters By default, the metrics exporter sends a set of performance counters to Azure Monitor. You can disable this by setting the `enable_standard_metrics` flag to `False` in the constructor of the metrics exporter.
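Review bot: In the new "Setting custom dimensions in metrics" steps, every step is numbered "1." and the code fences between them start at column 0, which ends the ordered list at each fence so the rendered steps all show as 1. Indent each fence under its list item. The snippets also use `tag_map_module`, `view_module`, `aggregation_module`, `prompt_measure` and `stats_recorder` with only "..." around them; add the imports or point to the earlier metrics example where they are defined. Since the example dimension is a URL, a pointer to the custom metrics guidance on high-cardinality dimensions would help readers avoid tagging with unbounded values.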
azure-monitor Metrics Custom Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/metrics-custom-overview.md
Previously updated : 01/25/2021 Last updated : 04/13/2021 # Custom metrics in Azure Monitor (Preview)
Azure Monitor imposes the following usage limits on custom metrics:
An active time series is defined as any unique combination of metric, dimension key, or dimension value that has had metric values published in the past 12 hours.
+To understand the 50k time series limit, consider the following metric:
+
+*Server response time* with Dimensions: *Region*, *Department*, *CustomerID*
+
+With this metric, if you have 10 regions, 20 departments and 100 customers that gives you
+10 x 20 x 100 = 2000 time-series.
+
+If you have 100 regions, 200 departments and 2000 customers
+100 x 200 x 2000 = 40,000,000 time-series, which is far over the limit just for this metric alone.
+
+Again, this limit is not for an individual metric. ItΓÇÖs for the sum of all such metrics across a subscription and region.
+
+## Design limitations
+
+**Do not use Application Insights for the purpose of auditing** ΓÇô The Application Insights pipeline uses the custom metrics API behind the scenes. The pipeline is optimized for a high volume of telemetry with a minimum of impact on your application. As such, it throttles or samples (takes a only a percentage of your telemetry and ignores the rest) if your incoming data stream becomes too large. Because of this behavior, you cannot use it for auditing purposes as some records are likely to be dropped.
+
+**Metrics with a variable in the name** ΓÇô Do not use a variable as part of the metric name, for example, a guid or a timestamp. This quickly causes you to hit the 50,000 time series limitation.
+
+**High cardinality metric dimensions** - Metrics with too many valid values in a dimension (a ΓÇ£high cardinalityΓÇ¥) are much more likely to hit the 50k limit. In general, you should never use a constantly changing value in a dimension or metric name. Timestamp, for example, should NEVER be a dimension. Server, customer or productid could be used, but only if you have a smaller number of each of those types. As a test, ask yourself if you would every chart such data on a graph. If you have 10 or maybe even 100 servers, it might be useful to see them all on a graph for comparison. But if you have 1000, the resulting graph would likely be difficult if not impossible to read. Best practice is to keep it to fewer to 100 valid values. Up to 300 is a grey area. If you need to go over this amount, use Azure Monitor custom logs instead.
+
+If you have a variable in the name or a high cardinality dimension, the following can occur.
+- Metrics become unreliable due to throttling
+- Metrics Explorer doesnΓÇÖt work
+- Alerting and notifications become unpredictable
+- Costs can increase unexpectedably - Microsoft is not charging while the custom metrics with dimensions are in public preview. However, once charges start in the future, you will incur unexpected charges. The plan is to charge for metrics consumption based on the number of time-series monitored and number of API calls made.
+ ## Next steps Use custom metrics from different - [Virtual Machines](../essentials/collect-custom-metrics-guestos-resource-manager-vm.md)
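Review bot: The first worked example is miscalculated: "10 x 20 x 100 = 2000 time-series" should be 20,000. The second product (100 x 200 x 2000 = 40,000,000) is correct. Typos in the added Design limitations text: "takes a only a percentage", "would every chart such data", "keep it to fewer to 100 valid values", and "unexpectedably". The limit is also written as both "50k" and "50,000"; pick one form.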
azure-monitor Monitor Workspace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/monitor-workspace.md
The following example creates a warning alert when the data collection has reach
- Target: Select your Log Analytics workspace - Criteria: - Signal name: Custom log search
- - Search query: `_LogOperation | where Category == "Ingestion" | where Operation == "Data Collection" | where Level == "Warning"`
+ - Search query: `_LogOperation | where Category == "Ingestion" | where Operation == "Data collection Status" | where Level == "Warning"`
- Based on: Number of results - Condition: Greater than - Threshold: 0
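Review bot: The new filter `where Operation == "Data collection Status"` uses `==`, which is case-sensitive in Kusto, and the literal mixes a lowercase "collection" with a capitalized "Status". Confirm the string matches the Operation value exactly as it appears in `_LogOperation`, or use `=~`; with a threshold of greater than 0 results, a casing mismatch means the alert rule returns no rows and never fires.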
The following example creates a warning alert when the data collection has reach
## Next steps - Learn more about [log alerts](../alerts/alerts-log.md).-- [Collect query audit data](./query-audit.md) for your workspace.
+- [Collect query audit data](./query-audit.md) for your workspace.
azure-monitor Monitor Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/monitor-reference.md
The following table lists Azure services and the data they collect into Azure Mo
|Virtual Network | Yes | Yes | [Yes](insights/network-insights-overview.md) | | |Virtual Network - NSG Flow Logs | No | Yes | No | | |VPN Gateway | Yes | Yes | No | |
-|Windows Virtual Desktop | No | No | No | |
+|Windows Virtual Desktop | No | Yes | No | |
## Virtual machine agents The following table lists the agents that can collect data from the guest operating system of virtual machines and send data to Monitor. Each agent can collect different data and send it to either Metrics or Logs in Azure Monitor.
azure-monitor Partners https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/partners.md
Title: Partners who integrate with Azure Monitor description: Learn about Azure Monitor's partners and how you can access documentation for integrating with them.++ Previously updated : 02/19/2021- Last updated : 04/14/2021 # Azure Monitor partner integrations
azure-resource-manager Create Custom Provider Quickstart Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/custom-providers/create-custom-provider-quickstart-powershell.md
Title: Create an Azure custom resource provider with Azure PowerShell
description: Describes how to create an Azure custom resource provider with Azure PowerShell Last updated : 09/22/2020 ms.devlang: azurepowershell Previously updated : 09/22/2020-+
+ - devx-track-azurepowershell
+ - mode-api
# Quickstart: Create an Azure custom resource provider with Azure PowerShell
Remove-AzResourceGroup -Name myResourceGroup
## Next steps
-Learn more about [Azure Custom Resource Providers](overview.md).
+Learn more about [Azure Custom Resource Providers](overview.md).
azure-resource-manager Bicep File https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/bicep-file.md
param existingKeyVaultName string
## Multi-line strings
-You can break a string into multiple lines. Use three single quote characters `'''` to start and end the multi-line string.
+You can break a string into multiple lines. Use three single quote characters `'''` to start and end the multi-line string.
Characters within the multi-line string are handled as-is. Escape characters are unnecessary. You can't include `'''` in the multi-line string. String interpolation isn't currently supported.
azure-resource-manager Bicep Operators https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/bicep-operators.md
Title: Bicep operators description: Describes the Bicep operators available for Azure Resource Manager deployments. Previously updated : 04/07/2021 Last updated : 04/15/2021 # Bicep operators
-This article describes the Bicep operators that are available when you create a Bicep template and use Azure Resource Manager to deploy resources. Operators are used to calculate values, compare values, or evaluate conditions. There are three types of Bicep operators: [comparison](#comparison), [logical](#logical), and [numeric](#numeric).
+This article describes the Bicep operators that are available when you create a Bicep template and use Azure Resource Manager to deploy resources. Operators are used to calculate values, compare values, or evaluate conditions. There are three types of Bicep operators:
+
+- [comparison](#comparison)
+- [logical](#logical)
+- [numeric](#numeric)
+
+Enclosing an expression between `(` and `)` allows you to override the default Bicep operator precedence. For example, the expression x + y / z evaluates the division first and then the addition. However, the expression (x + y) / z evaluates the addition first and division second.
## Comparison
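Review bot: The two example expressions in the added precedence paragraph, x + y / z and (x + y) / z, are left as plain text, while `(` and `)` in the same paragraph are in code formatting. Put both expressions in backticks so the operators are not read as prose or Markdown punctuation.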
azure-resource-manager Data Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/data-types.md
For integers passed as inline parameters, the range of values may be limited by
Objects start with a left brace (`{`) and end with a right brace (`}`). Each property in an object consists of key and value. The key and value are separated by a colon (`:`).
-In JSON, the key is enclosed in double quotes. Each property is separated by a comma.
-
-In Bicep, the key isn't enclosed by quotes. Don't use commas to between properties.
- # [JSON](#tab/json)
+In JSON, the key is enclosed in double quotes. Each property is separated by a comma.
+ ```json "parameters": { "exampleObject": {
In Bicep, the key isn't enclosed by quotes. Don't use commas to between properti
# [Bicep](#tab/bicep)
+In Bicep, the key isn't enclosed by quotes. Don't use commas to between properties.
+ ```bicep param exampleObject object = { name: 'test name'
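Review bot: The sentence moved under the Bicep tab still reads "Don't use commas to between properties." Since the line is re-added here, fix it to "Don't use commas between properties."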
param exampleObject object = {
} ```
+Property accessors are used to access properties of an object. They are constructed using the `.` operator. For example:
+
+```bicep
+var x = {
+ y: {
+ z: 'Hello`
+ a: true
+ }
+ q: 42
+}
+```
+
+Given the previous declaration, the expression x.y.z evaluates to the literal string 'Hello'. Similarly, the expression x.q evaluates to the integer literal 42.
+
+Property accessors can be used with any object. This includes parameters and variables of object types and object literals. Using a property accessor on an expression of non-object type is an error.
+ ## Strings
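Review bot: In the added property accessor example, the line z: 'Hello` closes the string with a backtick instead of a single quote, so the snippet is not valid Bicep as written. Change it to z: 'Hello'. The expressions x.y.z and x.q in the paragraph after the block should also be in code formatting.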
azure-resource-manager Deployment Script Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-script-template.md
Previously updated : 03/30/2021 Last updated : 04/15/2021
The following JSON is an example. For more information, see the latest [template
Property value details: -- `identity`: For deployment script API version 2020-10-01 or later, a user-assigned managed identity is optional unless you need to perform any Azure-specific actions in the script. For the API version 2019-10-01-preview, a managed identity is required as the deployment script service uses it to execute the scripts. Currently, only user-assigned managed identity is supported.
+- `identity`: For deployment script API version 2020-10-01 or later, a user-assigned managed identity is optional unless you need to perform any Azure-specific actions in the script. For the API version 2019-10-01-preview, a managed identity is required as the deployment script service uses it to execute the scripts. When the identity property is specified, the script service calls `Connect-AzAccount -Identity` before invoking the user script. Currently, only user-assigned managed identity is supported. To login with a different identity, you can call [Connect-AzAccount](https://docs.microsoft.com/powershell/module/az.accounts/connect-azaccount) in the script.
- `kind`: Specify the type of script. Currently, Azure PowerShell and Azure CLI scripts are supported. The values are **AzurePowerShell** and **AzureCLI**. - `forceUpdateTag`: Changing this value between template deployments forces the deployment script to re-execute. If you use the `newGuid()` or the `utcNow()` functions, both functions can only be used in the default value for a parameter. To learn more, see [Run script more than once](#run-script-more-than-once). - `containerSettings`: Specify the settings to customize Azure Container Instance. Deployment script requires a new Azure Container Instance. You can't specify an existing Azure Container Instance. However, you can customize the container group name by using `containerGroupName`. If not specified, the group name is automatically generated.
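Review bot: The added text on `identity` names only the PowerShell sign-in (`Connect-AzAccount -Identity`), although the next bullet says both AzurePowerShell and AzureCLI scripts are supported. State what the script service does for CLI scripts, or scope the sentence to PowerShell. Because the service signs in with the managed identity before the user script runs, it is also worth saying that the script then runs under that identity. Smaller points: "To login" should be "To log in" or "To sign in", and the Connect-AzAccount link uses an absolute https://docs.microsoft.com URL where a site-relative /powershell/module/... path would match the other cmdlet links in this update.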
reference('<ResourceName>').outputs.text
## Work with outputs from CLI script
-Different from the PowerShell deployment script, CLI/bash support doesn't expose a common variable to store script outputs, instead, there's an environment variable called `AZ_SCRIPTS_OUTPUT_PATH` that stores the location where the script outputs file resides. If a deployment script is run from a Resource Manager template, this environment variable is set automatically for you by the Bash shell.
+Different from the PowerShell deployment script, CLI/bash support doesn't expose a common variable to store script outputs, instead, there's an environment variable called `AZ_SCRIPTS_OUTPUT_PATH` that stores the location where the script outputs file resides. If a deployment script is run from a Resource Manager template, this environment variable is set automatically for you by the Bash shell. The value of `AZ_SCRIPTS_OUTPUT_PATH` is */mnt/azscripts/azscriptoutput/scriptoutputs.json*.
Deployment script outputs must be saved in the `AZ_SCRIPTS_OUTPUT_PATH` location, and the outputs must be a valid JSON string object. The contents of the file must be saved as a key-value pair. For example, an array of strings is stored as `{ "MyResult": [ "foo", "bar"] }`. Storing just the array results, for example `[ "foo", "bar" ]`, is invalid.
You can control how PowerShell responds to non-terminating errors by using the `
The script service sets the resource provisioning state to **Failed** when the script encounters an error despite the setting of `$ErrorActionPreference`.
+### Use environment variables
+
+Deployment script uses these environment variables:
+
+|Environment variable|Default value|System reserved|
+|--|-||
+|AZ_SCRIPTS_AZURE_ENVIRONMENT|AzureCloud|N|
+|AZ_SCRIPTS_CLEANUP_PREFERENCE|OnExpiration|N|
+|AZ_SCRIPTS_OUTPUT_PATH|<AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY>/<AZ_SCRIPTS_PATH_SCRIPT_OUTPUT_FILE_NAME>|Y|
+|AZ_SCRIPTS_PATH_INPUT_DIRECTORY|/mnt/azscripts/azscriptinput|Y|
+|AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY|/mnt/azscripts/azscriptoutput|Y|
+|AZ_SCRIPTS_PATH_USER_SCRIPT_FILE_NAME|Azure PowerShell: userscript.ps1; Azure CLI: userscript.sh|Y|
+|AZ_SCRIPTS_PATH_PRIMARY_SCRIPT_URI_FILE_NAME|primaryscripturi.config|Y|
+|AZ_SCRIPTS_PATH_SUPPORTING_SCRIPT_URI_FILE_NAME|supportingscripturi.config|Y|
+|AZ_SCRIPTS_PATH_SCRIPT_OUTPUT_FILE_NAME|scriptoutputs.json|Y|
+|AZ_SCRIPTS_PATH_EXECUTION_RESULTS_FILE_NAME|executionresult.json|Y|
+|AZ_SCRIPTS_USER_ASSIGNED_IDENTITY|/subscriptions/|N|
+
+For more information about using `AZ_SCRIPTS_OUTPUT_PATH`, see [Work with outputs from CLI script](#work-with-outputs-from-cli-script).
+ ### Pass secured strings to deployment script Setting environment variables (EnvironmentVariable) in your container instances allows you to provide dynamic configuration of the application or script run by the container. Deployment script handles non-secured and secured environment variables in the same way as Azure Container Instance. For more information, see [Set environment variables in container instances](../../container-instances/container-instances-environment-variables.md#secure-values). For an example, see [Sample templates](#sample-templates).
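Review bot: In the added environment variable table, the default for AZ_SCRIPTS_OUTPUT_PATH is written with bare angle brackets (<AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY>/<AZ_SCRIPTS_PATH_SCRIPT_OUTPUT_FILE_NAME>), which a Markdown renderer can treat as HTML tags and drop. Wrap that value in code formatting. The AZ_SCRIPTS_USER_ASSIGNED_IDENTITY default of /subscriptions/ reads as a cut-off resource ID, and the "System reserved" Y/N column is never explained. Say whether a reserved variable can be overridden through the script's own environment variables, since the section that follows covers passing secured values that way.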
azure-resource-manager Parameter Files https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/parameter-files.md
Title: Create parameter file description: Create parameter file for passing in values during deployment of an Azure Resource Manager template Previously updated : 04/12/2021 Last updated : 04/15/2021 + # Create Resource Manager parameter file
-Rather than passing parameters as inline values in your script, you may find it easier to use a JSON file that contains the parameter values. This article shows how to create the parameter file.
+Rather than passing parameters as inline values in your script, you can use a JSON file that contains the parameter values. This article shows how to create a parameter file that you use with a JSON template or Bicep file.
## Parameter file
-The parameter file has the following format:
+A parameter file uses the following format:
```json {
The parameter file has the following format:
} ```
-Notice that the parameter values are stored as plain text in the parameter file. This approach works for values that aren't sensitive, such as specifying the SKU for a resource. It doesn't work for sensitive values, such as passwords. If you need to pass a sensitive value as a parameter, store the value in a key vault, and reference the key vault in your parameter file. The sensitive value is securely retrieved during deployment.
+Notice that the parameter file stores parameter values as plain text. This approach works for values that aren't sensitive, such as a resource SKU. Plain text doesn't work for sensitive values, such as passwords. If you need to pass a parameter that contains a sensitive value, store the value in a key vault. Then reference the key vault in your parameter file. The sensitive value is securely retrieved during deployment.
-The following parameter file includes a plain text value and a value that is stored in a key vault.
+The following parameter file includes a plain text value and a sensitive value that's stored in a key vault.
```json {
For more information about using values from a key vault, see [Use Azure Key Vau
## Define parameter values
-To figure out how to define the parameter values, open the template you're deploying. Look at the parameters section of the template. The following example shows the parameters from a template.
+To determine how to define the parameter names and values, open your JSON or Bicep template. Look at the parameters section of the template. The following examples show the parameters from JSON and Bicep templates.
+
+# [JSON](#tab/json)
```json "parameters": {
To figure out how to define the parameter values, open the template you're deplo
} ```
-The first detail to notice is the name of each parameter. The values in your parameter file must match the names.
+# [Bicep](#tab/bicep)
+
+```bicep
+@maxLength(11)
+param storagePrefix string
+
+@allowed([
+ 'Standard_LRS'
+ 'Standard_GRS'
+ 'Standard_ZRS'
+ 'Premium_LRS'
+])
+param storageAccountType string = 'Standard_LRS'
+```
+++
+In the parameter file, the first detail to notice is the name of each parameter. The parameter names in your parameter file must match the parameter names in your template.
```json {
The first detail to notice is the name of each parameter. The values in your par
} ```
-Notice the type of the parameter. The values in your parameter file must have the same types. For this template, you can provide both parameters as strings.
+Notice the parameter type. The parameter types in your parameter file must use the same types as your template. In this example, both parameter types are strings.
```json {
Notice the type of the parameter. The values in your parameter file must have th
} ```
-Next, look for a default value. If a parameter has a default value, you can provide a value but you don't have to.
+Check the template for parameters with a default value. If a parameter has a default value, you can provide a value in the parameter file but it's not required. The parameter file value overrides the template's default value.
```json {
Next, look for a default value. If a parameter has a default value, you can prov
} ```
-Finally, look at the allowed values and any restrictions like max length. They tell you the range of values you can provide for the parameter.
+Check the template's allowed values and any restrictions such as maximum length. Those values specify the range of values you can provide for a parameter. In this example, `storagePrefix` can have a maximum of 11 characters and `storageAccountType` must specify an allowed value.
```json {
Finally, look at the allowed values and any restrictions like max length. They t
} ```
-Your parameter file can only contain values for parameters that are defined in the template. If your parameter file contains extra parameters that don't match parameters in the template, you receive an error.
+> [!NOTE]
+> Your parameter file can only contain values for parameters that are defined in the template. If your parameter file contains extra parameters that don't match the template's parameters, you receive an error.
## Parameter type formats
-The following example shows the formats of different parameter types.
+The following example shows the formats of different parameter types: string, integer, boolean, array, and object.
```json {
The following example shows the formats of different parameter types.
"property2": "value2" } }
- }
+ }
} ``` ## Deploy template with parameter file
-To pass a local parameter file with Azure CLI, use @ and the name of the parameter file.
+From Azure CLI you pass a local parameter file using `@` and the parameter file name. For example, `@storage.parameters.json`.
```azurecli az deployment group create \
az deployment group create \
--parameters @storage.parameters.json ```
-For more information, see [Deploy resources with ARM templates and Azure CLI](./deploy-cli.md#parameters).
+For more information, see [Deploy resources with ARM templates and Azure CLI](./deploy-cli.md#parameters). To deploy _.bicep_ files you need Azure CLI version 2.20 or higher.
-To pass a local parameter file with Azure PowerShell, use the `TemplateParameterFile` parameter.
+From Azure PowerShell you pass a local parameter file using the `TemplateParameterFile` parameter.
```azurepowershell New-AzResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName ExampleResourceGroup `
- -TemplateFile c:\MyTemplates\azuredeploy.json `
- -TemplateParameterFile c:\MyTemplates\storage.parameters.json
+ -TemplateFile C:\MyTemplates\storage.json `
+ -TemplateParameterFile C:\MyTemplates\storage.parameters.json
```
-For more information, see [Deploy resources with ARM templates and Azure PowerShell](./deploy-powershell.md#pass-parameter-values)
+For more information, see [Deploy resources with ARM templates and Azure PowerShell](./deploy-powershell.md#pass-parameter-values). To deploy _.bicep_ files you need Azure PowerShell version 5.6.0 or higher.
> [!NOTE] > It's not possible to use a parameter file with the custom template blade in the portal.
-If you're using the [Azure Resource Group project in Visual Studio](create-visual-studio-deployment-project.md), make sure the parameter file has its **Build Action** set to **Content**.
+> [!TIP]
+> If you're using the [Azure Resource Group project in Visual Studio](create-visual-studio-deployment-project.md), make sure the parameter file has its **Build Action** set to **Content**.
## File name
-The general convention for naming the parameter file is to add **.parameters** to the template name. For example, if your template is named **azuredeploy.json**, your parameter file is named **azuredeploy.parameters.json**. This naming convention helps you see the connection between the template and the parameters.
+The general naming convention for the parameter file is to include _parameters_ in the template name. For example, if your template is named _azuredeploy.json_, your parameter file is named _azuredeploy.parameters.json_. This naming convention helps you see the connection between the template and the parameters.
-To deploy to different environments, create more than one parameter file. When naming the parameter file, add a way to identify its use. For example, use **azuredeploy.parameters-dev.json** and **azuredeploy.parameters-prod.json**
+To deploy to different environments, you create more than one parameter file. When you name the parameter files, identify their use such as development and production. For example, use _azuredeploy.parameters-dev.json_ and _azuredeploy.parameters-prod.json_ to deploy resources.
## Parameter precedence
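Review bot: The reworded first sentence under "File name" says to include _parameters_ "in the template name", which no longer says where it goes or that it is dot-separated. The removed wording (add .parameters to the template name) matched the azuredeploy.parameters.json example more precisely. Suggest "add _.parameters_ to the template name".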
It's possible to use an external parameter file, by providing the URI to the fil
## Parameter name conflicts
-If your template includes a parameter with the same name as one of the parameters in the PowerShell command, PowerShell presents the parameter from your template with the postfix **FromTemplate**. For example, a parameter named **ResourceGroupName** in your template conflicts with the **ResourceGroupName** parameter in the [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) cmdlet. You're prompted to provide a value for **ResourceGroupNameFromTemplate**. You can avoid this confusion by using parameter names that aren't used for deployment commands.
-
+If your template includes a parameter with the same name as one of the parameters in the PowerShell command, PowerShell presents the parameter from your template with the postfix `FromTemplate`. For example, a parameter named `ResourceGroupName` in your template conflicts with the `ResourceGroupName` parameter in the [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) cmdlet. You're prompted to provide a value for `ResourceGroupNameFromTemplate`. To avoid this confusion, use parameter names that aren't used for deployment commands.
## Next steps -- To understand how to define parameters in your template, see [Parameters in Azure Resource Manager templates](template-parameters.md).
+- For more information about how to define parameters in a template, see [Parameters in ARM templates](template-parameters.md).
- For more information about using values from a key vault, see [Use Azure Key Vault to pass secure parameter value during deployment](key-vault-parameter.md).-- For more information about parameters, see [Parameters in Azure Resource Manager templates](template-parameters.md).
azure-signalr Signalr Quickstart Azure Functions Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-quickstart-azure-functions-java.md
Title: Use Java to create a chat room with Azure Functions and SignalR Service description: A quickstart for using Azure SignalR Service and Azure Functions to create a chat room using Java. + Last updated : 03/04/2019+ ms.devlang: java- Previously updated : 03/04/2019--+
+ - devx-track-java
+ - mode-api
# Quickstart: Use Java to create a chat room with Azure Functions and SignalR Service
Having issues? Try the [troubleshooting guide](signalr-howto-troubleshoot-guide.
In this quickstart, you built and ran a real-time serverless application using Maven. Next, learn about how to create Java Azure Functions from scratch. > [!div class="nextstepaction"]
-> [Create your first function with Java and Maven](../azure-functions/create-first-function-cli-csharp.md?pivots=programming-language-java%2cprogramming-language-java)
+> [Create your first function with Java and Maven](../azure-functions/create-first-function-cli-csharp.md?pivots=programming-language-java%2cprogramming-language-java)
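Review bot: The link labelled "Create your first function with Java and Maven" still targets create-first-function-cli-csharp.md with the pivot value listed twice (pivots=programming-language-java%2cprogramming-language-java). The visible change to this line is whitespace only, so this is a good moment to reduce the query to a single pivots=programming-language-java.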
azure-signalr Signalr Quickstart Azure Functions Javascript https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-quickstart-azure-functions-javascript.md
Title: Use JavaScript to create a chat room with Azure Functions and SignalR Service description: A quickstart for using Azure SignalR Service and Azure Functions to create a chat room using JavaScript. + Last updated : 12/14/2019+ ms.devlang: javascript- Previously updated : 12/14/2019--+
+ - devx-track-js
+ - mode-api
# Quickstart: Use JavaScript to create a chat room with Azure Functions and SignalR Service
In this quickstart, you built and ran a real-time serverless application in VS C
> [!div class="nextstepaction"] > [Deploy Azure Functions with VS Code](/azure/developer/javascript/tutorial-vscode-serverless-node-01)-
azure-signalr Signalr Quickstart Azure Functions Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-quickstart-azure-functions-python.md
Title: Azure SignalR Service serverless quickstart - Python description: A quickstart for using Azure SignalR Service and Azure Functions to create a chat room using Python. + Last updated : 12/14/2019+ ms.devlang: python- Previously updated : 12/14/2019--+
+ - devx-track-python
+ - mode-api
# Quickstart: Create a chat room with Azure Functions and SignalR Service using Python
In this quickstart, you built and ran a real-time serverless application in VS C
> [!div class="nextstepaction"] > [Deploy Azure Functions with VS Code](/azure/developer/javascript/tutorial-vscode-serverless-node-01)-
azure-signalr Signalr Quickstart Azure Signalr Service Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-quickstart-azure-signalr-service-arm-template.md
Title: 'Quickstart: Create an Azure SignalR Service - ARM template' description: In this Quickstart, learn how to create an Azure SignalR Service using an Azure Resource Manager template (ARM template). --- Last updated 10/02/2020+++
+ - subject-armqs
+ - devx-track-azurecli
+ - mode-arm
# Quickstart: Use an ARM template to deploy Azure SignalR Service
azure-sql Configure Max Degree Of Parallelism https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/configure-max-degree-of-parallelism.md
Title: "Configure the max degree of parallelism (MAXDOP)" description: Learn about the max degree of parallelism (MAXDOP). Previously updated : "03/29/2021" Last updated : "04/12/2021" dev_langs: - "TSQL"
# Configure the max degree of parallelism (MAXDOP) in Azure SQL Database [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
- This article describes the **max degree of parallelism (MAXDOP)** in Azure SQL Database, and how it can be configured.
+ This article describes the **max degree of parallelism (MAXDOP)** configuration setting in Azure SQL Database.
> [!NOTE] > **This content is focused on Azure SQL Database.** Azure SQL Database is based on the latest stable version of the Microsoft SQL Server database engine, so much of the content is similar though troubleshooting and configuration options differ. For more on MAXDOP in SQL Server, see [Configure the max degree of parallelism Server Configuration Option](/sql/database-engine/configure-windows/configure-the-max-degree-of-parallelism-server-configuration-option). ## Overview
- In Azure SQL Database, the default MAXDOP setting for each new single database and elastic pool database is 8. This means the database engine may execute queries using multiple threads. Unlike SQL Server, where the default server-wide MAXDOP is 0 (unlimited), by default new databases in Azure SQL Database are set to MAXDOP 8. This default prevents unnecessary resource utilization and ensures consistent customer experience. It is not typically necessary to further configure the MAXDOP in Azure SQL Database workloads, but it may provide benefits as an advanced performance tuning exercise.
+ MAXDOP controls intra-query parallelism in the database engine. Higher MAXDOP values generally result in more parallel threads per query, and faster query execution.
+
+ In Azure SQL Database, the default MAXDOP setting for each new single database and elastic pool database is 8. This default prevents unnecessary resource utilization, while still allowing the database engine to execute queries faster using parallel threads. It is not typically necessary to further configure MAXDOP in Azure SQL Database workloads, though it may provide benefits as an advanced performance tuning exercise.
> [!Note]
-> In September 2020, based on years of telemetry in the Azure SQL Database service [MAXDOP 8 was chosen](https://techcommunity.microsoft.com/t5/azure-sql/changing-default-maxdop-in-azure-sql-database-and-azure-sql/ba-p/1538528) as the default for new databases as an optimal value for the widest variety of customer workloads. This default has helped to prevent performance problems due to excessive parallelism. Prior to that, the default setting for new databases was MAXDOP 0. The MAXDOP database scoped configuration option was not changed for existing databases created prior to September 2020.
+> In September 2020, based on years of telemetry in the Azure SQL Database service MAXDOP 8 was made the [default for new databases](https://techcommunity.microsoft.com/t5/azure-sql/changing-default-maxdop-in-azure-sql-database-and-azure-sql/ba-p/1538528), as the optimal value for the widest variety of customer workloads. This default helped prevent performance problems due to excessive parallelism. Prior to that, the default setting for new databases was MAXDOP 0. MAXDOP was not automatically changed for existing databases created prior to September 2020.
- In general, if the database engine chooses to execute a query using parallelism, execution time is faster. However, excess parallelism can consume excess processor resources without improving query performance. At scale, excess parallelism can negatively affect query performance for all queries executing on the same database engine instance, so setting an upper boundary for parallelism has been a common performance tuning exercise in SQL Server workloads.
+ In general, if the database engine chooses to execute a query using parallelism, execution time is faster. However, excess parallelism can consume additional processor resources without improving query performance. At scale, excess parallelism can negatively affect query performance for all queries executing on the same database engine instance. Traditionally, setting an upper bound for parallelism has been a common performance tuning exercise in SQL Server workloads.
The following table describes database engine behavior when executing queries with different MAXDOP values: | MAXDOP | Behavior | |--|--|
-| = 1 | The database engine does not execute queries using multiple concurrent threads. |
-| > 1 | The database engine sets an upper boundary for the number of parallel threads. The database engine chooses the number of extra worker threads to use. The total number of worker threads used to execute a query may be higher than specified MAXDOP value. |
-| = 0 | The database engine can use a number of parallel threads with an upper boundary dependent on the total number of logical processors. The database engine chooses the number of parallel threads to use.|
+| = 1 | The database engine uses a single serial thread to execute queries. Parallel threads are not used. |
+| > 1 | The database engine sets the number of additional [schedulers](https://docs.microsoft.com/sql/relational-databases/thread-and-task-architecture-guide#sql-server-task-scheduling) to be used by parallel threads to the MAXDOP value, or the total number of logical processors, whichever is smaller. |
+| = 0 | The database engine sets the number of additional [schedulers](https://docs.microsoft.com/sql/relational-databases/thread-and-task-architecture-guide#sql-server-task-scheduling) to be used by parallel threads to the total number of logical processors or 64, whichever is smaller. |
| | |
-
+
+> [!Note]
+> Each query executes with at least one scheduler, and one worker thread on that scheduler.
+>
+> A query executing with parallelism uses additional schedulers, and additional parallel threads. Because multiple parallel threads may execute on the same scheduler, the total number of threads used to execute a query may be higher than specified MAXDOP value or the total number of logical processors. For more information, see [Scheduling parallel tasks](/sql/relational-databases/thread-and-task-architecture-guide#scheduling-parallel-tasks).
+ ## <a name="Considerations"></a> Considerations - In Azure SQL Database, you can change the default MAXDOP value:
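Review bot: The rewritten table rows for MAXDOP > 1 and = 0 link "schedulers" with absolute https://docs.microsoft.com/sql/... URLs, while the note added directly below links the same guide as /sql/relational-databases/thread-and-task-architecture-guide#scheduling-parallel-tasks. Use the site-relative form in the table rows as well. In the reworded September 2020 note, a comma is missing after "service" ("in the Azure SQL Database service MAXDOP 8 was made").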
- Long-standing SQL Server MAXDOP considerations and [recommendations](/sql/database-engine/configure-windows/configure-the-max-degree-of-parallelism-server-configuration-option#Guidelines) are applicable to Azure SQL Database. -- MAXDOP is enforced per [task](/sql/relational-databases/system-dynamic-management-views/sys-dm-os-tasks-transact-sql). It is not enforced per [request](/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-requests-transact-sql) or per query. This means that during a parallel query execution, a single request can spawn multiple tasks with an upper boundary determined by the MAXDOP. For more information, see the *Scheduling parallel tasks* section in the [Thread and Task Architecture Guide](/sql/relational-databases/thread-and-task-architecture-guide).
+- Index operations that create or rebuild an index, or that drop a clustered index, can be resource intensive. You can override the database MAXDOP value for index operations by specifying the MAXDOP index option in the `CREATE INDEX` or `ALTER INDEX` statement. The MAXDOP value is applied to the statement at execution time and is not stored in the index metadata. For more information, see [Configure Parallel Index Operations](/sql/relational-databases/indexes/configure-parallel-index-operations).
-- Index operations that create or rebuild an index, or that drop a clustered index, can be resource intensive. You can override the database max degree of parallelism value for index operations by specifying the MAXDOP index option in the `CREATE INDEX` or `ALTER INDEX` statement. The MAXDOP value is applied to the statement at execution time and is not stored in the index metadata. For more information, see [Configure Parallel Index Operations](/sql/relational-databases/indexes/configure-parallel-index-operations).
-
-- In addition to queries and index operations, the database scoped configuration option for MAXDOP also controls the parallelism of DBCC CHECKTABLE, DBCC CHECKDB, and DBCC CHECKFILEGROUP.
+- In addition to queries and index operations, the database scoped configuration option for MAXDOP also controls parallelism of other statements that may use parallel execution, such as DBCC CHECKTABLE, DBCC CHECKDB, and DBCC CHECKFILEGROUP.
-## <a name="Security"></a> Recommendations
+## <a name="Recommendations"></a> Recommendations
- Changing MAXDOP for the database can have major impact on query performance and resource utilization, both positive and negative. However, there is no single MAXDOP value that is optimal for all workloads. The recommendations for setting MAXDOP are nuanced, and depend on many factors.
+ Changing MAXDOP for the database can have major impact on query performance and resource utilization, both positive and negative. However, there is no single MAXDOP value that is optimal for all workloads. The [recommendations](/sql/database-engine/configure-windows/configure-the-max-degree-of-parallelism-server-configuration-option#Guidelines) for setting MAXDOP are nuanced, and depend on many factors.
- Some peak concurrent workloads may operate better with a different MAXDOP than others. A properly configured MAXDOP should reduce the risk of performance and availability incidents, and in some cases reduce costs by being able to avoid unnecessary resource utilization, and thus scale down to a lower service objective.
+ Some peak concurrent workloads may operate better with a different MAXDOP than others. A properly configured MAXDOP should reduce the risk of performance and availability incidents, and in some cases may reduce costs by being able to avoid unnecessary resource utilization, and thus scale down to a lower service objective.
### Excessive parallelism A higher MAXDOP often reduces duration for CPU-intensive queries. However, excessive parallelism can worsen other concurrent workload performance by starving other queries of CPU and worker thread resources. In extreme cases, excessive parallelism can consume all database or elastic pool resources, causing query timeouts, errors, and application outages.
- We recommend that customers avoid MAXDOP 0 even if it does not appear to cause problems currently. Excessive parallelism becomes most problematic when the CPU and worker threads are receiving more concurrent requests than can be supported by the service objective. Avoid MAXDOP 0 to reduce the risk of potential future problems due to excessive parallelism if a database is scaled up, or if future hardware generations in Azure SQL Database provide more cores for the same database service objective.
+> [!Tip]
+> We recommend that customers avoid setting MAXDOP to 0 even if it does not appear to cause problems currently.
+
+ Excessive parallelism becomes most problematic when there are more concurrent requests than can be supported by the CPU and worker thread resources provided by the service objective. Avoid MAXDOP 0 to reduce the risk of potential future problems due to excessive parallelism if a database is scaled up, or if future hardware generations in Azure SQL Database provide more cores for the same database service objective.
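Review bot: the alert on the added `> [!Tip]` line is cased differently from the `[!IMPORTANT]` and `[!NOTE]` alerts used in the other articles of this update; write it as `[!TIP]`. The split also leaves the recommendation inside the alert and its reason ("more concurrent requests than can be supported by the CPU and worker thread resources") outside it, so keep the paragraph that follows directly under the alert, or a reader who sees only the tip gets the advice without the availability risk behind it.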
### Modifying MAXDOP
- If you determine that a different MAXDOP setting is optimal for your Azure SQL Database workload, you can use the `ALTER DATABASE SCOPED CONFIGURATION` T-SQL statement. For examples, see the [Examples using Transact-SQL](#examples) section below. Add this step to the deployment process to change MAXDOP after database creation.
+ If you determine that a MAXDOP setting different from the default is optimal for your Azure SQL Database workload, you can use the `ALTER DATABASE SCOPED CONFIGURATION` T-SQL statement. For examples, see the [Examples using Transact-SQL](#examples) section below. To change MAXDOP to a non-default value for each new database you create, add this step to your database deployment process.
- If non-default MAXDOP benefits only a subset of queries in the workload, you can override MAXDOP at the query level by adding the OPTION (MAXDOP) hint. For examples, see the [Examples using Transact-SQL](#examples) section below.
+ If non-default MAXDOP benefits only a small subset of queries in the workload, you can override MAXDOP at the query level by adding the OPTION (MAXDOP) hint. For examples, see the [Examples using Transact-SQL](#examples) section below.
Thoroughly test your MAXDOP configuration changes with load testing involving realistic concurrent query loads.
- The MAXDOP for the primary and secondary replicas can be configured independently to take advantage of different optimal MAXDOP settings for read-write and read-only workloads. This applies to Azure SQL Database [read scale-out](read-scale-out.md), [geo-replication](active-geo-replication-overview.md), and [Azure SQL Database Hyperscale secondary replicas](service-tier-hyperscale.md). By default, all secondary replicas inherit the MAXDOP configuration of the primary replica.
+ MAXDOP for the primary and secondary replicas can be configured independently if different MAXDOP settings are optimal for your read-write and read-only workloads. This applies to Azure SQL Database [read scale-out](read-scale-out.md), [geo-replication](active-geo-replication-overview.md), and [Hyperscale](service-tier-hyperscale.md) secondary replicas. By default, all secondary replicas inherit the MAXDOP configuration of the primary replica.
## <a name="Security"></a> Security
#### MAXDOP database scoped configuration
- This example shows how to use [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql) statement to configure the `max degree of parallelism` option to `2`. The setting takes effect immediately. The PowerShell cmdlet [Invoke-SqlCmd](/powershell/module/sqlserver/invoke-sqlcmd) executes the T-SQL queries to set and the return the MAXDOP database scoped configuration.
+ This example shows how to use [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql) statement to set the `MAXDOP` configuration to `2`. The setting takes effect immediately for new queries. The PowerShell cmdlet [Invoke-SqlCmd](/powershell/module/sqlserver/invoke-sqlcmd) executes the T-SQL queries to set and the return the MAXDOP database scoped configuration.
```powershell $dbName = "sample"
$params = @{
You can use the [Azure portal query editor](connect-query-portal.md), [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms), or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio) to execute T-SQL queries against your Azure SQL Database.
-1. Connect to the Azure SQL Database. You cannot change the database scoped configurations in the master database.
-
-2. From the Standard bar, select **New Query**.
+1. Open a new query window.
+
+2. Connect to the database where you want to change MAXDOP. You cannot change database scoped configurations in the master database.
3. Copy and paste the following example into the query window and select **Execute**. - #### MAXDOP database scoped configuration This example shows how to determine the current database MAXDOP database scoped configuration using the [sys.database_scoped_configurations](/sql/relational-databases/system-catalog-views/sys-database-scoped-configurations-transact-sql) system catalog view.
$params = @{
SELECT [value] FROM sys.database_scoped_configurations WHERE [name] = 'MAXDOP'; ```
- This example shows how to use [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql) statement to configure the `max degree of parallelism` option to `8`. The setting takes effect immediately.
+ This example shows how to use [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql) statement to set the `MAXDOP` configuration to `8`. The setting takes effect immediately.
```sql ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = 8; ```
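Review bot: "The setting takes effect immediately." on the added line is out of step with the PowerShell example, whose matching sentence was changed in this same update to "takes effect immediately for new queries". Use the same wording in both places so readers do not assume in-flight queries are affected. The PowerShell sentence also still reads "to set and the return the MAXDOP database scoped configuration", which should be "to set and then return".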
-This example is for use with Azure SQL Databases with [read scale-out replicas enabled](read-scale-out.md), [geo-replication](active-geo-replication-overview.md), and [Azure SQL Database Hyperscale secondary replicas](service-tier-hyperscale.md). As an example, the primary replica is set to a different default MAXDOP as the secondary replica, anticipating that there may be differences between a read-write and a read-only workload. The `value_for_secondary` column of the `sys.database_scoped_configurations` contains settings for the secondary replica.
+This example is for use with Azure SQL Databases with [read scale-out replicas enabled](read-scale-out.md), [geo-replication](active-geo-replication-overview.md), and [Hyperscale](service-tier-hyperscale.md) secondary replicas. As an example, the primary replica is set to a different MAXDOP than the secondary replica, anticipating that there may be differences between the read-write and read-only workloads. All statements are executed on the primary replica. The `value_for_secondary` column of the `sys.database_scoped_configurations` contains settings for the secondary replica.
```sql ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = 8;
azure-sql Connect Query Go https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/connect-query-go.md
Previously updated : 02/12/2019 Last updated : 04/14/2021 # Quickstart: Use Golang to query a database in Azure SQL Database or Azure SQL Managed Instance [!INCLUDE[appliesto-sqldb-sqlmi](../includes/appliesto-sqldb-sqlmi.md)]
Get the connection information you need to connect to the database. You'll need
```bash cd SqlServerSample go get github.com/denisenkom/go-mssqldb
- go install github.com/denisenkom/go-mssqldb
``` ## Create sample data
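Review bot: with `go install` dropped, the remaining `go get github.com/denisenkom/go-mssqldb` line still pulls whatever version is latest when the reader runs it. For a quickstart that people copy into real projects, pin the dependency (`go get github.com/denisenkom/go-mssqldb@<version>`) and mention that the sample directory needs a go.mod, so the resolved version and its checksum are recorded in go.mod and go.sum.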
azure-sql Serverless Tier Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/serverless-tier-overview.md
Previously updated : 2/22/2021 Last updated : 4/15/2021 # Azure SQL Database serverless [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
Auto-pausing is triggered if all of the following conditions are true for the du
An option is provided to disable auto-pausing if desired.
-The following features do not support auto-pausing, but do support auto-scaling. If any of the following features are used, then auto-pausing should be disabled and the database will remain online regardless of the duration of database inactivity:
+The following features do not support auto-pausing, but do support auto-scaling. If any of the following features are used, then auto-pausing must be disabled and the database will remain online regardless of the duration of database inactivity:
- Geo-replication (active geo-replication and auto-failover groups). - Long-term backup retention (LTR).
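Review bot: "must be disabled" on the added line does not say who enforces the requirement. State whether the service prevents auto-pause from being enabled while geo-replication or LTR is configured, or whether the reader has to turn it off themselves, and what happens if they do not. The sentence also mixes the requirement with its consequence ("and the database will remain online"), and reads better as two sentences.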
azure-sql Sql Data Sync Data Sql Server Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-data-sync-data-sql-server-sql-database.md
Provisioning and deprovisioning during sync group creation, update, and deletion
- If there are tables with the same name but different schema (for example, dbo.customers and sales.customers) only one of the tables can be added into sync. - Columns with User-Defined Data Types aren't supported - Moving servers between different subscriptions isn't supported.
+- If two primary keys are only different in case (e.g. Foo and foo), Data Sync won't support this scenario.
#### Unsupported data types
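Review bot: "If two primary keys are only different in case (e.g. Foo and foo)" on the added bullet does not say whether this refers to key values in a column or to key names, nor what Data Sync does when it meets them (for instance, whether the sync fails or the rows are treated as one). Spell out both, since rows being merged without an error would be a data-integrity problem. Use "for example" rather than "e.g." to match the bullet above it.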
backup Azure File Share Backup Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/azure-file-share-backup-overview.md
To get detailed estimates for backing up Azure file shares, you can download the
## Next steps * Learn how to [Back up Azure file shares](backup-afs.md)
-* Find answers to [Questions about backing up Azure Files](backup-azure-files-faq.md)
+* Find answers to [Questions about backing up Azure Files](backup-azure-files-faq.yml)
backup Backup Afs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-afs.md
The following steps explain how you can configure backup for individual file sha
![Create new vault](./media/backup-afs/create-new-vault.png) >[!IMPORTANT]
- >If the storage account is registered with a vault, or there are few protected shares within the storage account hosting the file share you're trying to protect, the Recovery Services vault name will be pre-populated and you wonΓÇÖt be allowed to edit it [Learn more here](backup-azure-files-faq.md#why-cant-i-change-the-vault-to-configure-backup-for-the-file-share).
+ >If the storage account is registered with a vault, or there are few protected shares within the storage account hosting the file share you're trying to protect, the Recovery Services vault name will be pre-populated and you wonΓÇÖt be allowed to edit it [Learn more here](backup-azure-files-faq.yml#why-can-t-i-change-the-vault-to-configure-backup-for-the-file-share-).
1. For the **Backup Policy** selection, do one of the following:
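Review bot: in the added `>[!IMPORTANT]` line the apostrophe in "won't" is mis-encoded (it shows as `ΓÇÖ`), and the sentence runs straight into the link with no period before "[Learn more here]". Replace it with a plain apostrophe and end the sentence before the link. If "there are few protected shares" is meant as "there are a few protected shares", fix that too, because the two read as opposite conditions.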
backup Backup Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-architecture.md
Back up deduplicated disks | | | ![Partially][yellow]<br/><br/> For DPM/MABS ser
- Azure File share: How to [create](./backup-afs.md) and [modify](./manage-afs-backup.md#modify-policy) policy. - SAP HANA: How to [create](./backup-azure-sap-hana-database.md#create-a-backup-policy) and [modify](./sap-hana-db-manage.md#change-policy) policy. - MARS: How to [create](./backup-windows-with-mars-agent.md#create-a-backup-policy) and [modify](./backup-azure-manage-mars.md#modify-a-backup-policy) policy.-- [Are there any limitations on scheduling backup based on the type of workload?](./backup-azure-backup-faq.md#are-there-limits-on-backup-scheduling)-- [What happens to the existing recovery points if I change the retention policy?](./backup-azure-backup-faq.md#what-happens-when-i-change-my-backup-policy)
+- [Are there any limitations on scheduling backup based on the type of workload?](./backup-azure-backup-faq.yml#are-there-limits-on-backup-scheduling-)
+- [What happens to the existing recovery points if I change the retention policy?](./backup-azure-backup-faq.yml#what-happens-when-i-change-my-backup-policy-)
## Architecture: Built-in Azure VM Backup
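Review bot: the fragments in the two added links end in a hyphen (`#are-there-limits-on-backup-scheduling-` and `#what-happens-when-i-change-my-backup-policy-`), unlike the .md anchors they replace. Check them against the anchors actually generated for the .yml FAQ, because a fragment that does not match fails silently and lands the reader at the top of the page.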
backup Backup Azure About Mars https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-about-mars.md
The MARS agent supports the following restore scenarios:
[MARS agent support matrix](./backup-support-matrix-mars-agent.md)
-[MARS agent FAQ](./backup-azure-file-folder-backup-faq.md)
+[MARS agent FAQ](./backup-azure-file-folder-backup-faq.yml)
backup Backup Azure Alternate Dpm Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-alternate-dpm-server.md
To recover data from an Azure Backup Server:
Read the other FAQs: * [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups
-* [Common questions](backup-azure-file-folder-backup-faq.md) about the Azure Backup agent
+* [Common questions](backup-azure-file-folder-backup-faq.yml) about the Azure Backup agent
backup Backup Azure Arm Restore Vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-arm-restore-vms.md
Title: Restore VMs by using the Azure portal
description: Restore an Azure virtual machine from a recovery point by using the Azure portal, including the Cross Region Restore feature. Previously updated : 08/02/2020 Last updated : 04/14/2021 # How to restore Azure VM data in Azure portal
If CRR is enabled, you can view the backup items in the secondary region.
1. Select **Secondary Region** to view the items in the secondary region. >[!NOTE]
->Only Backup Management Types supporting the CRR feature will be shown in the list. Currently, only support for restoring secondary region data to a secondary region is allowed.
+>Only Backup Management Types supporting the CRR feature will be shown in the list. Currently, only support for restoring secondary region data to a secondary region is allowed.<br></br>CRR for Azure VMs is supported for Azure Managed VMs (including encrypted Azure VMs).
![Virtual machines in secondary region](./media/backup-azure-arm-restore-vms/secbackedupitem.png)
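Review bot: `<br></br>` in the added note line is malformed HTML (browsers treat `</br>` as a second break); use `<br/>` as the backup-architecture article does, or start a second `>` line. The new sentence also says CRR covers "encrypted Azure VMs" without naming the encryption types, which is what a reader restoring an encrypted VM to a secondary region needs to know, so name them or link to the support matrix. "Currently, only support for restoring secondary region data to a secondary region is allowed" would read better as "Currently, secondary region data can be restored only to a secondary region."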
backup Backup Azure Backup Exchange Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-backup-exchange-server.md
For online recovery points, there are five recovery types:
## Next steps
-* [Azure Backup FAQ](backup-azure-backup-faq.md)
+* [Azure Backup FAQ](backup-azure-backup-faq.yml)
backup Backup Azure Backup Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-backup-faq.md
- Title: Answers to common questions
-description: 'Answers to common questions about: Azure Backup features including Recovery Services vaults, what it can back up, how it works, encryption, and limits. '
- Previously updated : 07/07/2019--
-# Azure Backup - Frequently asked questions
-
-This article answers common questions about the Azure Backup service.
-
-## Recovery Services vault
-
-### Is there any limit on the number of vaults that can be created in each Azure subscription?
-
-Yes. You can create up to 500 Recovery Services vaults, per supported region of Azure Backup, per subscription. If you need additional vaults, create an additional subscription.
-
-### Are there limits on the number of servers/machines that can be registered against each vault?
-
-You can register up to 1000 Azure Virtual machines per vault. If you're using the Microsoft Azure Backup Agent, you can register up to 50 MARS agents per vault. And you can register 50 MABS servers/DPM servers to a vault.
-
-### How many datasources/items can be protected in a vault?
-
-You can protect up to 2000 datasources/items across all workloads (such as IaaS VM, SQL, AFS) in a vault.
-For example, if you've already protected 500 VMs and 400 Azure Files shares in the vault, you can only protect up to 1100 SQL databases in it.
-
-### How many policies can I create per vault?
-
-You can only have up to 200 policies per vault.
-
-### If my organization has one vault, how can I isolate data from different servers in the vault when restoring data?
-
-Server data that you want to recover together should use the same passphrase when you set up backup. If you want to isolate recovery to a specific server or servers, use a passphrase for that server or servers only. For example, human resources servers could use one encryption passphrase, accounting servers another, and storage servers a third.
-
-### Can I move my vault between subscriptions?
-
-Yes. To move a Recovery Services vault, refer this [article](backup-azure-move-recovery-services-vault.md)
-
-### Can I move backup data to another vault?
-
-No. Backup data stored in a vault can't be moved to a different vault.
-
-### Can I change the storage redundancy setting after a backup?
-
-The storage replication type by default is set to geo-redundant storage (GRS). Once you configure the backup, the option to modify is disabled and can't be changed.
-
-![Storage replication type](./media/backup-azure-backup-faq/storage-replication-type.png)
-
-If you've already configured the backup and must move from GRS to LRS, then see [How to change from GRS to LRS after configuring backup](backup-create-rs-vault.md#how-to-change-from-grs-to-lrs-after-configuring-backup).
-
-### Can I do an Item Level Restore (ILR) for VMs backed up to a Recovery Services vault?
--- ILR is supported for Azure VMs backed up by Azure VM backup. For more information, see [article](backup-azure-restore-files-from-vm.md)-- ILR isn't supported for online recovery points of on-premises VMs backed up by Azure Backup Server (MABS) or System Center DPM.-
-### How can I move data from the Recovery Services vault to on-premises?
-
-Exporting data directly from the Recovery Services vault to on-premises using Data Box is not supported. Data must be restored to a storage account, and then it can be moved to on-premises via [Data Box](../databox/data-box-overview.md) or [Import/Export](../import-export/storage-import-export-service.md).
-
-### What is the difference between a geo-redundant storage (GRS) vault with and without the Cross-Region Restore (CRR) capability enabled?
-
-In the case of a [GRS](azure-backup-glossary.md#grs) vault without [CRR](azure-backup-glossary.md#cross-region-restore-crr) capability enabled, the data in the secondary region can't be accessed until Azure declares a disaster in the primary region. In such a scenario, the restore happens from the secondary region. When CRR is enabled, even if the primary region is up and running, you can trigger a restore in the secondary region.
-
-### Can I move a subscription that contains a vault to a different Azure Active Directory?
-
-Yes. To move a subscription (that contains a vault) to a different Azure Active Directory (AD), see [Transfer subscription to a different directory](../role-based-access-control/transfer-subscription.md).
-
->[!IMPORTANT]
->Ensure that you perform the following actions after moving the subscription:<ul><li>Role-based access control permissions and custom roles are not transferrable. You must recreate the permissions and roles in the new Azure AD.</li><li>You must recreate the Managed Identity (MI) of the vault by disabling and enabling it again. Also, you must evaluate and recreate the MI permissions.</li><li>If the vault uses features which leverage MI, such as [Private Endpoints](private-endpoints.md#before-you-start) and [Customer Managed Keys](encryption-at-rest-with-cmk.md#before-you-start), you must reconfigure the features.</li></ul>
-
-### Can I move a subscription that contains a Recovery Services Vault to a different tenant?
-
-Yes. Ensure that you do the following:
-
->[!IMPORTANT]
->Ensure that you perform the following actions after moving the subscription:<ul><li>If the vault uses CMK (customer managed keys), you must update the vault. This enables the vault to recreate and reconfigure the vault managed identity and CMK (which will reside in the new tenant), otherwise the backups/restore operation will fail.</li><li>You must reconfigure the RBAC permissions in the subscription as the existing permissions canΓÇÖt be moved.</li></ul>
-
-## Azure Backup agent
-
-### Where can I find common questions about the Azure Backup agent for Azure VM backup?
--- For the agent running on Azure VMs, read this [FAQ](backup-azure-vm-backup-faq.yml).-- For the agent used to back up Azure file folders, read this [FAQ](backup-azure-file-folder-backup-faq.md).-
-## General backup
-
-### Are there limits on backup scheduling?
-
-Yes.
--- You can back up Windows Server or Windows machines up to three times a day. You can set the scheduling policy to daily or weekly schedules.-- You can back up DPM up to twice a day. You can set the scheduling policy to daily, weekly, monthly, and yearly.-- You back up Azure VMs once a day.-
-### What operating systems are supported for backup?
-
-Azure Backup supports these operating systems for backing up files and folders, and apps protected by Azure Backup Server and DPM.
-
-**OS** | **SKU** | **Details**
- | |
-Workstation | |
-Windows 10 64 bit | Enterprise, Pro, Home | Machines should be running the latest services packs and updates.
-Windows 8.1 64 bit | Enterprise, Pro | Machines should be running the latest services packs and updates.
-Windows 8 64 bit | Enterprise, Pro | Machines should be running the latest services packs and updates.
-Windows 7 64 bit | Ultimate, Enterprise, Professional, Home Premium, Home Basic, Starter | Machines should be running the latest services packs and updates.
-Server | |
-Windows Server 2019 64 bit | Standard, Datacenter, Essentials | With the latest service packs/updates.
-Windows Server 2016 64 bit | Standard, Datacenter, Essentials | With the latest service packs/updates.
-Windows Server 2012 R2 64 bit | Standard, Datacenter, Foundation | With the latest service packs/updates.
-Windows Server 2012 64 bit | Datacenter, Foundation, Standard | With the latest service packs/updates.
-Windows Storage Server 2016 64 bit | Standard, Workgroup | With the latest service packs/updates.
-Windows Storage Server 2012 R2 64 bit | Standard, Workgroup, Essential | With the latest service packs/updates.
-Windows Storage Server 2012 64 bit | Standard, Workgroup | With the latest service packs/updates.
-Windows Server 2008 R2 SP1 64 bit | Standard, Enterprise, Datacenter, Foundation | With the latest updates.
-Windows Server 2008 64 bit | Standard, Enterprise, Datacenter | With latest updates.
-
-Azure Backup doesn't support 32-bit operating systems.
-
-For Azure VM Linux backups, Azure Backup supports [the list of distributions endorsed by Azure](../virtual-machines/linux/endorsed-distros.md), except Core OS Linux and 32-bit operating system. Other bring-your-own Linux distributions might work as long as the VM agent is available on the VM, and support for Python exists.
-
-### Are there size limits for data backup?
-
-Sizes limits are as follows:
-
-OS/machine | Size limit of data source
- |
-Windows 8 or later | 54,400 GB
-Windows 7 |1700 GB
-Windows Server 2012 or later | 54,400 GB
-Windows Server 2008, Windows Server 2008 R2 | 1700 GB
-Azure VM | See the [support matrix for Azure VM backup](./backup-support-matrix-iaas.md#vm-storage-support)
-
-### How is the data source size determined?
-
-The following table explains how each data source size is determined.
-
-**Data source** | **Details**
- |
-Volume |The amount of data being backed up from single volume VM being backed up.
-SQL Server database |Size of single database size being backed up.
-SharePoint | Sum of the content and configuration databases within a SharePoint farm being backed up.
-Exchange |Sum of all Exchange databases in an Exchange server being backed up.
-BMR/System state |Each individual copy of BMR or system state of the machine being backed up.
-
-### Is there a limit on the amount of data backed up using a Recovery Services vault?
-
-There's no limit on the total amount of data you can back up using a Recovery Services vault. The individual data sources (other than Azure VMs), can be a maximum of 54,400 GB in size. For more information about limits, see the [vault limits section in the support matrix](./backup-support-matrix.md#vault-support).
-
-### Why is the size of the data transferred to the Recovery Services vault smaller than the data selected for backup?
-
-Data backed up from Azure Backup Agent, DPM, and Azure Backup Server is compressed and encrypted before being transferred. With compression and encryption is applied, the data in the vault is 30-40% smaller.
-
-### Can I delete individual files from a recovery point in the vault?
-
-No, Azure Backup doesn't support deleting or purging individual items from stored backups.
-
-### If I cancel a backup job after it starts, is the transferred backup data deleted?
-
-No. All data that was transferred into the vault before the backup job was canceled remains in the vault.
--- Azure Backup uses a checkpoint mechanism to occasionally add checkpoints to the backup data during the backup.-- Because there are checkpoints in the backup data, the next backup process can validate the integrity of the files.-- The next backup job will be incremental to the data previously backed up. Incremental backups only transfer new or changed data, which equates to better utilization of bandwidth.-
-If you cancel a backup job for an Azure VM, any transferred data is ignored. The next backup job transfers incremental data from the last successful backup job.
-
-## Retention and recovery
-
-### Are the retention policies for DPM and Windows machines without DPM the same?
-
-Yes, they both have daily, weekly, monthly, and yearly retention policies.
-
-### Can I customize retention policies?
-
-Yes, you have customize policies. For example, you can configure weekly and daily retention requirements, but not yearly and monthly.
-
-### Can I use different times for backup scheduling and retention policies?
-
-No. Retention policies can only be applied on backup points. For example, this image shows a retention policy for backups taken at 12am and 6pm.
-
-![Schedule Backup and Retention](./media/backup-azure-backup-faq/Schedule.png)
-
-### If a backup is kept for a long time, does it take more time to recover an older data point?
-
-No. The time to recover the oldest or the newest point is the same. Each recovery point behaves like a full point.
-
-### If each recovery point is like a full point, does it impact the total billable backup storage?
-
-Typical long-term retention point products store backup data as full points.
--- The full points are storage *inefficient* but are easier and faster to restore.-- Incremental copies are storage *efficient* but require you to restore a chain of data, which impacts your recovery time-
-Azure Backup storage architecture gives you the best of both worlds by optimally storing data for fast restores and incurring low storage costs. This ensures that your ingress and egress bandwidth is used efficiently. The amount of data storage, and the time needed to recover the data, is kept to a minimum. Learn more about [incremental backups](backup-architecture.md#backup-types).
-
-### Is there a limit on the number of recovery points that can be created?
-
-You can create up to 9999 recovery points per protected instance. A protected instance is a computer, server (physical or virtual), or workload that backs up to Azure.
--- Learn more about [backup and retention](./backup-support-matrix.md).-
-### How many times can I recover data that's backed up to Azure?
-
-There's no limit on the number of recoveries from Azure Backup.
-
-### When restoring data, do I pay for the egress traffic from Azure?
-
-No. Recovery is free and you aren't charged for the egress traffic.
-
-### What happens when I change my backup policy?
-
-When a new policy is applied, schedule and retention of the new policy is followed.
--- If retention is extended, existing recovery points are marked to keep them according to new policy.-- If retention is reduced, they are marked for pruning in the next cleanup job and subsequently deleted.-
-### How long is data retained when stopping backups, but selecting the option to retain backup data?
-
-When backups are stopped and the data is retained, existing policy rules for data pruning will cease and data will be retained indefinitely until initiated by the administrator for deletion.
-
-## Encryption
-
-### Is the data sent to Azure encrypted?
-
-Yes. Data is encrypted on the on-premises machine using AES256. The data is sent over a secure HTTPS link. The data transmitted in cloud is protected by HTTPS link only between storage and recovery service. iSCSI protocol secures the data transmitted between recovery service and user machine. Secure tunneling is used to protect the iSCSI channel.
-
-### Is the backup data on Azure encrypted as well?
-
-Yes. The data in Azure is encrypted-at-rest.
--- For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure.-- For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE).-
-Microsoft doesn't decrypt the backup data at any point.
-
-### What is the minimum length of the encryption key used to encrypt backup data?
-
-The encryption key used by the Microsoft Azure Recovery Services (MARS) Agent is derived from a passphrase that should be at least 16 characters long. For Azure VMs, there's no limit to the length of keys used by Azure KeyVault.
-
-### What happens if I misplace the encryption key? Can I recover the data? Can Microsoft recover the data?
-
-The key used to encrypt the backup data is present only on your site. Microsoft doesn't maintain a copy in Azure and doesn't have any access to the key. If you misplace the key, Microsoft can't recover the backup data.
-
-## Next steps
-
-Read the other FAQs:
--- [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups.-- [Common questions](backup-azure-file-folder-backup-faq.md) about the Azure Backup agent
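Review bot: confirm that the Encryption answers in this removed file (AES256 on the on-premises machine, the 16-character minimum for the MARS passphrase, and that Microsoft cannot recover data if the key is misplaced) are carried over unchanged into backup-azure-backup-faq.yml, which the other articles in this update now link to, and that the old .md URL redirects there. The migration is also the place to fix wording errors visible in the removed text, such as "Yes, you have customize policies" and "With compression and encryption is applied".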
backup Backup Azure Backup Sharepoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-backup-sharepoint.md
If you have more than one front-end web server, and want to switch the server th
## Next steps
-* [Azure Backup Server and DPM - FAQ](backup-azure-dpm-azure-server-faq.md)
+* [Azure Backup Server and DPM - FAQ](backup-azure-dpm-azure-server-faq.yml)
* [Troubleshoot System Center Data Protection Manager](backup-azure-scdpm-troubleshooting.md)
backup Backup Azure Backup Sql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-backup-sql.md
To recover a protected entity, such as a SQL Server database, from Azure:
## Next steps
-For more information, see [Azure Backup FAQ](backup-azure-backup-faq.md).
+For more information, see [Azure Backup FAQ](backup-azure-backup-faq.yml).
backup Backup Azure Dpm Azure Server Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-dpm-azure-server-faq.md
- Title: Azure Backup Server and DPM FAQ
-description: In this article, discover answers to common questions about the Microsoft Azure Backup Server (MABS) and DPM (Data Protection Manager).
-- Previously updated : 07/05/2019--
-# Azure Backup Server and DPM - FAQ
-
-## General questions
-
-This article answers frequently asked questions about the Azure Backup Server and DPM.
-
-### Can I use Azure Backup Server to create a Bare Metal Recovery (BMR) backup for a physical server?
-
-Yes.
-
-### Can I register the server to multiple vaults?
-
-No. A DPM or Azure Backup server can be registered to only one vault.
-
-### Can I use DPM to back up apps in Azure Stack?
-
-No. You can use Azure Backup to protect Azure Stack, Azure Backup doesn't support using DPM to back up apps in Azure Stack.
-
-### If I've installed Azure Backup agent to protect my files and folders, can I install System Center DPM to back up on-premises workloads to Azure?
-
-Yes. But you should set up DPM first, and then install the Azure Backup agent. Installing components in this order ensures that the Azure Backup agent works with DPM. Installing the agent before installing DPM isn't advised or supported.
-
-### Why canΓÇÖt I add an external DPM server after installing UR7 and latest Azure Backup agent?
-
-For the DPM servers with data sources that are protected to the cloud (by using an update rollup earlier than Update Rollup 7), you must wait at least one day after installing the UR7 and latest Azure Backup agent, to start **Add External DPM server**. The one-day time period is needed to upload the metadata of the DPM protection groups to Azure. Protection group metadata is uploaded the first time through a nightly job.
-
-### Are there recommendations for configuring exclusions for antivirus software?
-
-Yes, it's recommended to configure antivirus exclusion. For exclusions for DPM, see [Run antivirus software on the DPM server](/system-center/dpm/run-antivirus-server). For exclusions for MABS, see [Configure antivirus for MABS server](backup-azure-mabs-troubleshoot.md#configure-antivirus-for-mabs-server).
-
-## VMware and Hyper-V backup
-
-### Can I back up VMware vCenter servers to Azure?
-
-Yes. You can use Azure Backup Server to back up VMware vCenter Server and ESXi hosts to Azure.
--- [Learn more](backup-mabs-protection-matrix.md) about supported versions.-- [Follow these steps](backup-azure-backup-server-vmware.md) to back up a VMware server.-
-### Do I need a separate license to recover a full on-premises VMware/Hyper-V cluster?
-
-You don't need separate licensing for VMware/Hyper-V protection.
--- If you're a System Center customer, use System Center Data Protection Manager (DPM) to protect VMware VMs.-- If you aren't a System Center customer, you can use Azure Backup Server (pay-as-you-go) to protect VMware VMs.-
-### Can I restore a backup of a Hyper-V or VMware VM, stored in Azure, to Azure as an Azure VM?
-
-No, this is not currently possible. You can only restore to an on-premises host.
-
-## SharePoint
-
-### Can I recover a SharePoint item to the original location if SharePoint is configured by using SQL AlwaysOn (with protection on disk)?
-
-Yes, the item can be recovered to the original SharePoint site.
-
-### Can I recover a SharePoint database to the original location if SharePoint is configured by using SQL AlwaysOn?
-
-Because SharePoint databases are configured in SQL AlwaysOn, they can't be modified unless the availability group is removed. As a result, DPM can't restore a database to the original location. You can recover a SQL Server database to another SQL Server instance.
-
-## Next steps
-
-Read the other FAQs:
--- [Learn more](backup-support-matrix-mabs-dpm.md) about Azure Backup Server and DPM support matrix.-- [Learn more](backup-azure-mabs-troubleshoot.md) about the Azure Backup Server and DPM troubleshooting guidelines.
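Review bot: In the removed answer to "Can I use DPM to back up apps in Azure Stack?", the sentence "You can use Azure Backup to protect Azure Stack, Azure Backup doesn't support using DPM to back up apps in Azure Stack." is a comma splice that reads as if it contradicts itself. If this text moves to the `backup-azure-dpm-azure-server-faq.yml` file that the SharePoint article now links to, split it into two sentences so the supported path and the unsupported one are clearly distinct.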
backup Backup Azure Exchange Mabs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-exchange-mabs.md
For online recovery points, there are five recovery types:
## Next steps
-* [Azure Backup FAQ](backup-azure-backup-faq.md)
+* [Azure Backup FAQ](backup-azure-backup-faq.yml)
backup Backup Azure File Folder Backup Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-file-folder-backup-faq.md
- Title: Microsoft Azure Recovery Services (MARS) Agent ΓÇô FAQ
-description: Addresses common questions about backing up files and folders with Azure Backup.
- Previously updated : 04/05/2021---
-# Frequently asked questions - Microsoft Azure Recovery Services (MARS) agent
-
-This article answers common questions about backing up data with the Microsoft Azure Recovery Services (MARS) Agent in the [Azure Backup](backup-overview.md) service.
-
-## Configure backups
-
-### Where can I download the latest version of the MARS agent?
-
-The latest MARS agent used when backing up Windows Server machines, System Center DPM, and Microsoft Azure Backup server is available for [download](https://aka.ms/azurebackup_agent).
-
-### Where can I download the vault credentials file?
-
-In the Azure portal, navigate to **Properties** for your vault. Under **Backup Credentials**, select the checkbox for **Already using the latest Recovery Services Agent**. Select **Download**.
-
-![Download credentials](./media/backup-azure-file-folder-backup-faq/download-credentials.png)
-
-### How long are vault credentials valid?
-
-Vault credentials expire after 10 days. If the credentials file expires, download the file again from the Azure portal.
-
-### What characters are allowed for the passphrase?
-
-The passphrase should use characters from the ASCII character set, with [ASCII values less than or equal to 127](/office/vba/language/reference/user-interface-help/character-set-0127).
-
-### From what drives can I back up files and folders?
-
-You can't back up the following types of drives and volumes:
-
-* Removable media: All backup item sources must report as fixed.
-* Read-only volumes: The volume must be writable for the volume shadow copy service (VSS) to function.
-* Offline volumes: The volume must be online for VSS to function.
-* Network shares: The volume must be local to the server to be backed up using online backup.
-* BitLocker-protected volumes: The volume must be unlocked before the backup can occur.
-* File System Identification: NTFS is the only file system supported.
-
-### What file and folder types are supported?
-
-[Learn more](backup-support-matrix-mars-agent.md#supported-file-types-for-backup) about the types of files and folders supported for backup.
-
-### Can I use the MARS agent to back up files and folders on an Azure VM?
-
-Yes. Azure Backup provides VM-level backup for Azure VMs using the VM extension for the Azure VM agent. If you want to back up files and folders on the guest Windows operating system on the VM, you can install the MARS agent to do that.
-
-### Can I use the MARS agent to back up files and folders on temporary storage for the Azure VM?
-
-Yes. Install the MARS agent, and back up files and folders on the guest Windows operating system to temporary storage.
-
-* Backup jobs fail when temporary storage data is wiped out.
-* If the temporary storage data is deleted, you can only restore to non-volatile storage.
-
-### How do I register a server to another region?
-
-Backup data is sent to the datacenter of the vault in which the server is registered. The easiest way to change the datacenter is to uninstall and reinstall the agent, and then register the machine to a new vault in the region you need.
-
-### Does the MARS agent support Windows Server 2012 deduplication?
-
-Yes. The MARS agent converts the deduplicated data to normal data when it prepares the backup operation. It then optimizes the data for backup, encrypts the data, and then sends the encrypted data to the vault.
-
-### Do I need administrator permissions to install and configure the MARS agent?
-
-Yes, the installation of the MARS Agent and configuration of backups using the MARS console need the user to be a local administrator on the protected server.
-
-### What is the impact on MARS Agent backups of transferring the vault subscription to a different Azure AD directory?
-
-The change of Azure AD directory will have no impact on MARS Agent backups.
-
-## Manage backups
-
-### What happens if I rename a Windows machine configured for backup?
-
-When you rename a Windows machine, all currently configured backups are stopped.
-
-* You need to register the new machine name with the Backup vault.
-* When you register the new name with the vault, the first operation is a *full* backup.
-* If you need to recover data backed up to the vault with the old server name, use the option to restore to an alternate location in the Recover Data Wizard. [Learn more](backup-azure-restore-windows-server.md#use-instant-restore-to-restore-data-to-an-alternate-machine).
-
-### What is the maximum file path length for backup?
-
-The MARS agent relies on NTFS, and uses the filepath length specification limited by the [Windows API](/windows/win32/FileIO/naming-a-file#fully-qualified-vs-relative-paths). If the files you want to protect are longer than the allowed value, back up the parent folder or the disk drive.
-
-### What characters are allowed in file paths?
-
-The MARS agent relies on NTFS, and allows [supported characters](/windows/win32/FileIO/naming-a-file#naming-conventions) in file names/paths.
-
-### The warning "Azure Backups have not been configured for this server" appears
-
-This warning can appear even though you've configured a backup policy, when the backup schedule settings stored on the local server aren't the same as the settings stored in the backup vault.
-
-* When the server or the settings have been recovered to a known good state, backup schedules can become unsynchronized.
-* If you receive this warning, [configure](backup-azure-manage-windows-server.md) the backup policy again, and then run an on-demand backup to resynchronize the local server with Azure.
-
-### I see a few jobs are stuck in the In Progress state for a long time under Backup Jobs in the Azure portal. How can I resolve these?
-
-This can happen if a job was unable to complete due to reasons, such as network connectivity issues, machine shutdown, or process termination. No user action is required here. These jobs will automatically be marked as **Failed** after 30 days. [Learn more](backup-windows-with-mars-agent.md#run-an-on-demand-backup) to run an on-demand backup job using the MARS agent.
-
-## Manage the backup cache folder
-
-### What's the minimum size requirement for the cache folder?
-
-The size of the cache folder determines the amount of data that you're backing up.
-
-* The cache folder volumes should have free space that equals at least 5-10% of the total size of backup data.
-* If the volume has less than 5% free space, either increase the volume size, or move the cache folder to a volume with enough space by following [these steps](#how-do-i-change-the-cache-location-for-the-mars-agent).
-* If you back up Windows System State, you'll need an additional 30-35 GB of free space in the volume containing the cache folder.
-
-### How to check if scratch folder is valid and accessible?
-
-1. By default scratch folder is located at `\Program Files\Microsoft Azure Recovery Services Agent\Scratch`
-2. Make sure the path of your scratch folder location matches with the values of the registry key entries shown below:
-
- | Registry path | Registry Key | Value |
- | | | |
- | `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config` |ScratchLocation |*New cache folder location* |
- | `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider` |ScratchLocation |*New cache folder location* |
-
-### How do I change the cache location for the MARS agent?
-
-1. Run this command in an elevated command prompt to stop the Backup engine:
-
- ```Net stop obengine```
-2. If you've configured System State backup, open Disk Management and unmount the disk(s) with names in the format `"CBSSBVol_<ID>"`.
-3. By default, the scratch folder is located at `\Program Files\Microsoft Azure Recovery Services Agent\Scratch`
-4. Copy the entire `\Scratch` folder to a different drive that has sufficient space. Ensure the contents are copied, not moved.
-5. Update the following registry entries with the path of the newly moved scratch folder.
-
- | Registry path | Registry Key | Value |
- | | | |
- | `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config` |ScratchLocation |*New scratch folder location* |
- | `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider` |ScratchLocation |*New scratch folder location* |
-
-6. Restart the Backup engine at an elevated command prompt:
-
- ```command
- Net stop obengine
-
- Net start obengine
- ```
-
-7. Run an on-demand backup. After the backup finishes successfully using the new location, you can remove the original cache folder.
-
-### Where should the cache folder be located?
-
-The following locations for the cache folder aren't recommended:
-
-* Network share/removable media: The cache folder must be local to the server that needs backing up using online backup. Network locations or removable media like USB drives aren't supported.
-* Offline volumes: The cache folder must be online for expected backup using Azure Backup Agent
-
-### Are there any attributes of the cache folder that aren't supported?
-
-The following attributes or their combinations aren't supported for the cache folder:
-
-* Encrypted
-* De-duplicated
-* Compressed
-* Sparse
-* Reparse-Point
-
-The cache folder and the metadata VHD don't have the necessary attributes for the Azure Backup agent.
-
-### Is there a way to adjust the amount of bandwidth used for backup?
-
-Yes, you can use the **Change Properties** option in the MARS agent to adjust the bandwidth and timing. [Learn more](backup-windows-with-mars-agent.md#enable-network-throttling).
-
-## Restore
-
-### Manage
-
-#### Can I recover if I forgot my passphrase?
-
-The Azure Backup agent requires a passphrase (that you provided during registration) to decrypt the backed-up data during restore. Review the scenarios below to understand your options for handling a lost passphrase:
-
-| Original Machine <br> *(source machine where backups were taken)* | Passphrase | Available Options |
-| | | |
-| Available |Lost |If your original machine (where backups were taken) is available and still registered with the same Recovery Services vault, then you can regenerate the passphrase by following these [steps](./backup-azure-manage-mars.md#re-generate-passphrase). |
-| Lost |Lost |Not possible to recover the data or data isn't available |
-
-Consider the following conditions:
-
-* If you uninstall and re-register the agent on the same original machine with the
- * *Same passphrase*, then you can restore your backed-up data.
- * *Different passphrase*, then you can't restore your backed-up data.
-* If you install the agent on a *different machine* with the
- * *Same passphrase* (used in the original machine), then you can restore your backed-up data.
- * *Different passphrase*, you can't restore your backed-up data.
-* If your original machine is corrupted (preventing you from regenerating the passphrase through the MARS console), but you can restore or access the original scratch folder used by the MARS agent, then you might be able to restore (if you forgot the password). For more assistance, contact Customer Support.
-
-#### How do I recover if I lost my original machine (where backups were taken)?
-
-If you have the same passphrase (that you provided during registration) of the original machine, then you can restore the backed-up data to an alternate machine. Review the scenarios below to understand your restore options.
-
-| Original Machine | Passphrase | Available Options |
-| | | |
-| Lost |Available |You can install and register the MARS agent on another machine with the same passphrase that you provided during registration of the original machine. Choose **Recovery Option** > **Another location** to perform your restore. For more information, see this [article](./backup-azure-restore-windows-server.md#use-instant-restore-to-restore-data-to-an-alternate-machine).
-| Lost |Lost |Not possible to recover the data or data isn't available |
-
-### My backup jobs have been failing or not running for a long time. I'm past the retention period. Can I still restore?
-
-As a safety measure, Azure Backup will preserve the most recent recovery point, even if it's past the retention period. Once backups resume and fresh recovery points become available, the older recovery point will be removed according to the specified retention.
-
-### What happens if I cancel an ongoing restore job?
-
-If an ongoing restore job is canceled, the restore process stops. All files restored before the cancellation stay in configured destination (original or alternate location), without any rollbacks.
-
-### Does the MARS agent back up and restore ACLs set on files, folders, and volumes?
-
-* The MARS agent backs up ACLs set on files, folders, and volumes
-* For Volume Restore recovery option, the MARS agent provides an option to skip restoring ACL permissions to the file or folder being recovered
-* For the individual file and folders recovery option, the MARS agent will restore with ACL permissions (there's no option to skip ACL restore).
-
-## Next steps
-
-[Learn](tutorial-backup-windows-server-to-azure.md) how to back up a Windows machine.
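Review bot: Step 6 of "How do I change the cache location for the MARS agent?" is titled "Restart the Backup engine" but its command block runs `Net stop obengine` before `Net start obengine`, even though step 1 already stopped the engine. If this procedure is carried into `backup-azure-file-folder-backup-faq.yml`, drop the redundant stop or say why it is repeated. In the same file, "The size of the cache folder determines the amount of data that you're backing up" states the dependency backwards relative to the bullets under it, which size the cache from the backup data. The in-page link `#how-do-i-change-the-cache-location-for-the-mars-agent` should also be checked against the slug form used by the updated links elsewhere in this change (`#what-s-the-minimum-size-requirement-for-the-cache-folder-`).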
backup Backup Azure Files Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-files-faq.md
- Title: Back up Azure Files FAQ
-description: In this article, discover answers to common questions about how to protect your Azure file shares with the Azure Backup service.
Previously updated : 04/22/2020---
-# Questions about backing up Azure Files
-
-This article answers common questions about backing up Azure Files. In some of the answers, there are links to the articles that have comprehensive information. You can also post questions about the Azure Backup service in the [Microsoft Q&A question page for discussion](/answers/topics/azure-backup.html).
-
-To quickly scan the sections in this article, use the links to the right, under **In this article**.
-
-## Configuring the backup job for Azure Files
-
-### Why can't I see some of my Storage Accounts that I want to protect, which contain valid Azure file shares?
-
-Refer to the [Support Matrix for Azure file shares backup](azure-file-share-support-matrix.md) to ensure the storage account belongs to one of the supported storage account types. It's also possible the Storage Account you're looking for is already protected or registered with another Vault. [Unregister the storage account](manage-afs-backup.md#unregister-a-storage-account) from the vault to discover the Storage Account in other vaults for protection.
-
-### Why can't I see some of my Azure file shares in the Storage Account when I'm trying to configure backup?
-
-Check if the Azure file share is already protected in the same Recovery Services vault or if it has been deleted recently.
-
-### Can I protect File Shares connected to a Sync Group in Azure Files Sync?
-
-Yes. Protection of Azure File Shares connected to Sync Groups is enabled.
-
-### When trying to back up file shares, I selected a Storage Account to discover the file shares in it. However, I didn't protect them. How do I protect these file shares with any other vault?
-
-When trying to back up, selecting a Storage Account to discover file shares within it registers the Storage Account with the vault from which this is done. If you choose to protect the file shares with a different vault, [unregister](manage-afs-backup.md#unregister-a-storage-account) the chosen Storage Account from this vault.
-
-### Why can't I change the vault to configure backup for the file share?
-
-If the storage account is already registered with a vault or other file shares in the storage account are protected using a vault , you aren't given an option to change it. All file shares in a storage account can be protected only by the same vault. If you want to change the vault, you'll need to [stop protection for all file shares in the storage account](manage-afs-backup.md#stop-protection-on-a-file-share) from the connected vault, [unregister](manage-afs-backup.md#unregister-a-storage-account) the Storage Account, and then choose a different vault for protection.
-
-### Can I change the Vault to which I back up my file shares?
-
-Yes. However, you'll need to [stop protection on the file share](manage-afs-backup.md#stop-protection-on-a-file-share) from the connected vault, [unregister](manage-afs-backup.md#unregister-a-storage-account) this Storage Account, and then protect it from a different vault.
-
-### Can I protect two different file shares from the same Storage Account to different Vaults?
-
-No. All file shares in a Storage Account can be protected only by the same Vault.
-
-## Backup
-
-### What should I do if my backups start failing due to the maximum limit reached error?
-
-You can have up to 200 Snapshots for a file share at any point in time. The limit includes snapshots taken by Azure Backup as defined by your policy. If your backups start failing after reaching the limit, delete On-Demand snapshots for successful future backups.
-
-## Restore
-
-### Can I recover from a deleted Azure file share?
-
-If the file share is in the soft deleted state, you need to first undelete the file share to perform the restore operation. The undelete operation will bring the file share into the active state where you can restore to any point in time. To learn how to undelete your file share, visit [this link](../storage/files/storage-files-enable-soft-delete.md?tabs=azure-portal#restore-soft-deleted-file-share) or see the [Undelete File Share Script](./scripts/backup-powershell-script-undelete-file-share.md). If the file share is permanently deleted, you won't be able restore the contents and snapshots.
-
-### Can I restore from backups if I stopped protection on an Azure file share?
-
-Yes. If you chose **Retain Backup Data** when you stopped protection, then you can restore from all existing restore points.
-
-### What happens if I cancel an ongoing restore job?
-
-If an ongoing restore job is canceled, the restore process stops and all files restored before the cancellation, stay in configured destination (original or alternate location) without any rollbacks.
-
-## Manage backup
-
-### Can I use PowerShell to configure/manage/restore backups of Azure File shares?
-
-Yes. Refer to the detailed documentation [here](backup-azure-afs-automation.md).
-
-### Can I access the snapshots taken by Azure Backups and mount them?
-
-All snapshots taken by Azure Backup can be accessed by viewing snapshots in the portal, PowerShell, or CLI. To learn more about Azure Files share snapshots, see [Overview of share snapshots for Azure Files](../storage/files/storage-snapshots-files.md).
-
-### What happens after I move a backed up file share to a different subscription?
-
-Once a file share is moved to a different subscription, it's considered as a new file share by Azure Backup. These are the recommended steps:
-
-Scenario: Let's say you have a file share *FS1* in subscription *S1* and it's protected using the *V1* vault. Now you want to move your file share to subscription *S2*.
-
-1. Move the desired storage account and file share (FS1) to the different subscription (S2).
-2. In the V1 vault, trigger the stop protection with delete data operation for FS1.
-3. Unregister the storage account hosting FS1 from the V1 vault.
-4. Reconfigure backup for FS1, now moved to S2, with a vault (V2) in the S2 subscription.
-
-Note that after reconfiguring backup with V2, the snapshots that were taken with V1 will no longer be managed by Azure Backup. So you'll have to delete those snapshots manually according to your requirements.
-
-### Can I move my backed up file share to a different resource group?
-
-Yes, you can move your backed up file share to a different resource group. However, you'll need to reconfigure backup for the file share as it will be treated as a new resource by Azure Backup. Also, the snapshots that were created before the resource group move will no longer be managed by Azure backup. So you'll have to delete those snapshots manually according to your requirements.
-
-### What is the maximum retention I can configure for backups?
-
-Refer to the [support matrix](azure-file-share-support-matrix.md) for details on maximum retention. Azure Backup does a real-time calculation of the number of snapshots when you enter the retention values while configuring backup policy. As soon as the number of snapshots corresponding to your defined retention values exceeds 200, the portal will show a warning requesting you to adjust your retention values. This is so you donΓÇÖt exceed the limit of maximum number of snapshots supported by Azure Files for any file share at any point in time.
-
-### What is the impact on existing recovery points and snapshots when I modify the Backup policy for an Azure file share to switch from ΓÇ£Daily Policy" to "GFS PolicyΓÇ¥?
-
-When you modify a Daily backup policy to GFS policy (adding weekly/monthly/yearly retention), the behavior is as follows:
--- **Retention**: If you're adding weekly/monthly/yearly retention as part of modifying the policy, all the future recovery points created as part of the scheduled backup will be tagged according to the new policy. All the existing recovery points will still be considered as daily recovery points and so wonΓÇÖt be tagged as weekly/monthly/yearly.--- **Snapshots and recovery points cleanup**:-
- - If daily retention is extended, the expiration date of the existing recovery points is updated according to the daily retention value configured in the new policy.
- - If daily retention is reduced, the existing recovery points and snapshots are marked for deletion in the next cleanup run job according to the daily retention value configured in the new policy, and then deleted.
-
-Here's an example of how this works:
-
-#### Existing Policy [P1]
-
-|Retention Type |Schedule |Retention |
-||||
-|Daily | Every day at 8 PM | 100 days |
-
-#### New Policy [Modified P1]
-
-| Retention Type | Schedule | Retention |
-| -- | | |
-| Daily | Every day at 9 PM | 50 days |
-| Weekly | On Sunday at 9 PM | 3 weeks |
-| Monthly | On Last Monday at 9 PM | 1 month |
-| Yearly | In Jan on Third Sunday at 9 PM | 4 years |
-
-#### Impact
-
-1. The expiration date of existing recovery points will be adjusted according to the daily retention value of the new policy: that is, 50 days. So any recovery point thatΓÇÖs older than 50 days will be marked for deletion.
-
-2. The existing recovery points wonΓÇÖt be tagged as weekly/monthly/yearly based on new policy.
-
-3. All the future backups will be triggered according to the new schedule: that is, at 9 PM.
-
-4. The expiration date of all future recovery points will be aligned with the new policy.
-
->[!NOTE]
->The policy changes will affect only the recovery points created as part of the scheduled backup job run. For on-demand backups, retention is determined by the **Retain Till** value specified at the time of taking backup.
-
-### What is the impact on existing recovery points when I modify an existing GFS Policy?
-
-When a new policy is applied on file shares, all the future scheduled backups will be taken according to the schedule configured in the modified policy. The retention of all existing recovery points is aligned according to the new retention values configured. So if the retention is extended, existing recovery points are marked to be retained according to the new policy. If the retention is reduced, they're marked for clean-up in the next cleanup job and then deleted.
-
-Here's an example of how this works:
-
-#### Existing Policy [P2]
-
-| Retention Type | Schedule | Retention |
-| -- | | |
-| Daily | Every day at 8 PM | 50 days |
-| Weekly | On Monday at 8 PM | 3 weeks |
-
-#### New Policy [Modified P2]
-
-| Retention Type | Schedule | Retention |
-| -- | - | |
-| Daily | Every day at 9 PM | 10 days |
-| Weekly | On Monday at 9 PM | 2 weeks |
-| Monthly | On Last Monday at 9 PM | 2 months |
-
-#### Impact of change
-
-1. The expiration date of existing daily recovery points will be aligned according to the new daily retention value, that is 10 days. So any daily recovery point older than 10 days will be deleted.
-
-2. The expiration date of existing weekly recovery points will be aligned according to the new weekly retention value, that is two weeks. So any weekly recovery point older than two weeks will be deleted.
-
-3. The monthly recovery points will only be created as part of future backups based on the new policy configuration.
-
-4. The expiration date of all future recovery points will be aligned with the new policy.
-
->[!NOTE]
->The policy changes will affect only the recovery points created as part of the scheduled backup. For on-demand backups, retention is determined by the **Retain Till** value specified at the time of taking the backup.
-
-## Next steps
--- [Troubleshoot problems while backing up Azure file shares](troubleshoot-azure-files.md)
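Review bot: In the removed answer to "What happens after I move a backed up file share to a different subscription?", step 2 tells the reader to "trigger the stop protection with delete data operation for FS1", yet the paragraph after the steps says the snapshots taken with V1 "will no longer be managed by Azure Backup" and must be deleted manually. If this Q&A is kept in the replacement FAQ, state which snapshots survive step 2, so readers do not assume old recovery data is gone when it is still present on the share, or the reverse.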
backup Backup Azure Mabs Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-mabs-troubleshoot.md
We recommend you perform the following validation, before you start troubleshoot
- [Ensure Microsoft Azure Recovery Services (MARS) Agent is up to date](https://go.microsoft.com/fwlink/?linkid=229525&clcid=0x409) - [Ensure there's network connectivity between MARS agent and Azure](./backup-azure-mars-troubleshoot.md#the-microsoft-azure-recovery-service-agent-was-unable-to-connect-to-microsoft-azure-backup) - Ensure Microsoft Azure Recovery Services is running (in Service console). If necessary, restart and retry the operation-- [Ensure 5-10% free volume space is available on scratch folder location](./backup-azure-file-folder-backup-faq.md#whats-the-minimum-size-requirement-for-the-cache-folder)
+- [Ensure 5-10% free volume space is available on scratch folder location](./backup-azure-file-folder-backup-faq.yml#what-s-the-minimum-size-requirement-for-the-cache-folder-)
- If registration is failing, then ensure the server on which you're trying to install Azure Backup Server isn't already registered with another vault - If Push install fails, check if DPM agent is already present. If yes, then uninstall the agent and retry the installation - [Ensure no other process or antivirus software is interfering with Azure Backup](./backup-azure-troubleshoot-slow-backup-performance-issue.md#cause-another-process-or-antivirus-software-interfering-with-azure-backup)<br>
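Review bot: The new link target changes the anchor as well as the extension: `#whats-the-minimum-size-requirement-for-the-cache-folder` becomes `#what-s-the-minimum-size-requirement-for-the-cache-folder-`, with a hyphen in place of the apostrophe and a trailing hyphen. Confirm the rendered YAML FAQ actually generates this slug, since a wrong fragment fails silently and lands the reader at the top of the page rather than on the free-space requirement.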
backup Backup Azure Manage Mars https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-manage-mars.md
We recommend the following configuration for your antivirus software to avoid co
1. **Add Path Exclusions**: To avoid degradation of performance and possible conflicts, exclude the following paths from real-time monitoring by the antivirus software: 1. `%ProgramFiles%\Microsoft Azure Recovery Services Agent` and subfolders
- 1. **Scratch folder**: If the scratch folder isn't in the standard location, add that to the exclusions as well. [See here for steps](backup-azure-file-folder-backup-faq.md#how-to-check-if-scratch-folder-is-valid-and-accessible) to determine the scratch folder location.
+ 1. **Scratch folder**: If the scratch folder isn't in the standard location, add that to the exclusions as well. [See here for steps](backup-azure-file-folder-backup-faq.yml#how-to-check-if-scratch-folder-is-valid-and-accessible-) to determine the scratch folder location.
1. **Add Binary Exclusions**: To avoid degradation of backup and console activities, exclude processes for the following binaries from real-time monitoring by the antivirus software: 1. `%ProgramFiles%\Microsoft Azure Recovery Services Agent\bin\cbengine.exe`
We recommend the following configuration for your antivirus software to avoid co
- For information about supported scenarios and limitations, refer to the [Support Matrix for the MARS Agent](./backup-support-matrix-mars-agent.md). - Learn more about [On demand backup policy retention behavior](backup-windows-with-mars-agent.md#set-up-on-demand-backup-policy-retention-behavior).-- For more frequently asked questions, see the [MARS agent FAQ](backup-azure-file-folder-backup-faq.md).
+- For more frequently asked questions, see the [MARS agent FAQ](backup-azure-file-folder-backup-faq.yml).
backup Backup Azure Mars Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-mars-troubleshoot.md
We recommend that you check the following before you start troubleshooting Micro
- [Ensure the MARS agent is up to date](https://go.microsoft.com/fwlink/?linkid=229525&clcid=0x409). - [Ensure you have network connectivity between the MARS agent and Azure](#the-microsoft-azure-recovery-service-agent-was-unable-to-connect-to-microsoft-azure-backup). - Ensure MARS is running (in Service console). If you need to, restart and retry the operation.-- [Ensure 5% to 10% free volume space is available in the scratch folder location](./backup-azure-file-folder-backup-faq.md#whats-the-minimum-size-requirement-for-the-cache-folder).
+- [Ensure 5% to 10% free volume space is available in the scratch folder location](./backup-azure-file-folder-backup-faq.yml#what-s-the-minimum-size-requirement-for-the-cache-folder-).
- [Check if another process or antivirus software is interfering with Azure Backup](./backup-azure-troubleshoot-slow-backup-performance-issue.md#cause-another-process-or-antivirus-software-interfering-with-azure-backup). - If the backup job completed with warnings, see [Backup Jobs Completed with Warning](#backup-jobs-completed-with-warning) - If scheduled backup fails but manual backup works, see [Backups don't run according to schedule](#backups-dont-run-according-to-schedule).
We recommend that you check the following before you start troubleshooting Micro
| Cause | Recommended actions | | | |
-| **Vault credentials aren't valid** <br/> <br/> Vault credential files might be corrupt, might have expired, or they might have a different file extension than *.vaultCredentials*. (For example, they might have been downloaded more than 10 days before the time of registration.)| [Download new credentials](backup-azure-file-folder-backup-faq.md#where-can-i-download-the-vault-credentials-file) from the Recovery Services vault on the Azure portal. Then take these steps, as appropriate: <ul><li> If you've already installed and registered MARS, open the Microsoft Azure Backup Agent MMC console. Then select **Register Server** in the **Actions** pane to complete the registration with the new credentials. <br/> <li> If the new installation fails, try reinstalling with the new credentials.</ul> **Note**: If multiple vault credential files have been downloaded, only the latest file is valid for the next 10 days. We recommend that you download a new vault credential file.
+| **Vault credentials aren't valid** <br/> <br/> Vault credential files might be corrupt, might have expired, or they might have a different file extension than *.vaultCredentials*. (For example, they might have been downloaded more than 10 days before the time of registration.)| [Download new credentials](backup-azure-file-folder-backup-faq.yml#where-can-i-download-the-vault-credentials-file-) from the Recovery Services vault on the Azure portal. Then take these steps, as appropriate: <ul><li> If you've already installed and registered MARS, open the Microsoft Azure Backup Agent MMC console. Then select **Register Server** in the **Actions** pane to complete the registration with the new credentials. <br/> <li> If the new installation fails, try reinstalling with the new credentials.</ul> **Note**: If multiple vault credential files have been downloaded, only the latest file is valid for the next 10 days. We recommend that you download a new vault credential file.
| **Proxy server/firewall is blocking registration** <br/>or <br/>**No internet connectivity** <br/><br/> If your machine or proxy server has limited internet connectivity and you don't ensure access for the necessary URLs, the registration will fail.| Take these steps:<br/> <ul><li> Work with your IT team to ensure the system has internet connectivity.<li> If you don't have a proxy server, ensure the proxy option isn't selected when you register the agent. [Check your proxy settings](#verifying-proxy-settings-for-windows).<li> If you do have a firewall/proxy server, work with your networking team to ensure these URLs and IP addresses have access:<br/> <br> **URLs**<br> `www.msftncsi.com` <br> .Microsoft.com <br> .WindowsAzure.com <br> .microsoftonline.com <br> .windows.net <br>`www.msftconnecttest.com`<br><br>**IP addresses**<br> 20.190.128.0/18 <br> 40.126.0.0/18<br> <br/></ul></ul>Try registering again after you complete the preceding troubleshooting steps.<br></br> If your connection is via Azure ExpressRoute, make sure the settings are configured as described in [Azure ExpressRoute support](backup-support-matrix-mars-agent.md#azure-expressroute-support). | **Antivirus software is blocking registration** | If you have antivirus software installed on the server, add necessary exclusion rules to the antivirus scan for these files and folders: <br/><ul> <li> CBengine.exe <li> CSC.exe<li> The scratch folder. Its default location is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch. <li> The bin folder at C:\Program Files\Microsoft Azure Recovery Services Agent\Bin.
We recommend that you check the following before you start troubleshooting Micro
| Error code | Reasons | Recommendations | | - | | | | 0x80070570 | The file or directory is corrupted and unreadable. | Run **chkdsk** on the source volume. |
- | 0x80070002, 0x80070003 | The system cannot find the file specified. | [Ensure the scratch folder isn't full](./backup-azure-file-folder-backup-faq.md#manage-the-backup-cache-folder) <br><br> Check if the volume where scratch space is configured exists (not deleted) <br><br> [Ensure the MARS agent is excluded from the antivirus installed on the machine](./backup-azure-troubleshoot-slow-backup-performance-issue.md#cause-another-process-or-antivirus-software-interfering-with-azure-backup) |
+ | 0x80070002, 0x80070003 | The system cannot find the file specified. | [Ensure the scratch folder isn't full](/backup-azure-file-folder-backup-faq.yml#manage-the-backup-cache-folder) <br><br> Check if the volume where scratch space is configured exists (not deleted) <br><br> [Ensure the MARS agent is excluded from the antivirus installed on the machine](./backup-azure-troubleshoot-slow-backup-performance-issue.md#cause-another-process-or-antivirus-software-interfering-with-azure-backup) |
| 0x80070005 | Access Is Denied | [Check if antivirus or other third-party software is blocking access](./backup-azure-troubleshoot-slow-backup-performance-issue.md#cause-another-process-or-antivirus-software-interfering-with-azure-backup) | | 0x8007018b | Access to the cloud file is denied. | OneDrive files, Git Files, or any other files that can be in offline state on the machine |
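Review bot: The new target on the 0x80070002/0x80070003 row, `/backup-azure-file-folder-backup-faq.yml#manage-the-backup-cache-folder`, is root-relative, whereas the line it replaces used `./backup-azure-file-folder-backup-faq.md#...` and the second link in the same cell still uses a `./` prefix. Dropping the dot changes where the link resolves, so it will most likely not land in the backup article folder. Suggest `./backup-azure-file-folder-backup-faq.yml#manage-the-backup-cache-folder`.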
We recommend that you check the following before you start troubleshooting Micro
| Error | Possible causes | Recommended actions | ||||
-|<br />The activation did not complete successfully. The current operation failed due to an internal service error [0x1FC07]. Retry the operation after some time. If the issue persists, please contact Microsoft support. | <li> The scratch folder is located on a volume that doesn't have enough space. <li> The scratch folder has been incorrectly moved. <li> The OnlineBackup.KEK file is missing. | <li>Upgrade to the [latest version](https://aka.ms/azurebackup_agent) of the MARS agent.<li>Move the scratch folder or cache location to a volume with free space that's between 5% and 10% of the total size of the backup data. To correctly move the cache location, refer to the steps in [Common questions about backing up files and folders](./backup-azure-file-folder-backup-faq.md#manage-the-backup-cache-folder).<li> Ensure that the OnlineBackup.KEK file is present. <br>*The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch*. |
+|<br />The activation did not complete successfully. The current operation failed due to an internal service error [0x1FC07]. Retry the operation after some time. If the issue persists, please contact Microsoft support. | <li> The scratch folder is located on a volume that doesn't have enough space. <li> The scratch folder has been incorrectly moved. <li> The OnlineBackup.KEK file is missing. | <li>Upgrade to the [latest version](https://aka.ms/azurebackup_agent) of the MARS agent.<li>Move the scratch folder or cache location to a volume with free space that's between 5% and 10% of the total size of the backup data. To correctly move the cache location, refer to the steps in [Common questions about backing up files and folders](/backup-azure-file-folder-backup-faq.yml#manage-the-backup-cache-folder).<li> Ensure that the OnlineBackup.KEK file is present. <br>*The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch*. |
## Encryption passphrase not correctly configured | Error | Possible causes | Recommended actions | ||||
-| <br />Error 34506. The encryption passphrase stored on this computer is not correctly configured. | <li> The scratch folder is located on a volume that doesn't have enough space. <li> The scratch folder has been incorrectly moved. <li> The OnlineBackup.KEK file is missing. | <li>Upgrade to the [latest version](https://aka.ms/azurebackup_agent) of the MARS Agent.<li>Move the scratch folder or cache location to a volume with free space that's between 5% and 10% of the total size of the backup data. To correctly move the cache location, refer to the steps in [Common questions about backing up files and folders](./backup-azure-file-folder-backup-faq.md#manage-the-backup-cache-folder).<li> Ensure that the OnlineBackup.KEK file is present. <br>*The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch*. |
+| <br />Error 34506. The encryption passphrase stored on this computer is not correctly configured. | <li> The scratch folder is located on a volume that doesn't have enough space. <li> The scratch folder has been incorrectly moved. <li> The OnlineBackup.KEK file is missing. | <li>Upgrade to the [latest version](https://aka.ms/azurebackup_agent) of the MARS Agent.<li>Move the scratch folder or cache location to a volume with free space that's between 5% and 10% of the total size of the backup data. To correctly move the cache location, refer to the steps in [Common questions about backing up files and folders](/backup-azure-file-folder-backup-faq.yml#manage-the-backup-cache-folder).<li> Ensure that the OnlineBackup.KEK file is present. <br>*The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch*. |
## Backups don't run according to schedule
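Review bot: Both added rows (the 0x1FC07 activation error and Error 34506) point "Common questions about backing up files and folders" at `/backup-azure-file-folder-backup-faq.yml#manage-the-backup-cache-folder`, which is root-relative, while the removed rows used `./backup-azure-file-folder-backup-faq.md#...`. The leading dot appears to have been lost in the rename from .md to .yml. Suggest restoring `./` in both rows so the link stays relative to the article.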
Backup operation may fail if the cache folder (also referred as scratch folder)
For MARS agent operations to succeed the cache folder needs to adhere to the following requirements: -- [Ensure 5% to 10% free volume space is available in the scratch folder location](backup-azure-file-folder-backup-faq.md#whats-the-minimum-size-requirement-for-the-cache-folder)-- [Ensure scratch folder location is valid and accessible](backup-azure-file-folder-backup-faq.md#how-to-check-if-scratch-folder-is-valid-and-accessible)-- [Ensure file attributes on the cache folder are supported](backup-azure-file-folder-backup-faq.md#are-there-any-attributes-of-the-cache-folder-that-arent-supported)
+- [Ensure 5% to 10% free volume space is available in the scratch folder location](backup-azure-file-folder-backup-faq.yml#what-s-the-minimum-size-requirement-for-the-cache-folder-)
+- [Ensure scratch folder location is valid and accessible](backup-azure-file-folder-backup-faq.yml#how-to-check-if-scratch-folder-is-valid-and-accessible-)
+- [Ensure file attributes on the cache folder are supported](backup-azure-file-folder-backup-faq.yml#are-there-any-attributes-of-the-cache-folder-that-aren-t-supported-)
- [Ensure the allocated shadow copy storage space is sufficient for backup process](#increase-shadow-copy-storage) - [Ensure there are no other processes (ex. anti-virus software) restricting access to cache folder](#another-process-or-antivirus-software-blocking-access-to-cache-folder)
This section covers the common errors that you encounter while using MARS agent.
Error message | Recommended action --|--
-Microsoft Azure Recovery Services Agent was unable to access backup checksum stored in scratch location | To resolve this issue, perform the following steps and restart the server <br/> - [Check if there is an antivirus or other processes locking the scratch location files](#another-process-or-antivirus-software-blocking-access-to-cache-folder)<br/> - [Check if the scratch location is valid and accessible to the MARS agent.](backup-azure-file-folder-backup-faq.md#how-to-check-if-scratch-folder-is-valid-and-accessible)
+Microsoft Azure Recovery Services Agent was unable to access backup checksum stored in scratch location | To resolve this issue, perform the following steps and restart the server <br/> - [Check if there is an antivirus or other processes locking the scratch location files](#another-process-or-antivirus-software-blocking-access-to-cache-folder)<br/> - [Check if the scratch location is valid and accessible to the MARS agent.](backup-azure-file-folder-backup-faq.yml#how-to-check-if-scratch-folder-is-valid-and-accessible-)
### SalVhdInitializationError Error message | Recommended action --|--
-Microsoft Azure Recovery Services Agent was unable to access the scratch location to initialize VHD | To resolve this issue, perform the following steps and restart the server <br/> - [Check if antivirus or other processes are locking the scratch location files](#another-process-or-antivirus-software-blocking-access-to-cache-folder)<br/> - [Check if the scratch location is valid and accessible to the MARS agent.](backup-azure-file-folder-backup-faq.md#how-to-check-if-scratch-folder-is-valid-and-accessible)
+Microsoft Azure Recovery Services Agent was unable to access the scratch location to initialize VHD | To resolve this issue, perform the following steps and restart the server <br/> - [Check if antivirus or other processes are locking the scratch location files](#another-process-or-antivirus-software-blocking-access-to-cache-folder)<br/> - [Check if the scratch location is valid and accessible to the MARS agent.](backup-azure-file-folder-backup-faq.yml#how-to-check-if-scratch-folder-is-valid-and-accessible-)
### SalLowDiskSpace
backup Backup Azure Microsoft Azure Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-microsoft-azure-backup.md
Use the following steps to upgrade MABS:
## Troubleshooting If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this [error codes document](https://support.microsoft.com/kb/3041338) for more information.
-You can also refer to [Azure Backup related FAQs](backup-azure-backup-faq.md)
+You can also refer to [Azure Backup related FAQs](backup-azure-backup-faq.yml)
## Next steps
backup Backup Azure Monitor Alert Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-monitor-alert-faq.md
- Title: Monitoring Alert and Reports FAQ
-description: In this article, discover answers to common questions about the Azure Backup Monitoring Alert and Azure Backup reports.
-- Previously updated : 07/08/2019--
-# Azure Backup Monitoring Alert - FAQ
-
-This article answers common questions about Azure Backup monitoring and reporting.
-
-## Configure Azure Backup reports
-
-### How do I check if reporting data has started flowing into a Log Analytics (LA) Workspace?
-
-Navigate to the LA Workspace you've configured. Navigate to the **Logs** menu item, and run the query `CoreAzureBackup | take 1`. If you see a record being returned, it means data has started flowing into the workspace. The initial data push may take up to 24 hours.
-
-### What is the frequency of data push to an LA Workspace?
-
-The diagnostic data from the vault is pumped to the Log Analytics workspace with some lag. Every event arrives at the Log Analytics workspace 20 to 30 minutes after it's pushed from the Recovery Services vault. Here are further details about the lag:
-
-* Across all solutions, the backup service's built-in alerts are pushed as soon as they're created. So they usually appear in the Log Analytics workspace after 20 to 30 minutes.
-* Across all solutions, on-demand backup jobs and restore jobs are pushed as soon as they finish.
-* For all solutions except SQL backup, scheduled backup jobs are pushed as soon as they finish.
-* For SQL backup, because log backups can occur every 15 minutes, information for all the completed scheduled backup jobs, including logs, is batched and pushed every 6 hours.
-* Across all solutions, other information such as the backup item, policy, recovery points, storage, and so on, is pushed at least once per day.
-* A change in the backup configuration (such as changing policy or editing policy) triggers a push of all related backup information.
-
-### How long can I retain reporting data?
-
-After you create an LA Workspace, you can choose to retain data for a maximum of 2 years. By default, an LA Workspace retains data for 31 days.
-
-### Will I see all my data in reports after I configure the LA Workspace?
-
- All the data generated after you configure diagnostics settings is pushed to the LA Workspace and is available in reports. In-progress jobs aren't pushed for reporting. After the job finishes or fails, it's sent to reports.
-
-### Can I view reports across vaults and subscriptions?
-
-Yes, you can view reports across vaults and subscriptions as well as regions. Your data may reside in a single LA Workspace or a group of LA Workspaces.
-
-### Can I view reports across tenants?
-
-If you're an [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/) user with delegated access to your customers' subscriptions or LA Workspaces, you can use Backup Reports to view data across all your tenants.
-
-## Recovery Services vault
-
-### How long does it take for the Azure Backup agent job status to reflect in the portal?
-
-The Azure portal can take up to 15 minutes to reflect the Azure Backup agent job status.
-
-### When a backup job fails, how long does it take to raise an alert?
-
-An alert is raised within 20 minutes of the Azure Backup failure.
-
-### Is there a case where an email wonΓÇÖt be sent if notifications are configured?
-
-Yes. In the following situations, notifications aren't sent:
-
-* If notifications are configured hourly, and an alert is raised and resolved within the hour
-* When a job is canceled
-* If a second backup job fails because the original backup job is in progress
-
-## Next steps
-
-Read the other FAQs:
-
-* [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups.
-* [Common questions](backup-azure-file-folder-backup-faq.md) about the Azure Backup agent
backup Backup Azure Move Recovery Services Vault https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-move-recovery-services-vault.md
All public regions and sovereign regions are supported, except France Central, F
- During vault move across resource groups, both the source and target resource groups are locked preventing the write and delete operations. For more information, see this [article](../azure-resource-manager/management/move-resource-group-and-subscription.md). - Only admin subscription has the permissions to move a vault.-- For moving vaults across subscriptions, the target subscription must reside in the same tenant as the source subscription and its state must be enabled. To move a vault to a different Azure AD directory, see [Transfer subscription to a different directory](../role-based-access-control/transfer-subscription.md) and [Recovery Service vault FAQs](backup-azure-backup-faq.md#recovery-services-vault).
+- For moving vaults across subscriptions, the target subscription must reside in the same tenant as the source subscription and its state must be enabled. To move a vault to a different Azure AD directory, see [Transfer subscription to a different directory](../role-based-access-control/transfer-subscription.md) and [Recovery Service vault FAQs](/backup-azure-backup-faq.yml#recovery-services-vault).
- You must have permission to perform write operations on the target resource group. - Moving the vault only changes the resource group. The Recovery Services vault will reside on the same location and it can't be changed. - You can move only one Recovery Services vault, per region, at a time.
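Review bot: The "Recovery Service vault FAQs" link in the added bullet now reads `/backup-azure-backup-faq.yml#recovery-services-vault`, where the removed line used the relative `backup-azure-backup-faq.md#recovery-services-vault`. The added leading slash makes the path root-relative and is not needed for the .md to .yml rename. Suggest `backup-azure-backup-faq.yml#recovery-services-vault`, in line with the other relative links in the same bullet.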
backup Backup Azure Recovery Services Vault Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-recovery-services-vault-overview.md
Azure Advisor provides hourly [recommendations](../advisor/advisor-high-availabi
## Additional resources - [Vault supported and unsupported scenarios](backup-support-matrix.md#vault-support)-- [Vault frequently asked questions](backup-azure-backup-faq.md)
+- [Vault frequently asked questions](backup-azure-backup-faq.yml)
## Next steps
backup Backup Azure Restore Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-restore-windows-server.md
These steps include the following terminology:
5. Provide the vault credential file that corresponds to the sample vault, and select **Next**.
- If the vault credential file is invalid (or expired), [download a new vault credential file from the sample vault](backup-azure-file-folder-backup-faq.md#where-can-i-download-the-vault-credentials-file) in the Azure portal. After you provide a valid vault credential, the name of the corresponding backup vault appears.
+ If the vault credential file is invalid (or expired), [download a new vault credential file from the sample vault](backup-azure-file-folder-backup-faq.yml#where-can-i-download-the-vault-credentials-file-) in the Azure portal. After you provide a valid vault credential, the name of the corresponding backup vault appears.
6. On the **Select Backup Server** page, select the source machine from the list of displayed machines, and provide the passphrase. Then select **Next**.
These steps include the following terminology:
* Now that you've recovered your files and folders, you can [manage your backups](backup-azure-manage-windows-server.md).
-* Find [Common questions about backing up files and folders](backup-azure-file-folder-backup-faq.md).
+* Find [Common questions about backing up files and folders](backup-azure-file-folder-backup-faq.yml).
backup Backup Azure Sap Hana Database Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-sap-hana-database-troubleshoot.md
In the preceding scenarios, we recommend that you trigger a re-register operatio
## Next steps -- Review the [frequently asked questions](./sap-hana-faq-backup-azure-vm.md) about backing up SAP HANA databases on Azure VMs.
+- Review the [frequently asked questions](./sap-hana-faq-backup-azure-vm.yml) about backing up SAP HANA databases on Azure VMs.
backup Backup Azure Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-sql-database.md
Before you start, verify the following requirements:
1. Make sure you have a SQL Server instance running in Azure. You can [quickly create a SQL Server instance](../azure-sql/virtual-machines/windows/sql-vm-create-portal-quickstart.md) in the marketplace. 2. Review the [feature considerations](sql-support-matrix.md#feature-considerations-and-limitations) and [scenario support](sql-support-matrix.md#scenario-support).
-3. [Review common questions](faq-backup-sql-server.md) about this scenario.
+3. [Review common questions](faq-backup-sql-server.yml) about this scenario.
## Set VM permissions
backup Backup Azure Sql Mabs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-sql-mabs.md
To recover a protected entity, such as a SQL Server database, from Azure:
### Next steps
-For more information, see [Azure Backup FAQ](backup-azure-backup-faq.md).
+For more information, see [Azure Backup FAQ](backup-azure-backup-faq.yml).
backup Backup Azure System State Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-system-state-troubleshoot.md
We recommend you perform the following validation steps, before you start troubl
- [Ensure Microsoft Azure Recovery Services (MARS) Agent is up to date](https://go.microsoft.com/fwlink/?linkid=229525&clcid=0x409) - [Ensure there's network connectivity between MARS agent and Azure](./backup-azure-mars-troubleshoot.md#the-microsoft-azure-recovery-service-agent-was-unable-to-connect-to-microsoft-azure-backup) - Ensure Microsoft Azure Recovery Services is running (in Service console). If necessary, restart and retry the operation-- [Ensure 5-10% free volume space is available on scratch folder location](./backup-azure-file-folder-backup-faq.md#whats-the-minimum-size-requirement-for-the-cache-folder)
+- [Ensure 5-10% free volume space is available on scratch folder location](./backup-azure-file-folder-backup-faq.yml#what-s-the-minimum-size-requirement-for-the-cache-folder-)
- [Check if another process or antivirus software is interfering with Azure Backup](./backup-azure-troubleshoot-slow-backup-performance-issue.md#cause-another-process-or-antivirus-software-interfering-with-azure-backup) - [Scheduled backup fails, but manual backup works](./backup-azure-mars-troubleshoot.md#backups-dont-run-according-to-schedule) - Ensure your OS has the latest updates
backup Backup Azure Troubleshoot Slow Backup Performance Issue https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-troubleshoot-slow-backup-performance-issue.md
This article provides troubleshooting guidance to help you diagnose the cause of
Before you start troubleshooting issues, we recommend that you download and install the [latest Azure Backup agent](https://aka.ms/azurebackup_agent). We make frequent updates to the Backup agent to fix various issues, add features, and improve performance.
-We also strongly recommend that you review the [Azure Backup service FAQ](backup-azure-backup-faq.md) to make sure you're not experiencing any of the common configuration issues.
+We also strongly recommend that you review the [Azure Backup service FAQ](backup-azure-backup-faq.yml) to make sure you're not experiencing any of the common configuration issues.
[!INCLUDE [support-disclaimer](../../includes/support-disclaimer.md)]
If you're trying to back up large disks, then it's recommended to use [Azure Dat
## Next steps
-* [Common questions about backing up files and folders](backup-azure-file-folder-backup-faq.md)
+* [Common questions about backing up files and folders](backup-azure-file-folder-backup-faq.yml)
backup Backup Create Rs Vault https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-create-rs-vault.md
Title: Create and configure Recovery Services vaults description: In this article, learn how to create and configure Recovery Services vaults that store the backups and recovery points. Learn how to use Cross Region Restore to restore in a secondary region. Previously updated : 05/30/2019 Last updated : 04/14/2021
Since this process is at the storage level, there are [pricing implications](htt
>- Cross Region Restore for SQL and SAP HANA databases is in preview in all Azure public regions. >- CRR is a vault level opt-in feature for any GRS vault (turned off by default). >- After opting-in, it might take up to 48 hours for the backup items to be available in secondary regions.
->- Currently CRR for Azure VMs is supported only for Azure Resource Manger Azure VMs. Classic Azure VMs won't be supported. When additional management types support CRR, then they'll be **automatically** enrolled.
+>- Currently, CRR for Azure VMs is supported for Azure Resource Manager Azure VMs and encrypted Azure VMs. Classic Azure VMs won't be supported. When additional management types support CRR, then they'll be **automatically** enrolled.
>- Cross Region Restore **currently can't be reverted back** to GRS or LRS once the protection is initiated for the first time. >- Currently, secondary region [RPO](azure-backup-glossary.md#rpo-recovery-point-objective) is up to 12 hours from the primary region, even though [read-access geo-redundant storage (RA-GRS)](../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region) replication is 15 minutes.
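Review bot: The rewritten CRR bullet drops "only" and lists "Azure Resource Manager Azure VMs and encrypted Azure VMs" as if they were two separate categories, which leaves the scope ambiguous next to the following sentence that Classic Azure VMs won't be supported. If the intent is that encrypted Resource Manager VMs are now covered, say so directly, for example "supported for Azure Resource Manager Azure VMs, including encrypted Azure VMs". The "Manger" typo fix is good.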
backup Backup Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-encryption.md
Azure Backup includes encryption on two levels:
## Next steps - [Azure Storage encryption for data at rest](../storage/common/storage-service-encryption.md)-- [Azure Backup FAQ](backup-azure-backup-faq.md#encryption) for any questions you may have about encryption
+- [Azure Backup FAQ](/backup-azure-backup-faq.yml#encryption) for any questions you may have about encryption
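Review bot: The added "Azure Backup FAQ" link uses `/backup-azure-backup-faq.yml#encryption`, a root-relative path, while the removed line used the relative `backup-azure-backup-faq.md#encryption` and the storage link in the same list is relative. Only the extension needed to change here. Suggest `backup-azure-backup-faq.yml#encryption`.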
backup Backup Mabs Install Azure Stack https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-mabs-install-azure-stack.md
It's possible to change an Azure subscription from *Expired* or *Deprovisioned*
## Troubleshooting If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), see the [error codes document](https://support.microsoft.com/kb/3041338).
-You can also refer to [Azure Backup related FAQs](backup-azure-backup-faq.md)
+You can also refer to [Azure Backup related FAQs](backup-azure-backup-faq.yml)
## Next steps
backup Backup Support Matrix Iaas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-support-matrix-iaas.md
Here's how you can back up and restore Azure VMs with the Azure Backup service.
**Scenario** | **Backup** | **Agent** |**Restore** | | | Direct backup of Azure VMs | Back up the entire VM. | No additional agent is needed on the Azure VM. Azure Backup installs and uses an extension to the [Azure VM agent](../virtual-machines/extensions/agent-windows.md) that's running on the VM. | Restore as follows:<br/><br/> - **Create a basic VM**. This is useful if the VM has no special configuration such as multiple IP addresses.<br/><br/> - **Restore the VM disk**. Restore the disk. Then attach it to an existing VM, or create a new VM from the disk by using PowerShell.<br/><br/> - **Replace VM disk**. If a VM exists and it uses managed disks (unencrypted), you can restore a disk and use it to replace an existing disk on the VM.<br/><br/> - **Restore specific files/folders**. You can restore files/folders from a VM instead of from the entire VM.
-Direct backup of Azure VMs (Windows only) | Back up specific files/folders/volume. | Install the [Azure Recovery Services agent](backup-azure-file-folder-backup-faq.md).<br/><br/> You can run the MARS agent alongside the backup extension for the Azure VM agent to back up the VM at file/folder level. | Restore specific folders/files.
+Direct backup of Azure VMs (Windows only) | Back up specific files/folders/volume. | Install the [Azure Recovery Services agent](backup-azure-file-folder-backup-faq.yml).<br/><br/> You can run the MARS agent alongside the backup extension for the Azure VM agent to back up the VM at file/folder level. | Restore specific folders/files.
Back up Azure VM to backup server | Back up files/folders/volumes; system state/bare metal files; app data to System Center DPM or to Microsoft Azure Backup Server (MABS).<br/><br/> DPM/MABS then backs up to the backup vault. | Install the DPM/MABS protection agent on the VM. The MARS agent is installed on DPM/MABS.| Restore files/folders/volumes; system state/bare metal files; app data. Learn more about backup [using a backup server](backup-architecture.md#architecture-back-up-to-dpmmabs) and about [support requirements](backup-support-matrix-mabs-dpm.md).
backup Backup Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-support-matrix.md
Title: Azure Backup support matrix description: Provides a summary of support settings and limitations for the Azure Backup service. Previously updated : 02/17/2019 Last updated : 04/14/2021
The following table describes the features of Recovery Services vaults:
| **Vaults in subscription** | Up to 500 Recovery Services vaults in a single subscription. **Machines in a vault** | Up to 2000 datasources across all workloads (like Azure VMs, SQL Server VM, MABS Servers, and so on) can be protected in a single vault.<br><br>Up to 1,000 Azure VMs in a single vault.<br/><br/> Up to 50 MABS servers can be registered in a single vault.
-**Data sources** | Maximum size of an individual [data source](./backup-azure-backup-faq.md#how-is-the-data-source-size-determined) is 54,400 GB. This limit doesn't apply to Azure VM backups. No limits apply to the total amount of data you can back up to the vault.
+**Data sources** | Maximum size of an individual [data source](./backup-azure-backup-faq.yml#how-is-the-data-source-size-determined-) is 54,400 GB. This limit doesn't apply to Azure VM backups. No limits apply to the total amount of data you can back up to the vault.
**Backups to vault** | **Azure VMs:** Once a day.<br/><br/>**Machines protected by DPM/MABS:** Twice a day.<br/><br/> **Machines backed up directly by using the MARS agent:** Three times a day. **Backups between vaults** | Backup is within a region.<br/><br/> You need a vault in every Azure region that contains VMs you want to back up. You can't back up to a different region. **Move vaults** | You can [move vaults](./backup-azure-move-recovery-services-vault.md) across subscriptions or between resource groups in the same subscription. However, moving vaults across regions isn't supported.
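Review bot: The new fragment in the **Data sources** row, `#how-is-the-data-source-size-determined-`, ends in a hyphen that the old `.md` anchor did not have. Confirm against the built `backup-azure-backup-faq.yml` page that this id is actually generated for the question, since a fragment that does not match drops the reader at the top of the FAQ rather than at the answer on data source size.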
Azure Backup has added the Cross Region Restore feature to strengthen data avail
| Backup Management type | Supported | Supported Regions | | - | | -- |
-| Azure VM | Supported for Azure VMs with both managed and unmanaged disks. Not supported for classic VMs. | Available in all Azure public regions and sovereign regions except for France Central, Australia Central, South Africa North, UAE North, Switzerland North, Germany West Central, Norway East, UG IOWA, and UG Virginia. <br>For information about use in those regions, contact [AskAzureBackupTeam@microsoft.com](mailto:AskAzureBackupTeam@microsoft.com) |
+| Azure VM | Supported for Azure VMs (including encrypted Azure VMs) with both managed and unmanaged disks. Not supported for classic VMs. | Available in all Azure public regions and sovereign regions except for France Central, Australia Central, South Africa North, UAE North, Switzerland North, Germany West Central, Norway East, UG IOWA, and UG Virginia. <br>For information about use in those regions, contact [AskAzureBackupTeam@microsoft.com](mailto:AskAzureBackupTeam@microsoft.com) |
| SQL /SAP HANA | In preview | Available in all Azure public regions and sovereign regions except for France Central, Australia Central, South Africa North, UAE North, Switzerland North, Germany West Central, Norway East, UG IOWA, and UG Virginia. <br>For information about use in those regions, contact [AskAzureBackupTeam@microsoft.com](mailto:AskAzureBackupTeam@microsoft.com) | | MARS Agent/On premises | No | N/A | | AFS (Azure file shares) | No | N/A |
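Review bot: The parenthetical added to the Azure VM row, "(including encrypted Azure VMs)", does not say which encryption it covers or what a cross-region restore of such a VM needs in order to succeed. State the encryption types meant here and link to the restore guidance for encrypted VMs, so that a reader planning recovery knows whether key material has to be reachable from the secondary region.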
backup Backup The Mabs Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-the-mabs-server.md
DpmSync -ReallocateReplica
## Next steps - [MABS support matrix](backup-support-matrix-mabs-dpm.md)-- [MABS FAQ](backup-azure-dpm-azure-server-faq.md)
+- [MABS FAQ](backup-azure-dpm-azure-server-faq.yml)
backup Backup Windows With Mars Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-windows-with-mars-agent.md
For more information, see [Create a backup policy](#create-a-backup-policy).
## Next steps * Learn how to [Restore files in Azure](backup-azure-restore-windows-server.md).
-* Find [Common questions about backing up files and folders](backup-azure-file-folder-backup-faq.md)
+* Find [Common questions about backing up files and folders](backup-azure-file-folder-backup-faq.yml)
backup Configure Reports https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/configure-reports.md
The widgets in the Backup report are powered by Kusto queries, which run on the
## Next steps
-[Learn more about monitoring and reporting with Azure Backup](./backup-azure-monitor-alert-faq.md)
+[Learn more about monitoring and reporting with Azure Backup](./backup-azure-monitor-alert-faq.yml)
backup Disk Backup Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/disk-backup-faq.md
- Title: Frequently asked questions about Azure Disk Backup
-description: Get answers to frequently asked questions about Azure Disk Backup
- Previously updated : 01/07/2021--
-# Frequently asked questions about Azure Disk Backup
-
-This article answers frequently asked questions about Azure Disk Backup. For more information on the [Azure Disk backup](disk-backup-overview.md) region availability, supported scenarios and limitations, see the [support matrix](disk-backup-support-matrix.md).
-
-## Frequently asked questions
-
-### Can I back up the disk using the Azure Disk Backup solution if the same disk is backed up using Azure virtual machine backup?
-
-Azure Backup offers side-by-side support for backup of managed disk using Disk backup and the [Azure VM backup](backup-azure-vms-introduction.md) solutions. This is useful when you need once-a-day application consistent backup of virtual machines and also more frequent backups of the OS disk or a specific data disk, which are crash consistent without impacting the production application performance.
-
-### How do I find the snapshot resource group that I used to configure backup for a disk?
-
-In the **Backup Instance** screen, you can find the snapshot resource group field in the **Essentials** section. You can search and select your backup instance of the corresponding disk from Backup center or the Backup vault.
-
-![Snapshot resource group field](./media/disk-backup-faq/snapshot-resource-group.png)
-
-### What is a snapshot resource group?
-
-Azure Disk Backup offers operational tier backup for managed disk. That is, the snapshots that are created during the scheduled and on-demand backup operations are stored in a resource group within your subscription. Azure Backup offers instant restore because the incremental snapshots are stored within your subscription. This resource group is known as the snapshot resource group. For more information, see [Configure backup](backup-managed-disks.md#configure-backup).
-
-### Why must the snapshot resource group be in same subscription as that of the disk being backed up?
-
-You can't create an incremental snapshot for a particular disk outside of that disk's subscription. So choose the resource group within the same subscription as that of the disk to be backed up. Learn more about [incremental snapshot](../virtual-machines/disks-incremental-snapshots.md#restrictions) for managed disks.
-
-### Why do I need to provide role assignments to be able to configure backups, perform scheduled and on-demand backups, and restore operations?
-
-Azure Disk Backup uses the least privilege approach to discover, protect, and restore the managed disks in your subscriptions. To achieve this, Azure Backup uses the managed identity of the [Backup vault](backup-vault-overview.md) to access other Azure resources. A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). Managed identity is a service principal of a special type that may only be used with Azure resources. Learn more about [managed identities](../active-directory/managed-identities-azure-resources/overview.md). By default, the Backup vault won't have permission to access the disk to be backed up, create periodic snapshots, delete snapshots after retention period, and to restore a disk from backup. By explicitly granting role assignments to the Backup vault's managed identity, you're in control of managing permissions to the resources on the subscriptions.
-
-### Why does backup policy limit the retention duration?
-
-Azure Disk Backup uses incremental snapshots, which are limited to 200 snapshots per disk. To allow you to take on-demand backups aside from scheduled backups, backup policy limits the total backups to 180. Learn more about [incremental snapshots](../virtual-machines/disks-incremental-snapshots.md#restrictions) for managed disks.
-
-### How does the hourly and daily backup frequency work in the backup policy?
-
-Azure Disk Backup offers multiple backups per day. If you require more frequent backups, choose the **Hourly** backup frequency. The backups are scheduled based on the **Time** interval selected. For example, if you select **Every 4 hours**, then the backups are taken at approximately every 4 hours so that the backups are distributed equally across the day. If once a day backup is sufficient enough, then choose the **Daily** backup frequency. In the daily backup frequency, you can specify the time of the day when your backups will be taken. It's important to note that the time of the day indicates the backup start time and not the time when the backup completes. The time required to complete the backup operation is dependent on various factors including the churn rate between consecutive backups. However, Azure Disk backup is an agentless backup that uses [incremental snapshots](../virtual-machines/disks-incremental-snapshots.md) that don't impact the production application performance.
-
-### Why does the Backup vaultΓÇÖs redundancy setting not apply to the backups stored in operational tier (the snapshot resource group)?
-
-Azure Backup uses [incremental snapshots](../virtual-machines/disks-incremental-snapshots.md#restrictions) of managed disks that store only the delta changes to disks since the last snapshot on Standard HDD storage, regardless of the storage type of the parent disk. For more reliability, incremental snapshots are stored on Zone Redundant Storage (ZRS) by default in regions that support ZRS. Currently, Azure Disk Backup supports operational backups of managed disks that don't copy the backups to Backup vault storage. So the backup storage redundancy setting of the Backup vault doesn't apply to the recovery points.
-
-### Can I use Backup Center to configure backups and manage backup instances for Azure Disks?
-
-Yes, Azure Disk Backup is integrated into [Backup Center](backup-center-overview.md), which provides a **single unified management experience** in Azure for enterprises to govern, monitor, operate, and analyze backups at scale. You can also use Backup vault to back up, restore, and manage the backup instances that are protected within the vault.
-
-### Why do I need to create a Backup vault and not use a Recovery Services vault?
-
-A Backup vault is a storage entity in Azure that houses backup data for certain newer workloads that Azure Backup supports. You can use Backup vaults to hold backup data for various Azure services, such Azure Database for PostgreSQL servers, Azure Disks, and newer workloads that Azure Backup will support. Backup vaults make it easy to organize your backup data, while minimizing management overhead. Refer to [Backup vaults](./backup-vault-overview.md) to learn more.
-
-### Can the disk to be backed up and the Backup vault be in different subscriptions?
-
-Yes, the source-managed disk to be backed up and the Backup vault can be in different subscriptions.
-
-### Can the disk to be backed up and the Backup vault be in different regions?
-
-No, currently the source-managed disk to be backed up and the Backup vault must be in the same region.
-
-### Can I restore a disk into a different subscription?
-
-Yes, you can restore the disk onto a different subscription than that of the source-managed disk from which the backup is taken.
-
-### Can I back up multiple disks together?
-
-No, point-in-time snapshots of multiple disks attached to a virtual machine isn't supported. For more information, see [Configure backup](backup-managed-disks.md#configure-backup) and to learn more about limitations, refer to the [support matrix](disk-backup-support-matrix.md).
-
-### What is a target resource group?
-
-During a restore operation, you can choose the subscription and a resource group where you want to restore the disk to. Azure Backup will create new disks from the recovery point in the selected resource group. This is referred to as a target resource group. Note that the Backup vault's managed identity requires the role assignment on the target resource group to be able to perform restore operation successfully. For more information, see the [restore documentation](restore-managed-disks.md).
-
-### What are the permissions used by Azure Backup during backup and restore operation?
-
-Following are the actions used in the **Disk Backup Reader** role assigned on the **disk** to be backed up:
-
-"Microsoft.Compute/disks/read"
-
-"Microsoft.Compute/disks/beginGetAccess/action"
-
-Following are the actions used in the **Disk Snapshot Contributor** role assigned on the **Snapshot resource group**:
-
-"Microsoft.Compute/snapshots/delete"
-
-"Microsoft.Compute/snapshots/write"
-
-ΓÇ£Microsoft.Compute/snapshots/read"
-
-"Microsoft.Storage/storageAccounts/write"
-
-"Microsoft.Storage/storageAccounts/read"
-
-"Microsoft.Storage/storageAccounts/delete"
-
-"Microsoft.Resources/subscriptions/resourceGroups/read"
-
-"Microsoft.Storage/storageAccounts/listkeys/action"
-
-"Microsoft.Compute/snapshots/beginGetAccess/action"
-
-"Microsoft.Compute/snapshots/endGetAccess/action"
-
-"Microsoft.Compute/disks/beginGetAccess/action"
-
-Following are the actions used in the **Disk Restore Operator** role assigned on **Target Resource Group**:
-
-"Microsoft.Compute/disks/write"
-
-"Microsoft.Compute/disks/read"
-
-"Microsoft.Resources/subscriptions/resourceGroups/read"
-
->[!NOTE]
->The permissions on these roles may change in the future, based on the features being added by the Azure Backup service.
-
-## Next steps
--- [Azure Disk Backup support matrix](disk-backup-support-matrix.md)
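Review bot: This deletion removes the action lists for the **Disk Backup Reader**, **Disk Snapshot Contributor** and **Disk Restore Operator** roles, which is what readers use to audit the access granted to the Backup vault's managed identity, so confirm the replacement `disk-backup-faq.yml` that the restore articles now link to carries them over in full. While moving them, fix the mis-encoded opening quote on the `Microsoft.Compute/snapshots/read` entry and the apostrophe in the "Backup vault's redundancy setting" question, and check that `Microsoft.Compute/disks/beginGetAccess/action` is meant to appear in the Disk Snapshot Contributor list as well as in Disk Backup Reader. The `storageAccounts/listkeys/action`, `write` and `delete` actions in the snapshot role deserve a sentence on why they are required on the snapshot resource group.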
backup Faq Backup Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/faq-backup-sql-server.md
- Title: FAQ - Backing up SQL Server databases on Azure VMs
-description: Find answers to common questions about backing up SQL Server databases on Azure VMs with Azure Backup.
-- Previously updated : 04/23/2019-
-# FAQ about SQL Server databases that are running on an Azure VM backup
-
-This article answers common questions about backing up SQL Server databases that run on Azure virtual machines (VMs) and use the [Azure Backup](backup-overview.md) service.
-
-## Can I use Azure Backup for IaaS VM as well as SQL Server on the same machine?
-
-Yes, you can have both VM backup and SQL backup on the same VM. In this case, we internally trigger copy-only full backup on the VM to not truncate the logs.
-
-## Does the solution retry or auto-heal the backups?
-
-Under some circumstances, the Azure Backup service triggers remedial backups. Auto-heal can happen for any of the six conditions mentioned below:
--- If log or differential backup fails due to LSN Validation Error, next log or differential backup is instead converted to a full backup.-- If no full backup has happened before a log or differential backup, that log or differential backup is instead converted to a full backup.-- If the latest full backup's point-in-time is older than 15 days, the next log or differential backup is instead converted to a full backup.-- All the backup jobs that get canceled due to an extension upgrade are re-triggered after the upgrade is completed and the extension is started.-- If you choose to overwrite the database during Restore, the next log/differential backup fails and a full backup is triggered instead.-- In cases where a full backup is required to reset the log chains due to change in database recovery model, a full gets triggered automatically on the next schedule.-
-Auto-heal as a capability is enabled for all users by default. However if you choose to opt-out of it, then perform the following steps:
--- On the SQL Server instance, in the *C:\Program Files\Azure Workload Backup\bin* folder, create or edit the **ExtensionSettingsOverrides.json** file.-- In the **ExtensionSettingsOverrides.json**, set *{"EnableAutoHealer": false}*.-- Save your changes and close the file.-- On the SQL Server instance, open **Task Manage** and then restart the **AzureWLBackupCoordinatorSvc** service.-
-## Can I control how many concurrent backups run on the SQL server?
-
-Yes. You can throttle the rate at which the backup policy runs to minimize the impact on a SQL Server instance. To change the setting:
-
-1. On the SQL Server instance, in the *C:\Program Files\Azure Workload Backup\bin* folder, create the *ExtensionSettingsOverrides.json* file.
-2. In the *ExtensionSettingsOverrides.json* file, change the **DefaultBackupTasksThreshold** setting to a lower value (for example, 5). <br>
- `{"DefaultBackupTasksThreshold": 5}`
-<br>
-The default value of DefaultBackupTasksThreshold is **20**.
-
-3. Save your changes and close the file.
-4. On the SQL Server instance, open **Task Manager**. Restart the **AzureWLBackupCoordinatorSvc** service.<br/> <br/>
- While this method helps if the backup application is consuming a large quantity of resources, SQL Server [Resource Governor](/sql/relational-databases/resource-governor/resource-governor) is a more generic way to specify limits on the amount of CPU, physical IO, and memory that incoming application requests can use.
-
-> [!NOTE]
-> In the UX you can still go ahead and schedule as many backups at any given time. However they'll be processed in a sliding window of say, 5, according to the above example.
-
-## Can I run a full backup from a secondary replica?
-
-According to SQL limitations, you can run Copy Only Full backup on Secondary Replica. However, Full backup isn't allowed.
-
-## Can I protect availability groups on-premises?
-
-No. Azure Backup protects SQL Server databases running in Azure. If an availability group (AG) is spread between Azure and on-premises machines, the AG can be protected only if the primary replica is running in Azure. Also, Azure Backup protects only the nodes that run in the same Azure region as the Recovery Services vault.
-
-## Can I protect availability groups across regions?
-
-The Azure Backup Recovery Services vault can detect and protect all nodes that are in the same region as the vault. If your SQL Server Always On availability group spans multiple Azure regions, set up the backup from the region that has the primary node. Azure Backup can detect and protect all databases in the availability group according to your backup preference. When your backup preference isn't met, backups fail and you get the failure alert.
-
-## Do successful backup jobs create alerts?
-
-No. Successful backup jobs don't generate alerts. Alerts are sent only for backup jobs that fail. Detailed behavior for portal alerts is documented [here](backup-azure-monitoring-built-in-monitor.md). However, if you're interested in having alerts even for successful jobs, you can use [Monitoring using Azure Monitor](backup-azure-monitoring-use-azuremonitor.md).
-
-## Can I see scheduled backup jobs in the Backup Jobs menu?
-
-The **Backup Job** menu shows all scheduled and on-demand operations, except the scheduled log backups since they can be very frequent. For scheduled log jobs, use [Monitoring using Azure Monitor](backup-azure-monitoring-use-azuremonitor.md).
-
-## Are future databases automatically added for backup?
-
-Yes, you can achieve this capability with [auto-protection](backup-sql-server-database-azure-vms.md#enable-auto-protection).
-
-## If I delete a database from an autoprotected instance, what will happen to the backups?
-
-If a database is dropped from an autoprotected instance, the database backups are still attempted. This implies that the deleted database begins to show up as unhealthy under **Backup Items** and is still protected.
-
-The correct way to stop protecting this database is to do **Stop Backup** with **delete data** on this database.
-
-## If I do stop backup operation of an autoprotected database what will be its behavior?
-
-If you do **stop backup with retain data**, no future backups will take place and the existing recovery points will remain intact. The database will still be considered as protected and be shown under the **Backup items**.
-
-If you do **stop backup with delete data**, no future backups will take place and the existing recovery points will also be deleted. The database will be considered un-protected and be shown under the instance in the Configure Backup. However, unlike other up-protected databases that can be selected manually or that can get autoprotected, this database appears greyed out and canΓÇÖt be selected. The only way to re-protect this database is to disable auto-protection on the instance. You can now select this database and configure protection on it or re-enable auto-protection on the instance again.
-
-## If I change the name of the database after it has been protected, what will be the behavior?
-
-A renamed database is treated as a new database. So the service will treat this situation as if the database weren't found and with fail the backups.
-
-You can select the database, which is now renamed and configure protection on it. If the auto-protection is enabled on the instance, the renamed database will be automatically detected and protected.
-
-## Why canΓÇÖt I see an added database for an autoprotected instance?
-
-A database that you [add to an autoprotected instance](backup-sql-server-database-azure-vms.md#enable-auto-protection) might not immediately appear under protected items. This is because the discovery typically runs every 8 hours. However, you can discover and protect new databases immediately if you manually run a discovery by selecting **Rediscover DBs**, as shown in the following image:
-
- ![Manually discover a newly added database](./media/backup-azure-sql-database/view-newly-added-database.png)
-
-## Can I protect databases on virtual machines that have Azure Disk Encryption (ADE) enabled?
-Yes, you can protect databases on virtual machines that have Azure Disk Encryption (ADE) enabled.
-
-## Can I protect databases that have TDE (Transparent Data Encryption) turned on and will the database stay encrypted through the entire backup process?
-
-Yes, Azure Backup supports backup of SQL Server databases or server with TDE enabled. Backup supports [TDE](/sql/relational-databases/security/encryption/transparent-data-encryption) with keys managed by Azure, or with customer-managed keys (BYOK). Backup doesn't perform any SQL encryption as part of the backup process so the database will stay encrypted when backed up.
-
-## Does Azure Backup perform a checksum operation on the data stream?
-
-We do perform a checksum operation on the data stream. However, this isn't to be confused with [SQL checksum](/sql/relational-databases/backup-restore/enable-or-disable-backup-checksums-during-backup-or-restore-sql-server).
-Azure workload backup computes the checksum on the data stream and stores it explicitly during the backup operation. This checksum stream is then taken as a reference and cross-verified with the checksum of the data stream during the restore operation to make sure that the data is consistent.
-
-## Next steps
-
-Learn how to [back up a SQL Server database](backup-azure-sql-database.md) that's running on an Azure VM.
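Review bot: In the content being moved out of this file, step 1 of the concurrent-backups answer says to "create the *ExtensionSettingsOverrides.json* file" while the auto-heal opt-out says "create or edit" the same file, so a reader following the throttling steps can overwrite an existing `{"EnableAutoHealer": false}` override. Make both procedures say "create or edit" in the `.yml` version and show the two settings combined in one JSON object. The migration is also the place to fix "open **Task Manage**", "and with fail the backups", "other up-protected databases" and the mis-encoded apostrophes in "can't".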
backup Guidance Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/guidance-best-practices.md
As a backup user or administrator, you should be able to monitor all backup solu
We recommend that you read the following articles as starting points for using Azure Backup: * [Azure Backup overview](backup-overview.md)
-* [Frequently Asked Questions](backup-azure-backup-faq.md)
+* [Frequently Asked Questions](backup-azure-backup-faq.yml)
backup Install Mars Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/install-mars-agent.md
If you've already installed the agent on any machines, make sure that you're run
![Add vault credentials by using the Register Server Wizard](./media/backup-configure-vault/register1.png)
-1. On the **Encryption Setting** page, specify a passphrase that will be used to encrypt and decrypt backups for the machine. [See here](backup-azure-file-folder-backup-faq.md#what-characters-are-allowed-for-the-passphrase) for more information on allowed passphrase characters.
+1. On the **Encryption Setting** page, specify a passphrase that will be used to encrypt and decrypt backups for the machine. [See here](backup-azure-file-folder-backup-faq.yml#what-characters-are-allowed-for-the-passphrase-) for more information on allowed passphrase characters.
* Save the passphrase in a secure location. You need it to restore a backup. * If you lose or forget the passphrase, Microsoft can't help you recover the backup data.
backup Manage Monitor Sql Database Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/manage-monitor-sql-database-backup.md
To stop protection for a database:
> >For more information about the delete data option, see the FAQ below: >
->- [If I delete a database from an autoprotected instance, what will happen to the backups?](faq-backup-sql-server.md#if-i-delete-a-database-from-an-autoprotected-instance-what-will-happen-to-the-backups)
->- [If I do stop backup operation of an autoprotected database what will be its behavior?](faq-backup-sql-server.md#if-i-change-the-name-of-the-database-after-it-has-been-protected-what-will-be-the-behavior)
+>- [If I delete a database from an autoprotected instance, what will happen to the backups?](faq-backup-sql-server.yml#if-i-delete-a-database-from-an-autoprotected-instance--what-will-happen-to-the-backups-)
+>- [If I do stop backup operation of an autoprotected database what will be its behavior?](faq-backup-sql-server.yml#if-i-change-the-name-of-the-database-after-it-has-been-protected--what-will-be-the-behavior-)
> >
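Review bot: The second added link keeps a mismatch from the old line: its text is "If I do stop backup operation of an autoprotected database what will be its behavior?" but its fragment is `#if-i-change-the-name-of-the-database-after-it-has-been-protected--what-will-be-the-behavior-`, which is the rename question. Point it at the anchor for the stop-backup question instead, since this note sits under the steps for stopping protection with the delete data option.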
backup Quick Backup Vm Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/quick-backup-vm-portal.md
Title: Quickstart - Back up a VM with the Azure portal description: In this Quickstart, learn how to create a Recovery Services vault, enable protection on an Azure VM, and backup the VM, with the Azure portal.- Last updated 05/12/2020-+
+ms.devlang: azurecli
+
+ - mvc
+ - mode-portal
# Back up a virtual machine in Azure
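Review bot: The added front matter sets `ms.devlang: azurecli` on an article whose title and description are about the Azure portal and which is also tagged `mode-portal`. If this value was copied from the CLI quickstart, remove it here; otherwise the metadata classifies a portal walkthrough as CLI content.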
backup Restore All Files Volume Mars https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/restore-all-files-volume-mars.md
These steps include the following terminology:
1. Provide the vault credential file that corresponds to the sample vault, and select **Next**.
- If the vault credential file is invalid (or expired), [download a new vault credential file from the sample vault](backup-azure-file-folder-backup-faq.md#where-can-i-download-the-vault-credentials-file) in the Azure portal. After you provide a valid vault credential, the name of the corresponding backup vault appears.
+ If the vault credential file is invalid (or expired), [download a new vault credential file from the sample vault](backup-azure-file-folder-backup-faq.yml#where-can-i-download-the-vault-credentials-file-) in the Azure portal. After you provide a valid vault credential, the name of the corresponding backup vault appears.
1. On the **Select Backup Server** page, select the source machine from the list of displayed machines, and provide the passphrase. Then select **Next**.
These steps include the following terminology:
## Next steps - Now that you've recovered your files and folders, you can [manage your backups](backup-azure-manage-windows-server.md).-- Find [common questions about backing up files and folders](backup-azure-file-folder-backup-faq.md).
+- Find [common questions about backing up files and folders](backup-azure-file-folder-backup-faq.yml).
backup Restore Managed Disks Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/restore-managed-disks-ps.md
$job = Search-AzDataProtectionJobInAzGraph -Subscription $sub -ResourceGroupName
## Next steps -- [Azure Disk Backup FAQ](disk-backup-faq.md)
+- [Azure Disk Backup FAQ](disk-backup-faq.yml)
backup Restore Managed Disks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/restore-managed-disks.md
After you trigger the restore operation, the backup service creates a job for tr
## Next steps -- [Azure Disk Backup FAQ](disk-backup-faq.md)
+- [Azure Disk Backup FAQ](disk-backup-faq.yml)
backup Sap Hana Faq Backup Azure Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/sap-hana-faq-backup-azure-vm.md
- Title: FAQ - Back up SAP HANA databases on Azure VMs
-description: In this article, discover answers to common questions about backing up SAP HANA databases using the Azure Backup service.
- Previously updated : 11/7/2019--
-# Frequently asked questions ΓÇô Back up SAP HANA databases on Azure VMs
-
-This article answers common questions about backing up SAP HANA databases using the Azure Backup service.
-
-## Backup
-
-### How many full backups are supported per day?
-
-We support only one full backup per day. You can't have differential backup and full backup triggered on the same day.
-
-### Do successful backup jobs create alerts?
-
-No. Successful backup jobs don't generate alerts. Alerts are sent only for backup jobs that fail. Detailed behavior for portal alerts is documented [here](./backup-azure-monitoring-built-in-monitor.md). However, if you're interested having alerts even for successful jobs, you can use [Azure Monitor](./backup-azure-monitoring-use-azuremonitor.md).
-
-### Can I see scheduled backup jobs in the Backup Jobs menu?
-
-The Backup Job menu will only show on-demand backup jobs. For scheduled jobs, use [Azure Monitor](./backup-azure-monitoring-use-azuremonitor.md).
-
-### Are future databases automatically added for backup?
-
-No, this isn't currently supported.
-
-### If I delete a database from an instance, what will happen to the backups?
-
-If a database is dropped from an SAP HANA instance, the database backups are still attempted. This implies that the deleted database begins to show up as unhealthy under **Backup Items** and is still protected.
-The correct way to stop protecting this database is to perform **Stop Backup with delete data** on this database.
-
-### If I change the name of the database after it has been protected, what will the behavior be?
-
-A renamed database is treated as a new database. Therefore, the service will treat this situation as if the database weren't found and will fail the backups. The renamed database will appear as a new database and must be configured for protection.
-
-### What are the prerequisites to back up SAP HANA databases on an Azure VM?
-
-Refer to the [prerequisites](tutorial-backup-sap-hana-db.md#prerequisites) and [What the pre-registration script does](tutorial-backup-sap-hana-db.md#what-the-pre-registration-script-does) sections.
-
-### What permissions should be set so Azure can back up SAP HANA databases?
-
-Running the pre-registration script sets the required permissions to allow Azure to back up SAP HANA databases. You can find more about what the pre-registration script does [here](tutorial-backup-sap-hana-db.md#what-the-pre-registration-script-does).
-
-### Will backups work after migrating SAP HANA from SDC to MDC?
-
-Refer to [this section](./backup-azure-sap-hana-database-troubleshoot.md#sdc-to-mdc-upgrade-with-a-change-in-sid) of the troubleshooting guide.
-
-### What should be done while upgrading within the same version?
-
-Refer to [this section](backup-azure-sap-hana-database-troubleshoot.md#sdc-version-upgrade-or-mdc-version-upgrade-on-the-same-vm) in the troubleshooting guide.
-
-### Can Azure HANA Backup be set up against a virtual IP (load balancer) and not a virtual machine?
-
-Currently we don't have the capability to set up the solution against a virtual IP alone. We need a virtual machine to execute the solution.
-
-### How can I move an on-demand backup to the local file system instead of the Azure vault?
-
-1. Wait for the currently running backup to complete on the desired database (check from studio for completion).
-1. Disable log backups and set the catalog backup to **Filesystem** for the desired DB using the following steps:
-1. Double-click **SYSTEMDB** -> **configuration** -> **Select Database** -> **Filter (log)**
- 1. Set enable_auto_log_backup to **no**.
- 1. Set catalog_backup_using_backint to **false**.
-1. Take an on-demand backup (full / differential/ incremental) on the desired database, and wait for the backup and catalog backup to complete.
-1. If you want to also move the log backups to the Filesystem, set enable_auto_log_backup to **yes**.
-1. Revert to the previous settings to allow backups to flow to the Azure vault:
- 1. Set enable_auto_log_backup to **yes**.
- 1. Set catalog_backup_using_backint to **true**.
-
->[!NOTE]
->Moving backups to the local Filesystem and switching back again to the Azure vault may cause a log chain break of the log backups in the vault. This will trigger a full backup, which once successfully completed will start backing up the logs.
-
-### How can I use SAP HANA Backup with my HANA Replication set-up?
-
-Currently, Azure Backup doesn't have the capability to understand an HSR set-up. This means that the primary and secondary nodes of the HSR will be treated as two individual, unrelated VMs. You'll first need to configure backup on the primary node. When a fail-over happens, backup must be configured on the secondary node (which now becomes the primary node). There's no automatic fail-over of backup to the other node.
-
-To back up data from the active (primary) node at any given point in time, you can **switch protection** to the secondary node, which has now become the primary after fail-over.
-
-To perform this **switch protection**, follow these steps:
--- [Stop protection](sap-hana-db-manage.md#stop-protection-for-an-sap-hana-database) (with retain data) on primary-- Run the [pre-registration script](https://aka.ms/scriptforpermsonhana) on the secondary node-- [Discover the databases](tutorial-backup-sap-hana-db.md#discover-the-databases) on the secondary node and [configure backups](tutorial-backup-sap-hana-db.md#configure-backup) on them-
-These steps must be performed manually after every fail-over. You can perform these steps through command line / HTTP REST in addition to the Azure portal. To automate these steps, you can use an Azure runbook.
-
-Here is a detailed example of how **switch protection** must be performed:
-
-In this example, you have two nodes - Node 1 (primary) and Node 2 (secondary) in the HSR set-up. Backups are configured on Node 1. As mentioned above, don't attempt yet to configure backups on Node 2.
-
-When the first failover happens, Node 2 becomes the primary. Then,
-
-1. Stop protection of Node 1 (previous primary) with the retain data option.
-1. Run the pre-registration script on Node 2 (which is now the primary).
-1. Discover databases on Node 2, assign backup policy, and configure backups.
-
-Then a first full backup is triggered on Node 2 and after that completes, log backups start.
-
-When the next fail-over happens, Node 1 becomes primary again and Node 2 becomes secondary. Now repeat the process:
-
-1. Stop protection of Node 2 with retain data option.
-1. Run the pre-registration script on Node 1 (which has become the primary again)
-1. Then [Resume backup](sap-hana-db-manage.md#resume-protection-for-an-sap-hana-database) on Node 1 with the required policy (as the backups were stopped earlier on Node 1).
-
-Then full backup will again be triggered on Node 1 and after that completes, log backups start.
-
-## Restore
-
-### Why can't I see the HANA system I want my database to be restored to?
-
-Check if all the prerequisites for the restore to target SAP HANA instance are met. For more information, see [Prerequisites - Restore SAP HANA databases in Azure VM](./sap-hana-db-restore.md#prerequisites).
-
-### Why is the Overwrite DB restore failing for my database?
-
-Ensure that the **Force Overwrite** option is selected while restoring.
-
-### Why do I see the "Source and target systems for restore are incompatible" error?
-
-Refer to the SAP HANA Note [1642148](https://launchpad.support.sap.com/#/notes/1642148) to see what restore types are currently supported.
-
-### Can I use a backup of a database running on SLES to restore to an RHEL HANA system or vice versa?
-
-Yes, you can use streaming backups triggered on a HANA database running on SLES to restore it to an RHEL HANA system and vice versa. That is, cross OS restore is possible using streaming backups. However, you'll have to ensure that the HANA system you want to restore to, and the HANA system used for restore, are both compatible for restore according to SAP. Refer to SAP HANA Note [1642148](https://launchpad.support.sap.com/#/notes/1642148) to see which restore types are compatible.
-
-## Policy
-
-### Different options available during creation of a new policy for SAP HANA backup
-
-Before creating a policy, you should be clear on the requirements of RPO and RTO and its relevant cost implications.
-
-RPO (Recovery-point-objective) indicates how much data loss is acceptable for the user/customer. This is determined by the log backup frequency. More frequent log backups indicate lower RPO and the minimum value supported by Azure Backup service is 15 minutes. So log backup frequency can be 15 minutes or higher.
-
-RTO (Recovery-time-objective) indicates how fast the data should be restored to the last available point-in-time after a data loss scenario. This depends on the recovery strategy employed by HANA, which is usually dependent on how many files are required for restore. This has cost implications as well, and the following table should help in understanding all scenarios and their implications.
-
-|Backup policy |RTO |Cost |
-||||
-|Daily Full + logs | Fastest, since we need only one full copy + required logs for point-in-time restore | Costliest option since a full copy is taken daily and so more and more data is accumulated in backend until the retention time |
-|Weekly Full + daily differential + logs | Slower than the above option, but faster than the next option since we require one full copy + one differential copy + logs for point-in-time restore | Less expensive option since the daily differential is usually smaller than full and a full copy is taken only once a week |
-|Weekly Full + daily incremental + logs | Slowest since we need one full copy + 'n' incrementals + logs for point-in-time recovery | Least expensive option since the daily incremental will be smaller than differential and a full copy is taken only weekly |
-
-> [!NOTE]
-> The above options are the most common, but not the only options. For example, you can have a weekly full backup + differentials twice a week + logs.
-
-Therefore, you can select the policy variant based on RPO and RTO objectives and cost considerations.
-
-### Impact of modifying a policy
-
-A few principles should be kept in mind when determining the impact of switching a backup item's policy from Policy 1 (P1) to Policy 2 (P2) or of editing Policy 1 (P1).
--- All changes are also applied retroactively. The latest backup policy is applied on the recovery points taken earlier as well. For example, assume that the daily full retention is 30 days and 10 recovery points were taken according to the currently active policy. If the daily full's retention is changed to 10 days, then the previous point's expiry time is also recalculated as start time + 10 days and deleted if they're expired.-- The scope of change also includes day of backup, type of backup along with retention. For example: If a policy is changed from daily full to weekly full on Sundays, all earlier fulls that aren't on Sundays will be marked for deletion.-- A parent isn't deleted until the child is active/not-expired. Every backup type has an expiration time according to the currently active policy. But a full backup type is considered as parent to subsequent 'differentials', 'incrementals' and 'logs'. A 'differential' and a 'log' aren't parents to anyone else. An 'incremental' can be a parent to subsequent 'incremental'. Even if a 'parent' is marked for deletion, it's not actually deleted if the child 'differentials' or 'logs' aren't expired. For example, if a policy is changed from daily full to weekly full on Sundays, all earlier fulls that aren't on Sundays will be marked for deletion. But they aren't actually deleted until the logs that were taken daily earlier are expired. In other words, they're retained according to the latest log duration. Once the logs expire, both the logs and these fulls will be deleted.-
-With these principles, you can read the following table to understand the implications of a policy change.
-
-|Old policy/ New policy |Daily fulls + logs | Weekly fulls + daily differentials + logs |Weekly fulls + daily incrementals + logs |
-|||||
-|Daily fulls + logs | - | The previous fulls that aren't on the same day of the week are marked for deletion but kept until the log retention period | The previous fulls that aren't on the same day of the week are marked for deletion but kept until the log retention period |
-|Weekly fulls + daily differentials + logs | The previous weekly fulls retention is recalculated as per latest policy. The previous differentials are immediately deleted | - | The previous differentials are immediately deleted |
-|Weekly fulls + daily incrementals + logs | The previous weekly fulls retention is recalculated as per latest policy. The previous incrementals are immediately deleted | The previous incrementals are immediately deleted | - |
-
-## Next steps
-
-Learn how to [back up SAP HANA databases](./backup-azure-sap-hana-database.md) running on Azure VMs.
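Review bot: this deletion removes the whole FAQ, including the `## Policy` heading and the "Impact of modifying a policy" section, and nothing in the visible change shows where that text now lives. That section states that policy edits apply retroactively and that earlier recovery points are deleted once they expire under the new retention, so confirm the replacement FAQ keeps that wording and still exposes a `#policy` anchor before this is merged.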
backup Sql Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/sql-support-matrix.md
Azure Backup supports a consistent data transfer rate of 200 Mbps for full and d
- The underlying VM (containing the SQL Server instance, which hosts the database) is configured with the required network throughput. If the maximum throughput of the VM is less than 200 Mbps, Azure Backup canΓÇÖt transfer data at the optimum speed.<br></br>Also, the disk that contains the database files must have enough throughput provisioned. [Learn more](../virtual-machines/disks-performance.md) about disk throughput and performance in Azure VMs. - Processes, which are running in the VM, are not consuming the VM bandwidth. -- The backup schedules are spread across a subset of databases. Multiple backups running concurrently on a VM shares the network consumption rate between the backups. [Learn more](faq-backup-sql-server.md#can-i-control-how-many-concurrent-backups-run-on-the-sql-server) about how to control the number of concurrent backups.
+- The backup schedules are spread across a subset of databases. Multiple backups running concurrently on a VM shares the network consumption rate between the backups. [Learn more](faq-backup-sql-server.yml#can-i-control-how-many-concurrent-backups-run-on-the-sql-server-) about how to control the number of concurrent backups.
>[!NOTE] > [Download the detailed Resource Planner](https://download.microsoft.com/download/A/B/5/AB5D86F0-DCB7-4DC3-9872-6155C96DE500/SQL%20Server%20in%20Azure%20VM%20Backup%20Scale%20Calculator.xlsx) to calculate the approximate number of protected databases that are recommended per server based on the VM resources, bandwidth and the backup policy.
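Review bot: the new fragment on the `+` line ends in a trailing hyphen (`#can-i-control-how-many-concurrent-backups-run-on-the-sql-server-`), which the old `.md` anchor did not have. Check that it matches the anchor the YAML FAQ actually generates, otherwise the link will not land on the intended question. While the line is being touched, "Multiple backups running concurrently on a VM shares" should read "share".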
backup Troubleshoot Azure Files https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/troubleshoot-azure-files.md
Check if the backed-up file share is permanently deleted. If yes, stop the backu
For more information about backing up Azure file shares, see: - [Back up Azure file shares](backup-afs.md)-- [Back up Azure file share FAQ](backup-azure-files-faq.md)
+- [Back up Azure file share FAQ](backup-azure-files-faq.yml)
backup Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/whats-new.md
For more information, see [Azure Resource Manager templates for Azure Backup](ba
Azure Backup now supports incremental backups for SAP HANA databases hosted on Azure VMs. This allows for faster and more cost-efficient backups of your SAP HANA data.
-For more information, see [various options available during creation of a backup policy](sap-hana-faq-backup-azure-vm.md#policy) and [how to create a backup policy for SAP HANA databases](tutorial-backup-sap-hana-db.md#creating-a-backup-policy).
+For more information, see [various options available during creation of a backup policy](/sap-hana-faq-backup-azure-vm.yml#policy) and [how to create a backup policy for SAP HANA databases](tutorial-backup-sap-hana-db.md#creating-a-backup-policy).
## Backup Center (in preview)
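Review bot: the rewritten link target `/sap-hana-faq-backup-azure-vm.yml#policy` gained a leading slash, so it is now root-relative instead of relative to the article's folder. The other `.md` to `.yml` link updates on this page stay relative (`disk-backup-faq.yml`, `backup-azure-files-faq.yml`); drop the slash so this one resolves the same way.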
baremetal-infrastructure Concepts Baremetal Infrastructure Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/concepts-baremetal-infrastructure-overview.md
Title: Overview of BareMetal Infrastructure on Azure
+ Title: What is BareMetal Infrastructure on Azure?
description: Provides an overview of the BareMetal Infrastructure on Azure. Previously updated : 04/08/2021 Last updated : 04/14/2021 # What is BareMetal Infrastructure on Azure?
BareMetal Infrastructure offers these benefits:
- Application aware snapshots, archive, mirroring, and cloning
+## BareMetal benefits
+
+BareMetal Infrastructure is intended for mission critical workloads that require certification to run your enterprise applications. The BareMetal instances are dedicated only to you, and you'll have full access (root access) to the operating system (OS). You manage OS and application installation according to your needs. For security, the instances are provisioned within your Azure Virtual Network (VNet) with no internet connectivity. Only services running on your virtual machines (VMs), and other Azure services in same Tier 2 network, can communicate with your BareMetal instances.
+
+BareMetal Infrastructure offers these benefits:
+
+- Certified hardware for specialized workloads
+- SAP (Refer to [SAP Note #1928533](https://launchpad.support.sap.com/#/notes/1928533))
+- Oracle (Refer to [Oracle document ID #948372.1](https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=52088246571495&id=948372.1&_adf.ctrl-state=kwnkj1hzm_52))
+- Non-hypervised BareMetal instance, single tenant ownership
+- Low latency between Azure hosted application VMs to BareMetal instances (0.35 ms)
+- All Flash SSD and NVMe support
+- Database up to 1 PB/tenant
+- IOPS up to 1.2 million/tenant
+- 50-GB network bandwidth
+ ## SKU availability in Azure regions BareMetal Infrastructure offers multiple SKUs certified for specialized workloads. Use the workload-specific SKUs to meet your needs.
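Review bot: the added `## BareMetal benefits` section repeats the sentence "BareMetal Infrastructure offers these benefits:" that already appears in the unchanged text just above it, so check that the earlier copy of the list is removed rather than left duplicated. In the list itself, the SAP and Oracle bullets read as sub-items of "Certified hardware for specialized workloads" and should be indented under it, and "50-GB network bandwidth" needs a rate unit. The Oracle link also carries `_afrLoop` and `_adf.ctrl-state` query parameters that look like session state; check whether the link resolves with the `id=948372.1` parameter alone and, if so, trim it.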
BareMetal Infrastructure for specialized workloads is available in the following
## Managing BareMetal instances in Azure
-Depending on your needs, the application topologies of BareMetal Infrastructure can be complex. You may deploy multiple instances, in one or more locations, with shared or dedicated storage, and specialized LAN and WAN connections. So for BareMetal Infrastructure, Azure offers a consultative capture of that information by a CSA/GBB in the field in a provisioning portal.
+Depending on your needs, the application topologies of BareMetal Infrastructure can be complex. You may deploy multiple instances, in one or more locations, with shared or dedicated storage and specialized LAN and WAN connections. So for BareMetal Infrastructure, Azure offers a consultative capture of that information by a CSA/GBB in the field in a provisioning portal.
-By the time your BareMetal Infrastructure is provisioned, the OS, networks, storage volumes, placements in zones and regions, and WAN connections between locations is already pre-configured. You are set to register your OS licenses (BYOL), configure the OS, and install the application layer.
+By the time your BareMetal Infrastructure is provisioned, the OS, networks, storage volumes, placements in zones and regions, and WAN connections between locations are already pre-configured. You're set to register your OS licenses (BYOL), configure the OS, and install the application layer.
-You will be able to see all the BareMetal Infrastructure resources, and their state and attributes, in the Azure portal. You can also operate the instances and open service requests and support tickets from there.
+You'll be able to see all the BareMetal resources, and their state and attributes, in the Azure portal. You can also operate the instances and open service requests and support tickets from there.
## Operational model BareMetal Infrastructure is ISO 27001, ISO 27017, SOC 1, and SOC 2 compliant. It also uses a bring-your-own-license (BYOL) model: OS, specialized workload, and third-party applications.
baremetal-infrastructure Know Baremetal Terms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/know-baremetal-terms.md
In this article, we'll cover some important terms related to the BareMetal Infra
- **Tenant**: A customer deploying a BareMetal instance stamp gets isolated as a *tenant.* A tenant is isolated in the networking, storage, and compute layer from other tenants. Storage and compute units assigned to the different tenants can't see each other or communicate with each other on the BareMetal instance stamp level. A customer can choose to have deployments into different tenants. Even then, there's no communication between tenants on the BareMetal instance stamp level. ## Next steps+ Now that you've been introduced to important terminology of the BareMetal Infrastructure, you may want to learn about: - More details of the [BareMetal Infrastructure](concepts-baremetal-infrastructure-overview.md). - How to [Connect BareMetal Infrastructure instances in Azure](connect-baremetal-infrastructure.md).
baremetal-infrastructure Oracle Baremetal Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/workloads/oracle/oracle-baremetal-architecture.md
+
+ Title: Architecture of BareMetal Infrastructure for Oracle
+description: Learn about the architecture of several configurations of BareMetal Infrastructure for Oracle.
++ Last updated : 04/14/2021++
+# Architecture of BareMetal Infrastructure for Oracle
+
+In this article, we'll look at the architectural options for BareMetal Infrastructure for Oracle and the features each supports.
+
+## Single instance
+
+This topology supports a single instance of Oracle Database with Oracle Data Guard for migrating to the BareMetal Infrastructure. It supports using standby node for high availability and maintenance work.
+
+[![Diagram showing the architecture of a single instance of Oracle Database with Oracle Data Guard.](media/oracle-baremetal-architecture/single-instance-architecture.png)](media/oracle-baremetal-architecture/single-instance-architecture.png#lightbox)
+
+## Oracle Real Application Clusters (RAC) One Node
+
+This topology supports a RAC configuration with shared storage and GRID cluster. Database instances run only on one node (active-passive configuration).
+
+Features include:
+
+- Active-passive with Oracle RAC One Node
+
+ - Automatic fail-over
+
+ - Fast restart on second node
+
+- Real-time fail-over and scalability with Oracle RAC
+
+- Zero downtime rolling maintenance
+
+[![Diagram showing the architecture of an Oracle RAC One Node active-passive configuration.](media/oracle-baremetal-architecture/one-node-rac-architecture.png)](media/oracle-baremetal-architecture/one-node-rac-architecture.png#lightbox)
+
+## RAC
+
+This topology supports an Oracle RAC configuration with shared storage and Grid cluster while multiple instances per database run concurrently (active-active configuration).
+
+- Performance is easy to scale through online provisioning of added servers.
+- Users are active on all servers, and all servers share access to the same Oracle Database.
+- All types of database maintenance can be performed either online or in rolling fashion for minimal or zero downtime.
+- Oracle Active Data Guard (ADG) standby systems can easily serve a dual-purpose as test systems.
+
+This configuration allows you to test all changes on an exact copy of the production database before they're applied to the production environment.
+
+> [!NOTE]
+> If you intend to use Active Data Guard Far Sync (synchronous mode), you'll need to consider the regional zones where this feature is supported. For geographical distributed regions only, we recommend using Data Guard with asynchronous mode.
+
+[![Diagram showing the architecture of an Oracle RAC active-active configuration.](media/oracle-baremetal-architecture/rac-architecture.png)](media/oracle-baremetal-architecture/rac-architecture.png#lightbox)
+
+## Next steps
+
+Learn about provisioning your BareMetal instances for Oracle workloads.
+
+> [!div class="nextstepaction"]
+> [Provision BareMetal Infrastructure for Oracle](oracle-baremetal-provision.md)
+
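Review bot: the cluster component is written "GRID cluster" in the RAC One Node section and "Grid cluster" in the RAC section; pick one spelling. In the RAC section the bullet list has no lead-in (the One Node section uses "Features include:"), and the sentence "This configuration allows you to test all changes on an exact copy of the production database" should say explicitly which configuration it refers to, since it follows the Active Data Guard bullet. "It supports using standby node" in the single-instance paragraph is missing "a".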
baremetal-infrastructure Oracle Baremetal Ethernet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/workloads/oracle/oracle-baremetal-ethernet.md
+
+ Title: Ethernet configuration of BareMetal for Oracle
+description: Learn about the configuration of Ethernet interfaces on BareMetal instances for Oracle workloads.
++ Last updated : 04/14/2021++
+# Ethernet configuration of BareMetal for Oracle
+
+In this article, we'll look at the configuration of Ethernet interfaces on BareMetal instances for Oracle workloads.
+
+Each provisioned BareMetal instance for Oracle comes pre-configured with sets of Ethernet interfaces. The Ethernet interfaces are categorized into four types:
+
+- Used for or by client access.
+- Used for node-to-node communication. This interface is configured on all servers irrespective of the topology requested. It is used only for scale-out scenarios.
+- Used for node-to-storage connectivity.
+- Used for disaster recovery (DR) setup and connectivity to global reach for cross-region connectivity.
+
+## Architecture
+
+The following diagram illustrates the architecture of the BareMetal Infrastructure pre-configured Ethernet interfaces.
+
+[![Diagram showing the architecture of the pre-configured Ethernet interfaces for Oracle workloads.](media/oracle-baremetal-ethernet/architecture-ethernet.png)](media/oracle-baremetal-ethernet/architecture-ethernet.png#lightbox)
+
+The default configuration comes with one client IP interface (eth1), connecting from your Azure Virtual Network (VNET) by which you can use Secure Shell (SSH) to access a BareMetal instance.
+
+> [!NOTE]
+> For another client interface (eth10) from a different Azure VNET, contact your Microsoft CSA to submit a service request. For instance, if you want development/test as well as production/DR environments.
+
+| **NIC logical interface** | **Name with RHEL OS** | **Use case** |
+| | | |
+| A | eth1.tenant | Client to BareMetal instance |
+| C | eth2.tenant | Node-to-storage; supports the coordination and access to the storage controllers for management of the storage environment. |
+| B | eth3.tenant | Node-to-node (Private interconnect) |
+| C | eth4.tenant | Reserved/ iSCSI |
+| C | eth5.tenant | Reserved/ Log Backup |
+| C | eth6.tenant | Node-to-storage_Data Backup (RMAN, Snapshot) |
+| C | eth7.tenant | Node-to-storage_dNFS-Pri; provides connectivity with the NetApp storage array. |
+| C | eth8.tenant | Node-to-storage_dNFS-Sec; provides connectivity with the NetApp storage array. |
+| D | eth9.tenant | DR connectivity for Global reach setup for accessing BMI in another region. |
+| A | \*eth10.tenant | \* Client to BareMetal instance
+ |
+
+If necessary, you can define more network interface controller (NIC) cards on your own. However, the configurations of existing NICs *can't* be changed.
+
+## Usage rules
+
+For BareMetal instances, the default will have nine assigned IP addresses on the four logical NICs. The following usage rules apply:
+
+- Ethernet "A" should have an assigned IP address that is outside of the server IP pool address range that you submitted to Microsoft. This IP address shouldn't be maintained in the etc/hosts directory of the OS.
+- Ethernet "B" should be maintained exclusively in the etc/hosts directory for communication between the various instances. Maintain these IP addresses in scale-out Oracle Real Application Clusters (RAC) configurations as the IP addresses used for the inter-node configuration.
+- Ethernet "C" should have an assigned IP address that is used for communication to NFS storage. This type of address shouldn't be maintained in the etc/hosts directory.
+- Ethernet "D" should be used exclusively for global reach setup towards accessing BareMetal instances in your DR region.
+
+## Next step
+
+Learn more about BareMetal Infrastructure for Oracle architecture.
+
+> [!div class="nextstepaction"]
+> [Architecture of BareMetal Infrastructure for Oracle](oracle-baremetal-architecture.md)
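Review bot: the usage rules refer to "the etc/hosts directory" three times; `/etc/hosts` is a file, and the path needs its leading slash. The last table row is also broken: the `\*eth10.tenant` row closes on a line of its own, which will not render as a table cell, and the asterisk is never explained next to the table. The statement "nine assigned IP addresses on the four logical NICs" should say that eth10 is excluded, since the table lists ten interfaces.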
baremetal-infrastructure Oracle Baremetal Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/workloads/oracle/oracle-baremetal-overview.md
+
+ Title: What is BareMetal Infrastructure for Oracle?
+description: Learn about the features BareMetal Infrastructure offers for Oracle workloads.
++ Last updated : 04/14/2021++
+# What is BareMetal Infrastructure for Oracle?
+
+This article gives an overview of the features BareMetal Infrastructure offers for Oracle workloads.
+
+BareMetal Infrastructure for Oracle is based on Oracle-certified Unified Computing System (UCS) and FLexPod. The FlexPod platform delivers pre-validated storage, networking, and server technologies. It offers NFS storage, providing integration using DirectNFS protocol. The BareMetal servers are dedicated to you, with no hypervisor on the BareMetal instances.
+
+These instances are for running mission critical applications requiring an Oracle workload. BareMetal instances provide low latency (0.35 ms) to your applications running in Azure virtual machines (VMs). BareMetal provides shared storage disk and supports multi-casting required for node-to-node communication with a dedicated private interconnect network.
+
+Other features of BareMetal Infrastructure for Oracle include:
+
+- Oracle certified UCS blades - UCSB200-M5, UCSB460-M4, UCSB480-M5
+- Oracle Real Application Clusters (RAC) node-to-node (multi-cast) communication using private virtual LAN (VLAN) -40 Gb.
+- Microsoft-managed hardware
+ - Redundant storage, network, power, management
+ - Monitoring for Infra, repairs, and replacement
+ - Includes Azure ExpressRoute to the customer's domain controller
+ - Secured physical and network security, can access all Azure cloud services
+
+### Supported protocols
+
+The following protocols are used for different mount points within BareMetal servers for Oracle workload.
+
+- OS mount ΓÇô iSCSI
+- Data/log ΓÇô NFSv3
+- backup/archieve ΓÇô NFSv4
+
+### Licensing
+
+- You bring your own on-premises operating system and Oracle licenses.
+
+### Operating system
+
+Servers are pre-loaded with operating system RHEL 7.6.
+
+## Next steps
+
+Learn about the SKUs for Oracle BareMetal workloads.
+
+> [!div class="nextstepaction"]
+> [BareMetal SKUs for Oracle workloads](oracle-baremetal-skus.md)
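Review bot: two spelling errors in the added text: "FLexPod" in the second paragraph (the next sentence has "FlexPod") and "backup/archieve" under Supported protocols. In the features list, "private virtual LAN (VLAN) -40 Gb." reads as a negative number and lacks a rate unit, and "Secured physical and network security" is redundant. The `### Supported protocols`, `### Licensing` and `### Operating system` headings are level 3 with no level 2 heading above them.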
baremetal-infrastructure Oracle Baremetal Patching https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/workloads/oracle/oracle-baremetal-patching.md
+
+ Title: Patching considerations for BareMetal for Oracle
+description: Learn about operating system/kernel patching considerations for BareMetal Infrastructure for Oracle.
++ Last updated : 04/14/2021++
+# Patching considerations for BareMetal for Oracle
+
+In this article, we'll look at important operating system/kernel patching considerations for BareMetal Infrastructure for Oracle.
+
+For proper network performance and system stability, install the OS-specific version of eNIC and fNIC drivers as shown in following compatibility table.
+
+Servers are delivered to customers with compatible versions. During operating system (OS)/kernel patching, however, drivers can be rolled back to the default driver versions. So be sure to confirm that the appropriate driver version is running following OS/kernel patching operations.
+
+| OS Vendor | OS Package Version | Firmware Version | eNIC Driver | fNIC Driver |
+| | | | | |
+| Red Hat | RHEL 7.6 | 3.2.3i | 2.3.0.53 | 1.6.0.34 |
+| Red Hat | RHEL 7.6 | 4.1.1b | 2.3.0.53 | 1.6.0.34 |
+
+## Next steps
+
+Learn about the Ethernet configuration of BareMetal for Oracle.
+
+> [!div class="nextstepaction"]
+> [Ethernet configuration of BareMetal for Oracle](oracle-baremetal-ethernet.md)
+
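Review bot: the article tells readers to "confirm that the appropriate driver version is running" after OS/kernel patching but never says how. Add the command or procedure for checking the loaded eNIC and fNIC versions, and for restoring the listed versions when patching has rolled them back. The two table rows differ only in firmware version, so also state how a reader finds out which firmware their server runs. Minor: "as shown in following compatibility table" is missing "the".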
baremetal-infrastructure Oracle Baremetal Provision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/workloads/oracle/oracle-baremetal-provision.md
+
+ Title: Provision BareMetal for Oracle
+description: Learn about provisioning your BareMetal Infrastructure for Oracle.
++ Last updated : 04/14/2021++
+# Provision BareMetal for Oracle
+
+In this article, we'll look at how to provision your BareMetal Infrastructure instances for Oracle workloads.
+
+The first step to provision your BareMetal instances is to work with your Microsoft CSA. They'll help you based on your specific workload needs and the architecture you're deploying, whether single instance, One Node RAC, or RAC. For more information on these topologies, see [Architecture of BareMetal Infrastructure for Oracle](oracle-baremetal-architecture.md).
+
+## Prerequisites
+
+> [!div class="checklist"]
+> * An active Azure subscription
+> * Microsoft Premier support contract
+> * Licenses for Red Hat Enterprise Linux 7.6
+> * Oracle support contract
+> * Licenses and software installation components for Oracle
+> * ExpressRoute connected **on-premises to Azure** (**Optionally**, configure ExpressRoute Global Reach for direct connectivity from on-premises to the Oracle Database)
+> * Virtual network
+> * Gateway creation
+> * Virtual machines (VMs) in the virtual network (jump boxes)
+
+## Information to provide Microsoft Operations
+
+You'll need to provide the following information to your CSA:
+
+1. Virtual network address space. This range must be /24 subnet; for example, 10.11.0.0/24.
+2. P2P range. This range must be a /29 subnet; for example, 10.12.0.0/29.
+3. Server IP address pool. The recommended range is /24; for example, 10.13.0.0/24.
+4. Server IP address. Pick an IP address from the Server IP address pool.
+
+ > [!Note]
+ > The first thirty IP addresses are reserved for Microsoft infrastructure configuration. So, in this example, your first available IP address for a blade would be 10.13.0.30.
+
+5. The Azure Region required; for example, West US2.
+6. The BareMetal Infrastructure SKU required; for example, S192 (two machines).
+
+## Storage requirements
+
+Work with your CSA representative for your storage needs during the provisioning request, including expected storage needs based on future growth. Added storage is in 1-TB increments.
+
+For volumes, we follow Oracle's [Optimal Flexible Architecture (OFA) standard](https://docs.oracle.com/en/database/oracle/oracle-database/19/ladbi/about-the-optimal-flexible-architecture-standard.html#GUID-6619CDB7-9667-426E-8471-5A996707D093), with Basic tier and Enterprise configuration. If you have custom storage requirements other than standard "T-shirt sizing," make your custom request through your CSA.
+
+| Basic Configuration(POC/ Testing) | Description | Small | Medium | Large |
+| | | | | |
+| /u01 | Oracle binaries | 500 GB | 500 GB | 500 GB |
+| /u02 | Read Intensive/Admin | 500 GB | 1 TB | 5 TB |
+| /u03 | Write Intensive/Logs | 500 GB | 1 TB | 5 TB |
+| /u09 | Backup | 5 TB | 10 TB | 15 TB |
+
+| Enterprise Configuration | Description | Small | Medium | Large | Extra Large |
+| | | | | | |
+| /u01 | Oracle binaries | 500 GB | 500 GB | 500 GB | 500 GB |
+| /u02 | Admin | 100 GB | 100 GB | 100 GB | 100 GB |
+| /u10 to /u59 | Read Intensive | 500 GB | 5 TB | 10 TB | 20 TB |
+| /u60 to /u89 | Write Intensive | 500 GB | 5 TB | 10 TB | 20 TB |
+| /u90 to /u91 | Redo Logs | 500 GB | 500 GB | 1 TB | 1 TB |
+| /u95 | Archive | 10 TB | 10 TB | 20 TB | 20 TB |
+| /u98 | Backup | 25 TB | 25 TB | 50 TB | 50 TB |
+
+## Next step
+
+Learn more about BareMetal Infrastructure for Oracle.
+
+> [!div class="nextstepaction"]
+> [What is BareMetal Infrastructure on Azure?](../../concepts-baremetal-infrastructure-overview.md)
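Review bot: In the note under item 4, "The first thirty IP addresses are reserved" only gives 10.13.0.30 as the first usable address if the count starts at 10.13.0.0. State the reserved range explicitly (10.13.0.0 through 10.13.0.29) so that nobody assigns a blade an address that collides with the Microsoft infrastructure configuration. Item 1 reads "must be /24 subnet" (missing "a"), and it is a requirement while item 3 calls /24 only "recommended"; say whether other sizes are accepted for the server IP address pool. Both storage tables have an empty second row (`| | | | | |`) where the header separator should be.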
baremetal-infrastructure Oracle Baremetal Skus https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/workloads/oracle/oracle-baremetal-skus.md
+
+ Title: BareMetal SKUs for Oracle workloads
+description: Learn about the SKUs for the Oracle BareMetal Infrastructure workloads.
++ Last updated : 04/14/2021++
+# BareMetal SKUs for Oracle workloads
+
+In this article, we'll take a look at specialized BareMetal Infrastructure SKUs for Oracle workloads.
+
+BareMetal Infrastructure for Oracle SKUs range from two sockets up to four sockets. You can also choose from various CPU cores and memory sizes to meet the requirements of your workload. Here's a table summarizing features of available SKUs.
+
+| **Oracle Certified** **hardware** | **Model** | **Total Memory** | **Storage** | **Availability** |
+| | | | | |
+| YES | SAP HANA on Azure S32m- 2 x Intel® Xeon® Processor I623416 CPU cores and 32 CPU threads | 1.5 TB | | Available |
+| YES | SAP HANA on Azure S64m- 4 x Intel® Xeon® Processor I623432 CPU cores and 64 CPU threads | 3.0 TB | | Available |
+| YES | SAP HANA on Azure S96– 2 x Intel® Xeon® Processor E7-8890 v448 CPU cores and 96 CPU threads | 768 GB | 3.0 TB | Available |
+| YES | SAP HANA on Azure S224 – 4 x Intel® Xeon® Platinum 8276 processor 112 CPU cores and 224 CPU threads | 3.0 TB | 6.3 TB | Available |
+| YES | SAP HANA on Azure S224m– 4 x Intel® Xeon® Platinum 8276 processor 112 CPU cores and 224 CPU threads | 6.0 TB | 10.5 TB | Available |
+
+- CPU cores = sum of non-hyper-threaded CPU cores (the total number of physical processors) of the server unit.
+- CPU threads = sum of compute threads provided by hyper-threaded CPU cores (the total number of logical processors) of the server unit. Most units are configured by default to use Hyper-Threading Technology.
+- Servers are dedicated to customers.
+- Customer has root access (No hypervisor).
+- Servers aren't directly on Azure VNETs.
+
+## Next steps
+
+Learn about the storage offered by BareMetal Infrastructure for Oracle.
+
+> [!div class="nextstepaction"]
+> [Storage on BareMetal for Oracle workloads](oracle-baremetal-storage.md)
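Review bot: In the SKU table the Model cells run the processor name into the core count ("Processor I623416 CPU cores", "E7-8890 v448 CPU cores"), so neither the processor model nor the number of cores can be read reliably. Separate them with a `<br>` or give the core and thread counts their own columns. Every row is labelled "SAP HANA on Azure" in an article about Oracle SKUs, which needs an explanation or a rename. The bullet "Customer has root access (No hypervisor)" should say who is responsible for OS hardening and patching in that case, or link to the patching article.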
baremetal-infrastructure Oracle Baremetal Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/workloads/oracle/oracle-baremetal-storage.md
+
+ Title: Storage on BareMetal for Oracle workloads
+description: Learn about the storage offered by the BareMetal Infrastructure for Oracle workloads.
++ Last updated : 04/14/2021++
+# Storage on BareMetal for Oracle workloads
+
+In this article, we'll give an overview of the storage offered by the BareMetal Infrastructure for Oracle workloads.
+
+BareMetal Infrastructure for Oracle offers NetApp Network File System (NFS) storage. NFS storage does not require Oracle Real Application Clusters (RAC) certification. For more information, see [Oracle RAC Technologies Matrix for Linux Clusters](https://www.oracle.com/database/technologies/tech-generic-linux-new.html).
+
+This storage offering includes Tier 3 support from an OEM partner, using either A700s or A800s storage controllers.
+
+BareMetal Infrastructure storage offers these premium storage capabilities:
+
+- Storage volumes for Data/log/quorum/FSA offered via the dNFS protocol.
+- Disk redundancy (*Protection against up to two disk failures*).
+- Scale out your data to multiple volumes limited to 100 TB per volume.
+- Scale out to multiple storage controllers up to 12 controllers.
+- No disk level management (*add/remove disks*), automatically taken care by Infra.
+- No downtime for redistributing the file contents to different volumes.
+- Ability to grow/shrink volumes.
+- SnapCenter integration for backup using cloning and SnapVault.
+- Data encryption at rest, supporting FIPS (140-2).
+
+## Next steps
+
+Learn about BareMetal Infrastructure patching considerations.
+
+> [!div class="nextstepaction"]
+> [Patching considerations for BareMetal for Oracle](oracle-baremetal-patching.md)
+
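Review bot: The bullet "Data encryption at rest, supporting FIPS (140-2)" does not say who holds the encryption keys or whether the customer can manage them, and the list says nothing about protection of the NFS/dNFS traffic between the servers and the storage controllers. Add one sentence for each, or link to where they are documented. "automatically taken care by Infra" should read "taken care of automatically by the infrastructure", and "NFS storage does not require Oracle Real Application Clusters (RAC) certification" would be clearer if it said what that means for a customer planning a RAC deployment.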
batch Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/quick-create-portal.md
Title: Azure Quickstart - Run your first Batch job in the Azure portal description: This quickstart shows how to use the Azure portal to create a Batch account, a pool of compute nodes, and a job that runs basic tasks on the pool.- Last updated 08/17/2020-++
+ - mvc
+ - mode-portal
# Quickstart: Run your first Batch job in the Azure portal
batch Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/quick-create-template.md
Title: Azure Quickstart - Create a Batch account - Azure Resource Manager template description: This quickstart shows how to create a Batch account by using an ARM template.- Last updated 08/17/2020-++
+ - subject-armqs
+ - mode-arm
# Quickstart: Create a Batch account by using ARM template
batch Quick Run Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/quick-run-python.md
Title: Quickstart - Use Python API to run an Azure Batch job description: In this quickstart, you run an Azure Batch sample job and tasks using the Batch Python client library. Learn the key concepts of the Batch service.- Last updated 08/17/2020-++
+ - seo-python-october2019
+ - mvc
+ - devx-track-python
+ - mode-api
# Quickstart: Use Python API to run an Azure Batch job
blockchain Create Member Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-powershell.md
Title: Create an Azure Blockchain Service member - Azure PowerShell description: Create an Azure Blockchain Service member for a blockchain consortium using Azure PowerShell.+ Last updated 9/22/2020 --+
+ - references_regions
+ - devx-track-azurepowershell
+ - mode-api
#Customer intent: As a network operator, I want use Azure Blockchain Service so that I can create a blockchain member on Azure
next quickstart to use Azure Blockchain Development Kit for Ethereum to attach t
Blockchain Service member. > [!div class="nextstepaction"]
-> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
+> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
blockchain Create Member Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-template.md
Title: Create an Azure Blockchain Service member by using Azure Resource Manager template description: Learn how to create an Azure Blockchain Service member by using Azure Resource Manager template. --- Last updated 09/16/2020+++
+ - subject-armqs
+ - references_regions
+ - mode-arm
# Quickstart: Create an Azure Blockchain Service member using an ARM template
To delete the resource group:
In this quickstart, you deployed an Azure Blockchain Service member and a new consortium. Try the next quickstart to use Azure Blockchain Development Kit for Ethereum to attach to an Azure Blockchain Service member. > [!div class="nextstepaction"]
-> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
+> [Use Visual Studio Code to connect to Azure Blockchain Service](connect-vscode.md)
blockchain Create Member https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member.md
Title: Create an Azure Blockchain Service member - Azure portal description: Create an Azure Blockchain Service member for a blockchain consortium using the Azure portal.+ Last updated 07/16/2020 --+
+ - references_regions
+ - mode-portal
#Customer intent: As a network operator, I want use Azure Blockchain Service so that I can create a managed ledger on Azure.
certification How To Troubleshoot Pnp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/certification/how-to-troubleshoot-pnp.md
+
+ Title: Troubleshoot your IoT Plug and Play device
+description: A guide of recommended troubleshooting steps for partners certifying an IoT Plug and Play device.
++++ Last updated : 04/15/2021+++
+# Troubleshoot your IoT Plug and Play certification project
+
+During the Connect & test phase of your IoT Plug and Play certification project, you may run into some scenarios that prevent you from passing the Azure for IoT Certification Service (AICS) testing.
+
+## Prerequisites
+
+- You should be signed in and have a project for your device created on the [Azure Certified Device portal](https://certify.azure.com). For more information, view the [tutorial](tutorial-01-creating-your-project.md).
+
+## When AICS tests aren't passing
+
+AICS test may not pass because of several causes. Follow these steps to check for common issues and troubleshoot your device.
+
+1. Double-check that your device code is setting the Model ID Payload during DPS provisioning. This is a requirement for AICS to validate your device.
+1. You can view the telemetry logs from previous test runs by pressing the `View Logs` button to identify what is causing the test to fail. Both the test messaging and raw data are available for review.
+
+ ![Review test data](./media/images/review-logs.png)
+
+1. In some instances where the logs indicate `Failed to get Digital Twin Model ID of device xx due to DeviceNotConnected`, try rebooting the device and restarting the device provisioning process.
+1. If the automated tests continue to fail, then you can `request a manual review` of the results to substitute. This will trigger a request for **manual validation** with the Azure Certified Device team.
+
+ ![Request manual review](./media/images/request-manual-review.png)
+
+## When you see "Passed with warnings"
+
+While running the tests, if you receive a result of `Passed with warnings`, this means that some telemetry was not received during the testing period. This may be due to a dependency of the telemetry on longer time intervals or external triggers that were not available. You can proceed with submitting your device for review, during which the review team will determine if **manual validation** is necessary in the future.
+
+## When you need help with the model repository
+
+For IoT Plug and Play issues related to the model repository, refer to [our Docs guidance about the device model repository](https://docs.microsoft.com/azure/iot-pnp/concepts-model-repository).
+
+## Next steps
+
+Hopefully this guide helps you continue with your IoT Plug and Play certification journey! Once you have passed AICS, you can then proceed with our tutorials to submit and publish your device.
+
+- [Tutorial: Testing your device](tutorial-03-testing-your-device.md)
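Review bot: Step 4, "you can `request a manual review` of the results to substitute", does not say what is being substituted. Reword it to say that a manual review by the Azure Certified Device team replaces the automated test result. `View Logs` and `request a manual review` are UI labels and should be bold rather than code-formatted, matching **manual validation** in the same list. "AICS test may not pass because of several causes" should be "AICS tests may not pass for several reasons". In step 3, say what `xx` stands for in the quoted log message.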
cloudfoundry Cloudfoundry Deploy Your First App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloudfoundry/cloudfoundry-deploy-your-first-app.md
Running the `cf app` command on the application shows that Cloud Foundry is crea
[pcf-azuremarketplace]: https://azuremarketplace.microsoft.com/marketplace/apps/pivotal.pivotal-cloud-foundry [pcf-custom]: https://docs.pivotal.io/pivotalcf/1-10/customizing/azure.html [oss-cf-bosh]: https://github.com/cloudfoundry-incubator/bosh-azure-cpi-release/tree/master/docs
-[pcf-azuremarketplace-pivotaldocs]: https://docs.pivotal.io/pivotalcf/customizing/pcf_azure.html
+[pcf-azuremarketplace-pivotaldocs]: https://docs.pivotal.io/ops-manager/2-10/install/pcf_azure.html
[cf-cli]: https://github.com/cloudfoundry/cli [cloudshell-docs]: ../cloud-shell/overview.md [cf-orgs-spaces-docs]: https://docs.cloudfoundry.org/concepts/roles.html
Running the `cf app` command on the application shows that Cloud Foundry is crea
<!-- IMAGES --> [cf-push-output]: ./media/cloudfoundry-deploy-your-first-app/cf-push-output.png
-[hello-spring-cloud-basic]: ./media/cloudfoundry-deploy-your-first-app/hello-spring-cloud-basic.png
+[hello-spring-cloud-basic]: ./media/cloudfoundry-deploy-your-first-app/hello-spring-cloud-basic.png
cloudfoundry Cloudfoundry Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloudfoundry/cloudfoundry-get-started.md
Microsoft provides best-effort support for OSS CF through the following communit
Pivotal Cloud Foundry includes the same core platform as the OSS distribution, along with a set of proprietary management tools and enterprise support. To run PCF on Azure, you must acquire a license from Pivotal. The PCF offer from the Azure marketplace includes a 90-day trial license.
-The tools include [Pivotal Operations Manager](https://docs.pivotal.io/pivotalcf/customizing/), a web application that simplifies deployment and management of a Cloud Foundry foundation, and [Pivotal Apps Manager](https://docs.pivotal.io/pivotalcf/console/), a web application for managing users and applications.
+The tools include [Pivotal Operations Manager](https://docs.pivotal.io/ops-manager/2-10/install/), a web application that simplifies deployment and management of a Cloud Foundry foundation, and [Pivotal Apps Manager](https://docs.pivotal.io/pivotalcf/console/), a web application for managing users and applications.
In addition to the support channels listed for OSS CF above, a PCF license entitles you to contact Pivotal for support. Microsoft and Pivotal have also enabled support workflows that allow you to contact either party for assistance and have your inquiry routed appropriately depending on where the issue lies.
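Review bot: The replacement link for Pivotal Operations Manager is pinned to a specific version path (`ops-manager/2-10/install/`) where the old one was unversioned, so it will go stale when that version is retired, while the Pivotal Apps Manager link in the same sentence still uses the unversioned `pivotalcf/console/` path. Use an unversioned or "latest" path for both if one exists, or confirm that the second link still resolves. The same pinned path is introduced for `[pcf-azuremarketplace-pivotaldocs]` in cloudfoundry-deploy-your-first-app.md.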
cognitive-services Overview Ocr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/overview-ocr.md
The **Read** call takes images and documents as its input. They have the followi
* Supported file formats: JPEG, PNG, BMP, PDF, and TIFF * For PDF and TIFF files, up to 2000 pages (only first two pages for the free tier) are processed. * The file size must be less than 50 MB (4 MB for the free tier) and dimensions at least 50 x 50 pixels and at most 10000 x 10000 pixels.
-* The PDF dimensions must be at most 17 x 17 inches, corresponding to legal or A3 paper sizes and smaller.
## Read API
The Computer Vision [Read API](https://centraluseuap.dev.cognitive.microsoft.com
![How OCR converts images and documents into structured output with extracted text](./Images/how-ocr-works.svg)
+### Key features
+
+The Read API includes the following features.
+
+* Print text extraction in 73 languages
+* Handwritten text extraction in English
+* Text lines and words with location and confidence scores
+* No language identification required
+* Support for mixed languages, mixed mode (print and handwritten)
+* Select pages and page ranges from large, multi-page documents
+* Natural reading order for text lines
+* Handwriting classification for text lines
+* Available as Distroless Docker container for on-premise deployment
+
+Learn [how to use the OCR features](./vision-api-how-to-topics/call-read-api.md).
## Use the cloud API or deploy on-premise The Read 3.x cloud APIs are the preferred option for most customers because of ease of integration and fast productivity out of the box. Azure and the Computer Vision service handle scale, performance, data security, and compliance needs while you focus on meeting your customers' needs.
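Review bot: The line "The PDF dimensions must be at most 17 x 17 inches" is removed from the input requirements without any replacement. Confirm that the limit was actually lifted in the service and not just dropped from the page, since callers rely on this list to validate documents before upload. In the new Key features list, "on-premise deployment" should be "on-premises", and "Print text extraction in 73 languages" should link to the language list so the number can be verified.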
cognitive-services Spatial Analysis Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/spatial-analysis-operations.md
This is an example of the DETECTOR_NODE_CONFIG parameters for all Spatial Analys
| `zones` | list| List of zones. | | `name` | string| Friendly name for this zone.| | `polygon` | list| Each value pair represents the x,y for vertices of a polygon. The polygon represents the areas in which people are tracked or counted and polygon points are based on normalized coordinates (0-1), where the top left corner is (0.0, 0.0) and the bottom right corner is (1.0, 1.0).
-| `threshold` | float| Events are egressed when the confidence of the AI models is greater or equal this value. |
+| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. |
| `type` | string| For **cognitiveservices.vision.spatialanalysis-personcount** this should be `count`.| | `trigger` | string| The type of trigger for sending an event. Supported values are `event` for sending events when the count changes or `interval` for sending events periodically, irrespective of whether the count has changed or not. | `output_frequency` | int | The rate at which events are egressed. When `output_frequency` = X, every X event is egressed, ex. `output_frequency` = 2 means every other event is output. The `output_frequency` is applicable to both `event` and `interval`. |
This is an example of a JSON input for the SPACEANALYTICS_CONFIG parameter that
| `line` | list| The definition of the line. This is a directional line allowing you to understand "entry" vs. "exit".| | `start` | value pair| x, y coordinates for line's starting point. The float values represent the position of the vertex relative to the top,left corner. To calculate the absolute x, y values, you multiply these values with the frame size. | | `end` | value pair| x, y coordinates for line's ending point. The float values represent the position of the vertex relative to the top,left corner. To calculate the absolute x, y values, you multiply these values with the frame size. |
-| `threshold` | float| Events are egressed when the confidence of the AI models is greater or equal this value. The default value is 16. This is the recommended value to achieve maximum accuracy. |
+| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. The default value is 16. This is the recommended value to achieve maximum accuracy. |
| `type` | string| For **cognitiveservices.vision.spatialanalysis-personcrossingline** this should be `linecrossing`.| |`trigger`|string|The type of trigger for sending an event.<br>Supported Values: "event": fire when someone crosses the line.| | `focus` | string| The point location within person's bounding box used to calculate events. Focus's value can be `footprint` (the footprint of person), `bottom_center` (the bottom center of person's bounding box), `center` (the center of person's bounding box). The default value is footprint.|
This is an example of a JSON input for the SPACEANALYTICS_CONFIG parameter that
| `zones` | list| List of zones. | | `name` | string| Friendly name for this zone.| | `polygon` | list| Each value pair represents the x,y for vertices of polygon. The polygon represents the areas in which people are tracked or counted. The float values represent the position of the vertex relative to the top,left corner. To calculate the absolute x, y values, you multiply these values with the frame size.
-| `threshold` | float| Events are egressed when the confidence of the AI models is greater or equal this value. The default value is 48 when type is zonecrossing and 16 when time is DwellTime. These are the recommended values to achieve maximum accuracy. |
+| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. The default value is 48 when type is zonecrossing and 16 when time is DwellTime. These are the recommended values to achieve maximum accuracy. |
| `type` | string| For **cognitiveservices.vision.spatialanalysis-personcrossingpolygon** this should be `zonecrossing` or `zonedwelltime`.| | `trigger`|string|The type of trigger for sending an event<br>Supported Values: "event": fire when someone enters or exits the zone.| | `focus` | string| The point location within person's bounding box used to calculate events. Focus's value can be `footprint` (the footprint of person), `bottom_center` (the bottom center of person's bounding box), `center` (the center of person's bounding box). The default value is footprint.|
This is an example of a JSON input for the SPACEANALYTICS_CONFIG parameter that
| `zones` | list| List of zones. | | `name` | string| Friendly name for this zone.| | `polygon` | list| Each value pair represents the x,y for vertices of polygon. The polygon represents the areas in which people are counted and the distance between people is measured. The float values represent the position of the vertex relative to the top,left corner. To calculate the absolute x, y values, you multiply these values with the frame size.
-| `threshold` | float| Events are egressed when the confidence of the AI models is greater or equal this value. |
+| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. |
| `type` | string| For **cognitiveservices.vision.spatialanalysis-persondistance** this should be `people_distance`.| | `trigger` | string| The type of trigger for sending an event. Supported values are `event` for sending events when the count changes or `interval` for sending events periodically, irrespective of whether the count has changed or not. | `output_frequency` | int | The rate at which events are egressed. When `output_frequency` = X, every X event is egressed, ex. `output_frequency` = 2 means every other event is output. The `output_frequency` is applicable to both `event` and `interval`.|
cognitive-services Cognitive Services Encryption Keys Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Encryption/cognitive-services-encryption-keys-portal.md
Previously updated : 05/28/2020 Last updated : 04/07/2021
The process to enable Customer-Managed Keys with Azure Key Vault for Cognitive S
* [QnA Maker encryption of data at rest](../QnAMaker/encrypt-data-at-rest.md) * [Translator encryption of data at rest](../translator/encrypt-data-at-rest.md)
+## Speech
+
+* [Speech encryption of data at rest](../speech-service/speech-encryption-of-data-at-rest.md)
+ ## Decision * [Content Moderator encryption of data at rest](../Content-Moderator/encrypt-data-at-rest.md) * [Personalizer encryption of data at rest](../personalizer/encrypt-data-at-rest.md)
+* [Metrics Advisor encryption of data at rest](../metrics-advisor/encryption.md)
## Next steps
cognitive-services How To Custom Commands Setup Web Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-commands-setup-web-endpoints.md
In this article, you will learn how to setup web endpoints in a Custom Commands
- Integrate the web endpoints response into a custom JSON payload, send, and visualize it from a C# UWP Speech SDK client application ## Prerequisites+ > [!div class = "checklist"] > * [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) > * An Azure subscription key for Speech service:
In this article, you will learn how to setup web endpoints in a Custom Commands
> * A Speech SDK enabled client app: [How-to: end activity to client application](./how-to-custom-commands-setup-speech-sdk.md)
-## Setup web endpoints
+## Deploy an external web endpoint using Azure Function App
+
+* For the sake of this tutorial, you need an HTTP endpoint which maintains states for all the devices which you set up in the **TurnOnOff** command of your custom commands application.
+
+* If you already have a web endpoint you want to call, skip to the [next section](#setup-web-endpoints-in-custom-commands). Alternatively, in the next section, we have provided you with a default hosted web endpoint which you can use if you want to skip this section.
+
+### Input format of Azure Function
+* Next, you will deploy an endpoint using [Azure Functions](../../azure-functions/index.yml).
+The following is the general format of an Custom Commands event that is passed to your Azure function. Use this information when you're writing you function app.
+
+ ```json
+ {
+ "conversationId": "string",
+ "currentCommand": {
+ "name": "string",
+ "parameters": {
+ "SomeParameterName": "string",
+ "SomeOtherParameterName": "string"
+ }
+ },
+ "currentGlobalParameters": {
+ "SomeGlobalParameterName": "string",
+ "SomeOtherGlobalParameterName": "string"
+ }
+ }
+ ```
+
+
+* Let's review the key attributes of this input:
+
+ | Attribute | Explanation |
+ | - | |
+ | **conversationId** | The unique identifier of the conversation. Note that this ID can be generated from the client app. |
+ | **currentCommand** | The command that's currently active in the conversation. |
+ | **name** | The name of the command. The `parameters` attribute is a map with the current values of the parameters. |
+ | **currentGlobalParameters** | A map like `parameters`, but used for global parameters. |
++
+* For the **DeviceState** Azure Function, an example Custom Commands event will look like following. This will act as an **input** to the function app.
+
+ ```json
+ {
+ "conversationId": "someConversationId",
+ "currentCommand": {
+ "name": "TurnOnOff",
+ "parameters": {
+ "item": "tv",
+ "value": "on"
+ }
+ }
+ }
+ ```
+
+### Output format of Azure Function
+
+#### Output consumed by a Custom Commands application
+In this case you can set the output format must adhere to the following format. Follow [Update a command from a web endpoint](./how-to-custom-commands-update-command-from-web-endpoint.md) for more details.
+
+```json
+{
+ "updatedCommand": {
+ "name": "SomeCommandName",
+ "updatedParameters": {
+ "SomeParameterName": "SomeParameterValue"
+ },
+ "cancel": false
+ },
+ "updatedGlobalParameters": {
+ "SomeGlobalParameterName": "SomeGlobalParameterValue"
+ }
+}
+```
+
+#### Output consumed by a client application
+In this case you can set the output format to suit your client's need.
+* For our **DeviceState** endpoint, output of the Azure function is consumed by a client application instead of the Custom Commands application. Example **output** of the Azure function should like following:
+
+ ```json
+ {
+ "TV": "on",
+ "Fan": "off"
+ }
+ ```
+
+* Also, this output should be written to an external storage, so that you can accordingly maintain the state of devices. The external storage state will be used in the [Integrate with client application section](#integrate-with-client-application).
++
+### Host Azure Function
+
+1. Create table storage account to save device state.
+ 1. Go to Azure portal and create a new resource of type **Storage account** by name **devicestate**.
+ 1. Copy the **Connection string** value from **devicestate -> Access keys**.
+ 1. You will need to add this string to the downloaded sample Function App code.
+ 1. Download sample [Function App code](https://aka.ms/speech/cc-function-app-sample).
+ 1. Open the downloaded solution in VS 2019. In file **Connections.json**, replace **STORAGE_ACCOUNT_SECRET_CONNECTION_STRING** value to the copied secret from *step a*.
+1. Download the **DeviceStateAzureFunction** code.
+1. [Deploy](../../azure-functions/index.yml) the Functions App to Azure.
+
+ 1. Wait for deployment to succeed and go the deployed resource on the Azure portal.
+ 1. Select **Functions** in the left pane, and then select **DeviceState**.
+ 1. In the new window, select **Code + Test** and then select **Get function URL**.
+
+## Setup web endpoints in Custom Commands
+Let's hook up the Azure function with the existing Custom Commands application.
+In this section, you will use an existing default **DeviceState** endpoint. If you created your own web-endpoint using Azure Function or otherwise, use that instead of the default https://webendpointexample.azurewebsites.net/api/DeviceState.
1. Open the Custom Commands application you previously created. 1. Go to "Web endpoints", click "New web endpoint".
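Review bot: Under "Host Azure Function", the step that pastes the storage account connection string into **Connections.json** puts an account-level secret in a source file that is then opened in Visual Studio and deployed. Tell readers to keep it out of source control, or better, read it from the Function App's application settings or Key Vault. The same step refers to "*step a*" although the sub-steps are numbered `1.`, and top-level step 2 ("Download the **DeviceStateAzureFunction** code") repeats the download sub-step above it. Under "Output consumed by a Custom Commands application", the sentence "In this case you can set the output format must adhere to the following format" is garbled and should read "In this case the output must adhere to the following format". The attribute table's separator row (`| - | |`) is incomplete.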
In this article, you will learn how to setup web endpoints in a Custom Commands
| Headers | Key: app, Value: take the first 8 digits of your applicationId | The header parameters to include in the request header.| > [!NOTE]
- > - The example web endpoint created using [Azure Function](../../azure-functions/index.yml), which hooks up with the database that saves the device state of the tv and fan
+ > - The example web endpoint created using [Azure function](../../azure-functions/index.yml), which hooks up with the database that saves the device state of the tv and fan
> - The suggested header is only needed for the example endpoint > - To make sure the value of the header is unique in our example endpoint, take the first 8 digits of your applicationId > - In real world, the web endpoint can be the endpoint to the [IOT hub](../../iot-hub/about-iot-hub.md) that manages your devices
Remove one of the query parameters, save, retrain, and test
## Integrate with client application
-In [How-to: Send activity to client application (Preview)](./how-to-custom-commands-send-activity-to-client.md), you added a **Send activity to client** action. The activity is sent to the client application whether or not **Call web endpoint** action is successful or not.
+In [How-to: Send activity to client application](./how-to-custom-commands-send-activity-to-client.md), you added a **Send activity to client** action. The activity is sent to the client application whether or not **Call web endpoint** action is successful or not.
However, in most of the cases you only want to send activity to the client application when the call to the web endpoint is successful. In this example, this is when the device's state is successfully updated. 1. Delete the **Send activity to client** action you previously added.
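Review bot: The replaced sentence still carries the doubled "whether or not **Call web endpoint** action is successful or not". Since the line is already changing to drop "(Preview)" from the link text, suggest "whether or not the **Call web endpoint** action is successful".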
cognitive-services Local Search Java Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/bing-local-business-search/quickstarts/local-search-java-quickstart.md
description: Use this quickstart to begin sending requests in Java to the Bing Local Business Search API, which is an Azure Cognitive Service. + Last updated : 05/12/2020+ - Previously updated : 05/12/2020--+
+ - devx-track-java
+ - mode-api
# Quickstart: Send a query to the Bing Local Business Search API using Java
public class LocalSearchCls {
## Next steps - [Local Business Search C# quickstart](local-quickstart.md) - [Local Business Search Node.js quickstart](local-search-node-quickstart.md)-- [Local Business Search Python quickstart](local-search-python-quickstart.md)
+- [Local Business Search Python quickstart](local-search-python-quickstart.md)
cognitive-services Local Search Python Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/bing-local-business-search/quickstarts/local-search-python-quickstart.md
description: Use this quickstart to start using the Bing Local Business Search API in Python. + Last updated : 05/12/2020+ - Previously updated : 05/12/2020--+
+ - devx-track-python
+ - mode-api
# Quickstart: Send a query to the Bing Local Business Search API in Python
print (json.dumps(json.loads(result), indent=4))
## Next steps - [Local Business Search Java quickstart](local-search-java-quickstart.md) - [Local Business Search C# quickstart](local-quickstart.md)-- [Local Business Search Node.js quickstart](local-search-node-quickstart.md)
+- [Local Business Search Node.js quickstart](local-search-node-quickstart.md)
cognitive-services Concept Identification Cards https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/concept-identification-cards.md
Previously updated : 03/15/2021 Last updated : 04/14/2021
-# Form Recognizer prebuilt identification card (ID) model
+# Form Recognizer prebuilt identification (ID) document model
-Azure Form Recognizer can analyze and extract information from government identification cards (IDs) using its prebuilt IDs model. It combines our powerful [Optical Character Recognition (OCR)](../computer-vision/overview-ocr.md) capabilities with ID recognition capabilities to extract key information from Worldwide Passports and U.S. Driver's Licenses (all 50 states and D.C.). The IDs API extracts key information from these identity documents, such as first name, last name, date of birth, document number, and more. This API is available in the Form Recognizer v2.1 preview as a cloud service and as an on-premise container.
+Azure Form Recognizer can analyze and extract information from government-issued identification documents (IDs) using its prebuilt IDs model. It combines our powerful [Optical Character Recognition (OCR)](../computer-vision/overview-ocr.md) capabilities with ID recognition capabilities to extract key information from Worldwide Passports and U.S. Driver's Licenses (all 50 states and D.C.). The IDs API extracts key information from these identity documents, such as first name, last name, date of birth, document number, and more. This API is available in the Form Recognizer v2.1 preview as a cloud service and as an on-premise container.
-## What does the ID service do?
+## What does the ID service do?
-The prebuilt IDs service extracts the key values from worldwide passports and U.S. Driver's Licenses and returns them in an organized structured JSON response.
+The prebuilt IDs service extracts the key values from worldwide passports and U.S. Driver's Licenses and returns them in an organized structured JSON response.
+
+### **Driver's license example**
![Sample Driver's License](./media/id-example-drivers-license.JPG)
+### **Passport example**
+ ![Sample Passport](./media/id-example-passport-result.JPG) ### Fields extracted
-|Name| Type | Description | Value |
+|Name| Type | Description | Value |
|:--|:-|:-|:-|
-| Country | country | Country code compliant with ISO 3166 standard | "USA" |
-| DateOfBirth | date | DOB in YYYY-MM-DD format | "1980-01-01" |
-| DateOfExpiration | date | Expiration date in YYYY-MM-DD format | "2019-05-05" |
-| DocumentNumber | string | Relevant passport number, driver's license number, etc. | "340020013" |
-| FirstName | string | Extracted given name and middle initial if applicable | "JENNIFER" |
-| LastName | string | Extracted surname | "BROOKS" |
+| Country | country | Country code compliant with ISO 3166 standard | "USA" |
+| DateOfBirth | date | DOB in YYYY-MM-DD format | "1980-01-01" |
+| DateOfExpiration | date | Expiration date in YYYY-MM-DD format | "2019-05-05" |
+| DocumentNumber | string | Relevant passport number, driver's license number, etc. | "340020013" |
+| FirstName | string | Extracted given name and middle initial if applicable | "JENNIFER" |
+| LastName | string | Extracted surname | "BROOKS" |
| Nationality | country | Country code compliant with ISO 3166 standard | "USA" |
-| Sex | gender | Possible extracted values include "M", "F" and "X" | "F" |
+| Sex | gender | Possible extracted values include "M", "F" and "X" | "F" |
| MachineReadableZone | object | Extracted Passport MRZ including two lines of 44 characters each | "P<USABROOKS<<JENNIFER<<<<<<<<<<<<<<<<<<<<<<< 3400200135USA8001014F1905054710000307<715816" |
-| DocumentType | string | Document type, for example, Passport, Driver's License | "passport" |
+| DocumentType | string | Document type, for example, Passport, Driver's License | "passport" |
| Address | string | Extracted address (Driver's License only) | "123 STREET ADDRESS YOUR CITY WA 99999-1234"|
-| Region | string | Extracted region, state, province, etc. (Driver's License only) | "Washington" |
+| Region | string | Extracted region, state, province, etc. (Driver's License only) | "Washington" |
### Additional features
The IDs API also returns the following information:
> [!NOTE] > Pre-built IDs does not detect ID authenticity >
- > Form Recognizer Pre-built IDs extracts key data from ID data. However, it does not detect the validity or authenticity of the original identity document.
+ > Form Recognizer Pre-built IDs extracts key data from ID data. However, it does not detect the validity or authenticity of the original identity document.
## Try it out
To try out the Form Recognizer IDs service, go to the online Sample UI Tool:
[!INCLUDE [input requirements](./includes/input-requirements-receipts.md)]
-## Supported ID types
+## Supported ID types
-* **Pre-built IDs v2.1-preview.3** Extracts key values from worldwide passports, and U.S. Driver's Licenses.
+* **Pre-built IDs v2.1-preview.3** Extracts key values from worldwide passports, and U.S. Driver's Licenses.
> [!NOTE]
- > ID type support
+ > ID type support
> > Currently supported ID types include worldwide passport and U.S. Driver's Licenses. We are actively seeking to expand our ID support to other identity documents around the world.
See the following example of a successful JSON response:
The `readResults` node contains all of the recognized text. Text is organized by page, then by line, then by individual words. The `documentResults` node contains the ID values that the model discovered. This node is also where you'll find useful key/value pairs like the first name, last name, document number, and more. ```json
-{
+{
"status": "succeeded", "createdDateTime": "2021-03-04T22:29:33Z", "lastUpdatedDateTime": "2021-03-04T22:29:36Z",
The `readResults` node contains all of the recognized text. Text is organized by
... } ],
-
+ "documentResults": [ { "docType": "prebuilt:idDocument:passport",
The `readResults` node contains all of the recognized text. Text is organized by
} ``` - ## Next steps -- Try your own IDs and samples in the [Form Recognizer Sample UI](https://fott-preview.azurewebsites.net/).-- Complete a [Form Recognizer quickstart](quickstarts/client-library.md) to get started writing an ID processing app with Form Recognizer in the development language of your choice.
+* Try your own IDs and samples in the [Form Recognizer Sample UI](https://fott-preview.azurewebsites.net/).
+* Complete a [Form Recognizer quickstart](quickstarts/client-library.md) to get started writing an ID processing app with Form Recognizer in the development language of your choice.
## See also
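Review bot: The title and intro now say "identification (ID) document model" and "government-issued identification documents", but the lines re-saved in this same change still alternate between "prebuilt IDs" (the intro and "What does the ID service do?") and "Pre-built IDs" (the authenticity note and "Supported ID types"). Settle on one spelling while these lines are open. The intro's "on-premise container" should read "on-premises". Most of the table rows and several headings appear to differ only in whitespace, which buries the substantive edits (the title, the reworded intro, the two new example headings); consider moving the whitespace cleanup into its own commit.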
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/overview.md
Explore the [REST API reference documentation](https://westus.dev.cognitive.micr
### [v2.0](#tab/v2-0)
-Explore the [REST API reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1-preview-3/operations/AnalyzeWithCustomForm) to learn more. If you're familiar with a previous version of the API, see the [What's new](./whats-new.md) article to learn about recent changes.
+Explore the [REST API reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/AnalyzeLayoutAsync) to learn more. If you're familiar with a previous version of the API, see the [What's new](./whats-new.md) article to learn about recent changes.
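Review bot: In the v2.0 tab, the new link fixes the version by pointing at `form-recognizer-api-v2`, but it also changes the operation from `AnalyzeWithCustomForm` to `AnalyzeLayoutAsync`. If readers of this sentence are still meant to land on the custom-form operation, keep `AnalyzeWithCustomForm` under the v2 path; if the layout operation is the intended landing page, say so in the commit message. The URL also stays pinned to the `westus` host.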
cognitive-services Client Library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/quickstarts/client-library.md
Previously updated : 01/29/2021 Last updated : 04/14/2021 zone_pivot_groups: programming-languages-set-formre
keywords: forms processing, automated data processing
# Quickstart: Use the Form Recognizer client library or REST API
-Get started with the Form Recognizer using the development language of your choice. Azure Form Recognizer is a cognitive service that lets you build automated data processing software using machine learning technology. Identify and extract text, key/value pairs, selection marks, table data and more from your form documents&mdash;the service outputs structured data that includes the relationships in the original file. You can use Form Recognizer via the REST API or SDK. Follow these steps to install the SDK package and try out the example code for basic tasks.
+Get started with the Form Recognizer using the development language of your choice. Azure Form Recognizer is a cognitive service that lets you build automated data processing software using machine learning technology. Identify and extract text, key/value pairs, selection marks, table data and more from your form documents&mdash;the service outputs structured data that includes the relationships in the original file. You can use Form Recognizer via the REST API or SDK. Follow these steps to install the SDK package and try out the example code for basic tasks.
Use Form Recognizer to: * [Analyze Layout](#analyze-layout)
+* [Analyze receipts](#analyze-receipts)
+* [Analyze business cards](#analyze-business-cards)
* [Analyze invoices](#analyze-invoices)
+* [Analyze identity documents](#analyze-identity-documents)
* [Train a custom model](#train-a-custom-model) * [Analyze forms with a custom model](#analyze-forms-with-a-custom-model)
-* [Analyze receipts](#analyze-receipts)
-* [Analyze business cards](#analyze-business-cards)
* [Manage your custom models](#manage-your-custom-models) ::: zone pivot="programming-language-csharp"
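Review bot: The new entry `[Analyze identity documents](#analyze-identity-documents)` sits above the `zone pivot` blocks, so it is shown for every language pivot. Check that each pivot's content defines an `analyze-identity-documents` heading; where it does not, the link resolves to nothing for those readers.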
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/whats-new.md
Previously updated : 03/15/2021 Last updated : 04/14/2021 <!-- markdownlint-disable MD024 -->
+<!-- markdownlint-disable MD036 -->
# What's new in Form Recognizer? The Form Recognizer service is updated on an ongoing basis. Use this article to stay up to date with feature enhancements, fixes, and documentation updates.
+## April 2021
+<!-- markdownlint-disable MD029 -->
+
+### SDK updates (API version 2.1-preview.3)
+
+### **C# version 3.1.0-beta.4**
+
+* **New methods to analyze data from identity documents**:
+
+ **[StartRecognizeIdDocumentsFromUriAsync](/dotnet/api/azure.ai.formrecognizer.formrecognizerclient.startrecognizeiddocumentsasync?view=azure-dotnet-preview&preserve-view=true)**
+
+ **[StartRecognizeIdDocumentsAsync](/dotnet/api/azure.ai.formrecognizer.formrecognizerclient.startrecognizeiddocumentsasync?view=azure-dotnet-preview&preserve-view=true)**
+
+ For a list of field values, _see_ [Fields extracted](concept-identification-cards.md#fields-extracted) in our Form Recognizer documentation.
+
+* Expanded the set of document languages that can be provided to the **[StartRecognizeContent](/dotnet/api/azure.ai.formrecognizer.formrecognizerclient.startrecognizecontent?view=azure-dotnet-preview&preserve-view=true)** method.
+
+* **New property `Pages` supported by the following classes**:
+
+ **[RecognizeBusinessCardsOptions](/dotnet/api/azure.ai.formrecognizer.recognizebusinesscardsoptions?view=azure-dotnet-preview&preserve-view=true)**</br>
+ **[RecognizeCustomFormsOptions](/dotnet/api/azure.ai.formrecognizer.recognizecustomformsoptions?view=azure-dotnet-preview&preserve-view=true)**</br>
+ **[RecognizeInvoicesOptions](/dotnet/api/azure.ai.formrecognizer.recognizeinvoicesoptions?view=azure-dotnet-preview&preserve-view=true)**</br>
+ **[RecognizeReceiptsOptions](/dotnet/api/azure.ai.formrecognizer.recognizereceiptsoptions?view=azure-dotnet-preview&preserve-view=true)**</br>
+
+ The `Pages` property allows you to select individual or a range of pages for multi-page PDF and TIFF documents. For individual pages, enter the page number, for example, `3`. For a range of pages (like page 2 and pages 5-7) enter the p age numbers and ranges separated by commas: `2, 5-7`.
+
+* **New property `ReadingOrder` supported for the following class**:
+
+ **[RecognizeContentOptions](/dotnet/api/azure.ai.formrecognizer.recognizecontentoptions?view=azure-dotnet-preview&preserve-view=true)**
+
+ The `ReadingOrder` property is an optional parameter that allows you to specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.
+
+#### Breaking changes
+
+* The client defaults to the latest supported service version, which is currently **2.1-preview.3**.
+
+* **[StartRecognizeCustomForms](/dotnet/api/azure.ai.formrecognizer.formrecognizerclient.startrecognizecustomforms?view=azure-dotnet-preview&preserve-view=true#Azure_AI_FormRecognizer_FormRecognizerClient_StartRecognizeCustomForms_System_String_System_IO_Stream_Azure_AI_FormRecognizer_RecognizeCustomFormsOptions_System_Threading_CancellationToken_)** method now throws a `RequestFailedException()` when an invalid file is passed.
+
+### **Java version 3.1.0-beta.3**
+
+* **New methods to analyze data from identity documents**:
+
+ **[beginRecognizeIdDocumentsFromUrl](/java/api/com.azure.ai.formrecognizer.formrecognizerclient.beginrecognizeiddocumentsfromurl?view=azure-java-preview&preserve-view=true)**
+
+ **[beginRecognizeIdDocuments](/java/api/com.azure.ai.formrecognizer.formrecognizerclient.beginrecognizeiddocuments?view=azure-java-preview&preserve-view=true)**
+
+ For a list of field values, _see_ [Fields extracted](concept-identification-cards.md#fields-extracted) in our Form Recognizer documentation.
+
+* **Bitmap Image file (.bmp) support for custom forms and training methods in the `FormContentType` enum**:
+
+* `image/bmp`
+
+* **New property `Pages` supported by the following classes**:
+
+ **[RecognizeBusinessCardsOptions](/java/api/com.azure.ai.formrecognizer.models.recognizebusinesscardsoptions?view=azure-java-preview&preserve-view=true)**</br>
+ **[RecognizeCustomFormOptions](/java/api/com.azure.ai.formrecognizer.models.recognizecustomformsoptions?view=azure-java-preview&preserve-view=true)**</br>
+ **[RecognizeInvoicesOptions](/java/api/com.azure.ai.formrecognizer.models.recognizeinvoicesoptions?view=azure-java-preview&preserve-view=true)**</br>
+ **[RecognizeReceiptsOptions](/java/api/com.azure.ai.formrecognizer.models.recognizereceiptsoptions?view=azure-java-preview&preserve-view=true)**</br>
+
+ The `Pages` property allows you to select individual or a range of pages for multi-page PDF and TIFF documents. For individual pages, enter the page number, for example, `3`. For a range of pages (like page 2 and pages 5-7) enter the page numbers and ranges separated by commas: `2, 5-7`.
+
+* **Bitmap Image file (.bmp) support for custom forms and training methods in the [FormContentType](/java/api/com.azure.ai.formrecognizer.models.formcontenttype?view=azure-java-preview&preserve-view=true#fields) fields**:
+
+ `image/bmp`
+
+* **New keyword argument `ReadingOrder` supported for the following methods**:
+
+* **[beginRecognizeContent](https://docs.microsoft.com/java/api/com.azure.ai.formrecognizer.formrecognizerclient.beginrecognizecontent?view=azure-java-preview&preserve-view=true)**</br>
+**[beginRecognizeContentFromUrl](/java/api/com.azure.ai.formrecognizer.formrecognizerclient.beginrecognizecontentfromurl?view=azure-java-preview&preserve-view=true)**</br>
+
+ The `ReadingOrder` keyword argument is an optional parameter that allows you to specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.
+
+* The client defaults to the latest supported service version, which currently is **2.1-preview.3**.
+
+### **JavaScript version 3.1.0-beta.3**
+
+* **New methods to analyze data from identity documents**:
+
+ **[beginRecognizeIdDocumentsFromUrl](/javascript/api/@azure/ai-form-recognizer/formrecognizerclient?view=azure-node-preview&preserve-view=true&branch=main#beginRecognizeIdDocumentsFromUrl_string__BeginRecognizeIdDocumentsOptions_)**
+
+ **[beginRecognizeIdDocuments](/javascript/api/@azure/ai-form-recognizer/formrecognizerclient?view=azure-node-preview&preserve-view=true&branch=main#beginRecognizeIdDocuments_FormRecognizerRequestBody__BeginRecognizeIdDocumentsOptions_)**
+
+ For a list of field values, _see_ [Fields extracted](concept-identification-cards.md#fields-extracted) in our Form Recognizer documentation.
+
+* **New field values added to the FieldValue interface**:
+
+ `gender`ΓÇöpossible values are `M` `F` or `X`.</br>
+ `country`ΓÇöpossible values follow [ISO alpha-3](https://www.iso.org/obp/ui/#search) three-letter country code string.
+
+* **New option `pages` supported by all form recognition methods (custom forms and all prebuilt models). The argument allows you to select individual or a range of pages for multi-page PDF and TIFF documents. For individual pages, enter the page number, for example, `3`. For a range of pages (like page 2 and pages 5-7) enter the page numbers and ranges separated by commas: `2, 5-7`.
+
+* Added support for a **[ReadingOrder](/javascript/api/@azure/ai-form-recognizer/readingorder?view=azure-node-preview&preserve-view=true)** type to the content recognition methods. This option enables you to control the algorithm that the service uses to determine how recognized lines of text should be ordered. You can specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.
+
+* Split **[FormField](/javascript/api/@azure/ai-form-recognizer/formfield?view=azure-node-preview&preserve-view=true)** type into several different interfaces. This should not cause any API compatibility issues except in certain edge cases (undefined valueType).
+
+* Migrated to the **2.1-preview.3** Form Recognizer service endpoint for all REST API calls.
+
+### **Python version 3.1.0b4**
+
+* **New methods to analyze data from identity documents**:
+
+ **[begin_recognize_id_documents_from_url](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python&preserve-view=true)**
+
+ **[begin_recognize_id_documents](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python&preserve-view=true)**
+
+ For a list of field values, _see_ [Fields extracted](concept-identification-cards.md#fields-extracted) in our Form Recognizer documentation.
+
+* **New field values added to the [FieldValueType](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.fieldvaluetype?view=azure-python-preview&preserve-view=true) enum**:
+
+ genderΓÇöpossible values are `M` `F` or `X`.
+
+ countryΓÇöpossible values follow [ISO alpha-3 Country Codes](https://www.iso.org/obp/ui/#search).
+
+* **Bitmap Image file (.bmp) support for custom forms and training methods in the [FormContentType](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formcontenttype?view=azure-python-preview&preserve-view=true) enum**:
+
+ image/bmp
+
+* **New keyword argument `pages` supported by the following methods**:
+
+ **[begin_recognize_receipts](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true&branch=main#begin-recognize-receipts-receipt-kwargs-)**
+
+ **[begin_recognize_receipts_from_url](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-receipts-from-url-receipt-url-kwargs-)**
+
+ **[begin_recognize_business_cards](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-business-cards-business-card-kwargs-)**
+
+ **[begin_recognize_business_cards_from_url](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-business-cards-from-url-business-card-url-kwargs-)**
+
+ **[begin_recognize_invoices](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-invoices-invoice-kwargs-)**
+
+ **[begin_recognize_invoices_from_url](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-invoices-from-url-invoice-url-kwargs-)**
+
+ **[begin_recognize_content](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-content-form-kwargs-)**
+
+ **[begin_recognize_content_from_url](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-content-from-url-form-url-kwargs-)**
+
+ The `pages` keyword argument allows you to select individual or a range of pages for multi-page PDF and TIFF documents. For individual pages, enter the page number, for example, `3`. For a range of pages (like page 2 and pages 5-7) enter the page numbers and ranges separated by commas: `2, 5-7`.
+
+* **New keyword argument `readingOrder` supported for the following methods**:
+
+ **[begin_recognize_content](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-content-form-kwargs-)**
+
+ **[begin_recognize_content_from_url](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formrecognizerclient?view=azure-python-preview&preserve-view=true#begin-recognize-content-from-url-form-url-kwargs-)**
+
+ The `readingOrder` keyword argument is an optional parameter that allows you to specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.
+ ## March 2021 **Form Recognizer v2.1 public preview 3 is now available.** v2.1-preview.3 has been released, including the following features: -- **New prebuilt ID model** The new prebuilt ID model enables customers to take IDs and return structured data to automate processing. It combines our powerful Optical Character Recognition (OCR) capabilities with ID understanding models to extract key information from passports and U.S. driver licenses, such as name, date of birth, issue date, expiration date, and more.
+* **New prebuilt ID model** The new prebuilt ID model enables customers to take IDs and return structured data to automate processing. It combines our powerful Optical Character Recognition (OCR) capabilities with ID understanding models to extract key information from passports and U.S. driver licenses, such as name, date of birth, issue date, expiration date, and more.
[Learn more about the prebuilt ID model](concept-identification-cards.md) :::image type="content" source="./media/id-canada-passport-example.png" alt-text="passport example" lightbox="./media/id-canada-passport-example.png"::: -- **Line-item extraction for prebuilt invoice model** - Prebuilt Invoice model now supports line item extraction; it now extracts full items and their parts - description, amount, quantity, product ID, date and more. With a simple API/SDK call you can extract useful data from your invoices - text, table, key-value pairs, and line items.
+* **Line-item extraction for prebuilt invoice model** - Prebuilt Invoice model now supports line item extraction; it now extracts full items and their parts - description, amount, quantity, product ID, date and more. With a simple API/SDK call, you can extract useful data from your invoices - text, table, key-value pairs, and line items.
[Learn more about the prebuilt invoice model](concept-invoices.md) -- **Supervised table labeling and training, empty-value labeling** - In addition to Form Recognizer's [state-of-the-art deep learning automatic table extraction capabilities](https://techcommunity.microsoft.com/t5/azure-ai/enhanced-table-extraction-from-documents-with-form-recognizer/ba-p/2058011), it now enables customers to label and train on tables. This new release includes the ability to label and train on line items/tables (dynamic and fixed) and train a custom model to extract key-value pairs and line items. Once a model is trained, the model will extract line items as part of the JSON output in the documentResults section.
+* **Supervised table labeling and training, empty-value labeling** - In addition to Form Recognizer's [state-of-the-art deep learning automatic table extraction capabilities](https://techcommunity.microsoft.com/t5/azure-ai/enhanced-table-extraction-from-documents-with-form-recognizer/ba-p/2058011), it now enables customers to label and train on tables. This new release includes the ability to label and train on line items/tables (dynamic and fixed) and train a custom model to extract key-value pairs and line items. Once a model is trained, the model will extract line items as part of the JSON output in the documentResults section.
:::image type="content" source="./media/table-labeling.png" alt-text="Table labeling" lightbox="./media/table-labeling.png":::
- In addition to labeling tables, you and now label empty values and regions; if some documents in your training set do not have values for certain fields, you can use this so that your model will know to extract values properly from analyzed documents.
+ In addition to labeling tables, you can now label empty values and regions; if some documents in your training set do not have values for certain fields, you can label them so that your model will know to extract values properly from analyzed documents.
-- **Support for 66 new languages** - Form Recognizer's Layout API and Custom Models now support 73 languages.
+* **Support for 66 new languages** - Form Recognizer's Layout API and Custom Models now support 73 languages.
[Learn more about Form Recognizer's language support](language-support.md) -- **Natural reading order, handwriting classification, and page selection** - With this update, you can choose to get the text line outputs in the natural reading order instead of the default left-to-right and to-to-bottom ordering. Use the new readingOrder query parameter and set it to "natural" value for a more human-friendly reading order output. In addition, for Latin languages, Form Recognizer will classify text lines as handwritten style or not and give a confidence score.
+* **Natural reading order, handwriting classification, and page selection** - With this update, you can choose to get the text line outputs in the natural reading order instead of the default left-to-right and top-to-bottom ordering. Use the new readingOrder query parameter and set it to "natural" value for a more human-friendly reading order output. In addition, for Latin languages, Form Recognizer will classify text lines as handwritten style or not and give a confidence score.
-- **Prebuilt receipt model quality improvements** This update includes a number of quality improvements for the prebuilt Receipt model, especially around line item extraction.
+* **Prebuilt receipt model quality improvements** This update includes many quality improvements for the prebuilt Receipt model, especially around line item extraction.
## November 2020 ### New features
-**Form Recognizer v2.1 public preview 2 is now available.** v2.1-preview.2 has been released, including the following features:
+**Form Recognizer v2.1 public preview 2 is now available.** v2.1-preview.2 has been released, including the following features:
-- **New prebuilt invoice model** - The new prebuilt Invoice model enables customers to take invoices in a variety of formats and return structured data to automate the invoice processing. It combines our powerful Optical Character Recognition (OCR) capabilities with invoice understanding deep learning models to extract key information from invoices in English. It extracts the text, tables, and information such as customer, vendor, invoice ID, invoice due date, total, amount due, tax amount, ship to, bill to, and more.
+- **New prebuilt invoice model** - The new prebuilt Invoice model enables customers to take invoices in various formats and return structured data to automate the invoice processing. It combines our powerful Optical Character Recognition (OCR) capabilities with invoice understanding deep learning models to extract key information from invoices in English. It extracts key text, tables, and information such as customer, vendor, invoice ID, invoice due date, total, amount due, tax amount, ship to, and bill to.
> [Learn more about the prebuilt invoice model](concept-invoices.md) :::image type="content" source="./media/invoice-example.jpg" alt-text="invoice example" lightbox="./media/invoice-example.jpg"::: -- **Enhanced table extraction** - Form Recognizer now provides enhanced table extraction, which combines our powerful Optical Character Recognition (OCR) capabilities with a deep learning table extraction model. Form Recognizer can extract data from tables, including complex tables with merged columns, rows, no borders and more.
-
+- **Enhanced table extraction** - Form Recognizer now provides enhanced table extraction, which combines our powerful Optical Character Recognition (OCR) capabilities with a deep learning table extraction model. Form Recognizer can extract data from tables, including complex tables with merged columns, rows, no borders and more.
+ :::image type="content" source="./media/tables-example.jpg" alt-text="tables example" lightbox="./media/tables-example.jpg":::
-
+ > [Learn more about Layout extraction](concept-layout.md) - **Client library update** - The latest versions of the [client libraries](quickstarts/client-library.md) for .NET, Python, Java, and JavaScript support the Form Recognizer 2.1 API.
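Review bot: In the C# 3.1.0-beta.4 section, the links for `StartRecognizeIdDocumentsFromUriAsync` and `StartRecognizeIdDocumentsAsync` both target `formrecognizerclient.startrecognizeiddocumentsasync`, so the FromUri entry does not lead to its own reference page; point it at the FromUri method or merge the two entries. Other points in the April 2021 block: the C# `Pages` paragraph has a stray space in "enter the p age numbers"; the Java section lists `image/bmp` support twice (once against the `FormContentType` enum, once against its fields) and calls `ReadingOrder` a "keyword argument", which is Python terminology; the JavaScript `pages` bullet opens bold with `**New option` and never closes it; the two Python ID-document links use `view=azure-python` while every other Python link in the block uses `view=azure-python-preview`; and the dash around `basic` or `natural` shows up as `ΓÇö` in each `ReadingOrder` paragraph, so confirm the file is saved as UTF-8. Lower in the same hunk, the March 2021 bullets switch from `-` to `*` while the November 2020 bullets keep `-`.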
The Form Recognizer service is updated on an ongoing basis. Use this article to
> [Try out the Form Recognizer Sample Tool](https://fott-preview.azurewebsites.net/) ![FOTT example](./media/ui-preview.jpg)
-
+ - **Feedback Loop** - When Analyzing files via the sample labeling tool you can now also add it to the training set and adjust the labels if necessary and train to improve the model. - **Auto Label Documents** - Automatically labels additional documents based on previous labeled documents in the project.
The Form Recognizer service is updated on an ongoing basis. Use this article to
### New features
-**Form Recognizer v2.1 public preview is now available.** V2.1-preview.1 has been released, including the following features:
+**Form Recognizer v2.1 public preview is now available.** V2.1-preview.1 has been released, including the following features:
-- **REST API reference is available** - View the [v2.1-preview.1 reference](https://westcentralus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1-preview-1/operations/AnalyzeBusinessCardAsync)
+- **REST API reference is available** - View the [v2.1-preview.1 reference](https://westcentralus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1-preview-1/operations/AnalyzeBusinessCardAsync)
- **New languages supported In addition to English**, the following [languages](language-support.md) are now supported: for `Layout` and `Train Custom Model`: English (`en`), Chinese (Simplified) (`zh-Hans`), Dutch (`nl`), French (`fr`), German (`de`), Italian (`it`), Portuguese (`pt`) and Spanish (`es`).-- **Checkbox / Selection Mark detection** ΓÇô Form Recognizer supports detection and extraction of selection marks such as check boxes and radio buttons. Selection Marks are extracted in `Layout` and you can now also label and train in `Train Custom Model` - _Train with Labels_ to extract key value pairs for selection marks. -- **Model Compose** - allows multiple models to be composed and called with a single model ID. When a document is submitted to be analyzed with a composed model ID, a classification step is first performed to route it to the correct custom model. Model Compose is available for `Train Custom Model` - _Train with labels_.
+- **Checkbox / Selection Mark detection** ΓÇô Form Recognizer supports detection and extraction of selection marks such as check boxes and radio buttons. Selection Marks are extracted in `Layout` and you can now also label and train in `Train Custom Model` - _Train with Labels_ to extract key value pairs for selection marks.
+- **Model Compose** - allows multiple models to be composed and called with a single model ID. When a you submit a document to be analyzed with a composed model ID, a classification step is first performed to route it to the correct custom model. Model Compose is available for `Train Custom Model` - _Train with labels_.
- **Model name** - add a friendly name to your custom models for easier management and tracking. - **[New pre-built model for Business Cards](concept-business-cards.md)** for extracting common fields in English, language business cards. - **[New locales for pre-built Receipts](concept-receipts.md)** in addition to EN-US, support is now available for EN-AU, EN-CA, EN-GB, EN-IN
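Review bot: the rewritten **Model Compose** bullet introduces a typo, "When a you submit a document"; drop the stray "a" so it reads "When you submit a document". The unchanged Business Cards bullet in the same hunk still reads "in English, language business cards", where the comma looks misplaced and could be fixed in the same pass.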
The Form Recognizer service is updated on an ongoing basis. Use this article to
**v2.0** includes the following update: -- The [client libraries](quickstarts/client-library.md) for NET, Python, Java, and JavaScript have entered General Availability.
+- The [client libraries](quickstarts/client-library.md) for NET, Python, Java, and JavaScript have entered General Availability.
-**New samples** are available on GitHub.
+**New samples** are available on GitHub.
-- The [Knowledge Extraction Recipes - Forms Playbook](https://github.com/microsoft/knowledge-extraction-recipes-forms) collects best practices from real Form Recognizer customer engagements and provides usable code samples, checklists, and sample pipelines used in developing these projects. -- The [sample labeling tool](https://github.com/microsoft/OCR-Form-Tools) has been updated to support the new v2.1 functionality. See this [quickstart](quickstarts/label-tool.md) for getting started with the tool.
+- The [Knowledge Extraction Recipes - Forms Playbook](https://github.com/microsoft/knowledge-extraction-recipes-forms) collects best practices from real Form Recognizer customer engagements and provides usable code samples, checklists, and sample pipelines used in developing these projects.
+- The [sample labeling tool](https://github.com/microsoft/OCR-Form-Tools) has been updated to support the new v2.1 functionality. See this [quickstart](quickstarts/label-tool.md) for getting started with the tool.
- The [Intelligent Kiosk](https://github.com/microsoft/Cognitive-Samples-IntelligentKiosk/blob/master/Documentation/FormRecognizer.md) Form Recognizer sample shows how to integrate `Analyze Receipt` and `Train Custom Model` - _Train without Labels_. ## July 2020
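Review bot: the client-libraries bullet under **v2.0** still says "for NET, Python, Java, and JavaScript" after this edit; the leading dot is missing, while other sections of the same article write ".NET". Since the line is being touched anyway, correct it to ".NET" here.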
The Form Recognizer service is updated on an ongoing basis. Use this article to
### New features <!-- markdownlint-disable MD004 --> * **v2.0 reference available** - View the [v2.0 API Reference](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/AnalyzeWithCustomForm) and the updated SDKs for [.NET](/dotnet/api/overview/azure/ai.formrecognizer-readme), [Python](/python/api/overview/azure/), [Java](/java/api/overview/azure/ai-formrecognizer-readme), and [JavaScript](/javascript/api/overview/azure/).
-* **Table enhancements and Extraction enhancements** - includes accuracy improvements and table extractions enhancements, specifically, the capability to learn tables headers and structures in _custom train without labels_.
+* **Table enhancements and Extraction enhancements** - includes accuracy improvements and table extractions enhancements, specifically, the capability to learn tables headers and structures in _custom train without labels_.
* **Currency support** - Detection and extraction of global currency symbols. * **Azure Gov** - Form Recognizer is now also available in Azure Gov.
-* **Enhanced security features**:
- * **Bring your own key** - Form Recognizer automatically encrypts your data when persisted to the cloud to protect it and to help you to meet your organizational security and compliance commitments. By default, your subscription uses Microsoft-managed encryption keys. You can now also manage your subscription with your own encryption keys. [Customer-managed keys, also known as bring your own key (BYOK)](./encrypt-data-at-rest.md), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
- * **Private endpoints** ΓÇô Enables you on a virtual network (VNet) to [securely access data over a Private Link.](../../private-link/private-link-overview.md)
+* **Enhanced security features**:
+ * **Bring your own key** - Form Recognizer automatically encrypts your data when persisted to the cloud to protect it and to help you to meet your organizational security and compliance commitments. By default, your subscription uses Microsoft-managed encryption keys. You can now also manage your subscription with your own encryption keys. [Customer-managed keys, also known as bring your own key (BYOK)](./encrypt-data-at-rest.md), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
+ * **Private endpoints** ΓÇô Enables you on a virtual network to [securely access data over a Private Link.](../../private-link/private-link-overview.md)
## June 2020
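Review bot: the re-added **Table enhancements and Extraction enhancements** bullet keeps the wording "table extractions enhancements" and "learn tables headers"; suggest "table extraction enhancements" and "learn table headers". In the **Private endpoints** bullet, "Enables you on a virtual network to securely access data" still reads awkwardly after "(VNet)" was dropped; consider rewording it so that "on a virtual network" does not split the verb phrase.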
The Form Recognizer service is updated on an ongoing basis. Use this article to
* **CopyModel API added to client SDKs** - You can now use the client SDKs to copy models from one subscription to another. See [Back up and recover models](./disaster-recovery.md) for general information on this feature. * **Azure Active Directory integration** - You can now use your Azure AD credentials to authenticate your Form Recognizer client objects in the SDKs.
-* **SDK-specific changes** - This includes both minor feature additions and breaking changes. See the SDK changelogs for more information.
+* **SDK-specific changes** - This change includes both minor feature additions and breaking changes. See the SDK changelogs for more information.
* [C# SDK Preview 3 changelog](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/formrecognizer/Azure.AI.FormRecognizer/CHANGELOG.md) * [Python SDK Preview 3 changelog](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/formrecognizer/azure-ai-formrecognizer/CHANGELOG.md) * [Java SDK Preview 3 changelog](https://github.com/Azure/azure-sdk-for-jav)
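Review bot: in the **SDK-specific changes** bullet, the new "This change includes both minor feature additions and breaking changes" uses a singular subject right after a plural label, and "change ... changes" repeats within one sentence. Suggest "These changes include both minor feature additions and breaking changes" or "This release includes ...".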
The Form Recognizer service is updated on an ongoing basis. Use this article to
### New features
-* **SDK support for Form Recognizer API v2.0 Public Preview** - This month we expanded our service support to include a preview SDK for Form Recognizer v2.0 (preview) release. Use the links below to get started with your language of choice:
+* **SDK support for Form Recognizer API v2.0 Public Preview** - This month we expanded our service support to include a preview SDK for Form Recognizer v2.0 (preview) release. Use the links below to get started with your language of choice:
* [.NET SDK](/dotnet/api/overview/azure/ai.formrecognizer-readme) * [Java SDK](/java/api/overview/azure/ai-formrecognizer-readme) * [Python SDK](/python/api/overview/azure/ai-formrecognizer-readme)
The Form Recognizer service is updated on an ongoing basis. Use this article to
* **Copy Custom Model** You can now copy models between regions and subscriptions using the new Copy Custom Model feature. Before invoking the Copy