Updates from: 04/28/2021 03:10:31
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Api Connectors Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/api-connectors-overview.md
Title: About API connectors in Azure AD B2C
-description: Use Azure Active Directory (Azure AD) API connectors to customize and extend your sign-up user flows by using web APIs.
+description: Use Azure Active Directory (Azure AD) API connectors to customize and extend your user flows by using REST APIs.
Previously updated : 10/15/2020 Last updated : 04/27/2021
+zone_pivot_groups: b2c-policy-type
# Use API connectors to customize and extend sign-up user flows ++ > [!IMPORTANT] > API connectors for sign-up is a public preview feature of Azure AD B2C. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Overview
-As a developer or IT administrator, you can use API connectors to integrate your sign-up user flows with web APIs to customize the sign-up experience and integrate with external systems. For example, with API connectors, you can:
+
+As a developer or IT administrator, you can use API connectors to integrate your sign-up user flows with REST APIs to customize the sign-up experience and integrate with external systems. For example, with API connectors, you can:
- **Validate user input data**. Validate against malformed or invalid user data. For example, you can validate user-provided data against existing data in an external data store or list of permitted values. If invalid, you can ask a user to provide valid data or block the user from continuing the sign-up flow. - **Integrate with a custom approval workflow**. Connect to a custom approval system for managing and limiting account creation. - **Overwrite user attributes**. Reformat or assign a value to an attribute collected from the user. For example, if a user enters the first name in all lowercase or all uppercase letters, you can format the name with only the first letter capitalized. -- **Perform identity verification**. Use an identity verification service to add an extra level of security to account creation decisions.
+- **Verify user identity**. Use an identity verification service to add an extra level of security to account creation decisions.
- **Run custom business logic**. You can trigger downstream events in your cloud systems to send push notifications, update corporate databases, manage permissions, audit databases, and perform other custom actions.
-An API connector provides Azure Active Directory with the information needed to call API endpoint by defining the HTTP endpoint URL and authentication for the API call. Once you configure an API connector, you can enable it for a specific step in a user flow. When a user reaches that step in the sign up flow, the API connector is invoked and materializes as an HTTP POST request to your API, sending user information ("claims") as key-value pairs in a JSON body. The API response can affect the execution of the user flow. For example, the API response can block a user from signing up, ask the user to re-enter information, or overwrite and append user attributes.
+An API connector provides Azure AD B2C with the information needed to call API endpoint by defining the HTTP endpoint URL and authentication for the API call. Once you configure an API connector, you can enable it for a specific step in a user flow. When a user reaches that step in the sign up flow, the API connector is invoked and materializes as an HTTP POST request to your API, sending user information ("claims") as key-value pairs in a JSON body. The API response can affect the execution of the user flow. For example, the API response can block a user from signing up, ask the user to reenter information, or overwrite and append user attributes.
## Where you can enable an API connector in a user flow
There are two places in a user flow where you can enable an API connector:
An API connector at this step in the sign-up process is invoked immediately after the user authenticates with an identity provider (like Google, Facebook, & Azure AD). This step precedes the ***attribute collection page***, which is the form presented to the user to collect user attributes. This step is not invoked if a user is registering with a local account. The following are examples of API connector scenarios you might enable at this step: - Use the email or federated identity that the user provided to look up claims in an existing system. Return these claims from the existing system, pre-fill the attribute collection page, and make them available to return in the token.-- Implement an allow or block list based on social identity.
+- Implement an allow or blocklist based on social identity.
### Before creating the user
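Review bot: "Implement an allow or blocklist based on social identity" in the new bullet reads as a typo; the pair should be "allowlist or blocklist" (the old wording was "allow or block list", so the rewrite only half-fixed it). Two smaller points in the same hunk: the rewritten overview sentence still says "the information needed to call API endpoint" (missing "an") and "sign up flow" where the rest of the article hyphenates "sign-up"; and the H1 still says "customize and extend sign-up user flows" while the updated front-matter description now says "user flows" generally and the merged custom-policy content covers sign-in steps too, so either broaden the heading or keep the description specific to sign-up.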
An API connector at this step in the sign-up process is invoked after the attrib
- Validate user input data and ask a user to resubmit data. - Block a user sign-up based on data entered by the user.-- Perform identity verification.
+- Verify user identity.
- Query external systems for existing data about the user to return it in the application token or store it in Azure AD. ++
+The Identity Experience Framework, which underlies Azure Active Directory B2C (Azure AD B2C), can integrate with RESTful APIs within a user journey. This article shows how to create a user journey that interacts with a RESTful service using a [RESTful technical profile](restful-technical-profile.md).
+
+Using Azure AD B2C, you can add your own business logic to a user journey by calling your own RESTful service. The Identity Experience Framework can send and receive data from your RESTful service to exchange claims. For example, you can:
+
+- **Validate user input data**. For example, you can verify that the email address provided by the user exists in your customer's database, and if not, present an error.
+- **Process claims**. If a user enters their first name in all lowercase or all uppercase letters, your REST API can format the name with only the first letter capitalized and return it to Azure AD B2C.
+- **Enrich user data by further integrating with corporate line-of-business applications**. Your RESTful service can receive the user's email address, query the customer's database, and return the user's loyalty number to Azure AD B2C. Then return claims can be stored in the user's Azure AD account, evaluated in the next orchestration steps, or included in the access token.
+- **Run custom business logic**. You can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and perform any other workflows.
+
+![Diagram of a RESTful service claims exchange](media/api-connectors-overview/restful-service-claims-exchange.png)
+
+> [!NOTE]
+> If there is slow or no response from the RESTful service to Azure AD B2C, the timeout is 30 seconds and the retry count is two times (meaning there are 3 tries in total). The timeout and retry count settings are not currently configurable.
+
+## Calling a RESTful service
+
+The interaction includes a claims exchange of information between the REST API claims and Azure AD B2C. You can design the integration with the RESTful services in the following ways:
+
+- **Validation technical profile**. The call to the RESTful service happens within a [validation technical profile](validation-technical-profile.md) of the specified [self-asserted technical profile](self-asserted-technical-profile.md), or a [verification display control](display-control-verification.md) of a [display control](display-controls.md). The validation technical profile validates the user-provided data before the user journey moves forward. With the validation technical profile, you can:
+
+ - Send claims to your REST API.
+ - Validate claims, and throw custom error messages that are displayed to the user.
+ - Send back claims from the REST API to next orchestration steps.
+
+- **Claims exchange**. A direct claims exchange can be configured by calling a REST API technical profile directly from an orchestration step of a [user journey](userjourneys.md). This definition is limited to:
+
+ - Send claims to your REST API.
+ - Validate claims, and throw custom error messages that are returned to the application.
+ - Send back claims from the REST API to next orchestration steps.
+
+You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:
+
+- During sign-in, just before Azure AD B2C validates the credentials.
+- Immediately after sign-in.
+- Before Azure AD B2C creates a new account in the directory.
+- After Azure AD B2C creates a new account in the directory.
+- Before Azure AD B2C issues an access token.
+
+![Validation technical profile collection](media/api-connectors-overview/validation-technical-profile.png)
+
+## Sending data
+
+In the [RESTful technical profile](restful-technical-profile.md), the `InputClaims` element contains a list of claims to send to your RESTful service. You can map the name of your claim to the name defined in the RESTful service, set a default value, and use [claims resolvers](claim-resolver-overview.md).
+
+You can configure how the input claims are sent to the RESTful claims provider by using the SendClaimsIn attribute. The possible values are:
+
+- **Body**, sent in the HTTP POST request body in JSON format.
+- **Form**, sent in the HTTP POST request body in an ampersand '&' separated key value format.
+- **Header**, sent in the HTTP GET request header.
+- **QueryString**, sent in the HTTP GET request query string.
+
+When the **Body** option is configured, the REST API technical profile allows you to send a complex JSON payload to an endpoint. For more information, see [Send a JSON payload](restful-technical-profile.md#send-a-json-payload).
+
+## Receiving data
+
+The `OutputClaims` element of the [RESTful technical profile](restful-technical-profile.md) contains a list of claims returned by the REST API. You may need to map the name of the claim defined in your policy to the name defined in the REST API. You can also include claims that aren't returned by the REST API identity provider, as long as you set the DefaultValue attribute.
+
+The output claims parsed by the RESTful claims provider always expect to parse a flat JSON Body response, such as:
+
+```json
+{
+ "name": "Emily Smith",
+ "email": "emily@outlook.com",
+ "loyaltyNumber": 1234
+}
+```
+
+The output claims should look like the following xml snippet:
+
+```xml
+<OutputClaims>
+ <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
+ <OutputClaim ClaimTypeReferenceId="email" />
+ <OutputClaim ClaimTypeReferenceId="loyaltyNumber" />
+</OutputClaims>
+```
+
+To parse a nested JSON Body response, set the ResolveJsonPathsInJsonTokens metadata to true. In the output claim, set the PartnerClaimType to the JSON path element you want to output.
+
+```json
+"contacts": [
+ {
+ "id": "MAINCONTACT_1",
+ "person": {
+ "name": "Emily Smith",
+ "loyaltyNumber": 1234,
+ "emails": [
+ {
+ "id": "EMAIL_1",
+ "type": "WORK",
+ "email": "email@domain.com"
+ }
+ ]
+ }
+ }
+],
+```
++
+The output claims should look like following xml snippet:
+
+```xml
+<OutputClaims>
+ <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="contacts[0].person.name" />
+ <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="contacts[0].person.emails[0].email" />
+ <OutputClaim ClaimTypeReferenceId="loyaltyNumber" PartnerClaimType="contacts[0].person.loyaltyNumber" />
+</OutputClaims>
+```
+
+## Localize the REST API
+
+In a RESTful technical profile, you may want to send the current session's language/locale, and if necessary, raise a localized error message. Using the [claims resolver](claim-resolver-overview.md), you can send a contextual claim, such as the user language. The following example shows a RESTful technical profile demonstrating this scenario.
+
+```xml
+<TechnicalProfile Id="REST-ValidateUserData">
+ <DisplayName>Validate user input data</DisplayName>
+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+ <Metadata>
+ <Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/identity</Item>
+ <Item Key="AuthenticationType">None</Item>
+ <Item Key="SendClaimsIn">Body</Item>
+ <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
+ </Metadata>
+ <InputClaims>
+ <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" AlwaysUseDefaultValue="true" />
+ <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailAddress" />
+ </InputClaims>
+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
+</TechnicalProfile>
+```
+
+## Handling error messages
+
+Your REST API may need to return an error message, such as "The user was not found in the CRM system." If an error occurs, the REST API should return an HTTP 409 error message (Conflict response status code). For more information, see the [RESTful technical profile](restful-technical-profile.md#returning-validation-error-message).
+
+This behavior can only be achieved by calling a REST API technical profile from a validation technical profile. Letting the user to correct the data on the page and run the validation again upon page submission.
+
+If you reference a REST API technical profile directly from a user journey, the user is redirected back to the relying party application with the relevant error message.
++
+## Security considerations
+
+You protect your REST API endpoint so that only authenticated clients can communicate with it. The REST API must use an HTTPS endpoint. Set the authentication type to one of the following authentication methods.
+
+### API Key
+
+API key is a unique identifier used to authenticate a user to access a REST API endpoint. For example, [Azure Functions HTTP trigger](../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys) includes the `code` as a query parameter in the endpoint URL.
++
+```http
+https://contoso.azurewebsites.net/api/endpoint?code=0123456789
+```
+
+API key authentication shouldn't be used alone in production. Therefore, configuration for basic or certificate authentication is always required. If you do not wish to implement any authentication method (not recommended) for development purposes, you can choose basic authentication and use temporary values for `username` and `password` that your API can disregard while you implement the authorization in your API.
+++
+The API key can be sent a custom HTTP header. For example, the [Azure Functions HTTP trigger](../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys) uses the `x-functions-key` HTTP header to identify the requester.
++
+### Client certificate
+
+The client certificate authentication is a mutual certificate-based authentication method where the client provides a client certificate to the server to prove its identity. In this case, Azure AD B2C will use the certificate that you upload as part of the API connector configuration. This behavior happens as a part of the SSL handshake.
+
+Your API service can then limit access to only services that have proper certificates. The client certificate is a PKCS12 (PFX) X.509 digital certificate. In production environments, it should be signed by a certificate authority.
+
+### HTTP basic authentication
+
+The HTTP basic authentication is defined in [RFC 2617](https://tools.ietf.org/html/rfc2617). Azure AD B2C sends an HTTP request with the client credentials (`username` and `password`) in the `Authorization` header. The credentials are formatted as the base64-encoded string `username:password`. Your API then checks these values to determine whether to reject an API call or not.
++
+### Bearer token
+
+Bearer token authentication is defined in [OAuth2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). In bearer token authentication, Azure AD B2C sends an HTTP request with a token in the authorization header.
+
+```http
+Authorization: Bearer <token>
+```
+
+A bearer token is an opaque string. It can be a JWT access token or any string that the REST API expects Azure AD B2C to send in the authorization header.
+
+
+## REST API platform
+
+Your REST API can be based on any platform and written in any programing language, as long as it's secure and can send and receive claims in JSON format.
+
+The request to your REST API service comes from Azure AD B2C servers. The REST API service must be published to a publicly accessible HTTPS endpoint. The REST API calls will arrive from an Azure data center IP address.
+
+Design your REST API service and its underlying components (such as the database and file system) to be highly available.
+ ## Next steps++++ - Learn how to [add an API connector to a user flow](add-api-connector.md) - Get started with our [samples](code-samples.md#api-connectors).
-<!-
+++
+See the following articles for examples of using a RESTful technical profile:
+
+- [Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as validation of user input](custom-policy-rest-api-claims-validation.md)
+- [Walkthrough: Add REST API claims exchanges to custom policies in Azure Active Directory B2C](custom-policy-rest-api-claims-validation.md)
+- [Secure your REST API services](secure-rest-api.md)
+- [Reference: RESTful technical profile](restful-technical-profile.md)
+
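Review bot: The `REST-ValidateUserData` sample under "Localize the REST API" sets `<Item Key="AuthenticationType">None</Item>`, which contradicts the "Security considerations" section on the same page that tells readers to use one of the listed methods (API key, client certificate, basic, bearer); switch the sample to one of those or add a sentence saying `None` is for illustration only, since readers copy these profiles verbatim. In the same section, "You protect your REST API endpoint so that only authenticated clients can communicate with it" lost the "must" that the deleted intro article had, turning a requirement into a description; restore it. "API key is a unique identifier used to authenticate a user" should say it authenticates the calling service (the key identifies the requester, not an end user), and "The API key can be sent a custom HTTP header" is missing "in". The sentence "The REST API calls will arrive from an Azure data center IP address" should not be read as an access control, because those address ranges are shared; the authentication requirement above it is the control, and a clause saying so would prevent readers from relying on IP filtering alone. Under "Next steps", both "Walkthrough" links point to `custom-policy-rest-api-claims-validation.md`; the second one ("Add REST API claims exchanges to custom policies") should point to `custom-policy-rest-api-claims-exchange.md`, which is part of this same change set. The nested-JSON sample in "Receiving data" begins with `"contacts": [` and ends with `],`, so it is not a standalone JSON document; wrap it in `{ }` so it can be pasted and validated. Wording: "Then return claims can be stored" should be "The returned claims can be stored"; "Letting the user to correct the data on the page and run the validation again upon page submission." is a fragment (attach it to the previous sentence as "which lets the user correct..."); "look like following xml snippet" is missing "the"; and "subsequent orchestration steps" from the removed article became "next orchestration steps" in both bullet lists, a regression. Finally, the two image references now use `media/api-connectors-overview/`; confirm the files were moved from `media/custom-policy-rest-api-intro/` in this commit.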
active-directory-b2c Code Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/code-samples.md
The following tables provide links to samples for applications including iOS, An
|--| -- | | [ms-identity-javascript-react-tutorial](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c) | A single page application (SPA) calling a web API. Authentication is done with Azure AD B2C by using MSAL React. This sample uses the authorization code flow with PKCE. | | [ms-identity-b2c-javascript-spa](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) | A single page application (SPA) calling a web API. Authentication is done with Azure AD B2C by using MSAL.js. This sample uses the authorization code flow with PKCE. |
-| [javascript-msal-singlepageapp](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp) | A single page application (SPA) calling a web API. Authentication is done with Azure AD B2C by using MSAL.js. This sample uses the implicit flow.|
| [javascript-nodejs-management](https://github.com/Azure-Samples/ms-identity-b2c-javascript-nodejs-management/tree/main/Chapter1) | A single page application (SPA) calling Microsoft Graph to manage users in a B2C directory. Authentication is done with Azure AD B2C by using MSAL.js. This sample uses the authorization code flow with PKCE.| ## Console/Daemon apps
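Review bot: Removing the `javascript-msal-singlepageapp` row is the right call, since it was the only SPA sample using the implicit flow and every remaining row uses the authorization code flow with PKCE; consider a sentence in the table intro saying the implicit-flow sample was retired and that `ms-identity-b2c-javascript-spa` covers the same SPA-calls-web-API scenario with MSAL.js, so readers arriving from older links know which sample to use.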
active-directory-b2c Conditional Access User Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/conditional-access-user-flow.md
Multiple Conditional Access policies may apply to an individual user at any time
Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multi-factor authentication to prove that they are really who they say they are.
-A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Organizations with P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection sign-in risk detections](https://docs.microsoft.com/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk). Please note the [limitations on Identity Protection detections for B2C](https://docs.microsoft.com/azure/active-directory-b2c/identity-protection-investigate-risk?pivots=b2c-user-flow#service-limitations-and-considerations).
+A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Organizations with P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection sign-in risk detections](../active-directory/identity-protection/concept-identity-protection-risks.md#sign-in-risk). Please note the [limitations on Identity Protection detections for B2C](./identity-protection-investigate-risk.md?pivots=b2c-user-flow#service-limitations-and-considerations).
If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
Organizations should choose one of the following options to enable a sign-in ris
### Enable with Conditional Access APIs
-To create a Sign-in risk-based Conditional Access policy with Conditional Access APIs, please refer to the documentation for [Conditional Access APIs](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-apis#graph-api).
+To create a Sign-in risk-based Conditional Access policy with Conditional Access APIs, please refer to the documentation for [Conditional Access APIs](../active-directory/conditional-access/howto-conditional-access-apis.md#graph-api).
The following template can be used to create a Conditional Access policy with display name "CA002: Require MFA for medium+ sign-in risk" in report-only mode.
To review the result of a Conditional Access event:
## Next steps
-[Customize the user interface in an Azure AD B2C user flow](customize-ui-with-html.md)
+[Customize the user interface in an Azure AD B2C user flow](customize-ui-with-html.md)
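Review bot: The removed and re-added "[Customize the user interface in an Azure AD B2C user flow]" lines are identical, so this is a whitespace-only change; fine to keep, but check that no stray trailing character was introduced. Rewriting the absolute docs.microsoft.com URLs as relative paths (`../active-directory/...` and `./identity-protection-investigate-risk.md?pivots=...`) is correct for cross-article links. While touching this article, "Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in" is a comma splice; split it after "tracked".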
active-directory-b2c Custom Policy Rest Api Claims Exchange https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-policy-rest-api-claims-exchange.md
[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
-Azure Active Directory B2C (Azure AD B2C) enables identity developers to integrate an interaction with a RESTful API in a user journey. At the end of this walkthrough, you'll be able to create an Azure AD B2C user journey that interacts with [RESTful services](custom-policy-rest-api-intro.md).
+Azure Active Directory B2C (Azure AD B2C) enables identity developers to integrate an interaction with a RESTful API in a user journey. At the end of this walkthrough, you'll be able to create an Azure AD B2C user journey that interacts with [RESTful services](api-connectors-overview.md).
In this scenario, we enrich the user's token data by integrating with a corporate line-of-business workflow. During sign-up or sign-in with local or federated account, Azure AD B2C invokes a REST API to get the user's extended profile data from a remote data source. In this sample, Azure AD B2C sends the user's unique identifier, the objectId. The REST API then returns the user's account balance (a random number). Use this sample as a starting point to integrate with your own CRM system, marketing database, or any line-of-business workflow.
You can also design the interaction as a validation technical profile. This is s
## Prerequisites - Complete the steps in [Get started with custom policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy). You should have a working custom policy for sign-up and sign-in with local accounts.-- Learn how to [Integrate REST API claims exchanges in your Azure AD B2C custom policy](custom-policy-rest-api-intro.md).
+- Learn how to [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md).
## Prepare a REST API endpoint
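Review bot: The links retargeted from `custom-policy-rest-api-intro.md` to `api-connectors-overview.md` should carry the custom-policy pivot (`api-connectors-overview.md?pivots=b2c-custom-policy`), matching how the prerequisite in the same hunk links `tutorial-create-user-flows.md?pivots=b2c-custom-policy`; the destination is now a pivoted article, so without the query string custom-policy readers land on the user-flow view. The anchor text "Integrate REST API claims exchanges in your Azure AD B2C custom policy" is also the deleted article's title; update it to match the new destination ("About API connectors in Azure AD B2C").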
active-directory-b2c Custom Policy Rest Api Claims Validation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-policy-rest-api-claims-validation.md
[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
-The Identity Experience Framework (IEF) that underpins Azure Active Directory B2C (Azure AD B2C) enables identity developers to integrate an interaction with a RESTful API in a user journey. At the end of this walkthrough, you'll be able to create an Azure AD B2C user journey that interacts with [RESTful services](custom-policy-rest-api-intro.md) to validate user input.
+The Identity Experience Framework (IEF) that underpins Azure Active Directory B2C (Azure AD B2C) enables identity developers to integrate an interaction with a RESTful API in a user journey. At the end of this walkthrough, you'll be able to create an Azure AD B2C user journey that interacts with [RESTful services](api-connectors-overview.md) to validate user input.
In this scenario, we'll add the ability for users to enter a loyalty number into the Azure AD B2C sign-up page. We'll validate whether this combination of email and loyalty number is mapped to a promotional code by sending this data to a REST API. If the REST API finds a promotional code for this user, it will be returned to Azure AD B2C. Finally, the promotional code will be inserted into the token claims for the application to consume.
You can also design the interaction as an orchestration step. This is suitable w
## Prerequisites - Complete the steps in [Get started with custom policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy). You should have a working custom policy for sign-up and sign-in with local accounts.-- Learn how to [Integrate REST API claims exchanges in your Azure AD B2C custom policy](custom-policy-rest-api-intro.md).
+- Learn how to [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md).
## Prepare a REST API endpoint
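Review bot: Same issue as the claims-exchange walkthrough: the two links now pointing at `api-connectors-overview.md` need `?pivots=b2c-custom-policy` so that readers of this custom-policy article get the custom-policy content of the pivoted overview, consistent with the `tutorial-create-user-flows.md?pivots=b2c-custom-policy` link in the same prerequisites list, and the anchor text still uses the deleted article's title.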
active-directory-b2c Custom Policy Rest Api Intro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-policy-rest-api-intro.md
- Title: REST API claims exchanges in B2C custom policy-
-description: An introduction to creating an Azure AD B2C user journey that interacts with RESTful services.
------- Previously updated : 05/18/2020----
-# Integrate REST API claims exchanges in your Azure AD B2C custom policy
--
-The Identity Experience Framework, which underlies Azure Active Directory B2C (Azure AD B2C), can integrate with RESTful APIs within a user journey. This article shows how to create a user journey that interacts with a RESTful service using a [RESTful technical profile](restful-technical-profile.md).
-
-Using Azure AD B2C, you can add your own business logic to a user journey by calling your own RESTful service. The Identity Experience Framework can send and receive data from your RESTful service to exchange claims. For example, you can:
--- **Validate user input data**. For example, you can verify that the email address provided by the user exists in your customer's database, and if not, present an error.-- **Process claims**. If a user enters their first name in all lowercase or all uppercase letters, your REST API can format the name with only the first letter capitalized and return it to Azure AD B2C.-- **Enrich user data by further integrating with corporate line-of-business applications**. Your RESTful service can receive the user's email address, query the customer's database, and return the user's loyalty number to Azure AD B2C. Then return claims can be stored in the user's Azure AD account, evaluated in the next orchestration steps, or included in the access token.-- **Run custom business logic**. You can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and perform any other workflows.-
-![Diagram of a RESTful service claims exchange](media/custom-policy-rest-api-intro/restful-service-claims-exchange.png)
-
-> [!NOTE]
-> If there is slow or no response from the RESTful service to Azure AD B2C, the timeout is 30 seconds and the retry count is 2 times (meaning there are 3 tries in total). The timeout and retry count settings are not currently configurable.
-
-## Calling a RESTful service
-
-The interaction includes a claims exchange of information between the REST API claims and Azure AD B2C. You can design the integration with the RESTful services in the following ways:
--- **Validation technical profile**. The call to the RESTful service happens within a [validation technical profile](validation-technical-profile.md) of the specified [self-asserted technical profile](self-asserted-technical-profile.md), or a [verification display control](display-control-verification.md) of a [display control](display-controls.md). The validation technical profile validates the user-provided data before the user journey moves forward. With the validation technical profile, you can:-
- - Send claims to your REST API.
- - Validate claims, and throw custom error messages that are displayed to the user.
- - Send back claims from the REST API to subsequent orchestration steps.
--- **Claims exchange**. A direct claims exchange can be configured by calling a REST API technical profile directly from an orchestration step of a [user journey](userjourneys.md). This definition is limited to:-
- - Send claims to your REST API.
- - Validate claims, and throw custom error messages that are returned to the application.
- - Send back claims from the REST API to subsequent orchestration steps.
-
-You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:
--- During sign-in, just before Azure AD B2C validates the credentials.-- Immediately after sign-in.-- Before Azure AD B2C creates a new account in the directory.-- After Azure AD B2C creates a new account in the directory.-- Before Azure AD B2C issues an access token.-
-![Validation technical profile collection](media/custom-policy-rest-api-intro/validation-technical-profile.png)
-
-## Sending data
-
-In the [RESTful technical profile](restful-technical-profile.md), the `InputClaims` element contains a list of claims to send to your RESTful service. You can map the name of your claim to the name defined in the RESTful service, set a default value, and use [claims resolvers](claim-resolver-overview.md).
-
-You can configure how the input claims are sent to the RESTful claims provider by using the SendClaimsIn attribute. The possible values are:
--- **Body**, sent in the HTTP POST request body in JSON format.-- **Form**, sent in the HTTP POST request body in an ampersand '&' separated key value format.-- **Header**, sent in the HTTP GET request header.-- **QueryString**, sent in the HTTP GET request query string.-
-When the **Body** option is configured, the REST API technical profile allows you to send a complex JSON payload to an endpoint. For more information, see [Send a JSON payload](restful-technical-profile.md#send-a-json-payload).
-
-## Receiving data
-
-The `OutputClaims` element of the [RESTful technical profile](restful-technical-profile.md) contains a list of claims returned by the REST API. You may need to map the name of the claim defined in your policy to the name defined in the REST API. You can also include claims that aren't returned by the REST API identity provider, as long as you set the DefaultValue attribute.
-
-The output claims parsed by the RESTful claims provider always expect to parse a flat JSON Body response, such as:
-
-```json
-{
- "name": "Emily Smith",
- "email": "emily@outlook.com",
- "loyaltyNumber": 1234
-}
-```
-
-The output claims should look like the following:
-
-```xml
-<OutputClaims>
- <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
- <OutputClaim ClaimTypeReferenceId="email" />
- <OutputClaim ClaimTypeReferenceId="loyaltyNumber" />
-</OutputClaims>
-```
-
-To parse a nested JSON Body response, set the ResolveJsonPathsInJsonTokens metadata to true. In the output claim, set the PartnerClaimType to the JSON path element you want to output.
-
-```json
-"contacts": [
- {
- "id": "MAINCONTACT_1",
- "person": {
- "name": "Emily Smith",
- "loyaltyNumber": 1234,
- "emails": [
- {
- "id": "EMAIL_1",
- "type": "WORK",
- "email": "email@domain.com"
- }
- ]
- }
- }
-],
-```
--
-The output claims should look like following:
-
-```xml
-<OutputClaims>
- <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="contacts[0].person.name" />
- <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="contacts[0].person.emails[0].email" />
- <OutputClaim ClaimTypeReferenceId="loyaltyNumber" PartnerClaimType="contacts[0].person.loyaltyNumber" />
-</OutputClaims>
-```
-
-## Security considerations
-
-You must protect your REST API endpoint so that only authenticated clients can communicate with it. The REST API must use an HTTPS endpoint. Set the AuthenticationType metadata to one of the following authentication methods:
--- **Client certificate** restricts access by using client certificate authentication. Only services that have the appropriate certificates can access your API. You store the client certificate in an Azure AD B2C Policy Key. Learn more about how to [secure your RESTful service by using client certificates](secure-rest-api.md#https-client-certificate-authentication).-- **Basic** secures the REST API with HTTP basic authentication. Only verified users, including Azure AD B2C, can access your API. The username and password are stored in Azure AD B2C policy keys. Learn how to [secure your RESTful services by using HTTP basic authentication](secure-rest-api.md#http-basic-authentication).-- **Bearer** restricts access using a client OAuth2 access token. The access token is stored in an Azure AD B2C policy key. Learn more about how to [secure your RESTful service by using Bearer token](secure-rest-api.md#oauth2-bearer-authentication).-
-## REST API platform
-Your REST API can be based on any platform and written in any programing language, as long as it's secure and can send and receive claims as specified in [RESTful technical profile](restful-technical-profile.md).
-
-## Localize the REST API
-In a RESTful technical profile, you may want to send the current session's language/locale, and if necessary, raise a localized error message. Using the [claims resolver](claim-resolver-overview.md), you can send a contextual claim, such as the user language. The following example shows a RESTful technical profile demonstrating this scenario.
-
-```xml
-<TechnicalProfile Id="REST-ValidateUserData">
- <DisplayName>Validate user input data</DisplayName>
- <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
- <Metadata>
- <Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/identity</Item>
- <Item Key="AuthenticationType">None</Item>
- <Item Key="SendClaimsIn">Body</Item>
- <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
- </Metadata>
- <InputClaims>
- <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" AlwaysUseDefaultValue="true" />
- <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailAddress" />
- </InputClaims>
- <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
-</TechnicalProfile>
-```
-
-## Handling error messages
-
-Your REST API may need to return an error message, such as "The user was not found in the CRM system." If an error occurs, the REST API should return an HTTP 409 error message (Conflict response status code). For more information, see the [RESTful technical profile](restful-technical-profile.md#returning-validation-error-message).
-
-This can only be achieved by calling a REST API technical profile from a validation technical profile. This allows the user to correct the data on the page and run the validation again upon page submission.
-
-An HTTP 409 response is required to prevent the processing of any subsequent validation technical profiles within this orchestration step.
-
-If you reference a REST API technical profile directly from a user journey, the user is redirected back to the relying party application with the relevant error message.
-
-## Publishing your REST API
-
-The request to your REST API service comes from Azure AD B2C servers. The REST API service must be published to a publicly accessible HTTPS endpoint. The REST API calls will arrive from an Azure data center IP address.
-
-Design your REST API service and its underlying components (such as the database and file system) to be highly available.
-
-## Next steps
-
-See the following articles for examples of using a RESTful technical profile:
--- [Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as validation of user input](custom-policy-rest-api-claims-validation.md)-- [Walkthrough: Add REST API claims exchanges to custom policies in Azure Active Directory B2C](custom-policy-rest-api-claims-validation.md)-- [Secure your REST API services](secure-rest-api.md)-- [Reference: RESTful technical profile](restful-technical-profile.md)
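Review bot: deleting this whole file drops the Security considerations section (HTTPS endpoint required; AuthenticationType must be Client certificate, Basic or Bearer), the HTTP 409 error-handling contract for validation technical profiles, and the Publishing note that calls arrive from Azure data center IP addresses. The link rewrites later in this change (data-residency.md, restful-technical-profile.md) send readers to api-connectors-overview.md instead, so confirm that page's custom-policy content carries those three sections, and add a redirect for custom-policy-rest-api-intro.md so existing inbound links and bookmarks do not break. If the REST-ValidateUserData sample moves with the text, mark `<Item Key="AuthenticationType">None</Item>` as illustrative only, since as written it contradicts the requirement stated in Security considerations just above it.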
active-directory-b2c Data Residency https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/data-residency.md
Previously updated : 03/31/2021 Last updated : 04/27/2021
# Azure Active Directory B2C: Region availability & data residency
-Region availability and data residency are two very different concepts that apply differently to Azure AD B2C from the rest of Azure. This article explains the differences between these two concepts, and compares how they apply to Azure versus Azure AD B2C.
+Azure AD B2C identity data is stored in a geographical location based on the country/region provided when you create the tenant.
+
+Region availability and data residency are two different concepts that apply to Azure AD B2C. This article explains the differences between these two concepts, and compares how they apply to Azure versus Azure AD B2C.
Azure AD B2C is **generally available worldwide** with the option for **data residency** in the **United States, Europe, or Asia Pacific**. Azure AD B2C is in **public preview** in Australia.
Azure AD B2C is **generally available worldwide** with the option for **data res
## Region availability
-Azure AD B2C is available worldwide via the Azure public cloud.
-
-This differs from the model followed by most other Azure services, which typically couple *availability* with *data residency*. You can see examples of this in both Azure's [Products Available By Region](https://azure.microsoft.com/regions/services/) page and the [Active Directory B2C pricing calculator](https://azure.microsoft.com/pricing/details/active-directory-b2c/).
+Azure AD B2C is available worldwide via the Azure public cloud. You can see examples of this feature in both Azure's [Products Available By Region](https://azure.microsoft.com/regions/services/) page and the [Active Directory B2C pricing calculator](https://azure.microsoft.com/pricing/details/active-directory-b2c/).
## Data residency
The following countries/regions are in the process of being added to the list. F
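Review bot: the rewritten sentence "You can see examples of this feature in both Azure's Products Available By Region page and the Active Directory B2C pricing calculator" has lost its referent. In the removed text, "this" pointed at other Azure services coupling availability with data residency, which is what those two pages illustrate; the new wording reads as if they show Azure AD B2C's worldwide availability. Suggest keeping the contrast, for example: "Unlike most other Azure services, which couple availability with data residency, Azure AD B2C is available worldwide via the Azure public cloud. Compare the Products Available By Region page and the pricing calculator to see how other services are listed."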
## Remote profile solution
-With Azure AD B2C [custom policies](custom-policy-overview.md), you can integrate with [RESTful API services](custom-policy-rest-api-intro.md), which allow you to store and read user profiles from a remote database (such as a marketing database, CRM system, or any line-of-business application).
+With Azure AD B2C [custom policies](custom-policy-overview.md), you can integrate with [RESTful API services](api-connectors-overview.md), which allow you to store and read user profiles from a remote database (such as a marketing database, CRM system, or any line-of-business application).
- During the sign-up and profile editing flows, Azure AD B2C calls a custom REST API to persist the user profile to the remote data source. The user's credentials are stored in Azure AD B2C directory. - Upon sign-in, after credentials validation with a local or social account, Azure AD B2C invokes the REST API, which sends the user's unique identifier as a user primary key (email address or user objectId). The REST API reads the data from the remote database and returns the user profile.
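Review bot: this paragraph is explicitly about custom policies, but the new link target api-connectors-overview.md is reached without a pivot. If that page has a user-flow/custom-policy pivot, append `?pivots=b2c-custom-policy`, as the other link updates in this change do (for example `./tutorial-create-user-flows.md?pivots=b2c-custom-policy`), so readers land on the RESTful technical profile material rather than the user-flow view. Also consider changing the link text "RESTful API services", which described the removed page's title, to match the new target.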
active-directory-b2c Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/faq.md
No, Azure AD Connect is not designed to work with Azure AD B2C. Consider using t
### Can my app open up Azure AD B2C pages within an iFrame?
-This feature is in public preview. For details, see [Embedded sign-in experience](https://docs.microsoft.com/azure/active-directory-b2c/embedded-login).
+This feature is in public preview. For details, see [Embedded sign-in experience](./embedded-login.md).
### Does Azure AD B2C work with CRM systems such as Microsoft Dynamics?
Yes, see [language customization](language-customization.md). We provide transla
### Can I use my own URLs on my sign-up and sign-in pages that are served by Azure AD B2C? For instance, can I change the URL from contoso.b2clogin.com to login.contoso.com?
-This feature is available in public preview. For details, see [Azure AD B2C custom domains](https://docs.microsoft.com/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow).
+This feature is available in public preview. For details, see [Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).
### How do I delete my Azure AD B2C tenant?
No, Azure AD B2C is a pay-as-you-go Azure service and is not part of Enterprise
### How do I report issues with Azure AD B2C?
-See [File support requests for Azure Active Directory B2C](support-options.md).
+See [File support requests for Azure Active Directory B2C](support-options.md).
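Review bot: the removed and added "See [File support requests for Azure Active Directory B2C](support-options.md)." lines are identical as rendered, so this is a whitespace-only change (trailing spaces or a line-ending normalization). The same identical pairs appear in identity-verification-proofing.md, microsoft-graph-get-started.md and partner-dynamics-365-fraud-protection.md in this change; a one-line mention in the PR description that these are line-ending fixes saves reviewers from hunting for a textual difference.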
active-directory-b2c Identity Verification Proofing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-verification-proofing.md
Microsoft partners with the following ISV partners.
## Additional information -- [Custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview)
+- [Custom policies in Azure AD B2C](./custom-policy-overview.md)
-- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)
## Next steps
-Select a partner in the tables mentioned to learn how to integrate their solution with Azure AD B2C.
+Select a partner in the tables mentioned to learn how to integrate their solution with Azure AD B2C.
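Review bot: the `tabs=applications` query parameter is carried over from custom-policy-get-started to the new target `./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications`; confirm the tutorial page actually defines a tab group with that id, otherwise the parameter is dead and should be dropped to match the simpler form used for the same link in partner-dynamics-365-fraud-protection.md (`?pivots=b2c-custom-policy` only).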
active-directory-b2c Implicit Flow Single Page Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/implicit-flow-single-page-application.md
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/
## Next steps
-### Code sample: Azure AD B2C with Microsoft Authentication Library for JavaScript
-
-[Single-page application built with msal.js for Azure AD B2C][github-msal-js-example] (GitHub)
-
-This sample on GitHub is intended to help get you started to Azure AD B2C in a simple web application built with [msal.js][github-msal-js] and using pop-up-style authentication.
-
-<!-- Links - EXTERNAL -->
-[github-msal-js-example]: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp
-[github-msal-js]: https://github.com/AzureAD/microsoft-authentication-library-for-js
+See the code sample: [Sign-in with Azure AD B2C in a JavaScript single-page application](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-core-samples/VanillaJSTestApp/app/b2c).
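Review bot: the replacement link points into the `dev` branch of microsoft-authentication-library-for-js at `samples/msal-core-samples/VanillaJSTestApp/app/b2c`. Deep links into a development branch break whenever the samples tree is reorganized, so prefer a tagged release path or a dedicated sample repository like the one being removed. The removed paragraph also told readers what the sample demonstrates (a simple web app using pop-up-style authentication with msal.js); keep one sentence to that effect, and say that it is an msal-core (MSAL.js 1.x) sample, since that is the library that implements the implicit flow this page documents.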
active-directory-b2c Microsoft Graph Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/microsoft-graph-get-started.md
Before your scripts and applications can interact with the [Microsoft Graph API]
## Grant API access
-For your application to access data in Microsoft Graph, grant the registered application the relevant [application permissions](https://docs.microsoft.com/graph/permissions-reference). The effective permissions of your application are the full level of privileges implied by the permission. For example, to *create*, *read*, *update*, and *delete* every user in your Azure AD B2C tenant, add the **User.ReadWrite.All** permission.
+For your application to access data in Microsoft Graph, grant the registered application the relevant [application permissions](/graph/permissions-reference). The effective permissions of your application are the full level of privileges implied by the permission. For example, to *create*, *read*, *update*, and *delete* every user in your Azure AD B2C tenant, add the **User.ReadWrite.All** permission.
> [!NOTE] > The **User.ReadWrite.All** permission does not include the ability update user account passwords. If your application needs to update user account passwords, [grant user administrator role](#optional-grant-user-administrator-role). When granting [user administrator](../active-directory/roles/permissions-reference.md#user-administrator) role, the **User.ReadWrite.All** is not required. The user administrator role includes everything needed to manage users.
Now that you've registered your management application and have granted it the r
<!-- LINKS --> [ms-graph]: /graph/
-[ms-graph-api]: /graph/api/overview
+[ms-graph-api]: /graph/api/overview
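Review bot: since this file is being touched, fix the typo in the unchanged NOTE just below the edited paragraph: "does not include the ability update user account passwords" should read "the ability to update user account passwords". The root-relative `/graph/permissions-reference` form is consistent with the existing `[ms-graph]: /graph/` link definition, so that part looks right.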
active-directory-b2c Partner Biocatch https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-biocatch.md
document.getElementById("clientSessionId").style.displayΓÇ»=ΓÇ»'none';
## Configure Azure AD B2C Identity Experience Framework policies
-1. Configure the initial [custom policy configuration](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started).
+1. Configure the initial [custom policy configuration](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).
2. Create a new file, which inherits from the extensions file.
Follow these steps to add the policy files to Azure AD B2C
## Test the solution
-1. [Register a dummy application, which redirects to JWT.MS](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga)
+1. [Register a dummy application, which redirects to JWT.MS](./tutorial-register-applications.md?tabs=app-reg-ga)
2. Under the **Identity Experience Framework**, select the policy you created
Follow these steps to add the policy files to Azure AD B2C
## Additional resources -- [Custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview)
+- [Custom policies in Azure AD B2C](./custom-policy-overview.md)
-- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)
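Review bot: the unchanged context line `document.getElementById("clientSessionId").style.displayΓÇ»=ΓÇ»'none';` contains non-breaking spaces (U+00A0, rendered here as ΓÇ») on either side of the `=` instead of ASCII spaces. They will be copied along with the snippet and are flagged by linters and formatters; replace them with plain spaces while this file is open for the link fixes.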
active-directory-b2c Partner Cloudflare https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-cloudflare.md
Cloudflare WAF integration includes the following components:
- **Azure AD B2C Tenant** ΓÇô The authorization server, responsible for verifying the userΓÇÖs credentials using the custom policies defined in the tenant. It's also known as the identity provider. -- [**Azure Front Door**](https://docs.microsoft.com/azure/frontdoor/front-door-overview) ΓÇô Responsible for enabling custom domains for Azure B2C tenant. All traffic from Cloudflare WAF will be routed to Azure Front Door before arriving at Azure AD B2C tenant.
+- [**Azure Front Door**](../frontdoor/front-door-overview.md) ΓÇô Responsible for enabling custom domains for Azure B2C tenant. All traffic from Cloudflare WAF will be routed to Azure Front Door before arriving at Azure AD B2C tenant.
- **Cloudflare** ΓÇô The web application firewall, which manages all traffic that is sent to the authorization server. ## Integrate with Azure AD B2C
-To use custom domains in Azure AD B2C, it's required to use custom domain feature provided by Azure Front Door. Learn how to [enable Azure AD B2C custom domains](https://docs.microsoft.com/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow).
+To use custom domains in Azure AD B2C, it's required to use custom domain feature provided by Azure Front Door. Learn how to [enable Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).
-After custom domain for Azure AD B2C is successfully configured using Azure Front Door, [test the custom domain](https://docs.microsoft.com/azure/active-directory-b2c/custom-domain?pivots=b2c-custom-policy#test-your-custom-domain) before proceeding further.
+After custom domain for Azure AD B2C is successfully configured using Azure Front Door, [test the custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain) before proceeding further.
## Onboard with Cloudflare
Add, update, or remove firewall rules using the firewall option available in the
- [Troubleshoot Cloudflare custom page issues](https://support.cloudflare.com/hc/en-us/articles/200172706-Configuring-Custom-Pages-Error-and-Challenge-#5QWV2KVjLnaAQ8L4tjiguw) -- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)
## Next steps -- [Configure a custom domain in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow)
-
+- [Configure a custom domain in Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow)
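Review bot: the component list and the Front Door line render with mojibake (`ΓÇô` where an en dash belongs, `userΓÇÖs` for "user's"), which points at the file, or the tool that last saved it, not being handled as UTF-8; either confirm the on-disk encoding or replace the characters with an ASCII hyphen and apostrophe. In the edited sentence "it's required to use custom domain feature provided by Azure Front Door", suggest "you must use the custom domain feature provided by Azure Front Door" for grammar.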
active-directory-b2c Partner Dynamics 365 Fraud Protection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md
# Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C
-In this sample tutorial, we provide guidance on how to integrate [Microsoft Dynamics 365 Fraud Protection](https://docs.microsoft.com/dynamics365/fraud-protection/overview) (DFP) with the Azure Active Directory (AD) B2C.
+In this sample tutorial, we provide guidance on how to integrate [Microsoft Dynamics 365 Fraud Protection](/dynamics365/fraud-protection/overview) (DFP) with the Azure Active Directory (AD) B2C.
Microsoft DFP provides clients with the capability to assess if the risk of attempts to create new accounts and attempts to login to client's ecosystem are fraudulent. Microsoft DFP assessment can be used by the customer to block or challenge suspicious attempts to create new fake accounts or to compromise existing accounts. Account protection includes artificial intelligence empowered device fingerprinting, APIs for real-time risk assessment, rule and list experience to optimize risk strategy as per client's business needs, and a scorecard to monitor fraud protection effectiveness and trends in client's ecosystem.
Configure the application settings in the [App service in Azure](../app-service/
|FraudProtectionSettings:InstanceId | Microsoft DFP Configuration | | |FraudProtectionSettings:DeviceFingerprintingCustomerId | Your Microsoft device fingerprinting customer ID | | | FraudProtectionSettings:ApiBaseUrl | Your Base URL from Microsoft DFP Portal | Remove '-int' to call the production API instead|
-| TokenProviderConfig: Resource | Your Base URL - https://api.dfp.dynamics-int.com | Remove '-int' to call the production API instead|
+| TokenProviderConfig: Resource | Your Base URL - `https://api.dfp.dynamics-int.com` | Remove '-int' to call the production API instead|
| TokenProviderConfig:ClientId |Your Fraud Protection merchant Azure AD client app ID | | | TokenProviderConfig:Authority | https://login.microsoftonline.com/<directory_ID> | Your Fraud Protection merchant Azure AD tenant authority | | TokenProviderConfig:CertificateThumbprint* | The thumbprint of the certificate to use to authenticate against your merchant Azure AD client app |
For additional information, review the following articles:
- [Custom policies in Azure AD B2C](./custom-policy-overview.md) -- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
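Review bot: the same fix applied to `TokenProviderConfig: Resource` (wrapping the URL in backticks) is needed one row down for `TokenProviderConfig:Authority`, whose value `https://login.microsoftonline.com/<directory_ID>` is still bare; Markdown renderers treat `<directory_ID>` as an HTML tag and drop it, so the rendered table shows only `https://login.microsoftonline.com/`. Wrap it as `` `https://login.microsoftonline.com/<directory_ID>` ``.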
active-directory-b2c Restful Technical Profile https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/restful-technical-profile.md
[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
-Azure Active Directory B2C (Azure AD B2C) provides support for integrating your own RESTful service. Azure AD B2C sends data to the RESTful service in an input claims collection and receives data back in an output claims collection. For more information, see [Integrate REST API claims exchanges in your Azure AD B2C custom policy](custom-policy-rest-api-intro.md).
+Azure Active Directory B2C (Azure AD B2C) provides support for integrating your own RESTful service. Azure AD B2C sends data to the RESTful service in an input claims collection and receives data back in an output claims collection. For more information, see [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md).
## Protocol
public class ResponseContent
See the following articles for examples of using a RESTful technical profile: -- [Integrate REST API claims exchanges in your Azure AD B2C custom policy](custom-policy-rest-api-intro.md)
+- [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md)
- [Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as validation of user input](custom-policy-rest-api-claims-validation.md) - [Walkthrough: Add REST API claims exchanges to custom policies in Azure Active Directory B2C](custom-policy-rest-api-claims-validation.md) - [Secure your REST API services](secure-rest-api.md)
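Review bot: both updated links keep the text "Integrate REST API claims exchanges in your Azure AD B2C custom policy" while now pointing at api-connectors-overview.md, whose title is about API connectors for user flows; either change the link text to the new target's title or append `?pivots=b2c-custom-policy` (if that page carries the pivot) so the text stays accurate. Separately, in the unchanged Next steps context the two Walkthrough entries, "Integrate REST API claims exchanges ... as validation of user input" and "Add REST API claims exchanges to custom policies", both link to custom-policy-rest-api-claims-validation.md; the second should point at the claims-exchange walkthrough it names.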
active-directory-b2c Technical Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/technical-overview.md
Previously updated : 05/28/2020 Last updated : 04/27/2021
In Azure Active Directory B2C (Azure AD B2C), a *tenant* represents your organiz
The primary resources you work with in an Azure AD B2C tenant are:
-* **Directory** - The *directory* is where Azure AD B2C stores your users' credentials and profile data, as well as your application registrations.
+* **Directory** - The *directory* is where Azure AD B2C stores your users' credentials, profile data, and your application registrations.
* **Application registrations** - You register your web, mobile, and native applications with Azure AD B2C to enable identity management. Also, any APIs you want to protect with Azure AD B2C. * **User flows** and **custom policies** - The built-in (user flows) and fully customizable (custom policies) identity experiences for your applications. * Use *user flows* for quick configuration and enablement of common identity tasks like sign up, sign in, and profile editing.
- * Use *custom policies* to enable user experiences not only for the common identity tasks, but also for crafting support for complex identity workflows unique to your organization, customers, employees, partners, and citizens.
+ * Use *custom policies* for complex identity workflows unique to your organization, customers, employees, partners, and citizens.
* **Identity providers** - Federation settings for: * *Social* identity providers like Facebook, LinkedIn, or Twitter that you want to support in your applications. * *External* identity providers that support standard identity protocols like OAuth 2.0, OpenID Connect, and more.
Azure AD B2C defines several types of user accounts. Azure Active Directory, Azu
* **Work account** - Users with work accounts can manage resources in a tenant, and with an administrator role, can also manage tenants. Users with work accounts can create new consumer accounts, reset passwords, block/unblock accounts, and set permissions or assign an account to a security group. * **Guest account** - External users you invite to your tenant as guests. A typical scenario for inviting a guest user to your Azure AD B2C tenant is to share administration responsibilities.
-* **Consumer account** - Consumer accounts are the accounts created in your Azure AD B2C directory when users complete the sign-up user journey in an application you've registered in your tenant.
+* **Consumer account** - Accounts that are managed by Azure AD B2C user flows and custom policies.
![Azure AD B2C user management page in the Azure portal](media/technical-overview/portal-01-users.png)<br/>*Figure: User directory within an Azure AD B2C tenant in the Azure portal*
With a *consumer* account, users can sign in to the applications that you've sec
A consumer account can be associated with these identity types: * **Local** identity, with the username and password stored locally in the Azure AD B2C directory. We often refer to these identities as "local accounts."
-* **Social** or **enterprise** identities, where the identity of the user is managed by a federated identity provider like Facebook, Microsoft, ADFS, or Salesforce.
+* **Social** or **enterprise** identities, where the identity of the user is managed by a federated identity provider. For example, Facebook, Microsoft, ADFS, or Salesforce.
-A user with a consumer account can sign in with multiple identities, for example username, email, employee ID, government ID, and others. A single account can have multiple identities, both local and social.
+A user with a consumer account can sign in with multiple identities. For example username, email, employee ID, government ID, and others. A single account can have multiple identities, both local and social.
![Consumer account identities](media/technical-overview/identities.png)<br/>*Figure: A single consumer account with multiple identities in Azure AD B2C*
-Azure AD B2C lets you manage common attributes of consumer account profiles like display name, surname, given name, city, and others. You can also extend the Azure AD schema to store additional information about your users. For example, their country/region or residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multi-factor authentication.
+Azure AD B2C lets you manage common attributes of consumer account profiles. For example display name, surname, given name, city, and others. You can also extend the Azure AD schema to store additional information about your users. For example, their country/region of residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multi-factor authentication.
-Learn more about the user account types in Azure AD B2C in [Overview of user accounts in Azure Active Directory B2C](user-overview.md).
+For more information, see [Overview of user accounts in Azure Active Directory B2C](user-overview.md).
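Review bot: the rewritten sentences "For example username, email, employee ID, government ID, and others." and "For example display name, surname, given name, city, and others." are fragments; either keep them attached to the preceding sentence with a comma ("...multiple identities, for example username, email...") or at least add the comma after "For example". In the Consumer account bullet, the new text "Accounts that are managed by Azure AD B2C user flows and custom policies" drops the one fact that distinguishes consumer accounts from work and guest accounts, namely that they are created in your directory when a user completes sign-up; consider keeping "created in your Azure AD B2C directory by the sign-up user journey".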
## External identity providers
You can configure user flow settings like these to control identity experience b
* Session management * ...and more.
-Most common identity scenarios for the majority of mobile, web, and single-page applications can be defined and implemented effectively with user flows. We recommend that you use the built-in user flows unless you have complex user journey scenarios that require the full flexibility of custom policies.
+Most of the common identity scenarios for apps can be defined and implemented effectively with user flows. We recommend that you use the built-in user flows unless you have complex user journey scenarios that require the full flexibility of custom policies.
Learn more about user flows in [User flows in Azure Active Directory B2C](user-flow-overview.md). ### Custom policy
-Custom policies unlock access to the full power of the Identity Experience Framework (IEF) orchestration engine. With custom policies, you can leverage IEF to build almost any authentication, user registration, or profile editing experience that you can imagine.
+A custom policy is fully configurable and policy-driven. It orchestrates trust between entities in standard protocols. For example, OpenID Connect, OAuth, SAML, and a few non-standard ones, for example REST API-based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences.
-The Identity Experience Framework gives you the ability to construct user journeys with any combination of steps. For example:
+The custom policy gives you the ability to construct user journeys with any combination of steps. For example:
* Federate with other identity providers * First- and third-party multi-factor authentication (MFA) challenges
Each such user journey is defined by a policy, and you can build as many or as f
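Review bot: the new custom-policy paragraph reads as fragments: "It orchestrates trust between entities in standard protocols. For example, OpenID Connect, OAuth, SAML, and a few non-standard ones, for example REST API-based system-to-system claims exchanges." Suggest "It orchestrates trust between entities using standard protocols such as OpenID Connect, OAuth 2.0 and SAML, and non-standard ones such as REST API-based system-to-system claims exchanges." The following sentence, "The framework creates user-friendly, white-labeled experiences", now has no antecedent because the Identity Experience Framework sentence was removed, and the unchanged diagram alt text below still says "enabled by IEF"; keep one introductory mention such as "Custom policies are built on the Identity Experience Framework (IEF)" before the acronym is used.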
![Diagram showing an example of a complex user journey enabled by IEF](media/technical-overview/custom-policy.png)
-A custom policy is defined by several XML files that refer to each other in a hierarchical chain. The XML elements define the claims schema, claims transformations, content definitions, claims providers, technical profiles, user journey orchestration steps, and other aspects of the identity experience.
-
-The powerful flexibility of custom policies is most appropriate for when you need to build complex identity scenarios. Developers configuring custom policies must define the trusted relationships in careful detail to include metadata endpoints, exact claims exchange definitions, and configure secrets, keys, and certificates as needed by each identity provider.
- Learn more about custom policies in [Custom policies in Azure Active Directory B2C](custom-policy-overview.md). ## Protocols and tokens
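Review bot: the deleted paragraph was the only place on this page that sets the operational expectation for custom policies: that you must define trust relationships in detail, including metadata endpoints and exact claims exchange definitions, and configure secrets, keys and certificates for each identity provider. That cost is what justifies the "use the built-in user flows unless you have complex user journey scenarios" recommendation in the User flows section above, so keep at least that sentence, and consider keeping the one-line description of custom policies as a hierarchy of XML files defining claims schema, transformations, technical profiles and orchestration steps, since it explains what "custom policy" concretely means before the reader follows the link.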
Learn more about custom policies in [Custom policies in Azure Active Directory B
- For external identities, Azure AD B2C supports federation with any OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML identity providers.
-The following diagram shows how Azure AD B2C can communicate using a variety of protocols within the same authentication flow:
+The following diagram shows how Azure AD B2C can communicate using various protocols within the same authentication flow:
![Diagram of OIDC-based client app federating with a SAML-based IdP](media/technical-overview/protocols.png)
-1. The relying party application initiates an authorization request to Azure AD B2C using OpenID Connect.
+1. The relying party application starts an authorization request to Azure AD B2C using OpenID Connect.
1. When a user of the application chooses to sign in using an external identity provider that uses the SAML protocol, Azure AD B2C invokes the SAML protocol to communicate with that identity provider. 1. After the user completes the sign-in operation with the external identity provider, Azure AD B2C then returns the token to the relying party application using OpenID Connect. ## Application integration
-When a user wants to sign in to your application, whether it's a web, mobile, desktop, or single-page application (SPA), the application initiates an authorization request to a user flow- or custom policy-provided endpoint. The user flow or custom policy defines and controls the user's experience. When they complete a user flow, for example the *sign-up or sign-in* flow, Azure AD B2C generates a token, then redirects the user back to your application.
+When a user wants to sign in to your application, the application initiates an authorization request to a user flow- or custom policy-provided endpoint. The user flow or custom policy defines and controls the user's experience. When they complete a user flow, for example the *sign-up or sign-in* flow, Azure AD B2C generates a token, then redirects the user back to your application.
![Mobile app with arrows showing flow between Azure AD B2C sign-in page](media/technical-overview/app-integration.png)
Multiple applications can use the same user flow or custom policy. A single appl
For example, to sign in to an application, the application uses the *sign up or sign in* user flow. After the user has signed in, they may want to edit their profile, so the application initiates another authorization request, this time using the *profile edit* user flow.
-## Seamless user experiences
+## User experiences
-In Azure AD B2C, you can craft your users' identity experiences so that the pages they're shown blend seamlessly with the look and feel of your brand. You get nearly full control of the HTML and CSS content presented to your users when they proceed through your application's identity journeys. With this flexibility, you can maintain brand and visual consistency between your application and Azure AD B2C.
+In Azure AD B2C, you can craft your users' identity experiences so that the pages are shown blend seamlessly with the look and feel of your brand. You get nearly full control of the HTML and CSS content presented to your users when they proceed through your application's identity journeys. With this flexibility, you can maintain brand and visual consistency between your application and Azure AD B2C.
![Screenshots of brand-customized sign-up sign-in page](media/technical-overview/seamless-ux.png)
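Review bot: the reworded `+` line under `## User experiences` is ungrammatical: "so that the pages are shown blend seamlessly" drops the subject that "blend" needs. Either keep the original clause, "so that the pages they're shown blend seamlessly with the look and feel of your brand", or restructure to "so that the pages shown to users blend seamlessly with the look and feel of your brand".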
If you choose to use custom policies, you can integrate with a RESTful API in a
* Enrich user data by further integrating with your corporate line-of-business application. * Using RESTful calls, you can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and more.
-Loyalty programs are another scenario enabled by Azure AD B2C's support for calling REST APIs. For example, your RESTful service can receive a user's email address, query your customer database, then return the user's loyalty number to Azure AD B2C. The return data can be stored in the user's directory account in Azure AD B2C, then be further evaluated in subsequent steps in the policy, or be included in the access token.
+Loyalty programs are another scenario enabled by Azure AD B2C's support for calling REST APIs. For example, your RESTful service can receive a user's email address, query your customer database, then return the user's loyalty number to Azure AD B2C.
+
+The return data can be stored in the user's directory account in Azure AD B2C. The data then can be further evaluated in subsequent steps in the policy, or be included in the access token.
![Line-of-business integration in a mobile application](media/technical-overview/lob-integration.png)
You can add a REST API call at any step in the user journey defined by a custom
* After Azure AD B2C creates a new account in the directory * Before Azure AD B2C issues an access token
-To see how to use custom policies for RESTful API integration in Azure AD B2C, see [Integrate REST API claims exchanges in your Azure AD B2C custom policy](custom-policy-rest-api-intro.md).
+To see how to use custom policies for RESTful API integration in Azure AD B2C, see [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md).
## Protect customer identities
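Review bot: the link text no longer matches its target on the `+` line "To see how to use custom policies for RESTful API integration": the anchor text still reads "Integrate REST API claims exchanges in your Azure AD B2C custom policy", but the target is now api-connectors-overview.md, whose title in this same change set is "About API connectors in Azure AD B2C". Retitle the link to the new article, or keep it pointing at the custom-policy REST API article if that page still exists.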
For more information about Azure AD roles, including Azure AD B2C administration
### Multi-factor authentication (MFA)
-Azure AD B2C multi-factor authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for your users. It provides additional security by requiring a second form of authentication, and delivers strong authentication by offering a range of easy-to-use authentication methods. Your users may or may not be challenged for MFA based on configuration decisions that you can make as an administrator.
+Azure AD B2C multi-factor authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for your users. It provides additional security by requiring a second form of authentication, and delivers strong authentication by offering a range of easy-to-use authentication methods.
+
+Your users may or may not be challenged for MFA based on configuration decisions that you can make as an administrator.
See how to enable MFA in user flows in [Enable multi-factor authentication in Azure Active Directory B2C](multi-factor-authentication.md).
In an audit log, which is available for your Azure AD B2C tenant or for a partic
![Individual user audit log shown in the Azure portal](media/technical-overview/audit-log.png)
-For additional details on audit logs, see [Accessing Azure AD B2C audit logs](view-audit-logs.md).
+For more information on audit logs, see [Accessing Azure AD B2C audit logs](view-audit-logs.md).
### Usage insights
-Azure AD B2C allows you to discover when people sign up or sign in to your web app, where your users are located, and what browsers and operating systems they use. By integrating Azure Application Insights into Azure AD B2C by using custom policies, you can gain insight into how people sign up, sign in, reset their password or edit their profile. With such knowledge, you can make data-driven decisions for your upcoming development cycles.
+Azure AD B2C allows you to discover when people sign up or sign in to your app, where the users are located, and what browsers and operating systems they use.
+
+By integrating Azure Application Insights into Azure AD B2C custom policies, you can gain insight into how people sign up, sign in, reset their password or edit their profile. With such knowledge, you can make data-driven decisions for your upcoming development cycles.
-Find out more about usage analytics in [Track user behavior in Azure Active Directory B2C using Application Insights](analytics-with-application-insights.md).
+For more information, see [Track user behavior in Azure Active Directory B2C using Application Insights](analytics-with-application-insights.md).
## Next steps
active-directory-b2c Threat Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/threat-management.md
To manage password protection settings, including the lockout threshold:
## View locked-out accounts
-To obtain information about locked-out accounts, you can check the Active Directory [sign-in activity report](../active-directory/reports-monitoring/reference-sign-ins-error-codes.md). Under **Status**, select **Failure**. Failed sign-in attempts with a **Sign-in error code** of `50053` indicate a locked account:
+To obtain information about locked-out accounts, you can check the Active Directory [sign-in activity report](../active-directory/reports-monitoring/concept-sign-ins.md). Under **Status**, select **Failure**. Failed sign-in attempts with a **Sign-in error code** of `50053` indicate a locked account:
![Section of Azure AD sign-in report showing locked-out account](./media/threat-management/portal-01-locked-account.png)
-To learn about viewing the sign-in activity report in Azure Active Directory, see [Sign-in activity report error codes](../active-directory/reports-monitoring/reference-sign-ins-error-codes.md).
+To learn about viewing the sign-in activity report in Azure Active Directory, see [Sign-in activity report error codes](../active-directory/reports-monitoring/concept-sign-ins.md).
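Review bot: both `+` lines retarget the link from reference-sign-ins-error-codes.md to concept-sign-ins.md, but the second link's text still reads "Sign-in activity report error codes". concept-sign-ins.md describes the report itself rather than the error-code table, and the paragraph above relies on readers being able to look up code `50053`; either keep the error-code reference page for that second sentence or change the link text to match the new target.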
active-directory-b2c Tutorial Register Spa https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-register-spa.md
Azure AD B2C provides **two** options to enable single-page applications to sign
This is the **recommended** approach. Having limited-lifetime refresh tokens helps your application adapt to [modern browser cookie privacy limitations](../active-directory/develop/reference-third-party-cookies-spas.md), like Safari ITP.
-To take advantage of this flow, your application can use an authentication library that supports it, like [MSAL.js 2.x](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa).
+To take advantage of this flow, your application can use an authentication library that supports it, like [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser).
![Single-page applications-auth](./media/tutorial-single-page-app/spa-app-auth.svg) ### Implicit grant flow-- [OAuth 2.0 implicit flow](implicit-flow-single-page-application.md). Some frameworks, like [MSAL.js 1.x](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp), only support the implicit grant flow. The implicit grant flow allows the application to get **ID** and **Access** tokens. Unlike the authorization code flow, implicit grant flow does not return a **Refresh token**.
+- [OAuth 2.0 implicit flow](implicit-flow-single-page-application.md). Some libraries, like [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core), only support the implicit grant flow. The implicit grant flow allows the application to get **ID** and **Access** tokens. Unlike the authorization code flow, implicit grant flow does not return a **Refresh token**.
![Single-page applications-implicit](./media/tutorial-single-page-app/spa-app.svg)
active-directory-b2c Tutorial Single Page App Webapi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-single-page-app-webapi.md
In this section, you update the single-page web application to call the Node.js
To change the settings in the SPA:
-1. In the [active-directory-b2c-javascript-msal-singlepageapp][github-js-spa] project you downloaded or cloned in the previous tutorial, open the *apiConfig.js* file inside the *JavaScriptSPA* folder.
+1. In the [ms-identity-b2c-javascript-spa][github-js-spa] project you downloaded or cloned in the previous tutorial, open the *apiConfig.js* file inside the *App* folder.
1. Configure the sample with the URI for the *demo.read* scope you created earlier and the URL of the web API. 1. In the `apiConfig` definition, replace the `b2cScopes` value with the full URI for the *demo.read* scope (the **Scope** value you recorded earlier). 1. Change the domain in the `webApi` value to the redirect URI you added when you registered the web API application in an earlier step.
Now that you've seen an SPA request a resource from a protected web API, gain a
> [Application types that can be used in Active Directory B2C >](application-types.md) <!-- Links - EXTERNAL -->
-[github-js-spa]: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp
+[github-js-spa]: https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa
active-directory-b2c Tutorial Single Page App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-single-page-app.md
# Tutorial: Enable authentication in a single-page application with Azure AD B2C
-This tutorial shows you how to use Azure Active Directory B2C (Azure AD B2C) to sign up and sign in users in a single-page application (SPA) using either:
-* [OAuth 2.0 authorization code flow](./authorization-code-flow.md) (using [MSAL.js 2.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser))
-* [OAuth 2.0 implicit grant flow](./implicit-flow-single-page-application.md) (using [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core))
+This tutorial shows you how to use Azure Active Directory B2C (Azure AD B2C) to sign up and sign in users in a single-page application (SPA) using the [OAuth 2.0 authorization code flow](./authorization-code-flow.md) via [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser))
In this tutorial, the first in a two-part series:
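Review bot: the rewritten `+` line has an unbalanced parenthesis and no terminating period: "via [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser))". Drop the extra ")" and end the sentence with a period. Since the sentence no longer introduces the two-item list ("using either:"), also check that the next line, "In this tutorial, the first in a two-part series:", still renders as the intended lead-in.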
In the [second tutorial](./tutorial-register-spa.md) that you completed as part
To update an application in your Azure AD B2C tenant, you can use our new unified **App registrations** experience or our legacy **Applications (Legacy)** experience. [Learn more about the new experience](./app-registrations-training-guide.md).
-#### [App registrations (auth code flow)](#tab/app-reg-auth/)
+#### [App registrations](#tab/app-reg-auth/)
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
To update an application in your Azure AD B2C tenant, you can use our new unifie
1. Select **Overview**. 1. Record the **Application (client) ID** for use in a later step when you update the code in the single-page web application.
-#### [App registrations (implicit flow)](#tab/app-reg-implicit/)
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
-1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
-1. Select **App registrations**, select the **Owned applications** tab, and then select the *spaapp1* application.
-1. Under **Single-page Application**, select the **Add URI** link, then enter `http://localhost:6420`.
-1. Under **Implicit Grant**, select the checkboxes for **Access Tokens** and **ID Tokens** if not already selected and then select **Save**.
-1. Select **Overview**.
-1. Record the **Application (client) ID** for use in a later step when you update the code in the single-page web application.
- #### [Applications (Legacy)](#tab/applications-legacy/) 1. Sign in to the [Azure portal](https://portal.azure.com).
To update an application in your Azure AD B2C tenant, you can use our new unifie
In this tutorial, you configure a code sample that you download from GitHub to work with your B2C tenant. The sample demonstrates how a single-page application can use Azure AD B2C for user sign-up and sign-in, and to call a protected web API (you enable the web API in the next tutorial in the series).
-* MSAL.js 2.x authorization code flow sample:
+ [Download a zip file](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa/archive/main.zip) or clone the sample from GitHub:
- [Download a zip file](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa/archive/main.zip) or clone the sample from GitHub:
-
- ```
- git clone https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa.git
- ```
-* MSAL.js 1.x implicit flow sample:
-
- [Download a zip file](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/archive/master.zip) or clone the sample from GitHub:
-
- ```
- git clone https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp.git
- ```
+ ```
+ git clone https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa.git
+ ```
## Update the sample Now that you've obtained the sample, update the code with your Azure AD B2C tenant name and the application ID you recorded in an earlier step.
-#### [Auth code flow sample](#tab/config-auth/)
- 1. Open the *authConfig.js* file inside the *App* folder. 1. In the `msalConfig` object, find the assignment for `clientId` and replace it with the **Application (client) ID** you recorded in an earlier step. 1. Open the `policies.js` file.
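Review bot: once the "* MSAL.js 2.x authorization code flow sample:" bullet is removed, the retained `+` lines ("[Download a zip file] ... or clone the sample from GitHub:" and the fenced `git clone` block) keep their list-item indentation and now hang under nothing. Dedent them so the fence renders as a top-level code block, and tag the fence `console` to match the `cd ms-identity-b2c-javascript-spa` block under `## Run the sample`.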
Now that you've obtained the sample, update the code with your Azure AD B2C tena
1. Find the assignment for `b2cScopes` and replace the URL with the scope URL you created for the Web API, for example `b2cScopes: ["https://<your-tenant-name>.onmicrosoft.com/helloapi/demo.read"]`. 1. Find the assignment for `webApi` and replace the current URL with the URL where you deployed your Web API in Step 4, for example `webApi: http://localhost:5000/hello`.
-#### [Implicit flow sample](#tab/config-implicit/)
-
-1. Open the *authConfig.js* file inside the *JavaScriptSPA* folder.
-1. In the `msalConfig` object, find the assignment for `clientId` and replace it with the **Application (client) ID** you recorded in an earlier step.
-1. Open the `policies.js` file.
-1. Find the entries under `names` and replace their assignment with the name of the user-flows you created in an earlier step, for example `B2C_1_signupsignin1`.
-1. Find the entries under `authorities` and replace them as appropriate with the names of the user-flows you created in an earlier step, for example `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`.
-1. Open the `apiConfig.js` file.
-1. Find the assignment for `b2cScopes` and replace the URL with the scope URL you created for the Web API, for example `b2cScopes: ["https://<your-tenant-name>.onmicrosoft.com/helloapi/demo.read"]`.
-1. Find the assignment for `webApi` and replace the current URL with the URL where you deployed your Web API in Step 4, for example `webApi: http://localhost:5000/hello`.
-
-* * *
Your resulting code should look similar to following:
-#### [Auth code flow sample](#tab/review-auth/)
- *authConfig.js*: ```javascript
const apiConfig = {
}; ```
-#### [Implicit flow sample](#tab/review-implicit/)
-
-*authConfig.js*:
-
-```javascript
-const msalConfig = {
- auth: {
- clientId: "e760cab2-b9a1-4c0d-86fb-ff7084abd902",
- authority: b2cPolicies.authorities.signUpSignIn.authority,
- validateAuthority: false
- },
- cache: {
- cacheLocation: "localStorage",
- storeAuthStateInCookie: true
- }
-};
-
-const loginRequest = {
- scopes: ["openid", "profile"],
-};
-
-const tokenRequest = {
- scopes: apiConfig.b2cScopes // i.e. ["https://fabrikamb2c.onmicrosoft.com/helloapi/demo.read"]
-};
-```
-
-*policies.js*:
-
-```javascript
-const b2cPolicies = {
- names: {
- signUpSignIn: "b2c_1_susi",
- forgotPassword: "b2c_1_reset",
- editProfile: "b2c_1_edit_profile"
- },
- authorities: {
- signUpSignIn: {
- authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_susi",
- },
- forgotPassword: {
- authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_reset",
- },
- editProfile: {
- authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_edit_profile"
- }
- },
-}
-```
-
-*apiConfig.js*:
-
-```javascript
-const apiConfig = {
- b2cScopes: ["https://fabrikamb2c.onmicrosoft.com/helloapi/demo.read"],
- webApi: "https://fabrikamb2chello.azurewebsites.net/hello"
-};
-```
-
-* * *
- ## Run the sample
-1. Open a console window and navigate to the directory containing the sample.
-
- - For MSAL.js 2.x authorization code flow sample:
-
- ```console
- cd ms-identity-b2c-javascript-spa
- ```
- - For MSAL.js 1.x implicit flow sample:
+1. Open a console window and navigate to the directory containing the sample.
- ```console
- cd active-directory-b2c-javascript-msal-singlepageapp
- ```
+ ```console
+ cd ms-identity-b2c-javascript-spa
+ ```
1. Run the following commands:
active-directory-b2c User Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/user-migration.md
Previously updated : 03/11/2021 Last updated : 04/27/2021
Use the seamless migration flow if plaintext passwords in the old identity provi
- The password is stored in a one-way encrypted format, such as with a hash function. - The password is stored by the legacy identity provider in a way that you can't access. For example, when the identity provider validates credentials by calling a web service.
-The seamless migration flow still requires pre migration of user accounts, but then uses a [custom policy](user-flow-overview.md) to query a [REST API](custom-policy-rest-api-intro.md) (which you create) to set each users' password at first sign-in.
+The seamless migration flow still requires pre migration of user accounts, but then uses a [custom policy](user-flow-overview.md) to query a [REST API](api-connectors-overview.md) (which you create) to set each users' password at first sign-in.
-The seamless migration flow thus has two phases: *pre migration* and *set credentials*.
+The seamless migration flow consists of two phases: *pre migration* and *set credentials*.
### Phase 1: Pre migration
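Review bot: "set each users' password" on the first `+` line should be "each user's password" (singular possessive); since the line is being retyped anyway, fix it here. Separately, the "REST API" link now points at api-connectors-overview.md while the sentence describes a custom policy querying a REST API you create; confirm that article still covers the custom-policy REST API claims exchange the sentence refers to, not only user-flow API connectors.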
To see an example custom policy and REST API, see the [seamless user migration s
![Flowchart diagram of the seamless migration approach to user migration](./media/user-migration/diagram-01-seamless-migration.png)<br />*Diagram: Seamless migration flow*
-## Best practices
-
-### Security
+## Security
The seamless migration approach uses your own custom REST API to validate a user's credentials against the legacy identity provider. **You must protect your REST API against brute-force attacks.** An attacker can submit several passwords in the hope of eventually guessing a user's credentials. To help defeat such attacks, stop serving requests to your REST API when the number of sign-in attempts passes a certain threshold. Also, secure the communication between Azure AD B2C and your REST API. To learn how to secure your RESTful APIs for production, see [Secure RESTful API](secure-rest-api.md).
-### User attributes
+## User attributes
Not all information in the legacy identity provider should be migrated to your Azure AD B2C directory. Identify the appropriate set of user attributes to store in Azure AD B2C before migrating.
Before you start the migration process, take the opportunity to clean up your di
- Identify the set of user attributes to be stored in Azure AD B2C, and migrate only what you need. If necessary, you can create [custom attributes](user-flow-custom-attributes.md) to store more data about a user. - If you're migrating from an environment with multiple authentication sources (for example, each application has its own user directory), migrate to a unified account in Azure AD B2C.-- If multiple applications have different usernames, you can store all of them in an Azure AD B2C user account by using the identities collection. With regard to the password, let the user choose one and set it in the directory. For example, with the seamless migration, only the chosen password should be stored in the Azure AD B2C account.-- Remove unused user accounts before migration, or do not migrate stale accounts.
+- If multiple applications have different usernames, you can store all of them in an Azure AD B2C user account by using the identities collection. About the password, let the user choose one and set it in the directory. For example, with the seamless migration, only the chosen password should be stored in the Azure AD B2C account.
+- Remove unused user accounts, or don't migrate stale accounts.
-### Password policy
+## Password policy
If the accounts you're migrating have weaker password strength than the [strong password strength](../active-directory/authentication/concept-sspr-policy.md) enforced by Azure AD B2C, you can disable the strong password requirement. For more information, see [Password policy property](user-profile-attributes.md#password-policy-attribute).
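Review bot: "About the password, let the user choose one" on the first `+` line reads awkwardly; the original "With regard to the password" was clearer, or use "For the password, let the user choose one and set it in the directory." The second `+` line also drops "before migration" from "Remove unused user accounts before migration"; keep it, because the timing is the point of that bullet.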
active-directory-b2c User Profile Attributes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/user-profile-attributes.md
Previously updated : 03/09/2021 Last updated : 04/27/2021
The table below lists the [user resource type](/graph/api/resources/user) attrib
|immutableId |String|An identifier that is typically used for users migrated from on-premises Active Directory.|No|No|Persisted, Output| |legalAgeGroupClassification|String|Legal age group classification. Read-only and calculated based on ageGroup and consentProvidedForMinor properties. Allowed values: null, minorWithOutParentalConsent, minorWithParentalConsent, minorNoParentalConsentRequired, notAdult, and adult.|Yes|No|Persisted, Output| |legalCountry<sup>1</sup> |String|Country/Region for legal purposes.|No|No|Persisted, Output|
-|mail |String|The SMTP address for the user, for example, "bob@contoso.com". Read-only.|No|No|Persisted, Output|
|mailNickName |String|The mail alias for the user. Max length 64.|No|No|Persisted, Output| |mobile (mobilePhone) |String|The primary cellular telephone number for the user. Max length 64.|Yes|No|Persisted, Output| |netId |String|Net ID.|No|No|Persisted, Output|
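Review bot: the `-` line removes the `mail` row from the attribute table with no replacement, so the page no longer documents the `mail` property at all. If `mail` is intentionally unsupported or read-only in Azure AD B2C, say so explicitly (a note, or a row marked accordingly); otherwise restore the row. Silently dropping a property is confusing for readers mapping Graph user attributes.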
active-directory-domain-services Create Gmsa https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/create-gmsa.md
For more information about gMSAs, see [Getting started with group managed servic
[create-custom-ou]: create-ou.md <!-- EXTERNAL LINKS -->
-[New-ADOrganizationalUnit]: /powershell/module/addsadministration/New-AdOrganizationalUnit
-[New-ADServiceAccount]: /powershell/module/addsadministration/New-AdServiceAccount
+[New-ADOrganizationalUnit]: /powershell/module/activedirectory/new-adorganizationalunit
+[New-ADServiceAccount]: /powershell/module/activedirectory/New-AdServiceAccount
[gmsa-overview]: /windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview [gmsa-start]: /windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
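Review bot: the two `+` link targets are inconsistent in case: `/powershell/module/activedirectory/new-adorganizationalunit` is all lowercase while `/powershell/module/activedirectory/New-AdServiceAccount` keeps mixed case. Use one form for both; lowercase matches the other files in this change set (`get-adcomputer`, `set-adcomputer`, `set-aduser`).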
active-directory-domain-services Deploy Azure App Proxy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/deploy-azure-app-proxy.md
With the Azure AD Application Proxy integrated with Azure AD DS, publish applica
[create-azure-ad-ds-instance]: tutorial-create-instance.md [create-join-windows-vm]: join-windows-vm.md [azure-bastion]: ../bastion/tutorial-create-host-portal.md
-[Get-ADComputer]: /powershell/module/addsadministration/get-adcomputer
-[Set-ADComputer]: /powershell/module/addsadministration/set-adcomputer
+[Get-ADComputer]: /powershell/module/activedirectory/get-adcomputer
+[Set-ADComputer]: /powershell/module/activedirectory/set-adcomputer
active-directory-domain-services Deploy Kcd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/deploy-kcd.md
To learn more about how delegation works in Active Directory Domain Services, se
[create-azure-ad-ds-instance]: tutorial-create-instance.md [create-join-windows-vm]: join-windows-vm.md [tutorial-create-management-vm]: tutorial-create-management-vm.md
-[Set-ADComputer]: /powershell/module/addsadministration/set-adcomputer
-[Set-ADUser]: /powershell/module/addsadministration/set-aduser
+[Set-ADComputer]: /powershell/module/activedirectory/set-adcomputer
+[Set-ADUser]: /powershell/module/activedirectory/set-aduser
<!-- EXTERNAL LINKS -->
-[kcd-technet]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj553400(v=ws.11)
+[kcd-technet]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj553400(v=ws.11)
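Review bot: the `-`/`+` pair for `[kcd-technet]` shows identical visible text, so this is a whitespace-only change (trailing whitespace or a line ending). Fine to keep, but confirm the file's line endings were not converted wholesale, since that would bloat diffs on later edits.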
active-directory-domain-services Tutorial Configure Ldaps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/tutorial-configure-ldaps.md
Before you can use the digital certificate created in the previous step with you
On the **Security** page, choose the option for **Password** to protect the *.PFX* certificate file. The encryption algorithm must be *TripleDES-SHA1*. Enter and confirm a password, then select **Next**. This password is used in the next section to enable secure LDAP for your managed domain.
- If you export using the [PowerShell export-pfxcertificate cmdlet](/powershell/module/pkiclient/export-pfxcertificate), you need to pass the *-CryptoAlgorithmOption* flag using TripleDES_SHA1.
+ If you export using the [PowerShell export-pfxcertificate cmdlet](/powershell/module/pki/export-pfxcertificate), you need to pass the *-CryptoAlgorithmOption* flag using TripleDES_SHA1.
![Screenshot of how to encrypt the password](./media/tutorial-configure-ldaps/encrypt.png)
For the certificate subject name match, the DC will use the Azure ADDS domain na
The client attempts to establish the TLS connection using the name you provided. The traffic needs to get all the way through. The DC sends the public key of the server auth cert. The cert needs to have the right usage in the certificate, the name signed in the subject name must be compatible for the client to trust that the server is the DNS name which youΓÇÖre connecting to (that is, a wildcard will work, with no spelling mistakes), and the client must trust the issuer. You can check for any problems in that chain in the System log in Event Viewer, and filter the events where source equals Schannel. Once those pieces are in place, they form a session key.
-For more information, see [TLS Handshake](https://docs.microsoft.com/windows/win32/secauthn/tls-handshake-protocol).
+For more information, see [TLS Handshake](/windows/win32/secauthn/tls-handshake-protocol).
## Next steps
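Review bot: the context line beginning "The client attempts to establish the TLS connection" contains "youΓÇÖre", a mis-encoded curly apostrophe. While the link on the `+` line just below it is being made relative, replace that character with a plain ASCII apostrophe ("you're") in the same commit so the rendered page does not show mojibake.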
In this tutorial, you learned how to:
<!-- EXTERNAL LINKS --> [rsat]: /windows-server/remote/remote-server-administration-tools [ldap-query-basics]: /windows/desktop/ad/creating-a-query-filter
-[New-SelfSignedCertificate]: /powershell/module/pkiclient/new-selfsignedcertificate
+[New-SelfSignedCertificate]: /powershell/module/pki/new-selfsignedcertificate
active-directory Customize Application Attributes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/customize-application-attributes.md
Applications and systems that support customization of the attribute list includ
- ServiceNow - Workday to Active Directory / Workday to Azure Active Directory - SuccessFactors to Active Directory / SuccessFactors to Azure Active Directory-- Azure Active Directory ([Azure AD Graph API default attributes](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#user-entity) and custom directory extensions are supported). Learn more about [creating extensions](https://docs.microsoft.com/azure/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping#create-an-extension-attribute-on-a-cloud-only-user) and [known limitations](https://docs.microsoft.com/azure/active-directory/app-provisioning/known-issues).
+- Azure Active Directory ([Azure AD Graph API default attributes](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#user-entity) and custom directory extensions are supported). Learn more about [creating extensions](./user-provisioning-sync-attributes-for-mapping.md#create-an-extension-attribute-on-a-cloud-only-user) and [known limitations](./known-issues.md).
- Apps that support [SCIM 2.0](https://tools.ietf.org/html/rfc7643) - For Azure Active Directory writeback to Workday or SuccessFactors, it is supported to update relevant metadata for supported attributes (XPATH and JSONPath), but it is not supported to add new Workday or SuccessFactors attributes beyond those included in the default schema
Selecting this option will effectively force a resynchronization of all users wh
- [Writing Expressions for Attribute-Mappings](functions-for-customizing-application-data.md) - [Scoping Filters for User Provisioning](define-conditional-rules-for-provisioning-user-accounts.md) - [Using SCIM to enable automatic provisioning of users and groups from Azure Active Directory to applications](use-scim-to-provision-users-and-groups.md)-- [List of Tutorials on How to Integrate SaaS Apps](../saas-apps/tutorial-list.md)
+- [List of Tutorials on How to Integrate SaaS Apps](../saas-apps/tutorial-list.md)
active-directory What Is Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/what-is-application-proxy.md
+
+ Title: Publish on-premises apps with Azure Active Directory Application Proxy
+description: Understand why to use Application Proxy to publish on-premises web applications externally to remote users. Learn about Application Proxy architecture, connectors, authentication methods, and security benefits.
+++++++ Last updated : 04/27/2021++++
+# Using Azure AD Application Proxy to publish on-premises apps for remote users
+
+Azure Active Directory (Azure AD) offers many capabilities for protecting users, apps, and data in the cloud and on-premises. In particular, the Azure AD Application Proxy feature can be implemented by IT professionals who want to publish on-premises web applications externally. Remote users who need access to internal apps can then access them in a secure manner.
+
+The ability to securely access internal apps from outside your network becomes even more critical in the modern workplace. With scenarios such as BYOD (Bring Your Own Device) and mobile devices, IT professionals are challenged to meet two goals:
+
+* Empower end users to be productive anytime and anywhere
+* Protect corporate assets at all times
+
+Many organizations believe they are in control and protected when resources exist within the boundaries of their corporate networks. But in today's digital workplace, that boundary has expanded with managed mobile devices and resources and services in the cloud. Now you need to manage the complexity of protecting your users' identities and data stored on their devices and apps.
+
+Perhaps you're already using Azure AD to manage users in the cloud who need to access Microsoft 365 and other SaaS applications, as well as web apps hosted on-premises. If you already have Azure AD, you can leverage it as one control plane to allow seamless and secure access to your on-premises applications. Or, maybe you're still contemplating a move to the cloud. If so, you can begin your journey to the cloud by implementing Application Proxy and taking the first step towards building a strong identity foundation.
+
+While not comprehensive, the list below illustrates some of the things you can enable by implementing App Proxy in a hybrid coexistence scenario:
+
+* Publish on-premises web apps externally in a simplified way without a DMZ
+* Support single sign-on (SSO) across devices, resources, and apps in the cloud and on-premises
+* Support multi-factor authentication for apps in the cloud and on-premises
+* Quickly leverage cloud features with the security of the Microsoft Cloud
+* Centralize user account management
+* Centralize control of identity and security
+* Automatically add or remove user access to applications based on group membership
+
+This article explains how Azure AD and Application Proxy give remote users a single sign-on (SSO) experience. Users securely connect to on-premises apps without a VPN or dual-homed servers and firewall rules. This article helps you understand how Application Proxy brings the capabilities and security advantages of the cloud to your on-premises web applications. It also describes the architecture and topologies that are possible.
+
+## Remote access in the past
+
+Previously, your control plane for protecting internal resources from attackers while facilitating access by remote users was all in the DMZ, or perimeter network. But the VPN and reverse proxy solutions deployed in the DMZ used by external clients to access corporate resources aren't suited to the cloud world. They typically suffer from the following drawbacks:
+
+* Hardware costs
+* Maintaining security (patching, monitoring ports, etc.)
+* Authenticating users at the edge
+* Authenticating users to web servers in the perimeter network
+* Maintaining VPN access for remote users with the distribution and configuration of VPN client software. Also, maintaining domain-joined servers in the DMZ, which can be vulnerable to outside attacks.
+
+In today's cloud-first world, Azure AD is best suited to control who and what gets into your network. Azure AD Application Proxy integrates with modern authentication and cloud-based technologies, like SaaS applications and identity providers. This integration enables users to access apps from anywhere. Not only is App Proxy more suited for today's digital workplace, it's more secure than VPN and reverse proxy solutions and easier to implement. Remote users can access your on-premises applications the same way they access Microsoft and other SaaS apps integrated with Azure AD. You don't need to change or update your applications to work with Application Proxy. Furthermore, App Proxy doesn't require you to open inbound connections through your firewall. With App Proxy, you simply set it and forget it.
+
+## The future of remote access
+
+In today's digital workplace, users work anywhere with multiple devices and apps. The only constant is user identity. That's why the first step to a secure network today is to use [Azure AD's identity management](../../security/fundamentals/identity-management-overview.md) capabilities as your security control plane. A model that uses identity as your control plane is typically comprised of the following components:
+
+* An identity provider to keep track of users and user-related information.
+* Device directory to maintain a list of devices that have access to corporate resources. This directory includes corresponding device information (for example, type of device, integrity etc.).
+* Policy evaluation service to determine if a user and device conforms to the policy set forth by security admins.
+* The ability to grant or deny access to organizational resources.
+
+With Application Proxy, Azure AD keeps track of users who need to access web apps published on-premises and in the cloud. It provides a central management point for those apps. While not required, it's recommended you also enable Azure AD Conditional Access. By defining conditions for how users authenticate and gain access, you further ensure the right people have access to applications.
+
+**Note:** It's important to understand that Azure AD Application Proxy is intended as a VPN or reverse proxy replacement for roaming (or remote) users who need access to internal resources. It's not intended for internal users on the corporate network. Internal users who unnecessarily use Application Proxy can introduce unexpected and undesirable performance issues.
+
+![Azure Active Directory and all your apps](media/what-is-application-proxy/azure-ad-and-all-your-apps.png)
+
+### An overview of how App Proxy works
+
+Application Proxy is an Azure AD service you configure in the Azure portal. It enables you to publish an external public HTTP/HTTPS URL endpoint in the Azure Cloud, which connects to an internal application server URL in your organization. These on-premises web apps can be integrated with Azure AD to support single sign-on. End users can then access on-premises web apps in the same way they access Microsoft 365 and other SaaS apps.
+
+Components of this feature include the Application Proxy service, which runs in the cloud, the Application Proxy connector, which is a lightweight agent that runs on an on-premises server, and Azure AD, which is the identity provider. All three components work together to provide the user with a single sign-on experience to access on-premises web applications.
+
+After signing in, external users can access on-premises web applications by using a familiar URL or [My Apps](../user-help/my-apps-portal-end-user-access.md) from their desktop or iOS/MAC devices. For example, App Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint sites, Tableau, Qlik, Outlook on the web, and line-of-business (LOB) applications.
+
+![Azure AD Application Proxy architecture](media/what-is-application-proxy/azure-ad-application-proxy-architecture.png)
+
+### Authentication
+
+There are several ways to configure an application for single sign-on and the method you select depends on the authentication your application uses. Application Proxy supports the following types of applications:
+
+* Web applications
+* Web APIs that you want to expose to rich applications on different devices
+* Applications hosted behind a Remote Desktop Gateway
+* Rich client apps that are integrated with the [Microsoft Authentication Library (MSAL)](../develop/v2-overview.md)
+
+App Proxy works with apps that use the following native authentication protocol:
+
+* **[Integrated Windows Authentication (IWA)](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md).** For IWA, the Application Proxy connectors use Kerberos Constrained Delegation (KCD) to authenticate users to the Kerberos application.
+
+App Proxy also supports the following authentication protocols with third-party integration or in specific configuration scenarios:
+
+* [**Header-based authentication**](../manage-apps/application-proxy-configure-single-sign-on-with-headers.md). This sign-on method uses a third-party authentication service called PingAccess and is used when the application uses headers for authentication. In this scenario, authentication is handled by PingAccess.
+* [**Forms- or password-based authentication**](../manage-apps/application-proxy-configure-single-sign-on-password-vaulting.md). With this authentication method, users sign on to the application with a username and password the first time they access it. After the first sign-on, Azure AD supplies the username and password to the application. In this scenario, authentication is handled by Azure AD.
+* [**SAML authentication**](../manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md). SAML-based single sign-on is supported for applications that use either SAML 2.0 or WS-Federation protocols. With SAML single sign-on, Azure AD authenticates to the application by using the user's Azure AD account.
+
+For more information on supported methods, see [Choosing a single sign-on method](../manage-apps/sso-options.md#choosing-a-single-sign-on-method).
+
+### Security benefits
+
+The remote access solution offered by Application Proxy and Azure AD support several security benefits customers may take advantage of, including:
+
+* **Authenticated access**. Application Proxy is best suited to publish applications with [pre-authentication](../manage-apps/application-proxy-security.md#authenticated-access) to ensure that only authenticated connections hit your network. For applications published with pre-authentication, no traffic is allowed to pass through the App Proxy service to your on-premises environment, without a valid token. Pre-authentication, by its very nature, blocks a significant number of targeted attacks, as only authenticated identities can access the backend application.
+* **Conditional Access**. Richer policy controls can be applied before connections to your network are established. With Conditional Access, you can define restrictions on the traffic that you allow to hit your backend application. You create policies that restrict sign-ins based on location, strength of authentication, and user risk profile. As Conditional Access evolves, more controls are being added to provide additional security such as integration with Microsoft Cloud App Security (MCAS). MCAS integration enables you to configure an on-premises application for [real-time monitoring](../manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security.md) by leveraging Conditional Access to monitor and control sessions in real-time based on Conditional Access policies.
+* **Traffic termination**. All traffic to the backend application is terminated at the Application Proxy service in the cloud while the session is re-established with the backend server. This connection strategy means that your backend servers are not exposed to direct HTTP traffic. They are better protected against targeted DoS (denial-of-service) attacks because your firewall isn't under attack.
+* **All access is outbound**. The Application Proxy connectors only use outbound connections to the Application Proxy service in the cloud over ports 80 and 443. With no inbound connections, there's no need to open firewall ports for incoming connections or components in the DMZ. All connections are outbound and over a secure channel.
+* **Security Analytics and Machine Learning (ML) based intelligence**. Because it's part of Azure Active Directory, Application Proxy can leverage [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) (requires [Premium P2 licensing](https://azure.microsoft.com/pricing/details/active-directory/)). Azure AD Identity Protection combines machine-learning security intelligence with data feeds from Microsoft's [Digital Crimes Unit](https://news.microsoft.com/stories/cybercrime/https://docsupdatetracker.net/index.html) and [Microsoft Security Response Center](https://www.microsoft.com/msrc) to proactively identify compromised accounts. Identity Protection offers real-time protection from high-risk sign-ins. It takes into consideration factors like accesses from infected devices, through anonymizing networks, or from atypical and unlikely locations to increase the risk profile of a session. This risk profile is used for real-time protection. Many of these reports and events are already available through an API for integration with your SIEM systems.
+
+* **Remote access as a service**. You don't have to worry about maintaining and patching on-premises servers to enable remote access. Application Proxy is an internet scale service that Microsoft owns, so you always get the latest security patches and upgrades. Unpatched software still accounts for a large number of attacks. According to the Department of Homeland Security, as many as [85 percent of targeted attacks are preventable](https://www.us-cert.gov/ncas/alerts/TA15-119A). With this service model, you don't have to carry the heavy burden of managing your edge servers anymore and scramble to patch them as needed.
+
+* **Intune integration**. With Intune, corporate traffic is routed separately from personal traffic. Application Proxy ensures that the corporate traffic is authenticated. [Application Proxy and the Intune Managed Browser](/intune/app-configuration-managed-browser#how-to-configure-application-proxy-settings-for-protected-browsers) capability can also be used together to enable remote users to securely access internal websites from iOS and Android devices.
+
+### Roadmap to the cloud
+
+Another major benefit of implementing Application Proxy is extending Azure AD to your on-premises environment. In fact, implementing App Proxy is a key step in moving your organization and apps to the cloud. By moving to the cloud and away from on-premises authentication, you reduce your on-premises footprint and use Azure AD's identity management capabilities as your control plane. With minimal or no updates to existing applications, you have access to cloud capabilities such as single sign-on, multi-factor authentication, and central management. Installing the necessary components to App Proxy is a simple process for establishing a remote access framework. And by moving to the cloud, you have access to the latest Azure AD features, updates, and functionality, such as high availability and the disaster recovery.
+
+To learn more about migrating your apps to Azure AD, see the [Migrating Your Applications to Azure Active Directory](../manage-apps/migration-resources.md).
+
+## Architecture
+
+The following diagram illustrates in general how Azure AD authentication services and Application Proxy work together to provide single sign-on to on-premises applications to end users.
+
+![Azure AD Application Proxy authentication flow](media/what-is-application-proxy/azure-ad-application-proxy-authentication-flow.png)
+
+1. After the user has accessed the application through an endpoint, the user is redirected to the Azure AD sign-in page. If you've configured Conditional Access policies, specific conditions are checked at this time to ensure that you comply with your organization's security requirements.
+2. After a successful sign-in, Azure AD sends a token to the user's client device.
+3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token.
+4. Application Proxy forwards the request, which is picked up by the Application Proxy [connector](../manage-apps/application-proxy-connectors.md).
+5. The connector performs any additional authentication required on behalf of the user (*Optional depending on authentication method*), requests the internal endpoint of the application server and sends the request to the on-premises application.
+6. The response from the application server is sent through the connector to the Application Proxy service.
+7. The response is sent from the Application Proxy service to the user.
+
+|**Component**|**Description**|
+|:-|:-|
+|Endpoint|The endpoint is a URL or an [end-user portal](../manage-apps/end-user-experiences.md). Users can reach applications while outside of your network by accessing an external URL. Users within your network can access the application through a URL or an end-user portal. When users go to one of these endpoints, they authenticate in Azure AD and then are routed through the connector to the on-premises application.|
+|Azure AD|Azure AD performs the authentication using the tenant directory stored in the cloud.|
+|Application Proxy service|This Application Proxy service runs in the cloud as part of Azure AD. It passes the sign-on token from the user to the Application Proxy Connector. Application Proxy forwards any accessible headers on the request and sets the headers as per its protocol, to the client IP address. If the incoming request to the proxy already has that header, the client IP address is added to the end of the comma-separated list that is the value of the header.|
+|Application Proxy connector|The connector is a lightweight agent that runs on a Windows Server inside your network. The connector manages communication between the Application Proxy service in the cloud and the on-premises application. The connector only uses outbound connections, so you don't have to open any inbound ports or put anything in the DMZ. The connectors are stateless and pull information from the cloud as necessary. For more information about connectors, like how they load-balance and authenticate, see [Understand Azure AD Application Proxy connectors](../manage-apps/application-proxy-connectors.md).|
+|Active Directory (AD)|Active Directory runs on-premises to perform authentication for domain accounts. When single sign-on is configured, the connector communicates with AD to perform any additional authentication required.|
+|On-premises application|Finally, the user is able to access an on-premises application.|
+
+Azure AD Application Proxy consists of the cloud-based Application Proxy service and an on-premises connector. The connector listens for requests from the Application Proxy service and handles connections to the internal applications. It's important to note that all communications occur over TLS, and always originate at the connector to the Application Proxy service. That is, communications are outbound only. The connector uses a client certificate to authenticate to the Application Proxy service for all calls. The only exception to the connection security is the initial setup step where the client certificate is established. See the Application Proxy [Under the hood](../manage-apps/application-proxy-security.md#under-the-hood) for more details.
+
+### Application Proxy Connectors
+
+[Application Proxy connectors](../manage-apps/application-proxy-connectors.md) are lightweight agents deployed on-premises that facilitate the outbound connection to the Application Proxy service in the cloud. The connectors must be installed on a Windows Server that has access to the backend application. Users connect to the App Proxy cloud service that routes their traffic to the apps via the connectors as illustrated below.
+
+![Azure AD Application Proxy network connections](media/what-is-application-proxy/azure-ad-application-proxy-network-connections.png)
+
+Setup and registration between a connector and the App Proxy service is accomplished as follows:
+
+1. The IT administrator opens ports 80 and 443 to outbound traffic and allows access to several URLs that are needed by the connector, the App Proxy service, and Azure AD.
+2. The admin signs into the Azure portal and runs an executable to install the connector on an on-premises Windows server.
+3. The connector starts to "listen" to the App Proxy service.
+4. The admin adds the on-premises application to Azure AD and configures settings such as the URLs users need to connect to their apps.
+
+For more information, see [Plan an Azure AD Application Proxy deployment](../manage-apps/application-proxy-deployment-plan.md).
+
+It's recommended that you always deploy multiple connectors for redundancy and scale. The connectors, in conjunction with the service, take care of all the high availability tasks and can be added or removed dynamically. Each time a new request arrives it's routed to one of the connectors that is available. When a connector is running, it remains active as it connects to the service. If a connector is temporarily unavailable, it doesn't respond to this traffic. Unused connectors are tagged as inactive and removed after 10 days of inactivity.
+
+Connectors also poll the server to find out if there is a newer version of the connector. Although you can do a manual update, connectors will update automatically as long as the Application Proxy Connector Updater service is running. For tenants with multiple connectors, the automatic updates target one connector at a time in each group to prevent downtime in your environment.
+
+> [!NOTE]
+> You can monitor the Application Proxy [version history page](../manage-apps/application-proxy-release-version-history.md) to be notified when updates have been released by subscribing to its RSS feed.
+
+Each Application Proxy connector is assigned to a [connector group](../manage-apps/application-proxy-connector-groups.md). Connectors in the same connector group act as a single unit for high availability and load balancing. You can create new groups, assign connectors to them in the Azure portal, then assign specific connectors to serve specific applications. It's recommended to have at least two connectors in each connector group for high availability.
+
+Connector groups are useful when you need to support the following scenarios:
+
+* Geographical app publishing
+* Application segmentation/isolation
+* Publishing web apps running in the cloud or on-premises
+
+For more information about choosing where to install your connectors and optimizing your network, see [Network topology considerations when using Azure Active Directory Application Proxy](../manage-apps/application-proxy-network-topology.md).
+
+## Other use cases
+
+Up to this point, we've focused on using Application Proxy to publish on-premises apps externally while enabling single sign-on to all your cloud and on-premises apps. However, there are other use cases for App Proxy that are worth mentioning. They include:
+
+* **Securely publish REST APIs**. When you have business logic or APIs running on-premises or hosted on virtual machines in the cloud, Application Proxy provides a public endpoint for API access. API endpoint access lets you control authentication and authorization without requiring incoming ports. It provides additional security through Azure AD Premium features such as multi-factor authentication and device-based Conditional Access for desktops, iOS, MAC, and Android devices using Intune. To learn more, see [How to enable native client applications to interact with proxy applications](../manage-apps/application-proxy-configure-native-client-application.md) and [Protect an API by using OAuth 2.0 with Azure Active Directory and API Management](../../api-management/api-management-howto-protect-backend-with-aad.md).
+* **Remote Desktop Services** **(RDS)**. Standard RDS deployments require open inbound connections. However, the [RDS deployment with Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md) has a permanent outbound connection from the server running the connector service. This way, you can offer more applications to end users by publishing on-premises applications through Remote Desktop Services. You can also reduce the attack surface of the deployment with a limited set of two-step verification and Conditional Access controls to RDS.
+* **Publish applications that connect using WebSockets**. Support with [Qlik Sense](../manage-apps/application-proxy-qlik.md) is in Public Preview and will be expanded to other apps in the future.
+* **Enable native client applications to interact with proxy applications**. You can use Azure AD Application Proxy to publish web apps, but it also can be used to publish [native client applications](../manage-apps/application-proxy-configure-native-client-application.md) that are configured with the Azure AD Authentication Library (ADAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
+
+## Conclusion
+
+The way we work and the tools we use are changing rapidly. With more employees bringing their own devices to work and the pervasive use of Software-as-a-Service (SaaS) applications, the way organizations manage and secure their data must also evolve. Companies no longer operate solely within their own walls, protected by a moat that surrounds their border. Data travels to more locations than ever before -- across both on-premises and cloud environments. This evolution has helped increase users' productivity and ability to collaborate, but it also makes protecting sensitive data more challenging.
+
+Whether you're currently using Azure AD to manage users in a hybrid coexistence scenario or are interested in starting your journey to the cloud, implementing Azure AD Application Proxy can help reduce the size of your on-premises footprint by providing remote access as a service.
+
+Organizations should begin taking advantage of App Proxy today to take advantage of the following benefits:
+
+* Publish on-premises apps externally without the overhead associated with maintaining traditional VPN or other on-premises web publishing solutions and DMZ approach
+* Single sign-on to all applications, be they Microsoft 365 or other SaaS apps and including on-premises applications
+* Cloud scale security where Azure AD leverages Microsoft 365 telemetry to prevent unauthorized access
+* Intune integration to ensure corporate traffic is authenticated
+* Centralization of user account management
+* Automatic updates to ensure you have the latest security patches
+* New features as they are released; the most recent being support for SAML single sign-on and more granular management of application cookies
+
+## Next steps
+
+* For information about planning, operating, and managing Azure AD Application Proxy, see [Plan an Azure AD Application Proxy deployment](../manage-apps/application-proxy-deployment-plan.md).
+* To schedule a live demo or get a free 90-day trial for evaluation, see [Getting started with Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-trial).
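Review bot: the Digital Crimes Unit link in the "Security Analytics and Machine Learning (ML) based intelligence" bullet is malformed (`https://news.microsoft.com/stories/cybercrime/https://docsupdatetracker.net/index.html` concatenates two URLs) and will not resolve; restore the intended single URL before merging. Three consistency points in the same article: step 3 of the authentication flow expands SPN as "security principal name", whereas in the Kerberos Constrained Delegation context referenced under Integrated Windows Authentication the term is service principal name; the "Enable native client applications to interact with proxy applications" bullet under Other use cases says the clients are configured with the Azure AD Authentication Library (ADAL), while the Authentication section lists rich clients integrated with MSAL and links to the v2 overview, so state which library applies or mention both; and the "All access is outbound" bullet says connectors use ports 80 and 443 and that "all connections are outbound and over a secure channel", while the Architecture section says all communications occur over TLS, so say what port 80 is used for so the two statements do not read as contradictory. Minor: the Application Proxy service row of the component table refers to "the headers" that carry the client IP address without naming the header, which leaves the comma-separated-list sentence unactionable, and the "**Note:**" paragraph after the Conditional Access discussion uses bold text while the connector update note uses the `> [!NOTE]` callout; use the callout for both.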
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/whats-new-docs.md
+
+ Title: "What's new in Azure Active Directory application proxy"
+description: "New and updated documentation for the Azure Active Directory application proxy."
Last updated : 04/27/2021+++++++++
+# Azure Active Directory application proxy: What's new
+
+Welcome to what's new in Azure Active Directory application proxy documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the service, see [What's new in Azure Active Directory](../fundamentals/whats-new.md).
+
+## April 2021
+
+Application proxy content has moved out of the [application management content set](/azure/active-directory/manage-apps/) and into its own content set.
+
+## March 2021
+
+To learn about new and updated content in March, see the [what's new in application management](../manage-apps/whats-new-docs.md) content page.
active-directory Concept Continuous Access Evaluation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md
Previously updated : 08/28/2020 Last updated : 04/27/2021
In the following example, a Conditional Access administrator has configured a lo
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator 1. Browse to **Azure Active Directory** > **Security** > **Continuous access evaluation**. 1. Choose **Enable preview**.
+1. Select **Save**.
From this page, you can optionally limit the users and groups that will be subject to the preview.
+> [!WARNING]
+> To disable continuous access evaluation please select **Enable preview** then **Disable preview** and select **Save**.
+ ![Enabling the CAE preview in the Azure portal](./media/concept-continuous-access-evaluation/enable-cae-preview.png) ## Troubleshooting
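Review bot: the added warning's instruction for turning the preview off ("select **Enable preview** then **Disable preview** and select **Save**") reads as contradictory as written, since the reader is told to enable and then disable in one sentence; reword it to describe the control being toggled, for example "Under **Enable preview**, select **Disable preview**, then select **Save**." Also, the image line that follows carries a leading space after the `+` marker, which will render as an indented code block in some Markdown renderers; drop the space so the image renders.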
active-directory App Objects And Service Principals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/app-objects-and-service-principals.md
The first type of service principal is the local representation, or application
When an application is given permission to access resources in a tenant (upon registration or [consent](developer-glossary.md#consent)), a service principal object is created. You can also create service principal objects in a tenant using [Azure PowerShell](howto-authenticate-service-principal-powershell.md), [Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli), [Microsoft Graph](/graph/api/serviceprincipal-post-serviceprincipals?tabs=http), the [Azure portal][AZURE-Portal], and other tools. When using the portal, a service principal is created automatically when you register an application.
-The second type of service principal is used to represent a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview). Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly.
+The second type of service principal is used to represent a [managed identity](../managed-identities-azure-resources/overview.md). Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly.
The third type of service principal represents a legacy app (an app created before app registrations were introduced or created through legacy experiences). A legacy service principal can have credentials, service principal names, reply URLs, and other properties which are editable by an authorized user, but does not have an associated app registration. The service principal can only be used in the tenant where it was created.
In this example scenario:
<!--Reference style links --> [MS-Graph-App-Entity]: /graph/api/resources/application [MS-Graph-Sp-Entity]: /graph/api/resources/serviceprincipal
-[AZURE-Portal]: https://portal.azure.com
+[AZURE-Portal]: https://portal.azure.com
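Review bot: the `[AZURE-Portal]: https://portal.azure.com` reference definition is removed and re-added with identical visible text, so that part of the change is whitespace or a final newline only; fine to keep, but confirm it was intended. The switch from the absolute `/azure/active-directory/managed-identities-azure-resources/overview` path to the relative `../managed-identities-azure-resources/overview.md` only resolves if this article sits one directory below `articles/active-directory/`, as the `develop/` articles in this update do; run the link checker to confirm.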
active-directory Apple Sso Plugin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/apple-sso-plugin.md
To use the Microsoft Enterprise SSO plug-in for Apple devices:
### iOS requirements: - iOS 13.0 or higher must be installed on the device.-- A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For Public Preview, these applications are the [Microsoft Authenticator app](/azure/active-directory/user-help/user-help-auth-app-overview).
+- A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For Public Preview, these applications are the [Microsoft Authenticator app](../user-help/user-help-auth-app-overview.md).
### macOS requirements:
The end user sees the familiar experience and doesn't have to sign in again in e
## Next steps
-Learn about [Shared device mode for iOS devices](msal-ios-shared-devices.md).
+Learn about [Shared device mode for iOS devices](msal-ios-shared-devices.md).
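Review bot: the reworded requirement still reads "these applications are the [Microsoft Authenticator app]", a plural noun with a single application listed; since the line is being touched anyway, change it to "this application is the Microsoft Authenticator app" or list the other qualifying apps. The `Learn about [Shared device mode for iOS devices]` line is removed and re-added unchanged, so that hunk is whitespace only.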
active-directory Msal B2c Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-b2c-overview.md
The [Microsoft Authentication Library for JavaScript (MSAL.js)](https://github.c
By using Azure AD B2C as an identity management service, you can customize and control how your customers sign up, sign in, and manage their profiles when they use your applications. Azure AD B2C also enables you to brand and customize the UI that your application displays during the authentication process.
-The following sections demonstrate how to:
+## Supported app types and scenarios
-- Protect a Node.js web API-- Support sign-in in a single-page application (SPA) and call *that* protected web API-- Enable password reset support
+MSAL.js enables [single-page applications](https://docs.microsoft.com/azure/active-directory-b2c/application-types#single-page-applications) to sign-in users with Azure AD B2C using the [authorization code flow with PKCE](https://docs.microsoft.com/azure/active-directory-b2c/authorization-code-flow) grant. With MSAL.js and Azure AD B2C:
-## Prerequisites
+- Users **can** authenticate with their social and local identities.
+- Users **can** be authorized to access Azure AD B2C protected resources (but not Azure AD protected resources).
+- Users **cannot** obtain tokens for Microsoft APIs (e.g. MS Graph API) using [delegated permissions](https://review.docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent?branch=master#permission-types).
+- Users with administrator privileges **can** obtain tokens for Microsoft APIs (e.g. MS Graph API) using [delegated permissions](https://review.docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent?branch=master#permission-types).
-If you haven't already, create an [Azure AD B2C tenant](../../active-directory-b2c/tutorial-create-tenant.md).
-
-## Node.js web API
-
-The following steps demonstrate how a **web API** can use Azure AD B2C to protect itself and expose selected scopes to a client application.
-
-MSAL.js for Node is currently in development. For more information, see the [roadmap](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki#roadmap) on GitHub. We currently recommend using [passport-azure-ad](https://github.com/AzureAD/passport-azure-ad), an authentication library for Node.js developed and supported by Microsoft.
-
-### Step 1: Register your application
-
-To protect your web API with Azure AD B2C, you first need to register it. See [Register your application](../../active-directory-b2c/add-web-api-application.md) for detailed steps.
-
-### Step 2: Download the sample application
-
-Download the sample as a zip file, or clone it from GitHub:
-
-```console
-git clone https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi.git
-```
-
-### Step 3: Configure authentication
-
-1. Open the *config.json* file in the sample.
-
-2. Configure the sample with the application credentials that you obtained earlier while registering your application. Change the following lines of code by replacing the values with your tenant name, client ID, and policy name.
-
- ```json
- "credentials": {
- "tenantName": "<your-tenant-name>",
- "clientID": "<your-webapi-application-ID>"
- },
- "policies": {
- "policyName": "B2C_1_signupsignin1"
- },
- "resource": {
- "scope": ["demo.read"]
- },
- ```
-
-For more information, check out this [Node.js B2C web API sample](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi).
-
-## JavaScript SPA
-
-The following steps demonstrate how a **single-page application** can use Azure AD B2C to sign up, sign in, and call a protected web API.
-
-### Step 1: Register your application
-
-To implement authentication, you first need to register your application. See [Register your application](../../active-directory-b2c/tutorial-register-applications.md) for detailed steps.
-
-### Step 2: Download the sample application
-
-Download the code sample's [.ZIP archive](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/archive/master.zip) or clone the GitHub repository:
-
-```console
-git clone https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp.git
-```
-
-### Step 3: Configure authentication
-
-There are two points of interest in configuring your application:
--- Configure API endpoint and exposed scopes-- Configure authentication parameters and token scopes-
-1. Open the *apiConfig.js* file in the sample.
-
-2. Configure the sample with the parameters that you obtained earlier while registering your web API. Change the following lines of code by replacing the values with the address of your web API and exposed scopes.
-
- ```javascript
- // The current application coordinates were pre-registered in a B2C tenant.
- const apiConfig = {
- b2cScopes: ["https://fabrikamb2c.onmicrosoft.com/helloapi/demo.read"], //API scopes you exposed during api registration
- webApi: "https://fabrikamb2chello.azurewebsites.net/hello"
- };
- ```
-
-1. Open the *authConfig.js* file in the sample.
-
-1. Configure the sample with the parameters that you obtained earlier while registering your single-page application. Change the following lines of code by replacing the values with your ClientId, authority metadata and token request scopes.
-
- ```javascript
- // Config object to be passed to Msal on creation.
- const msalConfig = {
- auth: {
- clientId: "e760cab2-b9a1-4c0d-86fb-ff7084abd902",
- authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/B2C_1_signupsignin1",
- validateAuthority: false
- },
- cache: {
- cacheLocation: "localStorage", // This configures where your cache will be stored
- storeAuthStateInCookie: false // Set this to "true" to save cache in cookies
- }
- };
-
- // Add here scopes for id token to be used at the MS Identity Platform endpoint
- const loginRequest = {
- scopes: ["openid", "profile"],
- };
- ```
-
-For more information, check out this [JavaScript B2C single-page application sample](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp).
-
-## Support password reset
-
-In this section, you extend your single-page application to use the Azure AD B2C password reset user flow. Although MSAL.js doesn't currently support multiple user flows or custom policies natively, you're able to use the library to handle common use cases like password reset.
-
-The following steps assume you've already followed the steps in the preceding [JavaScript SPA](#javascript-spa) section.
-
-### Step 1: Define the authority string for password reset user flow
-
-1. First, create an object where you store your authority URIs:
-
- ```javascript
- const b2cPolicies = {
- names: {
- signUpSignIn: "b2c_1_susi",
- forgotPassword: "b2c_1_reset"
- },
- authorities: {
- signUpSignIn: {
- authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_susi",
- },
- forgotPassword: {
- authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_reset",
- },
- },
- }
- ```
-
-1. Next, initialize your MSAL object with the `signInSignUp` policy as default (see the preceding code snippet). When a user attempts to login, they're presented with the following screen:
-
- :::image type="content" source="media/msal-b2c-overview/user-journey-01-signin.png" alt-text="Sign-in screen displayed by Azure AD B2C":::
-
-### Step 2: Catch and handle authentication errors in your login method
-
-When a user selects **Forgot password**, your application throws an error which you should catch in your code, and then handle by presenting the appropriate user flow. In this case, the `b2c_1_reset` password reset flow.
-
-1. Extend your sign-in method as follows:
-
- ```javascript
- function signIn() {
- myMSALObj.loginPopup(loginRequest)
- .then(loginResponse => {
- console.log("id_token acquired at: " + new Date().toString());
-
- if (myMSALObj.getAccount()) {
- updateUI();
- }
-
- }).catch(function (error) {
- console.log(error);
-
- // error handling
- if (error.errorMessage) {
- // check for forgot password error
- if (error.errorMessage.indexOf("AADB2C90118") > -1) {
-
- //call login method again with the password reset user flow
- myMSALObj.loginPopup(b2cPolicies.authorities.forgotPassword)
- .then(loginResponse => {
- console.log(loginResponse);
- window.alert("Password has been reset successfully. \nPlease sign-in with your new password.");
- })
- }
- }
- });
- }
- ```
-
-1. The preceding code snippet shows you how to show the password reset screen after catching the error with the code `AADB2C90118`.
-
- After resetting their password, the user is returned back to the application to sign in again.
-
- :::image type="content" source="media/msal-b2c-overview/user-journey-02-password-reset.png" alt-text="Password reset flow screens showed by Azure AD B2C" border="false":::
-
- For more information about error codes and handling exceptions, see [MSAL error and exception codes](msal-error-handling-js.md).
+For more information, see: [Working with Azure AD B2C](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/working-with-b2c.md)
## Next steps
-Learn more about these Azure AD B2C concepts:
+Follow the tutorial on how to:
-- [User flows](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow)-- [Custom policies](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-custom-policy)-- [UX customization](../../active-directory-b2c/configure-user-input.md)
+- [Sign in users with Azure AD B2C in a single-page application](../../active-directory-b2c/tutorial-single-page-app.md)
+- [Call an Azure AD B2C protected web API](../../active-directory-b2c/tutorial-single-page-app-webapi.md)
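Review bot: the two new bullets on delegated permissions link to `https://review.docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent?branch=master#permission-types`, an internal review host with a `branch=master` query that public readers cannot open; replace both with the in-repo relative link `v2-permissions-and-consent.md#permission-types`. The absolute `https://docs.microsoft.com/azure/active-directory-b2c/...` links in the first paragraph of the new section should likewise be root-relative (`/azure/...`), which is the direction the other files in this update are moving. Two smaller points in the same section: "sign-in users" should be "sign in users" (verb), and the pair "Users **cannot** obtain tokens for Microsoft APIs ..." / "Users with administrator privileges **can** obtain tokens for Microsoft APIs ..." reads as a contradiction as written; state the first as the rule and the second as its exception. Finally, the deleted "Support password reset" section was the only place documenting that selecting **Forgot password** surfaces error `AADB2C90118`, which the app must catch to launch the reset user flow; confirm the linked msal-browser "Working with Azure AD B2C" doc covers that before relying on the link alone.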
active-directory Msal National Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-national-cloud.md
The following tutorials demonstrate how to build a .NET Core 2.2 MVC Web app. Th
To enable your MSAL.js application for sovereign clouds:
-### Step 1: Register your application
-
-1. Sign in to the <a href="https://portal.azure.us/" target="_blank">Azure portal</a>.
-
- To find Azure portal endpoints for other national clouds, see [App registration endpoints](authentication-national-cloud.md#app-registration-endpoints).
-
-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
-1. Search for and select **Azure Active Directory**.
-1. Under **Manage**, select **App registrations** > **New registration**.
-1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.
-1. Under **Supported account types**, select **Accounts in any organizational directory**.
-1. In the **Redirect URI** section, select the **Web** platform and set the value to the application's URL based on your web server. See the next sections for instructions on how to set and obtain the redirect URL in Visual Studio and Node.
-1. Select **Register**.
-1. On the **Overview** page, note down the **Application (client) ID** value for later use.
- This tutorial requires you to enable the [implicit grant flow](v2-oauth2-implicit-grant-flow.md).
-1. Under **Manage**, select **Authentication**.
-1. Under **Implicit grant and hybrid flows**, select **ID tokens** and **Access tokens**. ID tokens and access tokens are required because this app needs to sign in users and call an API.
-1. Select **Save**.
-
-### Step 2: Set up your web server or project
--- [Download the project files](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2/archive/quickstart.zip) for a local web server, such as Node.-
- or
--- [Download the Visual Studio project](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2/archive/vsquickstart.zip).
+- Register your application in a specific portal, depending on the cloud. For more information on how to choose the portal refer [App registration endpoints](authentication-national-cloud.md#app-registration-endpoints)
+- Use any of the [samples](https://github.com/Azure-Samples/ms-identity-javascript-tutorial) from the repo with a few changes to the configuration, depending on the cloud, which is mentioned next.
+- Use a specific authority, depending on the cloud you registered the application in. For more information on authorities for different clouds, refer to [Azure AD Authentication endpoints](authentication-national-cloud.md#azure-ad-authentication-endpoints).
+- Calling the Microsoft Graph API requires an endpoint URL specific to the cloud you are using. To find Microsoft Graph endpoints for all the national clouds, refer to [Microsoft Graph and Graph Explorer service root endpoints](/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints).
-Then skip to [Configure your JavaScript SPA](#step-4-configure-your-javascript-spa) to configure the code sample before running it.
+Here's an example authority:
-### Step 3: Use the Microsoft Authentication Library to sign in the user
+```json
+"authority": "https://login.microsoftonline.us/Enter_the_Tenant_Info_Here"
+```
-Follow steps in the [JavaScript tutorial](tutorial-v2-javascript-spa.md#create-your-project) to create your project and integrate with MSAL to sign in the user.
+Here's an example of a Microsoft Graph endpoint, with scope:
-### Step 4: Configure your JavaScript SPA
+```json
+"endpoint" : "https://graph.microsoft.us/v1.0/me"
+"scope": "User.Read"
+```
-In the `https://docsupdatetracker.net/index.html` file created during project setup, add the application registration information. Add the following code at the top within the `<script></script>` tags in the body of your `https://docsupdatetracker.net/index.html` file:
+Here's the minimal code for authenticating a user with a sovereign cloud and calling Microsoft Graph:
```javascript const msalConfig = {
- auth:{
- clientId: "Enter_the_Application_Id_here",
+ auth: {
+ clientId: "Enter_the_Application_Id_Here",
authority: "https://login.microsoftonline.us/Enter_the_Tenant_Info_Here",
- }
-}
-
-const graphConfig = {
- graphEndpoint: "https://graph.microsoft.us",
- graphScopes: ["user.read"],
+ redirectUri: "/",
+ }
+};
+
+// Initialize MSAL
+const msalObj = new PublicClientApplication(msalConfig);
+
+// Get token using popup experience
+try {
+ const graphToken = await msalObj.acquireTokenPopup({
+ scopes: ["User.Read"]
+ });
+} catch(error) {
+ console.log(error)
}
-// create UserAgentApplication instance
-const myMSALObj = new UserAgentApplication(msalConfig);
-```
-
-In that code:
+// Call the Graph API
+const headers = new Headers();
+const bearer = `Bearer ${graphToken}`;
-- `Enter_the_Application_Id_here` is the **Application (client) ID** value for the application that you registered.-- `Enter_the_Tenant_Info_Here` is set to one of the following options:
- - If your application supports **Accounts in this organizational directory**, replace this value with the tenant ID or tenant name (for example, contoso.microsoft.com).
- - If your application supports **Accounts in any organizational directory**, replace this value with `organizations`.
+headers.append("Authorization", bearer);
- To find authentication endpoints for all the national clouds, see [Azure AD authentication endpoints](./authentication-national-cloud.md#azure-ad-authentication-endpoints).
-
- > [!NOTE]
- > Personal Microsoft accounts are not supported in national clouds.
--- `graphEndpoint` is the Microsoft Graph endpoint for the Microsoft cloud for US government.
+fetch("https://graph.microsoft.us/v1.0/me", {
+ method: "GET",
+ headers: headers
+})
+```
- To find Microsoft Graph endpoints for all the national clouds, see [Microsoft Graph endpoints in national clouds](/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints).
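Review bot: the new sample has a scoping bug: `graphToken` is declared with `const` inside the `try` block and then read outside it in `const bearer = \`Bearer ${graphToken}\`;`, which throws a ReferenceError even when token acquisition succeeds, and when `acquireTokenPopup` rejects, the `catch` only logs and execution continues to call Graph with no token. Declare `let graphToken;` before the `try` (or move the `fetch` inside it) and return early on failure. Also: `PublicClientApplication` is used without an import or script reference to msal-browser, and a top-level `await` only works in a module, so either say so or wrap the code in an `async` function; the JSON fragment `"endpoint" : "https://graph.microsoft.us/v1.0/me"` / `"scope": "User.Read"` is missing the comma between the two members; and the deleted note "Personal Microsoft accounts are not supported in national clouds", together with the explanation of when `Enter_the_Tenant_Info_Here` is a tenant ID versus `organizations`, is worth keeping, because the new text never says what to put in that placeholder.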
## [Python](#tab/python)
active-directory Msal Node Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-node-migration.md
app.listen(3000, () => console.log(`listening on port 3000!`));
## Next steps - [MSAL Node API reference](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html)-- [MSAL Node Code samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/standalone-samples)
+- [MSAL Node Code samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples)
active-directory Quickstart Configure App Access Web Apis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-configure-app-access-web-apis.md
The **Grant admin consent** button is *disabled* if you aren't an admin or if no
Advance to the next quickstart in the series to learn how to configure which account types can access your application. For example, you might want to limit access only to those users in your organization (single-tenant) or allow users in other Azure AD tenants (multi-tenant) and those with personal Microsoft accounts (MSA). > [!div class="nextstepaction"]
-> [Modify the accounts supported by an application](quickstart-modify-supported-accounts.md)
+> [Modify the accounts supported by an application](./howto-modify-supported-accounts.md)
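Review bot: the link now targets `./howto-modify-supported-accounts.md`, but the unchanged sentence above still says "Advance to the next quickstart in the series"; since the target is now a how-to article rather than a quickstart, reword the lead-in (for example, "To learn how to configure which account types can access your application, see the following article").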
active-directory Quickstart V2 Angular https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-angular.md
In this quickstart, you download and run a code sample that demonstrates how an
> > Scroll down in the same file and update the `graphMeEndpoint`. > - Replace the string `Enter_the_Graph_Endpoint_Herev1.0/me` with `https://graph.microsoft.com/v1.0/me`
-> - `Enter_the_Graph_Endpoint_Herev1.0/me` is the endpoint that API calls will be made against. For the main (global) Microsoft Graph API service, enter `https://graph.microsoft.com/` (include the trailing forward-slash). For more information, see the [documentation](https://docs.microsoft.com/graph/deployments).
+> - `Enter_the_Graph_Endpoint_Herev1.0/me` is the endpoint that API calls will be made against. For the main (global) Microsoft Graph API service, enter `https://graph.microsoft.com/` (include the trailing forward-slash). For more information, see the [documentation](/graph/deployments).
> > > ```javascript
If you're using Node.js:
Learn how to sign in a user and acquire tokens in the Angular tutorial: > [!div class="nextstepaction"]
-> [Angular tutorial](./tutorial-v2-angular.md)
+> [Angular tutorial](./tutorial-v2-angular.md)
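Review bot: the two `graphMeEndpoint` bullets give conflicting replacement values: the unchanged line says replace `Enter_the_Graph_Endpoint_Herev1.0/me` with `https://graph.microsoft.com/v1.0/me`, while the edited line says to enter `https://graph.microsoft.com/` (with the trailing slash). Only the `Enter_the_Graph_Endpoint_Here` prefix is the placeholder and `v1.0/me` is literal, so make the second bullet refer to that prefix or fold it into the first. The `> [Angular tutorial](./tutorial-v2-angular.md)` line is removed and re-added unchanged (whitespace only).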
active-directory Quickstart V2 Javascript Auth Code React https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript-auth-code-react.md
In this quickstart, you download and run a code sample that demonstrates how a J
See [How the sample works](#how-the-sample-works) for an illustration.
-This quickstart uses MSAL React with the authorization code flow. For a similar quickstart that uses MSAL.js with the implicit flow, see [Quickstart: Sign in users in JavaScript single-page apps](./quickstart-v2-javascript.md).
- > [!IMPORTANT] > MSAL React [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
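Review bot: deleting the whole sentence also drops the statement that this quickstart uses MSAL React with the authorization code flow, which is the one line that tells a reader which flow the sample implements. If the intent is only to stop steering readers to the implicit-flow quickstart, keep the first clause ("This quickstart uses MSAL React with the authorization code flow.") and remove just the cross-reference.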
active-directory Quickstart V2 Javascript Auth Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript-auth-code.md
In this quickstart, you download and run a code sample that demonstrates how a J
See [How the sample works](#how-the-sample-works) for an illustration.
-This quickstart uses MSAL.js v2 with the authorization code flow. For a similar quickstart that uses MSAL.js v1 with the implicit flow, see [Quickstart: Sign in users in JavaScript single-page apps](./quickstart-v2-javascript.md).
- ## Prerequisites * Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)
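Review bot: removing the sentence removes the note that this sample uses MSAL.js v2 with the authorization code flow, which is what distinguishes it from the MSAL.js v1 quickstart; keep "This quickstart uses MSAL.js v2 with the authorization code flow." and drop only the "For a similar quickstart that uses MSAL.js v1 with the implicit flow" cross-reference if that is the goal.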
active-directory Quickstart V2 Javascript https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript.md
myMSALObj.acquireTokenPopup(requestObj)
For a more detailed step-by-step guide on building the application for this quickstart, see: > [!div class="nextstepaction"]
-> [Tutorial: Sign in users and call the Microsoft Graph API from a JavaScript single-page application (SPA)](tutorial-v2-javascript-spa.md)
+> [Tutorial: Sign in users and call the Microsoft Graph API from a JavaScript single-page application (SPA)](tutorial-v2-javascript-spa.md)
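Review bot: the `> [Tutorial: Sign in users and call the Microsoft Graph API ...]` line is removed and re-added with no visible difference, so this change is trailing whitespace or a final newline only; acceptable, but confirm nothing else was intended for this file.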
active-directory Reference Aadsts Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/reference-aadsts-error-codes.md
For example, if you received the error code "AADSTS50058" then do a search in [h
| AADSTS67003 | ActorNotValidServiceIdentity | | AADSTS70000 | InvalidGrant - Authentication failed. The refresh token is not valid. Error may be due to the following reasons:<ul><li>Token binding header is empty</li><li>Token binding hash does not match</li></ul> | | AADSTS70001 | UnauthorizedClient - The application is disabled. To learn more, see the troubleshooting article for error [AADSTS70001](/troubleshoot/azure/active-directory/error-code-aadsts70001-app-not-found-in-directory). |
-| AADSTS70002 | InvalidClient - Error validating the credentials. The specified client_secret does not match the expected value for this client. Correct the client_secret and try again. For more info, see [Use the authorization code to request an access token](v2-oauth2-auth-code-flow.md#request-an-access-token). |
+| AADSTS70002 | InvalidClient - Error validating the credentials. The specified client_secret does not match the expected value for this client. Correct the client_secret and try again. For more info, see [Use the authorization code to request an access token](v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token). |
| AADSTS70003 | UnsupportedGrantType - The app returned an unsupported grant type. | | AADSTS70004 | InvalidRedirectUri - The app returned an invalid redirect URI. The redirect address specified by the client does not match any configured addresses or any addresses on the OIDC approve list. | | AADSTS70005 | UnsupportedResponseType - The app returned an unsupported response type due to the following reasons:<ul><li>response type 'token' is not enabled for the app</li><li>response type 'id_token' requires the 'OpenID' scope -contains an unsupported OAuth parameter value in the encoded wctx</li></ul> |
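Review bot: the AADSTS70002 anchor now points to `#redeem-a-code-for-an-access-token`, but the link text still reads "Use the authorization code to request an access token"; update the text to match the target heading ("Redeem a code for an access token") so readers can locate the section. In the surrounding context, the AADSTS70005 row has the fragment "-contains an unsupported OAuth parameter value in the encoded wctx" glued to the previous list item, which looks like a lost `<li>`; worth fixing in the same pass.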
active-directory Reference Saml Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/reference-saml-tokens.md
The Microsoft identity platform emits several types of security tokens in the pr
> |Authentication Method | `amr` |Identifies how the subject of the token was authenticated. | `<AuthnContextClassRef>`<br>`http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod/password`<br>`</AuthnContextClassRef>` | > |First Name | `given_name` |Provides the first or "given" name of the user, as set on the Azure AD user object. | `<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">`<br>`<AttributeValue>Frank<AttributeValue>` | > |Groups | `groups` |Provides object IDs that represent the subject's group memberships. These values are unique (see Object ID) and can be safely used for managing access, such as enforcing authorization to access a resource. The groups included in the groups claim are configured on a per-application basis, through the "groupMembershipClaims" property of the application manifest. A value of null will exclude all groups, a value of "SecurityGroup" will include only Active Directory Security Group memberships, and a value of "All" will include both Security Groups and Microsoft 365 Distribution Lists. <br><br> **Notes**: <br> If the number of groups the user is in goes over a limit (150 for SAML, 200 for JWT) then an overage claim will be added the claim sources pointing at the Graph endpoint containing the list of groups for the user. | `<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">`<br>`<AttributeValue>07dd8a60-bf6d-4e17-8844-230b77145381</AttributeValue>` |
-> | Groups Overage Indicator | `groups:src1` | For token requests that are not length-limited but still too large for the token, a link to the full groups list for the user will be included. For SAML this is added as a new claim in place of the `groups` claim. <br><br> **Notes**: <br> The Azure AD Graph API is being replaced by the Microsoft Graph API. To learn more about the equivalent endpoint, see [user: getMemberObjects](https://docs.microsoft.com/graph/api/user-getmemberobjects). | `<Attribute Name=" http://schemas.microsoft.com/claims/groups.link">`<br>`<AttributeValue>https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects<AttributeValue>` |
+> | Groups Overage Indicator | `groups:src1` | For token requests that are not length-limited but still too large for the token, a link to the full groups list for the user will be included. For SAML this is added as a new claim in place of the `groups` claim. <br><br> **Notes**: <br> The Azure AD Graph API is being replaced by the Microsoft Graph API. To learn more about the equivalent endpoint, see [user: getMemberObjects](/graph/api/user-getmemberobjects). | `<Attribute Name=" http://schemas.microsoft.com/claims/groups.link">`<br>`<AttributeValue>https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects<AttributeValue>` |
> |Identity Provider | `idp` |Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account is in a different tenant than the issuer. | `<Attribute Name=" http://schemas.microsoft.com/identity/claims/identityprovider">`<br>`<AttributeValue>https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/<AttributeValue>` | > |IssuedAt | `iat` |Stores the time at which the token was issued. It is often used to measure token freshness. | `<Assertion ID="_d5ec7a9b-8d8f-4b44-8c94-9812612142be" IssueInstant="2014-01-06T20:20:23.085Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">` | > |Issuer | `iss` |Identifies the security token service (STS) that constructs and returns the token. In the tokens that Azure AD returns, the issuer is sts.windows.net. The GUID in the Issuer claim value is the tenant ID of the Azure AD directory. The tenant ID is an immutable and reliable identifier of the directory. | `<Issuer>https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/</Issuer>` |
This is a sample of a typical SAML token.
* To learn more about managing token lifetime policy using the Microsoft Graph API, see the [Azure AD policy resource overview](/graph/api/resources/policy). * Add [custom and optional claims](active-directory-optional-claims.md) to the tokens for your application. * Use [Single Sign-On (SSO) with SAML](single-sign-on-saml-protocol.md).
-* Use the [Azure Single Sign-Out SAML protocol](single-sign-out-saml-protocol.md)
+* Use the [Azure Single Sign-Out SAML protocol](single-sign-out-saml-protocol.md)
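Review bot: since the Groups Overage Indicator row is being edited anyway, fix the malformed example in its last column: `<AttributeValue>https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects<AttributeValue>` lacks the slash on the closing tag (`</AttributeValue>`), and `Name=" http://schemas.microsoft.com/claims/groups.link"` has a leading space inside the quotes. The First Name (`<AttributeValue>Frank<AttributeValue>`) and Identity Provider rows in the surrounding context have the same closing-tag typo. The link change to `/graph/api/user-getmemberobjects` itself is fine.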
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md
These samples show how to write a single-page application secured with Microsoft
| Platform | Description | Link | | -- | | -- |
-| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core) | SPA calls Microsoft Graph |[javascript-graphapi-v2](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2) |
| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls Microsoft Graph using Auth Code Flow w/ PKCE |[javascript-v2](https://github.com/Azure-Samples/ms-identity-javascript-v2) |
-| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core) | SPA calls B2C |[b2c-javascript-msal-singlepageapp](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp) |
| ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls B2C using Auth Code Flow w/PKCE |[b2c-javascript-spa](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) | | ![This image shows the JavaScript logo](media/sample-v2-code/logo_js.png) [JavaScript (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser) | SPA calls custom web API which in turn calls Microsoft Graph | [ms-identity-javascript-tutorial-chapter4-obo](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph) | | ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls Microsoft Graph | [active-directory-javascript-singlepageapp-angular](https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-angular) | | ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls Microsoft Graph using Auth Code Flow w/ PKCE | [ms-identity-javascript-angular-spa](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa) |
-| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls custom Web API | [ms-identity-javascript-angular-spa-aspnetcore-webapi](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular)| SPA calls custom web API | [ms-identity-javascript-angular-spa-aspnetcore-webapi](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi) |
| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | SPA calls B2C |[active-directory-b2c-javascript-angular-spa](https://github.com/Azure-Samples/active-directory-b2c-javascript-angular-spa) |
-| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | SPA calls custom Web API with App Roles and Security Groups |[ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups) |
+| ![This image shows the Angular logo](media/sample-v2-code/logo_angular.png) [Angular (MSAL Angular 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular) | SPA calls custom web API with App Roles and Security Groups |[ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups) |
| ![This image shows the React logo](media/sample-v2-code/logo_react.png) [React (MSAL React)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react)| SPA calls Microsoft Graph using Auth Code Flow w/ PKCE | [ms-identity-javascript-react-spa](https://github.com/Azure-Samples/ms-identity-javascript-react-spa) | | ![This image shows the React logo](media/sample-v2-code/logo_react.png) [React (MSAL React)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react)| SPA calls custom web API | [ms-identity-javascript-react-tutorial](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api) | | ![This image shows the React logo](media/sample-v2-code/logo_react.png) [React (MSAL.js 2.0)](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-core)| SPA calls custom Web API which in turn calls Microsoft Graph | [ms-identity-javascript-react-spa-dotnetcore-webapi-obo](https://github.com/Azure-Samples/ms-identity-javascript-react-spa-dotnetcore-webapi-obo) |
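Review bot: the last React row still reads "SPA calls custom Web API which in turn calls Microsoft Graph" while this change lowercases "custom web API" in the Angular rows; apply the same casing here and in the MSAL.js 2.0 row "SPA calls custom web API which in turn calls Microsoft Graph". Separately, the "React (MSAL.js 2.0)" row links to `lib/msal-core`, whereas every other MSAL.js 2.0 row in the table links to `lib/msal-browser`; msal-core is the 1.x library, so the link should be corrected to match the label.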
active-directory Scenario Daemon Production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-daemon-production.md
You'll need to explain to your customers how to perform these operations. For mo
- Reference documentation for: - Instantiating [ConfidentialClientApplication](/dotnet/api/microsoft.identity.client.confidentialclientapplicationbuilder).
- - Calling [AcquireTokenForClient](/dotnet/api/microsoft.identity.client.acquiretokenforclientparameterbuilder).
+ - Calling [AcquireTokenForClient](/dotnet/api/microsoft.identity.client.acquiretokenforclientparameterbuilder?view=azure-dotnet&preserve-view=true).
- Other samples/tutorials: - [microsoft-identity-platform-console-daemon](https://github.com/Azure-Samples/microsoft-identity-platform-console-daemon) features a small .NET Core daemon console application that displays the users of a tenant querying Microsoft Graph.
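Review bot: the view pin (`?view=azure-dotnet&preserve-view=true`) is added only to the AcquireTokenForClient link; the ConfidentialClientApplication reference two lines above points at `confidentialclientapplicationbuilder` without the pin, so the two references can resolve to different API versions. Apply the same query string to that link (and consider linking the ConfidentialClientApplication page itself, since the text says "Instantiating ConfidentialClientApplication").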
active-directory Scenario Desktop Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token.md
The class defines the following constants:
- ``SelectAccount`` forces the STS to present the account selection dialog box that contains accounts for which the user has a session. This option is useful when application developers want to let users choose among different identities. This option drives MSAL to send ``prompt=select_account`` to the identity provider. This option is the default. It does a good job of providing the best possible experience based on the available information, such as account and presence of a session for the user. Don't change it unless you have good reason to do it. - ``Consent`` enables the application developer to force the user to be prompted for consent, even if consent was granted before. In this case, MSAL sends `prompt=consent` to the identity provider. This option can be used in some security-focused applications where the organization governance demands that the user is presented with the consent dialog box each time the application is used. - ``ForceLogin`` enables the application developer to have the user prompted for credentials by the service, even if this user prompt might not be needed. This option can be useful to let the user sign in again if acquiring a token fails. In this case, MSAL sends `prompt=login` to the identity provider. Sometimes it's used in security-focused applications where the organization governance demands that the user re-signs in each time they access specific parts of an application.-- ``Create`` triggers a sign-up experience, which is used for External Identities, by sending `prompt=create` to the identity provider. This prompt should not be sent for Azure AD B2C apps. For more information, see [Add a self-service sign-up user flow to an app](https://aka.ms/msal-net-prompt-create).
+- ``Create`` triggers a sign-up experience, which is used for External Identities, by sending `prompt=create` to the identity provider. This prompt should not be sent for Azure AD B2C apps. For more information, see [Add a self-service sign-up user flow to an app](../external-identities/self-service-sign-up-user-flow.md).
- ``Never`` (for .NET 4.5 and WinRT only) won't prompt the user, but instead tries to use the cookie stored in the hidden embedded web view. For more information, see web views in MSAL.NET. Using this option might fail. In that case, `AcquireTokenInteractive` throws an exception to notify that a UI interaction is needed. You'll need to use another `Prompt` parameter. - ``NoPrompt`` won't send any prompt to the identity provider. This option is useful only for Azure Active Directory (Azure AD) B2C edit profile policies. For more information, see [Azure AD B2C specifics](https://aka.ms/msal-net-b2c-specificities).
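Review bot: this hunk replaces the `Create` bullet's aka.ms redirector with a relative link, but the `NoPrompt` bullet still uses `https://aka.ms/msal-net-b2c-specificities` and the `Never` bullet says "see web views in MSAL.NET" with no link at all; make the three bullets consistent. The `Create` bullet's caveat "This prompt should not be sent for Azure AD B2C apps" would also be more useful if it said what happens when it is sent (rejected request vs. ignored parameter), since developers will otherwise only find out in production.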
namespace CommonCacheMsalV3
## Next steps Move on to the next article in this scenario,
-[Call a web API from the desktop app](scenario-desktop-call-api.md).
+[Call a web API from the desktop app](scenario-desktop-call-api.md).
active-directory Scenario Spa App Registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-app-registration.md
Follow these steps to add a redirect URI for a single-page app that uses MSAL.js
You've now completed the registration of your single-page application (SPA) and configured a redirect URI to which the client will be redirected and any security tokens will be sent. By selecting one or both of **ID tokens** and **Access tokens**, you've enabled the implicit grant flow.
-Follow the [tutorial](tutorial-v2-javascript-spa.md) for further guidance.
- ## Note about authorization flows By default, an app registration created by using single-page application platform configuration enables the authorization code flow. To take advantage of this flow, your application must use MSAL.js 2.0 or later.
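Review bot: the "Follow the tutorial" link is removed with no replacement, and the preceding paragraph still ends by telling the reader that selecting **ID tokens** / **Access tokens** "enabled the implicit grant flow", which contradicts the note that a single-page application platform registration uses the authorization code flow by default. Since scenario-spa-production.md in this same change set now points to `tutorial-v2-javascript-auth-code.md`, link that tutorial here too, and reword the implicit-grant sentence so that ticking those boxes is presented as the legacy MSAL.js 1.x path rather than the expected outcome of registration.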
active-directory Scenario Spa Production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-production.md
These code samples demonstrate several key operations for a single-page app.
- [Node.js Web API (Azure AD](https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2): How to validate access tokens for your back-end web API (Node.js) by using **passport-azure-ad**. -- [SPA with Azure AD B2C](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp): How to use **MSAL.js** to sign in users in an app that's registered with **Azure Active Directory B2C** (Azure AD B2C).
+- [SPA with Azure AD B2C](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa): How to use **MSAL.js** to sign in users in an app that's registered with **Azure Active Directory B2C** (Azure AD B2C).
-- [Node.js Web API (Azure AD B2C)](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi): How to use **passport-azure-ad** to validate access tokens for apps registered with **Azure Active Directory B2C** (Azure AD B2C).
+- [Node.js web API (Azure AD B2C)](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi): How to use **passport-azure-ad** to validate access tokens for apps registered with **Azure Active Directory B2C** (Azure AD B2C).
## Next steps -- [JavaScript SPA tutorial](./tutorial-v2-javascript-spa.md): Deep dive to how to sign in users and get an access token to call the **Microsoft Graph API** by using **MSAL.js**.
+- [JavaScript SPA tutorial](./tutorial-v2-javascript-auth-code.md): Deep dive to how to sign in users and get an access token to call the **Microsoft Graph API** by using **MSAL.js**.
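Review bot: the unchanged first bullet has an unbalanced parenthesis in its link text, "[Node.js Web API (Azure AD]", and keeps "Web API" capitalized while this change lowercases it in the B2C bullet; fix both while touching the list. The new B2C sample link now points at `ms-identity-b2c-javascript-spa`, which the sample table earlier in this change set describes as MSAL.js 2.0 with "Auth Code Flow w/PKCE"; saying so in this bullet (instead of just "MSAL.js") tells readers the replacement sample no longer uses the implicit flow.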
active-directory Scenario Web App Sign User Production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-sign-user-production.md
This progressive tutorial has production-ready code for a web app, including how
Learn more about the Node.js web in this tutorial:
-[Tutorial: Sign-in users in a Node.js & Express web app](https://docs.microsoft.com/azure/active-directory/develop/tutorial-v2-nodejs-webapp-msal)
+[Tutorial: Sign-in users in a Node.js & Express web app](./tutorial-v2-nodejs-webapp-msal.md)
## Sample code: Java web app
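Review bot: the context line "Learn more about the Node.js web in this tutorial:" is missing the word "app" ("Node.js web app"); worth fixing in the same commit that converts the link below it.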
active-directory Tutorial V2 Aspnet Daemon Web App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md
Visual Studio will publish the project and automatically open a browser to the p
1. Add the same URL in the list of values of the **Authentication** > **Redirect URIs** menu. If you have multiple redirect URLs, make sure that there's a new entry that uses the app service's URI for each redirect URL. ## Clean up resources
-When no longer needed, delete the app object that you created in the [Register your application](#register-your-application) step. To remove the application, follow the instructions in [Remove an application authored by you or your organization](quickstart-remove-app.md#remove-an-application-authored-by-you-or-your-organization).
+When no longer needed, delete the app object that you created in the [Register your application](#register-your-application) step. To remove the application, follow the instructions in [Remove an application authored by you or your organization](./howto-remove-app.md#remove-an-application-authored-by-you-or-your-organization).
## Get help
active-directory Tutorial V2 Javascript Auth Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-javascript-auth-code.md
The `acquireTokenSilent` method handles token acquisition and renewal without an
1. Visually indicate to the user that an interactive sign-in is required so the user can select the right time to sign in, or the application can retry `acquireTokenSilent` at a later time. This technique is commonly used when the user can use other functionality of the application without being disrupted. For example, there might be unauthenticated content available in the application. In this situation, the user can decide when they want to sign in to access the protected resource, or to refresh the outdated information. > [!NOTE]
-> This tutorial uses the `loginPopup` and `acquireTokenPopup` methods by default. If you're using Internet Explorer, we recommend that you use the `loginRedirect` and `acquireTokenRedirect` methods due to a [known issue](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Known-issues-on-IE-and-Edge-Browser#issues) with Internet Explorer and pop-up windows. For an example of achieving the same result by using redirect methods, see [*authRedirect.js*](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2/blob/quickstart/JavaScriptSPA/authRedirect.js) on GitHub.
+> This tutorial uses the `loginPopup` and `acquireTokenPopup` methods by default. If you're using Internet Explorer, we recommend that you use the `loginRedirect` and `acquireTokenRedirect` methods due to a [known issue](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Known-issues-on-IE-and-Edge-Browser#issues) with Internet Explorer and pop-up windows. For an example of achieving the same result by using redirect methods, see [*authRedirect.js*](https://github.com/Azure-Samples/ms-identity-javascript-v2/blob/master/app/authRedirect.js) on GitHub.
## Call the Microsoft Graph API
active-directory Tutorial V2 Javascript Spa https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-javascript-spa.md
The Microsoft Graph API requires the *user.read* scope to read a user's profile.
Delve deeper into single-page application (SPA) development on the Microsoft identity platform in our the multi-part scenario series. > [!div class="nextstepaction"]
-> [Scenario: Single-page application](scenario-spa-overview.md)
+> [Scenario: Single-page application](scenario-spa-overview.md)
active-directory V2 Conditional Access Dev Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-conditional-access-dev-guide.md
If the app is using the MSAL library, a failure to acquire the token is always r
## Scenario: Single-page app (SPA) using MSAL.js
-In this scenario, we walk through the case when we have a single-page app (SPA), using MSAL.js to call a Conditional Access protected web API. This is a simple architecture but has some nuances that need to be taken into account when developing around Conditional Access.
+In this scenario, we walk through the case when we have a single-page app (SPA) calling a Conditional Access protected web API using MSAL.js. This is a simple architecture but has some nuances that need to be taken into account when developing around Conditional Access.
-In MSAL.js, there are a few functions that obtain tokens: `loginPopup()`, `acquireTokenSilent(...)`, `acquireTokenPopup(…)`, and `acquireTokenRedirect(…)`.
+In MSAL.js, there are a few functions that obtain tokens: `acquireTokenSilent()`, `acquireTokenPopup()`, and `acquireTokenRedirect()`.
-* `loginPopup()` obtains an ID token through an interactive sign-in request but does not obtain access tokens for any service (including a Conditional Access protected web API).
-* `acquireTokenSilent(…)` can then be used to silently obtain an access token meaning it does not show UI in any circumstance.
-* `acquireTokenPopup(…)` and `acquireTokenRedirect(…)` are both used to interactively request a token for a resource meaning they always show sign-in UI.
+* `acquireTokenSilent()` can be used to silently obtain an access token meaning it does not show UI in any circumstance.
+* `acquireTokenPopup()` and `acquireTokenRedirect()` are both used to interactively request a token for a resource meaning they always show sign-in UI.
-When an app needs an access token to call a web API, it attempts an `acquireTokenSilent(…)`. If the token session is expired or we need to comply with a Conditional Access policy, then the *acquireToken* function fails and the app uses `acquireTokenPopup()` or `acquireTokenRedirect()`.
+When an app needs an access token to call a web API, it attempts an `acquireTokenSilent()`. If the token is expired or we need to comply with a Conditional Access policy, then the *acquireToken* function fails and the app uses `acquireTokenPopup()` or `acquireTokenRedirect()`.
![Single-page app using MSAL flow diagram](./media/v2-conditional-access-dev-guide/spa-using-msal-scenario.png)
error_description=AADSTS50076: Due to a configuration change made by your admini
Our app needs to catch the `error=interaction_required`. The application can then use either `acquireTokenPopup()` or `acquireTokenRedirect()` on the same resource. The user is forced to do a multi-factor authentication. After the user completes the multi-factor authentication, the app is issued a fresh access token for the requested resource.
-To try out this scenario, see our [JS SPA On-behalf-of code sample](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/a2b257381b410c765ee01ecb611aa6f98c099eb1/2.%20Web%20API%20now%20calls%20Microsoft%20Graph/README.md). This code sample uses the Conditional Access policy and web API you registered earlier with a JS SPA to demonstrate this scenario. It shows how to properly handle the claims challenge and get an access token that can be used for your web API. Alternatively, checkout the general [Angular.js code sample](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2) for guidance on an Angular SPA
+To try out this scenario, see our [JavaScript SPA calling Node.js web API using on-behalf-of flow](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/2-call-api-api-ca) code sample. This code sample uses the Conditional Access policy and web API you registered earlier with a JavaScript SPA to demonstrate this scenario. It shows how to properly handle the claims challenge and get an access token that can be used for your web API.
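Review bot: the rewritten sentence "If the token is expired or we need to comply with a Conditional Access policy, then the *acquireToken* function fails" is misleading: `acquireTokenSilent()` renews an expired access token silently, so expiry alone does not fail; the call fails when silent renewal cannot satisfy the request, which is the Conditional Access case this section is about. Suggest "If the token cannot be renewed silently, for example because a Conditional Access policy requires interaction". Also, since the new sample is described as showing how to "properly handle the claims challenge", the paragraph above should say that the `claims` value from the `interaction_required` error is passed to the `acquireTokenPopup()` / `acquireTokenRedirect()` call; retrying interactively without it may not trigger the required step-up.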
## See also
active-directory V2 Oauth2 Auth Code Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-auth-code-flow.md
code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
| `id_token` | An ID token for the user, issued via *implicit grant*. Contains a special `c_hash` claim that is the hash of the `code` in the same request. | | `state` | If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |
-## Request an access token
+## Redeem a code for an access token
+
+All confidential clients have a choice of using client secrets (symmetric shared secrets generated by the Microsoft identity platform) and [certificate credentials](active-directory-certificate-credentials.md)(asymmetric keys uploaded by the developer). For best security, we recommend using certificate credentials. Public clients (native applications and single page apps) must not use secrets or certificates when redeeming an authorization code - always ensure that your redirect URIs correctly indicate the type of application and [are unique](reply-url.md#localhost-exceptions).
+
+### Request an access token with a client_secret
Now that you've acquired an authorization_code and have been granted permission by the user, you can redeem the `code` for an `access_token` to the desired resource. Do this by sending a `POST` request to the `/token` endpoint:
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
||-|-| | `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). | | `client_id` | required | The Application (client) ID that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |
-| `grant_type` | required | Must be `authorization_code` for the authorization code flow. |
| `scope` | optional | A space-separated list of scopes. The scopes must all be from a single resource, along with OIDC scopes (`profile`, `openid`, `email`). For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). This is a Microsoft extension to the authorization code flow, intended to allow apps to declare the resource they want the token for during token redemption.| | `code` | required | The authorization_code that you acquired in the first leg of the flow. | | `redirect_uri` | required | The same redirect_uri value that was used to acquire the authorization_code. |
+| `grant_type` | required | Must be `authorization_code` for the authorization code flow. |
+| `code_verifier` | recommended | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). |
| `client_secret` | required for confidential web apps | The application secret that you created in the app registration portal for your app. You shouldn't use the application secret in a native app or single page app because client_secrets can't be reliably stored on devices or web pages. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. Like all parameters discussed here, the client secret must be URL-encoded before being sent, a step usually performed by the SDK. For more information on uri encoding, see the [URI Generic Syntax specification](https://tools.ietf.org/html/rfc3986#page-12). |+
+### Request an access token with a certificate credential
+
+```HTTP
+POST /{tenant}/oauth2/v2.0/token HTTP/1.1 // Line breaks for clarity
+Host: login.microsoftonline.com
+Content-Type: application/x-www-form-urlencoded
+
+client_id=6731de76-14a6-49ae-97bc-6eba6914391e
+&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
+&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
+&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
+&grant_type=authorization_code
+&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
+&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
+&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg
+```
+
+| Parameter | Required/optional | Description |
+||-|-|
+| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). |
+| `client_id` | required | The Application (client) ID that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |
+| `scope` | optional | A space-separated list of scopes. The scopes must all be from a single resource, along with OIDC scopes (`profile`, `openid`, `email`). For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). This is a Microsoft extension to the authorization code flow, intended to allow apps to declare the resource they want the token for during token redemption.|
+| `code` | required | The authorization_code that you acquired in the first leg of the flow. |
+| `redirect_uri` | required | The same redirect_uri value that was used to acquire the authorization_code. |
+| `grant_type` | required | Must be `authorization_code` for the authorization code flow. |
| `code_verifier` | recommended | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). |
+| `client_assertion_type` | required for confidential web apps | The value must be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` in order to use a certificate credential. |
+| `client_assertion` | required for confidential web apps | An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. Read about [certificate credentials](active-directory-certificate-credentials.md) to learn how to register your certificate and the format of the assertion.|
+
+Notice that the parameters are same as in the case of the request by shared secret except that the `client_secret` parameter is replaced by two parameters: a `client_assertion_type` and `client_assertion`.
### Successful response
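Review bot: the new intro paragraph has a grammar slip and a missing space: "a choice of using client secrets (...) and [certificate credentials](active-directory-certificate-credentials.md)(asymmetric keys ...)" should read "a choice between client secrets (...) and [certificate credentials](...) (asymmetric keys ...)". More important for the security recommendation it makes: the `client_assertion` row says the JWT is signed "with the certificate you registered"; signing is done with the certificate's private key, and the reason certificate credentials are preferred is that only the public certificate is uploaded while the private key never leaves the client. Stating that explicitly (here or in the intro paragraph) prevents readers treating the certificate as a bearer secret to be copied around like a `client_secret`. Minor: the `code_verifier` row in the new table appears as an unchanged line between two added lines, so check the table renders with the row in the intended position.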
Error responses will look like:
| `invalid_client` | Client authentication failed. | The client credentials aren't valid. To fix, the application administrator updates the credentials. | | `unsupported_grant_type` | The authorization server does not support the authorization grant type. | Change the grant type in the request. This type of error should occur only during development and be detected during initial testing. | | `invalid_resource` | The target resource is invalid because it does not exist, Azure AD can't find it, or it's not correctly configured. | This indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |
-| `interaction_required` | Non-standard, as the OIDC specification calls for this only on the `/authorize` endpoint.The request requires user interaction. For example, an additional authentication step is required. | Retry the `/authorize` request with the same scopes. |
+| `interaction_required` | Non-standard, as the OIDC specification calls for this only on the `/authorize` endpoint. The request requires user interaction. For example, an additional authentication step is required. | Retry the `/authorize` request with the same scopes. |
| `temporarily_unavailable` | The server is temporarily too busy to handle the request. | Retry the request after a small delay. The client application might explain to the user that its response is delayed because of a temporary condition. | |`consent_required` | The request requires user consent. This error is non-standard, as it's usually only returned on the `/authorize` endpoint per OIDC specifications. Returned when a `scope` parameter was used on the code redemption flow that the client app does not have permission to request. | The client should send the user back to the `/authorize` endpoint with the correct scope in order to trigger consent. | |`invalid_scope` | The scope requested by the app is invalid. | Update the value of the scope parameter in the authentication request to a valid value. |
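Review bot: the `interaction_required` fix ("Retry the `/authorize` request with the same scopes") and the `consent_required` fix ("send the user back to the `/authorize` endpoint with the correct scope") read as contradictory at a glance; a short clarifier that `interaction_required` means the user must complete a step-up (for example MFA) for scopes they already hold, while `consent_required` means the `scope` used at redemption was never consented to, would make the distinction usable.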
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZn
Access_tokens are short lived, and you must refresh them after they expire to continue accessing resources. You can do so by submitting another `POST` request to the `/token` endpoint, this time providing the `refresh_token` instead of the `code`. Refresh tokens are valid for all permissions that your client has already received consent for - thus, a refresh token issued on a request for `scope=mail.read` can be used to request a new access token for `scope=api://contoso.com/api/UseResource`.
-Refresh tokens for web apps and native apps do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle [errors returned by the token issuance endpoint](#error-codes-for-token-endpoint-errors) correctly. Single page apps, however, get a token with a 24 hour lifetime, requiring a new authentication every day. This can be done silently in an iframe when 3rd party cookies are enabled, but must be done in a top level frame (either full page navigation or a popup) in browsers without 3rd party cookies such as Safari.
+Refresh tokens for web apps and native apps do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. Your application needs to expect and handle [errors returned by the token issuance endpoint](#error-codes-for-token-endpoint-errors) correctly. Single page apps, however, get a token with a 24-hour lifetime, requiring a new authentication every day. This can be done silently in an iframe when 3rd party cookies are enabled, but must be done in a top-level frame (either full page navigation or a popup) in browsers without 3rd party cookies such as Safari.
Although refresh tokens aren't revoked when used to acquire new access tokens, you are expected to discard the old refresh token. The [OAuth 2.0 spec](https://tools.ietf.org/html/rfc6749#section-6) says: "The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client."
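Review bot: "Single page apps, however, get a token with a 24-hour lifetime" is ambiguous in a paragraph about refresh tokens; say "refresh token" explicitly so it is not read as the access token lifetime. While the hunk is hyphenating "24-hour" and "top-level", also normalize "3rd party cookies" to "third-party cookies" in the same sentence, and "Single page apps" to "Single-page apps" to match the rest of the article.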
active-directory V2 Oauth2 On Behalf Of Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
The response contains a SAML token encoded in UTF8 and Base64url.
- **SubjectConfirmationData for a SAML assertion sourced from an OBO call**: If the target application requires a recipient value in **SubjectConfirmationData**, then the value must be a non-wildcard Reply URL in the resource application configuration. - **The SubjectConfirmationData node**: The node can't contain an **InResponseTo** attribute since it's not part of a SAML response. The application receiving the SAML token must be able to accept the SAML assertion without an **InResponseTo** attribute. -- **Consent**: Consent must have been granted to receive a SAML token containing user data on an OAuth flow. For information on permissions and obtaining administrator consent, see [Permissions and consent in the Azure Active Directory v1.0 endpoint](https://docs.microsoft.com/azure/active-directory/azuread-dev/v1-permissions-consent).
+- **Consent**: Consent must have been granted to receive a SAML token containing user data on an OAuth flow. For information on permissions and obtaining administrator consent, see [Permissions and consent in the Azure Active Directory v1.0 endpoint](../azuread-dev/v1-permissions-consent.md).
### Response with SAML assertion
Learn more about the OAuth 2.0 protocol and another way to perform service to se
* [OAuth 2.0 client credentials grant in Microsoft identity platform](v2-oauth2-client-creds-grant-flow.md) * [OAuth 2.0 code flow in Microsoft identity platform](v2-oauth2-auth-code-flow.md)
-* [Using the `/.default` scope](v2-permissions-and-consent.md#the-default-scope)
+* [Using the `/.default` scope](v2-permissions-and-consent.md#the-default-scope)
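Review bot: the **Consent** bullet in this v2.0 on-behalf-of article is converted to a relative link but still sends readers to the v1.0 permissions-and-consent page (`../azuread-dev/v1-permissions-consent.md`); the article's own "See also" list already links `v2-permissions-and-consent.md`, so the bullet should point there unless the SAML-assertion consent behavior is genuinely v1.0-specific, in which case say so.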
active-directory V2 Protocols Oidc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-protocols-oidc.md
error=access_denied&error_description=the+user+canceled+the+authentication
For a description of possible error codes and recommended client responses, see [Error codes for authorization endpoint errors](#error-codes-for-authorization-endpoint-errors).
-When you have an authorization code and an ID token, you can sign the user in and get access tokens on their behalf. To sign the user in, you must validate the ID token [exactly as described](id-tokens.md#validating-an-id_token). To get access tokens, follow the steps described in [OAuth code flow documentation](v2-oauth2-auth-code-flow.md#request-an-access-token).
+When you have an authorization code and an ID token, you can sign the user in and get access tokens on their behalf. To sign the user in, you must validate the ID token [exactly as described](id-tokens.md#validating-an-id_token). To get access tokens, follow the steps described in [OAuth code flow documentation](v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token).
### Calling the UserInfo endpoint
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/whats-new-docs.md
Welcome to what's new in the Microsoft identity platform documentation. This art
### New articles -- [Restore or remove a recently deleted application with the Microsoft identity platform](quickstart-restore-app.md)
+- [Restore or remove a recently deleted application with the Microsoft identity platform](./howto-restore-app.md)
### Updated articles
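Review bot: the link target is renamed from quickstart-restore-app.md to howto-restore-app.md here, and the same rename appears again in the whats-new.md entry for deleted app registrations further down; make sure a redirect from the old quickstart-restore-app path is in place, because external links and bookmarks to the quickstart URL will otherwise break even though both in-repo references are updated.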
Welcome to what's new in the Microsoft identity platform documentation. This art
- [Configurable token lifetimes in Microsoft identity platform (preview)](active-directory-configurable-token-lifetimes.md) - [Configure token lifetime policies (preview)](configure-token-lifetimes.md) - [Microsoft identity platform authentication libraries](reference-v2-libraries.md)-- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)
+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)
active-directory Azureadjoin Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/azureadjoin-plan.md
Select **ΓÇ£Yes** if you require users to perform MFA while joining devices to A
![Require multi-factor Auth to join devices](./media/azureadjoin-plan/03.png)
-**Recommendation:** Use the user action [Register or join devices](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#user-actions) in Conditional Access for enforcing MFA for joining devices.
+**Recommendation:** Use the user action [Register or join devices](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions) in Conditional Access for enforcing MFA for joining devices.
## Configure your mobility settings
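Review bot: the unchanged context line above still carries a mis-encoded opening quotation mark (`**ΓÇ£Yes**`) with no matching closing quote; since this file is being touched, it is worth fixing the mojibake and either dropping the quote or closing it so it renders as **"Yes"**.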
You can use this implementation to [require managed devices for cloud app access
> [Join your work device to your organization's network](../user-help/user-help-join-device-on-network.md) <!--Image references-->
-[1]: ./media/azureadjoin-plan/12.png
+[1]: ./media/azureadjoin-plan/12.png
active-directory Hybrid Azuread Join Federated Domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-federated-domains.md
Hybrid Azure AD join requires devices to have access to the following Microsoft
Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join for a federated environment by using AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that's subsequently used to complete the device registration for hybrid Azure AD join. Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), you must also configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Configure filtering by using Azure AD Connect](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering). > [!NOTE]
-> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to AAD, see [Attributes synchronized by Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#windows-10).
+> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to AAD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10).
If your organization requires access to the internet via an outbound proxy, Microsoft recommends [implementing Web Proxy Auto-Discovery (WPAD)](/previous-versions/tn-archive/cc995261(v%3dtechnet.10)) to enable Windows 10 computers for device registration with Azure AD. If you encounter issues configuring and managing WPAD, see [Troubleshoot automatic detection](/previous-versions/tn-archive/cc302643(v=technet.10)).
If you experience issues with completing hybrid Azure AD join for domain-joined
Learn how to [manage device identities by using the Azure portal](device-management-azure-portal.md). <!--Image references-->
-[1]: ./media/active-directory-conditional-access-automatic-device-registration-setup/12.png
+[1]: ./media/active-directory-conditional-access-automatic-device-registration-setup/12.png
active-directory Hybrid Azuread Join Managed Domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-managed-domains.md
Familiarize yourself with these articles:
Verify that Azure AD Connect has synced the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OUs), configure the OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unitΓÇôbased filtering](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering). > [!NOTE]
-> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to AAD, see [Attributes synchronized by Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#windows-10).
+> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to AAD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10).
Beginning with version 1.1.819.0, Azure AD Connect includes a wizard to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard configures the service connection points (SCPs) for device registration.
If you experience issues completing hybrid Azure AD join for domain-joined Windo
Advance to the next article to learn how to manage device identities by using the Azure portal. > [!div class="nextstepaction"]
-> [Manage device identities](device-management-azure-portal.md)
+> [Manage device identities](device-management-azure-portal.md)
active-directory Hybrid Azuread Join Manual https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-manual.md
For Windows 10 devices on version 1703 or earlier, if your organization requires
Beginning with Windows 10 1803, even if a hybrid Azure AD join attempt by a device in a federated domain through AD FS fails, and if Azure AD Connect is configured to sync the computer/device objects to Azure AD, the device will try to complete the hybrid Azure AD join by using the synced computer/device. > [!NOTE]
-> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to Azure AD, see [Attributes synchronized by Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#windows-10).
+> To get device registration sync join to succeed, as part of the device registration configuration, do not exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to Azure AD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10).
To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/) script.
If you experience issues completing hybrid Azure AD join for domain-joined Windo
* [Introduction to device management in Azure Active Directory](overview.md) <!--Image references-->
-[1]: ./media/hybrid-azuread-join-manual/12.png
+[1]: ./media/hybrid-azuread-join-manual/12.png
active-directory Users Bulk Download https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/users-bulk-download.md
You can see the status of your pending bulk requests in the **Bulk operation res
## Bulk download service limits
-Each bulk activity to create a list of users can run for up to one hour. This enables creation and download of a list of at least 500,000 users.
+Each bulk activity to create a list of users can run for up to one hour. This enables creation and download of a list of up to 500,000 users.
## Next steps
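Review bot: changing "at least 500,000 users" to "up to 500,000 users" inverts the statement from a lower bound (the one-hour window is enough for 500,000 or more) to a hard cap; confirm with the service owners which is intended, because readers planning large exports will treat "up to" as the maximum the bulk download supports.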
active-directory Users Revoke Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/users-revoke-access.md
Access tokens and refresh tokens are frequently used with thick client applicati
Azure AD then reevaluates its authorization policies. If the user is still authorized, Azure AD issues a new access token and refreshes token.
-Access tokens can be a security concern if access must be revoked within a time that is shorter than the lifetime of the token, which is usually around an hour. For this reason, Microsoft is actively working to bring [continuous access evaluation](https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-continuous-access-evaluation) to Office 365 applications, which helps ensure invalidation of access tokens in near real time.
+Access tokens can be a security concern if access must be revoked within a time that is shorter than the lifetime of the token, which is usually around an hour. For this reason, Microsoft is actively working to bring [continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md) to Office 365 applications, which helps ensure invalidation of access tokens in near real time.
## Session tokens (cookies)
For a hybrid environment with on-premises Active Directory synchronized with Azu
As an admin in the Active Directory, connect to your on-premises network, open PowerShell, and take the following actions:
-1. Disable the user in Active Directory. Refer to [Disable-ADAccount](https://docs.microsoft.com/powershell/module/addsadministration/disable-adaccount?view=win10-ps).
+1. Disable the user in Active Directory. Refer to [Disable-ADAccount](/powershell/module/activedirectory/disable-adaccount?view=win10-ps).
```PowerShell Disable-ADAccount -Identity johndoe ```
-2. Reset the userΓÇÖs password twice in the Active Directory. Refer to [Set-ADAccountPassword](https://docs.microsoft.com/powershell/module/addsadministration/set-adaccountpassword?view=win10-ps).
+2. Reset the userΓÇÖs password twice in the Active Directory. Refer to [Set-ADAccountPassword](/powershell/module/activedirectory/set-adaccountpassword?view=win10-ps).
> [!NOTE] > The reason for changing a userΓÇÖs password twice is to mitigate the risk of pass-the-hash, especially if there are delays in on-premises password replication. If you can safely assume this account isn't compromised, you may reset the password only once.
As an admin in the Active Directory, connect to your on-premises network, open P
As an administrator in Azure Active Directory, open PowerShell, run ``Connect-AzureAD``, and take the following actions:
-1. Disable the user in Azure AD. Refer to [Set-AzureADUser](https://docs.microsoft.com/powershell/module/azuread/Set-AzureADUser?view=azureadps-2.0).
+1. Disable the user in Azure AD. Refer to [Set-AzureADUser](/powershell/module/azuread/Set-AzureADUser?view=azureadps-2.0).
```PowerShell Set-AzureADUser -ObjectId johndoe@contoso.com -AccountEnabled $false ```
-2. Revoke the userΓÇÖs Azure AD refresh tokens. Refer to [Revoke-AzureADUserAllRefreshToken](https://docs.microsoft.com/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0).
+2. Revoke the userΓÇÖs Azure AD refresh tokens. Refer to [Revoke-AzureADUserAllRefreshToken](/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0).
```PowerShell Revoke-AzureADUserAllRefreshToken -ObjectId johndoe@contoso.com ```
-3. Disable the userΓÇÖs devices. Refer to [Get-AzureADUserRegisteredDevice](https://docs.microsoft.com/powershell/module/azuread/get-azureaduserregistereddevice?view=azureadps-2.0).
+3. Disable the userΓÇÖs devices. Refer to [Get-AzureADUserRegisteredDevice](/powershell/module/azuread/get-azureaduserregistereddevice?view=azureadps-2.0).
```PowerShell Get-AzureADUserRegisteredDevice -ObjectId johndoe@contoso.com | Set-AzureADDevice -AccountEnabled $false
Once admins have taken the above steps, the user can't gain new tokens for any a
- Deploy an automated provisioning and deprovisioning solution. Deprovisioning users from applications is an effective way of revoking access, especially for applications that use sessions tokens. Develop a process to deprovision users to apps that donΓÇÖt support automatic provisioning and deprovisioning. Ensure applications revoke their own session tokens and stop accepting Azure AD access tokens even if theyΓÇÖre still valid.
- - Use [Azure AD SaaS App Provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/user-provisioning). Azure AD SaaS App Provisioning typically runs automatically every 20-40 minutes. [Configure Azure AD provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) to deprovision or deactivate disabled users in applications.
+ - Use [Azure AD SaaS App Provisioning](../app-provisioning/user-provisioning.md). Azure AD SaaS App Provisioning typically runs automatically every 20-40 minutes. [Configure Azure AD provisioning](../saas-apps/tutorial-list.md) to deprovision or deactivate disabled users in applications.
- - For applications that donΓÇÖt use Azure AD SaaS App Provisioning, use [Identity Manager (MIM)](https://docs.microsoft.com/microsoft-identity-manager/mim-how-provision-users-adds) or a 3rd party solution to automate the deprovisioning of users.
+ - For applications that donΓÇÖt use Azure AD SaaS App Provisioning, use [Identity Manager (MIM)](/microsoft-identity-manager/mim-how-provision-users-adds) or a 3rd party solution to automate the deprovisioning of users.
- Identify and develop a process for applications that requires manual deprovisioning. Ensure admins can quickly run the required manual tasks to deprovision the user from these apps when needed. -- [Manage your devices and applications with Microsoft Intune](https://docs.microsoft.com/mem/intune/remote-actions/device-management). Intune-managed [devices can be reset to factory settings](https://docs.microsoft.com/mem/intune/remote-actions/devices-wipe). If the device is unmanaged, you can [wipe the corporate data from managed apps](https://docs.microsoft.com/mem/intune/apps/apps-selective-wipe). These processes are effective for removing potentially sensitive data from end usersΓÇÖ devices. However, for either process to be triggered, the device must be connected to the internet. If the device is offline, the device will still have access to any locally stored data.
+- [Manage your devices and applications with Microsoft Intune](/mem/intune/remote-actions/device-management). Intune-managed [devices can be reset to factory settings](/mem/intune/remote-actions/devices-wipe). If the device is unmanaged, you can [wipe the corporate data from managed apps](/mem/intune/apps/apps-selective-wipe). These processes are effective for removing potentially sensitive data from end usersΓÇÖ devices. However, for either process to be triggered, the device must be connected to the internet. If the device is offline, the device will still have access to any locally stored data.
> [!NOTE] > Data on the device cannot be recovered after a wipe. -- Use [Microsoft Cloud App Security (MCAS) to block data download](https://docs.microsoft.com/cloud-app-security/use-case-proxy-block-session-aad) when appropriate. If the data can only be accessed online, organizations can monitor sessions and achieve real-time policy enforcement.
+- Use [Microsoft Cloud App Security (MCAS) to block data download](/cloud-app-security/use-case-proxy-block-session-aad) when appropriate. If the data can only be accessed online, organizations can monitor sessions and achieve real-time policy enforcement.
-- Enable [Continuous Access Evaluation (CAE) in Azure AD](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation). CAE allows admins to revoke the session tokens and access tokens for applications that are CAE capable.
+- Enable [Continuous Access Evaluation (CAE) in Azure AD](../conditional-access/concept-continuous-access-evaluation.md). CAE allows admins to revoke the session tokens and access tokens for applications that are CAE capable.
## Next steps -- [Secure access practices for Azure AD administrators](https://docs.microsoft.com/azure/active-directory/roles/security-planning)-- [Add or update user profile information](../fundamentals/active-directory-users-profile-azure-portal.md)
+- [Secure access practices for Azure AD administrators](../roles/security-planning.md)
+- [Add or update user profile information](../fundamentals/active-directory-users-profile-azure-portal.md)
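Review bot: the bullet that now links to /microsoft-identity-manager/mim-how-provision-users-adds still reads "Identity Manager (MIM)"; the product name should be "Microsoft Identity Manager (MIM)" so the abbreviation matches the words it expands. Also, the "Continuous Access Evaluation (CAE)" bullet and the earlier access-token paragraph in this file now both point at ../conditional-access/concept-continuous-access-evaluation.md, which is the right target, but the earlier paragraph still says Microsoft is "actively working to bring" CAE while this bullet tells admins to enable it; the two statements should agree on whether CAE is available.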
active-directory Add Guest To Role https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/add-guest-to-role.md
Azure Active Directory (Azure AD) B2B collaboration users are added as guest users to the directory, and guest permissions in the directory are restricted by default. Your business may need some guest users to fill higher-privilege roles in your organization. To support defining higher-privilege roles, guest users can be added to any roles you desire, based on your organization's needs.
-If a directory role is assigned to a guest user, the guest user will be granted with additional permissions that come with the role, including basic read permissions. See [Azure AD built-in roles](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference).
+If a directory role is assigned to a guest user, the guest user will be granted with additional permissions that come with the role, including basic read permissions. See [Azure AD built-in roles](../roles/permissions-reference.md).
## Default role
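Review bot: the rewritten line keeps the phrase "will be granted with additional permissions"; "granted with" is not idiomatic here, and "will be granted the additional permissions that come with the role" reads correctly.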
If a directory role is assigned to a guest user, the guest user will be granted
## Next steps - [What is Azure AD B2B collaboration?](what-is-b2b.md)-- [B2B collaboration user properties](user-properties.md)
+- [B2B collaboration user properties](user-properties.md)
active-directory Active Directory Access Create New Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md
Your new tenant is created with the domain contoso.onmicrosoft.com.
## Your user account in the new tenant
-When you create a new Azure AD tenant, you become the first user of that tenant. As the first user, you're automatically assigned the [Global Admin](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference#global-administrator) role. Check out your user account by navigating to the [**Users**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers) page.
+When you create a new Azure AD tenant, you become the first user of that tenant. As the first user, you're automatically assigned the [Global Admin](../roles/permissions-reference.md#global-administrator) role. Check out your user account by navigating to the [**Users**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers) page.
-By default, you're also listed as the [technical contact](https://docs.microsoft.com/microsoft-365/admin/manage/change-address-contact-and-more?view=o365-worldwide#what-do-these-fields-mean) for the tenant. Technical contact information is something you can change in [**Properties**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
+By default, you're also listed as the [technical contact](/microsoft-365/admin/manage/change-address-contact-and-more?view=o365-worldwide#what-do-these-fields-mean) for the tenant. Technical contact information is something you can change in [**Properties**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
> [!WARNING] > Ensure your directory has at least two accounts with global administrator privileges assigned to them. This will help in the case that one global administrator is locked out. For more detail see the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
If you're not going to continue to use this application, you can delete the tena
- Learn about [role-based access using Privileged Identity Management](../../role-based-access-control/best-practices.md) and [Conditional Access](../../role-based-access-control/conditional-access-azure-management.md) to help manage your organization's application and resource access. -- Learn about Azure AD, including [basic licensing information, terminology, and associated features](active-directory-whatis.md).
+- Learn about Azure AD, including [basic licensing information, terminology, and associated features](active-directory-whatis.md).
active-directory Service Accounts Govern On Premises https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/service-accounts-govern-on-premises.md
Use the following settings with user accounts used as service accounts:
* **LogonWorkstations**: restrict permissions for where the service account can sign in. If it runs locally on a machine and accesses only resources on that machine, restrict it from logging on anywhere else.
-* [**Cannot change password**](/powershell/module/addsadministration/set-aduser): prevent the service account from changing its own password by setting the parameter to false.
+* [**Cannot change password**](/powershell/module/activedirectory/set-aduser): prevent the service account from changing its own password by setting the parameter to false.
## Build a lifecycle management process
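Review bot: the **Cannot change password** bullet says to prevent the service account from changing its own password "by setting the parameter to false", but a flag named "Cannot change password" set to false permits the change; with Set-ADUser the setting that blocks self-service password change is `-CannotChangePassword $true`. The link fix to /powershell/module/activedirectory/set-aduser is correct, but the sentence should be corrected to "setting the parameter to true" at the same time, since the current wording would have an admin weaken the account rather than harden it.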
Create service account only after relevant information is documented in your CMD
* [Account Expiry](/powershell/module/activedirectory/set-adaccountexpiration?view=winserver2012-ps&preserve-view=true)
- * For all user accounts used as service accounts, define a realistic and definite end-date for use. Set this using the "Account Expires" flag. For more details, refer to[ Set-ADAccountExpiration](/powershell/module/addsadministration/set-adaccountexpiration).
+ * For all user accounts used as service accounts, define a realistic and definite end-date for use. Set this using the "Account Expires" flag. For more details, refer to[ Set-ADAccountExpiration](/powershell/module/activedirectory/set-adaccountexpiration).
-* Log On To ([LogonWorkstation](/powershell/module/addsadministration/set-aduser))
+* Log On To ([LogonWorkstation](/powershell/module/activedirectory/set-aduser))
* [Password Policy](../../active-directory-domain-services/password-policy.md) requirements
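Review bot: the updated Set-ADAccountExpiration line keeps the malformed link text `refer to[ Set-ADAccountExpiration]`, which leaves the space inside the brackets and no space before them; it should read `refer to [Set-ADAccountExpiration](...)`. Also, the Account Expiry bullet just above links with `?view=winserver2012-ps&preserve-view=true` while the two rewritten links in this hunk carry no view parameter; pick one convention for the file.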
See the following articles on securing service accounts
* [Secure user accounts](service-accounts-user-on-premises.md)
-* [Govern on-premises service accounts](service-accounts-govern-on-premises.md)
+* [Govern on-premises service accounts](service-accounts-govern-on-premises.md)
active-directory Service Accounts Governing Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/service-accounts-governing-azure.md
Establish a review process to ensure that service accounts are regularly reviewe
**The processes for deprovisioning should include the following tasks.**
-1. Once the associated application or script is deprovisioned, [monitor sign-ins](../reports-monitoring/concept-sign-ins.md#sign-ins-report) and resource access by the service account.
+1. Once the associated application or script is deprovisioned, [monitor sign-ins](../reports-monitoring/concept-sign-ins.md) and resource access by the service account.
* If the account still is active, determine how it's being used before taking subsequent steps.
active-directory Service Accounts Principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/service-accounts-principal.md
When using Microsoft Graph, check the documentation of the specific API, [like i
[Create a service principal](../develop/howto-create-service-principal-portal.md)
- [Monitor service principal sign-ins](../reports-monitoring/concept-sign-ins.md#sign-ins-report)
+ [Monitor service principal sign-ins](../reports-monitoring/concept-sign-ins.md)
**To learn more about securing service accounts:**
active-directory Service Accounts Standalone Managed https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/service-accounts-standalone-managed.md
sMSAs offer greater security than user accounts used as service accounts, while
* The DNS name of the host computer is changed.
- * When adding or removing an additional sam-accountname or dns-hostname parameters using [PowerShell](/powershell/module/addsadministration/set-adserviceaccount)
+ * When adding or removing an additional sam-accountname or dns-hostname parameters using [PowerShell](/powershell/module/activedirectory/set-adserviceaccount)
## When to use sMSAs
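Review bot: the rewritten bullet still refers to "an additional sam-accountname or dns-hostname parameters", which mixes singular and plural and uses lowercase hyphenated names that do not match the cmdlet; since the link now points at the activedirectory Set-ADServiceAccount page, the text should name the parameters as that cmdlet spells them (`-SamAccountName` and `-DNSHostName`) and read "an additional SamAccountName or DNSHostName value".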
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
Affected environments include:
- Azure Commercial Cloud - Office 365 GCC and WW
-For additional guidance, refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
+For additional guidance, refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).
For organizations using multi-geo SharePoint Online, you can now include sites f
**Service category:** Other **Product capability:** Developer Experience
-Customers can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated to a directory, not applications from a personal Microsoft account. [Learn more](../develop/quickstart-restore-app.md).
+Customers can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated to a directory, not applications from a personal Microsoft account. [Learn more](../develop/howto-restore-app.md).
Customers can now update the user type of Azure AD users when they update their
**Service category:** Azure AD Domain Services **Product capability:** Azure AD Domain Services
-The capability of replica sets in Azure AD DS is now generally available. [Learn more](https://docs.microsoft.com/azure/active-directory-domain-services/concepts-replica-sets).
+The capability of replica sets in Azure AD DS is now generally available. [Learn more](../../active-directory-domain-services/concepts-replica-sets.md).
For more information about how to better secure your organization by using autom
**Service category:** MS Graph **Product capability:** B2B/B2C
-[MS Graph API for the Company Branding](https://docs.microsoft.com/graph/api/resources/organizationalbrandingproperties) is available for the Azure AD or Microsoft 365 login experience to allow the management of the branding parameters programmatically.
+[MS Graph API for the Company Branding](/graph/api/resources/organizationalbrandingproperties) is available for the Azure AD or Microsoft 365 login experience to allow the management of the branding parameters programmatically.
Affected environments are:
Related announcement All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services. This is change is related to [Azure Active Directory TLS 1.0 & 1.1, and 3DES Cipher Suite Deprecation in US Gov Cloud](whats-new.md#azure-active-directory-tls-10-tls-11-and-3des-deprecation-in-us-gov-cloud).
-For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
+For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).
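Review bot: the unchanged context line above contains the typo "This is change is related to"; while the link on the following line is being edited, drop the stray "is". The rewritten sentence itself, "For guidance to remove deprecating protocols dependencies", is awkward and is repeated verbatim in the next hunk; "For guidance on removing dependencies on the deprecated protocols" states it clearly in both places.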
Affected environments are:
- Azure US Gov - [Office 365 GCC High & DoD](/microsoft-365/compliance/tls-1-2-in-office-365-gcc)
-For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
+For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).
We've recently updated the [remember Multi-Factor Authentication (MFA)](../authe
For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to the remember MFA on a trusted device setting. To get started, review our [latest guidance on optimizing the reauthentication experience](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md). -+
active-directory Create Access Review https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/create-access-review.md
na
ms.devlang: na Previously updated : 3/3/2021 Last updated : 4/27/2021
For more information, see [License requirements](access-reviews-overview.md#lice
![Create an access review - Review name and description](./media/create-access-review/select-what-review.png) 5. If you selected **Teams + Groups** in Step 1, you have two options in Step 2
- - **All Microsoft 365 groups with guest users.** Select this option if you would like to create recurring reviews on all your guest users across all your Microsoft Teams and M365 groups in your organization. You can choose to exclude certain groups by clicking on ΓÇÿSelect group(s) to excludeΓÇÖ.
+ - **All Microsoft 365 groups with guest users.** Select this option if you would like to create recurring reviews on all your guest users across all your Microsoft Teams and Microsoft 365 groups in your organization. You can choose to exclude certain groups by clicking on ΓÇÿSelect group(s) to excludeΓÇÖ.
- **Select teams + groups.** Select this option if you would like to specify a finite set of teams and/or groups to review. After clicking on this option, you will see a list of groups to the right to pick from. ![Teams and groups](./media/create-access-review/teams-groups.png) ![Teams and groups chosen in the user interface](./media/create-access-review/teams-groups-detailed.png)
-6. If you selected **Applications** in Step 1, you can then select one or more applications in Step 2.
+6. If you selected **Applications** in Step 1, you can then select one or more applications in Step 2
>[!NOTE] > Selecting multiple groups and/or applications will result in multiple access reviews created. For example, if you select 5 groups to review, that will result in 5 separate access reviews
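Review bot: the rewritten step 6 line drops the terminating period that the removed line had ("...one or more applications in Step 2"), while the neighbouring numbered steps keep theirs; restore it for consistency. The NOTE callout in the same hunk also ends without punctuation ("...that will result in 5 separate access reviews").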
For more information, see [License requirements](access-reviews-overview.md#lice
![Create an access review - upon completion settings](./media/create-access-review/upon-completion-settings-new.png)
-If you want to automatically remove access for denied users, set Auto apply results to resource to Enable. If you want to manually apply the results when the review completes, set the switch to Disable.
-Use the If reviewers don't respond list to specify what happens for users that are not reviewed by the reviewer within the review period. This setting does not impact users who have been reviewed by the reviewers manually. If the final reviewer's decision is Deny, then the user's access will be removed.
+ If you want to automatically remove access for denied users, set Auto apply results to resource to Enable. If you want to manually apply the results when the review completes, set the switch to Disable.
+
+ Use the If reviewers don't respond list to specify what happens for users that are not reviewed by the reviewer within the review period. This setting does not impact users who have been reviewed by the reviewers manually. If the final reviewer's decision is Deny, then the user's access will be removed.
-- **No change** - Leave user's access unchanged-- **Remove access** - Remove user's access-- **Approve access** - Approve user's access-- **Take recommendations** - Take the system's recommendation on denying or approving the user's continued access
+ - **No change** - Leave user's access unchanged
+ - **Remove access** - Remove user's access
+ - **Approve access** - Approve user's access
+ - **Take recommendations** - Take the system's recommendation on denying or approving the user's continued access
![Upon completion settings options](./media/create-access-review/upon-completion-settings-new.png)
-Use the Action to apply on denied **guest** users to specify what happens to guest users if they are denied.
-- Remove userΓÇÖs membership from the resource will remove denied userΓÇÖs access to the group or application being reviewed, they will still be able to sign-in to the tenant.-- Block user from signing-in for 30 days, then remove user from the tenant will block the denied users from signing in to the tenant, regardless if they have access to other resources. If there was a mistake or if an admin decides to re-enable oneΓÇÖs access, they can do so within 30 days after the user has been disabled. If there is no action taken on the disabled users, they will be deleted from the tenant.
+ Use the Action to apply on denied **guest** users to specify what happens to guest users if they are denied.
+ - Remove userΓÇÖs membership from the resource will remove denied userΓÇÖs access to the group or application being reviewed, they will still be able to sign-in to the tenant.
+ - Block user from signing-in for 30 days, then remove user from the tenant will block the denied users from signing in to the tenant, regardless if they have access to other resources. If there was a mistake or if an admin decides to re-enable oneΓÇÖs access, they can do so within 30 days after the user has been disabled. If there is no action taken on the disabled users, they will be deleted from the tenant.
-To learn more about best practices for removing guest users who no longer have access to resources in your organization read the article titled [Use Azure AD Identity Governance to review and remove external users who no longer have resource access.](access-reviews-external-users.md)
+ To learn more about best practices for removing guest users who no longer have access to resources in your organization read the article titled [Use Azure AD Identity Governance to review and remove external users who no longer have resource access.](access-reviews-external-users.md)
- >[!NOTE]
- >Action to apply on denied guest users is not configurable on reviews scoped to more than guest users. It is also not configurable for reviews of **All M365 groups with guest users.** When not configurable, the default option of removing user's membership from the resource is used on denied users.
+ > [!NOTE]
+ > Action to apply on denied guest users is not configurable on reviews scoped to more than guest users. It is also not configurable for reviews of **All M365 groups with guest users.** When not configurable, the default option of removing user's membership from the resource is used on denied users.
-13. In the **Enable review decision helpers** choose whether you would like your reviewer to receive recommendations during the review process.
+13. You can send notifications to additional users or groups (Preview) to receive review completion updates. This feature allows for stakeholders other than the review creator to be updated on the progress of the review. To use this feature, select **Select User(s) or Group(s)** and add an additional user or group upon you want to receive the status of completion.
+
+ ![Upon completion settings - Add additional users to receive notifications](./media/create-access-review/upon-completion-settings-additional-receivers.png)
+
+14. In the **Enable review decision helpers** choose whether you would like your reviewer to receive recommendations during the review process.
![Enable decision helpers options](./media/create-access-review/helpers.png)
-14. In the **Advanced settings** section you can choose the following
+15. In the **Advanced settings** section you can choose the following
- Set **Justification required** to **Enable** to require the reviewer to supply a reason for approval. - Set **email notifications** to **Enable** to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes. - Set **Reminders** to **Enable** to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review. These reminders will be self half-way through the duration of the review. - The content of the email sent to reviewers is autogenerated based on the review details, such as review name, resource name, due date, etc. If you need a way to communicate additional information such as additional instructions or contact information, you can specify these details in the **Additional content for reviewer email** section. The information that you enter is included in the invitation and reminder emails sent to assigned reviewers. The section highlighted in the image below shows where this information is displayed. - ![additional content for reviewer](./media/create-access-review/additional-content-reviewer.png)
-15. Click on **Next: Review + Create** to move to the next page
-16. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.
-17. Review the information and select **Create**
+16. Click on **Next: Review + Create** to move to the next page
+17. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.
+18. Review the information and select **Create**
![create review screen](./media/create-access-review/create-review.png)
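Review bot: this change renames the option to "All Microsoft 365 groups with guest users" in the Step 2 bullet, but the NOTE reindented in the same hunk still says "All M365 groups with guest users."; update it so both references to the same option agree. In the new step 13, "add an additional user or group upon you want to receive the status of completion" should read "whom you want to receive", and the unchanged Advanced settings line has "These reminders will be self half-way" where "sent half-way" is meant.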
You can also create access reviews using APIs. What you do to manage access revi
- [Review access to groups or applications](perform-access-review.md) - [Review access for yourself to groups or applications](review-your-access.md)-- [Complete an access review of groups or applications](complete-access-review.md)
+- [Complete an access review of groups or applications](complete-access-review.md)
active-directory Concept Adsync Service Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/concept-adsync-service-account.md
Legend:
- Non-bold - Supported option - Local account - Local user account on the server - Domain account - Domain user account -- sMSA - [standalone Managed Service account](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10))-- gMSA - [group Managed Service account](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11))
+- sMSA - [standalone Managed Service account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10))
+- gMSA - [group Managed Service account](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11))
|Machine type |**LocalDB</br> Express**|**LocalDB/LocalSQL</br> Custom**|**Remote SQL</br> Custom**| |--|--|--|--|
A Virtual Service Account is a special type of managed local account that does n
The Virtual Service Account is intended to be used with scenarios where the sync engine and SQL are on the same server. If you use remote SQL, then we recommend using a group Managed Service Account instead.
-The Virtual Service Account cannot be used on a Domain Controller due to [Windows Data Protection API (DPAPI)](https://msdn.microsoft.com/library/ms995355.aspx) issues.
+The Virtual Service Account cannot be used on a Domain Controller due to [Windows Data Protection API (DPAPI)](/previous-versions/ms995355(v=msdn.10)) issues.
## Managed Service Account
-If you use a remote SQL Server, then we recommend to using a group Managed Service Account. For more information on how to prepare your Active Directory for group Managed Service account, see [Group Managed Service Accounts Overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).
+If you use a remote SQL Server, then we recommend to using a group Managed Service Account. For more information on how to prepare your Active Directory for group Managed Service account, see [Group Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).
To use this option, on the [Install required components](how-to-connect-install-custom.md#install-required-components) page, select **Use an existing service account**, and select **Managed Service Account**.
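Review bot: the gMSA sentence edited for the link fix keeps the grammar slip "we recommend to using a group Managed Service Account"; while the line is being touched, change it to "we recommend using a group Managed Service Account" and "prepare your Active Directory for a group Managed Service Account".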
The account is also granted permission to files, registry keys, and other object
## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory How To Connect Configure Ad Ds Connector Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md
Previously updated : 05/18/2020 Last updated : 04/21/2021
Install-WindowsFeature RSAT-AD-Tools
![Configure](media/how-to-connect-configure-ad-ds-connector-account/configure2.png) >[!NOTE]
->You can also copy the file **C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\ADSyncConfig.psm1** to a Domain Controller which already has RSAT for AD DS installed and use this PowerShell module from there.
+>You can also copy the file **C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\ADSyncConfig.psm1** to a Domain Controller which already has RSAT for AD DS installed and use this PowerShell module from there. Be aware that some of the cmdlets can only be run on the computer that is hosting Azure AD Connect.
To start using the ADSyncConfig you need to load the module in a Windows PowerShell window:
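Review bot: the added sentence "some of the cmdlets can only be run on the computer that is hosting Azure AD Connect" does not say which cmdlets, so a reader who copies ADSyncConfig.psm1 to a domain controller as the note suggests cannot tell in advance which calls will fail there; name the affected cmdlets or link to the ADSyncConfig reference page that lists them.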
This cmdlet will set the following permissions:
- [Azure AD Connect: Accounts and permissions](reference-connect-accounts-permissions.md) - [Express Installation](how-to-connect-install-express.md) - [Custom Installation](how-to-connect-install-custom.md)-- [ADSyncConfig Reference](reference-connect-adsyncconfig.md)
+- [ADSyncConfig Reference](reference-connect-adsyncconfig.md)
active-directory How To Connect Emergency Ad Fs Certificate Rotation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-emergency-ad-fs-certificate-rotation.md
In the event that you need to rotate the AD FS certificates immediately, you can
> [!NOTE] > Microsoft highly recommends using a Hardware Security Module (HSM) to protect and secure certificates.
-> For more information see [Hardware Security Module](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#hardware-security-module-hsm) under best practices for securing AD FS.
+> For more information see [Hardware Security Module](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#hardware-security-module-hsm) under best practices for securing AD FS.
## Determine your Token Signing Certificate thumbprint In order to revoke the old Token Signing Certificate which AD FS is currently using, you need to determine the thumbprint of the token-sigining certificate. To do this, use the following steps below:
You can use the following steps to generate the new token-signing certificates.
## Generating new certificates manually if AutoCertificateRollover is set to FALSE If you are not using the default automatically generated, self-signed token signing and token decryption certificates, you must renew and configure these certificates manually. This involves creating two new token-signing certificates and importing them. Then you promote one to primary, revoke the old certificate and configure the second certificate as the secondary certificate.
-First, you must obtain a two new certificates from your certificate authority and import them into the local machine personal certificate store on each federation server. For instructions, see the [Import a Certificate](https://technet.microsoft.com/library/cc754489.aspx) article.
+First, you must obtain a two new certificates from your certificate authority and import them into the local machine personal certificate store on each federation server. For instructions, see the [Import a Certificate](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754489(v=ws.11)) article.
>[!IMPORTANT] >The reason we are creating two certificates is because Azure holds on to information regarding the previous certificate. By creating a second one, we are forcing Azure to release information about the old certificate and replace it with information about the second certificate.
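Review bot: the line edited for the link still reads "you must obtain a two new certificates"; drop the stray "a" while the line is being changed.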
To update the certificate information in Azure AD, run the following command: `U
## Replace SSL certificates In the event that you need to replace your token-signing certificate because of a compromise, you should also revoke and replace the SSL certificates for AD FS and your WAP servers.
-Revoking your SSL certificates must be done at the certificate authority (CA) that issued the certificate. These certificates are often issued by 3rd party providers such as GoDaddy. For an example, see (Revoke a certificate | SSL Certificates - GoDaddy Help US). For more information see [How Certificate Revocation Works](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee619754(v=ws.10)?redirectedfrom=MSDN).
+Revoking your SSL certificates must be done at the certificate authority (CA) that issued the certificate. These certificates are often issued by 3rd party providers such as GoDaddy. For an example, see (Revoke a certificate | SSL Certificates - GoDaddy Help US). For more information see [How Certificate Revocation Works](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee619754(v=ws.10)).
-Once the old SSL certificate has been revoked and a new one issued, you can replacing the SSL certificates. For more information see [Replacing the SSL certificate for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap#replacing-the-ssl-certificate-for-ad-fs).
+Once the old SSL certificate has been revoked and a new one issued, you can replacing the SSL certificates. For more information see [Replacing the SSL certificate for AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap#replacing-the-ssl-certificate-for-ad-fs).
## Remove your old certificates
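Review bot: "(Revoke a certificate | SSL Certificates - GoDaddy Help US)" is a page title in parentheses with no link target, so readers are given an example they cannot follow; either supply the URL as a markdown link or remove the example. The next edited line also keeps "you can replacing the SSL certificates", which should be "you can replace".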
If your federation partners cannot consume your federation metadata, you must ma
## Revoke refresh tokens via PowerShell
-Now we want to revoke refresh tokens for users who may have them and force them to re-logon and get new tokens. This will log users out of their phone, current webmail sessions, along with other items that are using Tokens and Refresh Tokens. Information can be found [here](https://docs.microsoft.com/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0&preserve-view=true) and you can also reference how to [Revoke user access in Azure Active Directory](../../active-directory/enterprise-users/users-revoke-access.md).
+Now we want to revoke refresh tokens for users who may have them and force them to re-logon and get new tokens. This will log users out of their phone, current webmail sessions, along with other items that are using Tokens and Refresh Tokens. Information can be found [here](/powershell/module/azuread/revoke-azureaduserallrefreshtoken?preserve-view=true&view=azureadps-2.0) and you can also reference how to [Revoke user access in Azure Active Directory](../../active-directory/enterprise-users/users-revoke-access.md).
## Next steps -- [Managing SSL Certificates in AD FS and WAP in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap#replacing-the-ssl-certificate-for-ad-fs)-- [Obtain and Configure Token Signing and Token Decryption Certificates for AD FS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn781426(v=ws.11)#updating-federation-partners)-- [Renew federation certificates for Microsoft 365 and Azure Active Directory](how-to-connect-fed-o365-certs.md)-------------------
+- [Managing SSL Certificates in AD FS and WAP in Windows Server 2016](/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap#replacing-the-ssl-certificate-for-ad-fs)
+- [Obtain and Configure Token Signing and Token Decryption Certificates for AD FS](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn781426(v=ws.11)#updating-federation-partners)
+- [Renew federation certificates for Microsoft 365 and Azure Active Directory](how-to-connect-fed-o365-certs.md)
active-directory How To Connect Fed O365 Certs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-fed-o365-certs.md
This article provides you additional information to manage your token signing ce
> [!IMPORTANT] > Microsoft highly recommends using a Hardware Security Module (HSM) to protect and secure certificates.
-> For more information see [Hardware Security Module](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#hardware-security-module-hsm) under best practices for securing AD FS.
+> For more information see [Hardware Security Module](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#hardware-security-module-hsm) under best practices for securing AD FS.
## Default configuration of AD FS for token signing certificates The token signing and token decrypting certificates are usually self-signed certificates, and are good for one year. By default, AD FS includes an auto-renewal process called **AutoCertificateRollover**. If you are using AD FS 2.0 or later, Microsoft 365 and Azure AD automatically update your certificate before it expires.
By default, AD FS is configured to generate token signing and token decryption c
Azure AD tries to retrieve a new certificate from your federation service metadata 30 days before the expiry of the current certificate. In case a new certificate is not available at that time, Azure AD will continue to monitor the metadata on regular daily intervals. As soon as the new certificate is available in the metadata, the federation settings for the domain are updated with the new certificate information. You can use `Get-MsolDomainFederationSettings` to verify if you see the new certificate in the NextSigningCertificate / SigningCertificate.
-For more information on Token Signing certificates in AD FS see [Obtain and Configure Token Signing and Token Decryption Certificates for AD FS](/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs)
+For more information on Token Signing certificates in AD FS see [Obtain and Configure Token Signing and Token Decryption Certificates for AD FS](/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs)
active-directory How To Connect Health Ad Fs Sign In https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-health-ad-fs-sign-in.md
# AD FS sign-ins in Azure AD with Connect Health - preview
-AD FS sign-ins can now be integrated into the Azure Active Directory sign-ins report by using Connect Health. The [Azure AD sign-ins Report](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins#:~:text=Interactive%20user%20sign-ins%20are%20sign-ins%20where%20a%20user,to%20Azure%20AD%20or%20to%20a%20helper%20app.) report includes information about when users, applications, and managed resources sign in to Azure AD and access resources.
+AD FS sign-ins can now be integrated into the Azure Active Directory sign-ins report by using Connect Health. The [Azure AD sign-ins Report](../reports-monitoring/concept-all-sign-ins.md) report includes information about when users, applications, and managed resources sign in to Azure AD and access resources.
The Connect Health for AD FS agent correlates multiple Event IDs from AD FS, dependent on the server version, to provide information about the request and error details if the request fails. This information is correlated to the Azure AD sign-ins report schema and displayed in the Azure AD Sign-In Report UX. Alongside the report, a new Log Analytics stream is available with the AD FS data and a new Azure Monitor Workbook template. The template can be used and modified for an in-depth analysis for scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.
The report has a known issue where the "Authentication Requirement" field in the
## Related links * [Azure AD Connect Health](./whatis-azure-ad-connect.md) * [Azure AD Connect Health Agent Installation](how-to-connect-health-agent-install.md)
-* [Risky IP report](how-to-connect-health-adfs-risky-ip.md)
-----
+* [Risky IP report](how-to-connect-health-adfs-risky-ip.md)
active-directory How To Connect Selective Password Hash Synchronization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-selective-password-hash-synchronization.md
Both scenarios rely on setting the adminDescription attribute of users to a spec
This attribute can be set either: - using the Active Directory Users and Computers UI-- using `Set-ADUser` PowerShell cmdlet. For more information see [Set-ADUser](https://docs.microsoft.com/powershell/module/addsadministration/set-aduser).
+- using `Set-ADUser` PowerShell cmdlet. For more information see [Set-ADUser](/powershell/module/activedirectory/set-aduser).
Once all configurations are complete, you need edit the attribute **adminDescrip
## Next Steps - [What is password hash synchronization?](whatis-phs.md)-- [How password hash sync works](how-to-connect-password-hash-synchronization.md)
+- [How password hash sync works](how-to-connect-password-hash-synchronization.md)
active-directory How To Connect Single Object Sync https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-single-object-sync.md
To run the Single Object Sync tool, perform the following steps:
1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator option.
- 2. Set the [execution policy](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy) to RemoteSigned or Unrestricted.
+ 2. Set the [execution policy](/powershell/module/microsoft.powershell.security/set-executionpolicy) to RemoteSigned or Unrestricted.
3. Disable the sync scheduler after verifying that no synchronization operations are running.
The Single Object Sync tool **is** intended for investigating and troubleshootin
## Next steps - [Troubleshooting object synchronization](tshoot-connect-objectsync.md) - [Troubleshoot object not synchronizing](tshoot-connect-object-not-syncing.md)-- [End-to-end troubleshooting of Azure AD Connect objects and attributes](https://docs.microsoft.com/troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes)
+- [End-to-end troubleshooting of Azure AD Connect objects and attributes](/troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes)
active-directory How To Connect Staged Rollout https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-staged-rollout.md
For an overview of the feature, view this "Azure Active Directory: What is stage
- You have an Azure Active Directory (Azure AD) tenant with federated domains. - You have decided to move to either of two options:
- - **Option A** - *password hash synchronization (sync)* + *seamless single sign-on (SSO)*. For more information, see [What is password hash sync](whatis-phs.md) and [What is seamless SSO](how-to-connect-sso.md)
- - **Option B** - *pass-through authentication* + *seamless SSO*. For more information, see [What is pass-through authentication](how-to-connect-pta.md)
+ - **Option A** - *password hash synchronization (sync)*. For more information, see [What is password hash sync](whatis-phs.md)
+ - **Option B** - *pass-through authentication*. For more information, see [What is pass-through authentication](how-to-connect-pta.md)
- Although *seamless SSO* is optional, we recommend enabling it to achieve a silent sign-in experience for users who are running domain-joined machines from inside a corporate network.
+ For both options, we recommend enabling single sign-on (SSO) to achieve a silent sign-in experience.
+ For Windows 7 or 8.1 domain-joined devices, we recommend using seamless SSO. For more information, see [What is seamless SSO](how-to-connect-sso.md).
+ For Windows 10, Windows Server 2016 and later versions, itΓÇÖs recommended to use SSO via [Primary Refresh Token (PRT)](../devices/concept-primary-refresh-token.md) with [Azure AD joined devices](../devices/concept-azure-ad-join.md), [hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md) or personal registered devices via Add Work or School Account.
- You have configured all the appropriate tenant-branding and conditional access policies you need for users who are being migrated to cloud authentication.
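Review bot: the three new SSO lines ("For both options, we recommend...", "For Windows 7 or 8.1...", "For Windows 10...") are indented two spaces with no list marker, so in markdown they render as continuation text of the preceding Option B sub-bullet rather than as guidance that applies to both options, which is what the first sentence states; either make them a top-level bullet like the removed "Although seamless SSO is optional" line or outdent them to paragraph level.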
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-version-history.md
Please follow this link to read more about [auto upgrade](how-to-connect-install
## 1.6.2.4 >[!IMPORTANT] > Update per March 30, 2021: we have discovered an issue in this build. After installation of this build, the Health services are not registered. We recommend not installing this build. We will release a hotfix shortly.
-> If you already installed this build, you can manually register the Health services by using the cmdlet as shown in [this article](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-health-agent-install#manually-register-azure-ad-connect-health-for-sync)
+> If you already installed this build, you can manually register the Health services by using the cmdlet as shown in [this article](./how-to-connect-health-agent-install.md#manually-register-azure-ad-connect-health-for-sync)
>[!NOTE] > - This release will be made available for download only. > - The upgrade to this release will require a full synchronization due to sync rule changes.
-> - This release defaults the AADConnect server to the new V2 end point. Note that this end point is not supported in the German national cloud and if you need to deploy this version in this environment you need to follow [these instructions](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-endpoint-api-v2#rollback) to switch back to the V1 end point. Failure to do so will result in errors in synchronization.
+> - This release defaults the AADConnect server to the new V2 end point. Note that this end point is not supported in the German national cloud and if you need to deploy this version in this environment you need to follow [these instructions](./how-to-connect-sync-endpoint-api-v2.md#rollback) to switch back to the V1 end point. Failure to do so will result in errors in synchronization.
### Release status 3/19/2021: Released for download, not available for auto upgrade
Please follow this link to read more about [auto upgrade](how-to-connect-install
- The updated rule will be disabled by default. However, a new sync rule ΓÇ£Out to AD - Group SOAInAAD - ExchangeΓÇ¥ which is added will be enabled. - Depending on the Cloned Custom Sync Rule's precedence, AADConnect will flow the Mail and Exchange attributes. - If the Cloned Custom Sync Rule does not flow some Mail and Exchange attributes, then new Exchange Sync Rule will add those attributes.
+ - Added support for [Selective Password hash Synchronization](./how-to-connect-selective-password-hash-synchronization.md)
+ - Added the new [Single Object Sync cmdlet](./how-to-connect-single-object-sync.md). Use this cmdlet to troubleshoot your Azure AD Connect sync configuration.
- Azure AD Connect now supports the Hybrid Identity Administrator role for configuring the service. - Updated AADConnectHealth agent to 3.1.83.0
+ - New version of the [ADSyncTools PowerShell module](./reference-connect-adsynctools.md), which has several new or improved cmdlets.
- Clear-ADSyncToolsMsDsConsistencyGuid - ConvertFrom-ADSyncToolsAadDistinguishedName
Please follow this link to read more about [auto upgrade](how-to-connect-install
- Get-ADSyncAADConnectorExportApiVersion - to get export AWS API version - Changes made to synchronization rules are now tracked to assist troubleshooting changes in the service. The cmdlet "Get-ADSyncRuleAudit" will retrieve tracked changes.
+ - Updated the Add-ADSyncADDSConnectorAccount cmdlet in the the [ADSyncConfig PowerShell module](./how-to-connect-configure-ad-ds-connector-account.md#using-the-adsyncconfig-powershell-module) to allow a user in ADSyncAdmin group to change the AD DS Connector account.
### Bug fixes - Updated disabled foreground color to satisfy luminosity requirements on a white background. Added additional conditions for navigation tree to set foreground text color to white when a disabled page is selected to satisfy luminosity requirements.
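Review bot: the added ADSyncConfig bullet has a doubled article, "in the the [ADSyncConfig PowerShell module]"; remove one "the", and "a user in ADSyncAdmin group" reads better as "a user in the ADSyncAdmin group".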
We fixed a bug in the sync errors compression utility that was not handling surr
## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory Migrate Application Authentication To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory.md
After migration, you may choose to send communication informing the users of the
During the process of the migration, your app may already have a test environment used during regular deployments. You can continue to use this environment for migration testing. If a test environment is not currently available, you may be able to set one up using Azure App Service or Azure Virtual Machines, depending on the architecture of the application. You may choose to set up a separate test Azure AD tenant to use as you develop your app configurations. This tenant will start in a clean state and will not configured to sync with any system.
-You can test each app by logging in with a test user and make sure all functionality is the same as prior to the migration. If you determine during testing that users will need to update their [MFA](/azure/active-directory/authentication/howto-mfa-userstates) or [SSPR](../authentication/tutorial-enable-sspr.md)settings, or you are adding this functionality during the migration, be sure to add that to your end-user communication plan. See [MFA](https://aka.ms/mfatemplates) and [SSPR](https://aka.ms/ssprtemplates) end-user communication templates.
+You can test each app by logging in with a test user and make sure all functionality is the same as prior to the migration. If you determine during testing that users will need to update their [MFA](../authentication/howto-mfa-userstates.md) or [SSPR](../authentication/tutorial-enable-sspr.md)settings, or you are adding this functionality during the migration, be sure to add that to your end-user communication plan. See [MFA](https://aka.ms/mfatemplates) and [SSPR](https://aka.ms/ssprtemplates) end-user communication templates.
Once you have migrated the apps, go to the [Azure portal](https://aad.portal.azure.com/) to test if the migration was a success. Follow the instructions below:
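Review bot: the retargeted link in the added line still runs into the next word: "[SSPR](../authentication/tutorial-enable-sspr.md)settings" needs a space before "settings"; fix it while this line is being changed, since the MFA link beside it is already being rewritten to the relative ../authentication/howto-mfa-userstates.md form.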
Identity deployment issue depending on your Enterprise Agreement with Microsoft.
- **Engage the Product Engineering team:** If you are working on a major customer deployment with millions of users, you are entitled to support from the Microsoft account team or your Cloud Solutions Architect. Based on the projectΓÇÖs deployment complexity, you can work directly with the [Azure Identity Product Engineering team.](https://aad.portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders) -- **Azure AD Identity blog:** Subscribe to the [Azure AD Identity blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity) to stay up to date with all the latest product announcements, deep dives, and roadmap information provided directly by the Identity engineering team.
+- **Azure AD Identity blog:** Subscribe to the [Azure AD Identity blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity) to stay up to date with all the latest product announcements, deep dives, and roadmap information provided directly by the Identity engineering team.
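Review bot: the added line is identical to the removed one as rendered, so this is presumably a whitespace or line-break fix; the context just above it shows "projectΓÇÖs", an encoding artifact for the apostrophe in "project's", which should be replaced with a plain apostrophe while this paragraph is being touched.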
active-directory My Apps Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/my-apps-deployment-plan.md
For more information, see [Configure how end-users consent to applications](../m
### Group owner consent for apps accessing data
-Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. See [Resource-specific consent in Microsoft Teams](https://docs.microsoft.com/microsoftteams/resource-specific-consent) to learn more.
+Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. See [Resource-specific consent in Microsoft Teams](/microsoftteams/resource-specific-consent) to learn more.
You can configure whether you'd like to allow or disable this feature.
You can use [Privileged Identity Management](../privileged-identity-management/p
[Plan a deployment of Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)
-[Plan an Application Proxy deployment](application-proxy-deployment-plan.md)
-
+[Plan an Application Proxy deployment](application-proxy-deployment-plan.md)
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/whats-new-docs.md
Welcome to what's new in Azure Active Directory application management documenta
- [Understand linked sign-on](configure-linked-sign-on.md) - [Understand password-based single sign-on](configure-password-single-sign-on-non-gallery-applications.md) - [Understand SAML-based single sign-on](configure-saml-single-sign-on.md)-- [Troubleshoot common problem adding or removing an application to Azure Active Directory](troubleshoot-adding-apps.md)
+- [Troubleshoot common problem adding or removing an application to Azure Active Directory](/troubleshoot/azure/active-directory/troubleshoot-adding-apps)
- [Viewing apps using your Azure AD tenant for identity management](application-types.md) - [Understand how users are assigned to apps in Azure Active Directory](ways-users-get-assigned-to-applications.md) - [Quickstart: Delete an application from your Azure Active Directory (Azure AD) tenant](delete-application-portal.md)
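Review bot: the link text "Troubleshoot common problem adding or removing an application to Azure Active Directory" is ungrammatical ("problem" should be "problems"); since the target is moving to /troubleshoot/azure/active-directory/troubleshoot-adding-apps, align the text with that article's title. The same text is added again under "Updated articles" further down in this file and needs the same fix.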
Welcome to what's new in Azure Active Directory application management documenta
### Updated articles - [Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant](add-application-portal.md)-- [Troubleshoot common problem adding or removing an application to Azure Active Directory](troubleshoot-adding-apps.md)
+- [Troubleshoot common problem adding or removing an application to Azure Active Directory](/troubleshoot/azure/active-directory/troubleshoot-adding-apps)
- [Managing consent to applications and evaluating consent requests](manage-consent-requests.md) - [Viewing apps using your Azure AD tenant for identity management](application-types.md) - [Understand how users are assigned to apps in Azure Active Directory](ways-users-get-assigned-to-applications.md)
active-directory How To Use Vm Sign In https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md
documentationcenter:
editor: - ms.devlang: na
Last updated 01/29/2021 -+ # How to use managed identities for Azure resources on an Azure VM for sign-in
active-directory Services Support Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
Refer to the following document to reconfigure a managed identity if you have mo
Refer to the following documents to use managed identity with [Azure Automation](../../automation/automation-intro.md): * [Automation account authentication overview - Managed identities](../../automation/automation-security-overview.md#managed-identities-preview)
-* [Enable and use managed identity for Automation](https://docs.microsoft.com/azure/automation/enable-managed-identity-for-automation)
+* [Enable and use managed identity for Automation](../../automation/enable-managed-identity-for-automation.md)
### Azure Blueprints
Refer to the following list to configure managed identity for Azure Service Fabr
| User assigned | Not Available | Not Available | Not Available | Not Available |
-For more information, see [How to enable system-assigned managed identity for Azure Spring Cloud application](~/articles/spring-cloud/spring-cloud-howto-enable-system-assigned-managed-identity.md).
+For more information, see [How to enable system-assigned managed identity for Azure Spring Cloud application](../../spring-cloud/how-to-enable-system-assigned-managed-identity.md).
### Azure Stack Edge
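Review bot: this change alters the file name as well as the path form (spring-cloud-howto-enable-system-assigned-managed-identity.md becomes how-to-enable-system-assigned-managed-identity.md under ../../spring-cloud/); confirm the renamed target exists in the repo so the build's link check does not fail on it.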
Refer to the following list to configure access to Azure Resource
> Microsoft Power BI also [supports managed identities](../../stream-analytics/powerbi-output-managed-identity.md).
-[check]: media/services-support-managed-identities/check.png "Available"
+[check]: media/services-support-managed-identities/check.png "Available"
active-directory Tutorial Linux Vm Access Nonaad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad.md
To complete these steps, you need an SSH client.  If you are using Windows, you
>[!IMPORTANT] > All Azure SDKs support the Azure.Identity library that makes it easy to acquire Azure AD tokens to access target services. Learn more about [Azure SDKs](https://azure.microsoft.com/downloads/) and leverage the Azure.Identity library.
-> - [.NET](https://docs.microsoft.com/dotnet/api/overview/azure/identity-readme?view=azure-dotnet)
-> - [JAVA](https://docs.microsoft.com/java/api/overview/azure/identity-readme?view=azure-java-stable)
-> - [Javascript](https://docs.microsoft.com/javascript/api/overview/azure/identity-readme?view=azure-node-latest)
-> - [Python](https://docs.microsoft.com/python/api/overview/azure/identity-readme?view=azure-python)
+> - [.NET](/dotnet/api/overview/azure/identity-readme?view=azure-dotnet)
+> - [JAVA](/java/api/overview/azure/identity-readme?view=azure-java-stable)
+> - [Javascript](/javascript/api/overview/azure/identity-readme?view=azure-node-latest)
+> - [Python](/python/api/overview/azure/identity-readme?view=azure-python)
1. In the portal, navigate to your Linux VM and in the **Overview**, click **Connect**. 
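Review bot: while the four SDK links are being retargeted to site-relative paths, normalize the link text: "JAVA" should be "Java" and "Javascript" should be "JavaScript", matching the product names used in the linked identity-readme pages.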
active-directory Pim How To Start Security Review https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/pim-how-to-start-security-review.md
Previously updated : 4/05/2021 Last updated : 4/27/2021
This article describes how to create one or more access reviews for privileged A
## Prerequisite license > [!Note] > Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles (Preview) with an Azure Active Directory Premium P2 edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and additional licenses may be required.
This article describes how to create one or more access reviews for privileged A
1. Sign in to [Azure portal](https://portal.azure.com/) with a user that is a member of the Privileged role administrator role.
-1. Select **Identity Governance**
+2. Select **Identity Governance**
-1. Select **Azure AD roles** under **Azure AD Privileged Identity Management**.
+3. Select **Azure AD roles** under **Azure AD Privileged Identity Management**.
-1. Select **Azure AD roles** again under **Manage**.
+4. Select **Azure AD roles** again under **Manage**.
-1. Under Manage, select **Access reviews**, and then select **New**.
+5. Under Manage, select **Access reviews**, and then select **New**.
![Azure AD roles - Access reviews list showing the status of all reviews](./media/pim-how-to-start-security-review/access-reviews.png)
-Click **New** to create a new access review.
+6. Click **New** to create a new access review.
-1. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.
+7. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.
![Create an access review - Review name and description](./media/pim-how-to-start-security-review/name-description.png)
-1. Set the **Start date**. By default, an access review occurs once, starts the same time it's created, and it ends in one month. You can change the start and end dates to have an access review start in the future and last however many days you want.
+8. Set the **Start date**. By default, an access review occurs once, starts the same time it's created, and it ends in one month. You can change the start and end dates to have an access review start in the future and last however many days you want.
![Start date, frequency, duration, end, number of times, and end date](./media/pim-how-to-start-security-review/start-end-dates.png)
-1. To make the access review recurring, change the **Frequency** setting from **One time** to **Weekly**, **Monthly**, **Quarterly**, **Annually**, or **Semi-annually**. Use the **Duration** slider or text box to define how many days each review of the recurring series will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews.
+9. To make the access review recurring, change the **Frequency** setting from **One time** to **Weekly**, **Monthly**, **Quarterly**, **Annually**, or **Semi-annually**. Use the **Duration** slider or text box to define how many days each review of the recurring series will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews.
-1. Use the **End** setting to specify how to end the recurring access review series. The series can end in three ways: it runs continuously to start reviews indefinitely, until a specific date, or after a defined number of occurrences has been completed. You, another User administrator, or another Global administrator can stop the series after creation by changing the date in **Settings**, so that it ends on that date.
+10. Use the **End** setting to specify how to end the recurring access review series. The series can end in three ways: it runs continuously to start reviews indefinitely, until a specific date, or after a defined number of occurrences has been completed. You, another User administrator, or another Global administrator can stop the series after creation by changing the date in **Settings**, so that it ends on that date.
-1. In the **Users Scope** section, select the scope of the review. To review users and groups with access to the Azure AD role, select **Users and Groups**, or select **(Preview) Service Principals** to review the machine accounts with access to the Azure AD role.
+11. In the **Users Scope** section, select the scope of the review. To review users and groups with access to the Azure AD role, select **Users and Groups**, or select **(Preview) Service Principals** to review the machine accounts with access to the Azure AD role.
![Users scope to review role membership of](./media/pim-how-to-start-security-review/users.png)
-1. Under **Review role membership**, select the privileged Azure AD roles to review.
+12. Under **Review role membership**, select the privileged Azure AD roles to review.
> [!NOTE] > - Roles selected here include both [permanent and eligible roles](../privileged-identity-management/pim-how-to-add-role-to-user.md).
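Review bot: switching from the "1." auto-numbering of the removed lines to explicit numbers introduces a duplicate step: step 5 already says "Under Manage, select **Access reviews**, and then select **New**", and the new step 6 repeats "Click **New** to create a new access review". Drop step 6 (or fold it into step 5) and renumber 7 to 13 accordingly; with hand-numbered steps, any later insertion in this list also has to be renumbered by hand.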
Click **New** to create a new access review.
![Review membership pane listing Azure resource roles you can select](./media/pim-how-to-start-security-review/review-membership-azure-resource-roles.png)
-1. In the **Reviewers** section, select one or more people to review all the users. Or you can select to have the members review their own access.
+13. In the **Reviewers** section, select one or more people to review all the users. Or you can select to have the members review their own access.
![Reviewers list of selected users or members (self)](./media/pim-how-to-start-security-review/reviewers.png)
Click **New** to create a new access review.
- **Approve access** - Approve user's access - **Take recommendations** - Take the system's recommendation on denying or approving the user's continued access
+1. You can send notifications to additional users or groups (Preview) to receive review completion updates. This feature allows for stakeholders other than the review creator to be updated on the progress of the review. To use this feature, select **Select User(s) or Group(s)** and add an additional user or group upon you want to receive the status of completion.
+
+ ![Upon completion settings - Add additional users to receive notifications](./media/pim-how-to-start-security-review/upon-completion-settings-additional-receivers.png)
+ ### Advanced settings 1. To specify additional settings, expand the **Advanced settings** section.
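Review bot: grammar in the added step: "add an additional user or group upon you want to receive the status of completion" does not parse; suggest "add the users or groups that should receive the completion status". The step is also numbered "1." although the earlier steps in this same change were renumbered explicitly (1 to 13), so check that it renders as step 14 rather than restarting the list.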
active-directory Pim Resource Roles Start Access Review https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/pim-resource-roles-start-access-review.md
na
ms.devlang: na Previously updated : 04/05/2021 Last updated : 04/27/2021
The need for access to privileged Azure resource roles by employees changes over
## Prerequisite license > [!Note] > Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles (Preview) with an Azure Active Directory Premium P2 edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and additional licenses may be required.
The need for access to privileged Azure resource roles by employees changes over
- **Approve access** - Approve user's access - **Take recommendations** - Take the system's recommendation on denying or approving the user's continued access
+1. You can send notifications to additional users or groups (Preview) to receive review completion updates. This feature allows for stakeholders other than the review creator to be updated on the progress of the review. To use this feature, select **Select User(s) or Group(s)** and add an additional user or group upon you want to receive the status of completion.
+
+ ![Upon completion settings - Add additional users to receive notifications](./media/pim-resource-roles-start-access-review/upon-completion-settings-additional-receivers.png)
+ ### Advanced settings 1. To specify additional settings, expand the **Advanced settings** section.
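Review bot: the same ungrammatical sentence as in the Azure AD roles article is added here: "add an additional user or group upon you want to receive the status of completion"; suggest "add the users or groups that should receive the completion status", and keep the wording identical in both articles.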
active-directory Concept All Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-all-sign-ins.md
Each JSON download consists of four different files:
## Next steps
-* [Sign-in activity report error codes](reference-sign-ins-error-codes.md)
+* [Sign-in activity report error codes](./concept-sign-ins.md)
* [Azure AD data retention policies](reference-reports-data-retention.md)
-* [Azure AD report latencies](reference-reports-latencies.md)
+* [Azure AD report latencies](reference-reports-latencies.md)
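Review bot: link text and target no longer agree: "Sign-in activity report error codes" now points at ./concept-sign-ins.md, which is the sign-ins report overview rather than an error-codes reference. If reference-sign-ins-error-codes.md has been retired, either reword the text to say what the reader will find there or link the specific error-codes anchor in that article.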
active-directory Concept Audit Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-audit-logs.md
You can also access the Microsoft 365 activity logs programmatically by using th
- [Azure AD audit activity reference](reference-audit-activities.md) - [Azure AD logs retention reference](reference-reports-data-retention.md) - [Azure AD log latencies reference](reference-reports-latencies.md)-- [Unknown actors in audit report](https://docs.microsoft.com/troubleshoot/azure/active-directory/unknown-actors-in-audit-reports)
+- [Unknown actors in audit report](/troubleshoot/azure/active-directory/unknown-actors-in-audit-reports)
active-directory Concept Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-sign-ins.md
You can also access the Microsoft 365 activity logs programmatically by using th
## Next steps
-* [Sign-in activity report error codes](reference-sign-ins-error-codes.md)
+* [Sign-in activity report error codes]()
* [Azure AD data retention policies](reference-reports-data-retention.md) * [Azure AD report latencies](reference-reports-latencies.md)
-* [First party Microsoft applications in sign-ins report](https://docs.microsoft.com/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-for-commonly-used-microsoft-applications)
+* [First party Microsoft applications in sign-ins report](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-for-commonly-used-microsoft-applications)
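Review bot: the added line "* [Sign-in activity report error codes]()" has an empty link target and will render as a broken link. The sibling change to concept-all-sign-ins.md retargets the same text to ./concept-sign-ins.md, but from within concept-sign-ins.md that would be a self-link, so either remove this bullet or point it at the error-codes anchor inside this article.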
active-directory Howto Troubleshoot Sign In Errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-troubleshoot-sign-in-errors.md
You need:
6. The failure reason describes the error. For example, in the above scenario, the failure reason is **Invalid username or password or Invalid on-premises username or password**. The fix is to simply sign-in again with the correct username and password.
-7. You can get additional information, including ideas for remediation, by searching for the error code, **50126** in this example, in the [sign-ins error codes reference](reference-sign-ins-error-codes.md).
+7. You can get additional information, including ideas for remediation, by searching for the error code, **50126** in this example, in the [sign-ins error codes reference](./concept-sign-ins.md).
8. If all else fails, or the issue persists despite taking the recommended course of action, [open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) following the steps in the **Troubleshooting and support** tab. ## Next steps
-* [Sign-ins error codes reference](reference-sign-ins-error-codes.md)
-* [Sign-ins report overview](concept-sign-ins.md)
+* [Sign-ins error codes reference](./concept-sign-ins.md)
+* [Sign-ins report overview](concept-sign-ins.md)
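Review bot: after this change both Next steps bullets resolve to the same file ("Sign-ins error codes reference" to ./concept-sign-ins.md and "Sign-ins report overview" to concept-sign-ins.md); drop one or give the first the specific error-codes anchor. The step-7 link earlier in this file has the same text/target mismatch, since it promises a reference for code 50126 but lands on the overview.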
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
Previously updated : 04/20/2021 Last updated : 04/26/2021
This article lists the Azure AD built-in roles you can assign to allow managemen
> | [Attack Payload Author](#attack-payload-author) | Can create attack payloads that an administrator can initiate later. | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f | > | [Attack Simulation Administrator](#attack-simulation-administrator) | Can create and manage all aspects of attack simulation campaigns. | c430b396-e693-46cc-96f3-db01bf8bb62a | > | [Authentication Administrator](#authentication-administrator) | Can access to view, set and reset authentication method information for any non-admin user. | c4e39bd9-1100-46d3-8c65-fb160da0071f |
-> | [Authentication Policy Administrator](#authentication-policy-administrator) | Can create and manage all aspects of authentication methods and password protection policies. | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
+> | [Authentication Policy Administrator](#authentication-policy-administrator) | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
> | [Azure AD Joined Device Local Administrator](#azure-ad-joined-device-local-administrator) | Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | 9f06204d-73c1-4d4c-880a-6edb90606fd8 | > | [Azure DevOps Administrator](#azure-devops-administrator) | Can manage Azure DevOps organization policy and settings. | e3973bdf-4987-49ae-837a-ba8e231c7286 | > | [Azure Information Protection Administrator](#azure-information-protection-administrator) | Can manage all aspects of the Azure Information Protection product. | 7495fdc4-34c4-4d15-a289-98788ce399fd |
This article lists the Azure AD built-in roles you can assign to allow managemen
> | [Intune Administrator](#intune-administrator) | Can manage all aspects of the Intune product. | 3a2c62db-5318-420d-8d74-23affee5d9d5 | > | [Kaizala Administrator](#kaizala-administrator) | Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353 | > | [Knowledge Administrator](#knowledge-administrator) | Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470 |
+> | [Knowledge Manager](#knowledge-manager) | Can organize, create, manage, and promote topics and knowledge. | 744ec460-397e-42ad-a462-8b3f9747a02c |
> | [License Administrator](#license-administrator) | Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a | > | [Message Center Privacy Reader](#message-center-privacy-reader) | Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b | > | [Message Center Reader](#message-center-reader) | Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
The [Authentication administrator](#authentication-administrator) and [Privilege
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
+> | microsoft.directory/organization/strongAuthentication/read | Read the strong authentication property for an organization |
> | microsoft.directory/organization/strongAuthentication/update | Update strong auth properties of an organization | > | microsoft.directory/userCredentialPolicies/create | Create credential policies for users | > | microsoft.directory/userCredentialPolicies/delete | Delete credential policies for users |
The [Authentication administrator](#authentication-administrator) and [Privilege
> | microsoft.directory/userCredentialPolicies/basic/update | Update basic policies for users | > | microsoft.directory/userCredentialPolicies/owners/update | Update owners of credential policies for users | > | microsoft.directory/userCredentialPolicies/tenantDefault/update | Update policy.isOrganizationDefault property |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke | Revoke a verifiable credential card |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/create | Create a verifiable credential contract |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update | Update a verifiable credential contract |
+> | microsoft.directory/verifiableCredentials/configuration/create | Create configuration required to create and manage verifiable credentials |
+> | microsoft.directory/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials |
+> | microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
+> | microsoft.directory/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials |
+> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
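Review bot: ordering in the added verifiableCredentials rows: "contracts/create" is listed before "contracts/allProperties/read", whereas the cards rows and the configuration rows keep the allProperties/read entry ahead of the write actions; reorder for consistency, and apply the same order to the identical block added under the Global Administrator section below. Note for reviewers of role scope: "configuration/delete" is documented as also deleting all verifiable credentials issued under that configuration, so Authentication Policy Administrator now carries a bulk-revocation capability that the role description at the top of the file only summarizes as "verifiable credentials".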
## Azure AD Joined Device Local Administrator
Users with this role have access to all administrative features in Azure Active
> | microsoft.directory/organization/allProperties/allTasks | Create and delete organizations, and read and update all properties | > | microsoft.directory/policies/allProperties/allTasks | Create and delete policies, and read and update all properties | > | microsoft.directory/conditionalAccessPolicies/allProperties/allTasks | Manage all properties of conditional access policies |
+> | microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks | |
> | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management | > | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs | > | microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
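Review bot: the added row "microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks | |" has an empty Description cell; every other row in this table describes the action, so supply one (for example, "Manage all properties of cross-tenant access policies", following the wording of the conditionalAccessPolicies row directly above).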
Users with this role have access to all administrative features in Azure Active
> | microsoft.directory/servicePrincipalCreationPolicies/delete | Delete service principal creation policies | > | microsoft.directory/servicePrincipalCreationPolicies/standard/read | Read standard properties of service principal creation policies | > | microsoft.directory/servicePrincipalCreationPolicies/basic/update | Update basic properties of service principal creation policies |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke | Revoke a verifiable credential card |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/create | Create a verifiable credential contract |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update | Update a verifiable credential contract |
+> | microsoft.directory/verifiableCredentials/configuration/create | Create configuration required to create and manage verifiable credentials |
+> | microsoft.directory/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials |
+> | microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
+> | microsoft.directory/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials |
> | microsoft.azure.advancedThreatProtection/allEntities/allTasks | Manage all aspects of Azure Advanced Threat Protection | > | microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection | > | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
Users with this role have access to all administrative features in Azure Active
> | microsoft.office365.complianceManager/allEntities/allTasks | Manage all aspects of Office 365 Compliance Manager | > | microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics | > | microsoft.office365.exchange/allEntities/basic/allTasks | Manage all aspects of Exchange Online |
+> | microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks | Read and update all properties of content understanding in Microsoft 365 admin center |
+> | microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read | Read analytics reports of content understanding in Microsoft 365 admin center |
+> | microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks | Read and update all properties of knowledge network in Microsoft 365 admin center |
+> | microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks | Manage topic visibility of knowledge network in Microsoft 365 admin center |
+> | microsoft.office365.knowledge/learningSources/allProperties/allTasks | Manage learning sources and all their properties in Learning App. |
> | microsoft.office365.lockbox/allEntities/allTasks | Manage all aspects of Customer Lockbox | > | microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages | > | microsoft.office365.messageCenter/securityMessages/read | Read security messages in Message Center in the Microsoft 365 admin center |
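Review bot: punctuation inconsistency in the added knowledge rows: "Manage learning sources and all their properties in Learning App." ends with a period while the other four new descriptions (and the rest of the table) do not; drop the period.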
Users in this role can read settings and administrative information across Micro
> Global reader role has a few limitations right now - > >- [OneDrive admin center](https://admin.onedrive.com/) - OneDrive admin center does not support the Global reader role
->- [M365 admin center](https://admin.microsoft.com/Adminportal/Home#/homepage) - Global reader can't read integrated apps. You won't find the **Integrated apps** tab under **Settings** in the left pane of M365 Admin Center.
+>- [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home#/homepage) - Global reader can't read integrated apps. You won't find the **Integrated apps** tab under **Settings** in the left pane of Microsoft 365 admin center.
>- [Office Security & Compliance Center](https://sip.protection.office.com/homepage) - Global reader can't read SCC audit logs, do content search, or see Secure Score. >- [Teams admin center](https://admin.teams.microsoft.com) - Global reader cannot read **Teams lifecycle**, **Analytics & reports**, **IP phone device management** and **App catalog**. >- [Privileged Access Management (PAM)](/office365/securitycompliance/privileged-access-management-overview) doesn't support the Global reader role.
Users in this role can read settings and administrative information across Micro
> | microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies | > | microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies | > | microsoft.directory/groups/hiddenMembers/read | Read hidden members of a group |
+> | microsoft.directory/organization/strongAuthentication/read | Read the strong authentication property for an organization |
> | microsoft.directory/policies/standard/read | Read basic properties on policies | > | microsoft.directory/policies/owners/read | Read owners of policies | > | microsoft.directory/policies/policyAppliedTo/read | Read policies.policyAppliedTo property |
Users in this role can read settings and administrative information across Micro
> | microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal | > | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties | > | microsoft.directory/users/strongAuthentication/read | Read the strong authentication property for users |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card |
+> | microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract |
+> | microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
> | microsoft.commerce.billing/allEntities/read | Read all resources of Office 365 billing | > | microsoft.office365.exchange/allEntities/standard/read | Read all resources of Exchange Online | > | microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
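Review bot: the three added `verifiableCredentials` rows are ordered most-specific first (cards, then contracts, then configuration), while the surrounding table is sorted by action path (see the preceding `servicePrincipals`, `signInReports`, `users` rows); reorder them to `configuration/allProperties/read`, `configuration/contracts/allProperties/read`, `configuration/contracts/cards/allProperties/read` so the table stays scannable.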
This role can create and manage all security groups. However, Intune Admin does
> | microsoft.directory/groups.security/delete | Delete Security groups with the exclusion of role-assignable groups | > | microsoft.directory/groups.security/basic/update | Update basic properties on Security groups with the exclusion of role-assignable groups | > | microsoft.directory/groups.security/classification/update | Update classification property of the Security groups with the exclusion of role-assignable groups |
-> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update dynamicMembershipRule property of the Security groups with the exclusion of role-assignable groups |
+> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update dynamic membership rule of Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/members/update | Update members of Security groups with the exclusion of role-assignable groups | > | microsoft.directory/groups.security/owners/update | Update owners of Security groups with the exclusion of role-assignable groups | > | microsoft.directory/groups.security/visibility/update | Update visibility property of the Security groups with the exclusion of role-assignable groups |
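Review bot: the reworded description for `groups.security/dynamicMembershipRule/update` now says "excluding role-assignable groups" while every neighbouring row still reads "with the exclusion of role-assignable groups"; either apply the shorter phrasing to the whole table or keep the existing wording so the rows stay consistent. It would also help readers assessing this role to note that changing a dynamic membership rule changes who is in the group, which is why it sits alongside `members/update`.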
Users in this role have full access to all knowledge, learning and intelligent f
> | microsoft.directory/groups.security/owners/update | Update owners of Security groups with the exclusion of role-assignable groups | > | microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks | Read and update all properties of content understanding in Microsoft 365 admin center | > | microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks | Read and update all properties of knowledge network in Microsoft 365 admin center |
+> | microsoft.office365.knowledge/learningSources/allProperties/allTasks | Manage learning sources and all their properties in Learning App. |
> | microsoft.office365.protectionCenter/sensitivityLabels/allProperties/read | Read all properties of sensitivity labels in the Security and Compliance centers | > | microsoft.office365.sharePoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint | > | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
+## Knowledge Manager
+
+Users in this role can create and manage content, like topics, acronyms and learning content. These users are primarily responsible for the quality and structure of knowledge. This user has full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | microsoft.directory/groups.security/create | Create Security groups with the exclusion of role-assignable groups |
+> | microsoft.directory/groups.security/createAsOwner | Create Security groups with the exclusion of role-assignable groups and creator is added as the first owner |
+> | microsoft.directory/groups.security/delete | Delete Security groups with the exclusion of role-assignable groups |
+> | microsoft.directory/groups.security/basic/update | Update basic properties on Security groups with the exclusion of role-assignable groups |
+> | microsoft.directory/groups.security/members/update | Update members of Security groups with the exclusion of role-assignable groups |
+> | microsoft.directory/groups.security/owners/update | Update owners of Security groups with the exclusion of role-assignable groups |
+> | microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read | Read analytics reports of content understanding in Microsoft 365 admin center |
+> | microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks | Manage topic visibility of knowledge network in Microsoft 365 admin center |
+> | microsoft.office365.sharePoint/allEntities/allTasks | Create and delete all resources, and read and update standard properties in SharePoint |
+> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
+> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
+ ## License Administrator Users in this role can add, remove, and update license assignments on users, groups (using group-based licensing), and manage the usage location on users. The role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users beyond the usage location. This role has no access to view, create, or manage support tickets.
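Review bot: the new Knowledge Manager section's intro describes only topic, taxonomy and content-center management, but half of its table is security-group actions (`groups.security/create`, `createAsOwner`, `delete`, `basic/update`, `members/update`, `owners/update`); add a sentence explaining why the role needs to create security groups and change their members and owners, as the Intune Administrator section above does ("This role can create and manage all security groups. However, ..."), so readers evaluating the role's reach are not surprised. Also, in the Knowledge Administrator rows just above, the added `learningSources` description ends with a period unlike the other rows.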
Windows Defender ATP and EDR | Assign roles<br>Manage machine groups<br>Configur
> | microsoft.directory/conditionalAccessPolicies/basic/update | Update basic properties for conditional access policies | > | microsoft.directory/conditionalAccessPolicies/owners/update | Update owners for conditional access policies | > | microsoft.directory/conditionalAccessPolicies/tenantDefault/update | Update the default tenant for conditional access policies |
+> | microsoft.directory/crossTenantAccessPolicies/create | Create cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/delete | Delete cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/standard/read | Read basic properties of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/owners/read | Read owners of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/policyAppliedTo/read | Read the policyAppliedTo property of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/basic/update | Update basic properties of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/owners/update | Update owners of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/tenantDefault/update | Update the default tenant for cross-tenant access policies |
> | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management | > | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs | > | microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
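Review bot: the eight added `crossTenantAccessPolicies` rows give this role create, delete and update rights over cross-tenant access policies, which control inbound and outbound B2B collaboration trust with other tenants, yet the section's description (the context line above still lists Defender ATP and EDR tasks) is not updated to mention it; add cross-tenant access policy management to the role description so the widened scope is visible to anyone reviewing who holds this role.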
active-directory 4Me Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/4me-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to 4me Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the 4me tile in the My Apps, this will redirect to 4me Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the 4me tile in the My Apps, this will redirect to 4me Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure 4me you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure 4me you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
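Review bot: the `+` line still carries `ΓÇÖ` in "organizationΓÇÖs", which is the Windows-1252 rendering of a UTF-8 right single quotation mark; if the source file, and not only this diff view, contains those bytes, replace them with a plain apostrophe while touching the line (the same applies to the identical Next steps hunks in the other tutorials below). The sentence also says session control "protects exfiltration and infiltration" where it means protects against them.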
active-directory Adglobalview Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/adglobalview-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the ADP Globalview (Deprecated) for which you set up the SSO
-* You can use Microsoft My Apps. When you click the ADP Globalview (Deprecated) tile in the My Apps, you should be automatically signed in to the ADP Globalview (Deprecated) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the ADP Globalview (Deprecated) tile in the My Apps, you should be automatically signed in to the ADP Globalview (Deprecated) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure ADP Globalview (Deprecated) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure ADP Globalview (Deprecated) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Adobecaptivateprime Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/adobecaptivateprime-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Adobe Captivate Prime for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Adobe Captivate Prime tile in the My Apps, you should be automatically signed in to the Adobe Captivate Prime for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Adobe Captivate Prime tile in the My Apps, you should be automatically signed in to the Adobe Captivate Prime for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Adobe Captivate Prime you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Adobe Captivate Prime you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Anaplan Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/anaplan-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Anaplan Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Anaplan tile in the My Apps, this will redirect to Anaplan Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Anaplan tile in the My Apps, this will redirect to Anaplan Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Anaplan you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Anaplan you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Andfrankly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/andfrankly-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the &frankly for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the &frankly tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the &frankly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the &frankly tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the &frankly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure &frankly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure &frankly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Beeline Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/beeline-tutorial.md
To configure Azure AD single sign-on with Beeline, perform the following steps:
``` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Beeline Client support team](https://www.beeline.com/support-beeline/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Beeline Client support team](https://www.beeline.com/contact-support/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-5. The Beeline application expects the SAML assertions in a specific format. Please work with [Beeline support team](https://www.beeline.com/support-beeline/) first to identify the correct user identifier which will be mapped into the application. Also please take the guidance from [Beeline support team](https://www.beeline.com/support-beeline/) about the attribute which they want to use for this mapping. You can manage the value of this attribute from the **User Attributes** tab of the application. The following screenshot shows an example for this. Here we have mapped the **User Identifier** claim with the **userprincipalname** attribute, which provides unique user ID, which will be sent to the Beeline application in every successful SAML response.
+5. The Beeline application expects the SAML assertions in a specific format. Please work with [Beeline support team](https://www.beeline.com/contact-support/) first to identify the correct user identifier which will be mapped into the application. Also please take the guidance from [Beeline support team](https://www.beeline.com/contact-support/) about the attribute which they want to use for this mapping. You can manage the value of this attribute from the **User Attributes** tab of the application. The following screenshot shows an example for this. Here we have mapped the **User Identifier** claim with the **userprincipalname** attribute, which provides unique user ID, which will be sent to the Beeline application in every successful SAML response.
![image](common/edit-attribute.png)
To configure Azure AD single sign-on with Beeline, perform the following steps:
### Configure Beeline Single Sign-On
-To configure single sign-on on **Beeline** side, you need to send the downloaded **Federation Metadata XML** and the User Access URL from the Azure portal properties to [Beeline support team](https://www.beeline.com/support-beeline/). They require the metadata and User Access URL so that the SAML SSO connection is configured properly on both sides.
+To configure single sign-on on **Beeline** side, you need to send the downloaded **Federation Metadata XML** and the User Access URL from the Azure portal properties to [Beeline support team](https://www.beeline.com/contact-support/). They require the metadata and User Access URL so that the SAML SSO connection is configured properly on both sides.
### Create an Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting
### Create Beeline test user
-In this section, you will create a user, Britta Simon, in Beeline. The Beeline application needs all users to be provisioned in the application before doing Single Sign On. So work with the [Beeline support team](https://www.beeline.com/support-beeline/) to provision all these users into the application.
+In this section, you will create a user, Britta Simon, in Beeline. The Beeline application needs all users to be provisioned in the application before doing Single Sign On. So work with the [Beeline support team](https://www.beeline.com/contact-support/) to provision all these users into the application.
### Test single sign-on
When you click the Beeline tile in the Access Panel, you should be automatically
- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) -- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
active-directory Bentley Automatic User Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bentley-automatic-user-provisioning-tutorial.md
# Tutorial: Configure Bentley - Automatic User Provisioning for automatic user provisioning
-This tutorial describes the steps you need to perform in both Bentley - Automatic User Provisioning and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Bentley - Automatic User Provisioning](https://www.bentley.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Bentley - Automatic User Provisioning and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Bentley - Automatic User Provisioning](https://www.bentley.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities supported
This tutorial describes the steps you need to perform in both Bentley - Automati
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A Federated account with Bentley IMS. ## Step 1. Plan your provisioning deployment
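Review bot: in the retargeted permission bullet, "Cloud Application administrator" is capitalized differently from the other role names in the same parenthesis; use "Cloud Application Administrator". Since the link now points at the roles permissions reference, it is also worth saying that any one of the listed roles is sufficient, so readers configuring provisioning can pick the least-privileged one instead of defaulting to Global Administrator.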
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Bentley - Automatic User Provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Bentley - Automatic User Provisioning](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Bentley - Automatic User Provisioning to support provisioning with Azure AD
Reach out to the Bentley User Provisioning [support](https://communities.bentley
## Step 3. Add Bentley - Automatic User Provisioning from the Azure AD application gallery
-Add Bentley - Automatic User Provisioning from the Azure AD application gallery to start managing provisioning to Bentley - Automatic User Provisioning. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Bentley - Automatic User Provisioning from the Azure AD application gallery to start managing provisioning to Bentley - Automatic User Provisioning. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Bentley - Automatic User Provisioning, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to Bentley - Automatic User Provisioning, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to Bentley - Automatic User Provisioning
This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Bentley - Automatic User Provisioning**.
-9. Review the user attributes that are synchronized from Azure AD to Bentley - Automatic User Provisioning in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Bentley - Automatic User Provisioning for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Bentley - Automatic User Provisioning API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Bentley - Automatic User Provisioning in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Bentley - Automatic User Provisioning for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Bentley - Automatic User Provisioning API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for Filtering| ||||
This section guides you through the steps to configure the Azure AD provisioning
|members|Reference| |urn:ietf:params:scim:schemas:extension:Bentley:2.0:Group:description|String|
-12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
13. To enable the Azure AD provisioning service for Bentley - Automatic User Provisioning, change the **Provisioning Status** to **On** in the **Settings** section.
This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Connector limitations * The enterprise extension attribute "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager" is not supported and will be removed. ## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
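Review bot: in item 3 of the Step 6 list, `Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md)` keeps "here" as the link text; since the line is being rewritten anyway, make the link text descriptive, e.g. `Learn more about [quarantine states](../app-provisioning/application-provisioning-quarantine-status.md).` Items 1 and 2 of the same list end without a period while item 3 has one; make the three consistent.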
active-directory Boxcryptor Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/boxcryptor-provisioning-tutorial.md
# Tutorial: Configure Boxcryptor for automatic user provisioning
-This tutorial describes the steps you need to perform in both Boxcryptor and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Boxcryptor](https://www.boxcryptor.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Boxcryptor and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Boxcryptor](https://www.boxcryptor.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
This tutorial describes the steps you need to perform in both Boxcryptor and Azu
> * Remove users in Boxcryptor when they do not require access anymore > * Keep user attributes synchronized between Azure AD and Boxcryptor > * Provision groups and group memberships in Boxcryptor
-> * [Single sign-on](https://docs.microsoft.com/azure/active-directory/saas-apps/boxcryptor-tutorial) to Boxcryptor (recommended)
+> * [Single sign-on](./boxcryptor-tutorial.md) to Boxcryptor (recommended)
## Prerequisites The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* Boxcryptor Single sign-on enabled [subscription](https://www.boxcryptor.com/pricing/for-teams). ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Boxcryptor](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Boxcryptor](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Boxcryptor to support provisioning with Azure AD To configure provisioning on Boxcryptor, reach out to your Boxcryptor account manager or the [Boxcryptor support team](mailto:support@boxcryptor.com) who will enable provisioning on Boxcryptor and reach out to you with your Boxcryptor Tenant URL and Secret Token. These values will be entered in the **Tenant URL** and **Secret Token** field in the Provisioning tab of your Boxcryptor application in the Azure portal. ## Step 3. Add Boxcryptor from the Azure AD application gallery
-Add Boxcryptor from the Azure AD application gallery to start managing provisioning to Boxcryptor. If you have previously setup Boxcryptor for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Boxcryptor from the Azure AD application gallery to start managing provisioning to Boxcryptor. If you have previously setup Boxcryptor for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Boxcryptor, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to Boxcryptor, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to Boxcryptor
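Review bot: the prerequisites bullet changes the `[permission]` link target, not just its form: the old URL pointed at `users-groups-roles/directory-assign-admin-roles`, the new one at `../roles/permissions-reference.md`, which is a different article; confirm that is the intended destination for a reader who needs to know which roles can configure provisioning (the bullet lists Application Administrator, Cloud Application administrator, Application Owner and Global Administrator; `Cloud Application administrator` should also be capitalised like the other role names). While these lines are touched, fix `previously setup Boxcryptor` to `previously set up Boxcryptor`, add the comma in `However, it is recommended`, and change `based on assignment to the application and or based on attributes` to `and/or`.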
This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Boxcryptor**.
-9. Review the user attributes that are synchronized from Azure AD to Boxcryptor in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Boxcryptor for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Boxcryptor API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Boxcryptor in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Boxcryptor for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Boxcryptor API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for Filtering| ||||
This section guides you through the steps to configure the Azure AD provisioning
|externalId|String| |members|Reference|
-12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
13. To enable the Azure AD provisioning service for Boxcryptor, change the **Provisioning Status** to **On** in the **Settings** section.
This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
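Review bot: item 3 of the Step 6 list keeps `[here]` as link text; use descriptive text such as `Learn more about [quarantine states](../app-provisioning/application-provisioning-quarantine-status.md).` and end items 1 and 2 with a period like item 3.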
active-directory Brightspace Desire2learn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/brightspace-desire2learn-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Brightspace by Desire2Learn for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Brightspace by Desire2Learn tile in the My Apps, you should be automatically signed in to the Brightspace by Desire2Learn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Brightspace by Desire2Learn tile in the My Apps, you should be automatically signed in to the Brightspace by Desire2Learn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Brightspace by Desire2Learn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Brightspace by Desire2Learn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
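Review bot: `organizationΓÇÖs` in the rewritten Next steps line is a mis-encoded right single quotation mark (U+2019 decoded under the wrong code page); since the line is touched, replace it with a plain `'` so the rendered text reads `organization's`. Also `protects exfiltration and infiltration of your organization's sensitive data` says the opposite of what is meant; `protects against exfiltration and infiltration` is the intended sense. Only the link form changes here (absolute URL to root-relative `/cloud-app-security/proxy-deployment-any-app`), which is fine.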
active-directory Browserstack Single Sign On Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/browserstack-single-sign-on-provisioning-tutorial.md
# Tutorial: Configure BrowserStack Single Sign-on for automatic user provisioning
-This tutorial describes the steps you need to perform in both BrowserStack Single Sign-on and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [BrowserStack Single Sign-on](https://www.browserstack.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both BrowserStack Single Sign-on and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [BrowserStack Single Sign-on](https://www.browserstack.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities supported
This tutorial describes the steps you need to perform in both BrowserStack Singl
> * Create users in BrowserStack Single Sign-on > * Remove users in BrowserStack Single Sign-on when they do not require access anymore > * Keep user attributes synchronized between Azure AD and BrowserStack Single Sign-on
-> * [Single sign-on](https://docs.microsoft.com/azure/active-directory/saas-apps/browserstack-single-sign-on-tutorial) to BrowserStack Single Sign-on (recommended)
+> * [Single sign-on](./browserstack-single-sign-on-tutorial.md) to BrowserStack Single Sign-on (recommended)
## Prerequisites The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A user account in BrowserStack with **Owner** permissions. * An [Enterprise plan](https://www.browserstack.com/pricing) with BrowserStack. * [Single Sign-on](https://www.browserstack.com/docs/enterprise/single-sign-on/azure-ad) integration with BrowserStack (mandatory). ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and BrowserStack Single Sign-on](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and BrowserStack Single Sign-on](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure BrowserStack Single Sign-on to support provisioning with Azure AD
The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add BrowserStack Single Sign-on from the Azure AD application gallery
-Add BrowserStack Single Sign-on from the Azure AD application gallery to start managing provisioning to BrowserStack Single Sign-on. If you have previously setup BrowserStack Single Sign-on for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add BrowserStack Single Sign-on from the Azure AD application gallery to start managing provisioning to BrowserStack Single Sign-on. If you have previously setup BrowserStack Single Sign-on for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users to BrowserStack Single Sign-on, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users to BrowserStack Single Sign-on, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to BrowserStack Single Sign-on
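Review bot: three wording slips survive in the rewritten lines of Steps 3 and 4: `previously setup BrowserStack Single Sign-on` should read `previously set up`, `based on assignment to the application and or based on attributes of the user` should use `and/or`, and `attribute based scoping filter` should be hyphenated as `attribute-based`. Also add the comma in `However, it is recommended`.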
This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to BrowserStack Single Sign-on**.
-9. Review the user attributes that are synchronized from Azure AD to BrowserStack Single Sign-on in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in BrowserStack Single Sign-on for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the BrowserStack Single Sign-on API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to BrowserStack Single Sign-on in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in BrowserStack Single Sign-on for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the BrowserStack Single Sign-on API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for Filtering| |||--|
This section guides you through the steps to configure the Azure AD provisioning
|urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_product|String|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for BrowserStack Single Sign-on, change the **Provisioning Status** to **On** in the **Settings** section.
This operation starts the initial synchronization cycle of all users defined in
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment: -- Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully-- Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion-- If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+- Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+- Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+- If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Connector limitations
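Review bot: the rewritten Step 6 list uses `-` bullets, while the Bentley and Boxcryptor tutorials updated in this same change use a numbered list (`1.`, `2.`, `3.`) for the identical three items; pick one style for all three files. The third item still uses `[here]` as link text; prefer `Learn more about [quarantine states](../app-provisioning/application-provisioning-quarantine-status.md).`, and give the first two items the terminal period the third has.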
Once you've configured provisioning, use the following resources to monitor your
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) * [Configuring attribute-mappings in BrowserStack Single Sign-on](https://www.browserstack.com/docs/enterprise/auto-user-provisioning/azure-ad) * [Setup and enable auto user provisioning in BrowserStack](https://www.browserstack.com/docs/enterprise/auto-user-provisioning/azure-ad#setup-and-enable-auto-user-provisioning) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Cerby Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cerby-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Cerby Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Cerby tile in the My Apps, this will redirect to Cerby Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Cerby tile in the My Apps, this will redirect to Cerby Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Cerby you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Cerby you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
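Review bot: same mis-encoded apostrophe in `organizationΓÇÖs` in the rewritten line; replace it with `organization's`, and change `protects exfiltration and infiltration` to `protects against exfiltration and infiltration`. In the My Apps bullet, `this will redirect to Cerby Sign-on URL` reads better as `you are redirected to the Cerby Sign-on URL`. Dropping the removed line that contained only `-` is correct; it was a stray separator.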
active-directory Check Point Identity Awareness Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/check-point-identity-awareness-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Check Point Identity Awareness Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Check Point Identity Awareness tile in the My Apps, this will redirect to Check Point Identity Awareness Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Check Point Identity Awareness tile in the My Apps, this will redirect to Check Point Identity Awareness Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Check Point Identity Awareness you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Check Point Identity Awareness you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Chromeriver Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/chromeriver-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Chromeriver for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Chromeriver tile in the My Apps, you should be automatically signed in to the Chromeriver for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Chromeriver tile in the My Apps, you should be automatically signed in to the Chromeriver for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Chromeriver you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Chromeriver you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Cisco Intersight Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cisco-intersight-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Cisco Intersight Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Cisco Intersight tile in the My Apps, this will redirect to Cisco Intersight Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Cisco Intersight tile in the My Apps, this will redirect to Cisco Intersight Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Cisco Intersight you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Cisco Intersight you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Ciscocloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ciscocloud-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Cisco Cloud for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Cisco Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Cisco Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Cisco Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Cisco Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Cisco Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Cisco Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
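Review bot: the rewritten My Apps paragraph is one run-on conditional ("if configured in SP mode you would be redirected ... and if configured in IDP mode, you should be automatically signed in ..."); split it into two sentences, one per mode, and since the step before it is a bulleted item, consider making this one a bullet too so it matches the "* You can use Microsoft My Apps." form used by the other tutorials in this change set.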
active-directory Clarizen Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clarizen-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Clarizen One for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Clarizen One tile in the My Apps, you should be automatically signed in to the Clarizen One for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Clarizen One tile in the My Apps, you should be automatically signed in to the Clarizen One for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Clarizen One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Clarizen One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Clickup Productivity Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clickup-productivity-platform-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to ClickUp Productivity Platform Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the ClickUp Productivity Platform tile in the My Apps, this will redirect to ClickUp Productivity Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the ClickUp Productivity Platform tile in the My Apps, this will redirect to ClickUp Productivity Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure ClickUp Productivity Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure ClickUp Productivity Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Codility Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/codility-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Codility for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Codility tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Codility for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Codility tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Codility for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Codility you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Codility you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Cylanceprotect Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cylanceprotect-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the CylancePROTECT for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the CylancePROTECT tile in the My Apps, you should be automatically signed in to the CylancePROTECT for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the CylancePROTECT tile in the My Apps, you should be automatically signed in to the CylancePROTECT for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure CylancePROTECT you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure CylancePROTECT you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Desknets Neo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/desknets-neo-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to desknet's NEO Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the desknet's NEO tile in the My Apps, this will redirect to desknet's NEO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the desknet's NEO tile in the My Apps, this will redirect to desknet's NEO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure desknet's NEO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure desknet's NEO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Dropboxforbusiness Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dropboxforbusiness-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
b. In the **Identifier (Entity ID)** text box, type the value: `Dropbox`
+ c. In the **Reply URL** field, enter `https://www.dropbox.com/saml_login`
> [!NOTE] > The **Dropbox Sign SSO ID** can be found in the Dropbox site at Dropbox > Admin console > Settings > Single sign-on > SSO sign-in URL.
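Review bot: the new step c adds the Reply URL `https://www.dropbox.com/saml_login` but, unlike step b for the Identifier, does not say the value is fixed and must be entered exactly; the Reply URL is the endpoint Azure AD posts the SAML response to, so a typo here sends assertions to the wrong place and the later sign-on test fails with no obvious cause. Suggest mirroring step b: "In the **Reply URL** text box, type the value: `https://www.dropbox.com/saml_login`". Also confirm the **Dropbox Sign SSO ID** note that now follows step c is still attached to the right field, since the insertion moved it away from the Identifier step.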
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure Dropbox Business you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Dropbox Business you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
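Review bot: the `-` and `+` lines under Next steps are identical as shown, so this hunk records no visible content change (most likely trailing whitespace or a line-ending difference); either drop it so the diff contains only the intended link fixes, or say in the commit message what the invisible change is.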
active-directory Dynatrace Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dynatrace-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Dynatrace for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Dynatrace tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Dynatrace for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Dynatrace tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Dynatrace for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Dynatrace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Dynatrace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Eab Navigate Impl Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/eab-navigate-impl-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to EAB Implementation Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the EAB Implementation tile in the My Apps, this will redirect to EAB Implementation Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the EAB Implementation tile in the My Apps, this will redirect to EAB Implementation Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure EAB Implementation you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure EAB Implementation you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
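Review bot: as with the Dropbox Business tutorial above, the removed and added Next steps lines here are textually identical, so the hunk is pure whitespace or line-ending noise; confirm that is intended or leave the line untouched.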
active-directory Eab Navigate Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/eab-navigate-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to EAB Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the EAB tile in the My Apps, this will redirect to EAB Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the EAB tile in the My Apps, this will redirect to EAB Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Egnyte Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/egnyte-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Egnyte Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Egnyte tile in the My Apps, this will redirect to Egnyte Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Egnyte tile in the My Apps, this will redirect to Egnyte Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Egnyte you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Egnyte you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Egress Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/egress-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Egress for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Egress tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Egress for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Egress tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Egress for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Egress you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Egress you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Eletive Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/eletive-provisioning-tutorial.md
# Tutorial: Configure Eletive for automatic user provisioning
-This tutorial describes the steps you need to perform in both Eletive and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Eletive](https://app.eletive.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Eletive and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Eletive](https://app.eletive.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
This tutorial describes the steps you need to perform in both Eletive and Azure
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A user account in Eletive with administration access. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Eletive](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Eletive](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Eletive to support provisioning with Azure AD
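Review bot: in the rewritten prerequisite bullet, the permission link now targets `../roles/permissions-reference.md`, a reference page, whereas the old target (`directory-assign-admin-roles`) was the how-to for assigning roles; confirm the new page still tells readers how to grant the role, or link the assignment how-to alongside it. The example role list also ends with Global Administrator; since configuring provisioning needs only an application-scoped role, flag Global Administrator as the over-privileged option or drop it so readers are steered to the least-privileged choice, and capitalize "Cloud Application Administrator" consistently with the other role names.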
The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add Eletive from the Azure AD application gallery
-Add Eletive from the Azure AD application gallery to start managing provisioning to Eletive. If you have previously setup Eletive for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Eletive from the Azure AD application gallery to start managing provisioning to Eletive. If you have previously setup Eletive for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Eletive, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add roles.
+* When assigning users and groups to Eletive, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control the scope by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control the scope by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to Eletive
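Review bot: while these lines are being rewritten, fix the wording carried unchanged into the `+` lines: in Step 3, "previously setup Eletive" should be "previously set up Eletive" and "However it is recommended" needs a comma after "However"; in Step 4, "based on assignment to the application and or based on attributes of the user / group" should read "and/or based on attributes of the user or group", and "attribute based scoping filter" should be hyphenated as "attribute-based". The Default Access bullet is worth keeping as is: it is the one place that explains why assigned users silently show as not effectively entitled in the provisioning logs.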
This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Eletive**.
-9. Review the user attributes that are synchronized from Azure AD to Eletive in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Eletive for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Eletive API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Eletive in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Eletive for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Eletive API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for Filtering|
|---|---|---|
This section guides you through the steps to configure the Azure AD provisioning
|userType|String||
|urn:ietf:params:scim:schemas:extension:eletive:2.0:User:participateInSurvey|String||
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for Eletive, change the **Provisioning Status** to **On** in the **Settings** section.
This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment
Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
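Review bot: list items 1 and 2 of this hunk end without a period while item 3 has one, and item 3 still uses the non-descriptive link text "here"; since all three lines are rewritten, make the punctuation consistent and give the quarantine link a descriptive label (for example the target page's title). The path changes themselves (reports-monitoring and app-provisioning) match the targets used elsewhere in this commit.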
## More resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Envoy Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/envoy-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Envoy Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Envoy tile in the My Apps, this will redirect to Envoy Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Envoy tile in the My Apps, this will redirect to Envoy Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
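Review bot: the link text "Introduction to the My Apps" no longer matches the new target (`../user-help/my-apps-portal-end-user-access.md`), which is a different article from the retired access-panel introduction the old URL pointed at; update the label to the new article's title so readers are not misled. The same retargeting is repeated verbatim in the Exium, FCM HUB, Five9, Form.com, Fortes Change Cloud, Gigya, GitHub Enterprise Managed User, Grammarly, Greenhouse, Holmes and IDC hunks below, so the fix should be applied across all of them.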
## Next steps
-Once you configure Envoy you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Envoy you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
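Review bot: the mis-encoded apostrophe ("organizationΓÇÖs") is carried unchanged into the added line; while this sentence is being rewritten, replace it with a plain apostrophe, and reword "protects exfiltration and infiltration" to "protects against exfiltration and infiltration", which is what session control does. This boilerplate sentence recurs in the Equinix, Exium, FCM HUB, Five9, Form.com, Gigya, GitHub Enterprise Managed User, Grammarly, Holmes and IDC hunks below and needs the same two fixes there.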
active-directory Equinix Federation App Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/equinix-federation-app-tutorial.md
Go to Equinix Federation App Sign-on URL directly, and initiate the login flow f
## Next steps
-Once you configure Equinix Federation App you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Equinix Federation App you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Exium Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/exium-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Exium Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Exium tile in the My Apps, this will redirect to Exium Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Exium tile in the My Apps, this will redirect to Exium Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Exium you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Exium you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Fcm Hub Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fcm-hub-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the FCM HUB for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the FCM HUB tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the FCM HUB for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the FCM HUB tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the FCM HUB for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure FCM HUB you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure FCM HUB you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Five9 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/five9-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Five9 Plus Adapter (CTI, Contact Center Agents) for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Five9 Plus Adapter (CTI, Contact Center Agents) tile in the My Apps, you should be automatically signed in to the Five9 Plus Adapter (CTI, Contact Center Agents) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Five9 Plus Adapter (CTI, Contact Center Agents) tile in the My Apps, you should be automatically signed in to the Five9 Plus Adapter (CTI, Contact Center Agents) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Five9 Plus Adapter (CTI, Contact Center Agents) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Five9 Plus Adapter (CTI, Contact Center Agents) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Formcom Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/formcom-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Form.com Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Form.com tile in the My Apps, this will redirect to Form.com Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Form.com tile in the My Apps, this will redirect to Form.com Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Form.com you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Form.com you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Fortes Change Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fortes-change-cloud-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Fortes Change Cloud for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Fortes Change Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Fortes Change Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Fortes Change Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Fortes Change Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory G Suite Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/g-suite-provisioning-tutorial.md
Once you've configured provisioning, use the following resources to monitor your
* 10/17/2020 - Added support for additional G Suite user and group attributes.
* 10/17/2020 - Updated G Suite target attribute names to match what is defined [here](https://developers.google.com/admin-sdk/directory).
* 10/17/2020 - Updated default attribute mappings.
-* 03/18/2021 - Manager email is now synchronized instead of ID for all new users. For any existing users that were provisioned with a manager as an ID, you can do a restart through [Microsoft Graph](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http&preserve-view=true) with scope "full" to ensure that the email is provisioned. This change only impacts the GSuite provisioning job and not the older provisioning job beginning with Goov2OutDelta. Note, the manager email is provisioned when the user is first created or when the manager changes. The manager email is not provisioned if the manager changes their email address.
+* 03/18/2021 - Manager email is now synchronized instead of ID for all new users. For any existing users that were provisioned with a manager as an ID, you can do a restart through [Microsoft Graph](/graph/api/synchronization-synchronizationjob-restart?preserve-view=true&tabs=http&view=graph-rest-beta) with scope "full" to ensure that the email is provisioned. This change only impacts the GSuite provisioning job and not the older provisioning job beginning with Goov2OutDelta. Note, the manager email is provisioned when the user is first created or when the manager changes. The manager email is not provisioned if the manager changes their email address.
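Review bot: the product name is spelled both "GSuite" and "G Suite" within this change-log entry; settle on one. The last two sentences are the operationally important caveat (manager email is only written at user creation or on a manager change, not when the manager's own address changes), so consider splitting them out as a note rather than leaving them at the tail of a long bullet. The reordered query string on the Graph link is harmless but confirm `preserve-view=true` still resolves to the beta reference as intended.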
## Additional resources
Once you've configured provisioning, use the following resources to monitor your
## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
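Review bot: the removed and added lines in this hunk are textually identical, so the change is invisible in the rendered diff (most likely trailing whitespace or a line-ending change); confirm it is intentional, or drop it to keep the commit focused on link rewrites. The Grammarly provisioning tutorial below has the same no-op hunk on its "Next steps" line.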
active-directory Gigya Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/gigya-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Gigya Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Gigya tile in the My Apps, this will redirect to Gigya Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Gigya tile in the My Apps, this will redirect to Gigya Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Gigya you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Gigya you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Github Enterprise Managed User Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-enterprise-managed-user-tutorial.md
In this tutorial, you configure and test Azure AD SSO in a test environment.
* GitHub Enterprise Managed User supports **SP and IDP** initiated SSO.
* GitHub Enterprise Managed User supports **Just In Time** user provisioning.
-* GitHub Enterprise Managed User supports [**Automated** user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial).
+* GitHub Enterprise Managed User supports [**Automated** user provisioning](./github-enterprise-managed-user-provisioning-tutorial.md).
## Adding GitHub Enterprise Managed User from the gallery
To configure single sign-on on **GitHub Enterprise Managed User** side, you need
In this section, a user called B.Simon is created in GitHub Enterprise Managed User. GitHub Enterprise Managed User supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in GitHub Enterprise Managed User, a new one is created when you attempt to access GitHub Enterprise Managed User.
-GitHub Enterprise Managed User also supports automatic user provisioning, you can find more details [here](https://docs.microsoft.com/azure/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial) on how to configure automatic user provisioning.
+GitHub Enterprise Managed User also supports automatic user provisioning, you can find more details [here](./github-enterprise-managed-user-provisioning-tutorial.md) on how to configure automatic user provisioning.
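Review bot: the added line keeps a comma splice ("...supports automatic user provisioning, you can find more details here...") and the bare link text "here"; split it into two sentences and label the link with the provisioning tutorial's title. Otherwise the switch to the sibling-relative path `./github-enterprise-managed-user-provisioning-tutorial.md` matches the earlier hunk in this file.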
## Test SSO
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the GitHub Enterprise Managed User for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the GitHub Enterprise Managed User tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GitHub Enterprise Managed User for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the GitHub Enterprise Managed User tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GitHub Enterprise Managed User for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure GitHub Enterprise Managed User you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure GitHub Enterprise Managed User you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Grammarly Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/grammarly-provisioning-tutorial.md
# Tutorial: Configure Grammarly for automatic user provisioning
-This tutorial describes the steps you need to perform in both Grammarly and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Grammarly](https://www.grammarly.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Grammarly and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Grammarly](https://www.grammarly.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
This tutorial describes the steps you need to perform in both Grammarly and Azur
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
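Review bot: the second bullet's link target changes meaning, not just form: the old URL pointed at the guide for assigning administrator roles, the new `../roles/permissions-reference.md` is the role permissions reference, so verify that "permission" is still the right link text for what the reader will land on. Also "Cloud Application administrator" is capitalized inconsistently with "Application Administrator" and "Global Administrator" in the same parenthetical.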
* A Grammarly Business account with admin access.
## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-1. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-1. Determine what data to [map between Azure AD and Grammarly](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Grammarly](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Grammarly to support provisioning with Azure AD
After you've configured provisioning, use the following resources to monitor you
## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Grammarly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/grammarly-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Grammarly for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Grammarly tile in the My Apps, you should be automatically signed in to the Grammarly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Grammarly tile in the My Apps, you should be automatically signed in to the Grammarly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Grammarly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Grammarly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Greenhouse Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/greenhouse-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Greenhouse for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Greenhouse tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Greenhouse for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Greenhouse tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Greenhouse for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
active-directory Holmes Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/holmes-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Holmes for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Holmes tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Holmes for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Holmes tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Holmes for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Holmes you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Holmes you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Idc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/idc-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the IDC for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the IDC tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the IDC for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the IDC tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the IDC for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
- Once you configure IDC you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+ Once you configure IDC you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Infor Cloudsuite Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/infor-cloudsuite-provisioning-tutorial.md
The objective of this tutorial is to demonstrate the steps to be performed in In
The scenario outlined in this tutorial assumes that you already have the following prerequisites: * An Azure AD tenant
-* [A Infor CloudSuite tenant](https://www.infor.com/products/infor-os)
+* [A Infor CloudSuite tenant](https://www.infor.com/products)
* A user account in Infor CloudSuite with Admin permissions. ## Assigning users to Infor CloudSuite
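Review bot: The new link target `https://www.infor.com/products` is less specific than the old `https://www.infor.com/products/infor-os`; confirm the generic products page still leads readers to Infor CloudSuite, or link to the CloudSuite page directly. While touching this line, "A Infor CloudSuite tenant" should be "An Infor CloudSuite tenant".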
For more information on how to read the Azure AD provisioning logs, see [Reporti
## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
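Review bot: The `-` and `+` lines in this hunk are character-for-character identical as rendered, so the change must be whitespace or line-ending only; confirm that was intended and that no other edit to the "Next steps" list was lost.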
active-directory Iqnavigatorvms Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iqnavigatorvms-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<subdomain>.iqnavigator.com` > [!NOTE]
- > These values are not real. Update these values with the actual Reply URL and Relay State. Contact [IQNavigator VMS Client support team](https://www.beeline.com/support-iqn/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL and Relay State. Contact [IQNavigator VMS Client support team](https://www.beeline.com/contact-support/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. IQNavigator application expect the Unique User Identifier value in the Name Identifier claim. Customer can map the correct value for the Name Identifier claim. In this case we have mapped the user.UserPrincipalName for the demo purpose. But according to your organization settings you should map the correct value for it.
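Review bot: The support link changes from `https://www.beeline.com/support-iqn/` to `https://www.beeline.com/contact-support/`; confirm the new page still routes IQNavigator VMS customers to the right team, since the note tells readers to obtain the Reply URL and Relay State from it. The following context line also needs a grammar pass ("IQNavigator application expect" should be "The IQNavigator application expects"; "Customer can map" should be "Customers can map"), and it should state that the Name Identifier value must be unique and stable for each user, since it is what the application uses to identify the account.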
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure IQNavigator VMS SSO
-To configure single sign-on on **IQNavigator VMS** side, you need to send the **App Federation Metadata Url** to [IQNavigator VMS support team](https://www.beeline.com/support-iqn/). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **IQNavigator VMS** side, you need to send the **App Federation Metadata Url** to [IQNavigator VMS support team](https://www.beeline.com/contact-support/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create IQNavigator VMS test user
-In this section, you create a user called Britta Simon in IQNavigator VMS. Work with [IQNavigator VMS support team](https://www.beeline.com/support-iqn/) to add the users in the IQNavigator VMS platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon in IQNavigator VMS. Work with [IQNavigator VMS support team](https://www.beeline.com/contact-support/) to add the users in the IQNavigator VMS platform. Users must be created and activated before you use single sign-on.
## Test SSO
When you click the IQNavigator VMS tile in the Access Panel, you should be autom
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try IQNavigator VMS with Azure AD](https://aad.portal.azure.com/)
+- [Try IQNavigator VMS with Azure AD](https://aad.portal.azure.com/)
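Review bot: As rendered, the `-` line contains both the "What is conditional access in Azure Active Directory?" link and the "Try IQNavigator VMS with Azure AD" link, while the `+` line keeps only the second; confirm whether dropping the Conditional Access link is intentional, since the tutorial's "Next steps" elsewhere rely on Conditional Access for session control.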
active-directory Jostle Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jostle-provisioning-tutorial.md
# Tutorial: Configure Jostle for automatic user provisioning
-This tutorial describes the steps you need to perform in both Jostle and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Jostle](https://www.jostle.me/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Jostle and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Jostle](https://www.jostle.me/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
The next step is to obtain the **API URL** and **API key** from Jostle:
1. Next, youΓÇÖll use the **API URL** and **API key** to configure the integration in Azure. ## Step 3. Add Jostle from the Azure AD application gallery
-Add Jostle from the Azure AD application gallery to start managing provisioning to Jostle. If you have previously setup Jostle for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-gallery-app.md).
+Add Jostle from the Azure AD application gallery to start managing provisioning to Jostle. If you have previously setup Jostle for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
active-directory Logicgate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/logicgate-provisioning-tutorial.md
# Tutorial: Configure LogicGate for automatic user provisioning
-This tutorial describes the steps you need to perform in both LogicGate and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [LogicGate](https://www.logicgate.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both LogicGate and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [LogicGate](https://www.logicgate.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
This tutorial describes the steps you need to perform in both LogicGate and Azur
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A LogicGate tenant with the Enterprise plan or better enabled. * A user account in LogicGate with Admin permissions. ## Step 1. Plan your provisioning deployment
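Review bot: The `permission` link now points to `../roles/permissions-reference.md` instead of the "assign admin roles" page; confirm the new target covers the roles listed in the same sentence (Application Administrator, Cloud Application Administrator, Application Owner, Global Administrator). Since the sentence lists Global Administrator alongside narrower roles, it would help to say that the least-privileged role that can configure provisioning is preferred.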
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and LogicGate](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and LogicGate](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure LogicGate to support provisioning with Azure AD
The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add LogicGate from the Azure AD application gallery
-Add LogicGate from the Azure AD application gallery to start managing provisioning to LogicGate. If you have previously setup LogicGate for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add LogicGate from the Azure AD application gallery to start managing provisioning to LogicGate. If you have previously setup LogicGate for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to LogicGate, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to LogicGate, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to LogicGate
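Review bot: The `+` lines keep "based on assignment to the application and or based on attributes" from the `-` lines; "and or" should be "and/or" (or "or"). The bullet on the **Default Access** role is the important part of this hunk: users left in that role are silently excluded from provisioning, so it is worth stating plainly that the provisioning logs are where that exclusion shows up ("not effectively entitled"), which the text already does; keep it.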
This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to LogicGate**.
-9. Review the user attributes that are synchronized from Azure AD to LogicGate in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in LogicGate for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the LogicGate API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to LogicGate in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in LogicGate for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the LogicGate API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| ||||
This section guides you through the steps to configure the Azure AD provisioning
|name.givenName|String| |name.familyName|String|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for LogicGate, change the **Provisioning Status** to **On** in the **Settings** section.
This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Logmein Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/logmein-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the LogMeIn for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the LogMeIn tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LogMeIn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the LogMeIn tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LogMeIn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure the LogMeIn you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
+Once you configure the LogMeIn you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
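Review bot: The `+` line carries over several wording issues from the `-` line: "Once you configure the LogMeIn" should be "Once you configure LogMeIn", "Session controls extends" should be "Session controls extend", "protects exfiltration" should be "protects against exfiltration", and the sentence lacks a closing period. Also note this tutorial links to `/cloud-app-security/proxy-deployment-aad` whereas the other tutorials in this digest link to `/cloud-app-security/proxy-deployment-any-app`; confirm which deployment page is correct for LogMeIn.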
active-directory M Files Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/m-files-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to M-Files Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the M-Files tile in the My Apps, this will redirect to M-Files Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the M-Files tile in the My Apps, this will redirect to M-Files Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure M-Files you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure M-Files you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Mobicontrol Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mobicontrol-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to MobiControl Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the MobiControl tile in the My Apps, this will redirect to MobiControl Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the MobiControl tile in the My Apps, this will redirect to MobiControl Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure MobiControl you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure MobiControl you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Mongodb Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mongodb-cloud-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the MongoDB Cloud for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the MongoDB Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MongoDB Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the MongoDB Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MongoDB Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure MongoDB Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure MongoDB Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Moqups Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/moqups-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Moqups for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Moqups tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Moqups for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Moqups tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Moqups for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Moqups you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Moqups you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Netskope User Authentication Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netskope-user-authentication-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Netskope User Authentication for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Netskope User Authentication tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netskope User Authentication for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Netskope User Authentication tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netskope User Authentication for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Netskope User Authentication you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Netskope User Authentication you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory New Relic Limited Release Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/new-relic-limited-release-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the New Relic for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the New Relic tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the New Relic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the New Relic tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the New Relic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure New Relic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure New Relic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Olfeo Saas Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/olfeo-saas-provisioning-tutorial.md
# Tutorial: Configure Olfeo SAAS for automatic user provisioning
-This tutorial describes the steps you need to do in both Olfeo SAAS and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Olfeo SAAS](https://www.olfeo.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to do in both Olfeo SAAS and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Olfeo SAAS](https://www.olfeo.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add Olfeo SAAS from the Azure AD application gallery
-Add Olfeo SAAS from the Azure AD application gallery to start managing provisioning to Olfeo SAAS. If you have previously setup Olfeo SAAS for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-gallery-app.md).
+Add Olfeo SAAS from the Azure AD application gallery to start managing provisioning to Olfeo SAAS. If you have previously setup Olfeo SAAS for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
active-directory Oracle Peoplesoft Protected By F5 Big Ip Apm Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Oracle PeopleSoft-Protected by F5 BIG-IP APM for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Oracle PeopleSoft-Protected by F5 BIG-IP APM tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Oracle PeopleSoft-Protected by F5 BIG-IP APM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Oracle PeopleSoft-Protected by F5 BIG-IP APM tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Oracle PeopleSoft-Protected by F5 BIG-IP APM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Oracle PeopleSoft-Protected by F5 BIG-IP APM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Oracle PeopleSoft-Protected by F5 BIG-IP APM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Outsystems Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/outsystems-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the OutSystems Azure AD for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the OutSystems Azure AD tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the OutSystems Azure AD for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the OutSystems Azure AD tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the OutSystems Azure AD for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure OutSystems Azure AD you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure OutSystems Azure AD you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Thoughtworks Mingle Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/thoughtworks-mingle-tutorial.md
To configure Azure AD single sign-on with Thoughtworks Mingle, perform the follo
`https://<companyname>.mingle.thoughtworks.com` > [!NOTE]
- > The value is not real. Update the value with the actual Sign-On URL. Contact [Thoughtworks Mingle Client support team](https://support.thoughtworks.com/hc/categories/201743486-Mingle-Community-Support) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > The value is not real. Update the value with the actual Sign-On URL. Contact Thoughtworks Mingle Client support team to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
When you click the Thoughtworks Mingle tile in the Access Panel, you should be a
- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) -- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
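Review bot: the replacement note at L2946 drops the hyperlink to the Thoughtworks Mingle support team that L2945 carried, so the reader is still told to "Contact Thoughtworks Mingle Client support team" but is no longer told where. If the old support URL is dead, replace it with a current one rather than removing the link; if no public page exists any more, say so in the note so the reader knows to go through their own account contact.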
aks Csi Secrets Store Driver https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/csi-secrets-store-driver.md
+
+ Title: Use the Secrets Store CSI driver for Azure Kubernetes Service secrets
+description: Learn how to use the secrets store CSI driver to integrate secrets stores with Azure Kubernetes Service (AKS).
++++ Last updated : 03/30/2021+++
+# Use the Secrets Store CSI Driver for Kubernetes in an Azure Kubernetes Service (AKS) cluster (preview)
+
+The Secrets Store CSI Driver for Kubernetes allows for the integration of Azure Key Vault as a secrets store with a Kubernetes cluster via a [CSI volume][kube-csi].
+
+## Prerequisites
+
+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+- Before you start, install the latest version of the [Azure CLI](/cli/azure/install-azure-cli-windows).
+
+## Features
+
+- Mount secrets, keys, and/or certs to a pod using a CSI volume
+- Supports CSI Inline volumes (Kubernetes version v1.15+)
+- Supports mounting multiple secrets store objects as a single volume
+- Supports pod portability with the SecretProviderClass CRD
+- Supports windows containers (Kubernetes version v1.18+)
+- Sync with Kubernetes Secrets (Secrets Store CSI Driver v0.0.10+)
+- Supports auto rotation of mounted contents and synced Kubernetes secrets (Secrets Store CSI Driver v0.0.15+)
+
+## Register the `AKS-AzureKeyVaultSecretsProvider` preview feature
++
+To create an AKS cluster that can use the Secrets Store CSI Driver, you must enable the `AKS-AzureKeyVaultSecretsProvider` feature flag on your subscription.
+
+Register the `AKS-AzureKeyVaultSecretsProvider` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "AKS-AzureKeyVaultSecretsProvider"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-AzureKeyVaultSecretsProvider')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+## Create an AKS cluster with Secrets Store CSI Driver support
+
+> [!NOTE]
+> If you plan to provide access to the cluster via a user-assigned or system-assigned managed identity, enable Azure Active Directory on your cluster with the flag `enable-managed-identity`. See [Use managed identities in Azure Kubernetes Service][aks-managed-identity] for more.
+
+To create an AKS cluster with Secrets Store CSI Driver capability, use the [az-aks-create][az-aks-create] command with the addon `azure-keyvault-secrets-provider`:
+
+```azurecli-interactive
+az aks create -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider
+```
+
+## Upgrade an existing AKS cluster with Secrets Store CSI Driver support
+
+> [!NOTE]
+> If you plan to provide access to the cluster via a user-assigned or system-assigned managed identity, enable Azure Active Directory on your cluster with the flag `enable-managed-identity`. See [Use managed identities in Azure Kubernetes Service][aks-managed-identity] for more.
+
+To upgrade an existing AKS cluster with Secrets Store CSI Driver capability, use the [az-aks-create][az-aks-create] command with the addon `azure-keyvault-secrets-provider`:
+
+```azurecli-interactive
+az aks upgrade -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider
+```
+
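Review bot: the upgrade instructions at L3014-L3017 are internally inconsistent: the prose points at `az aks create` (rendered as the link text `az-aks-create`, which should read `az aks create` here and at L3003), while the command shown is `az aks upgrade --enable-addons`. `az aks upgrade` is the Kubernetes-version upgrade command and does not accept `--enable-addons`, so the snippet fails as written. Enabling the add-on on an existing cluster is `az aks enable-addons --addons azure-keyvault-secrets-provider -n myAKSCluster -g myResourceGroup`, the counterpart of the `az aks disable-addons` call the article already shows in the Disable section; fix the command and the link text together.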
+These commands will install the Secrets Store CSI Driver and the Azure Key Vault provider on your nodes. Verify by listing all pods from all namespaces and ensuring your output looks similar to the following:
+
+```bash
+kubectl get pods -n kube-system
+
+NAMESPACE NAME READY STATUS RESTARTS AGE
+kube-system aks-secrets-store-csi-driver-4vpkj 3/3 Running 2 4m25s
+kube-system aks-secrets-store-csi-driver-ctjq6 3/3 Running 2 4m21s
+kube-system aks-secrets-store-csi-driver-tlvlq 3/3 Running 2 4m24s
+kube-system aks-secrets-store-provider-azure-5p4nb 1/1 Running 0 4m21s
+kube-system aks-secrets-store-provider-azure-6pqmv 1/1 Running 0 4m24s
+kube-system aks-secrets-store-provider-azure-f5qlm 1/1 Running 0 4m25s
+```
+
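Review bot: the verification command at L3023 and its sample output at L3025-L3031 do not agree. `kubectl get pods -n kube-system` lists a single namespace and prints no NAMESPACE column, while the sentence at L3020 says "all pods from all namespaces" and the output has a NAMESPACE column. Either use `kubectl get pods -A` (or `--all-namespaces`) to match the output, or keep `-n kube-system` and drop the NAMESPACE column from the sample; also say that the three driver pods and three provider pods are DaemonSet pods, one pair per node, so the counts in the output depend on the node count of the reader's cluster.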
+### Enabling autorotation
+
+> [!NOTE]
+> When enabled, the Secrets Store CSI Driver will update the pod mount and the Kubernetes Secret defined in secretObjects of the SecretProviderClass by polling for changes every two minutes.
+
+To enable autorotation of secrets, use the flag `enable-secret-rotation` when creating your cluster:
+
+```azurecli-interactive
+az aks create -n myAKSCluster2 -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-secret-rotation --rotation-poll-interval 5m
+```
+
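Review bot: the autorotation note at L3037 states a fixed poll of every two minutes, but the example at L3042 passes `--rotation-poll-interval 5m` without any explanation. State that two minutes is the default and that `--rotation-poll-interval` overrides it, so the reader can reconcile the two. Separately, the example creates a second cluster (`myAKSCluster2`) instead of enabling rotation on the cluster created earlier in the article; since the heading says "Enabling autorotation" and the previous section just showed how to add the add-on to an existing cluster, readers will expect an existing-cluster form as well, or at least a sentence saying rotation is only settable at add-on enable time if that is the case.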
+## Create or use an existing Azure Key Vault
+
+In addition to an AKS cluster, you will need an Azure Key Vault resource containing the secret content. To deploy an Azure Key Vault instance, follow these steps:
+
+1. [Create a key vault][create-key-vault]
+2. [Set a secret in a key vault][set-secret-key-vault]
+
+Take note of the following properties for use in the next section:
+
+- Name of secret object in Key Vault
+- Secret content type (secret, key, cert)
+- Name of Key Vault resource
+- Azure Tenant ID the Subscription belongs to
+
+## Create and apply your own SecretProviderClass object
+
+To use and configure the Secrets Store CSI driver for your AKS cluster, create a SecretProviderClass custom resource.
+
+Here is an example making use of a Service Principal to access the key vault:
+
+```yml
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+ name: azure-kvname
+spec:
+ provider: azure
+ parameters:
+ usePodIdentity: "false" # [OPTIONAL] if not provided, will default to "false"
+ keyvaultName: "kvname" # the name of the KeyVault
+ cloudName: "" # [OPTIONAL for Azure] if not provided, azure environment will default to AzurePublicCloud
+ objects: |
+ array:
+ - |
+ objectName: secret1
+ objectType: secret # object types: secret, key or cert
+ objectVersion: "" # [OPTIONAL] object versions, default to latest if empty
+ - |
+ objectName: key1
+ objectType: key
+ objectVersion: ""
+ tenantId: "<tenant-id>" # the tenant ID of the KeyVault
+```
+
+For more information, see [Create your own SecretProviderClass Object][sample-secret-provider-class]. Be sure to use the values you took note of above.
+
+## Provide identity to access Azure Key Vault
+
+The example in this article uses a Service Principal, but the Azure Key Vault provider offers four methods of access. Review them and choose the one that best fits your use case. Be aware additional steps may be required depending on the chosen method, such as granting the Service Principal permissions to get secrets from key vault.
+
+- [Service Principal][service-principal-access]
+- [Pod Identity][pod-identity-access]
+- [User-assigned Managed Identity][ua-mi-access]
+- [System-assigned Managed Identity][sa-mi-access]
+
+### Apply the SecretProviderClass to your cluster
+
+Next, deploy the SecretProviderClass you created. For example:
+
+```bash
+kubectl apply -f ./new-secretproviderclass.yaml
+```
+
+## Update and apply your cluster's deployment YAML
+
+To ensure your cluster is using the new custom resource, update the deployment YAML. For a more comprehensive example, take a look at a [sample deployment][sample-deployment] using Service Principal to access Azure Key Vault. Be sure to follow any additional steps from your chosen method of key vault access.
+
+```yml
+kind: Pod
+apiVersion: v1
+metadata:
+ name: busybox-secrets-store-inline
+spec:
+ containers:
+ - name: busybox
+ image: k8s.gcr.io/e2e-test-images/busybox:1.29
+ command:
+ - "/bin/sh"
+ - "10000"
+ volumeMounts:
+ - name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "azure-kvname"
+ nodePublishSecretRef: # Only required when using service principal mode
+ name: secrets-store-creds # Only required when using service principal mode. The name of the Kubernetes secret that contains the service principal credentials to access keyvault.
+```
+
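Review bot: the sample pod at L3121-L3123 will not stay running. `command: ["/bin/sh", "10000"]` starts sh with `10000` as a script path, which fails immediately (busybox sh cannot open `10000`), so the pod lands in CrashLoopBackOff and the `kubectl exec` checks in the Validate section cannot be run against it. The intent is to keep the container alive, i.e. `- "/bin/sleep"` followed by `- "10000"`. Second, the manifest references a Kubernetes Secret named `secrets-store-creds` (L3135-L3136) that the article never creates; add the step that creates it in the pod's namespace from the service principal client ID and secret before the `kubectl apply` at L3142, and state plainly that in service principal mode the credential used to read Key Vault itself lives in a Kubernetes Secret, which is exactly what the managed identity modes listed under "Provide identity to access Azure Key Vault" avoid (the comment at L3135 already says the field is only needed in service principal mode, so this is the place to make the trade-off explicit).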
+Apply the updated deployment to the cluster:
+
+```bash
+kubectl apply -f ./my-deployment.yaml
+```
+
+## Validate the secrets
+
+After the pod starts, the mounted content at the volume path specified in your deployment YAML is available.
+
+```Bash
+## show secrets held in secrets-store
+kubectl exec busybox-secrets-store-inline -- ls /mnt/secrets-store/
+
+## print a test secret 'secret1' held in secrets-store
+kubectl exec busybox-secrets-store-inline -- cat /mnt/secrets-store/secret1
+```
+
+## Disable Secrets Store CSI Driver
+
+To disable the Secrets Store CSI Driver capability in an existing cluster, use the az aks command with the disable-addon `azure-keyvault-secrets-provider`:
+
+```azurecli-interactive
+az aks disable-addons -n myAKSCluster -g myResourceGroup --addons azure-keyvault-secrets-provider
+```
+
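Review bot: the disable instruction at L3159 reads "use the az aks command with the disable-addon `azure-keyvault-secrets-provider`", which names neither the subcommand nor the parameter; say "use the `az aks disable-addons` command with `--addons azure-keyvault-secrets-provider`" so the prose matches the snippet at L3162. In the Validate section, the second command at L3154 prints the secret value to the terminal; that is fine for the test secret the article asks the reader to create, but add a sentence noting that the same `cat` in a CI job or a shared shell session writes the secret into captured logs and history, and that listing the mount (L3151) is enough to confirm the driver is working.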
+## Next steps
+<!-- Add a context sentence for the following links -->
+After learning how to use the CSI Secrets Store Driver with an AKS Cluster, see the following resources:
+
+- [Run the Azure Key Vault provider for Secrets Store CSI Driver][key-vault-provider]
+- [Enable CSI drivers for Azure Disks and Azure Files on AKS][csi-storage-drivers]
+
+<!-- Links -->
+<!-- Internal -->
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[key-vault-provider]: ../key-vault/general/key-vault-integrate-kubernetes.md
+[csi-storage-drivers]: ./csi-storage-drivers.md
+[create-key-vault]: ../key-vault/general/quick-create-cli.md
+[set-secret-key-vault]: ../key-vault/secrets/quick-create-portal.md
+[aks-managed-identity]: ./use-managed-identity.md
+
+<!-- External -->
+[kube-csi]: https://kubernetes-csi.github.io/docs/
+[key-vault-provider-install]: https://azure.github.io/secrets-store-csi-driver-provider-azure/getting-started/installation
+[sample-secret-provider-class]: https://azure.github.io/secrets-store-csi-driver-provider-azure/getting-started/usage/#create-your-own-secretproviderclass-object
+[service-principal-access]: https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/identity-access-modes/service-principal-mode/
+[pod-identity-access]: https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/identity-access-modes/pod-identity-mode/
+[ua-mi-access]: https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/identity-access-modes/user-assigned-msi-mode/
+[sa-mi-access]: https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/identity-access-modes/system-assigned-msi-mode/
+[sample-deployment]: https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/examples/service-principal/pod-inline-volume-service-principal.yaml
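Review bot: the HTML comment `<!-- Add a context sentence for the following links -->` at L3166 is an author TODO that the sentence at L3167 already satisfies; remove it before publishing. The link reference `[key-vault-provider-install]` at L3186 is defined but never used anywhere in the article; either reference it (the installation page is a natural "Next steps" entry alongside L3169) or drop the definition. The fenced-code language tags are also mixed across the article (`azurecli-interactive`, `bash`, `Bash` at L3149, `yml` at L3065 and L3112); standardise on `bash` and `yaml`.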
aks Kubernetes Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-service-principal.md
Title: Service principals for Azure Kubernetes Services (AKS)
description: Create and manage an Azure Active Directory service principal for a cluster in Azure Kubernetes Service (AKS) Previously updated : 06/16/2020- Last updated : 04/22/2021+ #Customer intent: As a cluster operator, I want to understand how to create a service principal and delegate permissions for AKS to access required resources. In large enterprise environments, the user that deploys the cluster (or CI/CD system), may not have permissions to create this service principal automatically when the cluster is created.
To create an Azure AD service principal, you must have permissions to register a
If you are using a service principal from a different Azure AD tenant, there are additional considerations around the permissions available when you deploy the cluster. You may not have the appropriate permissions to read and write directory information. For more information, see [What are the default user permissions in Azure Active Directory?][azure-ad-permissions]
+### [Azure CLI](#tab/azure-cli)
+ You also need the Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+### [Azure PowerShell](#tab/azure-powershell)
+
+You also need Azure PowerShell version 5.0.0 or later installed. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install the Azure Az PowerShell module][install-the-azure-az-powershell-module].
+++ ## Automatically create and use a service principal
+### [Azure CLI](#tab/azure-cli)
+ When you create an AKS cluster in the Azure portal or using the [az aks create][az-aks-create] command, Azure can automatically generate a service principal. In the following Azure CLI example, a service principal is not specified. In this scenario, the Azure CLI creates a service principal for the AKS cluster. To successfully complete the operation, your Azure account must have the proper rights to create a service principal.
In the following Azure CLI example, a service principal is not specified. In thi
az aks create --name myAKSCluster --resource-group myResourceGroup ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+When you create an AKS cluster in the Azure portal or using the [New-AzAksCluster][new-azakscluster] command, Azure can automatically generate a service principal.
+
+In the following Azure PowerShell example, a service principal is not specified. In this scenario, Azure PowerShell creates a service principal for the AKS cluster. To successfully complete the operation, your Azure account must have the proper rights to create a service principal.
+
+```azurepowershell-interactive
+New-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup
+```
+++ ## Manually create a service principal
+### [Azure CLI](#tab/azure-cli)
+ To manually create a service principal with the Azure CLI, use the [az ad sp create-for-rbac][az-ad-sp-create] command. In the following example, the `--skip-assignment` parameter prevents any additional default assignments being assigned: ```azurecli-interactive
The output is similar to the following example. Make a note of your own `appId`
} ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+To manually create a service principal with Azure PowerShell, use the [New-AzADServicePrincipal][new-azadserviceprincipal] command. In the following example, the `-SkipAssignment` parameter prevents any additional default assignments being assigned:
+
+```azurepowershell-interactive
+New-AzADServicePrincipal -DisplayName myAKSClusterServicePrincipal -SkipAssignment -OutVariable sp
+```
+
+The output is similar to the following example. The values are also stored in a variable that is used when you create an AKS cluster in the next section.
+
+```Output
+Secret : System.Security.SecureString
+ServicePrincipalNames : {559513bd-0c19-4c1a-87cd-851a26afd5fc, http://myAKSClusterServicePrincipal}
+ApplicationId : 559513bd-0c19-4c1a-87cd-851a26afd5fc
+ObjectType : ServicePrincipal
+DisplayName : myAKSClusterServicePrincipal
+Id : 559513bd-0c19-4c1a-87cd-851a26afd5fc
+Type :
+```
+
+To decrypt the value stored in the **Secret** secure string, you use the following example.
+
+```azurepowershell-interactive
+$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret)
+[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
+```
+
+For more information, see [Create an Azure service principal with Azure PowerShell][create-an-azure-service-principal-with-azure-powershell]
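Review bot: the decryption snippet at L3245-L3246 allocates a BSTR containing the plaintext client secret and never releases it, so the plaintext stays in unmanaged memory for the rest of the session; follow the read with `[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)` to zero and free it. The snippet also echoes the secret to the console, and therefore into any transcript or history; the only consumer of the plaintext in this article is the portal path at L3275, so say that this step is needed only for the portal, and point readers using the cmdlet to the PSCredential construction at L3260, which takes `$sp.Secret` as a SecureString without ever decrypting it. Minor: the sentence at L3249 is missing its trailing period.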
+++ ## Specify a service principal for an AKS cluster
+### [Azure CLI](#tab/azure-cli)
+ To use an existing service principal when you create an AKS cluster using the [az aks create][az-aks-create] command, use the `--service-principal` and `--client-secret` parameters to specify the `appId` and `password` from the output of the [az ad sp create-for-rbac][az-ad-sp-create] command: ```azurecli-interactive
If you deploy an AKS cluster using the Azure portal, on the *Authentication* pag
![Image of browsing to Azure Vote](media/kubernetes-service-principal/portal-configure-service-principal.png)
+### [Azure PowerShell](#tab/azure-powershell)
+
+To use an existing service principal when you create an AKS cluster, you'll need to convert the service principal `ApplicationId` and `Secret` to a **PSCredential** object as shown in the following example.
+
+```azurepowershell-interactive
+$Cred = New-Object -TypeName System.Management.Automation.PSCredential ($sp.ApplicationId, $sp.Secret)
+```
+
+When running the `New-AzAksCluster` command, you specify the `ServicePrincipalIdAndSecret` parameter with the previously created **PSCredential** object as its value.
+
+```azurepowershell-interactive
+New-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster -ServicePrincipalIdAndSecret $Cred
+```
+
+> [!NOTE]
+> If you're using an existing service principal with customized secret, ensure the secret is no longer than 190 bytes.
+
+If you deploy an AKS cluster using the Azure portal, on the *Authentication* page of the **Create Kubernetes cluster** dialog, choose to **Configure service principal**. Select **Use existing**, and specify the following values:
+
+- **Service principal client ID** is your *ApplicationId*
+- **Service principal client secret** is the decrypted *Secret* value
+
+![Image of browsing to Azure Vote](media/kubernetes-service-principal/portal-configure-service-principal.png)
+++ ## Delegate access to other Azure resources The service principal for the AKS cluster can be used to access other resources. For example, if you want to deploy your AKS cluster into an existing Azure virtual network subnet or connect to Azure Container Registry (ACR), you need to delegate access to those resources to the service principal.
+### [Azure CLI](#tab/azure-cli)
+ To delegate permissions, create a role assignment using the [az role assignment create][az-role-assignment-create] command. Assign the `appId` to a particular scope, such as a resource group or virtual network resource. A role then defines what permissions the service principal has on the resource, as shown in the following example: ```azurecli
az role assignment create --assignee <appId> --scope <resourceScope> --role Cont
The `--scope` for a resource needs to be a full resource ID, such as */subscriptions/\<guid\>/resourceGroups/myResourceGroup* or */subscriptions/\<guid\>/resourceGroups/myResourceGroupVnet/providers/Microsoft.Network/virtualNetworks/myVnet*
+### [Azure PowerShell](#tab/azure-powershell)
+
+To delegate permissions, create a role assignment using the [New-AzRoleAssignment][new-azroleassignment] command. Assign the `ApplicationId` to a particular scope, such as a resource group or virtual network resource. A role then defines what permissions the service principal has on the resource, as shown in the following example:
+
+```azurepowershell-interactive
+New-AzRoleAssignment -ApplicationId <ApplicationId> -Scope <resourceScope> -RoleDefinitionName Contributor
+```
+
+The `Scope` for a resource needs to be a full resource ID, such as */subscriptions/\<guid\>/resourceGroups/myResourceGroup* or */subscriptions/\<guid\>/resourceGroups/myResourceGroupVnet/providers/Microsoft.Network/virtualNetworks/myVnet*
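Review bot: the role assignment example at L3288 grants the built-in Contributor role, which is broader than the article's own later guidance; the Networking section at L3301 recommends Network Contributor on the subnet (or a custom role), so the example would illustrate the intended least-privilege pattern better if it used a narrower role or at least stated that Contributor is shown for brevity. Also, the parameter is written as `Scope` at L3291 but as `-Scope` at L3288; render it as `-Scope` in the prose, matching how the CLI tab refers to `--scope` at L3282.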
+++ > [!NOTE]
-> If you have removed the Contributor role assignment from the node resource group, the operations below may fail.
+> If you have removed the Contributor role assignment from the node resource group, the operations below may fail.
The following sections detail common delegations that you may need to make. ### Azure Container Registry
+### [Azure CLI](#tab/azure-cli)
+ If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the [az aks create][az-aks-create] or [az aks update][az-aks-update] command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-to-acr].
+### [Azure PowerShell](#tab/azure-powershell)
+
+If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the [New-AzAksCluster][new-azakscluster] or [Set-AzAksCluster][set-azakscluster] command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-to-acr].
+++ ### Networking You may use advanced networking where the virtual network and subnet or public IP addresses are in another resource group. Assign the [Network Contributor][rbac-network-contributor] built-in role on the subnet within the virtual network. Alternatively, you can create a [custom role][rbac-custom-role] with permissions to access the network resources in that resource group. See [AKS service permissions][aks-permissions] for more details.
If you use Virtual Kubelet to integrate with AKS and choose to run Azure Contain
## Additional considerations
+### [Azure CLI](#tab/azure-cli)
+ When using AKS and Azure AD service principals, keep the following considerations in mind. - The service principal for Kubernetes is a part of the cluster configuration. However, don't use the identity to deploy the cluster.
When using AKS and Azure AD service principals, keep the following consideration
- When you specify the service principal **Client ID**, use the value of the `appId`. - On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the file `/etc/kubernetes/azure.json` - When you use the [az aks create][az-aks-create] command to generate the service principal automatically, the service principal credentials are written to the file `~/.azure/aksServicePrincipal.json` on the machine used to run the command.-- If you do not specifically pass a service principal in additional AKS CLI commands, the default service principal located at `~/.azure/aksServicePrincipal.json` is used.
+- If you do not specifically pass a service principal in additional AKS CLI commands, the default service principal located at `~/.azure/aksServicePrincipal.json` is used.
- You can also optionally remove the aksServicePrincipal.json file, and AKS will create a new service principal. - When you delete an AKS cluster that was created by [az aks create][az-aks-create], the service principal that was created automatically is not deleted. - To delete the service principal, query for your cluster *servicePrincipalProfile.clientId* and then delete with [az ad sp delete][az-ad-sp-delete]. Replace the following resource group and cluster names with your own values:
When using AKS and Azure AD service principals, keep the following consideration
az ad sp delete --id $(az aks show -g myResourceGroup -n myAKSCluster --query servicePrincipalProfile.clientId -o tsv) ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+When using AKS and Azure AD service principals, keep the following considerations in mind.
+
+- The service principal for Kubernetes is a part of the cluster configuration. However, don't use the identity to deploy the cluster.
+- By default, the service principal credentials are valid for one year. You can [update or rotate the service principal credentials][update-credentials] at any time.
+- Every service principal is associated with an Azure AD application. The service principal for a Kubernetes cluster can be associated with any valid Azure AD application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint.
+- When you specify the service principal **Client ID**, use the value of the `ApplicationId`.
+- On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the file `/etc/kubernetes/azure.json`
+- When you use the [New-AzAksCluster][new-azakscluster] command to generate the service principal automatically, the service principal credentials are written to the file `~/.azure/aksServicePrincipal.json` on the machine used to run the command.
+- If you do not specifically pass a service principal in additional AKS PowerShell commands, the default service principal located at `~/.azure/aksServicePrincipal.json` is used.
+- You can also optionally remove the aksServicePrincipal.json file, and AKS will create a new service principal.
+- When you delete an AKS cluster that was created by [New-AzAksCluster][new-azakscluster], the service principal that was created automatically is not deleted.
+ - To delete the service principal, query for your cluster *ServicePrincipalProfile.ClientId* and then delete with [Remove-AzADServicePrincipal][remove-azadserviceprincipal]. Replace the following resource group and cluster names with your own values:
+
+ ```azurepowershell-interactive
+ $ClientId = (Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster ).ServicePrincipalProfile.ClientId
+ Remove-AzADServicePrincipal -ApplicationId $ClientId
+ ```
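Review bot: the bullets beginning "On the agent node VMs" and "When you use the [New-AzAksCluster][new-azakscluster] command" state that the service principal credentials are written to `/etc/kubernetes/azure.json` and to `~/.azure/aksServicePrincipal.json`, and the next bullet makes that cached file the default identity for every later AKS PowerShell command, yet nothing tells the reader that the file holds reusable credentials that should be access-restricted and removed from the operator machine once it is no longer needed; add that sentence alongside the existing "You can also optionally remove the aksServicePrincipal.json file" bullet. Also, the snippet line `$ClientId = (Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster ).ServicePrincipalProfile.ClientId` has a stray space before the closing parenthesis.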
++ ## Troubleshoot
+### [Azure CLI](#tab/azure-cli)
+ The service principal credentials for an AKS cluster are cached by the Azure CLI. If these credentials have expired, you encounter errors deploying AKS clusters. The following error message when running [az aks create][az-aks-create] may indicate a problem with the cached service principal credentials: ```console
ls -la $HOME/.azure/aksServicePrincipal.json
The default expiration time for the service principal credentials is one year. If your *aksServicePrincipal.json* file is older than one year, delete the file and try to deploy an AKS cluster again.
+### [Azure PowerShell](#tab/azure-powershell)
+
+The service principal credentials for an AKS cluster are cached by Azure PowerShell. If these credentials have expired, you encounter errors deploying AKS clusters. The following error message when running [New-AzAksCluster][new-azakscluster] may indicate a problem with the cached service principal credentials:
+
+```console
+Operation failed with status: 'Bad Request'.
+Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details.
+(Details: adal: Refresh request failed. Status Code = '401'.
+```
+
+Check the age of the credentials file using the following command:
+
+```azurepowershell-interactive
+Get-ChildItem -Path $HOME/.azure/aksServicePrincipal.json
+```
+
+The default expiration time for the service principal credentials is one year. If your *aksServicePrincipal.json* file is older than one year, delete the file and try to deploy an AKS cluster again.
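Review bot: "Check the age of the credentials file using the following command" followed by `Get-ChildItem -Path $HOME/.azure/aksServicePrincipal.json` never says which property the reader is supposed to look at, while the paragraph after it keys the decision on whether the file is older than one year; either say to read the `LastWriteTime` column or use `(Get-Item $HOME/.azure/aksServicePrincipal.json).LastWriteTime` so the value being compared is unambiguous.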
+++ ## Next steps For more information about Azure Active Directory service principals, see [Application and service principal objects][service-principal].
For information on how to update the credentials, see [Update or rotate the cred
<!-- LINKS - internal --> [aad-service-principal]:../active-directory/develop/app-objects-and-service-principals.md [acr-intro]: ../container-registry/container-registry-intro.md
-[az-ad-sp-create]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
+[az-ad-sp-create]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
[az-ad-sp-delete]: /cli/azure/ad/sp#az_ad_sp_delete [azure-load-balancer-overview]: ../load-balancer/load-balancer-overview.md [install-azure-cli]: /cli/azure/install-azure-cli [service-principal]:../active-directory/develop/app-objects-and-service-principals.md [user-defined-routes]: ../load-balancer/load-balancer-overview.md
-[az-ad-app-list]: /cli/azure/ad/app#az_ad_app_list
-[az-ad-app-delete]: /cli/azure/ad/app#az_ad_app_delete
-[az-aks-create]: /cli/azure/aks#az_aks_create
-[az-aks-update]: /cli/azure/aks#az_aks_update
+[az-ad-app-list]: /cli/azure/ad/app#az-ad-app-list
+[az-ad-app-delete]: /cli/azure/ad/app#az-ad-app-delete
+[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-aks-update]: /cli/azure/aks#az-aks-update
[rbac-network-contributor]: ../role-based-access-control/built-in-roles.md#network-contributor [rbac-custom-role]: ../role-based-access-control/custom-roles.md [rbac-storage-contributor]: ../role-based-access-control/built-in-roles.md#storage-account-contributor
-[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
+[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
[aks-to-acr]: cluster-container-registry-integration.md [update-credentials]: update-credentials.md [azure-ad-permissions]: ../active-directory/fundamentals/users-default-permissions.md [aks-permissions]: concepts-identity.md#aks-service-permissions
+[install-the-azure-az-powershell-module]: /powershell/azure/install-az-ps
+[new-azakscluster]: /powershell/module/az.aks/new-azakscluster
+[new-azadserviceprincipal]: /powershell/module/az.resources/new-azadserviceprincipal
+[create-an-azure-service-principal-with-azure-powershell]: /powershell/azure/create-azure-service-principal-azureps
+[new-azroleassignment]: /powershell/module/az.resources/new-azroleassignment
+[set-azakscluster]: /powershell/module/az.aks/set-azakscluster
+[remove-azadserviceprincipal]: /powershell/module/az.resources/remove-azadserviceprincipal
aks Private Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/private-clusters.md
As mentioned, virtual network peering is one way to access your private cluster.
> If you are using [Bring Your Own Route Table with kubenet](./configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet) and Bring Your Own DNS with Private Cluster, the cluster creation will fail. You will need to associate the [RouteTable](./configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet) in the node resource group to the subnet after the cluster creation failed, in order to make the creation successful. ## Limitations
+* AKS-RunCommand does not work on clusters with AKS managed AAD and Private link enabled.
* IP authorized ranges can't be applied to the private api server endpoint, they only apply to the public API server * [Azure Private Link service limitations][private-link-service] apply to private clusters. * No support for Azure DevOps Microsoft-hosted Agents with private clusters. Consider to use [Self-hosted Agents](/azure/devops/pipelines/agents/agents?tabs=browser).
aks Servicemesh Linkerd Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/servicemesh-linkerd-install.md
You can also follow additional scenarios using:
<!-- LINKS - external --> [linkerd]: https://linkerd.io/
-[linkerd-cncf]: https://landscape.cncf.io/selected=linkerd
+[linkerd-cncf]: https://landscape.cncf.io/?selected=linkerd
[linkerd-faq]: https://linkerd.io/2/faq/ [linkerd-architecture]: https://linkerd.io/2/reference/architecture/ [linkerd-getting-started]: https://linkerd.io/2/getting-started/
aks Use Multiple Node Pools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-multiple-node-pools.md
A workload may require splitting a cluster's nodes into separate pools for logic
* All subnets assigned to nodepools must belong to the same virtual network. * System pods must have access to all nodes/pods in the cluster to provide critical functionality such as DNS resolution and tunneling kubectl logs/exec/port-forward proxy.
-* If you expand your VNET after creating the cluster you must update your cluster (perform any managed clster operation but node pool operations don't count) before adding a subnet outside the original cidr. AKS will error out on the agent pool add now though we originally allowed it. If you don't know how to reconcile your cluster file a support ticket.
+* If you expand your VNET after creating the cluster you must update your cluster (perform any managed cluster operation but node pool operations don't count) before adding a subnet outside the original cidr. AKS will error out on the agent pool add now though we originally allowed it. If you don't know how to reconcile your cluster file a support ticket.
* Calico Network Policy is not supported. * Azure Network Policy is not supported. * Kube-proxy expects a single contiguous cidr and uses it this for three optmizations. See this [K.E.P.](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2450-Remove-knowledge-of-pod-cluster-CIDR-from-iptables-rules) and --cluster-cidr [here](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/) for details. In azure cni your first node pool's subnet will be given to kube-proxy.
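Review bot: the bullet right after the corrected one still carries two typos that the same commit could have fixed: "uses it this for three optmizations" should read "uses this for three optimizations". In the same bullets, "cidr" and "azure cni" are an abbreviation and a product name and should be written "CIDR" and "Azure CNI", matching "VNET" and "AKS" in the fixed line.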
analysis-services Analysis Services Database Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-database-users.md
description: Learn how to manage database roles and users on an Analysis Service
Previously updated : 04/15/2020 Last updated : 04/27/2021
analysis-services Analysis Services Gateway Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-gateway-install.md
description: Learn how to install and configure an On-premises data gateway to c
Previously updated : 07/29/2020 Last updated : 04/27/2021
# Install and configure an on-premises data gateway
-An on-premises data gateway is required when one or more Azure Analysis Services servers in the same region connect to on-premises data sources. While the gateway you install is the same as used by other services like Power BI, Power Apps, and Logic Apps, when installing for Azure Analysis Services, there are some additional steps you need to complete. This install article is specific to **Azure Analysis Services**.
+An on-premises data gateway is required when one or more Azure Analysis Services servers in the same region connect to on-premises data sources. While the gateway you install is the same as used by other services like Power BI, Power Apps, and Logic Apps, when installing for Azure Analysis Services, there are some additional steps you need to complete. This install article is specific to **Azure Analysis Services**.
To learn more about how Azure Analysis Services works with the gateway, see [Connecting to on-premises data sources](analysis-services-gateway.md). To learn more about advanced installation scenarios and the gateway in general, see [On-premises data gateways documentation](/data-integration/gateway/service-gateway-onprem).
That's it. If you need to open ports or do any troubleshooting, be sure to check
## Next steps
-* [Manage Analysis Services](analysis-services-manage.md)
-* [Get data from Azure Analysis Services](analysis-services-connect.md)
-* [Use gateway for data sources on an Azure Virtual Network](analysis-services-vnet-gateway.md)
+* [Connecting to on-premises data sources](analysis-services-gateway.md)
+* [Data sources supported in Azure Analysis Services](analysis-services-datasource.md)
+* [Use gateway for data sources on an Azure Virtual Network](analysis-services-vnet-gateway.md)
+* [Frequently asked questions about Analysis Services network connectivity](analysis-services-network-faq.md)
analysis-services Analysis Services Gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-gateway.md
description: An On-premises gateway is necessary if your Analysis Services serve
Previously updated : 07/29/2020 Last updated : 04/27/2021
analysis-services Analysis Services Logging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-logging.md
description: Describes how to setup up logging to monitoring your Azure Analysis
Previously updated : 05/19/2020 Last updated : 04/27/2021
analysis-services Analysis Services Long Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-long-operations.md
description: This article describes best practices for long running operations.
Previously updated : 04/14/2020 Last updated : 04/27/2021
analysis-services Analysis Services Odc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-odc.md
description: Learn how to create an Office Data Connection file to connect to an
Previously updated : 12/01/2019 Last updated : 04/27/2021
analysis-services Analysis Services Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-powershell.md
description: Describes Azure Analysis Services PowerShell cmdlets for common adm
Previously updated : 05/19/2020 Last updated : 04/27/2021
analysis-services Analysis Services Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-samples.md
description: This article describes resources to learn about code, project, and
Previously updated : 10/30/2019 Last updated : 04/27/2021
analysis-services Analysis Services Scale Out https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-scale-out.md
description: Replicate Azure Analysis Services servers with scale-out. Client qu
Previously updated : 09/10/2020 Last updated : 04/27/2021
analysis-services Analysis Services Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-service-principal.md
description: Learn how to create a service principal for automating Azure Analys
Previously updated : 07/07/2020 Last updated : 04/27/2021
analysis-services Analysis Services Vnet Gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-vnet-gateway.md
description: Learn how to configure an Azure Analysis Services server to use a g
Previously updated : 05/19/2020 Last updated : 04/27/2021
app-service App Service Key Vault References https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-key-vault-references.md
description: Learn how to set up Azure App Service and Azure Functions to use Az
Previously updated : 02/05/2021 Last updated : 04/23/2021
To use a Key Vault reference for an application setting, set the reference as th
> [!TIP] > Most application settings using Key Vault references should be marked as slot settings, as you should have separate vaults for each environment.
+### Considerations for Azure Files mounting
+
+Apps can use the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` application setting to mount Azure Files as the file system. This setting has additional validation checks to ensure that the app can be properly started. The platform relies on having a content share within Azure Files, and it assumes a default name unless one is specified via the `WEBSITE_CONTENTSHARE` setting. For any requests which modify these settings, the platform will attempt to validate if this content share exists, and it will attempt to create it if not. If it cannot locate or create the content share, the request is blocked.
+
+When using Key Vault references for this setting, this validation check will fail by default, as the secret itself cannot be resolved while processing the incoming request. To avoid this issue, you can skip the validation by setting `WEBSITE_SKIP_CONTENTSHARE_VALIDATION` to "1". This will bypass all checks, and the content share will not be created for you. You should ensure it is created in advance.
+
+> [!CAUTION]
+> If you skip validation and either the connection string or content share are invalid, the app will be unable to start properly and will only serve HTTP 500 errors.
+
+As part of creating the site, it is also possible that attempted mounting of the content share could fail due to managed identity permissions not being propagated or the virtual network integration not being set up. You can defer setting up Azure Files until later in the deployment template to accommodate this. See [Azure Resource Manager deployment](#azure-resource-manager-deployment) to learn more. App Service will use a default file system until Azure Files is set up, and files are not copied over, so you will need to ensure that no deployment attempts occur during the interim period before Azure Files is mounted.
+ ### Azure Resource Manager deployment When automating resource deployments through Azure Resource Manager templates, you may need to sequence your dependencies in a particular order to make this feature work. Of note, you will need to define your application settings as their own resource, rather than using a `siteConfig` property in the site definition. This is because the site needs to be defined first so that the system-assigned identity is created with it and can be used in the access policy.
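Review bot: the paragraph on `WEBSITE_SKIP_CONTENTSHARE_VALIDATION` says the platform "assumes a default name unless one is specified via the `WEBSITE_CONTENTSHARE` setting" but never gives that default, which matters once validation is skipped because the reader is told to create the share with exactly that name in advance; state the default or link to where it is documented. Two grammar points in the same region: "For any requests which modify these settings" should be "that modify", and in the caution "either the connection string or content share are invalid" should be "is invalid".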
app-service App Service Web Configure Tls Mutual Auth https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-configure-tls-mutual-auth.md
When you enable mutual auth for your application, all paths under the root of yo
1. Next to **Client exclusion paths**, click the edit icon.
-1. Click **New path**, specify a path, and click **OK**.
+1. Click **New path**, specify a path, or a list of paths separated by `,` or `;`, and click **OK**.
1. Click **Save** at the top of the page.
-In the following screenshot, anything under the `/public` path for your app does not request a client certificate.
+In the following screenshot, any path for your app that starts with `/public` does not request a client certificate. Path matching is case-insensitive.
![Certificate Exclusion Paths][exclusion-paths]
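Review bot: "any path for your app that starts with `/public` does not request a client certificate" describes a plain string-prefix rule, so the section should say whether `/publicfoo` is also excluded or whether matching stops at a path-segment boundary; because exclusion paths switch off the client-certificate requirement, an over-broad prefix silently exposes more of the app than intended, and the reader needs to know how to scope it (for example whether a trailing slash is honoured). Smaller point in the step list: "specify a path, or a list of paths separated by `,` or `;`, and click **OK**" has a stray comma after "path"; read "specify a path or a list of paths separated by `,` or `;`, and click **OK**".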
app-service App Service Web Tutorial Connect Msi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-connect-msi.md
All that's left now is to publish your changes to Azure.
In the publish page, click **Publish**.
+> [!IMPORTANT]
+> Ensure that your app service name doesn't match with any existing [App Registrations](../active-directory/manage-apps/add-application-portal.md). This will lead to Principal ID conflicts.
+ **If you came from [Tutorial: Build an ASP.NET Core and SQL Database app in Azure App Service](tutorial-dotnetcore-sqldb-app.md)**, publish your changes using Git, with the following commands: ```bash
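Review bot: the important note "Ensure that your app service name doesn't match with any existing App Registrations. This will lead to Principal ID conflicts." reads as if following the advice causes the conflict; make the cause explicit, for example "Make sure your App Service name does not match any existing App Registration; a matching name leads to Principal ID conflicts." Also "match with" should be "match".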
app-service Configure Language Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-nodejs.md
description: Learn how to configure a Node.js app in the native Windows instance
ms.devlang: nodejs Previously updated : 06/02/2020 Last updated : 04/23/2021 zone_pivot_groups: app-service-platform-windows-linux
For more information on how App Service runs and builds Node.js apps in Linux, s
The Node.js containers come with [PM2](https://pm2.keymetrics.io/), a production process manager. You can configure your app to start with PM2, or with NPM, or with a custom command. -- [Run custom command](#run-custom-command)-- [Run npm start](#run-npm-start)-- [Run with PM2](#run-with-pm2)
+|Tool|Purpose|
+|--|--|
+|[Run with PM2](#run-with-pm2)|**Recommended** - Production or staging use. PM2 provides a full-service app management platform.|
+|[Run npm start](#run-npm-start)|Development use only.|
+|[Run custom command](#run-custom-command)|Either development or staging.|
++
+### Run with PM2
+
+The container automatically starts your app with PM2 when one of the common Node.js files is found in your project:
+
+- *bin/www*
+- *server.js*
+- *app.js*
+- *index.js*
+- *hostingstart.js*
+- One of the following [PM2 files](https://pm2.keymetrics.io/docs/usage/application-declaration/#process-file): *process.json* and *ecosystem.config.js*
+
+You can also configure a custom start file with the following extensions:
+
+- A *.js* file
+- A [PM2 file](https://pm2.keymetrics.io/docs/usage/application-declaration/#process-file) with the extension *.json*, *.config.js*, *.yaml*, or *.yml*
+
+To add a custom start file, run the following command in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config set --resource-group <resource-group-name> --name <app-name> --startup-file "<filname-with-extension>"
+```
### Run custom command
To use a custom *package.json* in your project, run the following command in the
az webapp config set --resource-group <resource-group-name> --name <app-name> --startup-file "<filename>.json" ```
-### Run with PM2
-
-The container automatically starts your app with PM2 when one of the common Node.js files is found in your project:
--- *bin/www*-- *server.js*-- *app.js*-- *index.js*-- *hostingstart.js*-- One of the following [PM2 files](https://pm2.keymetrics.io/docs/usage/application-declaration/#process-file): *process.json* and *ecosystem.config.js*-
-You can also configure a custom start file with the following extensions:
--- A *.js* file-- A [PM2 file](https://pm2.keymetrics.io/docs/usage/application-declaration/#process-file) with the extension *.json*, *.config.js*, *.yaml*, or *.yml*-
-To add a custom start file, run the following command in the [Cloud Shell](https://shell.azure.com):
-
-```azurecli-interactive
-az webapp config set --resource-group <resource-group-name> --name <app-name> --startup-file "<filname-with-extension>"
-```
## Debug remotely
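Review bot: the relocated "Run with PM2" section re-adds the original typo at the `az webapp config set --resource-group <resource-group-name> --name <app-name> --startup-file "<filname-with-extension>"` line; since the block is rewritten in this commit anyway, correct the placeholder to `<filename-with-extension>`. In the new table, the PM2 row's "**Recommended** - Production or staging use." uses a hyphen as a separator where a period or colon would match the other two rows.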
app-service Deploy Zip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-zip.md
description: Learn how to deploy your app to Azure App Service with a ZIP file (
Last updated 08/12/2019 -+
app-service Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/networking/private-endpoint.md
description: Connect privately to a Web App using Azure Private Endpoint
ms.assetid: 2dceac28-1ba6-4904-a15d-9e91d5ee162c Previously updated : 04/23/2021 Last updated : 04/27/2021
Remote Debugging functionality is not available when Private Endpoint is enabled
FTP access is provided through the inbound public IP address. Private Endpoint does not support FTP access to the Web App.
-There is a known limitation affecting Private Endpoints and traffic routing with slots. As of April 2021, automatic and manual request routing between slots will result in a "403 Access Denied". This limitation will be removed in a future release.
+There is a known limitation affecting Private Endpoints and traffic routing with slots (aka [Test in Production feature][TiP]). As of April 2021, automatic and manual request routing between slots will result in a "403 Access Denied". This limitation will be removed in a future release.
We are improving Private Link feature and Private Endpoint regularly, check [this article][pllimitations] for up-to-date information about limitations.
We are improving Private Link feature and Private Endpoint regularly, check [thi
[howtoguide4]: ../scripts/template-deploy-private-endpoint.md [howtoguide5]: https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-privateendpoint-vnet-injection [howtoguide6]: ../scripts/terraform-secure-backend-frontend.md
+[TiP]: https://docs.microsoft.com/azure/app-service/deploy-staging-slots#route-traffic
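Review bot: the new `[TiP]` definition uses an absolute `https://docs.microsoft.com/azure/app-service/deploy-staging-slots#route-traffic` URL while the neighbouring `[howtoguide4]` and `[howtoguide6]` definitions are repo-relative; use `../deploy-staging-slots.md#route-traffic` so the link is validated at build time and follows the reader's locale. In the sentence that uses it, "(aka [Test in Production feature][TiP])" is informal for this article; read "(also known as the [Test in Production feature][TiP])".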
app-service Quickstart Arm Template Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-arm-template-uiex.md
ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a Last updated 10/16/2020-+ zone_pivot_groups: app-service-platform-windows-linux
app-service Quickstart Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-arm-template.md
ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a Last updated 10/16/2020-+ zone_pivot_groups: app-service-platform-windows-linux adobe-target: true adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021
app-service Quickstart Ruby https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-ruby.md
description: Get started with Azure App Service by deploying your first Ruby app
keywords: azure app service, linux, oss, ruby, rails ms.assetid: 6d00c73c-13cb-446f-8926-923db4101afa Previously updated : 07/11/2019 Last updated : 04/27/2021
app-service Troubleshoot Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/troubleshoot-diagnostic-logs.md
The following table shows the supported log types and descriptions:
| AppServiceEnvironmentPlatformLogs | Yes | N/A | Yes | Yes | App Service Environment: scaling, configuration changes, and status logs| | AppServiceAuditLogs | Yes | Yes | Yes | Yes | Login activity via FTP and Kudu | | AppServiceFileAuditLogs | Yes | Yes | TBA | TBA | File changes made to the site content; **only available for Premium tier and above** |
-| AppServiceAppLogs | ASP .NET & Java Tomcat <sup>1</sup> | ASP .NET & Java Tomcat <sup>1</sup> | Java SE & Tomcat Blessed Images <sup>2</sup> | Java SE & Tomcat Blessed Images <sup>2</sup> | Application logs |
+| AppServiceAppLogs | ASP .NET & Tomcat <sup>1</sup> | ASP .NET & Tomcat <sup>1</sup> | Java SE & Tomcat Blessed Images <sup>2</sup> | Java SE & Tomcat Blessed Images <sup>2</sup> | Application logs |
| AppServiceIPSecAuditLogs | Yes | Yes | Yes | Yes | Requests from IP Rules | | AppServicePlatformLogs | TBA | Yes | Yes | Yes | Container operation logs | | AppServiceAntivirusScanAuditLogs | Yes | Yes | Yes | Yes | [Anti-virus scan logs](https://azure.github.io/AppService/2020/12/09/AzMon-AppServiceAntivirusScanAuditLogs.html) using Microsoft Defender; **only available for Premium tier** |
-<sup>1</sup> For Java Tomcat apps, add "TOMCAT_USE_STARTUP_BAT" to the app settings and set it to false or 0. Need to be on the *latest* Tomcat version and use *java.util.logging*.
+<sup>1</sup> For Tomcat apps, add "TOMCAT_USE_STARTUP_BAT" to the app settings and set it to false or 0. Need to be on the *latest* Tomcat version and use *java.util.logging*.
<sup>2</sup> For Java SE apps, add "$WEBSITE_AZMON_PREVIEW_ENABLED" to the app settings and set it to true or to 1.
app-service Tutorial Auth Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-auth-aad.md
description: Learn how to use App Service authentication and authorization to se
keywords: app service, azure app service, authN, authZ, secure, security, multi-tiered, azure active directory, azure ad ms.devlang: dotnet Previously updated : 04/29/2020 Last updated : 04/26/2021 zone_pivot_groups: app-service-platform-windows-linux
In **Resource groups**, find and select your resource group. In **Overview**, se
:::image type="content" source="./media/tutorial-auth-aad/portal-navigate-back-end.png" alt-text="Screenshot of the Resource groups window, showing the Overview for an example resource group and a back-end app's management page selected.":::
-In your back-end app's left menu, select **Authentication / Authorization**, then enable App Service Authentication by selecting **On**.
+In your back-end app's left menu, select **Authentication**, and then click **Add identity provider**.
-In **Action to take when request is not authenticated**, select **Log in with Azure Active Directory**.
+In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Azure AD identities.
-Under **Authentication Providers**, select **Azure Active Directory**.
+For **App registration** > **App registration type**, select **Create new app registration**.
-
-Select **Express**, then accept the default settings to create a new AD app and select **OK**.
+For **App registration** > **Supported account types**, select **Current tenant-single tenant**.
-In the **Authentication / Authorization** page, select **Save**.
+In the **App Service authentication settings** section, leave **Authentication** set to **Require authentication** and **Unauthenticated requests** set to **HTTP 302 Found redirect: recommended for websites**.
-Once you see the notification with the message `Successfully saved the Auth Settings for <back-end-app-name> App`, refresh the portal page.
+At the bottom of the **Add an identity provider** page, click **Add** to enable authentication for your web app.
-Select **Azure Active Directory** again, and then select the **Azure AD App**.
-Copy the **Client ID** of the Azure AD application to a notepad. You need this value later.
+The **Authentication** page opens. Copy the **Client ID** of the Azure AD application to a notepad. You need this value later.
:::image type="content" source="./media/tutorial-auth-aad/get-application-id-back-end.png" alt-text="Screenshot of the Azure Active Directory Settings window showing the Azure AD App, and the Azure AD Applications window showing the Client ID to copy.":::
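Review bot: the screenshot alt text still describes the previous experience ("Azure Active Directory Settings window showing the Azure AD App, and the Azure AD Applications window showing the Client ID") although the steps above it were rewritten for the new **Authentication** page and **Add identity provider** flow; update `get-application-id-back-end.png` and its alt text to show where **Client ID** appears on the **Authentication** page. Wording nit in the second new step: "select **Microsoft** as the **Identity provider** to sign in Microsoft and Azure AD identities" should read "to sign in with Microsoft and Azure AD identities".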
automation Hybrid Runbook Worker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/hybrid-runbook-worker.md
The following issues are possible causes:
#### Resolution ##### Mistyped workspace ID or key
-To verify if the agent's workspace ID or workspace key was mistyped, see [Adding or removing a workspace - Windows agent](../../azure-monitor/platform/agent-manage.md#windows-agent) for the Windows agent or [Adding or removing a workspace - Linux agent](../../azure-monitor/platform/agent-manage.md#linux-agent) for the Linux agent. Make sure to select the full string from the Azure portal, and copy and paste it carefully.
+To verify if the agent's workspace ID or workspace key was mistyped, see [Adding or removing a workspace - Windows agent](../../azure-monitor/agents/agent-manage.md#windows-agent) for the Windows agent or [Adding or removing a workspace - Linux agent](../../azure-monitor/agents/agent-manage.md#linux-agent) for the Linux agent. Make sure to select the full string from the Azure portal, and copy and paste it carefully.
##### Configuration not downloaded
If you don't see your problem here or you can't resolve your issue, try one of t
* Get answers from Azure experts through [Azure Forums](https://azure.microsoft.com/support/forums/). * Connect with [@AzureSupport](https://twitter.com/azuresupport), the official Microsoft Azure account for improving customer experience. Azure Support connects the Azure community to answers, support, and experts.
-* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get Support**.
+* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get Support**.
availability-zones Az Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
To achieve comprehensive business continuity on Azure, build your application ar
| Products | Resiliency | |--|:-:|
-| [Application Gateway (V2)](https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) | :large_blue_diamond: |
-| [Azure Backup](https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-storage-redundancy) | :large_blue_diamond: |
-| [Azure Cosmos DB](https://docs.microsoft.com/azure/cosmos-db/high-availability#availability-zone-support) | :large_blue_diamond: |
-| [Azure Data Lake Storage Gen 2](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-introduction) | :large_blue_diamond: |
-| [Azure Express Route](https://docs.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute) | :large_blue_diamond: |
-| [Azure Public IP](https://docs.microsoft.com/azure/virtual-network/public-ip-addresses) | :large_blue_diamond: |
-| Azure SQL Database ([General Purpose Tier](https://docs.microsoft.com/azure/azure-sql/database/high-availability-sla)) | :large_blue_diamond: |
-| Azure SQL Database([Premium & Business Critical Tier](https://docs.microsoft.com/azure/azure-sql/database/high-availability-sla)) | :large_blue_diamond: |
-| [Disk Storage](https://docs.microsoft.com/azure/storage/common/storage-redundancy) | :large_blue_diamond: |
-| [Event Hubs](https://docs.microsoft.com/azure/event-hubs/event-hubs-geo-dr#availability-zones) | :large_blue_diamond: |
-| [Key Vault](https://docs.microsoft.com/azure/key-vault/general/disaster-recovery-guidance) | :large_blue_diamond: |
-| [Load Balancer](https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones) | :large_blue_diamond: |
-| [Service Bus](https://docs.microsoft.com/azure/service-bus-messaging/service-bus-geo-dr#availability-zones) | :large_blue_diamond: |
-| [Service Fabric](https://docs.microsoft.com/azure/service-fabric/service-fabric-cross-availability-zones#:~:text=An%20Availability%20Zone%20is%20a%20unique%20physical%20location,zones.%20This%20will%20ensure%20high-availability%20of%20your%20applications) | :large_blue_diamond: |
-| [Storage Account](https://docs.microsoft.com/azure/storage/common/storage-redundancy) | :large_blue_diamond: |
-| Storage: [Hot/Cool Blob Storage Tiers](https://docs.microsoft.com/azure/storage/common/storage-redundancy) | :large_blue_diamond: |
-| Storage: [Managed Disks](https://docs.microsoft.com/azure/virtual-machines/managed-disks-overview) | :large_blue_diamond: |
-| [Virtual Machines Scale Sets](https://docs.microsoft.com/azure/virtual-machine-scale-sets/scripts/cli-sample-zone-redundant-scale-set) | :large_blue_diamond: |
-| [Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Av2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Bs-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [DSv2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [DSv3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Dv2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Dv3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [ESv3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Ev3-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [F-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [FS-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Shared Image Gallery](https://docs.microsoft.com/azure/virtual-machines/shared-image-galleries#make-your-images-highly-available) | :large_blue_diamond: |
-| [Virtual Network](https://docs.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) | :large_blue_diamond: |
-| [VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) | :large_blue_diamond: |
+| [Application Gateway (V2)](../application-gateway/application-gateway-autoscaling-zone-redundant.md) | :large_blue_diamond: |
+| [Azure Backup](../backup/backup-create-rs-vault.md#set-storage-redundancy) | :large_blue_diamond: |
+| [Azure Cosmos DB](../cosmos-db/high-availability.md#availability-zone-support) | :large_blue_diamond: |
+| [Azure Data Lake Storage Gen 2](../storage/blobs/data-lake-storage-introduction.md) | :large_blue_diamond: |
+| [Azure Express Route](../expressroute/designing-for-high-availability-with-expressroute.md) | :large_blue_diamond: |
+| [Azure Public IP](../virtual-network/public-ip-addresses.md) | :large_blue_diamond: |
+| Azure SQL Database ([General Purpose Tier](../azure-sql/database/high-availability-sla.md)) | :large_blue_diamond: |
+| Azure SQL Database([Premium & Business Critical Tier](../azure-sql/database/high-availability-sla.md)) | :large_blue_diamond: |
+| [Disk Storage](../storage/common/storage-redundancy.md) | :large_blue_diamond: |
+| [Event Hubs](../event-hubs/event-hubs-geo-dr.md#availability-zones) | :large_blue_diamond: |
+| [Key Vault](../key-vault/general/disaster-recovery-guidance.md) | :large_blue_diamond: |
+| [Load Balancer](../load-balancer/load-balancer-standard-availability-zones.md) | :large_blue_diamond: |
+| [Service Bus](../service-bus-messaging/service-bus-geo-dr.md#availability-zones) | :large_blue_diamond: |
+| [Service Fabric](../service-fabric/service-fabric-cross-availability-zones.md) | :large_blue_diamond: |
+| [Storage Account](../storage/common/storage-redundancy.md) | :large_blue_diamond: |
+| Storage: [Hot/Cool Blob Storage Tiers](../storage/common/storage-redundancy.md) | :large_blue_diamond: |
+| Storage: [Managed Disks](../virtual-machines/managed-disks-overview.md) | :large_blue_diamond: |
+| [Virtual Machines Scale Sets](../virtual-machine-scale-sets/scripts/cli-sample-zone-redundant-scale-set.md) | :large_blue_diamond: |
+| [Virtual Machines](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Av2-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Bs-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [DSv2-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [DSv3-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Dv2-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Dv3-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [ESv3-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Ev3-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [F-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [FS-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Shared Image Gallery](../virtual-machines/shared-image-galleries.md#make-your-images-highly-available) | :large_blue_diamond: |
+| [Virtual Network](../vpn-gateway/create-zone-redundant-vnet-gateway.md) | :large_blue_diamond: |
+| [VPN Gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md) | :large_blue_diamond: |
**Mainstream services**
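Review bot: the `Virtual Network` row links to `../vpn-gateway/create-zone-redundant-vnet-gateway.md`, a VPN Gateway how-to, so the link does not back the product named in the row; point it at Virtual Network documentation or rename the row. Dropping the `#:~:text=...` suffix from the Service Fabric link is correct, since that is a browser text fragment rather than an anchor in the page. Minor: `Azure SQL Database([Premium & Business Critical Tier]` is missing a space before the parenthesis.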
To achieve comprehensive business continuity on Azure, build your application ar
| Products | Resiliency | |--|:-:|
-| [App Service Environments](https://docs.microsoft.com/azure/app-service/environment/zone-redundancy) | :large_blue_diamond: |
-| [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) | :large_blue_diamond: |
-| [Azure API Management](https://docs.microsoft.com/azure/api-management/zone-redundancy) | :large_blue_diamond: |
-| [Azure Bastion](https://docs.microsoft.com/azure/bastion/bastion-overview) | :large_blue_diamond: |
-| [Azure Cache for Redis](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-high-availability) | :large_blue_diamond: |
-| [Azure Cognitive Search](https://docs.microsoft.com/azure/search/search-performance-optimization#availability-zones) | :large_blue_diamond: |
-| Azure Cognitive
-| [Azure Data Explorer](https://docs.microsoft.com/azure/data-explorer/create-cluster-database-portal) | :large_blue_diamond: |
-| Azure Database for MySQL ΓÇô [Flexible Server](https://docs.microsoft.com/azure/mysql/flexible-server/concepts-high-availability) | :large_blue_diamond: |
-| Azure Database for PostgreSQL ΓÇô [Flexible Server](https://docs.microsoft.com/azure/postgresql/flexible-server/overview) | :large_blue_diamond: |
-| [Azure DDoS Protection](https://docs.microsoft.com/azure/ddos-protection/ddos-faq) | :large_blue_diamond: |
-| [Azure Disk Encryption](https://docs.microsoft.com/azure/virtual-machines/disks-redundancy) | :large_blue_diamond: |
-| [Azure Firewall](https://docs.microsoft.com/azure/firewall/deploy-availability-zone-powershell#:~:text=For%20more%20information%20about%20Azure%20Firewall%20Availability%20Zones%2C,This%20creates%20a%20zone-redundant%20IP%20address%20by%20default) | :large_blue_diamond: |
-| [Azure Firewall Manager](https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy) | :large_blue_diamond: |
-| [Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/availability-zones) | :large_blue_diamond: |
-| [Azure Private Link](https://docs.microsoft.com/azure/private-link/private-link-overview) | :large_blue_diamond: |
-| [Azure Site Recovery](https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery) | :large_blue_diamond: |
-| Azure SQL: [Virtual Machine](https://docs.microsoft.com/azure/azure-sql/database/high-availability-sla) | :large_blue_diamond: |
-| [Azure Web Application Firewall](https://docs.microsoft.com/azure/firewall/deploy-availability-zone-powershell#:~:text=For%20more%20information%20about%20Azure%20Firewall%20Availability%20Zones%2C,This%20creates%20a%20zone-redundant%20IP%20address%20by%20default) | :large_blue_diamond: |
-| [Container Registry](https://docs.microsoft.com/azure/container-registry/zone-redundancy) | :large_blue_diamond: |
-| [Event Grid](https://docs.microsoft.com/azure/event-grid/overview) | :large_blue_diamond: |
-| [Network Watcher](https://docs.microsoft.com/azure/network-watcher/frequently-asked-questions#service-availability-and-redundancy) | :large_blue_diamond: |
-| Network Watcher: [Traffic Analytics](https://docs.microsoft.com/azure/network-watcher/frequently-asked-questions#service-availability-and-redundancy) | :large_blue_diamond: |
-| [Power BI Embedded](https://docs.microsoft.com/power-bi/admin/service-admin-failover#what-does-high-availability) | :large_blue_diamond: |
-| [Premium Blob Storage](https://docs.microsoft.com/azure/storage/blobs/storage-blob-performance-tiers#:~:text=Table%201%20%20%20%20Area%20%20,%20%20Currently%20supports%20only%20locally-redundan%20...%20) | :large_blue_diamond: |
-| Storage: [Azure Premium Files](https://docs.microsoft.com/azure/storage/files/storage-files-planning) | :large_blue_diamond: |
-| Virtual Machines: [Azure Dedicated Host](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Ddsv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Ddv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Dsv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Dv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Edsv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Edv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Esv4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Ev4-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [Fsv2-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| Virtual Machines: [M-Series](https://docs.microsoft.com/azure/virtual-machines/windows/create-powershell-availability-zone) | :large_blue_diamond: |
-| [Virtual WAN](https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about#how-are-availability-zones-and-resiliency-handled-in-virtual-wan) | :large_blue_diamond: |
-| Virtual WAN: [ExpressRoute](https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about#how-are-availability-zones-and-resiliency-handled-in-virtual-wan) | :large_blue_diamond: |
-| Virtual WAN: [Point-to-Site VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) | :large_blue_diamond: |
-| Virtual WAN: [Site-to-Site VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) | :large_blue_diamond: |
+| [App Service Environments](../app-service/environment/zone-redundancy.md) | :large_blue_diamond: |
+| [Azure Active Directory Domain Services](../active-directory-domain-services/overview.md) | :large_blue_diamond: |
+| [Azure API Management](../api-management/zone-redundancy.md) | :large_blue_diamond: |
+| [Azure Bastion](../bastion/bastion-overview.md) | :large_blue_diamond: |
+| [Azure Cache for Redis](../azure-cache-for-redis/cache-high-availability.md) | :large_blue_diamond: |
+| [Azure Cognitive Search](../search/search-performance-optimization.md#availability-zones) | :large_blue_diamond: |
+| Azure Cognitive
+| [Azure Data Explorer](/azure/data-explorer/create-cluster-database-portal) | :large_blue_diamond: |
+| Azure Database for MySQL ΓÇô [Flexible Server](../mysql/flexible-server/concepts-high-availability.md) | :large_blue_diamond: |
+| Azure Database for PostgreSQL ΓÇô [Flexible Server](../postgresql/flexible-server/overview.md) | :large_blue_diamond: |
+| [Azure DDoS Protection](../ddos-protection/ddos-faq.md) | :large_blue_diamond: |
+| [Azure Disk Encryption](../virtual-machines/disks-redundancy.md) | :large_blue_diamond: |
+| [Azure Firewall](../firewall/deploy-availability-zone-powershell.md) | :large_blue_diamond: |
+| [Azure Firewall Manager](../firewall-manager/quick-firewall-policy.md) | :large_blue_diamond: |
+| [Azure Kubernetes Service (AKS)](../aks/availability-zones.md) | :large_blue_diamond: |
+| [Azure Private Link](../private-link/private-link-overview.md) | :large_blue_diamond: |
+| [Azure Site Recovery](../site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery.md) | :large_blue_diamond: |
+| Azure SQL: [Virtual Machine](../azure-sql/database/high-availability-sla.md) | :large_blue_diamond: |
+| [Azure Web Application Firewall](../firewall/deploy-availability-zone-powershell.md) | :large_blue_diamond: |
+| [Container Registry](../container-registry/zone-redundancy.md) | :large_blue_diamond: |
+| [Event Grid](../event-grid/overview.md) | :large_blue_diamond: |
+| [Network Watcher](../network-watcher/frequently-asked-questions.md#service-availability-and-redundancy) | :large_blue_diamond: |
+| Network Watcher: [Traffic Analytics](../network-watcher/frequently-asked-questions.md#service-availability-and-redundancy) | :large_blue_diamond: |
+| [Power BI Embedded](/power-bi/admin/service-admin-failover#what-does-high-availability) | :large_blue_diamond: |
+| [Premium Blob Storage](../storage/blobs/storage-blob-performance-tiers.md) | :large_blue_diamond: |
+| Storage: [Azure Premium Files](../storage/files/storage-files-planning.md) | :large_blue_diamond: |
+| Virtual Machines: [Azure Dedicated Host](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Ddsv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Ddv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Dsv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Dv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Edsv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Edv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Esv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Ev4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [Fsv2-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| Virtual Machines: [M-Series](../virtual-machines/windows/create-powershell-availability-zone.md) | :large_blue_diamond: |
+| [Virtual WAN](../virtual-wan/virtual-wan-about.md#how-are-availability-zones-and-resiliency-handled-in-virtual-wan) | :large_blue_diamond: |
+| Virtual WAN: [ExpressRoute](../virtual-wan/virtual-wan-about.md#how-are-availability-zones-and-resiliency-handled-in-virtual-wan) | :large_blue_diamond: |
+| Virtual WAN: [Point-to-Site VPN Gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md) | :large_blue_diamond: |
+| Virtual WAN: [Site-to-Site VPN Gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md) | :large_blue_diamond: |
**Specialized Services**
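Review bot: several rows point at the wrong article and the hunk rewrites every row, so this is the place to fix them: `Azure Web Application Firewall` links to `../firewall/deploy-availability-zone-powershell.md`, the Azure Firewall deployment guide, not WAF; `Azure Disk Encryption` links to `../virtual-machines/disks-redundancy.md`, which covers disk storage redundancy rather than encryption; and `Azure SQL: Virtual Machine` links to the Azure SQL Database HA SLA page. Also `ΓÇô` in the MySQL and PostgreSQL rows is a mis-encoded en dash in both old and new text, and the `Azure Cognitive` row is still an incomplete table row in both versions.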
Azure Availability Zones are available with your Azure subscription. Learn more
## Next steps > [!div class="nextstepaction"]
-> [Regions and Availability Zones in Azure](az-overview.md)
+> [Regions and Availability Zones in Azure](az-overview.md)
azure-app-configuration Howto Leverage Json Content Type https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/howto-leverage-json-content-type.md
az appconfig kv export -d file --format json --path "~/Export.json" --separator
``` > [!NOTE]
-> If your App Configuration store has some key-values without JSON content-type, they will also be exported to the same file in string format. If you want to export only the JSON key-values, assign a unique label or prefix to your JSON key-values and use label or prefix filtering during export.
+> If your App Configuration store has some key-values without JSON content-type, they will also be exported to the same file in string format.
## Consuming JSON key-values in applications
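Review bot: the deleted second sentence was the only guidance on exporting just the JSON key-values (assign a label or prefix and filter on it during export). If label or prefix filtering still works with `az appconfig kv export`, keep the advice; if it was removed because the filter does not behave that way, the note should say what readers should do instead of silently dropping the option.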
azure-arc Migrate To Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/migrate-to-managed-instance.md
This method uses Azure Blob Storage as a temporary storage location that you can
### Step 1: Provision Azure blob storage
-1. Follow the steps described in [Create an Azure Blob Storage account](../../storage/blobs/storage-blob-create-account-block-blob.md?tabs=azure-portal)
+1. Follow the steps described in [Create an Azure Blob Storage account](../../storage/common/storage-account-create.md?tabs=azure-portal)
1. Launch Azure Storage Explorer 1. [Sign in to Azure](../../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#sign-in-to-azure) to access the blob storage created in previous step 1. Right-click on the blob storage account and select **Create Blob Container** to create a new container where the backup file will be stored
azure-arc Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/azure-rbac.md
A conceptual overview of this feature is available in [Azure RBAC - Azure Arc en
## Prerequisites -- [Install or upgrade Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) to version >= 2.16.0
+- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0
- Install the `connectedk8s` Azure CLI extension of version >= 1.1.0:
azure-arc Cluster Connect https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/cluster-connect.md
A conceptual overview of this feature is available in [Cluster connect - Azure A
## Prerequisites -- [Install or upgrade Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) to version >= 2.16.0
+- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0
- Install the `connectedk8s` Azure CLI extension of version >= 1.1.0:
You must be logged in to the server (Error:Error while retrieving group info. Er
``` To get past this error:
-1. Create a [service principal](https://docs.microsoft.com/cli/azure/create-an-azure-service-principal-azure-cli), which is less likely to be a member of more than 200 groups.
-1. [Sign in](https://docs.microsoft.com/cli/azure/create-an-azure-service-principal-azure-cli#sign-in-using-a-service-principal) to Azure CLI with the service principal before running `az connectedk8s proxy` command.
+1. Create a [service principal](/cli/azure/create-an-azure-service-principal-azure-cli), which is less likely to be a member of more than 200 groups.
+1. [Sign in](/cli/azure/create-an-azure-service-principal-azure-cli#sign-in-using-a-service-principal) to Azure CLI with the service principal before running `az connectedk8s proxy` command.
## Next steps
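Review bot: the workaround replaces the signed-in user's identity with a service principal but does not say that the service principal then needs its own Azure RBAC role assignment for the connected cluster, since the user's group-based assignments no longer apply once `az connectedk8s proxy` runs under the service principal; add that step, and state that the underlying cause is the group-overage limit on the token ("more than 200 groups") rather than a cluster-side fault. Since the linked page covers both password and certificate credentials, prefer pointing readers at the certificate option for a principal that will be used interactively from workstations.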
azure-arc Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/custom-locations.md
A conceptual overview of this feature is available in [Custom locations - Azure
## Prerequisites -- [Install or upgrade Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) to version >= 2.16.0.
+- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0.
- `connectedk8s` (version >= 1.1.0), `k8s-extension` (version >= 0.2.0) and `customlocation` (version >= 0.1.0) Azure CLI extensions. Install these Azure CLI extensions by running the following commands:
azure-arc Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/extensions.md
A conceptual overview of this feature is available in [Cluster extensions - Azur
## Prerequisites -- [Install or upgrade Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) to version >= 2.16.0.
+- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0.
- `connectedk8s` (version >= 1.1.0) and `k8s-extension` (version >= 0.2.0) Azure CLI extensions. Install these Azure CLI extensions by running the following commands: ```azurecli
az k8s-extension create --name azuremonitor-containers --extension-type Microso
> [!NOTE] > * The service is unable to retain sensitive information for more than 48 hours. If Azure Arc enabled Kubernetes agents don't have network connectivity for more than 48 hours and cannot determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension Azure resource.
-> * * Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-optout-hybrid).
+> * * Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](../../azure-monitor/containers/container-insights-optout-hybrid.md).
**Required parameters**
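Review bot: the second bullet of the note still starts with `* *`, which renders as a bullet whose text begins with a bare asterisk; drop the duplicated marker. The 48-hour retention statement in the first bullet and the singleton constraint in the second are the two things a reader needs before running `az k8s-extension create`, so keeping them in one note is fine once the marker is fixed.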
azure-arc Quickstart Connect Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/quickstart-connect-cluster.md
In this quickstart, we'll reap the benefits of Azure Arc enabled Kubernetes and
* Install the [latest release of Helm 3](https://helm.sh/docs/intro/install).
-* [Install or upgrade Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) to version >= 2.16.0
+* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0
* Install the `connectedk8s` Azure CLI extension of version >= 1.0.0: ```azurecli
az connectedk8s delete --name AzureArcTest1 --resource-group AzureArcTest
Advance to the next article to learn how to deploy configurations to your connected Kubernetes cluster using GitOps. > [!div class="nextstepaction"]
-> [Deploy configurations using Gitops](tutorial-use-gitops-connected-cluster.md)
+> [Deploy configurations using Gitops](tutorial-use-gitops-connected-cluster.md)
azure-arc Tutorial Gitops Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/tutorial-gitops-ci-cd.md
This tutorial assumes familiarity with Azure DevOps, Azure Repos and Pipelines,
## Import application and GitOps repos into Azure Repos
-Import an [application repo](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-ci-cd#application-repo) and a [GitOps repo](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-ci-cd#gitops-repo) into Azure Repos. For this tutorial, use the following example repos:
+Import an [application repo](./conceptual-gitops-ci-cd.md#application-repo) and a [GitOps repo](./conceptual-gitops-ci-cd.md#gitops-repo) into Azure Repos. For this tutorial, use the following example repos:
* **arc-cicd-demo-src** application repo * URL: https://github.com/Azure/arc-cicd-demo-src
In this tutorial, you have set up a full CI/CD workflow that implements DevOps f
Advance to our conceptual article to learn more about GitOps and configurations with Azure Arc enabled Kubernetes. > [!div class="nextstepaction"]
-> [CI/CD Workflow using GitOps - Azure Arc enabled Kubernetes](https://docs.microsoft.com/azure/azure-arc/kubernetes/conceptual-gitops-ci-cd)
+> [CI/CD Workflow using GitOps - Azure Arc enabled Kubernetes](./conceptual-gitops-ci-cd.md)
azure-arc Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/agent-overview.md
Title: Overview of the Connected Machine agent description: This article provides a detailed overview of the Azure Arc enabled servers agent available, which supports monitoring virtual machines hosted in hybrid environments. Previously updated : 03/25/2021 Last updated : 04/27/2021
Metadata information about the connected machine is collected after the Connecte
* Operating system name, type, and version * Computer name
+* Computer manufacturer and model
* Computer fully qualified domain name (FQDN) * Connected Machine agent version * Active Directory and DNS fully qualified domain name (FQDN)
Metadata information about the connected machine is collected after the Connecte
* Connected Machine agent version * Public key for managed identity * Policy compliance status and details (if using Azure Policy Guest Configuration policies)
+* SQL Server installed (Boolean value)
+* Cluster resource ID (for Azure Stack HCI nodes)
The following metadata information is requested by the agent from Azure:
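Review bot: the three new metadata items (manufacturer and model, SQL Server installed, cluster resource ID) are added to the collected list without saying which agent version started sending them; the release notes in this same update attribute them to version 1.5, so say that here so readers on 1.4 do not expect to see them. For `SQL Server installed (Boolean value)`, state how presence is determined, since anyone auditing what the agent reads on the host will ask.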
The following versions of the Windows and Linux operating system are officially
- Windows Server 2008 R2, Windows Server 2012 R2 and higher (including Server Core) - Ubuntu 16.04 and 18.04 LTS (x64)-- CentOS Linux 7 (x64)
+- CentOS Linux 7 and 8 (x64)
- SUSE Linux Enterprise Server (SLES) 15 (x64)-- Red Hat Enterprise Linux (RHEL) 7 (x64)
+- Red Hat Enterprise Linux (RHEL) 7 and 8 (x64)
- Amazon Linux 2 (x64) - Oracle Linux 7
azure-arc Agent Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/agent-release-notes.md
Title: What's new with Azure Arc enabled servers agent description: This article has release notes for Azure Arc enabled servers agent. For many of the summarized issues, there are links to more details. Previously updated : 03/31/2021 Last updated : 04/27/2021 # What's new with Azure Arc enabled servers agent
The Azure Arc enabled servers Connected Machine agent receives improvements on a
- Known issues - Bug fixes
+## April 2021
+
+Version 1.5
+
+### New feature
+
+- Added support for Red Hat Enterprise Linux 8 and CentOS Linux 8.
+- New `-useStderr` parameter to direct error and verbose output to stderr.
+- New `-json` parameter to direct output results in JSON format (when used with -useStderr).
+- Collect other instance metadata - Manufacturer, model, if SQL Server is installed (Boolean), and cluster resource ID (for Azure Stack HCI nodes).
+
## March 2021 Version 1.4
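Review bot: the two new flags are written `-useStderr` and `-json` (single dash) while the `--config` parameter in the March 2021 entry below uses a double dash; confirm the spelling the binary accepts and use it consistently here and in manage-agent.md. The qualifier on `-json` ("when used with -useStderr") reads as if JSON output is unavailable on its own; if that is the real behaviour, say so plainly, and if `-json` works alone, drop the qualifier.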
-## New feature
+### New feature
- Added support for private endpoints, which is currently in limited preview. - Expanded list of exit codes for azcmagent. - Agent configuration parameters can now be read from a file with the `--config` parameter.
-## Fixed
+### Fixed
Network endpoint checks are now faster.
azure-arc Manage Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-agent.md
Title: Managing the Azure Arc enabled servers agent description: This article describes the different management tasks that you will typically perform during the lifecycle of the Azure Arc enabled servers Connected Machine agent. Previously updated : 02/10/2021 Last updated : 04/27/2021
The Azcmagent tool (Azcmagent.exe) is used to configure the Azure Arc enabled se
* **Version** - Shows the Connected Machine agent version.
+* **-useStderr** - Directs error and verbose output to stderr. Include the `-json` parameter to output the results in JSON format.
+ * **-h or --help** - Shows available command-line parameters For example, to see detailed help for the **Connect** parameter, type `azcmagent connect -h`.
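Review bot: the new `-useStderr` bullet does not say which `azcmagent` commands accept it, unlike the surrounding entries which describe commands; add that, or note it is global. Typo in the following bullet: "command-line parameters For example" needs a period before "For".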
azure-cache-for-redis Cache Web App Aspnet Core Howto https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-web-app-aspnet-core-howto.md
After a few moments, the resource group and all of its resources are deleted.
For information on deploying to Azure, see: > [!div class="nextstepaction"]
-> [Tutorial: Build an ASP.NET Core and SQL Database app in Azure App Service](/azure/app-service/tutorial-dotnetcore-sqldb-app)
+> [Tutorial: Build an ASP.NET Core and SQL Database app in Azure App Service](../app-service/tutorial-dotnetcore-sqldb-app.md)
For information about storing the cache connection secret in Azure Key Vault, see:
Want to scale your cache from a lower tier to a higher tier?
Want to optimize and save on your cloud spending? > [!div class="nextstepaction"]
-> [Start analyzing costs with Cost Management](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn)
+> [Start analyzing costs with Cost Management](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn)
azure-functions Analyze Telemetry Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/analyze-telemetry-data.md
In addition to telemetry data collected by Application Insights, you can also ge
| Metric | Description | | - | - |
-| **FunctionExecutionCount** | Function execution count indicates the number of times your function app has executed. This correlates to the number of times a function runs in your app. This metric isn't currently supported for Premium and Dedicated (App Service) plans running on Linux. |
+| **FunctionExecutionCount** | Function execution count indicates the number of times your function app has executed. This correlates to the number of times a function runs in your app. |
| **FunctionExecutionUnits** | Function execution units are a combination of execution time and your memory usage. Memory data isn't a metric currently available through Azure Monitor. However, if you want to optimize the memory usage of your app, can use the performance counter data collected by Application Insights. This metric isn't currently supported for Premium and Dedicated (App Service) plans running on Linux.| To learn more about calculating costs for a Consumption plan using Application Insights data, see [Estimating Consumption plan costs](functions-consumption-costs.md). To learn more about using Monitor Explorer to view metrics, see [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md).
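Review bot: the Linux-plan limitation is removed from the FunctionExecutionCount row, but the adjacent FunctionExecutionUnits row still ends with "This metric isn't currently supported for Premium and Dedicated (App Service) plans running on Linux."; confirm whether the limitation was lifted for both metrics, because a reader will take the remaining sentence as deliberate. The same row also reads "if you want to optimize the memory usage of your app, can use the performance counter data", missing "you".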
To learn more about calculating costs for a Consumption plan using Application I
Learn more about monitoring Azure Functions: + [Monitor Azure Functions](functions-monitoring.md)
-+ [How to configure monitoring for Azure Functions](configure-monitoring.md)
++ [How to configure monitoring for Azure Functions](configure-monitoring.md)
azure-functions Functions App Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-app-settings.md
Valid values:
| `powershell` | [PowerShell](functions-reference-powershell.md) | | `python` | [Python](functions-reference-python.md) |
+## MDMaxBackgroundUpgradePeriod
+
+Controls the managed dependencies background update period for PowerShell function apps, with a default value of `7.00:00:00` (weekly).
+
+Each PowerShell worker process initiates checking for module upgrades on the PowerShell Gallery on process start and every `MDMaxBackgroundUpgradePeriod` after that. When a new module version is available in the PowerShell Gallery, it's installed to the file system and made available to PowerShell workers. Decreasing this value lets your function app get newer module versions sooner, but it also increases the app resource usage (network I/O, CPU, storage). Increasing this value decreases the app's resource usage, but it may also delay delivering new module versions to your app.
+
+|Key|Sample value|
+|||
+|MDMaxBackgroundUpgradePeriod|7.00:00:00|
+
+To learn more, see [Dependency management](functions-reference-powershell.md#dependency-management).
+
+## MDNewSnapshotCheckPeriod
+
+Specifies how often each PowerShell worker checks whether managed dependency upgrades have been installed. The default frequency is `01:00:00` (hourly).
+
+After new module versions are installed to the file system, every PowerShell worker process must be restarted. Restarting PowerShell workers affects your app availability as it can interrupt current function execution. Until all PowerShell worker processes are restarted, function invocations may use either the old or the new module versions. Restarting all PowerShell workers completes within `MDNewSnapshotCheckPeriod`.
+
+Within every `MDNewSnapshotCheckPeriod`, the PowerShell worker checks whether or not managed dependency upgrades have been installed. When upgrades have been installed, a restart is initiated. Increasing this value decreases the frequency of interruptions because of restarts. However, the increase might also increase the time during which function invocations could use either the old or the new module versions, non-deterministically.
+
+|Key|Sample value|
+|||
+|MDNewSnapshotCheckPeriod|01:00:00|
+
+To learn more, see [Dependency management](functions-reference-powershell.md#dependency-management).
++
+## MDMinBackgroundUpgradePeriod
+
+The period of time after a previous managed dependency upgrade check before another upgrade check is started, with a default of `1.00:00:00` (daily).
+
+To avoid excessive module upgrades on frequent Worker restarts, checking for module upgrades isn't performed when any worker has already initiated that check in the last `MDMinBackgroundUpgradePeriod`.
+
+|Key|Sample value|
+|||
+|MDMinBackgroundUpgradePeriod|1.00:00:00|
+
+To learn more, see [Dependency management](functions-reference-powershell.md#dependency-management).
+ ## PIP\_EXTRA\_INDEX\_URL The value for this setting indicates a custom package index URL for Python apps. Use this setting when you need to run a remote build using custom dependencies that are found in an extra package index.
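Review bot: the three new MD* sections describe automatic module upgrades without saying how a reader opts out of a new version. Since `MDMaxBackgroundUpgradePeriod` means whatever newer version the PowerShell Gallery serves is installed and made available to workers, each section should point at the requirements.psd1 version-targeting guidance (this commit adds a "Target specific versions" section to functions-reference-powershell.md), so that shortening the period is understood as also shortening the time before an unreviewed module version runs in the app. Smaller points: the `MDNewSnapshotCheckPeriod` section repeats itself (the intro already says it "Specifies how often each PowerShell worker checks whether managed dependency upgrades have been installed", and the third paragraph restates it as "Within every `MDNewSnapshotCheckPeriod`, the PowerShell worker checks whether or not managed dependency upgrades have been installed"); merge the paragraphs. The added line just before `## MDMinBackgroundUpgradePeriod` shows a stray `+`, which will render as text if it is a literal character rather than a blank diff line.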
The file path to the function app code and configuration in an event-driven scal
Only used when deploying to a Premium plan or to a Consumption plan running on Windows. Not supported for Consumptions plans running Linux. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).
-When using a Azure Resource Manager to create a function app during deployment, don't include WEBSITE_CONTENTSHARE in the template. This application setting is generated during deployment. To learn more, see [Automate resource deployment for your function app](functions-infrastructure-as-code.md#windows).
+When using an Azure Resource Manager template to create a function app during deployment, don't include WEBSITE_CONTENTSHARE in the template. This application setting is generated during deployment. To learn more, see [Automate resource deployment for your function app](functions-infrastructure-as-code.md#windows).
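Review bot: the fix for "a Azure Resource Manager" leaves "Not supported for Consumptions plans running Linux" in the sentence immediately above ("Consumptions" should be "Consumption"); fix both in the same pass.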
## WEBSITE\_DNS\_SERVER
Allows you to set the timezone for your function app.
## WEBSITE\_VNET\_ROUTE\_ALL
-Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of `1` indicates that all traffic is routed through the virtual network. You need to use this setting when using using features of [Regional virtual network integration](functions-networking-options.md#regional-virtual-network-integration). It's also used when a [virtual network NAT gateway is used to define a static outbound IP address](functions-how-to-use-nat-gateway.md).
+Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of `1` indicates that all traffic is routed through the virtual network. You need this setting when using features of [Regional virtual network integration](functions-networking-options.md#regional-virtual-network-integration). It's also used when a [virtual network NAT gateway is used to define a static outbound IP address](functions-how-to-use-nat-gateway.md).
|Key|Sample value| |||
azure-functions Functions Compare Logic Apps Ms Flow Webjobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-compare-logic-apps-ms-flow-webjobs.md
You can mix and match services when you build an orchestration, calling function
| **Actions** | Each activity is an Azure function; write code for activity functions |[Large collection of ready-made actions](../logic-apps/logic-apps-workflow-actions-triggers.md)| | **Monitoring** | [Azure Application Insights](../azure-monitor/app/app-insights-overview.md) | [Azure portal](../logic-apps/quickstart-create-first-logic-app-workflow.md), [Azure Monitor logs](../logic-apps/monitor-logic-apps.md)| | **Management** | [REST API](durable/durable-functions-http-api.md), [Visual Studio](/visualstudio/azure/vs-azure-tools-resources-managing-with-cloud-explorer) | [Azure portal](../logic-apps/quickstart-create-first-logic-app-workflow.md), [REST API](/rest/api/logic/), [PowerShell](/powershell/module/az.logicapp), [Visual Studio](../logic-apps/manage-logic-apps-with-visual-studio.md) |
-| **Execution context** | Can run [locally](functions-runtime-overview.md) or in the cloud | Runs only in the cloud|
+| **Execution context** | Can run [locally](./functions-kubernetes-keda.md) or in the cloud | Runs only in the cloud|
<a name="function"></a>
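Review bot: the Execution context cell still says Durable Functions "Can run locally", but the link target changed from functions-runtime-overview.md to functions-kubernetes-keda.md, which covers running Functions on Kubernetes with KEDA rather than on a developer machine. Either keep the text and point it at an article about local execution, or change the cell to something like "Can run on Kubernetes or in the cloud" so the link text matches where the reader lands.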
azure-functions Functions Event Grid Blob Trigger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-event-grid-blob-trigger.md
This article demonstrates how to debug and deploy a local Event Grid Blob trigge
- Create or use an existing function app - Create or use an existing storage account - Have version 5.0+ of the [Microsoft.Azure.WebJobs.Extensions.Storage extension](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/5.0.0-beta.2) installed-- Have version 2.1.0+ of the [Event Grid extension](https://docs.microsoft.com/azure/azure-functions/functions-bindings-event-grid) installed - Download [ngrok](https://ngrok.com/) to allow Azure to call your local function ## Create a new function
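Review bot: the prerequisites keep an absolute `https://docs.microsoft.com/azure/azure-functions/functions-bindings-event-grid` link while this commit converts such links elsewhere to relative `.md` paths; use `./functions-bindings-event-grid.md`, as the Next steps list in the same article already does. The Storage extension item says "version 5.0+" but links the `5.0.0-beta.2` package page; say explicitly whether a prerelease is required, because a reader following the text alone cannot tell.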
This article demonstrates how to debug and deploy a local Event Grid Blob trigge
http://localhost:7071/runtime/webhooks/blobs?functionName=Host.Functions.{functionname} ```
+ # [Java](#tab/java)
+
+ ```http
+ http://localhost:7071/runtime/webhooks/blobs?functionName=Host.Functions.{functionname}
+ ```
+ Note your function app's name and that the trigger type is a blob trigger, which is indicated by `blobs` in the url. This will be needed when setting up endpoints later in the how to guide.
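Review bot: in the sentence after the new Java tab, "how to guide" should be "how-to guide" and "url" should be "URL". The placeholder style also differs from the production URL later in the article (`{functionname}` here, `<FUNCTION-NAME>` there); pick one so readers do not mistake one form for a literal binding expression.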
This article demonstrates how to debug and deploy a local Event Grid Blob trigge
Add **"source": "EventGrid"** to the function.json binding data. ```json
+ {
+ "scriptFile": "__init__.py",
+ "bindings": [
{
- "scriptFile": "__init__.py",
- "bindings": [
- {
- "name": "myblob",
- "type": "blobTrigger",
- "direction": "in",
- "path": "samples-workitems/{name}",
- "source": "EventGrid",
- "connection": "MyStorageAccountConnectionString"
- }
- ]
+ "name": "myblob",
+ "type": "blobTrigger",
+ "direction": "in",
+ "path": "samples-workitems/{name}",
+ "source": "EventGrid",
+ "connection": "MyStorageAccountConnectionString"
}
+ ]
+ }
```+
+ # [Java](#tab/java)
+ **Press F5** to build the function. Once the build is complete, add **"source": "EventGrid"** to the **function.json** binding data.
+
+ ```json
+ {
+ "scriptFile" : "../java-1.0-SNAPSHOT.jar",
+ "entryPoint" : "com.function.{MyFunctionName}.run",
+ "bindings" : [ {
+ "type" : "blobTrigger",
+ "direction" : "in",
+ "name" : "content",
+ "path" : "samples-workitems/{name}",
+ "dataType" : "binary",
+ "source": "EventGrid",
+ "connection" : "MyStorageAccountConnectionString"
+ } ]
+ }
+ ```
+ 1. Set a breakpoint in your function on the line that handles logging.
-1. **Press F5** to start a debugging session.
+1. Start a debugging session.
+
+ # [C#](#tab/csharp)
+ **Press F5** to start a debugging session.
+
+ # [Python](#tab/python)
+ **Press F5** to start a debugging session.
+
+ # [Java](#tab/java)
+ Open a new terminal and run the below mvn command to start the debugging session.
+
+ ```bash
+ mvn azure-functions:run
+ ```
+
+
[!INCLUDE [functions-event-grid-local-dev](../../includes/functions-event-grid-local-dev.md)]
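Review bot: the Java debugging tab tells the reader to set a breakpoint and then run `mvn azure-functions:run`, but that command starts the Functions host; say whether the breakpoint is hit with that alone or whether the reader must attach a debugger to the process, which the C# and Python tabs (F5) do implicitly. Structurally, the new tab groups (`# [C#](#tab/csharp)` through `# [Java](#tab/java)`) are not closed with a `---` line before the `[!INCLUDE ...]` unless it sits outside the shown context, and the C# and Python tabs carry identical one-line content, so one shared sentence plus a Java-only tab would be simpler. In the Java function.json sample, `{MyFunctionName}` in `entryPoint` and `../java-1.0-SNAPSHOT.jar` in `scriptFile` are values the reader must replace, while `{name}` in `path` is a real binding expression; the two look alike, so label the placeholders as such.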
https://<FUNCTION-APP-NAME>.azurewebsites.net/runtime/webhooks/blobs?functionNam
https://<FUNCTION-APP-NAME>.azurewebsites.net/runtime/webhooks/blobs?functionName=Host.Functions.<FUNCTION-NAME>&code=<BLOB-EXTENSION-KEY> ```
+# [Java](#tab/java)
+
+```http
+https://<FUNCTION-APP-NAME>.azurewebsites.net/runtime/webhooks/blobs?functionName=Host.Functions.<FUNCTION-NAME>&code=<BLOB-EXTENSION-KEY>
+```
+ ## Clean up resources
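Review bot: the Java tab repeats the production webhook URL with `code=<BLOB-EXTENSION-KEY>` in the query string; because that key is what authorizes calls into the function host, the article should say once that the completed URL is a credential: keep it out of source control, screenshots and shared documents, and pass it to the Event Grid subscription only through the portal or CLI. This tab also needs the same `---` closer as the earlier tab groups unless it sits outside the shown context.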
To clean up the resources created in this article, delete the event grid subscri
## Next steps - [Automate resizing uploaded images using Event Grid](../event-grid/resize-images-on-storage-blob-upload-event.md)-- [Event Grid trigger for Azure Functions](./functions-bindings-event-grid.md)
+- [Event Grid trigger for Azure Functions](./functions-bindings-event-grid.md)
azure-functions Functions How To Azure Devops https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-how-to-azure-devops.md
Last updated 04/18/2019 -+ # Continuous delivery by using Azure DevOps
azure-functions Functions Recover Storage Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-recover-storage-account.md
Your function app must be able to access the storage account. Common issues that
* The function app is deployed to your App Service Environment (ASE) without the correct network rules to allow traffic to and from the storage account. * The storage account firewall is enabled and not configured to allow traffic to and from functions. For more information, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md?toc=%2fazure%2fstorage%2ffiles%2ftoc.json).
-* Verify that the `allowSharedKeyAccess` setting is set to `true` which is its default value. For more information, see [Prevent Shared Key authorization for an Azure Storage account](https://docs.microsoft.com/azure/storage/common/shared-key-authorization-prevent?tabs=portal#verify-that-shared-key-access-is-not-allowed).
+* Verify that the `allowSharedKeyAccess` setting is set to `true` which is its default value. For more information, see [Prevent Shared Key authorization for an Azure Storage account](../storage/common/shared-key-authorization-prevent.md?tabs=portal#verify-that-shared-key-access-is-not-allowed).
## Daily execution quota is full
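Review bot: the `allowSharedKeyAccess` bullet sits in a list of "Common issues" but is phrased as an instruction, and it sends readers to an article titled "Prevent Shared Key authorization" while telling them to keep the setting at `true`. Rewrite it as the issue it describes ("Shared Key authorization is disabled on the storage account, that is, `allowSharedKeyAccess` is `false`") and state why the function app needs it, so someone hardening the account per the linked guidance learns up front that doing so breaks the function app rather than discovering it from this troubleshooting page. "set to `true` which is its default value" also needs a comma before "which".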
For more information about inbound rule configuration, see the "Network Security
Learn about monitoring your function apps: > [!div class="nextstepaction"]
-> [Monitor Azure Functions](functions-monitoring.md)
+> [Monitor Azure Functions](functions-monitoring.md)
azure-functions Functions Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-reference-powershell.md
Produce-MyOutputValue | Push-OutputBinding -Name myQueue
* When the output binding only accepts a singleton value, calling `Push-OutputBinding` a second time raises an error.
-#### `Push-OutputBinding` syntax
+#### Push-OutputBinding syntax
The following are valid parameters for calling `Push-OutputBinding`:
PS >Push-OutputBinding -Name outQueue -Value @("output #3", "output #4")
When written to the queue, the message contains these four values: "output #1", "output #2", "output #3", and "output #4".
-#### `Get-OutputBinding` cmdlet
+#### Get-OutputBinding cmdlet
You can use the `Get-OutputBinding` cmdlet to retrieve the values currently set for your output bindings. This cmdlet retrieves a hashtable that contains the names of the output bindings with their respective values.
When you create a new PowerShell functions project, dependency management is ena
When you update the requirements.psd1 file, updated modules are installed after a restart.
-> [!NOTE]
-> Managed dependencies requires access to www.powershellgallery.com to download modules. When running locally, make sure that the runtime can access this URL by adding any required firewall rules.
+### Target specific versions
-> [!NOTE]
-> Managed dependencies currently don't support modules that require the user to accept a license, either by accepting the license interactively, or by providing `-AcceptLicense` switch when invoking `Install-Module`.
+You may want to target a specific version of a module in your requirements.psd1 file. For example, if you wanted to use an older version of Az.Accounts than the one in the included Az module, you would need to target a specific version as shown in the following example:
+
+```powershell
+@{
+ Az.Accounts = '1.9.5'
+}
+```
+
+In this case, you also need to add an import statement to the top of your profile.ps1 file, which looks like the following example:
+
+```powershell
+Import-Module Az.Accounts -RequiredVersion '1.9.5'
+```
+
+In this way, the older version of the Az.Account module is loaded first when the function is started.
+
+### Dependency management considerations
+
+The following considerations apply when using dependency management:
+++ Managed dependencies requires access to <https://www.powershellgallery.com> to download modules. When running locally, make sure that the runtime can access this URL by adding any required firewall rules.
-The following application settings can be used to change how the managed dependencies are downloaded and installed. Your app upgrade starts within `MDMaxBackgroundUpgradePeriod`, and the upgrade process completes within approximately the `MDNewSnapshotCheckPeriod`.
++ Managed dependencies currently don't support modules that require the user to accept a license, either by accepting the license interactively, or by providing `-AcceptLicense` switch when invoking `Install-Module`.+
+### Dependency management app settings
+
+The following application settings can be used to change how the managed dependencies are downloaded and installed.
| Function App setting | Default value | Description | | -- | - | -- |
-| **`MDMaxBackgroundUpgradePeriod`** | `7.00:00:00` (7 days) | Each PowerShell worker process initiates checking for module upgrades on the PowerShell Gallery on process start and every `MDMaxBackgroundUpgradePeriod` after that. When a new module version is available in the PowerShell Gallery, it's installed to the file system and made available to PowerShell workers. Decreasing this value lets your function app get newer module versions sooner, but it also increases the app resource usage (network I/O, CPU, storage). Increasing this value decreases the app's resource usage, but it may also delay delivering new module versions to your app. |
-| **`MDNewSnapshotCheckPeriod`** | `01:00:00` (1 hour) | After new module versions are installed to the file system, every PowerShell worker process must be restarted. Restarting PowerShell workers affects your app availability as it can interrupt current function execution. Until all PowerShell worker processes are restarted, function invocations may use either the old or the new module versions. Restarting all PowerShell workers complete within `MDNewSnapshotCheckPeriod`. Increasing this value decreases the frequency of interruptions, but may also increase the period of time when function invocations use either the old or the new module versions non-deterministically. |
-| **`MDMinBackgroundUpgradePeriod`** | `1.00:00:00` (1 day) | To avoid excessive module upgrades on frequent Worker restarts, checking for module upgrades isn't performed when any worker has already initiated that check in the last `MDMinBackgroundUpgradePeriod`. |
+| **MDMaxBackgroundUpgradePeriod** | `7.00:00:00` (seven days) | Controls the background update period for PowerShell function apps. To learn more, see [MDMaxBackgroundUpgradePeriod](functions-app-settings.md#mdmaxbackgroundupgradeperiod). |
+| **MDNewSnapshotCheckPeriod** | `01:00:00` (one hour) | Specifies how often each PowerShell worker checks whether managed dependency upgrades have been installed. To learn more, see [MDNewSnapshotCheckPeriod](functions-app-settings.md#mdnewsnapshotcheckperiod).|
+| **MDMinBackgroundUpgradePeriod** | `1.00:00:00` (one day) | The period of time after a previous upgrade check before another upgrade check is started. To learn more, see [MDMinBackgroundUpgradePeriod](functions-app-settings.md#mdminbackgroundupgradeperiod).|
+
+Essentially, your app upgrade starts within `MDMaxBackgroundUpgradePeriod`, and the upgrade process completes within approximately the `MDNewSnapshotCheckPeriod`.
-Leveraging your own custom modules is a little different than how you would do it normally.
+## Custom modules
+
+Leveraging your own custom modules in Azure Functions differs from how you would do it normally for PowerShell.
On your local computer, the module gets installed in one of the globally available folders in your `$env:PSModulePath`. When running in Azure, you don't have access to the modules installed on your machine. This means that the `$env:PSModulePath` for a PowerShell function app differs from `$env:PSModulePath` in a regular PowerShell script.
In Functions, `PSModulePath` contains two paths:
* A `Modules` folder that exists at the root of your function app. * A path to a `Modules` folder that is controlled by the PowerShell language worker. -
-### Function app-level `Modules` folder
+### Function app-level modules folder
To use custom modules, you can place modules on which your functions depend in a `Modules` folder. From this folder, modules are automatically available to the functions runtime. Any function in the function app can use these modules. > [!NOTE]
-> Modules specified in the requirements.psd1 file are automatically downloaded and included in the path so you don't need to include them in the modules folder. These are stored locally in the `$env:LOCALAPPDATA/AzureFunctions` folder and in the `/data/ManagedDependencies` folder when run in the cloud.
+> Modules specified in the [requirements.psd1 file](#dependency-management) are automatically downloaded and included in the path so you don't need to include them in the modules folder. These are stored locally in the `$env:LOCALAPPDATA/AzureFunctions` folder and in the `/data/ManagedDependencies` folder when run in the cloud.
To take advantage of the custom module feature, create a `Modules` folder in the root of your function app. Copy the modules you want to use in your functions to this location.
PSFunctionApp
When you start your function app, the PowerShell language worker adds this `Modules` folder to the `$env:PSModulePath` so that you can rely on module autoloading just as you would in a regular PowerShell script.
-### Language worker level `Modules` folder
+### Language worker level modules folder
Several modules are commonly used by the PowerShell language worker. These modules are defined in the last position of `PSModulePath`.
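Review bot: the new "Target specific versions" sample uses an unquoted hashtable key containing a dot (`Az.Accounts = '1.9.5'`); quote it (`'Az.Accounts' = '1.9.5'`) so the sample does not depend on how PowerShell tokenizes a dotted bareword in key position, since the quoted form works in every case. Two lines later, "the older version of the Az.Account module" should read `Az.Accounts`. Pinning a version also means the managed-dependency upgrader described under "Dependency management app settings" no longer delivers newer releases of that module; say so here and tell the reader to revisit the pin periodically. Finally, "loaded first when the function is started" should say what the `Import-Module Az.Accounts -RequiredVersion '1.9.5'` line is loaded ahead of, namely the newer Az.Accounts that the included Az module would otherwise bring in, which the opening sentence of the section already implies.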
Azure PowerShell uses some _process-level_ contexts and state to help save you f
There's immense value in concurrency with Azure PowerShell, since some operations can take a considerable amount of time. However, you must proceed with caution. If you suspect that you're experiencing a race condition, set the PSWorkerInProcConcurrencyUpperBound app setting to `1` and instead use [language worker process level isolation](functions-app-settings.md#functions_worker_process_count) for concurrency.
-## Configure function `scriptFile`
+## Configure function scriptFile
By default, a PowerShell function is executed from `run.ps1`, a file that shares the same parent directory as its corresponding `function.json`.
When you work with PowerShell functions, be aware of the considerations in the f
When developing Azure Functions in the [serverless hosting model](consumption-plan.md), cold starts are a reality. *Cold start* refers to period of time it takes for your function app to start running to process a request. Cold start happens more frequently in the Consumption plan because your function app gets shut down during periods of inactivity.
-### Bundle modules instead of using `Install-Module`
+### Bundle modules instead of using Install-Module
Your script is run on every invocation. Avoid using `Install-Module` in your script. Instead use `Save-Module` before publishing so that your function doesn't have to waste time downloading the module. If cold starts are impacting your functions, consider deploying your function app to an [App Service plan](dedicated-plan.md) set to *always on* or to a [Premium plan](functions-premium-plan.md).
azure-functions Streaming Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/streaming-logs.md
Title: Stream execution logs in Azure Functions
description: 115-145 characters including spaces. This abstract displays in the search result. Last updated 9/1/2020 -+ # Customer intent: As a developer, I want to be able to configure streaming logs so that I can see what's happening in my functions in near real time.
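Review bot: the `description:` front-matter value shown here is the article template's placeholder ("115-145 characters including spaces. This abstract displays in the search result.") and will be published as the page's meta description; replace it with a real abstract before merging.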
azure-government Documentation Accelerate Compliance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/documentation-accelerate-compliance.md
Microsoft is able to scale through its partners. Scale is what will allow us to
## Publishing to Azure Marketplace
-1. Join the Partner Network - ItΓÇÖs a requirement for publishing but easy to sign up. Instructions are located here: [Ensure you have a MPN ID and Partner Center Account](/azure/marketplace/create-account.md#create-a-partner-center-account-and-enroll-in-the-commercial-marketplace).
+1. Join the Partner Network - ItΓÇÖs a requirement for publishing but easy to sign up. Instructions are located here: [Ensure you have a MPN ID and Partner Center Account](/azure/marketplace/create-account#create-a-partner-center-account-and-enroll-in-the-commercial-marketplace).
2. Enable your partner center account as Publisher / Developer for Marketplace, follow the instructions [here](../../marketplace/create-account.md). 3. With an enabled Partner Center Account, publish listing as a SaaS App as instructed [here](../../marketplace/create-new-saas-offer.md).
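Review bot: step 1 now links the Partner Center account page as an absolute site path (`/azure/marketplace/create-account#...`) while step 2 on the next line links the same article as a relative `../../marketplace/create-account.md`; the rest of this commit moves links to the relative `.md` form, so use it here too. Also "a MPN ID" should be "an MPN ID", and the apostrophe in "ItΓÇÖs" appears mis-encoded in both the removed and added lines; if that is in the file rather than in the diff rendering, save the file as UTF-8.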
For a list of existing Azure Marketplace offerings in this space, visit [this pa
* To learn how Azure Blueprints help you when using Azure Policy review the [blog post](https://azure.microsoft.com/blog/new-azure-blueprint-simplifies-compliance-with-nist-sp-800-53/). ## Next steps
-Review the documentation above. If you are still facing issues reach out to [Azure Government Partner Inquiries](mailto:azgovpartinf@microsoft.com).
+Review the documentation above. If you are still facing issues reach out to [Azure Government Partner Inquiries](mailto:azgovpartinf@microsoft.com).
azure-government Documentation Government Stig Linux Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-stig-linux-vm.md
Previously updated : 04/02/2021 Last updated : 04/27/2021 # Deploy STIG-compliant Linux Virtual Machines (Preview)
When no longer needed, you can delete the resource group, virtual machine, and a
Select the resource group for the virtual machine, then select **Delete**. Confirm the name of the resource group to finish deleting the resources.
+## Support
+
+Contact Azure support to get assistance with issues related to STIG solution templates. You can create and manage support requests in the Azure portal. For more information see, [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md). Use the following support paths when creating a ticket:
+
+Azure -> Virtual Machine running Linux -> Cannot create a VM -> Troubleshoot my ARM template error
++ ## Next steps This quickstart showed you how to deploy a STIG-compliant Linux virtual machine (Preview) on Azure or Azure Government. For more information about creating virtual machines in:
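Review bot: in the new Support section the comma is on the wrong side of "see" ("For more information see, [Create an Azure support request]" should be "For more information, see ..."), and "Use the following support paths" introduces a single path, so make it singular. The path line ("Azure -> Virtual Machine running Linux -> Cannot create a VM -> Troubleshoot my ARM template error") is plain text and will be reflowed as a paragraph; set it as a code span or a list so the arrows survive rendering.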
azure-government Documentation Government Stig Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-stig-windows-vm.md
Previously updated : 04/02/2021 Last updated : 04/27/2021 # Deploy STIG-compliant Windows Virtual Machines (Preview)
When no longer needed, you can delete the resource group, virtual machine, and a
Select the resource group for the virtual machine, then select **Delete**. Confirm the name of the resource group to finish deleting the resources.
+## Support
+
+Contact Azure support to get assistance with issues related to STIG solution templates. You can create and manage support requests in the Azure portal. For more information see, [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md). Use the following support paths when creating a ticket:
+
+Azure -> Virtual Machine running Windows -> Cannot create a VM -> Troubleshoot my ARM template error
++ ## Next steps This quickstart showed you how to deploy a STIG-compliant Windows virtual machine (Preview) on Azure or Azure Government. For more information about creating virtual machines in:
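Review bot: same issues as the Linux article's Support section: "For more information see, ..." should be "For more information, see ...", "support paths" should be singular for one path, and the arrow path line should be set as a code span or list so it is not reflowed as prose.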
azure-maps Web Sdk Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/web-sdk-best-practices.md
Generally, when looking to improve performance of the map, look for ways to redu
## Security basics
-The single most important part of your application is its security. If your application isnΓÇÖt secure a hacker can ruin any application, no matter how good the user experience might be. The following are some tips to keep your Azure Maps application secure. When using Azure, be sure to familiarize yourself with the security tools available to you. See this document for an [introduction to Azure security](https://docs.microsoft.com/azure/security/fundamentals/overview).
+The single most important part of your application is its security. If your application isnΓÇÖt secure a hacker can ruin any application, no matter how good the user experience might be. The following are some tips to keep your Azure Maps application secure. When using Azure, be sure to familiarize yourself with the security tools available to you. See this document for an [introduction to Azure security](../security/fundamentals/overview.md).
> [!IMPORTANT] > Azure Maps provides two methods of authentication.
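Review bot: beyond the link fix, the second sentence ("If your application isn't secure a hacker can ruin any application, no matter how good the user experience might be") switches from "your application" to "any application" and lacks the comma after the conditional; tighten it to "If your application isn't secure, no amount of user-experience polish will save it." The apostrophe shows as `ΓÇÖ` in both the removed and added lines, so check that the file is saved as UTF-8. The `> [!IMPORTANT]` box that follows opens with "Azure Maps provides two methods of authentication." and nothing more in the shown context; make sure the box names both methods and says which one to prefer, since that choice is the security decision this section exists to inform.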
When data is added to the Azure Maps interactive map SDKs, it is rendered locall
If your application is loading data that should not be publicly accessible, make sure that the data is stored in a secure location, is accessed in a secure manner, and that the application itself is locked down and only available to your desired users. If any of these steps are skipped, an unauthorized person has the potential to access this data. Azure Active Directory can assist you with locking this down.
-See this tutorial on [adding authentication to your web app running on Azure App Service](https://docs.microsoft.com/azure/app-service/scenario-secure-app-authentication-app-service)
+See this tutorial on [adding authentication to your web app running on Azure App Service](../app-service/scenario-secure-app-authentication-app-service.md)
### Use the latest versions of Azure Maps
See the following articles for more tips on improving the user experience in you
Learn more about the terminology used by Azure Maps and the geospatial industry. > [!div class="nextstepaction"]
-> [Azure Maps glossary](glossary.md)
+> [Azure Maps glossary](glossary.md)
azure-monitor Agent Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agent-linux.md
The following are not supported:
- CIS - SELINUX
-CIS and SELINUX hardening support is planned for [Azure Monitoring Agent](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview). Further hardening and customization methods are not supported nor planned for OMS Agent.
+CIS and SELINUX hardening support is planned for [Azure Monitoring Agent](./azure-monitor-agent-overview.md). Further hardening and customization methods are not supported nor planned for OMS Agent.
## Agent prerequisites
The default cache size is 10 MB but can be modified in the [omsagent.conf file](
- Review [Managing and maintaining the Log Analytics agent for Windows and Linux](agent-manage.md) to learn about how to reconfigure, upgrade, or remove the agent from the virtual machine. -- Review [Troubleshooting the Linux agent](agent-linux-troubleshoot.md) if you encounter issues while installing or managing the agent.
+- Review [Troubleshooting the Linux agent](agent-linux-troubleshoot.md) if you encounter issues while installing or managing the agent.
azure-monitor Diagnostics Extension Windows Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/diagnostics-extension-windows-install.md
Last updated 02/17/2020 -+ # Install and configure Windows Azure diagnostics extension (WAD) [Azure diagnostics extension](diagnostics-extension-overview.md) is an agent in Azure Monitor that collects monitoring data from the guest operating system and workloads of Azure virtual machines and other compute resources. This article provides details on installing and configuring the Windows diagnostics extension and a description of how the data is stored in and Azure Storage account.
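Review bot: typo in the intro sentence of this hunk: "how the data is stored in and Azure Storage account" should be "how the data is stored in an Azure Storage account".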
azure-monitor Azure Web Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/azure-web-apps.md
For the latest information on the Application Insights agent/extension, check ou
When you create a web app with the `ASP.NET` or `ASP.NET Core` runtimes in Azure App Services it deploys a single static HTML page as a starter website. The static webpage also loads a ASP.NET managed web part in IIS. This allows for testing codeless server-side monitoring, but does not support automatic client-side monitoring.
-If you wish to test out codeless server and client-side monitoring for ASP.NET or ASP.NET Core in a Azure App Services web app we recommend following the official guides for [creating a ASP.NET Core web app](../../app-service/quickstart-dotnetcore.md) and [creating an ASP.NET Framework web app](../../app-service/quickstart-dotnet-framework.md) and then use the instructions in the current article to enable monitoring.
+If you wish to test out codeless server and client-side monitoring for ASP.NET or ASP.NET Core in a Azure App Services web app we recommend following the official guides for [creating a ASP.NET Core web app](../../app-service/quickstart-dotnetcore.md) and [creating an ASP.NET Framework web app](../../app-service/quickstart-dotnetcore.md?tabs=netframework48) and then use the instructions in the current article to enable monitoring.
### Connection string and instrumentation key
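Review bot: article errors in the updated sentence: "in a Azure App Services web app" should be "in an Azure App Service web app", and "creating a ASP.NET Core web app" should be "creating an ASP.NET Core web app". Since the ASP.NET Framework link now points at `quickstart-dotnetcore.md?tabs=netframework48`, confirm that the quickstart exposes a `netframework48` tab; otherwise the reader lands on the .NET Core tab and the link text "creating an ASP.NET Framework web app" misleads.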
For the latest updates and bug fixes [consult the release notes](./web-app-exten
* [Monitor service health metrics](../data-platform.md) to make sure your service is available and responsive. * [Receive alert notifications](../alerts/alerts-overview.md) whenever operational events happen or metrics cross a threshold. * Use [Application Insights for JavaScript apps and web pages](javascript.md) to get client telemetry from the browsers that visit a web page.
-* [Set up Availability web tests](monitor-web-app-availability.md) to be alerted if your site is down.
+* [Set up Availability web tests](monitor-web-app-availability.md) to be alerted if your site is down.
azure-monitor Java In Process Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-in-process-agent.md
See [configuration options](./java-standalone-config.md) for full details.
See the [configuration options](./java-standalone-config.md#auto-collected-azure-sdk-telemetry-preview) to enable this preview feature and capture the telemetry emitted by these Azure SDKs:
-* [App Configuration](https://docs.microsoft.com/java/api/overview/azure/data-appconfiguration-readme) 1.1.10+
-* [Cognitive Search](https://docs.microsoft.com/java/api/overview/azure/search-documents-readme) 11.3.0+
-* [Communication Chat](https://docs.microsoft.com/java/api/overview/azure/communication-chat-readme) 1.0.0+
-* [Communication Common](https://docs.microsoft.com/java/api/overview/azure/communication-common-readme) 1.0.0+
-* [Communication Identity](https://docs.microsoft.com/java/api/overview/azure/communication-identity-readme) 1.0.0+
-* [Communication Sms](https://docs.microsoft.com/java/api/overview/azure/communication-sms-readme) 1.0.0+
-* [Cosmos DB](https://docs.microsoft.com/java/api/overview/azure/cosmos-readme) 4.13.0+
-* [Event Grid](https://docs.microsoft.com/java/api/overview/azure/messaging-eventgrid-readme) 4.0.0+
-* [Event Hubs](https://docs.microsoft.com/java/api/overview/azure/messaging-eventhubs-readme) 5.6.0+
-* [Event Hubs - Azure Blob Storage Checkpoint Store](https://docs.microsoft.com/java/api/overview/azure/messaging-eventhubs-checkpointstore-blob-readme) 1.5.1+
-* [Form Recognizer](https://docs.microsoft.com/java/api/overview/azure/ai-formrecognizer-readme) 3.0.6+
-* [Identity](https://docs.microsoft.com/java/api/overview/azure/identity-readme) 1.2.4+
-* [Key Vault - Certificates](https://docs.microsoft.com/java/api/overview/azure/security-keyvault-certificates-readme) 4.1.6+
-* [Key Vault - Keys](https://docs.microsoft.com/java/api/overview/azure/security-keyvault-keys-readme) 4.2.6+
-* [Key Vault - Secrets](https://docs.microsoft.com/java/api/overview/azure/security-keyvault-secrets-readme) 4.2.6+
-* [Service Bus](https://docs.microsoft.com/java/api/overview/azure/messaging-servicebus-readme) 7.1.0+
-* [Text Analytics](https://docs.microsoft.com/java/api/overview/azure/ai-textanalytics-readme) 5.0.4+
+* [App Configuration](/java/api/overview/azure/data-appconfiguration-readme) 1.1.10+
+* [Cognitive Search](/java/api/overview/azure/search-documents-readme) 11.3.0+
+* [Communication Chat](/java/api/overview/azure/communication-chat-readme) 1.0.0+
+* [Communication Common](/java/api/overview/azure/communication-common-readme) 1.0.0+
+* [Communication Identity](/java/api/overview/azure/communication-identity-readme) 1.0.0+
+* [Communication Sms](/java/api/overview/azure/communication-sms-readme) 1.0.0+
+* [Cosmos DB](/java/api/overview/azure/cosmos-readme) 4.13.0+
+* [Event Grid](/java/api/overview/azure/messaging-eventgrid-readme) 4.0.0+
+* [Event Hubs](/java/api/overview/azure/messaging-eventhubs-readme) 5.6.0+
+* [Event Hubs - Azure Blob Storage Checkpoint Store](/java/api/overview/azure/messaging-eventhubs-checkpointstore-blob-readme) 1.5.1+
+* [Form Recognizer](/java/api/overview/azure/ai-formrecognizer-readme) 3.0.6+
+* [Identity](/java/api/overview/azure/identity-readme) 1.2.4+
+* [Key Vault - Certificates](/java/api/overview/azure/security-keyvault-certificates-readme) 4.1.6+
+* [Key Vault - Keys](/java/api/overview/azure/security-keyvault-keys-readme) 4.2.6+
+* [Key Vault - Secrets](/java/api/overview/azure/security-keyvault-secrets-readme) 4.2.6+
+* [Service Bus](/java/api/overview/azure/messaging-servicebus-readme) 7.1.0+
+* [Text Analytics](/java/api/overview/azure/ai-textanalytics-readme) 5.0.4+
[//]: # "the above names and links scraped from https://azure.github.io/azure-sdk/releases/latest/java.html" [//]: # "and version sync'd manually against the oldest version in maven central built on azure-core 1.14.0"
import com.microsoft.applicationinsights.web.internal.ThreadContext;
RequestTelemetry requestTelemetry = ThreadContext.getRequestTelemetryContext().getHttpRequestTelemetry(); String requestId = requestTelemetry.getId(); String operationId = requestTelemetry.getContext().getOperation().getId();
-```
+```
azure-monitor Status Monitor V2 Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/status-monitor-v2-get-started.md
If you don't have an Azure subscription, create a [free account](https://azure.m
### Install prerequisites -- To enable monitoring you will require a connection string. A connection string is displayed on the Overview blade of your Application Insights resource. For more information, see page [Connection Strings](https://docs.microsoft.com/azure/azure-monitor/app/sdk-connection-string?tabs=net#finding-my-connection-string).
+- To enable monitoring you will require a connection string. A connection string is displayed on the Overview blade of your Application Insights resource. For more information, see page [Connection Strings](./sdk-connection-string.md?tabs=net#finding-my-connection-string).
> [!NOTE] > As of April 2020, PowerShell Gallery has deprecated TLS 1.1 and 1.0.
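Review bot: "see page [Connection Strings](...)" in the updated bullet is awkward; "see [Connection strings](...)" or "see the [Connection strings](...) page" reads naturally. "you will require a connection string" can also be shortened to "you need a connection string".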
Enable-ApplicationInsightsMonitoring -ConnectionString 'xxxxxxxx-xxxx-xxxx-xxxx-
Do more with Application Insights Agent: - Review the [detailed instructions](status-monitor-v2-detailed-instructions.md) for an explanation of the commands found here.-- Use our guide to [troubleshoot](status-monitor-v2-troubleshoot.md) Application Insights Agent.-
+- Use our guide to [troubleshoot](status-monitor-v2-troubleshoot.md) Application Insights Agent.
azure-monitor Autoscale Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/autoscale/autoscale-overview.md
You can set up autoscale via
| API Management service|[Automatically scale an Azure API Management instance](../../api-management/api-management-howto-autoscale.md) | Azure Data Explorer Clusters|[Manage Azure Data Explorer clusters scaling to accommodate changing demand](/azure/data-explorer/manage-cluster-horizontal-scaling)| | Logic Apps |[Adding integration service environment (ISE) capacity](../../logic-apps/ise-manage-integration-service-environment.md#add-ise-capacity)|
-| Spring Cloud |[Set up autoscale for microservice applications](../../spring-cloud/spring-cloud-tutorial-setup-autoscale.md)|
+| Spring Cloud |[Set up autoscale for microservice applications](../../spring-cloud/how-to-setup-autoscale.md)|
| Service Bus |[Automatically update messaging units of an Azure Service Bus namespace](../../service-bus-messaging/automate-update-messaging-units.md)| ## Next steps
azure-monitor Container Insights Enable Existing Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/containers/container-insights-enable-existing-clusters.md
Title: Monitor an Azure Kubernetes Service (AKS) cluster deployed | Microsoft Do
description: Learn how to enable monitoring of an Azure Kubernetes Service (AKS) cluster with Container insights already deployed in your subscription. Last updated 09/12/2019-+ # Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed
azure-monitor Container Insights Enable New Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/containers/container-insights-enable-new-cluster.md
Title: Monitor a new Azure Kubernetes Service (AKS) cluster | Microsoft Docs
description: Learn how to enable monitoring for a new Azure Kubernetes Service (AKS) cluster with Container insights subscription. Last updated 04/25/2019-+ # Enable monitoring of a new Azure Kubernetes Service (AKS) cluster
azure-monitor Container Insights Optout https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/containers/container-insights-optout.md
Title: How to Stop Monitoring Your Azure Kubernetes Service cluster | Microsoft
description: This article describes how you can discontinue monitoring of your Azure AKS cluster with Container insights. Last updated 08/19/2019 -
azure-monitor Resource Logs Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/resource-logs-schema.md
The schema for resource logs varies depending on the resource and log category.
| Service Bus |[Azure Service Bus logs](../../service-bus-messaging/service-bus-diagnostic-logs.md) | | SQL Database | [Azure SQL Database logging](../../azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure.md) | | Stream Analytics |[Job logs](../../stream-analytics/stream-analytics-job-diagnostic-logs.md) |
-| Storage | [Blobs](/azure/storage/blobs/monitor-blob-storage-reference#resource-logs-preview), [Files](/azure/storage/files/storage-files-monitoring-reference#resource-logs-preview), [Queues](/azure/storage/queues/monitor-queue-storage-reference#resource-logs-preview), [Tables](/azure/storage/tables/monitor-table-storage-reference#resource-logs-preview) |
+| Storage | [Blobs](../../storage/blobs/monitor-blob-storage-reference.md#resource-logs-preview), [Files](../../storage/files/storage-files-monitoring-reference.md#resource-logs-preview), [Queues](../../storage/queues/monitor-queue-storage-reference.md#resource-logs-preview), [Tables](../../storage/tables/monitor-table-storage-reference.md#resource-logs-preview) |
| Traffic Manager | [Traffic Manager Log schema](../../traffic-manager/traffic-manager-diagnostic-logs.md) | | Virtual Networks | Schema not available. | | Virtual Network Gateways | Schema not available. |
The schema for resource logs varies depending on the resource and log category.
* [Learn more about resource logs](../essentials/platform-logs-overview.md) * [Stream resource resource logs to **Event Hubs**](./resource-logs.md#send-to-azure-event-hubs) * [Change resource log diagnostic settings using the Azure Monitor REST API](/rest/api/monitor/diagnosticsettings)
-* [Analyze logs from Azure storage with Log Analytics](./resource-logs.md#send-to-log-analytics-workspace)
+* [Analyze logs from Azure storage with Log Analytics](./resource-logs.md#send-to-log-analytics-workspace)
azure-monitor Sql Insights Enable https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/sql-insights-enable.md
Each type of SQL offers methods for your monitoring virtual machine to securely
SQL insights supports accessing your Azure SQL Database via it's public endpoint as well as from it's virtual network.
-For access via the public endpoint, you would add a rule under the **Firewall settings** page and the [IP firewall settings](https://docs.microsoft.com/azure/azure-sql/database/network-access-controls-overview#ip-firewall-rules) section. For specifying access from a virtual network, you can set [virtual network firewall rules](https://docs.microsoft.com/azure/azure-sql/database/network-access-controls-overview#virtual-network-firewall-rules) and set the [service tags required by the Azure Monitor agent](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview#networking). [This article](https://docs.microsoft.com/azure/azure-sql/database/network-access-controls-overview#ip-vs-virtual-network-firewall-rules) describes the differences between these two types of firewall rules.
+For access via the public endpoint, you would add a rule under the **Firewall settings** page and the [IP firewall settings](../../azure-sql/database/network-access-controls-overview.md#ip-firewall-rules) section. For specifying access from a virtual network, you can set [virtual network firewall rules](../../azure-sql/database/network-access-controls-overview.md#virtual-network-firewall-rules) and set the [service tags required by the Azure Monitor agent](../agents/azure-monitor-agent-overview.md#networking). [This article](../../azure-sql/database/network-access-controls-overview.md#ip-vs-virtual-network-firewall-rules) describes the differences between these two types of firewall rules.
:::image type="content" source="media/sql-insights-enable/set-server-firewall.png" alt-text="Set server firewall" lightbox="media/sql-insights-enable/set-server-firewall.png":::
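Review bot: the public-endpoint paragraph does not say how broad the IP firewall rule should be; add that the rule should be limited to the public IP address of the monitoring virtual machine rather than an open range, since every address the rule covers gets access to the SQL endpoint. While touching this paragraph, fix the preceding context line "via it's public endpoint as well as from it's virtual network": both should be "its".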
For access via the public endpoint, you would add a rule under the **Firewall se
### Azure SQL Managed Instances
-If your monitoring virtual machine will be in the same VNet as your SQL MI resources, then see [Connect inside the same VNet](https://docs.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance#connect-inside-the-same-vnet). If your monitoring virtual machine will be in the different VNet than your SQL MI resources, then see [Connect inside a different VNet](https://docs.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance#connect-inside-a-different-vnet).
+If your monitoring virtual machine will be in the same VNet as your SQL MI resources, then see [Connect inside the same VNet](../../azure-sql/managed-instance/connect-application-instance.md#connect-inside-the-same-vnet). If your monitoring virtual machine will be in the different VNet than your SQL MI resources, then see [Connect inside a different VNet](../../azure-sql/managed-instance/connect-application-instance.md#connect-inside-a-different-vnet).
### Azure virtual machine and Azure SQL virtual machine
-If your monitoring virtual machine is in the same VNet as your SQL virtual machine resources, then see [Connect to SQL Server within a virtual network](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/ways-to-connect-to-sql#connect-to-sql-server-within-a-virtual-network). If your monitoring virtual machine will be in the different VNet than your SQL virtual machine resources, then see [Connect to SQL Server over the internet](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/ways-to-connect-to-sql#connect-to-sql-server-over-the-internet).
+If your monitoring virtual machine is in the same VNet as your SQL virtual machine resources, then see [Connect to SQL Server within a virtual network](../../azure-sql/virtual-machines/windows/ways-to-connect-to-sql.md#connect-to-sql-server-within-a-virtual-network). If your monitoring virtual machine will be in the different VNet than your SQL virtual machine resources, then see [Connect to SQL Server over the internet](../../azure-sql/virtual-machines/windows/ways-to-connect-to-sql.md#connect-to-sql-server-over-the-internet).
## Store monitoring password in Key Vault You should store your SQL user connection passwords in a Key Vault rather than entering them directly into your monitoring profile connection strings.
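Review bot: "in the different VNet than your SQL MI resources" (and the same phrase in the SQL virtual machine paragraph) should be "in a different VNet from your SQL MI resources". The two paragraphs also switch between "will be in the same VNet" and "is in the same VNet" for the same condition; pick one tense for both.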
If you do not see data, see [Troubleshooting SQL insights](sql-insights-troubles
## Next steps -- See [Troubleshooting SQL insights](sql-insights-troubleshoot.md) if SQL insights isn't working properly after being enabled.
+- See [Troubleshooting SQL insights](sql-insights-troubleshoot.md) if SQL insights isn't working properly after being enabled.
azure-monitor Sql Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/sql-insights-overview.md
See [Troubleshooting SQL insights](sql-insights-troubleshoot.md) for instruction
## Data collected by SQL insights SQL insights performs all monitoring remotely. We do not install any agents on the virtual machines running SQL Server.
-SQL insights uses dedicated monitoring virtual machines to remotely collect data from your SQL resources. Each monitoring virtual machine will have the [Azure Monitor agent](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview) and the Workload insights (WLI) extension installed. The WLI extension includes the open source [Telegraf agent](https://www.influxdata.com/time-series-platform/telegraf/). SQL insights uses [data collection rules](https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-overview) to specify the data collection settings for Telegraf's [SQL Server plugin](https://www.influxdata.com/integration/microsoft-sql-server/).
+SQL insights uses dedicated monitoring virtual machines to remotely collect data from your SQL resources. Each monitoring virtual machine will have the [Azure Monitor agent](../agents/azure-monitor-agent-overview.md) and the Workload insights (WLI) extension installed. The WLI extension includes the open source [Telegraf agent](https://www.influxdata.com/time-series-platform/telegraf/). SQL insights uses [data collection rules](../agents/data-collection-rule-overview.md) to specify the data collection settings for Telegraf's [SQL Server plugin](https://www.influxdata.com/integration/microsoft-sql-server/).
Different sets of data are available for Azure SQL Database, Azure SQL Managed Instance, and SQL Server. The tables below describe the available data. You can customize which data sets to collect and the frequency of collection when you [create a monitoring profile](sql-insights-enable.md#create-sql-monitoring-profile).
The tables below have the following columns:
## Next steps - See [Enable SQL insights](sql-insights-enable.md) for instructions on enabling SQL insights-- See [Frequently asked questions](../faq.md#sql-insights-preview) for frequently asked questions about SQL insights
+- See [Frequently asked questions](../faq.md#sql-insights-preview) for frequently asked questions about SQL insights
azure-monitor Wire Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/wire-data.md
Last updated 03/26/2021
> >Support for Wire Data solution will end on **March 31, 2022**. Until the retirement date, existing customers using the Wire Data 2.0 (preview) solution may continue to use it. >
->New and existing customers should install the [VM insights](../vm/vminsights-enable-overview.md) or [Service Map solution](../vm/service-map.md). The Map data set they collect is comparable to the Wire Data 2.0 (preview) data set. VM insights includes the Service Map data set along with additional performance data and features for analysis. Both offerings have [connections with Azure Sentinel](https://docs.microsoft.com/azure/sentinel/connect-data-sources#map-data-types-with-azure-sentinel-connection-options).
+>New and existing customers should install the [VM insights](../vm/vminsights-enable-overview.md) or [Service Map solution](../vm/service-map.md). The Map data set they collect is comparable to the Wire Data 2.0 (preview) data set. VM insights includes the Service Map data set along with additional performance data and features for analysis. Both offerings have [connections with Azure Sentinel](../../sentinel/connect-data-sources.md#map-data-types-with-azure-sentinel-connection-options).
Wire data is consolidated network and performance data collected from Windows-connected and Linux-connected computers with the Log Analytics agent, including those monitored by Operations Manager in your environment. Network data is combined with your other log data to help you correlate data.
In addition to the Log Analytics agent, the Wire Data solution uses Microsoft De
## Migrate to Azure Monitor VM insights or Service Map
-In many cases, we see that customers often have both Wire Data 2.0 (preview) and [VM insights](../vm/vminsights-overview.md) or [Service Map solution](../vm/service-map.md) already enabled on the same VMs. This means you have the replacement offering enabled on your VM. You can simply [remove the Wire Data 2.0 (preview) solution from your Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/insights/solutions?tabs=portal#remove-a-monitoring-solution).
+In many cases, we see that customers often have both Wire Data 2.0 (preview) and [VM insights](../vm/vminsights-overview.md) or [Service Map solution](../vm/service-map.md) already enabled on the same VMs. This means you have the replacement offering enabled on your VM. You can simply [remove the Wire Data 2.0 (preview) solution from your Log Analytics workspace](./solutions.md?tabs=portal#remove-a-monitoring-solution).
-If you have VMs that only have Wire Data 2.0 (preview) enabled on them, then you can onboard the VMs to [VM insights](../vm/vminsights-enable-overview.md) or [Service Map solution](../vm/service-map.md) and then [remove the Wire Data 2.0 (preview) solution from your Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/insights/solutions?tabs=portal#remove-a-monitoring-solution).
+If you have VMs that only have Wire Data 2.0 (preview) enabled on them, then you can onboard the VMs to [VM insights](../vm/vminsights-enable-overview.md) or [Service Map solution](../vm/service-map.md) and then [remove the Wire Data 2.0 (preview) solution from your Log Analytics workspace](./solutions.md?tabs=portal#remove-a-monitoring-solution).
## Migrate your queries to the VMConnection table from Azure Monitor VM insights
VMConnection
### More examples queries
-Refer to the [VM insights log search documentation](https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-log-search) and the [VM insights alert documentation](https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-alerts#sample-alert-queries) for additional example queries.
+Refer to the [VM insights log search documentation](../vm/vminsights-log-search.md) and the [VM insights alert documentation](../vm/vminsights-alerts.md#sample-alert-queries) for additional example queries.
## Uninstall Wire Data 2.0 Solution
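Review bot: "In many cases, we see that customers often have ..." says the same thing twice; "Many customers already have both Wire Data 2.0 (preview) and VM insights or Service Map enabled on the same VMs" is enough, and the following sentence "This means you have the replacement offering enabled on your VM" then follows naturally. The link-only changes in the rest of the hunk look fine.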
To uninstall Wire Data 2.0 you simply need to remove the Solution from your Log
* the Wire Data Management pack being removed from the VMs that are connected to the Workspace * the Wire Data data type no longer appearing in your Workspace
-Follow [these instructions](https://docs.microsoft.com/azure/azure-monitor/insights/solutions?tabs=portal#remove-a-monitoring-solution) to remove the Wire Data solution.
+Follow [these instructions](./solutions.md?tabs=portal#remove-a-monitoring-solution) to remove the Wire Data solution.
>[!NOTE] >If you have either the Service Map or VM insights solution on your workspace then the management pack will not be removed, as these solutions also use this management pack.
A record with a type of _WireData_ is created for each type of input data. WireD
## Next steps -- See [Deploy VM insights](./vminsights-enable-overview.md) for requirements and methods that to enable monitoring for your virtual machines.-- [Search logs](../logs/log-query-overview.md) to view detailed wire data search records.
+- See [Deploy VM insights](../vm/vminsights-enable-overview.md) for requirements and methods that to enable monitoring for your virtual machines.
+- [Search logs](../logs/log-query-overview.md) to view detailed wire data search records.
azure-monitor Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/customer-managed-keys.md
description: Information and steps to configure Customer-managed key to encrypt
Previously updated : 01/10/2021 Last updated : 04/21/2021
Authorization: Bearer <token>
## Storing encryption key (KEK)
-Create or use an Azure Key Vault that you already have to generate, or import a key to be used for data encryption. The Azure Key Vault must be configured as recoverable to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both *Soft delete* and *Purge protection* should be enabled.
+Create or use existing Azure Key Vault in the region that the cluster is planed, then generate or import a key to be used for logs encryption. The Azure Key Vault must be configured as recoverable to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both *Soft delete* and *Purge protection* should be enabled.
![Soft delete and purge protection settings](media/customer-managed-keys/soft-purge-protection.png)
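Review bot: typo and grammar in the rewritten first sentence: "Create or use existing Azure Key Vault in the region that the cluster is planed" should be "Create a new Azure Key Vault, or use an existing one, in the region where the cluster is planned". The recoverability requirement that follows is the security-relevant part of the line; consider stating why *Soft delete* and *Purge protection* must be on (a deleted, non-recoverable key leaves the data it wraps unreadable), so readers do not treat the check as optional.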
All operations on the cluster require the `Microsoft.OperationalInsights/cluster
This step updates Azure Monitor Storage with the key and version to be used for data encryption. When updated, your new key is being used to wrap and unwrap the Storage key (AEK).
-Select the current version of your key in Azure Key Vault to get the key identifier details.
+>[!IMPORTANT]
+>- Key rotation can be automatic or require explicit key update, see [Key rotation](#key-rotation) to determine approach that is suitable for you before updating the key identifier details in cluster.
+>- Cluster update should not include both identity and key identifier details in the same operation. If you need to update both, the update should be in two consecutive operations.
![Grant Key Vault permissions](media/customer-managed-keys/key-identifier-8bit.png) Update KeyVaultProperties in cluster with key identifier details.
->[!NOTE]
->Key rotation supports two modes: auto-rotation or explicit key version update, see [Key rotation](#key-rotation) to determine the best approach for you.
- The operation is asynchronous and can take a while to complete. # [Azure portal](#tab/portal)
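Review bot: removing "Select the current version of your key in Azure Key Vault to get the key identifier details." leaves the key-identifier screenshot that follows without the step it illustrates; keep that sentence after the new IMPORTANT callout rather than dropping it. In the callout, "determine approach that is suitable for you" should be "determine the approach that suits you".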
Customer-Managed key is provided on dedicated cluster and these operations are r
- Your Azure Key Vault, cluster and workspaces must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.
+- Cluster update should not include both identity and key identifier details in the same operation. In case you need to update both, the update should be in two consecutive operations.
+ - Lockbox isn't available in China currently. - [Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption) is configured automatically for clusters created from October 2020 in supported regions. You can verify if your cluster is configured for double encryption by sending a GET request on the cluster and observing that the `isDoubleEncryptionEnabled` value is `true` for clusters with Double encryption enabled.
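Review bot: this new limitation bullet repeats the IMPORTANT callout added earlier in the same article with different wording ("In case you need to update both" versus "If you need to update both"); use one phrasing in both places, or have the limitation link to the section that carries the update steps instead of restating it.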
azure-monitor Logs Dedicated Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-dedicated-clusters.md
After you create your *Cluster* resource and it is fully provisioned, you can ed
- **keyVaultProperties** - Updates the key in Azure Key Vault. See [Update cluster with Key identifier details](../logs/customer-managed-keys.md#update-cluster-with-key-identifier-details). It contains the following parameters: *KeyVaultUri*, *KeyName*, *KeyVersion*. - **billingType** - The *billingType* property determines the billing attribution for the *cluster* resource and its data: - **Cluster** (default) - The Capacity Reservation costs for your Cluster are attributed to the *Cluster* resource.
- - **Workspaces** - The Capacity Reservation costs for your Cluster are attributed proportionately to the workspaces in the Cluster, with the *Cluster* resource being billed some of the usage if the total ingested data for the day is under the Capacity Reservation. See [Log Analytics Dedicated Clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters) to learn more about the Cluster pricing model.
+ - **Workspaces** - The Capacity Reservation costs for your Cluster are attributed proportionately to the workspaces in the Cluster, with the *Cluster* resource being billed some of the usage if the total ingested data for the day is under the Capacity Reservation. See [Log Analytics Dedicated Clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters) to learn more about the Cluster pricing model.
+ - **Identity** - The identity to be used to authenticate to your Key Valt. This can be System-assigned or User-assigned.
+
+>[!IMPORTANT]
+>Cluster update should not include both identity and key identifier details in the same operation. If you need to update both, the update should be in two consecutive operations.
> [!NOTE] > The *billingType* property is not supported in PowerShell.
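Review bot: the new **Identity** bullet is indented one level too deep: it sits under *billingType* beside the *Cluster* and *Workspaces* values, but it is a cluster property like *keyVaultProperties* and belongs at the top level of the list. Also "Key Valt" should be "Key Vault", and the bullet name should match the casing convention of the other property bullets (*keyVaultProperties*, *billingType*) rather than capitalized "Identity".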
Use the following REST call to delete a cluster:
- Cluster move to another resource group or subscription isn't supported currently.
+- Cluster update should not include both identity and key identifier details in the same operation. In case you need to update both, the update should be in two consecutive operations.
+ - Lockbox isn't available in China currently. - [Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption) is configured automatically for clusters created from October 2020 in supported regions. You can verify if your cluster is configured for double encryption by sending a GET request on the cluster and observing that the `isDoubleEncryptionEnabled` value is `true` for clusters with Double encryption enabled.
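Review bot: same wording mismatch as in customer-managed-keys.md: this bullet says "In case you need to update both" while the IMPORTANT callout added above says "If you need to update both"; use one phrasing in both articles.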
azure-monitor Manage Cost Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/manage-cost-storage.md
None of the legacy pricing tiers has regional-based pricing.
## Log Analytics and Azure Defender (Security Center)
-[Azure Defender (Security Center)](../../security-center/index.yml) billing is closely tied to Log Analytics billing. Azure Defender provides 500 MB/node/day allocation against the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security) (WindowsEvent, SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus) and the Update and UpdateSummary data types when the Update Management solution is not running on the workspace or solution targeting is enabled [learn more](https://docs.microsoft.com/azure/security-center/security-center-pricing#what-data-types-are-included-in-the-500-mb-free-data-limit). If the workspace is in the legacy Per Node pricing tier, the Azure Defender and Log Analytics allocations are combined and applied jointly to all billable ingested data.
+[Azure Defender (Security Center)](../../security-center/index.yml) billing is closely tied to Log Analytics billing. Azure Defender provides 500 MB/node/day allocation against the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security) (WindowsEvent, SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus) and the Update and UpdateSummary data types when the Update Management solution is not running on the workspace or solution targeting is enabled [learn more](../../security-center/security-center-pricing.md#what-data-types-are-included-in-the-500-mb-data-daily-allowance). If the workspace is in the legacy Per Node pricing tier, the Azure Defender and Log Analytics allocations are combined and applied jointly to all billable ingested data.
## Change the data retention period
You can track changes made to the daily cap using this query:
_LogOperation | where Operation == "Workspace Configuration" | where Detail contains "Daily quota" ```
-Learn more about the [_LogOperation](https://docs.microsoft.com/azure/azure-monitor/logs/monitor-workspace) function.
+Learn more about the [_LogOperation](./monitor-workspace.md) function.
### View the effect of the Daily Cap
Usage
While we present a visual cue in the Azure portal when your data limit threshold is met, this behavior doesn't necessarily align to how you manage operational issues requiring immediate attention. To receive an alert notification, you can create a new alert rule in Azure Monitor. To learn more, see [how to create, view, and manage alerts](../alerts/alerts-metric.md).
-To get you started, here are the recommended settings for the alert querying the `Operation` table using the `_LogOperation` function ([learn more](https://docs.microsoft.com/azure/azure-monitor/logs/monitor-workspace)).
+To get you started, here are the recommended settings for the alert querying the `Operation` table using the `_LogOperation` function ([learn more](./monitor-workspace.md)).
- Target: Select your Log Analytics resource - Criteria:
Note that the clause `where _IsBillable = true` filters out data types from cert
### Data volume by solution
-The query used to view the billable data volume by solution over the last month (excluding the last partial day) can be built using the [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) data type as:
+The query used to view the billable data volume by solution over the last month (excluding the last partial day) can be built using the [Usage](/azure/azure-monitor/reference/tables/usage) data type as:
```kusto Usage
Some suggestions for reducing the volume of logs collected include:
| Source of high data volume | How to reduce data volume | | -- | - |
-| Data Collection Rules | The [Azure Monitor Agent](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview) uses Data Collection Rules to manage the collection of data. You can [limit the collection of data](https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#limit-data-collection-with-custom-xpath-queries) using custom XPath queries. |
+| Data Collection Rules | The [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) uses Data Collection Rules to manage the collection of data. You can [limit the collection of data](../agents/data-collection-rule-azure-monitor-agent.md#limit-data-collection-with-custom-xpath-queries) using custom XPath queries. |
| Container Insights | [Configure Container Insights](../containers/container-insights-cost.md#controlling-ingestion-to-reduce-cost) to collect only the data you required. | | Security events | Select [common or minimal security events](../../security-center/security-center-enable-data-collection.md#data-collection-tier) <br> Change the security audit policy to collect only needed events. In particular, review the need to collect events for <br> - [audit filtering platform](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772749(v=ws.10)) <br> - [audit registry](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v%3dws.10))<br> - [audit file system](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772661(v%3dws.10))<br> - [audit kernel object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941615(v%3dws.10))<br> - [audit handle manipulation](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772626(v%3dws.10))<br> - audit removable storage | | Performance counters | Change [performance counter configuration](../agents/data-sources-performance-counters.md) to: <br> - Reduce the frequency of collection <br> - Reduce number of performance counters |
To be notified when data collection stops, use the steps described in *Create da
## Late arriving data
-Situations can arise where data is ingested with very old timestamps, for instance if an agent cannot communicate to Log Analytics due to a connectivity issue, or situations when a host has an incorrectly time date/time. To diagnose these issues, use the `_TimeReceived` column ([learn more](https://docs.microsoft.com/azure/azure-monitor/logs/log-standard-columns#_timereceived)) in addition to the `TimeGenerated` column. `TimeReceived` is the time when the the record was received by the Azure Monitor ingestion point in the Azure cloud.
+Situations can arise where data is ingested with very old timestamps, for instance if an agent cannot communicate to Log Analytics due to a connectivity issue, or situations when a host has an incorrectly time date/time. To diagnose these issues, use the `_TimeReceived` column ([learn more](./log-standard-columns.md#_timereceived)) in addition to the `TimeGenerated` column. `TimeReceived` is the time when the the record was received by the Azure Monitor ingestion point in the Azure cloud.
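Review bot: this hunk only swaps the link and leaves three defects on the same line that are worth fixing while here: "has an incorrectly time date/time" should read "has an incorrect date/time", "the the record" doubles "the", and the final sentence names the column `TimeReceived` while the rest of the paragraph and the link anchor use `_TimeReceived`. Since the whole point is to compare `_TimeReceived` against `TimeGenerated` to spot late-arriving records, the column name should be spelled consistently.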
## Limits summary
There are some additional Log Analytics limits, some of which depend on the Log
- Change [performance counter configuration](../agents/data-sources-performance-counters.md). - To modify your event collection settings, review [event log configuration](../agents/data-sources-windows-events.md). - To modify your syslog collection settings, review [syslog configuration](../agents/data-sources-syslog.md).-- To modify your syslog collection settings, review [syslog configuration](../agents/data-sources-syslog.md).
+- To modify your syslog collection settings, review [syslog configuration](../agents/data-sources-syslog.md).
azure-monitor Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/service-limits.md
This article lists limits in different areas of Azure Monitor.
## Next Steps - [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/)-- [Monitoring usage and estimated costs in Azure Monitor](/azure/azure-monitor/usage-estimated-costs)-- [Manage usage and costs for Application Insights](app/pricing.md)
+- [Monitoring usage and estimated costs in Azure Monitor](./usage-estimated-costs.md)
+- [Manage usage and costs for Application Insights](app/pricing.md)
azure-netapp-files Troubleshoot Dual Protocol Volumes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/troubleshoot-dual-protocol-volumes.md
This article describes resolutions to error conditions you might have when creat
| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-A452\". Reason: Kerberos Error: Pre-authentication information was invalid Details: Error: Machine account creation procedure failed\n [ 567] Loaded the preliminary configuration.\n [ 671] Successfully connected to ip 10.x.x.x, port 88 using TCP\n**[ 1099] FAILURE: Could not authenticate as\n** 'user@contoso.com': CIFS server account password does\n** not match password stored in Active Directory\n** (KRB5KDC_ERR_PREAUTH_FAILED)\n. "}]}` | Make sure that the password entered for joining the AD connection is correct. | | The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError","message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-D9A2\". Reason: SecD Error: ou not found Details: Error: Machine account creation procedure failed\n [ 561] Loaded the preliminary configuration.\n [ 665] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ 1039] Successfully connected to ip 10.x.x.x, port 389 using TCP\n**[ 1147] FAILURE: Specifed OU 'OU=AADDC Com' does not exist in\n** contoso.com\n. "}]}` | Make sure that the OU path specified for joining the AD connection is correct. If you use Azure ADDS, make sure that the organizational unit path is `OU=AADDC Computers`. 
| | The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-ANF-VOL. Reason: LDAP Error: Local error occurred Details: Error: Machine account creation procedure failed. [nnn] Loaded the preliminary configuration. [nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn] Successfully connected to ip 10.x.x.x, port 389 using [nnn] Entry for host-address: 10.x.x.x not found in the current source: FILES. Ignoring and trying next available source [nnn] Source: DNS unavailable. Entry for host-address:10.x.x.x found in any of the available sources\n*[nnn] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: local error [nnn] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address) [nnn] Unable to connect to LDAP (Active Directory) service on contoso.com (Error: Local error) [nnn] Unable to make a connection (LDAP (Active Directory):contosa.com, result: 7643. ` | The pointer (PTR) record of the AD host machine might be missing on the DNS server. You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone. <br> For example, assume that the IP address of the AD machine is `10.x.x.x`, the hostname of the AD machine (as found by using the `hostname` command) is `AD1`, and the domain name is `contoso.com`. The PTR record added to the reverse lookup zone should be `10.x.x.x` -> `contoso.com`. |
-| The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-ANF-VOL\". Reason: Kerberos Error: KDC has no support for encryption type Details: Error: Machine account creation procedure failed [nnn]Loaded the preliminary configuration. [nnn]Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn]FAILURE: Could not authenticate as 'contosa.com': KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP) ` | Make sure that [AES Encryption](/azure/azure-netapp-files/create-active-directory-connections#create-an-active-directory-connection) is enabled both in the Active Directory connection and for the service account. |
+| The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-ANF-VOL\". Reason: Kerberos Error: KDC has no support for encryption type Details: Error: Machine account creation procedure failed [nnn]Loaded the preliminary configuration. [nnn]Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn]FAILURE: Could not authenticate as 'contosa.com': KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP) ` | Make sure that [AES Encryption](./create-active-directory-connections.md#create-an-active-directory-connection) is enabled both in the Active Directory connection and for the service account. |
| The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-NTAP-VOL\". Reason: LDAP Error: Strong authentication is required Details: Error: Machine account creation procedure failed\n [ 338] Loaded the preliminary configuration.\n [ nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ nnn ] Successfully connected to ip 10.x.x.x, port 389 using TCP\n [ 765] Unable to connect to LDAP (Active Directory) service on\n dc51.area51.com (Error: Strong(er) authentication\n required)\n*[ nnn] FAILURE: Unable to make a connection (LDAP (Active\n* Directory):contoso.com), result: 7609\n. "` | The LDAP Signing option is not selected, but the AD client has LDAP signing. [Enable LDAP Signing](create-active-directory-connections.md#create-an-active-directory-connection) and retry. | ## Next steps * [Create an SMB volume](azure-netapp-files-create-volumes-smb.md) * [Create a dual-protocol volume](create-volumes-dual-protocol.md)
-* [Configure an NFS client for Azure NetApp Files](configure-nfs-clients.md)
+* [Configure an NFS client for Azure NetApp Files](configure-nfs-clients.md)
azure-percept Concept Security Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/concept-security-configuration.md
This checklist is a starting point for firewall rules:
|*.auth.azureperceptdk.azure.net|443|Azure DK SOM Authentication and Authorization| |*.auth.projectsantacruz.azure.net|443|Azure DK SOM Authentication and Authorization|
-Additionally, review the list of [connections used by Azure IoT Edge](https://docs.microsoft.com/azure/iot-edge/production-checklist#allow-connections-from-iot-edge-devices).
+Additionally, review the list of [connections used by Azure IoT Edge](../iot-edge/production-checklist.md#allow-connections-from-iot-edge-devices).
## Additional recommendations for deployment to production
azure-percept Overview Azure Percept Dk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/overview-azure-percept-dk.md
Azure Percept DK is an edge AI development kit designed for developing vision an
- Hardware root of trust security built in. Learn more about [Azure Percept security](./overview-percept-security.md). -- Seamless integration with [Azure Percept Studio](https://go.microsoft.com/fwlink/?linkid=2135819) and other Azure services, such as Azure IoT Hub, Azure Cognitive Services, and [Live Video Analytics](https://docs.microsoft.com/azure/media-services/live-video-analytics-edge/overview).
+- Seamless integration with [Azure Percept Studio](https://go.microsoft.com/fwlink/?linkid=2135819) and other Azure services, such as Azure IoT Hub, Azure Cognitive Services, and [Live Video Analytics](../media-services/live-video-analytics-edge/overview.md).
- Compatible with [Azure Percept Audio](./overview-azure-percept-audio.md), an optional accessory for building AI audio solutions.
azure-percept Overview Update Experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/overview-update-experience.md
# Azure Percept DK update experience overview
-With Azure Percept DK, you may update your dev kit OS and firmware over-the-air (OTA) or via USB. OTA updating is an easy way keep devices up-to-date through the [Device Update for IoT Hub](https://docs.microsoft.com/azure/iot-hub-device-update/) service. USB updates are available for users who are unable to use OTA updates or when a factory reset of the device is needed. Check out the following how-to guides to get started with Azure Percept DK device updates:
+With Azure Percept DK, you may update your dev kit OS and firmware over-the-air (OTA) or via USB. OTA updating is an easy way keep devices up-to-date through the [Device Update for IoT Hub](../iot-hub-device-update/index.yml) service. USB updates are available for users who are unable to use OTA updates or when a factory reset of the device is needed. Check out the following how-to guides to get started with Azure Percept DK device updates:
- [Set up Azure IoT Hub to deploy over-the-air (OTA) updates to your Azure Percept DK](./how-to-set-up-over-the-air-updates.md) - [Update your Azure Percept DK over-the-air (OTA)](./how-to-update-over-the-air.md)
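Review bot: "OTA updating is an easy way keep devices up-to-date" is missing "to" and should read "an easy way to keep devices up-to-date"; the link change is fine.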
azure-percept Quickstart Percept Dk Set Up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/quickstart-percept-dk-set-up.md
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
- Select the S1 (standard) pricing tier. > [!NOTE]
- > If you end up needing a higher [message throughput](https://docs.microsoft.com/azure/iot-hub/iot-hub-scaling#message-throughput) for your edge AI applications, you may [upgrade your IoT Hub to a higher standard tier](https://docs.microsoft.com/azure/iot-hub/iot-hub-upgrade) in the Azure Portal at any time. B and F tiers do NOT support Azure Percept.
+ > If you end up needing a higher [message throughput](../iot-hub/iot-hub-scaling.md#message-throughput) for your edge AI applications, you may [upgrade your IoT Hub to a higher standard tier](../iot-hub/iot-hub-upgrade.md) in the Azure Portal at any time. B and F tiers do NOT support Azure Percept.
1. IoT Hub deployment may take a few minutes. When the deployment is complete, click **Register**.
azure-relay Service Bus Dotnet Hybrid App Using Service Bus Relay https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/service-bus-dotnet-hybrid-app-using-service-bus-relay.md
In this section, you build a simple ASP.NET application that displays data retri
![Specify authentication][18] 1. Back in **Create a new ASP.NET Web Application**, select **Create** to create the MVC app.
-1. Configure Azure resources for a new web app. Follow the steps in [Publish your web app](../app-service/quickstart-dotnet-framework.md#launch-the-publish-wizard). Then, return to this tutorial and continue to the next step.
+1. Configure Azure resources for a new web app. Follow the steps in [Publish your web app](../app-service/quickstart-dotnetcore.md?tabs=netframework48#publish-your-web-app). Then, return to this tutorial and continue to the next step.
1. In **Solution Explorer**, right-click **Models** and then select **Add** > **Class**. 1. Name the class *Product.cs*, then select **Add**.
Advance to the following tutorial:
[37]: ./media/service-bus-dotnet-hybrid-app-using-service-bus-relay/hy-service1.png [38]: ./media/service-bus-dotnet-hybrid-app-using-service-bus-relay/hy-service2.png [41]: ./media/service-bus-dotnet-hybrid-app-using-service-bus-relay/getting-started-multi-tier-40.png
-[43]: ./media/service-bus-dotnet-hybrid-app-using-service-bus-relay/getting-started-hybrid-43.png
+[43]: ./media/service-bus-dotnet-hybrid-app-using-service-bus-relay/getting-started-hybrid-43.png
azure-resource-manager Tutorial Create Managed App With Custom Provider https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider.md
You can go to managed application instance and perform **custom action** in "Ove
## Looking for help
-If you have questions about Azure Managed Applications, you can try asking on [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-managed-app) with tag azure-managed-app or [Microsoft Q&A](https://docs.microsoft.com/answers/topics/azure-managed-applications.html) with tag azure-managed-application. A similar question may have already been asked and answered, so check first before posting. Please use respective tags for faster response.
+If you have questions about Azure Managed Applications, you can try asking on [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-managed-app) with tag azure-managed-app or [Microsoft Q&A](/answers/topics/azure-managed-applications.html) with tag azure-managed-application. A similar question may have already been asked and answered, so check first before posting. Please use respective tags for faster response.
## Next steps To publish your managed application to the Azure Marketplace, see [Azure managed applications in the Marketplace](../../marketplace/create-new-azure-apps-offer.md).
-Learn more about [Azure Custom Providers](../custom-providers/overview.md).
+Learn more about [Azure Custom Providers](../custom-providers/overview.md).
azure-resource-manager Control Plane And Data Plane https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/control-plane-and-data-plane.md
All requests for control plane operations are sent to the Azure Resource Manager
* For Azure Germany, the URL is `https://management.microsoftazure.de/`. * For Microsoft Azure China 21Vianet, the URL is `https://management.chinacloudapi.cn`.
-To discover which operations use the Azure Resource Manager URL, see the [Azure REST API](/rest/api/azure/). For example, the [create or update operation](/rest/api/mysql/databases/createorupdate) for MySql is a control plane operation because the request URL is:
+To discover which operations use the Azure Resource Manager URL, see the [Azure REST API](/rest/api/azure/). For example, the [create or update operation](/rest/api/mysql/flexibleserver(preview)/servers/update) for MySql is a control plane operation because the request URL is:
```http PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforMySQL/servers/{serverName}/databases/{databaseName}?api-version=2017-12-01
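Review bot: the new link target (the Flexible Server preview `servers/update` operation) no longer matches the example it introduces. The request URL shown right after it is `.../providers/Microsoft.DBforMySQL/servers/{serverName}/databases/{databaseName}?api-version=2017-12-01`, which is the Single Server databases create-or-update call, and the link text still says "create or update operation". Either keep a link to the databases createOrUpdate reference, or change both the example URL and the link text to the Flexible Server operation so the text and the URL agree.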
The control plane includes two scenarios for handling requests - "green field" a
## Data plane
-Requests for data plane operations are sent to an endpoint that is specific to your instance. For example, the [Detect Language operation](/azure/cognitive-services/text-analytics/how-tos/text-analytics-how-to-language-detection) in Cognitive Services is a data plane operation because the request URL is:
+Requests for data plane operations are sent to an endpoint that is specific to your instance. For example, the [Detect Language operation](../../cognitive-services/text-analytics/how-tos/text-analytics-how-to-language-detection.md) in Cognitive Services is a data plane operation because the request URL is:
```http POST {Endpoint}/text/analytics/v2.0/languages
You can use some policies to govern data plane operations. For more information,
* For an overview of Azure Resource Manager, see [What is Azure Resource Manager?](overview.md)
-* To learn more about the effect of policy definitions on new resources and existing resources., see [Evaluate the impact of a new Azure Policy definition](../../governance/policy/concepts/evaluate-impact.md).
+* To learn more about the effect of policy definitions on new resources and existing resources., see [Evaluate the impact of a new Azure Policy definition](../../governance/policy/concepts/evaluate-impact.md).
azure-resource-manager Networking Move Limitations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-limitations/networking-move-limitations.md
This article describes how to move virtual networks and other networking resourc
## Dependent resources > [!NOTE]
-> Please note that VPN Gateways associated with public IP addresses are not currently able to move between resource groups or subscriptions.
+> Please note that VPN Gateways associated with Public IP Standard SKU addresses are not currently able to move between resource groups or subscriptions.
When moving a resource, you must also move its dependent resources (e.g. public IP addresses, virtual network gateways, all associated connection resources). Local network gateways can be in a different resource group.
azure-resource-manager Request Limits And Throttling https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/request-limits-and-throttling.md
The Microsoft.Network resource provider applies the following throttle limits:
| write / delete (PUT) | 1000 per 5 minutes | | read (GET) | 10000 per 5 minutes |
+> [!NOTE]
+> **Azure Private DNS** has a throttle limit of 500 read (GET) operations per 5 minutes.
+>
+ ### Compute throttling For information about throttling limits for compute operations, see [Troubleshooting API throttling errors - Compute](/troubleshoot/azure/virtual-machines/troubleshooting-throttling-errors).
msrest.http_logger : 'x-ms-ratelimit-remaining-subscription-writes': '1199'
* For a complete PowerShell example, see [Check Resource Manager Limits for a Subscription](https://github.com/Microsoft/csa-misc-utils/tree/master/psh-GetArmLimitsViaAPI). * For more information about limits and quotas, see [Azure subscription and service limits, quotas, and constraints](../../azure-resource-manager/management/azure-subscription-service-limits.md).
-* To learn about handling asynchronous REST requests, see [Track asynchronous Azure operations](async-operations.md).
+* To learn about handling asynchronous REST requests, see [Track asynchronous Azure operations](async-operations.md).
azure-resource-manager Resource Name Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-name-rules.md
This article lists resources by resource provider namespace. For a list of how r
Resource names are case-insensitive unless noted in the valid characters column.
+> [!NOTE]
+> When retreiving resource names using various APIs, returned vaules may display different case vaules than what is listed in the valid characters table.
+ In the following tables, the term alphanumeric refers to: * **a** through **z** (lowercase letters)
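Review bot: the added note has spelling errors: "retreiving" should be "retrieving" and "vaules" should be "values" (it appears twice). The sentence can also be tightened to "When retrieving resource names through the various APIs, the returned values may use a different case than what is listed in the valid characters table."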
azure-resource-manager Bicep Tutorial Use Parameter File https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/bicep-tutorial-use-parameter-file.md
Title: Tutorial - use parameter file to deploy Azure Resource Manager Bicep file description: Use parameter files that contain the values to use for deploying your Bicep file. Previously updated : 03/10/2021 Last updated : 04/27/2021
New-AzResourceGroup `
New-AzResourceGroupDeployment ` -Name prodenvironment ` -ResourceGroupName myResourceGroupProd `
- -TemplateFile $templateFile `
+ -TemplateFile $bicepFile `
-TemplateParameterFile $parameterFile ```
az group create \
az deployment group create \ --name prodenvironment \ --resource-group myResourceGroupProd \
- --template-file $templateFile \
+ --template-file $bicepFile \
--parameters $prodParameterFile ```
azure-resource-manager Deploy Github Actions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-github-actions.md
Title: Deploy Resource Manager templates by using GitHub Actions
description: Describes how to deploy Azure Resource Manager templates (ARM templates) by using GitHub Actions. Last updated 10/13/2020-+ # Deploy ARM templates by using GitHub Actions
azure-resource-manager Deploy To Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-tenant.md
Title: Deploy resources to tenant description: Describes how to deploy resources at the tenant scope in an Azure Resource Manager template. Previously updated : 01/13/2021 Last updated : 04/27/2021 # Tenant deployments with ARM templates
As your organization matures, you may need to define and assign [policies](../..
Not all resource types can be deployed to the tenant level. This section lists which resource types are supported.
-For Azure Policies, use:
-
-* [policyAssignments](/azure/templates/microsoft.authorization/policyassignments)
-* [policyDefinitions](/azure/templates/microsoft.authorization/policydefinitions)
-* [policySetDefinitions](/azure/templates/microsoft.authorization/policysetdefinitions)
- For Azure role-based access control (Azure RBAC), use: * [roleAssignments](/azure/templates/microsoft.authorization/roleassignments)
For configuring the portal, use:
* [tenantConfigurations](/azure/templates/microsoft.portal/tenantconfigurations)
+Built-in policy definitions are tenant-level resources, but you can't deploy custom policy definitions at the tenant. For an example of assigning a built-in policy definition to a resource, see [tenantResourceId example](./template-functions-resource.md#tenantresourceid-example).
+ ## Schema The schema you use for tenant deployments is different than the schema for resource group deployments.
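Review bot: dropping `policyAssignments` from the supported list while the added sentence still talks about assigning a built-in policy definition leaves it unclear whether policy assignments can be deployed at tenant scope. If only custom `policyDefinitions` and `policySetDefinitions` are unsupported, keep `policyAssignments` in the list and say so explicitly; if tenant-scope assignments are unsupported too, the added sentence should state the scope at which the linked `tenantResourceId` example performs the assignment.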
azure-resource-manager Deployment Script Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-script-template.md
The following JSON is an example. For more information, see the latest [template
Property value details: -- `identity`: For deployment script API version 2020-10-01 or later, a user-assigned managed identity is optional unless you need to perform any Azure-specific actions in the script. For the API version 2019-10-01-preview, a managed identity is required as the deployment script service uses it to execute the scripts. When the identity property is specified, the script service calls `Connect-AzAccount -Identity` before invoking the user script. Currently, only user-assigned managed identity is supported. To login with a different identity, you can call [Connect-AzAccount](https://docs.microsoft.com/powershell/module/az.accounts/connect-azaccount) in the script.
+- `identity`: For deployment script API version 2020-10-01 or later, a user-assigned managed identity is optional unless you need to perform any Azure-specific actions in the script. For the API version 2019-10-01-preview, a managed identity is required as the deployment script service uses it to execute the scripts. When the identity property is specified, the script service calls `Connect-AzAccount -Identity` before invoking the user script. Currently, only user-assigned managed identity is supported. To login with a different identity, you can call [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) in the script.
- `kind`: Specify the type of script. Currently, Azure PowerShell and Azure CLI scripts are supported. The values are **AzurePowerShell** and **AzureCLI**. - `forceUpdateTag`: Changing this value between template deployments forces the deployment script to re-execute. If you use the `newGuid()` or the `utcNow()` functions, both functions can only be used in the default value for a parameter. To learn more, see [Run script more than once](#run-script-more-than-once). - `containerSettings`: Specify the settings to customize Azure Container Instance. Deployment script requires a new Azure Container Instance. You can't specify an existing Azure Container Instance. However, you can customize the container group name by using `containerGroupName`. If not specified, the group name is automatically generated.
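Review bot: besides the link, "To login with a different identity" should use the verb form, "To log in with a different identity".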
In this article, you learned how to use deployment scripts. To walk through a de
> [Tutorial: Use deployment scripts in Azure Resource Manager templates](./template-tutorial-deployment-script.md) > [!div class="nextstepaction"]
-> [Learn module: Extend ARM templates by using deployment scripts](/learn/modules/extend-resource-manager-template-deployment-scripts/)
+> [Learn module: Extend ARM templates by using deployment scripts](/learn/modules/extend-resource-manager-template-deployment-scripts/)
azure-resource-manager Error Register Resource Provider https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/error-register-resource-provider.md
Title: Resource provider registration errors
description: Describes how to resolve Azure resource provider registration errors when deploying resources with Azure Resource Manager. Last updated 02/15/2019 -+ # Resolve errors for resource provider registration
azure-resource-manager Quickstart Create Templates Use The Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md
Title: Deploy template - Azure portal description: Learn how to create your first Azure Resource Manager template (ARM template) using the Azure portal, and how to deploy it. Previously updated : 03/26/2021 Last updated : 04/27/2021 -+ #Customer intent: As a developer new to Azure deployment, I want to learn how to use the Azure portal to create and edit Resource Manager templates, so I can use the templates to deploy Azure resources.
azure-resource-manager Template Tutorial Add Parameters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-add-parameters.md
Last updated 03/31/2020 - # Tutorial: Add parameters to your ARM template
azure-resource-manager Template Tutorial Use Parameter File https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-use-parameter-file.md
Last updated 09/10/2020 -+ # Tutorial: Use parameter files to deploy your ARM template
azure-resource-manager Test Cases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/test-cases.md
Test name: **CommandToExecute Must Use ProtectedSettings For Secrets**
In a Custom Script Extension, use the encrypted property `protectedSettings` when `commandToExecute` includes secret data such as a password. Examples of secret data types are `secureString`, `secureObject`, `list()` functions, or scripts. For more information about Custom Script Extension for virtual machines, see [Windows](
-/azure/virtual-machines/extensions/custom-script-windows), [Linux](/azure/virtual-machines/extensions/custom-script-linux), and the schema [Microsoft.Compute virtualMachines/extensions](/azure/templates/microsoft.compute/virtualmachines/extensions).
+/azure/virtual-machines/extensions/custom-script-windows), [Linux](../../virtual-machines/extensions/custom-script-linux.md), and the schema [Microsoft.Compute virtualMachines/extensions](/azure/templates/microsoft.compute/virtualmachines/extensions).
In this example, a template with a parameter named `adminPassword` and type `secureString` **passes** the test because the encrypted property `protectedSettings` includes `commandToExecute`.
The test **fails** if the unencrypted property `settings` includes `commandToExe
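Review bot: the link conversion in this hunk is only half done: the Linux link becomes the relative `../../virtual-machines/extensions/custom-script-linux.md`, but the Windows link on the same line stays absolute as `/azure/virtual-machines/extensions/custom-script-windows`. Either convert it to `../../virtual-machines/extensions/custom-script-windows.md` as well or leave both absolute, so the two sibling links use one convention.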
## Next steps * To learn about running the test toolkit, see [Use ARM template test toolkit](test-toolkit.md).
-* For a Microsoft Learn module that covers using the test toolkit, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
+* For a Microsoft Learn module that covers using the test toolkit, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
azure-signalr Signalr Howto Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-howto-troubleshoot-guide.md
Normally, this scenario is caused by async over sync or by `Task.Result`/`Task.W
See [ASP.NET Core performance best practices](/aspnet/core/performance/performance-best-practices#avoid-blocking-calls).
-See more about [thread pool starvation](https://docs.microsoft.com/archive/blogs/vancem/diagnosing-net-core-threadpool-starvation-with-perfview-why-my-service-is-not-saturating-all-cores-or-seems-to-stall).
+See more about [thread pool starvation](/archive/blogs/vancem/diagnosing-net-core-threadpool-starvation-with-perfview-why-my-service-is-not-saturating-all-cores-or-seems-to-stall).
### How to detect thread pool starvation
Check your thread count. If there are no spikes at that time, take these steps:
:::image type="content" source="media/signalr-howto-troubleshoot-guide/metrics-thread-count.png" alt-text="Screenshot of the Max thread count pane in Azure App Service.":::
-* If you're using the .NET Framework, you can find [metrics](https://docs.microsoft.com/dotnet/framework/debug-trace-profile/performance-counters#lock-and-thread-performance-counters) in the performance monitor in your server VM.
-* If you're using .NET Core in a container, see [Collect diagnostics in containers](https://docs.microsoft.com/dotnet/core/diagnostics/diagnostics-in-containers).
+* If you're using the .NET Framework, you can find [metrics](/dotnet/framework/debug-trace-profile/performance-counters#lock-and-thread-performance-counters) in the performance monitor in your server VM.
+* If you're using .NET Core in a container, see [Collect diagnostics in containers](/dotnet/core/diagnostics/diagnostics-in-containers).
You also can use code to detect thread pool starvation:
Take ASP.NET Core one for example (ASP.NET one is similar):
In this guide, you learned about how to handle the common issues. You could also learn more generic troubleshooting methods. > [!div class="nextstepaction"]
-> [How to troubleshoot connectivity and message delivery issues](./signalr-howto-troubleshoot-method.md)
+> [How to troubleshoot connectivity and message delivery issues](./signalr-howto-troubleshoot-method.md)
azure-signalr Signalr Quickstart Azure Functions Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-quickstart-azure-functions-python.md
Make sure you have a code editor such as [Visual Studio Code](https://code.visua
Install the [Azure Functions Core Tools](https://github.com/Azure/azure-functions-core-tools#installing) (version 2.7.1505 or higher) to run Python Azure Function apps locally.
-Azure Functions requires [Python 3.6+](https://www.python.org/downloads/). (See [Supported Python versions](/azure/azure-functions/functions-reference-python#python-version))
+Azure Functions requires [Python 3.6+](https://www.python.org/downloads/). (See [Supported Python versions](../azure-functions/functions-reference-python.md#python-version))
[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
Having issues? Try the [troubleshooting guide](signalr-howto-troubleshoot-guide.
In this quickstart, you built and ran a real-time serverless application in VS Code. Next, learn more about how to deploy Azure Functions from VS Code. > [!div class="nextstepaction"]
-> [Deploy Azure Functions with VS Code](/azure/developer/javascript/tutorial-vscode-serverless-node-01)
+> [Deploy Azure Functions with VS Code](/azure/developer/javascript/tutorial-vscode-serverless-node-01)
azure-signalr Signalr Quickstart Azure Signalr Service Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-quickstart-azure-signalr-service-arm-template.md
- subject-armqs
- - devx-track-azurecli
- mode-arm
azure-sql Azure Sql Iaas Vs Paas What Is Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/azure-sql-iaas-vs-paas-what-is-overview.md
For **SQL on Azure VM**, Microsoft provides an availability SLA of 99.95% that c
**Azure SQL Managed Instance** greatly simplifies the migration of existing applications to Azure, enabling you to bring migrated database applications to market in Azure quickly.
-**SQL on Azure VM** is perfect if your existing or new applications require large databases or access to all features in SQL Server or Windows/Linux, and you want to avoid the time and expense of acquiring new on-premises hardware. It is also a good fit when you want to migrate existing on-premises applications and databases to Azure as-is - in cases where SQL Database or SQL Managed Instance is not a good fit. Since you do not need to change the presentation, application, and data layers, you save time and budget on re-architecting your existing solution. Instead, you can focus on migrating all your solutions to Azure and in doing some performance optimizations that may be required by the Azure platform. For more information, see [Performance Best Practices for SQL Server on Azure Virtual Machines](virtual-machines/windows/performance-guidelines-best-practices.md).
+**SQL on Azure VM** is perfect if your existing or new applications require large databases or access to all features in SQL Server or Windows/Linux, and you want to avoid the time and expense of acquiring new on-premises hardware. It is also a good fit when you want to migrate existing on-premises applications and databases to Azure as-is - in cases where SQL Database or SQL Managed Instance is not a good fit. Since you do not need to change the presentation, application, and data layers, you save time and budget on re-architecting your existing solution. Instead, you can focus on migrating all your solutions to Azure and in doing some performance optimizations that may be required by the Azure platform. For more information, see [Performance Best Practices for SQL Server on Azure Virtual Machines](./virtual-machines/windows/performance-guidelines-best-practices-checklist.md).
[!INCLUDE [sql-database-create-manage-portal](includes/sql-database-create-manage-portal.md)]
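Review bot: the link target changes from `performance-guidelines-best-practices.md` to `performance-guidelines-best-practices-checklist.md` while the link text still says "Performance Best Practices for SQL Server on Azure Virtual Machines"; confirm the text matches the title of the checklist page or adjust it. While the sentence is being rewritten, "and in doing some performance optimizations that may be required" reads better as "and on any performance optimizations that may be required".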
For **SQL on Azure VM**, Microsoft provides an availability SLA of 99.95% that c
- See [Your first Azure SQL Managed Instance](managed-instance/instance-create-quickstart.md) to get started with SQL Managed Instance. - See [SQL Database pricing](https://azure.microsoft.com/pricing/details/sql-database/). - See [Provision a SQL Server virtual machine in Azure](virtual-machines/windows/create-sql-vm-portal.md) to get started with SQL Server on Azure VMs.-- [Identify the right SQL Database or SQL Managed Instance SKU for your on-premises database](/sql/dma/dma-sku-recommend-sql-db/).
+- [Identify the right SQL Database or SQL Managed Instance SKU for your on-premises database](/sql/dma/dma-sku-recommend-sql-db/).
azure-sql Active Geo Replication Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/active-geo-replication-overview.md
Previously updated : 08/27/2020 Last updated : 04/28/2021 # Creating and using active geo-replication - Azure SQL Database
Last updated 08/27/2020
Active geo-replication is an Azure SQL Database feature that allows you to create readable secondary databases of individual databases on a server in the same or different data center (region).
+> [!NOTE]
+> Active geo-replication for Azure SQL Hyperscale [is now in public preview](https://aka.ms/hsgeodr). Current limitations include: only one geo-secondary in the same or a different region, only forced failover supported, restore database from geo-secondary not supported, using a geo-secondary as the source database for Database Copy, or as the primary for another geo-secondary is not supported.
++ > [!NOTE] > Active geo-replication is not supported by Azure SQL Managed Instance. For geographic failover of instances of SQL Managed Instance, use [Auto-failover groups](auto-failover-group-overview.md).
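Review bot: the limitations sentence in the added NOTE runs several distinct restrictions into a single comma list, and the final clause ("using a geo-secondary as the source database for Database Copy, or as the primary for another geo-secondary is not supported") is hard to parse. Suggest a short bulleted list inside the callout, for example:
> - Only one geo-secondary, in the same or a different region
> - Only forced failover is supported
> - Restore from a geo-secondary, and using a geo-secondary as the source for Database Copy or as the primary of another geo-secondary, are not supported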
azure-sql Auditing Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/auditing-overview.md
An auditing policy can be defined for a specific database or as a default [serve
- You can write audit logs to a an Azure Storage account behind a VNet or firewall. For specific instructions see, [Write audit to a storage account behind VNet and firewall](audit-write-storage-account-behind-vnet-firewall.md). - For details about the log format, hierarchy of the storage folder and naming conventions, see the [Blob Audit Log Format Reference](./audit-log-format.md). - Auditing on [Read-Only Replicas](read-scale-out.md) is automatically enabled. For further details about the hierarchy of the storage folders, naming conventions, and log format, see the [SQL Database Audit Log Format](audit-log-format.md).-- When using Azure AD Authentication, failed logins records will *not* appear in the SQL audit log. To view failed login audit records, you need to visit the [Azure Active Directory portal](../../active-directory/reports-monitoring/reference-sign-ins-error-codes.md), which logs details of these events.
+- When using Azure AD Authentication, failed logins records will *not* appear in the SQL audit log. To view failed login audit records, you need to visit the [Azure Active Directory portal](../../active-directory/reports-monitoring/concept-sign-ins.md), which logs details of these events.
- Logins are routed by the gateway to the specific instance where the database is located. In the case of AAD logins, the credentials are verified before attempting to use that user to login into the requested database. In the case of failure, the requested database is never accessed, so no auditing occurs. In the case of SQL logins, the credentials are verified on the requested data, so in this case they can be audited. Successful logins, which obviously reach the database, are audited in both cases. - After you've configured your auditing settings, you can turn on the new threat detection feature and configure emails to receive security alerts. When you use threat detection, you receive proactive alerts on anomalous database activities that can indicate potential security threats. For more information, see [Getting started with threat detection](threat-detection-overview.md).
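Review bot: the replaced bullet still reads "failed logins records"; since the line is being changed for the new link target, correct it to "failed login records". The preceding bullet in the same hunk has the doubled article "to a an Azure Storage account" and the misplaced comma in "For specific instructions see,"; both can be fixed in the same pass.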
You can manage Azure SQL Database auditing using [Azure Resource Manager](../../
- [Deploy an Azure SQL Database with Auditing enabled to write audit logs to Event Hubs](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sql-auditing-server-policy-to-eventhub) > [!NOTE]
-> The linked samples are on an external public repository and are provided 'as is', without warranty, and are not supported under any Microsoft support program/service.
+> The linked samples are on an external public repository and are provided 'as is', without warranty, and are not supported under any Microsoft support program/service.
azure-sql Auto Failover Group Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/auto-failover-group-overview.md
Previously updated : 03/26/2021 Last updated : 04/28/2021 # Use auto-failover groups to enable transparent and coordinated failover of multiple databases
Last updated 03/26/2021
The auto-failover groups feature allows you to manage the replication and failover of a group of databases on a server or all databases in a managed instance to another region. It is a declarative abstraction on top of the existing [active geo-replication](active-geo-replication-overview.md) feature, designed to simplify deployment and management of geo-replicated databases at scale. You can initiate failover manually or you can delegate it to the Azure service based on a user-defined policy. The latter option allows you to automatically recover multiple related databases in a secondary region after a catastrophic failure or other unplanned event that results in full or partial loss of the SQL Database or SQL Managed Instance availability in the primary region. A failover group can include one or multiple databases, typically used by the same application. Additionally, you can use the readable secondary databases to offload read-only query workloads. Because auto-failover groups involve multiple databases, these databases must be configured on the primary server. Auto-failover groups support replication of all databases in the group to only one secondary server or instance in a different region.
+>[!NOTE]
+>Auto-failover groups are not currently supported in the [Hyperscale](service-tier-hyperscale.md) service tier. For geographic failover of a Hyperscale database, use [active geo-replication](active-geo-replication-overview.md).
+ > [!NOTE] > If you want multiple Azure SQL Database secondaries in the same or different regions, use [active geo-replication](active-geo-replication-overview.md).
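Review bot: the added callout is written as `>[!NOTE]` and `>Auto-failover groups ...` without a space after `>`, while the existing callout immediately after it uses `> [!NOTE]`; use the same `> ` form for both so the two notes are consistent in source and render identically.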
azure-sql Block Crud Tsql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/block-crud-tsql.md
This feature allows Azure administrators to block the creation or modification o
## Overview
-To block creation or modification of resources through T-SQL and enforce resource management through an Azure Resource Manager template (ARM template) for a given subscription, the subscription level preview features in Azure portal can be used. This is particularly useful when you are using [Azure Policies](/azure/governance/policy/overview) to enforce organizational standards through ARM templates. Since T-SQL does not adhere to the Azure Policies, a block on T-SQL create or modify operations can be applied. The syntax blocked includes CRUD (create, update, delete) statements for databases in Azure SQL, specifically `CREATE DATABASE`, `ALTER DATABASE`, and `DROP DATABASE` statements.
+To block creation or modification of resources through T-SQL and enforce resource management through an Azure Resource Manager template (ARM template) for a given subscription, the subscription level preview features in Azure portal can be used. This is particularly useful when you are using [Azure Policies](../../governance/policy/overview.md) to enforce organizational standards through ARM templates. Since T-SQL does not adhere to the Azure Policies, a block on T-SQL create or modify operations can be applied. The syntax blocked includes CRUD (create, update, delete) statements for databases in Azure SQL, specifically `CREATE DATABASE`, `ALTER DATABASE`, and `DROP DATABASE` statements.
T-SQL CRUD operations can be blocked via Azure portal, [PowerShell](/powershell/module/az.resources/register-azproviderfeature), or [Azure CLI](/cli/azure/feature#az_feature_register).
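Review bot: the link change is fine, but the sentence on the replaced line, "Since T-SQL does not adhere to the Azure Policies", states the security-relevant point imprecisely; suggest "Since T-SQL operations are not evaluated by Azure Policy, a block on T-SQL create or modify operations can be applied." The product name is singular (Azure Policy), so the link text "Azure Policies" should change with it.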
To remove the block on T-SQL create or modify operations from your subscription,
## Next steps - [An overview of Azure SQL Database security capabilities](security-overview.md)-- [Azure SQL Database security best practices](security-best-practice.md)
+- [Azure SQL Database security best practices](security-best-practice.md)
azure-sql Configure Max Degree Of Parallelism https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/configure-max-degree-of-parallelism.md
| MAXDOP | Behavior | |--|--| | = 1 | The database engine uses a single serial thread to execute queries. Parallel threads are not used. |
-| > 1 | The database engine sets the number of additional [schedulers](https://docs.microsoft.com/sql/relational-databases/thread-and-task-architecture-guide#sql-server-task-scheduling) to be used by parallel threads to the MAXDOP value, or the total number of logical processors, whichever is smaller. |
-| = 0 | The database engine sets the number of additional [schedulers](https://docs.microsoft.com/sql/relational-databases/thread-and-task-architecture-guide#sql-server-task-scheduling) to be used by parallel threads to the total number of logical processors or 64, whichever is smaller. |
+| > 1 | The database engine sets the number of additional [schedulers](/sql/relational-databases/thread-and-task-architecture-guide#sql-server-task-scheduling) to be used by parallel threads to the MAXDOP value, or the total number of logical processors, whichever is smaller. |
+| = 0 | The database engine sets the number of additional [schedulers](/sql/relational-databases/thread-and-task-architecture-guide#sql-server-task-scheduling) to be used by parallel threads to the total number of logical processors or 64, whichever is smaller. |
| | | > [!Note]
REBUILD WITH
## Next steps
-* [Monitor and Tune for Performance](/sql/relational-databases/performance/monitor-and-tune-for-performance)
+* [Monitor and Tune for Performance](/sql/relational-databases/performance/monitor-and-tune-for-performance)
azure-sql Database Copy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/database-copy.md
description: Create a transactionally consistent copy of an existing database in
-+ ms.devlang:
azure-sql Doc Changes Updates Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/doc-changes-updates-release-notes.md
This table provides a quick comparison for the change in terminology:
| Feature | Details | | | |
-| [Distributed transactions](/azure/azure-sql/database/elastic-transactions-overview) | Distributed transactions across Managed Instances. |
-| [Instance pools](/azure/sql-database/sql-database-instance-pools) | A convenient and cost-efficient way to migrate smaller SQL instances to the cloud. |
+| [Distributed transactions](./elastic-transactions-overview.md) | Distributed transactions across Managed Instances. |
+| [Instance pools](../managed-instance/instance-pools-overview.md) | A convenient and cost-efficient way to migrate smaller SQL instances to the cloud. |
| [Instance-level Azure AD server principals (logins)](/sql/t-sql/statements/create-login-transact-sql) | Create instance-level logins using a [CREATE LOGIN FROM EXTERNAL PROVIDER](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-mi-current&preserve-view=true) statement. | | [Transactional Replication](../managed-instance/replication-transactional-overview.md) | Replicate the changes from your tables into other databases in SQL Managed Instance, SQL Database, or SQL Server. Or update your tables when some rows are changed in other instances of SQL Managed Instance or SQL Server. For information, see [Configure replication in Azure SQL Managed Instance](../managed-instance/replication-between-two-instances-configure-tutorial.md). | | Threat detection |For information, see [Configure threat detection in Azure SQL Managed Instance](../managed-instance/threat-detection-configure.md).|
The following features are enabled in the SQL Managed Instance deployment model
### Changing the connection type does not affect connections through the failover group endpoint
-If an instance participates in an [auto-failover group](https://docs.microsoft.com/azure/azure-sql/database/auto-failover-group-overview), changing the instance's [connection type](https://docs.microsoft.com/azure/azure-sql/managed-instance/connection-types-overview) does not take effect for the connections established through the failover group listener endpoint.
+If an instance participates in an [auto-failover group](./auto-failover-group-overview.md), changing the instance's [connection type](../managed-instance/connection-types-overview.md) does not take effect for the connections established through the failover group listener endpoint.
**Workaround**: Drop and recreate auto-failover group afer changing the connection type.
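Review bot: the Workaround line directly below the changed sentence has the typo "afer" ("Drop and recreate auto-failover group afer changing the connection type"); fix it to "after" in this hunk while the surrounding text is being touched. The two new relative links match the `../managed-instance/` and `./` forms already used elsewhere in this file.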
For updates and improvements to all Azure services, see [Service updates](https:
## Contribute to content
-To contribute to the Azure SQL documentation, see the [Docs contributor guide](/contribute/).
+To contribute to the Azure SQL documentation, see the [Docs contributor guide](/contribute/).
azure-sql Planned Maintenance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/planned-maintenance.md
Maintenance event can produce single or multiple reconfigurations, depending on
## How to simulate a planned maintenance event
-Ensuring that your client application is resilient to maintenance events prior to deploying to production will help mitigate the risk of application faults and will contribute to application availability for your end users.You can test behavior of your client application during planned maintenance events by [Testing Application Fault Resiliency](https://docs.microsoft.com/azure/azure-sql/database/high-availability-sla#testing-application-fault-resiliency) via PowerShell, CLI or REST API. Also see [initiating manual failover](https://aka.ms/mifailover-techblog) for Managed Instance. It will produce identical behavior as maintenance event bringing primary replica offline.
+Ensuring that your client application is resilient to maintenance events prior to deploying to production will help mitigate the risk of application faults and will contribute to application availability for your end users.You can test behavior of your client application during planned maintenance events by [Testing Application Fault Resiliency](./high-availability-sla.md#testing-application-fault-resiliency) via PowerShell, CLI or REST API. Also see [initiating manual failover](https://aka.ms/mifailover-techblog) for Managed Instance. It will produce identical behavior as maintenance event bringing primary replica offline.
## Retry logic
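Review bot: the rewritten paragraph keeps two pre-existing defects: a missing space in "end users.You can test", and "It will produce identical behavior as maintenance event bringing primary replica offline", which needs articles ("identical behavior to a maintenance event bringing the primary replica offline"). Fix both while the line is being replaced for the link change.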
The maintenance Window feature allows for the configuration of predictable maint
- Learn more about [Resource Health](resource-health-to-troubleshoot-connectivity.md) for Azure SQL Database and Azure SQL Managed Instance. - For more information about retry logic, see [Retry logic for transient errors](troubleshoot-common-connectivity-issues.md#retry-logic-for-transient-errors).-- Configure maintenance window schedules with the [Maintenance window](maintenance-window.md) feature.
+- Configure maintenance window schedules with the [Maintenance window](maintenance-window.md) feature.
azure-sql Saas Tenancy App Design Patterns https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/saas-tenancy-app-design-patterns.md
Other management features that scale well include the following:
#### Automation
-The management operations can be scripted and offered through a [devops](https://docs.microsoft.com/azure/devops/user-guide/what-is-azure-devops) model. The operations can even be automated and exposed in the application.
+The management operations can be scripted and offered through a [devops](/azure/devops/user-guide/what-is-azure-devops) model. The operations can even be automated and exposed in the application.
For example, you could automate the recovery of a single tenant to an earlier point in time. The recovery only needs to restore the one single-tenant database that stores the tenant. This restore has no impact on other tenants, which confirms that management operations are at the finely granular level of each individual tenant.
The following table summarizes the differences between the main tenancy models.
[image-mt-app-db-per-tenant-pool-153p]: media/saas-tenancy-app-design-patterns/saas-multi-tenant-app-database-per-tenant-pool-15.png "Design of multi-tenant app with database-per-tenant, using elastic pool."
-[image-mt-app-sharded-mt-db-174s]: media/saas-tenancy-app-design-patterns/saas-multi-tenant-app-sharded-multi-tenant-databases-17.png "Design of multi-tenant app with sharded multi-tenant databases."
+[image-mt-app-sharded-mt-db-174s]: media/saas-tenancy-app-design-patterns/saas-multi-tenant-app-sharded-multi-tenant-databases-17.png "Design of multi-tenant app with sharded multi-tenant databases."
azure-sql Service Tier Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/service-tier-hyperscale.md
Previously updated : 1/13/2021 Last updated : 3/31/2021 # Hyperscale service tier
These are the current limitations to the Hyperscale service tier as of GA. We'r
| Elastic Pools | Elastic Pools aren't currently supported with Hyperscale.| | Migration to Hyperscale is currently a one-way operation | Once a database is migrated to Hyperscale, it can't be migrated directly to a non-Hyperscale service tier. At present, the only way to migrate a database from Hyperscale to non-Hyperscale is to export/import using a bacpac file or other data movement technologies (Bulk Copy, Azure Data Factory, Azure Databricks, SSIS, etc.) Bacpac export/import from Azure portal, from PowerShell using [New-AzSqlDatabaseExport](/powershell/module/az.sql/new-azsqldatabaseexport) or [New-AzSqlDatabaseImport](/powershell/module/az.sql/new-azsqldatabaseimport), from Azure CLI using [az sql db export](/cli/azure/sql/db#az_sql_db_export) and [az sql db import](/cli/azure/sql/db#az_sql_db_import), and from [REST API](/rest/api/sql/) is not supported. Bacpac import/export for smaller Hyperscale databases (up to 200 GB) is supported using SSMS and [SqlPackage](/sql/tools/sqlpackage) version 18.4 and later. For larger databases, bacpac export/import may take a long time, and may fail for various reasons.| | Migration of databases with In-Memory OLTP objects | Hyperscale supports a subset of In-Memory OLTP objects, including memory-optimized table types, table variables, and natively compiled modules. However, when any kind of In-Memory OLTP objects are present in the database being migrated, migration from Premium and Business Critical service tiers to Hyperscale is not supported. To migrate such a database to Hyperscale, all In-Memory OLTP objects and their dependencies must be dropped. After the database is migrated, these objects can be recreated. Durable and non-durable memory-optimized tables are not currently supported in Hyperscale, and must be changed to disk tables.|
-| Geo Replication | You can't yet configure geo-replication for Azure SQL Database Hyperscale. |
-| Database Copy | Database copy on Hyperscale is now in public preview. |
+| Geo-replication | [Geo-replication](active-geo-replication-overview.md) on Hyperscale is now in public preview. |
+| Database Copy | [Database copy](database-copy.md) on Hyperscale is now in public preview. |
| Intelligent Database Features | With the exception of the "Force Plan" option, all other Automatic Tuning options aren't yet supported on Hyperscale: options may appear to be enabled, but there won't be any recommendations or actions made. | | Query Performance Insights | Query Performance Insights is currently not supported for Hyperscale databases. | | Shrink Database | DBCC SHRINKDATABASE or DBCC SHRINKFILE isn't currently supported for Hyperscale databases. |
azure-sql Sql Data Sync Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-data-sync-agent-overview.md
If you want to run the local agent from a different computer than it is currentl
4. Wait while the client agent downloads the list of on-premises databases that were registered earlier. 5. Provide database credentials for all databases that display as unreachable. These databases must be reachable from the new computer on which the agent is installed.
+### How do I delete the Sync metadata database if the Sync agent is still associated with it
+
+In order to delete a Sync metadata database that has a Sync agent associated with it, you must first delete the Sync agent. To delete the agent, do the following things:
+
+1. Select the Sync database.
+2. Go to the **Sync to other databases** page.
+3. Select the Sync agent and click on **Delete**.
+ ## <a name="agent-tshoot"></a> Troubleshoot Data Sync Agent issues - [The client agent install, uninstall, or repair fails](#agent-install)
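Review bot: the new FAQ heading is phrased as a question but has no question mark ("How do I delete the Sync metadata database if the Sync agent is still associated with it"); add one. In step 3, "Select the Sync agent and click on **Delete**" mixes verbs with steps 1 and 2; suggest "Select the Sync agent, and then select **Delete**." so the procedure uses one term throughout.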
For more info about SQL Data Sync, see the following articles:
- Troubleshoot - [Troubleshoot issues with Azure SQL Data Sync]sql-data-sync-troubleshoot.md) - Update the sync schema - With Transact-SQL - [Automate replication of schema changes with SQL Data Sync in Azure](sql-data-sync-update-sync-schema.md)
- - With PowerShell - [Use PowerShell to update the sync schema in an existing sync group](scripts/update-sync-schema-in-sync-group.md)
+ - With PowerShell - [Use PowerShell to update the sync schema in an existing sync group](scripts/update-sync-schema-in-sync-group.md)
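Review bot: the hunk only strips trailing whitespace on the PowerShell bullet, but the context line just above it carries a broken link that is worth fixing in the same change: `[Troubleshoot issues with Azure SQL Data Sync]sql-data-sync-troubleshoot.md)` is missing the opening parenthesis before the path, so it renders as literal text rather than a link. It should read `[Troubleshoot issues with Azure SQL Data Sync](sql-data-sync-troubleshoot.md)`.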
azure-sql Api References Create Manage Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/api-references-create-manage-instance.md
description: Learn about creating and configuring managed instances of Azure SQL
- ms.devlang:
azure-sql Machine Learning Services Differences https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/machine-learning-services-differences.md
Last updated 03/17/2021
# Key differences between Machine Learning Services in Azure SQL Managed Instance and SQL Server
-This article describes the few, key differences in functionality between [Machine Learning Services in Azure SQL Managed Instance](machine-learning-services-overview.md) and [SQL Server Machine Learning Services](https://docs.microsoft.com/sql/advanced-analytics/what-is-sql-server-machine-learning).
+This article describes the few, key differences in functionality between [Machine Learning Services in Azure SQL Managed Instance](machine-learning-services-overview.md) and [SQL Server Machine Learning Services](/sql/advanced-analytics/what-is-sql-server-machine-learning).
## Language support
There is no support in SQL Managed Instance for packages that depend on external
For more information about managing Python and R packages, see: -- [Get Python package information](https://docs.microsoft.com/sql/machine-learning/package-management/python-package-information?context=/azure/azure-sql/managed-instance/context/ml-context&view=azuresqldb-mi-current&preserve-view=true)-- [Get R package information](https://docs.microsoft.com/sql/machine-learning/package-management/r-package-information?context=/azure/azure-sql/managed-instance/context/ml-context&view=azuresqldb-mi-current&preserve-view=true)
+- [Get Python package information](/sql/machine-learning/package-management/python-package-information?context=%2fazure%2fazure-sql%2fmanaged-instance%2fcontext%2fml-context&preserve-view=true&view=azuresqldb-mi-current)
+- [Get R package information](/sql/machine-learning/package-management/r-package-information?context=%2fazure%2fazure-sql%2fmanaged-instance%2fcontext%2fml-context&preserve-view=true&view=azuresqldb-mi-current)
## Resource governance
sp_configure 'external scripts enabled', 0;
RECONFIGURE WITH OVERRIDE; ```
-The total resources available to SQL Managed Instance depend on which service tier you choose. For more information, see [Azure SQL Database purchasing models](/azure/sql-database/sql-database-service-tiers).
+The total resources available to SQL Managed Instance depend on which service tier you choose. For more information, see [Azure SQL Database purchasing models](../database/purchasing-models.md).
### Insufficient memory error
Machine Learning Services is currently not supported on [Azure SQL Managed Insta
- See the overview, [Machine Learning Services in Azure SQL Managed Instance](machine-learning-services-overview.md). - To learn how to use Python in Machine Learning Services, see [Run Python scripts](/sql/machine-learning/tutorials/quickstart-python-create-script?context=/azure/azure-sql/managed-instance/context/ml-context&view=azuresqldb-mi-current&preserve-view=true).-- To learn how to use R in Machine Learning Services, see [Run R scripts](/sql/machine-learning/tutorials/quickstart-r-create-script?context=/azure/azure-sql/managed-instance/context/ml-context&view=azuresqldb-mi-current&preserve-view=true).
+- To learn how to use R in Machine Learning Services, see [Run R scripts](/sql/machine-learning/tutorials/quickstart-r-create-script?context=/azure/azure-sql/managed-instance/context/ml-context&view=azuresqldb-mi-current&preserve-view=true).
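Review bot: the two tutorial links here keep the `context=/azure/azure-sql/managed-instance/context/ml-context` value unencoded with the parameters ordered `context`, `view`, `preserve-view`, while the package-management links changed earlier in this same file percent-encode the slashes as `%2f` and reorder the parameters to `context`, `preserve-view`, `view`. Both forms resolve, but pick one form for the file so later link checks and rewrites do not treat them as different URLs.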
azure-sql Access To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/access-to-sql-database-guide.md
Last updated 03/19/2021
In this guide, you learn [how to migrate](https://azure.microsoft.com/migration/migration-journey) your Microsoft Access database to an Azure SQL database by using [SQL Server Migration](https://azure.microsoft.com/en-us/migration/sql-server/) Assistant for Access (SSMA for Access).
-For other migration guides, see [Azure Database Migration Guide](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guide](/data-migration).
## Prerequisites
The Data SQL Engineering team developed these resources. This team's core charte
- To assess the application access layer, see [Data Access Migration Toolkit (preview)](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit).-- For information about how to perform Data Access Layer A/B testing, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For information about how to perform Data Access Layer A/B testing, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Db2 To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/db2-to-sql-database-guide.md
Last updated 11/06/2020
In this guide, you learn [how to migrate](https://azure.microsoft.com/migration/migration-journey) your IBM Db2 databases to Azure SQL Database, by using [SQL Server Migration](https://azure.microsoft.com/en-us/migration/sql-server/) Assistant for Db2.
-For other migration guides, see [Azure Database Migration Guides](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guides](/data-migration).
## Prerequisites
The Data SQL Engineering team developed these resources. This team's core charte
- [Cloud Migration Resources](https://azure.microsoft.com/migration/resources) - To assess the application access layer, see [Data Access Migration Toolkit](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit).-- For details on how to perform data access layer A/B testing, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For details on how to perform data access layer A/B testing, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Mysql To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/mysql-to-sql-database-guide.md
Last updated 03/19/2021
In this guide, you learn [how to migrate](https://azure.microsoft.com/migration/migration-journey) your MySQL database to an Azure SQL database by using [SQL Server Migration](https://azure.microsoft.com/en-us/migration/sql-server/) Assistant for MySQL (SSMA for MySQL).
-For other migration guides, see [Azure Database Migration Guide](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guide](/data-migration).
## Prerequisites
The Data SQL Engineering team developed these resources. This team's core charte
- For migration videos, see [Overview of the migration journey and recommended migration and assessment tools and services](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/). -- For more [cloud migration resources](https://azure.microsoft.com/migration/resources/), see [cloud migration solutions](https://azure.microsoft.com/migration).-
+- For more [cloud migration resources](https://azure.microsoft.com/migration/resources/), see [cloud migration solutions](https://azure.microsoft.com/migration).
azure-sql Oracle To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/oracle-to-sql-database-guide.md
Last updated 08/25/2020
In this guide, you learn [how to migrate](https://azure.microsoft.com/migration/migration-journey) your Oracle schemas to Azure SQL Database by using [SQL Server Migration](https://azure.microsoft.com/en-us/migration/sql-server/) Assistant for Oracle (SSMA for Oracle).
-For other migration guides, see [Azure Database Migration Guides](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guides](/data-migration).
## Prerequisites
The Data SQL Engineering team developed these resources. This team's core charte
- [Cloud Migration Resources](https://azure.microsoft.com/migration/resources) - For video content, see:
- - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
+ - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
azure-sql Sap Ase To Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/sap-ase-to-sql-database.md
Last updated 03/19/2021
In this guide, you learn [how to migrate](https://azure.microsoft.com/migration/migration-journey) your SAP Adapter Server Enterprise (ASE) databases to an Azure SQL database by using [SQL Server Migration](https://azure.microsoft.com/en-us/migration/sql-server/) Assistant for SAP Adapter Server Enterprise.
-For other migration guides, see [Azure Database Migration Guide](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guide](/data-migration).
## Prerequisites
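Review bot: the context line above expands ASE as "SAP Adapter Server Enterprise" twice; the product is SAP Adaptive Server Enterprise. Since the line is already being touched for the link change, correct both occurrences, including the one inside the "SQL Server Migration Assistant for SAP Adapter Server Enterprise" tool name.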
For more information about these issues and the steps to mitigate them, see the
- [Cloud Migration Resources](https://azure.microsoft.com/migration/resources) - To assess the application access layer, see [Data Access Migration Toolkit (preview)](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit).-- For details on how to perform Data Access Layer A/B testing see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For details on how to perform Data Access Layer A/B testing see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Sql Server To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/sql-server-to-sql-database-guide.md
You can migrate SQL Server running on-premises or on:
- Compute Engine (Google Cloud Platform - GCP) - Cloud SQL for SQL Server (Google Cloud Platform ΓÇô GCP)
-For more migration information, see the [migration overview](sql-server-to-sql-database-overview.md). For other migration guides, see [Database Migration](https://docs.microsoft.com/data-migration).
+For more migration information, see the [migration overview](sql-server-to-sql-database-overview.md). For other migration guides, see [Database Migration](/data-migration).
:::image type="content" source="media/sql-server-to-database-overview/migration-process-flow-small.png" alt-text="Migration process flow":::
To learn more, see [managing Azure SQL Database after migration](../../database/
- [Cloud Migration Resources](https://azure.microsoft.com/migration/resources) - To assess the Application access layer, see [Data Access Migration Toolkit (Preview)](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit)-- For details on how to perform Data Access Layer A/B testing see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For details on how to perform Data Access Layer A/B testing see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Sql Server To Sql Database Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/sql-server-to-sql-database-overview.md
You can migrate SQL Server databases running on-premises or on:
- Compute Engine in Google Cloud Platform (GCP). - Cloud SQL for SQL Server in GCP.
-For other migration guides, see [Database Migration](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Database Migration](/data-migration).
## Overview
The Data SQL Engineering team developed these resources. This team's core charte
- To assess the application access layer, see [Data Access Migration Toolkit (Preview)](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit). -- For details on how to perform A/B testing for the data access layer, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For details on how to perform A/B testing for the data access layer, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Db2 To Managed Instance Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/db2-to-managed-instance-guide.md
Last updated 11/06/2020
This guide teaches you to migrate your IBM Db2 databases to Azure SQL Managed Instance, by using the SQL Server Migration Assistant for Db2.
-For other migration guides, see [Azure Database Migration Guides](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guides](/data-migration).
## Prerequisites
The Data SQL Engineering team developed these resources. This team's core charte
- [Best practices for costing and sizing workloads migrated to Azure](/azure/cloud-adoption-framework/migrate/azure-best-practices/migrate-best-practices-costs) - To assess the application access layer, see [Data Access Migration Toolkit](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit).-- For details on how to perform data access layer A/B testing, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For details on how to perform data access layer A/B testing, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Oracle To Managed Instance Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/oracle-to-managed-instance-guide.md
Last updated 11/06/2020
In this guide, you learn how to migrate your Oracle schemas to Azure SQL Managed Instance by using SQL Server Migration Assistant for Oracle (SSMA for Oracle).
-For other migration guides, see [Azure Database Migration Guides](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guides](/data-migration).
## Prerequisites
The Data SQL Engineering team developed these resources. This team's core charte
- [Best practices for costing and sizing workloads for migration to Azure](/azure/cloud-adoption-framework/migrate/azure-best-practices/migrate-best-practices-costs) - For video content, see:
- - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
+ - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
azure-sql Sql Server To Managed Instance Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide.md
You can migrate SQL Server running on-premises or on:
- Compute Engine (Google Cloud Platform - GCP) - Cloud SQL for SQL Server (Google Cloud Platform ΓÇô GCP)
-For more migration information, see the [migration overview](sql-server-to-managed-instance-overview.md). For other migration guides, see [Database Migration](https://docs.microsoft.com/data-migration).
+For more migration information, see the [migration overview](sql-server-to-managed-instance-overview.md). For other migration guides, see [Database Migration](/data-migration).
:::image type="content" source="media/sql-server-to-managed-instance-overview/migration-process-flow-small.png" alt-text="Migration process flow":::
azure-sql Sql Server To Managed Instance Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview.md
You can migrate SQL Server databases running on-premises or on:
- Compute Engine in Google Cloud Platform (GCP). - Cloud SQL for SQL Server in GCP.
-For other migration guides, see [Database Migration](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Database Migration](/data-migration).
## Overview
The Data SQL Engineering team developed these resources. This team's core charte
- To assess the application access layer, see [Data Access Migration Toolkit (Preview)](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit). -- For details on how to perform A/B testing at the data access layer, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For details on how to perform A/B testing at the data access layer, see [Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Db2 To Sql On Azure Vm Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/db2-to-sql-on-azure-vm-guide.md
Last updated 11/06/2020
This guide teaches you to migrate your user databases from IBM Db2 to SQL Server on Azure VM, by using the SQL Server Migration Assistant for Db2.
-For other migration guides, see [Azure Database Migration Guides](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Azure Database Migration Guides](/data-migration).
## Prerequisites
After migration, review the [Post-migration validation and optimization guide](/
For Microsoft and third-party services and tools that are available to assist you with various database and data migration scenarios, see [Data migration services and tools](../../../dms/dms-tools-matrix.md).
-For video content, see [Overview of the migration journey](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/).
+For video content, see [Overview of the migration journey](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/).
azure-sql Oracle To Sql On Azure Vm Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/oracle-to-sql-on-azure-vm-guide.md
Last updated 11/06/2020
This guide teaches you to migrate your Oracle schemas to SQL Server on Azure Virtual Machines by using SQL Server Migration Assistant for Oracle.
-For other migration guides, see [Database Migration](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Database Migration](/data-migration).
## Prerequisites
To publish your schema and migrate the data, follow these steps:
![Screenshot that shows a SQL Server instance in SSMA.](./media/oracle-to-sql-on-azure-vm-guide/validate-in-ssms.png) Instead of using SSMA, you could use SQL Server Integration Services (SSIS) to migrate the data. To learn more, see: -- The article [SQL Server Integration Services](https://docs.microsoft.com//sql/integration-services/sql-server-integration-services).
+- The article [SQL Server Integration Services](//sql/integration-services/sql-server-integration-services).
- The white paper [SSIS for Azure and Hybrid Data Movement](https://download.microsoft.com/download/D/2/0/D20E1C5F-72EA-4505-9F26-FEF9550EFD44/SSIS%20Hybrid%20and%20Azure.docx).
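Review bot: the replacement `[SQL Server Integration Services](//sql/integration-services/sql-server-integration-services)` is wrong. The old URL had a doubled slash after the host (`docs.microsoft.com//sql/...`), and stripping only the host leaves `//sql/...`, which browsers resolve as a protocol-relative URL to a host named `sql`. Use `/sql/integration-services/sql-server-integration-services` with a single leading slash, as the other links in this change set do.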
The Data SQL Engineering team developed these resources. This team's core charte
- [Get free extended support for SQL Server 2008 and SQL Server 2008 R2](../../virtual-machines/windows/sql-server-2008-extend-end-of-support.md) - To assess the application access layer, use [Data Access Migration Toolkit Preview](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit).-- For details on how to do data access layer A/B testing, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).--
+- For details on how to do data access layer A/B testing, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Sql Server To Sql On Azure Vm Individual Databases Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide.md
You can migrate SQL Server running on-premises or on:
- Amazon Relational Database Service (AWS RDS). - Compute Engine (Google Cloud Platform [GCP]).
-For information about extra migration strategies, see the [SQL Server VM migration overview](sql-server-to-sql-on-azure-vm-migration-overview.md). For other migration guides, see [Azure Database Migration Guides](https://docs.microsoft.com/data-migration).
+For information about extra migration strategies, see the [SQL Server VM migration overview](sql-server-to-sql-on-azure-vm-migration-overview.md). For other migration guides, see [Azure Database Migration Guides](/data-migration).
:::image type="content" source="media/sql-server-to-sql-on-azure-vm-migration-overview/migration-process-flow-small.png" alt-text="Diagram that shows a migration process flow.":::
Before you begin your migration, you need to discover the topology of your SQL e
Azure Migrate assesses migration suitability of on-premises computers, performs performance-based sizing, and provides cost estimations for running on-premises. To plan for the migration, use Azure Migrate to [identify existing data sources and details about the features](../../../migrate/concepts-assessment-calculation.md) your SQL Server instances use. This process involves scanning the network to identify all of your SQL Server instances in your organization with the version and features in use. > [!IMPORTANT]
-> When you choose a target Azure virtual machine for your SQL Server instance, be sure to consider the [Performance guidelines for SQL Server on Azure Virtual Machines](../../virtual-machines/windows/performance-guidelines-best-practices.md).
+> When you choose a target Azure virtual machine for your SQL Server instance, be sure to consider the [Performance guidelines for SQL Server on Azure Virtual Machines](../../virtual-machines/windows/performance-guidelines-best-practices-checklist.md).
For more discovery tools, see the [services and tools](../../../dms/dms-tools-matrix.md#business-justification-phase) available for data migration scenarios.
The following table provides a list of components and recommended migration meth
| **Feature** | **Component** | **Migration methods** | | | | | | **Databases** | Model | Script with SQL Server Management Studio. |
-|| TempDB | Plan to move tempDB onto [Azure VM temporary disk (SSD)](../../virtual-machines/windows/performance-guidelines-best-practices.md#temporary-disk)) for best performance. Be sure to pick a VM size that has a sufficient local SSD to accommodate your tempDB. |
+|| TempDB | Plan to move tempDB onto [Azure VM temporary disk (SSD)](../../virtual-machines/windows/performance-guidelines-best-practices-checklist.md#storage)) for best performance. Be sure to pick a VM size that has a sufficient local SSD to accommodate your tempDB. |
|| User databases with FileStream | Use the [Backup and restore](../../virtual-machines/windows/migrate-to-vm-from-sql-server.md#back-up-and-restore) methods for migration. Data Migration Assistant doesn't support databases with FileStream. | | **Security** | SQL Server and Windows logins | Use Data Migration Assistant to [migrate user logins](/sql/dma/dma-migrateserverlogins). | || SQL Server roles | Script with SQL Server Management Studio. |
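Review bot: the TempDB row still ends its link with a doubled closing parenthesis, `...#storage))`, which was already present in the old text (`#temporary-disk))`) and shows up as a stray `)` in the rendered table; drop one. Also note that the retarget replaces the specific `#temporary-disk` anchor with the broader `#storage`; if the checklist article has a section on the temporary disk, link to that anchor so the reader lands on the tempdb guidance rather than the top of the storage section.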
The post-migration phase is crucial for reconciling any data accuracy issues, ve
For more information about these issues and the steps to mitigate them, see: - [Post-migration validation and optimization guide](/sql/relational-databases/post-migration-validation-and-optimization-guide)-- [Tuning performance in Azure SQL virtual machines](../../virtual-machines/windows/performance-guidelines-best-practices.md)
+- [Tuning performance in Azure SQL virtual machines](../../virtual-machines/windows/performance-guidelines-best-practices-checklist.md)
- [Azure cost optimization center](https://azure.microsoft.com/overview/cost-optimization/) ## Next steps
For more information about these issues and the steps to mitigate them, see:
- [Get free extended support for SQL Server 2008 and SQL Server 2008 R2](../../virtual-machines/windows/sql-server-2008-extend-end-of-support.md) - To assess the application access layer, see [Data Access Migration Toolkit (preview)](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit).-- For information about how to perform A/B testing for the data access layer, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For information about how to perform A/B testing for the data access layer, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-sql Sql Server To Sql On Azure Vm Migration Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview.md
You can migrate SQL Server running on-premises or on:
- Amazon Relational Database Service (AWS RDS) - Compute Engine (Google Cloud Platform - GCP)
-For other migration guides, see [Database Migration](https://docs.microsoft.com/data-migration).
+For other migration guides, see [Database Migration](/data-migration).
## Overview
Save on costs by bringing your own license with the [Azure Hybrid Benefit licens
## Choose appropriate target Azure Virtual Machines run in many different regions of Azure and also offer a variety of [machine sizes](../../../virtual-machines/sizes.md) and [Storage options](../../../virtual-machines/disks-types.md).
-When determining the correct size of VM and Storage for your SQL Server workload, refer to the [Performance Guidelines for SQL Server on Azure Virtual Machines.](../../virtual-machines/windows/performance-guidelines-best-practices.md#vm-size-guidance). To determine the VM size and storage requirements for your workload. it is recommended that these are sized through a Performance-Based [Azure Migrate Assessment](../../../migrate/concepts-assessment-calculation.md#types-of-assessments). If this is not an available option, see the following article on creating your own [baseline for performance](https://azure.microsoft.com/services/virtual-machines/sql-server/).
+When determining the correct size of VM and Storage for your SQL Server workload, refer to the [Performance Guidelines for SQL Server on Azure Virtual Machines.](../../virtual-machines/windows/performance-guidelines-best-practices-checklist.md#vm-size). To determine the VM size and storage requirements for your workload. it is recommended that these are sized through a Performance-Based [Azure Migrate Assessment](../../../migrate/concepts-assessment-calculation.md#types-of-assessments). If this is not an available option, see the following article on creating your own [baseline for performance](https://azure.microsoft.com/services/virtual-machines/sql-server/).
Consideration should also be made on the correct installation and configuration of SQL Server on a VM. It is recommended to use the [Azure SQL virtual machine image gallery](../../virtual-machines/windows/create-sql-vm-portal.md) as this allows you to create a SQL Server VM with the right version, edition, and operating system. This will also register the Azure VM with the SQL Server [Resource Provider](../../virtual-machines/windows/create-sql-vm-portal.md) automatically, enabling features such as Automated Backups and Automated Patching.
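Review bot: since this line is being rewritten, fix the punctuation around the link as well. The link text ends with a period inside the brackets and is followed by another period (`...Virtual Machines.](...).`), and the next sentence is broken by a period where a comma belongs: `To determine the VM size and storage requirements for your workload. it is recommended` should read `To determine the VM size and storage requirements for your workload, it is recommended`.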
azure-sql Availability Group Manually Configure Prerequisites Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-manually-configure-prerequisites-tutorial.md
Next, create three VMs - two SQL Server VMs and one VM for an additional cluster
<br/> > [!NOTE]
-> The machine sizes suggested here are meant for testing availability groups in Azure Virtual Machines. For the best performance on production workloads, see the recommendations for SQL Server machine sizes and configuration in [Performance best practices for SQL Server in Azure Virtual Machines](performance-guidelines-best-practices.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json).
+> The machine sizes suggested here are meant for testing availability groups in Azure Virtual Machines. For the best performance on production workloads, see the recommendations for SQL Server machine sizes and configuration in [Performance best practices for SQL Server in Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json).
> After the three VMs are fully provisioned, you need to join them to the **corp.contoso.com** domain and grant CORP\Install administrative rights to the machines.
Repeat these steps on the second SQL Server VM.
## Next steps
-* [Create a SQL Server Always On availability group on Azure Virtual Machines](availability-group-manually-configure-tutorial.md)
+* [Create a SQL Server Always On availability group on Azure Virtual Machines](availability-group-manually-configure-tutorial.md)
azure-sql Create Sql Vm Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/create-sql-vm-portal.md
On the **Basics** tab, provide the following information:
1. Choose a location for your **Region**. 1. For the purpose of this guide, leave **Availability options** set to _No infrastructure redundancy required_. To find out more information about availability options, see [Availability](../../../virtual-machines/availability.md). 1. In the **Image** list, select _Free SQL Server License: SQL Server 2017 Developer on Windows Server 2016_.
- 1. Choose to **Change size** for the **Size** of the virtual machine and select the **A2 Basic** offering. Be sure to clean up your resources once you're done with them to prevent any unexpected charges. For production workloads, see the recommended machine sizes and configuration in [Performance best practices for SQL Server in Azure Virtual Machines](performance-guidelines-best-practices.md).
+ 1. Choose to **Change size** for the **Size** of the virtual machine and select the **A2 Basic** offering. Be sure to clean up your resources once you're done with them to prevent any unexpected charges. For production workloads, see the recommended machine sizes and configuration in [Performance best practices for SQL Server in Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md).
![Instance details](./media/create-sql-vm-portal/basics-instance-details.png)
azure-sql Doc Changes Updates Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/doc-changes-updates-release-notes.md
Azure allows you to deploy a virtual machine (VM) with an image of SQL Server bu
* [Provision SQL Server on a Windows VM](create-sql-vm-portal.md) * [Migrate a database to SQL Server on an Azure VM](migrate-to-vm-from-sql-server.md) * [High availability and disaster recovery for SQL Server on Azure Virtual Machines](business-continuity-high-availability-disaster-recovery-hadr-overview.md)
-* [Performance best practices for SQL Server on Azure Virtual Machines](performance-guidelines-best-practices.md)
+* [Performance best practices for SQL Server on Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md)
* [Application patterns and development strategies for SQL Server on Azure Virtual Machines](application-patterns-development-strategies.md) **Linux VMs**:
azure-sql Frequently Asked Questions Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/frequently-asked-questions-faq.md
This article provides answers to some of the most common questions about running
Yes. The SQL Server installation media is located in a folder on the **C** drive. Run **Setup.exe** from that location to add new SQL Server instances or to change other installed features of SQL Server on the machine. Note that some features, such as Automated Backup, Automated Patching, and Azure Key Vault Integration, only operate against the default instance, or a named instance that was configured properly (See Question 3). Customers using [Software Assurance through the Azure Hybrid Benefit](licensing-model-azure-hybrid-benefit-ahb-change.md) or the **pay-as-you-go** licensing model can install multiple instances of SQL Server on the virtual machine without incurring extra licensing costs. Additional SQL Server instances may strain system resources unless configured correctly. 1. **What is the maximum number of instances on a VM?**
- SQL Server 2012 to SQL Server 2019 can support [50 instances](/sql/sql-server/editions-and-components-of-sql-server-version-15#RDBMSSP) on a stand-alone server. This is the same limit regardless of in Azure on-premises. See [best practices](performance-guidelines-best-practices.md#multiple-instances) to learn how to better prepare your environment.
+ SQL Server 2012 to SQL Server 2019 can support [50 instances](/sql/sql-server/editions-and-components-of-sql-server-version-15#RDBMSSP) on a stand-alone server. This is the same limit regardless of in Azure on-premises. See [best practices](./performance-guidelines-best-practices-checklist.md) to learn how to better prepare your environment.
1. **Can I uninstall the default instance of SQL Server?**
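Review bot: the replacement link in the added line drops the `#multiple-instances` anchor that the removed line carried, so readers sent to "learn how to better prepare your environment" now land at the top of the checklist instead of the multi-instance guidance; either point the link at the section of the new checklist (or sub-article) that covers multiple instances, or keep an anchor that exists in the target. While touching this line, "This is the same limit regardless of in Azure on-premises" is missing a conjunction in both the removed and the added text; suggest "regardless of whether the server runs in Azure or on-premises".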
This article provides answers to some of the most common questions about running
* [Provision SQL Server on a Windows VM](create-sql-vm-portal.md) * [Migrating a Database to SQL Server on an Azure VM](migrate-to-vm-from-sql-server.md) * [High Availability and Disaster Recovery for SQL Server on Azure Virtual Machines](business-continuity-high-availability-disaster-recovery-hadr-overview.md)
-* [Performance best practices for SQL Server on Azure Virtual Machines](performance-guidelines-best-practices.md)
+* [Performance best practices for SQL Server on Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md)
* [Application Patterns and Development Strategies for SQL Server on Azure Virtual Machines](application-patterns-development-strategies.md) **Linux VMs**:
This article provides answers to some of the most common questions about running
* [Overview of SQL Server on a Linux VM](../linux/sql-server-on-linux-vm-what-is-iaas-overview.md) * [Provision SQL Server on a Linux VM](../linux/sql-vm-create-portal-quickstart.md) * [FAQ (Linux)](../linux/frequently-asked-questions-faq.md)
-* [SQL Server on Linux documentation](/sql/linux/sql-server-linux-overview)
+* [SQL Server on Linux documentation](/sql/linux/sql-server-linux-overview)
azure-sql Performance Guidelines Best Practices Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-storage.md
For example, the [M-series](../../../virtual-machines/m-series.md) documentation
Likewise, you can see that the Standard_M32ts supports 20,000 uncached disk IOPS and 500 MBps uncached disk throughput. This limit is governed at the virtual machine level regardless of the underlying premium disk storage.
-For more information, see [uncached and cached limits](../../../virtual-machines/linux/disk-performance-linux.md#virtual-machine-uncached-vs-cached-limits).
+For more information, see [uncached and cached limits](../../../virtual-machines/disks-performance.md#virtual-machine-uncached-vs-cached-limits).
### Cached and temp storage throughput
For more information on disk capping limitations and using caching to avoid capp
## Write Acceleration
-Write Acceleration is a disk feature that is only available for the [M-Series](https://docs.microsoft.com/azure/virtual-machines/m-series) Virtual Machines (VMs). The purpose of Write Acceleration is to improve the I/O latency of writes against Azure Premium Storage when you need single digit I/O latency due to high volume mission critical OLTP workloads or data warehouse environments.
+Write Acceleration is a disk feature that is only available for the [M-Series](../../../virtual-machines/m-series.md) Virtual Machines (VMs). The purpose of Write Acceleration is to improve the I/O latency of writes against Azure Premium Storage when you need single digit I/O latency due to high volume mission critical OLTP workloads or data warehouse environments.
Use Write Acceleration to improve write latency to the drive hosting the log files. Do not use Write Acceleration for SQL Server data files.
For security best practices, see [Security considerations for SQL Server on Azur
For detailed testing of SQL Server performance on Azure VMs with TPC-E and TPC_C benchmarks, refer to the blog [Optimize OLTP performance](https://techcommunity.microsoft.com/t5/sql-server/optimize-oltp-performance-with-sql-server-on-azure-vm/ba-p/916794).
-Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
azure-sql Performance Guidelines Best Practices Vm Size https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size.md
There is typically a trade-off between optimizing for costs and optimizing for p
Review the following checklist for a brief overview of the VM size best practices that the rest of the article covers in greater detail: -- Use VM sizes with 4 or more vCPU like the [Standard_M8-4ms](/azure/virtual-machines/m-series), the [E4ds_v4](../../../virtual-machines/edv4-edsv4-series.md#edv4-series), or the [DS12_v2](../../../virtual-machines/dv2-dsv2-series-memory.md#dsv2-series-11-15) or higher.
+- Use VM sizes with 4 or more vCPU like the [Standard_M8-4ms](../../../virtual-machines/m-series.md), the [E4ds_v4](../../../virtual-machines/edv4-edsv4-series.md#edv4-series), or the [DS12_v2](../../../virtual-machines/dv2-dsv2-series-memory.md#dsv2-series-11-15) or higher.
- Use [memory optimized](../../../virtual-machines/sizes-memory.md) virtual machine sizes for the best performance of SQL Server workloads. -- The [DSv2 11-15](../../../virtual-machines/dv2-dsv2-series-memory.md), [Edsv4](../../../virtual-machines/edv4-edsv4-series.md) series, the [M-](/azure/virtual-machines/m-series), and the [Mv2-](../../../virtual-machines/mv2-series.md) series offer the optimal memory-to-vCore ratio required for OLTP workloads. Both M series VMs offer the highest memory-to-vCore ratio required for mission critical workloads and are also ideal for data warehouse workloads.
+- The [DSv2 11-15](../../../virtual-machines/dv2-dsv2-series-memory.md), [Edsv4](../../../virtual-machines/edv4-edsv4-series.md) series, the [M-](../../../virtual-machines/m-series.md), and the [Mv2-](../../../virtual-machines/mv2-series.md) series offer the optimal memory-to-vCore ratio required for OLTP workloads. Both M series VMs offer the highest memory-to-vCore ratio required for mission critical workloads and are also ideal for data warehouse workloads.
- Consider a higher memory-to-vCore ratio for mission critical and data warehouse workloads. - Leverage the Azure Virtual Machine marketplace images as the SQL Server settings and storage options are configured for optimal SQL Server performance. - Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.
The [memory optimized virtual machine sizes](../../../virtual-machines/sizes-mem
### M, Mv2, and Mdsv2 series
-The [M-series](/azure/virtual-machines/m-series) offers vCore counts and memory for some of the largest SQL Server workloads.
+The [M-series](../../../virtual-machines/m-series.md) offers vCore counts and memory for some of the largest SQL Server workloads.
The [Mv2-series](../../../virtual-machines/mv2-series.md) has the highest vCore counts and memory and is recommended for mission critical and data warehouse workloads. Mv2-series instances are memory optimized VM sizes providing unparalleled computational performance to support large in-memory databases and workloads with a high memory-to-CPU ratio that is perfect for relational database servers, large caches, and in-memory analytics.
-The [Standard_M64ms](/azure/virtual-machines/m-series) has a 28 memory-to-vCore ratio for example.
+The [Standard_M64ms](../../../virtual-machines/m-series.md) has a 28 memory-to-vCore ratio for example.
[Mdsv2 Medium Memory series](../../..//virtual-machines/msv2-mdsv2-series.md) is a new M-series that is currently in [preview](https://aka.ms/Mv2MedMemoryPreview) that offers a range of M-series level Azure virtual machines with a midtier memory offering. These machines are well suited for SQL Server workloads with a minimum of 10 memory-to-vCore support up to 30.
The vCPU count can be constrained to one-half to one-quarter of the original VM
These new VM sizes have a suffix that specifies the number of active vCPUs to make them easier to identify.
-For example, the [M64-32ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 32 SQL Server vCores with the memory, I/O, and throughput of the [M64ms](/azure/virtual-machines/m-series) and the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 16 vCores. Though while the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) has a quarter of the SQL Server licensing cost of the M64ms, the compute cost of the virtual machine will be the same.
+For example, the [M64-32ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 32 SQL Server vCores with the memory, I/O, and throughput of the [M64ms](../../../virtual-machines/m-series.md) and the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 16 vCores. Though while the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) has a quarter of the SQL Server licensing cost of the M64ms, the compute cost of the virtual machine will be the same.
> [!NOTE] > - Medium to large data warehouse workloads may still benefit from [constrained vCore VMs](../../../virtual-machines/constrained-vcpu.md), but data warehouse workloads are commonly characterized by fewer users and processes addressing larger amounts of data through query plans that run in parallel.
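Review bot: the last sentence of the added line keeps the doubled conjunction from the removed line, "Though while the [M64-16ms] has a quarter of the SQL Server licensing cost of the M64ms"; drop "Though" so it reads "While the M64-16ms has a quarter of the SQL Server licensing cost of the M64ms, the compute cost of the virtual machine will be the same." The first sentence would also read more clearly split after "of the M64ms", since it currently chains two examples and three links into one clause.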
To learn more, see the other articles in this series:
For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
-Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
azure-sql Security Considerations Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/security-considerations-best-practices.md
For more information about virtual machine security, see the [virtual machines s
## Next steps
-If you are also interested in best practices around performance, see [Performance Best Practices for SQL Server on Azure Virtual Machines](performance-guidelines-best-practices.md).
+If you are also interested in best practices around performance, see [Performance Best Practices for SQL Server on Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md).
For other topics related to running SQL Server in Azure VMs, see [SQL Server on Azure Virtual Machines overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
azure-sql Sql Server On Azure Vm Iaas What Is Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md
If you require high availability, consider configuring SQL Server Availability G
## Performance
-Azure virtual machines offer different machine sizes to meet various workload demands. SQL Server VMs also provide automated storage configuration, which is optimized for your performance requirements. For more information about configuring storage for SQL Server VMs, see [Storage configuration for SQL Server VMs](storage-configuration.md). To fine-tune performance, see the [Performance best practices for SQL Server on Azure Virtual Machines](performance-guidelines-best-practices.md).
+Azure virtual machines offer different machine sizes to meet various workload demands. SQL Server VMs also provide automated storage configuration, which is optimized for your performance requirements. For more information about configuring storage for SQL Server VMs, see [Storage configuration for SQL Server VMs](storage-configuration.md). To fine-tune performance, see the [Performance best practices for SQL Server on Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md).
## Get started with SQL Server VMs
azure-sql Storage Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/storage-configuration.md
When provisioning an Azure VM using a SQL Server gallery image, select **Change
Select the type of workload you're deploying your SQL Server for under **Storage optimization**. With the **General** optimization option, by default you will have one data disk with 5000 max IOPS, and you will use this same drive for your data, transaction log, and TempDB storage.
-Selecting either **Transactional processing** (OLTP) or **Data warehousing** will create a separate disk for data, a separate disk for the transaction log, and use local SSD for TempDB. There are no storage differences between **Transactional processing** and **Data warehousing**, but it does change your [stripe configuration, and trace flags](#workload-optimization-settings). Choosing premium storage sets the caching to *ReadOnly* for the data drive, and *None* for the log drive as per [SQL Server VM performance best practices](performance-guidelines-best-practices.md).
+Selecting either **Transactional processing** (OLTP) or **Data warehousing** will create a separate disk for data, a separate disk for the transaction log, and use local SSD for TempDB. There are no storage differences between **Transactional processing** and **Data warehousing**, but it does change your [stripe configuration, and trace flags](#workload-optimization-settings). Choosing premium storage sets the caching to *ReadOnly* for the data drive, and *None* for the log drive as per [SQL Server VM performance best practices](./performance-guidelines-best-practices-checklist.md).
![SQL Server VM Storage Configuration During Provisioning](./media/storage-configuration/sql-vm-storage-configuration.png)
To enable Write Acceleration using the Azure portal, follow these steps:
For more throughput, you can add additional data disks and use disk striping. To determine the number of data disks, analyze the throughput and bandwidth required for your SQL Server data files, including the log and tempdb. Throughput and bandwidth limits vary by VM size. To learn more, see [VM Size](../../../virtual-machines/sizes.md)
-* For Windows 8/Windows Server 2012 or later, use [Storage Spaces](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831739(v=ws.11)) with the following guidelines:
+* For Windows 8/Windows Server 2012 or later, use [Storage Spaces](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831739(v=ws.11)) with the following guidelines:
1. Set the interleave (stripe size) to 64 KB (65,536 bytes) to avoid performance impact due to partition misalignment. This must be set with PowerShell.
For example, the following PowerShell creates a new storage pool with the interl
-AllocationUnitSize 65536 -Confirm:$false ```
- * For Windows 2008 R2 or earlier, you can use dynamic disks (OS striped volumes) and the stripe size is always 64 KB. This option is deprecated as of Windows 8/Windows Server 2012. For information, see the support statement at [Virtual Disk Service is transitioning to Windows Storage Management API](https://docs.microsoft.com/windows/win32/w8cookbook/vds-is-transitioning-to-wmiv2-based-windows-storage-management-api).
+ * For Windows 2008 R2 or earlier, you can use dynamic disks (OS striped volumes) and the stripe size is always 64 KB. This option is deprecated as of Windows 8/Windows Server 2012. For information, see the support statement at [Virtual Disk Service is transitioning to Windows Storage Management API](/windows/win32/w8cookbook/vds-is-transitioning-to-wmiv2-based-windows-storage-management-api).
- * If you are using [Storage Spaces Direct (S2D)](https://docs.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-in-vm) with [SQL Server Failover Cluster Instances](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/failover-cluster-instance-storage-spaces-direct-manually-configure), you must configure a single pool. Although different volumes can be created on that single pool, they will all share the same characteristics, such as the same caching policy.
+ * If you are using [Storage Spaces Direct (S2D)](/windows-server/storage/storage-spaces/storage-spaces-direct-in-vm) with [SQL Server Failover Cluster Instances](./failover-cluster-instance-storage-spaces-direct-manually-configure.md), you must configure a single pool. Although different volumes can be created on that single pool, they will all share the same characteristics, such as the same caching policy.
* Determine the number of disks associated with your storage pool based on your load expectations. Keep in mind that different VM sizes allow different numbers of attached data disks. For more information, see [Sizes for virtual machines](../../../virtual-machines/sizes.md?toc=/azure/virtual-machines/windows/toc.json). ## Next steps
-For other topics related to running SQL Server in Azure VMs, see [SQL Server on Azure Virtual Machines](sql-server-on-azure-vm-iaas-what-is-overview.md).
+For other topics related to running SQL Server in Azure VMs, see [SQL Server on Azure Virtual Machines](sql-server-on-azure-vm-iaas-what-is-overview.md).
azure-sql Storage Migrate To Ultradisk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/storage-migrate-to-ultradisk.md
At this point, the database comes online with the log in the new location.
## Next steps
-Review the [performance best practices](performance-guidelines-best-practices.md) for additional settings to improve performance.
+Review the [performance best practices](./performance-guidelines-best-practices-checklist.md) for additional settings to improve performance.
For an overview of SQL Server on Azure Virtual Machines, see the following articles: - [Overview of SQL Server on Windows VMs](sql-server-on-azure-vm-iaas-what-is-overview.md)-- [Overview of SQL Server on Linux VMs](../linux/sql-server-on-linux-vm-what-is-iaas-overview.md)
+- [Overview of SQL Server on Linux VMs](../linux/sql-server-on-linux-vm-what-is-iaas-overview.md)
azure-vmware Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-identity.md
To prevent the creation of roles that can't be assigned or deleted, Azure VMware
>[!NOTE] >NSX-T 2.5 is currently supported for all new private clouds.
-Use the *administrator* account to access NSX-T Manager. It has full privileges and lets you create and manage Tier-1 (T1) Gateways, segments (logical switches), and all services. The privileges give you access to the NSX-T Tier-0 (T0) Gateway. A change to the T0 Gateway could result in degraded network performance or no private cloud access. Open a support request in the Azure portal to request any changes to your NSX-T T0 Gateway.
+Use the *admin* account to access NSX-T Manager. It has full privileges and lets you create and manage Tier-1 (T1) Gateways, segments (logical switches), and all services. The privileges give you access to the NSX-T Tier-0 (T0) Gateway. A change to the T0 Gateway could result in degraded network performance or no private cloud access. Open a support request in the Azure portal to request any changes to your NSX-T T0 Gateway.
+
+>[!TIP]
+>You can use the [simplified NSX feature in the Azure portal](configure-nsx-network-components-azure-portal.md) as an alternative to using NSX-T Manager.
## Next steps
azure-vmware Concepts Private Clouds Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-private-clouds-clusters.md
Title: Concepts - Private clouds and clusters description: Learn about the key capabilities of Azure VMware Solution software-defined data centers and vSphere clusters. Previously updated : 04/23/2021 Last updated : 04/27/2021 # Azure VMware Solution private cloud and cluster concepts
azure-vmware Concepts Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-storage.md
Title: Concepts - Storage
description: Learn about storage capacity, storage policies, fault tolerance, and storage integration in Azure VMware Solution private clouds. Previously updated : 04/23/2021 Last updated : 04/26/2021 # Azure VMware Solution storage concepts
-Azure VMware Solution private clouds provide native, cluster-wide storage with VMware vSAN. All local storage from each host in a cluster is used in a vSAN datastore, and data-at-rest encryption is available and enabled by default. You can use Azure Storage resources to extend storage capabilities of your private clouds.
+Azure VMware Solution private clouds provide native, cluster-wide storage with VMware vSAN. Local storage from each host in a cluster is used in a vSAN datastore, and data-at-rest encryption is available and enabled by default. You can use Azure Storage resources to extend storage capabilities of your private clouds.
## vSAN clusters
-The [AV36 SKU](https://azure.microsoft.com/pricing/details/azure-vmware/) includes two 1.6-TB NVMe cache and eight 1.9-TB raw storage capacity. These are then split into two disk groups. The size of the raw capacity tier of a cluster is the per-host capacity times the number of hosts. For example, a four host cluster provides 61.6-TB raw capacity in the vSAN capacity tier.
+Local storage in each cluster host is used as part of a vSAN datastore. All diskgroups use an NVMe cache tier of 1.6 TB with the raw, per host, SSD-based capacity of 15.4 TB. The size of the raw capacity tier of a cluster is the per host capacity times the number of hosts. For example, a four host cluster provides 61.6-TB raw capacity in the vSAN capacity tier.
Local storage in cluster hosts is used in cluster-wide vSAN datastore. All datastores are created as part of private cloud deployment and are available for use immediately. The **cloudadmin** user and all users assigned to the CloudAdmin role can manage datastores with these vSAN privileges:
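Review bot: the added line spells "diskgroups" as one word where the removed line used "disk groups"; keep the two-word form used elsewhere in the vSAN documentation. The clause "with the raw, per host, SSD-based capacity of 15.4 TB" is awkward with its two commas; suggest "with a raw, per-host SSD capacity of 15.4 TB". The arithmetic in the retained example now lines up (4 hosts x 15.4 TB = 61.6 TB), which the removed "eight 1.9-TB" figure did not, so the change is otherwise sound.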
Local storage in cluster hosts is used in cluster-wide vSAN datastore. All datas
- Datastore.UpdateVirtualMachineMetadata >[!IMPORTANT]
->You can't change the name of datastores or clusters.
+>You can't change the name of datastores or clusters. You can select a cluster name other than "Cluster-n" where n > 1 when provisioning from somewhere other than the portal (AzureCLI or PowerShell).
## Storage policies and fault tolerance
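Review bot: the sentence added inside the IMPORTANT note, "You can select a cluster name other than "Cluster-n" where n > 1 when provisioning from somewhere other than the portal (AzureCLI or PowerShell)", sits directly after "You can't change the name of datastores or clusters" and reads as a contradiction; state explicitly that a custom name can only be chosen at provisioning time and cannot be changed afterwards, for example "When you provision with Azure CLI or PowerShell (but not the portal) you can choose a cluster name other than the default Cluster-n; once created, the name can't be changed." Also "AzureCLI" should be "Azure CLI".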
azure-vmware Configure Alerts For Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-alerts-for-azure-vmware-solution.md
Last updated 04/02/2021
# Configure Azure Alerts in Azure VMware Solution
-In this article, you'll learn how to configure [Azure Action Groups](/azure/azure-monitor/alerts/action-groups) in [Microsoft Azure Alerts](/azure/azure-monitor/alerts/alerts-overview) to receive notifications of triggered events that you define. You'll also learn about using [Azure Monitor Metrics](/azure/azure-monitor/essentials/data-platform-metrics) to gain deeper insights into your Azure VMware Solution private cloud.
+In this article, you'll learn how to configure [Azure Action Groups](../azure-monitor/alerts/action-groups.md) in [Microsoft Azure Alerts](../azure-monitor/alerts/alerts-overview.md) to receive notifications of triggered events that you define. You'll also learn about using [Azure Monitor Metrics](../azure-monitor/essentials/data-platform-metrics.md) to gain deeper insights into your Azure VMware Solution private cloud.
## Supported metrics and activities
The following metrics are visible through Azure Monitor Metrics.
## Next steps Now that you've configured an alert rule for your Azure VMware Solution private cloud, you may want to learn even more about:-- [Azure Monitor Metrics](/azure/azure-monitor/essentials/data-platform-metrics)-- [Azure Monitor Alerts](/azure/azure-monitor/alerts/alerts-overview)-- [Azure Action Groups](/azure/azure-monitor/alerts/action-groups)-
-You can also continue with one of the other [Azure VMware Solution](index.yml) how-to guides.
----
+- [Azure Monitor Metrics](../azure-monitor/essentials/data-platform-metrics.md)
+- [Azure Monitor Alerts](../azure-monitor/alerts/alerts-overview.md)
+- [Azure Action Groups](../azure-monitor/alerts/action-groups.md)
+You can also continue with one of the other [Azure VMware Solution](index.yml) how-to guides.
azure-vmware Deploy Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/deploy-azure-vmware-solution.md
In the planning phase, you defined whether you to use an *existing* or *new* Exp
You should have connectivity between the Azure Virtual Network where the ExpressRoute terminates and the Azure VMware Solution private cloud.
-1. Use a [virtual machine](/azure/virtual-machines/windows/quick-create-portal#create-virtual-machine) within the Azure Virtual Network where the Azure VMware Solution ExpressRoute terminates (see [Step 3. Connect to Azure Virtual Network with ExpressRoute](#step-3-connect-to-azure-virtual-network-with-expressroute)).
+1. Use a [virtual machine](../virtual-machines/windows/quick-create-portal.md#create-virtual-machine) within the Azure Virtual Network where the Azure VMware Solution ExpressRoute terminates (see [Step 3. Connect to Azure Virtual Network with ExpressRoute](#step-3-connect-to-azure-virtual-network-with-expressroute)).
1. Log into the Azure [portal](https://portal.azure.com). 2. Navigate to a VM that is in the running state, and under **Settings**, select **Networking** and select the network interface resource.
You should have connectivity between the Azure Virtual Network where the Express
In the next section, you'll connect Azure VMware Solution to your on-premises network through ExpressRoute. > [!div class="nextstepaction"]
-> [Connect to your on-premises environment](tutorial-expressroute-global-reach-private-cloud.md)
+> [Connect to your on-premises environment](tutorial-expressroute-global-reach-private-cloud.md)
azure-vmware Ecosystem Migration Vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/ecosystem-migration-vms.md
Our migration partners have industry-leading migration solutions in VMware-based
You aren't required to use VMware HCX as a migration tool, which means you can also migrate physical workloads into Azure VMware Solution. Additionally, migrations to your Azure VMware Solution environment don't need an ExpressRoute connection if it's not available within your source environment. Migrations can be done to multiple locations if you decide to host those workloads in multiple Azure regions.
-For more information on these solutions, see [RiverMeadow](https://www.rivermeadow.com/migrating-to-vmware-on-azure).
+You can find more information on these backup solutions here:
+- [RiverMeadow](https://www.rivermeadow.com/migrating-to-vmware-on-azure).
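Review bot: the added lead-in, "You can find more information on these backup solutions here:", says "backup" in an article about migration partners; the surrounding context describes migration tooling (HCX, migrating physical workloads), so this should read "migration solutions", as the removed line did. The trailing period after the single list item "- [RiverMeadow](...)." is also stray for a link-only bullet.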
azure-vmware Move Ea Csp Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/move-ea-csp-subscriptions.md
Title: Move EA and CSP Azure VMware Solution subscriptions
-description: Learn how to move the private cloud from one subscription to another. The movement can be made for various reasons such as billing.
+ Title: Move Azure VMware Solution subscription to another subscription
+description: This article describes how to move Azure VMware Solution subscription to another subscription. You might move your resources for various reasons, such as billing.
+ Previously updated : 03/15/2021 Last updated : 04/26/2021+
+# Customer intent: As an Azure service administrator, I want to move my Azure VMware Solution subscription to another subscription.
-# Move EA and CSP Azure VMware Solution subscriptions
+# Move Azure VMware Solution subscription to another subscription
+
+This article describes how to move an Azure VMware Solution subscription to another subscription. You might move your subscription for various reasons, like billing.
-In this article, you'll learn how to move the private cloud from one subscription to another. The movement can be made for various reasons such as billing.
+## Prerequisites
+You should have at least contributor rights on both **source** and **target** subscriptions.
>[!IMPORTANT]
->You should have at least contributor rights on both source and target subscriptions. VNet and VNet gateway cannot be moved from one subscription to another. Additionally, moving your subscriptions has no impact on the management and workloads, like the vCenter, NSX, and workload virtual machines.
+>VNet and VNet gateway cannot be moved from one subscription to another. Additionally, moving your subscriptions has no impact on the management and workloads, like the vCenter, NSX, and workload virtual machines.
+
+## Prepare and move
+
+1. In the Azure portal, select the private cloud you want to move.
-1. Sign into the Azure portal and select the private cloud you want to move.
+ :::image type="content" source="media/move-subscriptions/source-subscription-id.png" alt-text="Screenshot that shows the overview details of the selected private cloud.":::
+
+1. From a command prompt, ping the components and workloads to verify that they are pinging from the same subscription.
+
+ :::image type="content" source="media/move-subscriptions/verify-components-workloads.png" alt-text="Screenshot that shows the ping command and the results of the ping.":::
1. Select the **Subscription (change)** link.
- :::image type="content" source="media/private-cloud-overview-subscription-id.png" alt-text="Screenshot showing the private cloud details.":::
+ :::image type="content" source="media/move-subscriptions/private-cloud-overview-subscription-id.png" alt-text="Screenshot showing the private cloud details.":::
1. Provide the subscription details for **Target** and select **Next**.
- :::image type="content" source="media/move-resources-subscription-target.png" alt-text="Screenshot of the target resource." lightbox="media/move-resources-subscription-target.png":::
+ :::image type="content" source="media/move-subscriptions/move-resources-subscription-target.png" alt-text="Screenshot of the target resource.":::
+
+1. Confirm the validation of the resources you selected to move. This validates all the resources selected to be moved. During the validation of the selected resources, youΓÇÖll see **Pending validation** for the Validation status.
+
+ :::image type="content" source="media/move-subscriptions/pending-move-resources-subscription-target.png" alt-text="Screenshot showing the resource being moved.":::
-1. Confirm the validation of the resources you selected to move and select **Next**.
+1. Once the validation is successful, select **Next** to start the migration of your private cloud.
- :::image type="content" source="media/confirm-move-resources-subscription-target.png" alt-text="Screenshot showing the resource being moved." lightbox="media/confirm-move-resources-subscription-target.png":::
+ :::image type="content" source="media/move-subscriptions/move-resources-succeeded.png" alt-text=" Screenshot that shows the validation status of Succeeded.":::
1. Select the check box indicating you understand that the tools and scripts associated will not work until you update them to use the new resource IDs. Then select **Move**.
- :::image type="content" source="media/review-move-resources-subscription-target.png" alt-text="Screenshot showing the summary of the selected resource being moved. " lightbox="media/review-move-resources-subscription-target.png":::
+ :::image type="content" source="media/move-subscriptions/review-move-resources-subscription-target.png" alt-text="Screenshot showing the summary of the selected resource being moved.":::
+
+## Verify the move
+
+A notification appears once the resource move is complete.
++
+The new subscription appears in the private cloud Overview.
++
+## Next steps
+Learn more about:
+
+- [Move guidance for networking resources](/azure/azure-resource-manager/management/move-limitations/networking-move-limitations)
+- [Move guidance for virtual machines](/azure/azure-resource-manager/management/move-limitations/virtual-machines-move-limitations)
+- [Move guidance for App Service resources](/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations)
- A notification appears once the resource move is complete. The new subscription appears in the private cloud Overview.
- :::image type="content" source="media/moved-subscription-target.png" alt-text="Screenshot showing a new subscription." lightbox="media/moved-subscription-target.png":::
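Review bot: The new step "From a command prompt, ping the components and workloads to verify that they are pinging from the same subscription" conflates reachability with subscription membership; a ping only shows that the management components and workloads answer, so reword it as a pre-move reachability baseline and have the new "Verify the move" section repeat the same pings after the move, since that section now checks only the portal notification and the Overview page and drops the "Screenshot showing a new subscription" image the old text had. Minor: the validation step text "youΓÇÖll" carries a mis-encoded apostrophe, and the alt-text " Screenshot that shows the validation status of Succeeded." starts with a stray space.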
azure-vmware Production Ready Deployment Steps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/production-ready-deployment-steps.md
Title: Plan the Azure VMware Solution deployment
description: This article outlines an Azure VMware Solution deployment workflow. The final result is an environment ready for virtual machine (VM) creation and migration. Previously updated : 04/23/2021 Last updated : 04/27/2021 # Plan the Azure VMware Solution deployment
azure-vmware Reserved Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/reserved-instance.md
CSPs that want to purchase reserved instances for their customers must use the *
5. Select **Purchase Now** and then select **Azure VMware Solution**.
- :::image type="content" source="media/reserved-instances/csp-buy-ri-azure-portal.png" alt-text="Microsoft Azure portal reservations" lightbox="media/reserved-instances/csp-buy-ri-azure-portal.png":::
+ :::image type="content" source="media/reserved-instances/csp-buy-reserved-instance-azure-portal.png" alt-text="Microsoft Azure portal reservations" lightbox="media/reserved-instances/csp-buy-reserved-instance-azure-portal.png":::
6. Enter the required fields. The selected attributes that match running Azure VMware Solution hosts qualify for the reservation discount. Attributes include the SKU, regions (where applicable), and scope. Reservation scope selects where the reservation savings apply.
azure-vmware Reset Vsphere Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/reset-vsphere-credentials.md
In addition to this how-to, you can also view the video for [resetting the vCent
First let's reset your Azure VMare Solution components credentials. Your vCenter Server CloudAdmin and NSX-T admin credentials donΓÇÖt expire; however, you can follow these steps to generate new passwords for these accounts. > [!NOTE]
-> If you use your CloudAdmin credentials for connected services like HCX, vRealize Orchestrator, vRealizae Operations Manager or VMware Horizon, your connections will stop working once you update your password. These services should be stopped before initiating the password rotation. Failure to do so may result in temporary locks on your vCenter CloudAdmin and NSX-T admin accounts, as these services will continuously call using your old credentials. For more information about setting up separate accounts for connected services, see [Access and Identity Concepts](https://docs.microsoft.com/azure/azure-vmware/concepts-identity).
+> If you use your CloudAdmin credentials for connected services like HCX, vRealize Orchestrator, vRealizae Operations Manager or VMware Horizon, your connections will stop working once you update your password. These services should be stopped before initiating the password rotation. Failure to do so may result in temporary locks on your vCenter CloudAdmin and NSX-T admin accounts, as these services will continuously call using your old credentials. For more information about setting up separate accounts for connected services, see [Access and Identity Concepts](./concepts-identity.md).
1. From the Azure portal, open an Azure Cloud Shell session.
Now that you've covered resetting vCenter Server and NSX-T Manager credentials f
- [Configuring NSX network components in Azure VMware Solution](configure-nsx-network-components-azure-portal.md). - [Lifecycle management of Azure VMware Solution VMs](lifecycle-management-of-azure-vmware-solution-vms.md).-- [Deploying disaster recovery of virtual machines using Azure VMware Solution](disaster-recovery-for-virtual-machines.md).
+- [Deploying disaster recovery of virtual machines using Azure VMware Solution](disaster-recovery-for-virtual-machines.md).
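Review bot: The rewritten NOTE line keeps the typo "vRealizae Operations Manager" from the old line; since the line is being changed anyway, correct it to "vRealize Operations Manager", and the neighbouring context line "Azure VMare Solution" with the mis-encoded "donΓÇÖt" could be fixed in the same pass. The ordering the note prescribes is the right one: while HCX, vRealize Orchestrator, vRealize Operations Manager or Horizon still call with the old CloudAdmin or NSX-T admin credentials, a rotation produces the repeated failed authentications and temporary account locks it describes, so it would help to add that those integrations are reconfigured with the new password before they are restarted.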
azure-vmware Tutorial Expressroute Global Reach Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/tutorial-expressroute-global-reach-private-cloud.md
Title: Peer on-premises environments to Azure VMware Solution
description: Learn how to create ExpressRoute Global Reach peering to a private cloud in Azure VMware Solution. Previously updated : 04/23/2021 Last updated : 04/27/2021 # Peer on-premises environments to Azure VMware Solution
In this step of the quick start, you'll use the [information gathered during the
ExpressRoute Global Reach connects your on-premises environment to your Azure VMware Solution private cloud. The ExpressRoute Global Reach connection is established between the private cloud ExpressRoute circuit and an existing ExpressRoute connection to your on-premises environments.
-The ExpressRoute circuit you use when you [configure networking for your VMware private cloud in Azure](tutorial-configure-networking.md) requires you to create and use authorization keys. You'll have already used one authorization key from the ExpressRoute circuit, and in this tutorial, you'll create a second authorization key to peer with your on-premises ExpressRoute circuit.
>[!NOTE]
-> You can connect through VPN, but that's out of scope for this quick start document.
+>You can connect through VPN, but that's out of scope for this quick start document.
This tutorial results in a connection as shown in the diagram. :::image type="content" source="media/pre-deployment/azure-vmware-solution-on-premises-diagram.png" alt-text="Diagram showing ExpressRoute Global Reach on-premises network connectivity." lightbox="media/pre-deployment/azure-vmware-solution-on-premises-diagram.png" border="false":::
-In this tutorial, you learn how to:
-
-> [!div class="checklist"]
-> * Create a second authorization key for _circuit 2_, the private cloud ExpressRoute circuit.
-> * Use either the Azure portal or the Azure CLI in a Cloud Shell method in the subscription of _circuit 1_ to enable on-premises-to-private cloud ExpressRoute Global Reach peering.
- ## Before you begin Before you enable connectivity between two ExpressRoute circuits using ExpressRoute Global Reach, review the documentation on how to [enable connectivity in different Azure subscriptions](../expressroute/expressroute-howto-set-global-reach-cli.md#enable-connectivity-between-expressroute-circuits-in-different-azure-subscriptions). ## Prerequisites--- Established connectivity to and from an Azure VMware Solution private cloud with its ExpressRoute circuit peered with an ExpressRoute gateway in an Azure virtual network (VNet) ΓÇô which is circuit 2 from peering procedures.-- A separate, functioning ExpressRoute circuit used to connect on-premises environments to Azure ΓÇô which is circuit 1 from the peering procedures' perspective.-- A /29 non-overlapping [network address bl
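Review bot: Removing the paragraph "The ExpressRoute circuit you use when you configure networking ... you'll create a second authorization key to peer with your on-premises ExpressRoute circuit", together with the checklist item "Create a second authorization key for _circuit 2_", leaves no remaining explanation of why a second authorization key is required or which circuit it belongs to, while the unchanged Prerequisites still refer to "circuit 1" and "circuit 2 from peering procedures"; keep a one-sentence pointer about the authorization key, or define circuit 1 and circuit 2 in the Prerequisites so the rest of the tutorial stands on its own. The removed "In this tutorial, you learn how to" checklist was also the only place stating that Global Reach peering is enabled in the subscription of _circuit 1_, which readers need when the two circuits sit in different subscriptions as the "Before you begin" link describes.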