Updates from: 05/12/2021 03:08:36
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Add Password Reset Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/add-password-reset-policy.md
Previously updated : 03/22/2021 Last updated : 05/11/2021
To enable self-service password reset for the sign-up or sign-in user flow:
1. Select **User flows**. 1. Select a sign-up or sign-in user flow (of type **Recommended**) that you want to customize. 1. Under **Settings** in the left menu, select **Properties**.
-1. Under **Password complexity**, select **Self-service password reset**.
+1. Under **Password configuration**, select **Self-service password reset**.
1. Select **Save**. 1. Under **Customize** in the left menu, select **Page layouts**.
-1. In the **Page Layout Version**, choose **2.1.2 - Current** or above.
+1. In the **Page Layout Version**, choose **2.1.3** or above.
1. Select **Save**. ::: zone-end
active-directory-b2c Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/azure-monitor.md
In this article, you learn how to transfer the logs to an Azure Log Analytics wo
## Deployment overview
-Azure AD B2C leverages [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). To enable *Diagnostic settings* in Azure Active Directory within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/concepts/azure-delegated-resource-management.md) to [delegate a resource](../lighthouse/concepts/azure-delegated-resource-management.md), which allows your Azure AD B2C (the **Service Provider**) to manage an Azure AD (the **Customer**) resource. After you complete the steps in this article, you'll have access to the *azure-ad-b2c-monitor* resource group that contains the [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) in your **Azure AD B2C** portal. You'll also be able to transfer the logs from Azure AD B2C to your Log Analytics workspace.
+Azure AD B2C leverages [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). To enable *Diagnostic settings* in Azure Active Directory within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/overview.md) to [delegate a resource](../lighthouse/concepts/architecture.md), which allows your Azure AD B2C (the **Service Provider**) to manage an Azure AD (the **Customer**) resource. After you complete the steps in this article, you'll have access to the *azure-ad-b2c-monitor* resource group that contains the [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) in your **Azure AD B2C** portal. You'll also be able to transfer the logs from Azure AD B2C to your Log Analytics workspace.
During this deployment, you'll authorize a user or group in your Azure AD B2C directory to configure the Log Analytics workspace instance within the tenant that contains your Azure subscription. To create the authorization, you deploy an [Azure Resource Manager](../azure-resource-manager/index.yml) template to your Azure AD tenant containing the subscription.
The workbook will display reports in the form of a dashboard.
## Create alerts
-Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events are created, absence of an event, or a number of events are created within a particular time window. For example, alerts can be used to notify you when average number of sign-in exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/tutorial-response.md).
+Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events are created, absence of an event, or a number of events are created within a particular time window. For example, alerts can be used to notify you when average number of sign-in exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/alerts-log.md).
Use the following instructions to create a new Azure Alert, which will send an [email notification](../azure-monitor/alerts/action-groups.md#configure-notifications) whenever there is a 25% drop in the **Total Requests** compare to previous period. Alert will run every 5 minutes and look for the drop within last 24 hours windows. The alerts are created using Kusto query language.
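Review bot: the edited line under Create alerts still carries the phrase "when average number of sign-in exceeds a certain threshold", and the context line after it has "compare to previous period" and "within last 24 hours windows". Since the line is already being touched for the link target, fix the wording in the same change, for example "when the average number of sign-ins exceeds a certain threshold" and "compared to the previous period".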
active-directory-b2c Localization String Ids https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/localization-string-ids.md
The Following are the IDs for a content definition with an ID of `api.phonefacto
| **country_code_input_placeholder_text** |Country or region | | **number_label** | Phone Number | | **error_tryagain** | The phone number you provided is busy or unavailable. Please check the number and try again. |
+| **error_sms_throttled** | You hit the limit on the number of text messages. Try again shortly. |
+| **error_phone_throttled** | You hit the limit on the number of call attempts. Try again shortly. |
+| **error_throttled** | You hit the limit on the number of verification attempts. Try again shortly. |
| **error_incorrect_code** | The verification code you have entered does not match our records. Please try again, or request a new code. | | **countryList** | See [the countries list](#phone-factor-authentication-page-example). | | **error_448** | The phone number you provided is unreachable. |
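Review bot: the three added rows (error_sms_throttled, error_phone_throttled, error_throttled) give only the default text, and nothing in the table says which condition selects which string; error_throttled in particular reads as a catch-all for "verification attempts". Add a short note on when each one is shown, so anyone localizing or overriding these strings knows which limit the user has hit.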
The following example shows the use of some of the user interface elements in th
<LocalizedString ElementType="UxElement" StringId="country_code_input_placeholder_text">Country or region</LocalizedString> <LocalizedString ElementType="UxElement" StringId="number_label">Phone Number</LocalizedString> <LocalizedString ElementType="UxElement" StringId="error_tryagain">The phone number you provided is busy or unavailable. Please check the number and try again.</LocalizedString>
+ <LocalizedString ElementType="UxElement" StringId="error_sms_throttled">You hit the limit on the number of text messages. Try again shortly.</LocalizedString>
+ <LocalizedString ElementType="UxElement" StringId="error_phone_throttled">You hit the limit on the number of call attempts. Try again shortly.</LocalizedString>
+ <LocalizedString ElementType="UxElement" StringId="error_throttled">You hit the limit on the number of verification attempts. Try again shortly.</LocalizedString>
<LocalizedString ElementType="UxElement" StringId="error_incorrect_code">The verification code you have entered does not match our records. Please try again, or request a new code.</LocalizedString> <LocalizedString ElementType="UxElement" StringId="countryList">{"DEFAULT":"Country/Region","AF":"Afghanistan","AX":"Åland Islands","AL":"Albania","DZ":"Algeria","AS":"American Samoa","AD":"Andorra","AO":"Angola","AI":"Anguilla","AQ":"Antarctica","AG":"Antigua and Barbuda","AR":"Argentina","AM":"Armenia","AW":"Aruba","AU":"Australia","AT":"Austria","AZ":"Azerbaijan","BS":"Bahamas","BH":"Bahrain","BD":"Bangladesh","BB":"Barbados","BY":"Belarus","BE":"Belgium","BZ":"Belize","BJ":"Benin","BM":"Bermuda","BT":"Bhutan","BO":"Bolivia","BQ":"Bonaire","BA":"Bosnia and Herzegovina","BW":"Botswana","BV":"Bouvet Island","BR":"Brazil","IO":"British Indian Ocean Territory","VG":"British Virgin Islands","BN":"Brunei","BG":"Bulgaria","BF":"Burkina Faso","BI":"Burundi","CV":"Cabo Verde","KH":"Cambodia","CM":"Cameroon","CA":"Canada","KY":"Cayman Islands","CF":"Central African Republic","TD":"Chad","CL":"Chile","CN":"China","CX":"Christmas Island","CC":"Cocos (Keeling) Islands","CO":"Colombia","KM":"Comoros","CG":"Congo","CD":"Congo (DRC)","CK":"Cook Islands","CR":"Costa Rica","CI":"Côte d'Ivoire","HR":"Croatia","CU":"Cuba","CW":"Curaçao","CY":"Cyprus","CZ":"Czech Republic","DK":"Denmark","DJ":"Djibouti","DM":"Dominica","DO":"Dominican Republic","EC":"Ecuador","EG":"Egypt","SV":"El Salvador","GQ":"Equatorial Guinea","ER":"Eritrea","EE":"Estonia","ET":"Ethiopia","FK":"Falkland Islands","FO":"Faroe Islands","FJ":"Fiji","FI":"Finland","FR":"France","GF":"French Guiana","PF":"French Polynesia","TF":"French Southern Territories","GA":"Gabon","GM":"Gambia","GE":"Georgia","DE":"Germany","GH":"Ghana","GI":"Gibraltar","GR":"Greece","GL":"Greenland","GD":"Grenada","GP":"Guadeloupe","GU":"Guam","GT":"Guatemala","GG":"Guernsey","GN":"Guinea","GW":"Guinea-Bissau","GY":"Guyana","HT":"Haiti","HM":"Heard 
Island and McDonald Islands","HN":"Honduras","HK":"Hong Kong SAR","HU":"Hungary","IS":"Iceland","IN":"India","ID":"Indonesia","IR":"Iran","IQ":"Iraq","IE":"Ireland","IM":"Isle of Man","IL":"Israel","IT":"Italy","JM":"Jamaica","JP":"Japan","JE":"Jersey","JO":"Jordan","KZ":"Kazakhstan","KE":"Kenya","KI":"Kiribati","KR":"Korea","KW":"Kuwait","KG":"Kyrgyzstan","LA":"Laos","LV":"Latvia","LB":"Lebanon","LS":"Lesotho","LR":"Liberia","LY":"Libya","LI":"Liechtenstein","LT":"Lithuania","LU":"Luxembourg","MO":"Macao SAR","MK":"North Macedonia","MG":"Madagascar","MW":"Malawi","MY":"Malaysia","MV":"Maldives","ML":"Mali","MT":"Malta","MH":"Marshall Islands","MQ":"Martinique","MR":"Mauritania","MU":"Mauritius","YT":"Mayotte","MX":"Mexico","FM":"Micronesia","MD":"Moldova","MC":"Monaco","MN":"Mongolia","ME":"Montenegro","MS":"Montserrat","MA":"Morocco","MZ":"Mozambique","MM":"Myanmar","NA":"Namibia","NR":"Nauru","NP":"Nepal","NL":"Netherlands","NC":"New Caledonia","NZ":"New Zealand","NI":"Nicaragua","NE":"Niger","NG":"Nigeria","NU":"Niue","NF":"Norfolk Island","KP":"North Korea","MP":"Northern Mariana Islands","NO":"Norway","OM":"Oman","PK":"Pakistan","PW":"Palau","PS":"Palestinian Authority","PA":"Panama","PG":"Papua New Guinea","PY":"Paraguay","PE":"Peru","PH":"Philippines","PN":"Pitcairn Islands","PL":"Poland","PT":"Portugal","PR":"Puerto Rico","QA":"Qatar","RE":"Réunion","RO":"Romania","RU":"Russia","RW":"Rwanda","BL":"Saint Barthélemy","KN":"Saint Kitts and Nevis","LC":"Saint Lucia","MF":"Saint Martin","PM":"Saint Pierre and Miquelon","VC":"Saint Vincent and the Grenadines","WS":"Samoa","SM":"San Marino","ST":"São Tomé and Príncipe","SA":"Saudi Arabia","SN":"Senegal","RS":"Serbia","SC":"Seychelles","SL":"Sierra Leone","SG":"Singapore","SX":"Sint Maarten","SK":"Slovakia","SI":"Slovenia","SB":"Solomon Islands","SO":"Somalia","ZA":"South Africa","GS":"South Georgia and South Sandwich Islands","SS":"South Sudan","ES":"Spain","LK":"Sri Lanka","SH":"St Helena, Ascension, Tristan da 
Cunha","SD":"Sudan","SR":"Suriname","SJ":"Svalbard","SZ":"Swaziland","SE":"Sweden","CH":"Switzerland","SY":"Syria","TW":"Taiwan","TJ":"Tajikistan","TZ":"Tanzania","TH":"Thailand","TL":"Timor-Leste","TG":"Togo","TK":"Tokelau","TO":"Tonga","TT":"Trinidad and Tobago","TN":"Tunisia","TR":"Turkey","TM":"Turkmenistan","TC":"Turks and Caicos Islands","TV":"Tuvalu","UM":"U.S. Outlying Islands","VI":"U.S. Virgin Islands","UG":"Uganda","UA":"Ukraine","AE":"United Arab Emirates","GB":"United Kingdom","US":"United States","UY":"Uruguay","UZ":"Uzbekistan","VU":"Vanuatu","VA":"Vatican City","VE":"Venezuela","VN":"Vietnam","WF":"Wallis and Futuna","YE":"Yemen","ZM":"Zambia","ZW":"Zimbabwe"}</LocalizedString> <LocalizedString ElementType="UxElement" StringId="error_448">The phone number you provided is unreachable.</LocalizedString>
active-directory Application Provisioning Config Problem No Users Provisioned https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned.md
Title: Users are not being provisioned in my application
description: How to troubleshoot common issues faced when you don't see users appearing in an Azure AD Gallery Application you have configured for user provisioning with Azure AD -+ Previously updated : 12/03/2020 Last updated : 05/11/2021
active-directory Application Provisioning Config Problem Scim Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Title: Known issues with System for Cross-Domain Identity Management (SCIM) 2.0
description: How to solve common protocol compatibility issues faced when adding a non-gallery application that supports SCIM 2.0 to Azure AD -+ Previously updated : 04/07/2021 Last updated : 05/11/2021
active-directory Application Provisioning Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-config-problem.md
Title: Problem configuring user provisioning to an Azure AD Gallery app
-description: How to troubleshoot common issues faced when configuring user provisioning to an application already listed in the Azure AD Application Gallery
+ Title: Problem configuring user provisioning to an Azure Active Directory Gallery app
+description: How to troubleshoot common issues faced when configuring user provisioning to an application already listed in the Azure Active Directory Application Gallery
-+ Previously updated : 09/03/2019 Last updated : 05/11/2021 -+ # Problem configuring user provisioning to an Azure AD Gallery application
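Review bot: the title and description now spell out "Azure Active Directory", but the H1 on the last line of this hunk is unchanged and still reads "# Problem configuring user provisioning to an Azure AD Gallery application". Update the heading in the same change so the metadata title and the visible heading agree.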
active-directory Application Provisioning Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-log-analytics.md
Title: Understand how Provisioning integrates with Azure Monitor logs in Azure A
description: Understand how Provisioning integrates with Azure Monitor logs in Azure Active Directory. -+ Previously updated : 10/12/2020 Last updated : 05/11/2021 -+ # Understand how provisioning integrates with Azure Monitor logs
AADProvisioningLogs
Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
-To learn more about alerts, see [Respond to events with Azure Monitor Alerts](../../azure-monitor/alerts/tutorial-response.md).
+To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md).
Alert when there's a spike in failures. Replace the jobID with the jobID for your application.
active-directory Application Provisioning Quarantine Status https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-quarantine-status.md
Title: Application Provisioning status of Quarantine | Microsoft Docs
+ Title: Quarantine status in Azure Active Directory Application Provisioning
description: When you've configured an application for automatic user provisioning, learn what a provisioning status of Quarantine means and how to clear it. -+ Previously updated : 03/18/2021 Last updated : 05/11/2021
active-directory Application Provisioning When Will Provisioning Finish Specific User https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md
Title: Find out when a specific user will be able to access an app
-description: How to find out when a critically important user be able to access an application you have configured for user provisioning with Azure AD
+ Title: Find out when a specific user will be able to access an app in Azure Active Directory Application Provisioning
+description: How to find out when a critically important user be able to access an application you have configured for user provisioning with Azure Active Directory
-+ Previously updated : 09/03/2019 Last updated : 05/11/2021
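Review bot: the rewritten description keeps the grammatical error from the old line, "when a critically important user be able to access an application". It should read "will be able to access"; the new title on the line above already uses "will be able to access an app".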
active-directory Check Status User Account Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/check-status-user-account-provisioning.md
Title: Report automatic user account provisioning to SaaS applications
+ Title: Report automatic user account provisioning from Azure Active Directory to Software as a Service (SaaS) applications
description: 'Learn how to check the status of automatic user account provisioning jobs, and how to troubleshoot the provisioning of individual users.' -+ Previously updated : 09/09/2018 Last updated : 05/11/2021
active-directory Configure Automatic User Provisioning Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
Title: User provisioning management for enterprise apps in Azure Active Director
description: Learn how to manage user account provisioning for enterprise apps using the Azure Active Directory. -+ Previously updated : 03/18/2021 Last updated : 05/11/2021
active-directory Customize Application Attributes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/customize-application-attributes.md
Title: Tutorial - Customize Azure Active Directory attribute mappings
-description: Learn what attribute mappings for SaaS apps in Azure Active Directory are how you can modify them to address your business needs.
+ Title: Tutorial - Customize Azure Active Directory attribute mappings in Application Provisioning
+description: Learn what attribute mappings for Software as a Service (SaaS) apps in Azure Active Directory Application Provisioning are how you can modify them to address your business needs.
-+ Previously updated : 03/17/2021 Last updated : 05/11/2021 + # Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory
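Review bot: the new description is still missing a conjunction, "...in Azure Active Directory Application Provisioning are how you can modify them". Insert "and" after "are" ("...are and how you can modify them"); the old line had the same defect and the rewrite carries it over.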
active-directory Define Conditional Rules For Provisioning User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md
Title: Provision apps with scoping filters | Microsoft Docs
-description: Learn how to use scoping filters to prevent objects in apps that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements.
+ Title: Use scoping filters in Azure Active Directory Application Provisioning
+description: Learn how to use scoping filters to prevent objects in apps that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements in Azure Active Directory Application Provisioning.
-+ Previously updated : 06/08/2020 Last updated : 05/11/2021 + # Attribute-based application provisioning with scoping filters
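Review bot: in the new description the product name is appended after "business requirements", so it reads as "your business requirements in Azure Active Directory Application Provisioning". Move it next to the feature instead, for example "Learn how to use scoping filters in Azure Active Directory Application Provisioning to prevent objects ... from being provisioned if an object doesn't satisfy your business requirements."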
active-directory Export Import Provisioning Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/export-import-provisioning-configuration.md
Title: Export provisioning configuration and roll back to a known good state for disaster recovery
-description: Learn how to export your provisioning configuration and roll back to a known good state for disaster recovery.
+ Title: Export Application Provisioning configuration and roll back to a known good state for disaster recovery in Azure Active Directory
+description: Learn how to export your Application Provisioning configuration and roll back to a known good state for disaster recovery in Azure Active Directory.
-+ Previously updated : 03/19/2020 Last updated : 05/11/2021 + # How-to: Export provisioning configuration and roll back to a known good state
active-directory Functions For Customizing Application Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md
Title: Reference for writing expressions for attribute mappings in Azure Active Directory
+ Title: Reference for writing expressions for attribute mappings in Azure Active Directory Application Provisioning
description: Learn how to use expression mappings to transform attribute values into an acceptable format during automated provisioning of SaaS app objects in Azure Active Directory. Includes a reference list of functions. -+ Previously updated : 03/04/2021 Last updated : 05/11/2021 -+
-# Reference for writing expressions for attribute mappings in Azure AD
+# Reference for writing expressions for attribute mappings in Azure Active Directory
When you configure provisioning to a SaaS application, one of the types of attribute mappings that you can specify is an expression mapping. For these, you must write a script-like expression that allows you to transform your users' data into formats that are more acceptable for the SaaS application.
active-directory How Provisioning Works https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/how-provisioning-works.md
Title: Understand how Azure AD provisioning works | Microsoft Docs
-description: Understand how Azure AD provisioning works
+ Title: Understand how Application Provisioning in Azure Active Directory
+description: Understand how Application Provisioning works in Azure Active Directory .
Previously updated : 11/04/2020 Last updated : 05/11/2021 -
-# How provisioning works
+# How Application Provisioning works in Azure Active Directory
Automatic provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Before you start a deployment, you can review this article to learn how Azure AD provision works and get configuration recommendations.
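Review bot: the new title "Understand how Application Provisioning in Azure Active Directory" has lost its verb; it should end "...works in Azure Active Directory" or be reordered to match the new H1. The new description also has a stray space before the full stop ("Azure Active Directory ."), and the unchanged intro line still says "how Azure AD provision works", which could be aligned to "provisioning" while the file is open.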
active-directory Isv Automatic Provisioning Multi Tenant Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/isv-automatic-provisioning-multi-tenant-apps.md
Title: Enable automatic user provisioning for multi-tenant applications - Azure AD
-description: A guide for independent software vendors for enabling automated provisioning
+ Title: Enable automatic user provisioning for multi-tenant applications in Azure Active Directory
+description: A guide for independent software vendors for enabling automated provisioning in Azure Active Directory
-+ Previously updated : 07/23/2019 Last updated : 05/11/2021 -+
-# Enable automatic user provisioning for your multi-tenant application
+# Enable automatic user provisioning for your multi-tenant application in Azure Active Directory
Automatic user provisioning is the process of automating the creation, maintenance, and removal of user identities in target systems like your software-as-a-service applications.
active-directory Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/known-issues.md
Title: Known issues for application provisioning in Azure AD
-description: Learn about known issues when working with automated application provisioning in Azure AD.
+ Title: Known issues for Application Provisioning in Azure Active Directory
+description: Learn about known issues when working with automated Application Provisioning in Azure Active Directory.
-+ Previously updated : 01/05/2021 Last updated : 05/11/2021
-# Known issues: Application provisioning
+# Known issues for Application Provisioning in Azure Active Directory
Known issues to be aware of when working with app provisioning. You can provide feedback about the application provisioning service on UserVoice, see [Azure AD Application Provision UserVoice](https://aka.ms/appprovisioningfeaturerequest). We closely watch UserVoice so we can improve the service. > [!NOTE]
active-directory Plan Auto User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md
Title: Plan an automatic user provisioning deployment for Azure Active Directory
-description: Guidance for planning and executing automatic user provisioning
+description: Guidance for planning and executing automatic user provisioning in Azure Active Directory
-+ Previously updated : 12/31/2020 Last updated : 05/11/2021 -
-# Customer intent: As an administrator, I want to automate user provisioning to SaaS apps.
+
-# Plan an automatic user provisioning deployment
+# Plan an automatic user provisioning deployment in Azure Active Directory
Many organizations rely on software as a service (SaaS) applications such as ServiceNow, Zscaler, and Slack for end-user productivity. Historically IT staff have relied on manual provisioning methods such as uploading CSV files, or using custom scripts to securely manage user identities in each SaaS application. These processes are error prone, insecure, and hard to manage.
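Review bot: the "# Customer intent: As an administrator, I want to automate user provisioning to SaaS apps." metadata line is deleted and replaced with a blank line, while every other change in this file only appends "in Azure Active Directory". If the removal is intentional, say so in the commit message; otherwise restore the line.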
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
Title: Plan cloud HR application to Azure Active Directory user provisioning
description: This article describes the deployment process of integrating cloud HR systems, such as Workday and SuccessFactors, with Azure Active Directory. Integrating Azure AD with your cloud HR system results in a complete identity lifecycle management system. -+ Previously updated : 11/22/2019 Last updated : 05/11/2021 -+ # Plan cloud HR application to Azure Active Directory user provisioning
active-directory Provision On Demand https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/provision-on-demand.md
Title: Provision a user on demand by using Azure Active Directory
-description: Force sync
+description: Learn how to provision users on demand in Azure Active Directory.
--++ Previously updated : 10/01/2020- Last updated : 05/11/2021+
-# On-demand provisioning
+# On-demand provisioning in Azure Active Directory
Use on-demand provisioning to provision a user into an application in seconds. Among other things, you can use this capability to: * Troubleshoot configuration issues quickly.
active-directory Provisioning Agent Release Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/provisioning-agent-release-version-history.md
Title: 'Azure AD Connect Provisioning Agent: Version release history | Microsoft Docs'
-description: This article lists all releases of Azure AD Connect Provisioning Agent and describes new features and fixed issues
+ Title: Azure Active Directory Connect Provisioning Agent - Version release history
+description: This article lists all releases of Azure Active Directory Connect Provisioning Agent and describes new features and fixed issues.
-+ Previously updated : 02/26/2020 Last updated : 05/11/2021 -+
-# Azure AD Connect Provisioning Agent: Version release history
+# Azure Active Directory Connect Provisioning Agent: Version release history
[!INCLUDE [active-directory-cloud-sync-version-history.md](../../../includes/active-directory-cloud-sync-version-history.md)]--
active-directory Sap Successfactors Attribute Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/sap-successfactors-attribute-reference.md
Title: SAP SuccessFactors attribute reference
-description: Learn which attributes from SuccessFactors are supported by SuccessFactors-HR driven provisioning
+ Title: SAP SuccessFactors attribute reference for Azure Active Directory
+description: Learn which attributes from SuccessFactors are supported by SuccessFactors-HR driven provisioning in Azure Active Directory.
--++ Previously updated : 08/05/2020-- Last updated : 05/11/2021++
-# SAP SuccessFactors attribute reference
+# SAP SuccessFactors attribute reference for Azure Active Directory
In this article, you'll find information on:
active-directory Sap Successfactors Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md
Title: Azure Active Directory and SAP SuccessFactors integration reference
-description: Technical deep dive into SAP SuccessFactors-HR driven provisioning
+description: Technical deep dive into SAP SuccessFactors-HR driven provisioning for Azure Active Directory.
--++ Previously updated : 01/19/2021- Last updated : 05/11/2021++ # How Azure Active Directory provisioning integrates with SAP SuccessFactors
active-directory Scim Graph Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/scim-graph-scenarios.md
Title: Use SCIM, Microsoft Graph, and Azure AD to provision users and enrich apps with data
-description: Using SCIM and the Microsoft Graph together to provision users and enrich your application with the data it needs.
+ Title: Use SCIM, Microsoft Graph, and Azure Active Directory to provision users and enrich apps with data
+description: Using SCIM and the Microsoft Graph together to provision users and enrich your application with the data it needs in Azure Active Directory.
-+ Previously updated : 04/26/2020 Last updated : 05/11/2021 -+
active-directory Skip Out Of Scope Deletions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/skip-out-of-scope-deletions.md
Title: Skip deletion of out of scope users
-description: Learn how to override the default behavior of de-provisioning out of scope users.
+ Title: Skip deletion of out of scope users in Azure Active Directory Application Provisioning
+description: Learn how to override the default behavior of de-provisioning out of scope users in Azure Active Directory.
-+ Previously updated : 12/10/2019 Last updated : 05/11/2021 -+
-# Skip deletion of user accounts that go out of scope
+# Skip deletion of user accounts that go out of scope in Azure Active Directory
By default, the Azure AD provisioning engine soft deletes or disables users that go out of scope. However, for certain scenarios like Workday to AD User Inbound Provisioning, this behavior may not be the expected and you may want to override this default behavior.
active-directory Use Scim To Build Users And Groups Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/use-scim-to-build-users-and-groups-endpoints.md
Title: Build a SCIM endpoint for user provisioning to apps from Azure Active Directory
-description: Learn to develop a SCIM endpoint, integrate your SCIM API with Azure AD, and automatically provision users and groups into your cloud applications with Azure Active Directory.
+description: Learn to develop a SCIM endpoint, integrate your SCIM API with Azure Active Directory, and automatically provision users and groups into your cloud applications.
-+ Previously updated : 01/27/2021 Last updated : 05/11/2021
-# Tutorial: Develop a sample SCIM endpoint
+# Tutorial: Develop a sample SCIM endpoint in Azure Active Directory
No one wants to build a new endpoint from scratch, so we created some [reference code](https://aka.ms/scimreferencecode) for you to get started with [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview). You can get your SCIM endpoint up and running with no code in just five minutes.
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Title: Tutorial - Develop a SCIM endpoint for user provisioning to apps from Azure AD
+ Title: Tutorial - Develop a SCIM endpoint for user provisioning to apps from Azure Active Directory
description: System for Cross-domain Identity Management (SCIM) standardizes automatic user provisioning. In this tutorial, you learn to develop a SCIM endpoint, integrate your SCIM API with Azure Active Directory, and start automating provisioning users and groups into your cloud applications. -+ Previously updated : 04/28/2021 Last updated : 05/11/2021 -
-# Tutorial: Develop and plan provisioning for a SCIM endpoint
+# Tutorial: Develop and plan provisioning for a SCIM endpoint in Azure Active Directory
As an application developer, you can use the System for Cross-Domain Identity Management (SCIM) user management API to enable automatic provisioning of users and groups between your application and Azure AD (AAD). This article describes how to build a SCIM endpoint and integrate with the AAD provisioning service. The SCIM specification provides a common user schema for provisioning. When used in conjunction with federation standards like SAML or OpenID Connect, SCIM gives administrators an end-to-end, standards-based solution for access management.
To design your schema, follow these steps:
|lastName|name.familyName|surName| |workMail|emails[type eq ΓÇ£workΓÇ¥].value|Mail| |manager|manager|manager|
-|tag|urn:ietf:params:scim:schemas:extension:2.0:CustomExtension:tag|extensionAttribute1|
+|tag|urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag|extensionAttribute1|
|status|active|isSoftDeleted (computed value not stored on user)| **Example list of required attributes**
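Review bot: In the workMail row, the quotes around `work` in `emails[type eq ...].value` are not ASCII double quotes (they come through here as multi-byte sequences), so the expression cannot be pasted into an attribute mapping as written; replace them with straight quotes. On the changed `tag` row, `CustomExtensionName` reads as a placeholder but the table does not say so. State that it stands for the name of your own extension schema, since the sample resource in this article uses the same literal string.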
To design your schema, follow these steps:
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "Manager": "123456" },
- "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomAttribute:User": {
+ "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
"tag": "701984", }, "meta": {
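Review bot: The sample resource is not valid JSON at the changed extension object: `"tag": "701984", },` leaves a trailing comma before the closing brace. Drop the comma so the sample parses when it is copied into a test request.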
active-directory User Provisioning Sync Attributes For Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md
Title: Synchronize attributes to Azure Active Directory for mapping
description: When configuring user provisioning with Azure Active Directory and SaaS apps, use the directory extension feature to add source attributes that aren't synchronized by default. -+ Last updated 03/31/2021 +
-# Syncing extension attributes for app provisioning
+# Syncing extension attributes for Azure Active Directory Application Provisioning
Azure Active Directory (Azure AD) must contain all the data (attributes) required to create a user profile when provisioning user accounts from Azure AD to a [SaaS app](../saas-apps/tutorial-list.md). When customizing attribute mappings for user provisioning, you might find the attribute you want to map doesn't appear in the **Source attribute** list. This article shows you how to add the missing attribute.
active-directory User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/user-provisioning.md
Title: What is automated SaaS app user provisioning in Azure AD
-description: An introduction to how you can use Azure AD to automatically provision, de-provision, and continuously update user accounts across multiple third-party SaaS applications.
+ Title: What is automated SaaS app user provisioning in Azure Active Directory
+description: An introduction to how you can use Azure Active Directory to automatically provision, de-provision, and continuously update user accounts across multiple third-party SaaS applications.
-+ Previously updated : 02/08/2021 Last updated : 05/11/2021
-# What is automated SaaS app user provisioning in Azure AD?
+# What is automated SaaS app user provisioning in Azure Active Directory?
In Azure Active Directory (Azure AD), the term **app provisioning** refers to automatically creating user identities and roles in the cloud ([SaaS](https://azure.microsoft.com/overview/what-is-saas/)) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into applications like [Dropbox](../saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../saas-apps/servicenow-provisioning-tutorial.md), and more.
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/whats-new-docs.md
-+ # Azure Active Directory application provisioning: What's new
active-directory Workday Attribute Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/workday-attribute-reference.md
Title: Workday attribute reference
-description: Learn which which attributes that you can fetch from Workday using XPATH queries.
+ Title: Workday attribute reference for Azure Active Directory
+description: Learn which which attributes that you can fetch from Workday using XPATH queries in Azure Active Directory.
-+ Previously updated : 05/25/2020 Last updated : 05/11/2021 -+
-# Workday attribute reference
+# Workday attribute reference for Azure Active Directory
This section provides a list of attributes that you can fetch from Workday using XPATH queries. Based on the Workday Web Services API version, you plan to use, refer to the appropriate section.
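Review bot: The added description line keeps the duplicated word from the line it replaces: "Learn which which attributes that you can fetch". Suggest "Learn which attributes you can fetch from Workday using XPATH queries in Azure Active Directory." The intro sentence under the heading also has a stray comma ("API version, you plan to use, refer").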
active-directory Workday Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/workday-integration-reference.md
Title: Azure Active Directory and Workday integration reference
-description: Technical deep dive into Workday-HR driven provisioning
+description: Technical deep dive into Workday-HR driven provisioning in Azure Active Directory
--++ Previously updated : 02/09/2021- Last updated : 05/11/2021++ # How Azure Active Directory provisioning integrates with Workday
To further secure the connectivity between Azure AD provisioning service and Wor
The default steps to [configure the Workday integration system user](../saas-apps/workday-inbound-tutorial.md#configure-integration-system-user-in-workday) grants access to retrieve all users in your Workday tenant. In certain integration scenarios, you may want to limit the access, so that users belonging only to certain supervisory organizations are returned by the Get_Workers API call and processed by the Workday Azure AD connector.
-You can fulfil this requirement by working with your Workday admin and configuring constrained integration system security groups. For more information on how this is done, please refer to [this Workday community article](https://community.workday.com/forums/customer-questions/620393) (*Workday Community login credentials are required to access this article*)
+You can fulfill this requirement by working with your Workday admin and configuring constrained integration system security groups. For more information on how this is done, please refer to [this Workday community article](https://community.workday.com/forums/customer-questions/620393) (*Workday Community login credentials are required to access this article*)
This strategy of limiting access using constrained ISSG (Integration System Security Groups) is particularly useful in the following scenarios: * **Phased rollout scenario**: You have a large Workday tenant and plan to perform a phased rollout of Workday to Azure AD automated provisioning. In this scenario, rather than excluding users who are not in scope of the current phase with Azure AD scoping filters, we recommend configuring constrained ISSG so that only in-scope workers are visible to Azure AD.
active-directory Concept Conditional Access Cloud Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Administrators can assign a Conditional Access policy to the following cloud app
- [Office 365](#office-365) - Azure Analysis Services - Azure DevOps
+- Azure Event Hubs
+- Azure Service Bus
- [Azure SQL Database and Azure Synapse Analytics](../../azure-sql/database/conditional-access-configure.md) - Dynamics CRM Online - Microsoft Application Insights Analytics
active-directory Claims Challenge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/claims-challenge.md
+
+ Title: "Claims challenges and claims requests"
+
+description: Explanation of claims challenges and requests on the Microsoft identity platform.
++++++++ Last updated : 05/11/2021++
+# Customer intent: As an application developer, I want to learn how to claims challenges returned from APIs protected by the Microsoft identity platform.
++
+# Claims challenges and claims requests
+
+A **claims challenge** is a response sent from an API indicating that an access token sent by a client application has insufficient claims. This can be because the token does not satisfy the conditional access policies set for that API, or the access token has been revoked.
+
+A **claims request** is made by the client application to redirect the user back to the identity provider to retrieve a new token with claims that will satisfy the additional requirements that were not met.
+
+Applications that use enhanced security features such as [Continuous Access Evaluation (CAE)](../conditional-access/concept-continuous-access-evaluation.md) and [Conditional Access authentication context](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775) must be prepared to handle claims challenges.
+
+Your application will only receive claims challenges if it declares that it can handle them using **client capabilities**.
+
+To receive information about whether client applications can handle claims challenges, an API implementer must request **xms_cc** as an optional claim in its application manifest.
+
+## Claims challenge header format
+
+The claims challenge is a directive in the www-authenticate header returned by an API when an access token is not authorized, and a new access token is required. The claims challenge comprises multiple parts: the HTTP status code of the response and the www-authenticate header, which itself has multiple parts and must contain a claims directive.
+
+``` https
+HTTP 401; Unauthorized
+
+www-authenticate =Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlIjoiYzEifX19"
+```
+
+ **HTTP Status Code**: Must be **401 Unauthorized**.
+
+**www-authenticate response header** containing:
+
+| Parameter | Required/optional | Description |
+|--|-|--|
+| Authentication type | Required | Must be **Bearer.**|
+| Realm | Optional | The tenant ID or tenant domain name (for example, microsoft.com) being accessed. MUST be an empty string in the case where the authentication goes through the [common endpoint](howto-convert-app-to-be-multi-tenant.md#update-your-code-to-send-requests-to-common). |
+| `authorization_uri` | Required | The URI of the authorize endpoint where an interactive authentication can be performed if necessary. If specified in realm, the tenant information MUST be included in the authorization_uri. If realm is an empty string, the authorization_uri MUST be against the [common endpoint](howto-convert-app-to-be-multi-tenant.md#update-your-code-to-send-requests-to-common). |
+| `error` | Required | Must be "insufficient_claims" when a claims challenge should be generated. |
+| `claims` | Required when error is "insufficient_claims". | A quoted string containing a base 64 encoded [claims request](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter). The claims request should request claims for the "access_token" at the top level of the JSON object. The value (claims requested) will be context-dependent and specified later in this document. For size reasons, relying party applications SHOULD minify the JSON before base 64 encoding. The raw JSON of the example above is {"access_token":{"acrs":{"essential":true,"value":"cp1"}}}. |
+
+The 401 response may contain more than one www-authenticate header. All above fields must be contained within the same www-authenticate header. The www-authenticate header with the claims challenge MAY contain other fields. Fields in the header are unordered. According to RFC 7235, each parameter name must occur only once per authentication scheme challenge.
+
+## Claims request
+
+When an application receives a claims challenge indicating that the prior access token is no longer considered valid, the application should clear the token from any local cache or user session. Then, it should redirect the signed-in user back to Azure AD to retrieve a new token using the [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md) with a **claims** parameter that will satisfy the additional requirements that were not met.
+
+An example is provided below:
+
+``` https
+GET https://login.microsoftonline.com/14c2f153-90a7-4689-9db7-9543bf084dad/oauth2/v2.0/authorize
+?client_id=2810aca2-a927-4d26-8bca-5b32c1ef5ea9
+&redirect_uri=https%3A%2F%contoso.com%3A44321%2Fsignin-oidc
+&response_type=code
+&scope=openid%20profile%20offline_access%20user.read%20Sites.Read.All
+&response_mode=form_post
+&login_hint=kalyan%ccontoso.onmicrosoft.com
+&domain_hint=organizations
+claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22urn%3Amicrosoft%3Areq1%22%7D%7D%7D
+```
+
+The claims challenge should be passed as a part of all calls to Azure AD's [/authorize](v2-oauth2-auth-code-flow.md#request-an-authorization-code) endpoint until a token is successfully retrieved, after which it is no longer needed.
+
+To populate the claims parameter, the developer has to:
+
+1. Decode the base64 string received earlier.
+2. URL Encode the string and add again to the **claims** parameter.
+
+Upon completion of this flow, the application will receive an Access Token that has the additional claims that prove that the user satisfied the conditions required.
+
+## Client Capabilities
+
+Your application will only receive claims challenges if it declares that it can handle them using **client capabilities**.
+
+To avoid extra traffic or impacts to user experience, Azure AD does not assume that your app can handle claims challenged unless you explicitly opt in. An application will not receive claims challenges (and will not be able to use the related features such as CAE tokens) unless it declares it is ready to handle them with the "cp1" capability.
+
+### How to communicate client capabilities to Azure AD
+
+The following example claims parameter shows how a client application communicates its capability to Azure AD in an [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
+
+```json
+Claims: {"access_token":{"xms_cc":{"values":["cp1"]}}}
+```
+
+Those using MSAL library will use the following code:
+
+```c#
+_clientApp = PublicClientApplicationBuilder.Create(App.ClientId)
+ .WithDefaultRedirectUri()
+ .WithAuthority(authority)
+ .WithClientCapabilities(new [] {"cp1"})
+ .Build();*
+```
+
+Those using Microsoft.Identity.Web can add the following code to the configuration file:
+
+```c#
+{
+ "AzureAd": {
+ "Instance": "https://login.microsoftonline.com/",
+ // the remaining settings
+ // ...
+ "ClientCapabilities": [ "cp1" ]
+},
+```
+
+An example of how the request to Azure AD will look like:
+
+```https
+GET https://login.microsoftonline.com/14c2f153-90a7-4689-9db7-9543bf084dad/oauth2/v2.0/authorize
+?client_id=2810aca2-a927-4d26-8bca-5b32c1ef5ea9
+&redirect_uri=https%3A%2F%contoso.com%3A44321%2Fsignin-oidc
+&response_type=code
+&scope=openid%20profile%20offline_access%20user.read%20Sites.Read.All
+&response_mode=form_post
+&login_hint=kalyan%ccontoso.onmicrosoft.com
+&domain_hint=organizations
+&claims=%7B%22access_token%22%3A%7B%22xms_cc%22%3A%7B%22values%22%3A%5B%22cp1%22%5D%7D%7D%7D
+```
+
+When you already have an existing payload for claims parameter, then you would add this to the existing set.
+
+For example, if you already have the following response from a Condition Access authentication context operation
+
+```json
+{"access_token":{"acrs":{"essential":true,"value":"c25"}}}
+```
+
+You would prepend the client capability in the existing **claims** payload.
+
+```json
+{"access_token":{"xms_cc":{"values":["cp1"]},"acrs":{"essential":true,"value":"c25"}}}
+```
+
+## Receiving xms_cc claim in an access token
+
+To receive information about whether client applications can handle claims challenges, an API implementer must request **xms_cc** as an optional claim in its application manifest.
+
+The **xms_cc** claim with a value of "cp1" in the access token is the authoritative way to identify a client application is capable of handling a claims challenge. **xms_cc** is an optional claim that will not always be issued in the access token, even if the client sends a claims request with "xms_cc". In order for an access token to contain the **xms_cc** claim, the resource application (that is, the API implementer) must request xms_cc as an [optional claim](active-directory-optional-claims.md) in its application manifest. When requested as an optional claim, **xms_cc** will be added to the access token only if the client application sends **xms_cc** in the claims request. The value of the **xms_cc** claim request will be included as the value of the **xms_cc** claim in the access token, if it is a known value. The only currently known value is **cp1**.
+
+The values are not case-sensitive and unordered. If more than one value is specified in the **xms_cc** claim request, those values will be a multi-valued collection as the value of the **xms_cc** claim.
+
+A request of :
+
+```json
+{ "access_token": { "xms_cc":{"values":["cp1","foo", "bar"] } }}
+```
+
+will result in a claim of
+
+```json
+"xms_cc": ["cp1", "foo", "bar"]
+```
+
+in the access token, if **cp1**, **foo** and **bar** are known capabilities.
+
+This is how the app's manifest looks like after the **xms_cc** [optional claim](active-directory-optional-claims.md) has been requested
+
+```c#
+"optionalClaims":
+{
+ "accessToken": [
+ {
+ "additionalProperties": [],
+ "essential": false,
+ "name": "xms_cc",
+ "source": null
+ }],
+ "idToken": [],
+ "saml2Token": []
+}
+```
+
+The API can then customize their responses based on whether the client is capable of handling claims challenge or not.
+
+An example in C#
+
+```c#
+Claim ccClaim = context.User.FindAll(clientCapabilitiesClaim).FirstOrDefault(x => x.Type == "xms_cc");
+if (ccClaim != null && ccClaim.Value == "cp1")
+{
+ // Return formatted claims challenge as this client understands this
+}
+else
+{
+ // Throw generic exception
+ throw new UnauthorizedAccessException("The caller does not meet the authentication bar to carry our this operation. The service cannot allow this operation");
+}
+```
+
+## Next steps
+
+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md#request-an-authorization-code)
+- [How to use Continuous Access Evaluation enabled APIs in your applications](app-resilience-continuous-access-evaluation.md)
+- [Granular Conditional Access for sensitive data and actions](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775)
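Review bot: The worked examples in this new article do not match the text around them, and readers will copy them. In the header sample, the `claims` value decodes to `{"access_token":{"acrs":{"essential":true,"value":"c1"}}}`, while the `claims` row of the table gives the raw JSON with `"value":"cp1"`; make the two agree, and prefer a value that cannot be mistaken for the `cp1` client capability. In both authorize requests, `redirect_uri=https%3A%2F%contoso.com...` and `login_hint=kalyan%ccontoso.onmicrosoft.com` are not valid percent-encoding (`%2F%2F` and `%40` look intended), and the first request writes its last parameter as `claims=` without the leading `&`. The MSAL snippet ends in `.Build();*`, and the Microsoft.Identity.Web block is JSON fenced as `c#` with its outer brace left open. The C# check `ccClaim.Value == "cp1"` reads only the first `xms_cc` claim and compares case-sensitively, although the section above it says the values are unordered, multi-valued and not case-sensitive, so a capable client that sends `["foo","cp1"]` or `CP1` would fall through to the generic exception; check every `xms_cc` value with a case-insensitive comparison. The exception text also has a typo ("carry our this operation").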
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md
The following samples show public client applications (desktop or mobile applica
| Desktop tutorial (.NET Core) - Optionally using:</p>- the cross platform token cache</p>- custom web UI | ![This image shows the .NET/C# logo](medi#authorization-code)| [ms-identity-dotnet-desktop-tutorial](https://github.com/azure-samples/ms-identity-dotnet-desktop-tutorial) | | | Desktop (WPF) | ![This image shows the .NET desktop/C# logo](medi#authorization-code)| [dotnet-desktop-msgraph-v2](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi) | | Desktop (Console) | ![Image that shows the .NET/C# (Desktop) logo](medi#integrated-windows-authentication) | [dotnet-iwa-v2](https://github.com/azure-samples/active-directory-dotnet-iwa-v2) | |
+| Desktop (Console) | ![Image that shows the .NET/C# (Desktop) logo](medi) |
+| Desktop (Console) <br> Use certificates instead of secrets | ![Image that shows the .NET/C# (Desktop) logo](medi#authorization-code) | [active-directory-dotnetcore-daemon-v2](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph#variation-daemon-application-using-client-credentials-with-certificates) |[active-directory-dotnetcore-daemon-v2](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi#variation-daemon-application-using-client-credentials-with-certificates) |
| Desktop (Console) | ![This image shows the Java logo](medi#integrated-windows-authentication) |[ms-identity-java-desktop](https://github.com/Azure-Samples/ms-identity-java-desktop/) | | | Desktop (Console) | ![This is the .NET/C# (Desktop) logo](medi#usernamepassword) |[dotnetcore-up-v2](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | | | Desktop (Console) with WAM | ![This is the logo for .NET/C# (Desktop)](media/sample-v2-code/logo_NETcore.png) | Interactive with [Web Account Manager](/windows/uwp/security/web-account-manager) (WAM) |[dotnet-native-uwp-wam](https://github.com/azure-samples/active-directory-dotnet-native-uwp-wam) | |
active-directory Howto Vm Sign In Azure Ad Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md
Previously updated : 05/07/2021 Last updated : 05/10/2021
The following Linux distributions are currently supported during the preview of
The following Azure regions are currently supported during the preview of this feature: - Azure Global-- Azure Government-- Azure China+
+> [!Note]
+> The preview of this feature will be supported in Azure Government and Azure China by June of 2021.
It's not supported to use this extension on Azure Kubernetes Service (AKS) clusters. For more information, see [Support policies for AKS](../../aks/support-policies.md).
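Review bot: The supported-regions list now names only Azure Global, but the outbound-endpoint section of the same article still carries full endpoint lists for Azure Government and Azure China. Mark those two lists as applying once the preview reaches those clouds, or hold them back until then, so that nobody opens egress to `login.microsoftonline.us` or `pas.chinacloudapi.cn` for a feature the new note says is not yet available there.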
VM network configuration must permit outbound access to the following endpoints
For Azure Global -- https://packages.microsoft.com ΓÇô For package installation and upgrades.-- http://169.254.169.254 ΓÇô Azure Instance Metadata Service endpoint.-- https://login.microsoftonline.com ΓÇô For PAM (pluggable authentication modules) based authentication flows.-- https://pas.windows.net ΓÇô For Azure RBAC flows.
+- `https://packages.microsoft.com` ΓÇô For package installation and upgrades.
+- `http://169.254.169.254` ΓÇô Azure Instance Metadata Service endpoint.
+- `https://login.microsoftonline.com` ΓÇô For PAM (pluggable authentication modules) based authentication flows.
+- `https://pas.windows.net` ΓÇô For Azure RBAC flows.
For Azure Government -- https://packages.microsoft.com ΓÇô For package installation and upgrades.-- http://169.254.169.254 ΓÇô Azure Instance Metadata Service endpoint.-- https://login.microsoftonline.us ΓÇô For PAM (pluggable authentication modules) based authentication flows.-- https://pasff.usgovcloudapi.net ΓÇô For Azure RBAC flows.
+- `https://packages.microsoft.com` ΓÇô For package installation and upgrades.
+- `http://169.254.169.254` ΓÇô Azure Instance Metadata Service endpoint.
+- `https://login.microsoftonline.us` ΓÇô For PAM (pluggable authentication modules) based authentication flows.
+- `https://pasff.usgovcloudapi.net` ΓÇô For Azure RBAC flows.
For Azure China -- https://packages.microsoft.com ΓÇô For package installation and upgrades.-- http://169.254.169.254 ΓÇô Azure Instance Metadata Service endpoint.-- https://login.chinacloudapi.cn ΓÇô For PAM (pluggable authentication modules) based authentication flows.-- https://pas.chinacloudapi.cn ΓÇô For Azure RBAC flows.
+- `https://packages.microsoft.com` ΓÇô For package installation and upgrades.
+- `http://169.254.169.254` ΓÇô Azure Instance Metadata Service endpoint.
+- `https://login.chinacloudapi.cn` ΓÇô For PAM (pluggable authentication modules) based authentication flows.
+- `https://pas.chinacloudapi.cn` ΓÇô For Azure RBAC flows.
### Virtual machine
For customers who are using previous version of Azure AD login for Linux that wa
--resource-group myResourceGroup \ --vm-name myVM ```
+## Using Azure Policy to ensure standards and assess compliance
+
+Use Azure policy to ensure Azure AD login is enabled for your new and existing Linux virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Linux VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Linux VMs that do not have Azure AD login enabled, as well as remediate existing Linux VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag Linux VMs that have non-approved local accounts created on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
## Troubleshoot sign-in issues
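Review bot: The new Azure Policy section describes four outcomes (flag, deploy, remediate, detect non-approved local accounts) but names no policy definition or initiative, and its only link is the generic `https://www.aka.ms/AzurePolicy` page. Add the definition names, or a link to them, so the reader can find what to assign. Use "Azure Policy" consistently as well; the heading capitalises it and the body writes "Azure policy".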
Solution 2: Perform these actions:
Virtual machine scale set VM connections may fail if the virtual machine scale set instances are running an old model. Upgrading virtual machine scale set instances to the latest model may resolve issues, especially if an upgrade has not been done since the Azure AD Login extension was installed. Upgrading an instance applies a standard virtual machine scale set configuration to the individual instance.
-### Other limitations
-
-Users that inherit access rights through nested groups or role assignments aren't currently supported. The user or group must be directly assigned the required role assignments. For example, the use of management groups or nested group role assignments won't grant the correct permissions to allow the user to sign in.
- ## Preview feedback Share your feedback about this preview feature or report issues using it on the [Azure AD feedback forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166032).
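Review bot: Deleting the "Other limitations" section removes the only statement that access inherited through nested groups or management-group role assignments does not allow sign-in, and nothing in this change says that behaviour is now supported. If inherited assignments now work, say so where the role assignment is described; if they still do not, keep the limitation, because administrators rely on it to reason about who can sign in to the VM.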
active-directory Howto Vm Sign In Azure Ad Windows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Previously updated : 07/20/2020 Last updated : 05/10/2021
There are many security benefits of using Azure AD based authentication to login
- With Conditional Access, configure policies to require multi-factor authentication and other signals such as low user and sign in risk before you can RDP to Windows VMs. - Use Azure deploy and audit policies to require Azure AD login for Windows VMs and to flag use of no approved local account on the VMs. - Login to Windows VMs with Azure Active Directory also works for customers that use Federation Services.-- Automate and scale Azure AD join with MDM auto enrollment with Intune of Azure Windows VMs that are part for your VDI deployments. MDM enrollment does not apply to Windows Server 2019 VM depolyments
+- Automate and scale Azure AD join with MDM auto enrollment with Intune of Azure Windows VMs that are part for your VDI deployments. Auto MDM enrollment requires Azure AD P1 license. Windows Server 2019 VMs do not support MDM enrollment.
> [!NOTE]
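Review bot: In the rewritten MDM bullet, "that are part for your VDI deployments" still carries the old typo ("part of your") even though "depolyments" was fixed in the same line. The new licence sentence should read "requires an Azure AD P1 license". While this list is open, the unchanged bullet above it ("flag use of no approved local account") could be aligned with the wording used in the Azure Policy section, "non-approved local accounts".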
For Azure China
- `https://enterpriseregistration.partner.microsoftonline.cn` - For device registration. - `http://169.254.169.254` - Azure Instance Metadata Service endpoint. - `https://login.chinacloudapi.cn` - For authentication flows.-- `https://pas.chinacloudapi.cn' - For Azure RBAC flows.
+- `https://pas.chinacloudapi.cn` - For Azure RBAC flows.
## Enabling Azure AD login in for Windows VM in Azure
You are now signed in to the Windows Server 2019 Azure virtual machine with the
## Using Azure Policy to ensure standards and assess compliance
-Use Azure policy to ensure Azure AD login is enabled for your new and existing Windows virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Windows VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Windows VMs that do not have Azure AD login enabled, as well as remediate existing Windows VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag VMs have non-approved local accounts on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
+Use Azure policy to ensure Azure AD login is enabled for your new and existing Windows virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Windows VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Windows VMs that do not have Azure AD login enabled, as well as remediate existing Windows VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag Windows VMs that have non-approved local accounts created on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
## Troubleshoot
active-directory Invite Internal Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/invite-internal-users.md
Sending an invitation to an existing internal account lets you retain that user
- **Invitation is one-way**: You can invite internal users to use B2B collaboration, but you canΓÇÖt remove the B2B credentials once theyΓÇÖre added. To change the user back to an internal-only user, youΓÇÖll need to delete the user object and create a new one. -- **Teams**: When the user accesses Teams using their external credentials, their tenant won't be available initially in the Teams tenant picker. The user can access Teams using a URL that contains the tenant context, for example: `https://team.microsoft.com/?tenantId=<TenantId>`. After that, the tenant will become available in the Teams tenant picker.
+- **Teams**: When the user accesses Teams using their external credentials, their tenant won't be available initially in the Teams tenant picker. The user can access Teams using a URL that contains the tenant context, for example: `https://teams.microsoft.com/?tenantId=<TenantId>`. After that, the tenant will become available in the Teams tenant picker.
- **On-premises synced users**: For user accounts that are synced between on-premises and the cloud, the on-premises directory remains the source of authority after theyΓÇÖre invited to use B2B collaboration. Any changes you make to the on-premises account will sync to the cloud account, including disabling or deleting the account. Therefore, you canΓÇÖt prevent the user from signing into their on-premises account while retaining their cloud account by simply deleting the on-premises account. Instead, you can set the on-premises account password to a random GUID or other unknown value.
active-directory Active Directory Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-faq.md
description: Common questions and answers about Azure and Azure Active Directory
- ms.assetid: b8207760-9714-4871-93d5-f9893de31c8f
For more information, see [Getting started with password management](../authenti
**A:** Yes, if you have password write-back enabled, the password operations performed by an admin are written back to your on-premises environment. For more answers to password-related questions, see [Password management frequently asked questions](../authentication/active-directory-passwords-faq.yml).+ **Q: What can I do if I can't remember my existing Microsoft 365/Azure AD password while trying to change my password?**
For Azure AD accounts, admins can reset passwords by using one of the following:
- [Reset accounts in the Azure portal](active-directory-users-reset-password-azure-portal.md) - [Using PowerShell](/powershell/module/msonline/set-msoluserpassword) - + ## Security **Q: Are accounts locked after a specific number of failed attempts or is there a more sophisticated strategy used?**
active-directory Service Accounts Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/service-accounts-managed-identities.md
For more information about control and data planes, see [Control plane and data
All Azure services will eventually support managed identities. For more information, see [Services that support managed identities for Azure resources](../managed-identities-azure-resources/services-support-managed-identities.md).
-##
- ## Types of managed identities There are two types of managed identitiesΓÇösystem-assigned and user-assigned.
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
You can now assign Azure AD built-in roles to cloud groups with this new feature
**Service category:** Azure AD roles **Product capability:** Access Control
-Users in the Insights Business Leader role can access a set of dashboards and insights via the [M365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-business-leader)
+Users in the Insights Business Leader role can access a set of dashboards and insights via the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-business-leader)
Users in the Insights Business Leader role can access a set of dashboards and in
**Service category:** Azure AD roles **Product capability:** Access Control
-Users in the Insights Administrator role can access the full set of administrative capabilities in the [M365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings aspects. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-administrator)
+Users in the Insights Administrator role can access the full set of administrative capabilities in the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings aspects. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-administrator)
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
Azure AD Application Proxy native support for header-based authentication is now
+### Azure AD Connect cloud sync general availability refresh
+**Type:** Changed feature
+**Service category:** Azure AD Connect Cloud Sync
+**Product capability:** Directory
+
+Azure AD connect cloud sync now has an updated agent (version# - 1.1.359). For more details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use GMSA cmdlets to set and reset their gMSA permission at a granular level. In addition that, we have changed the limit of syncing members using group scope filtering from 1499 to 50,000 (50K) members.
+
+Check out the newly available [expression builder](../cloud-sync/how-to-expression-builder.md#deploy-the-expression) for cloud sync, which, helps you build complex expressions as well as simple expressions when you do transformations of attribute values from AD to Azure AD using attribute mapping.
+++ ### Two-way SMS for MFA Server is no longer supported **Type:** Deprecated
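Review bot: The paragraph added under "Azure AD Connect cloud sync general availability refresh" needs a copy pass before it ships. "Azure AD connect cloud sync" does not match the capitalization in the heading, "version# - 1.1.359" reads better as "version 1.1.359", "GMSA cmdlets" and "gMSA permission" mix two spellings in one sentence, "In addition that" is missing "to", and "which, helps you build" has a stray comma. The limit change is also written two ways at once ("50,000 (50K)"); one form is enough.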
Azure AD Application Proxy native support for header-based authentication is now
Two-way SMS for MFA Server was originally deprecated in 2018, and will not be supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS.
-Email notifications and Azure Portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md).
+Email notifications and Azure portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md).
Enhanced dynamic group service is now in Public Preview. New customers that crea
The new service also aims to complete member addition and removal because of attribute changes within a few minutes. Also, single processing failures won't block tenant processing. To learn more about creating dynamic groups, see our [documentation](../enterprise-users/groups-create-rule.md). -+
active-directory Access Reviews Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/access-reviews-overview.md
Title: What are access reviews? - Azure Active Directory | Microsoft Docs
description: Using Azure Active Directory access reviews, you can control group membership and application access to meet governance, risk management, and compliance initiatives in your organization. documentationcenter: ''-+ editor: markwahl-msft
ms.devlang: na
Last updated 10/29/2020-+
active-directory Conditional Access Exclusion https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/conditional-access-exclusion.md
Title: Manage users excluded from Conditional Access policies - Azure AD
description: Learn how to use Azure Active Directory (Azure AD) access reviews to manage users that have been excluded from Conditional Access policies documentationcenter: ''-+ editor: markwahl-msft
ms.devlang: na
Last updated 12/23/2020-+
active-directory Entitlement Management Access Package Requests https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-access-package-requests.md
Title: View requests for an access package in Azure AD entitlement management -
description: Learn how to view requests for an access package in Azure Active Directory entitlement management. documentationCenter: ''-+ editor:
ms.devlang: na
Last updated 12/23/2020-+
active-directory Entitlement Management External Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-external-users.md
Title: Govern access for external users in Azure AD entitlement management - Azu
description: Learn about the settings you can specify to govern access for external users in Azure Active Directory entitlement management. documentationCenter: ''-+ editor: markwahl-msft
ms.devlang: na
Last updated 12/23/2020-+
active-directory Entitlement Management Logs And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
Title: Archive & report with Azure Monitor - Azure AD entitlement management
description: Learn how to archive logs and create reports with Azure Monitor in Azure Active Directory entitlement management. documentationCenter: ''-+ editor:
ms.devlang: na
Last updated 12/23/2020-+
active-directory Entitlement Management Organization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-organization.md
Title: Add a connected organization in Azure AD entitlement management - Azure A
description: Learn how to allow people outside your organization to request access packages so that you can collaborate on projects. documentationCenter: ''-+ editor: markwahl-msft
ms.devlang: na
Last updated 12/11/2020-+
active-directory Entitlement Management Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-overview.md
Title: What is entitlement management? - Azure AD
description: Get an overview of Azure Active Directory entitlement management and how you can use it to manage access to groups, applications, and SharePoint Online sites for internal and external users. documentationCenter: ''-+ editor: markwahl-msft
ms.devlang: na
Last updated 11/23/2020-+
active-directory Entitlement Management Process https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-process.md
Title: Request process & notifications - Azure AD entitlement management
description: Learn about the request process for an access package and when email notifications are sent in Azure Active Directory entitlement management. documentationCenter: ''-+ editor: mamtakumar
ms.devlang: na
Last updated 12/23/2020-+
active-directory Entitlement Management Reports https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-reports.md
Title: View reports & logs in entitlement management - Azure AD
description: Learn how to view the user assignments report and audit logs in Azure Active Directory entitlement management. documentationCenter: ''-+ editor: jocastel-MSFT
ms.devlang: na
Last updated 12/23/2020-+
active-directory Perform Access Review https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/perform-access-review.md
Title: Review access to groups & applications in access reviews - Azure AD description: Learn how to review access of group members or application access in Azure Active Directory access reviews. -+ editor: markwahl-msft
ms.devlang: na
Last updated 12/22/2020-+
active-directory Review Your Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/review-your-access.md
Title: Review your access to groups & apps in access reviews - Azure AD description: Learn how to review your own access to groups or applications in Azure Active Directory access reviews. -+ editor: markwahl-msft
ms.devlang: na
Last updated 12/22/2020-+
active-directory Azure Pim Resource Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md
With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Azure portal that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). > [!NOTE]
-> If your organization has outsourced management functions to a service provider who uses [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md), role assignments authorized by that service provider won't be shown here.
+> If your organization has outsourced management functions to a service provider who uses [Azure Lighthouse](../../lighthouse/overview.md), role assignments authorized by that service provider won't be shown here.
## View activity and activations
active-directory Groups Audit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/groups-audit.md
With Privileged Identity Management (PIM), you can view activity, activations, and audit history for Azure privileged access group members and owners within your Azure Active Directory (Azure AD) organization. > [!NOTE]
-> If your organization has outsourced management functions to a service provider who uses [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md), role assignments authorized by that service provider won't be shown here.
+> If your organization has outsourced management functions to a service provider who uses [Azure Lighthouse](../../lighthouse/overview.md), role assignments authorized by that service provider won't be shown here.
Follow these steps to view the audit history for privileged access groups.
active-directory Plan Monitoring And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md
Learn More About [Azure AD Administrative Roles](../roles/permissions-reference.
*Always apply the concept of least privileges to reduce the risk of an account compromise*. Consider implementing [Privileged Identity Management](../privileged-identity-management/pim-configure.md) to further secure your organization.
-##
## Deploy Azure AD reporting and monitoring
active-directory 10000Ftplans Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/10000ftplans-tutorial.md
Previously updated : 04/03/2019 Last updated : 05/03/2021 # Tutorial: Azure Active Directory integration with 10,000ft Plans
-In this tutorial, you learn how to integrate 10,000ft Plans with Azure Active Directory (Azure AD).
-Integrating 10,000ft Plans with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate 10,000ft Plans with Azure Active Directory (Azure AD). When you integrate 10,000ft Plans with Azure AD, you can:
-* You can control in Azure AD who has access to 10,000ft Plans.
-* You can enable your users to be automatically signed-in to 10,000ft Plans (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to 10,000ft Plans.
+* Enable your users to be automatically signed-in to 10,000ft Plans with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with 10,000ft Plans, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* 10,000ft Plans single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* 10,000ft Plans single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* 10,000ft Plans support **SP** initiated SSO
-* 10,000ft Plans support **Just In Time** user provisioning
+* 10,000ft Plans support **SP** initiated SSO.
+* 10,000ft Plans support **Just In Time** user provisioning.
-## Adding 10,000ft Plans from the gallery
+## Add 10,000ft Plans from the gallery
To configure the integration of 10,000ft Plans into Azure AD, you need to add 10,000ft Plans from the gallery to your list of managed SaaS apps.
-**To add 10,000ft Plans from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, click the **New application** button at the top of the dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **10,000ft Plans**, select **10,000ft Plans** from the result panel then click the **Add** button to add the application.
-
- ![10,000ft Plans in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **10,000ft Plans** in the search box.
+1. Select **10,000ft Plans** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with 10,000ft Plans based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in 10,000ft Plans needs to be established.
+## Configure and test Azure AD SSO for 10,000ft Plans
-To configure and test Azure AD single sign-on with 10,000ft Plans, you need to complete the following building blocks:
+Configure and test Azure AD SSO with 10,000ft Plans using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in 10,000ft Plans.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure 10000ft Plans Single Sign-On](#configure-10000ft-plans-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create 10000ft Plans test user](#create-10000ft-plans-test-user)** - to have a counterpart of Britta Simon in 10,000ft Plans that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with 10,000ft Plans, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure 10,000ft Plans SSO](#configure-10000ft-plans-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create 10,000ft Plans test user](#create-10000ft-plans-test-user)** - to have a counterpart of B.Simon in 10,000ft Plans that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with 10,000ft Plans, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **10,000ft Plans** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **10,000ft Plans** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![10,000ft Plans Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type the URL:
+ a. In the **Sign-on URL** text box, type the URL:
`https://app.10000ft.com` b. In the **Identifier (Entity ID)** text box, type the URL:
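Review bot: The rewritten steps under "Configure Azure AD SSO" use auto-numbered `1.` markers, but the unchanged step that follows still begins with an explicit `4.`, so the list mixes two numbering styles and will drift if a step is added or removed later; convert the remaining step to `1.` as well. In the gallery steps, "To add new application, select **New application**" is missing an article. The added overview list links to `#configure-10000ft-plans-sso` with the link text "Configure 10,000ft Plans SSO", so check that the target heading is spelled the same way as the link text.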
To configure Azure AD single sign-on with 10,000ft Plans, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure 10000ft Plans Single Sign-On
-
-To configure single sign-on on **10,000ft Plans** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [10,000ft Plans support team](https://www.10000ft.com/plans/support). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to 10,000ft Plans.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to 10,000ft Plans.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **10,000ft Plans**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **10,000ft Plans**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure 10000ft Plans SSO
-2. In the applications list, select **10,000ft Plans**.
-
- ![The 10,000ft Plans link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog, click the **Assign** button.
+To configure single sign-on on **10,000ft Plans** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [10,000ft Plans support team](https://www.10000ft.com/plans/support). They set this setting to have the SAML SSO connection set properly on both sides.
### Create 10000ft Plans test user
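Review bot: The new heading "## Configure 10000ft Plans SSO" drops the comma that the rest of the article uses in the product name ("10,000ft Plans"), and the unchanged "### Create 10000ft Plans test user" heading below it has the same spelling; align both with the product name while the section is being restructured. In the test user steps, "enter the username@companydomain.extension" reads as a literal value; formatting it as a placeholder in code style, like the `B.Simon@contoso.com` example beside it, would make the intent clear.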
In this section, a user called Britta Simon is created in 10,000ft Plans. 10,000
> [!NOTE] > If you need to create a user manually, you need to contact the [10,000ft Plans Client support team](https://www.10000ft.com/plans/support).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the 10,000ft Plans tile in the Access Panel, you should be automatically signed in to the 10,000ft Plans for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to 10,000ft Plans Sign on URL where you can initiate the login flow.
-## Additional Resources
+* Go to 10,000ft Plans Sign on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the 10,000ft Plans tile in the My Apps, this will redirect to 10,000ft Plans Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure 10,000ft Plans you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
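Review bot: The two links added in "Test SSO" and "Next steps" use absolute `https://docs.microsoft.com/...` URLs, while the lines they replace used relative paths (`../user-help/my-apps-portal-end-user-access.md`); keep the links relative so they follow the repository's link validation and locale handling. In "Next steps", "protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant and should read "protects against". The unchanged line at the top of this hunk still says "a user called Britta Simon is created in 10,000ft Plans", although the rest of the article now names the test user B.Simon; update it in the same change.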
active-directory Bamboo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bamboo-tutorial.md
Previously updated : 01/12/2021 Last updated : 04/20/2021 # Tutorial: Azure Active Directory integration with SAML SSO for Bamboo by resolution GmbH
In this tutorial, you'll learn how to integrate SAML SSO for Bamboo by resolutio
To configure Azure AD integration with SAML SSO for Bamboo by resolution GmbH, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* SAML SSO for Bamboo by resolution GmbH single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* SAML SSO for Bamboo by resolution GmbH single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SAML SSO for Bamboo by resolution GmbH supports **SP and IDP** initiated SSO
-* SAML SSO for Bamboo by resolution GmbH supports **Just In Time** user provisioning
+* SAML SSO for Bamboo by resolution GmbH supports **SP and IDP** initiated SSO.
+* SAML SSO for Bamboo by resolution GmbH supports **Just In Time** user provisioning.
## Add SAML SSO for Bamboo by resolution GmbH from the gallery
In this section, you enable B.Simon to use Azure single sign-on by granting acce
1. On the right side of the main toolbar, click **Settings** > **Add-ons**.
- ![The Settings](./media/bamboo-tutorial/tutorial_bamboo_setings.png)
+ ![The Settings](./media/bamboo-tutorial/settings.png)
1. Go to SECURITY section, click on **SAML SingleSignOn** on the Menubar.
- ![The Samlsingle](./media/bamboo-tutorial/tutorial_bamboo_samlsingle.png)
+ ![The Samlsingle](./media/bamboo-tutorial/single-sign-on.png)
1. On the **SAML SIngleSignOn Plugin Configuration page**, click **Add idp**.
- ![The Add idp](./media/bamboo-tutorial/tutorial_bamboo_addidp.png)
+ ![The Add idp](./media/bamboo-tutorial/configuration.png)
1. On the **Choose your SAML Identity Provider** Page, perform the following steps:
- ![The identity provider](./media/bamboo-tutorial/tutorial_bamboo_identityprovider.png)
+ ![The identity provider](./media/bamboo-tutorial/identity-provider.png)
a. Select **Idp Type** as **AZURE AD**.
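Review bot: The image files are renamed to descriptive names, but the alt text on the same lines is left as "The Samlsingle", "The Add idp" and similar fragments, which tell a screen reader user nothing about the screenshot. Since every image line is already being touched, replace the alt text with a short description of what the screenshot shows, for example the page name and the control being selected. The unchanged step text "SAML SIngleSignOn Plugin Configuration page" also has a casing typo worth fixing alongside.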
In this section, you enable B.Simon to use Azure single sign-on by granting acce
1. On the **Identity provider configuration** page click **Next**.
- ![The identity config](./media/bamboo-tutorial/tutorial_bamboo_identityconfig.png)
+ ![The identity config](./media/bamboo-tutorial/identity-configuration.png)
1. On the **Import SAML Idp Metadata** Page, click **Load File** to upload the **METADATA XML** file which you have downloaded from Azure portal.
- ![The idpmetadata](./media/bamboo-tutorial/tutorial_bamboo_idpmetadata.png)
+ ![The idpmetadata](./media/bamboo-tutorial/metadata.png)
1. Click **Next**.
active-directory Browserstack Single Sign On Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/browserstack-single-sign-on-tutorial.md
Previously updated : 06/18/2020 Last updated : 05/07/2021
In this tutorial, you'll learn how to integrate BrowserStack Single Sign-on with
* Enable your users to be automatically signed-in to BrowserStack Single Sign-on with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* BrowserStack Single Sign-on supports **SP and IDP** initiated SSO
-
-* Once you configure BrowserStack Single Sign-on you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* BrowserStack Single Sign-on supports **SP and IDP** initiated SSO.
-## Adding BrowserStack Single Sign-on from the gallery
+## Add BrowserStack Single Sign-on from the gallery
To configure the integration of BrowserStack Single Sign-on into Azure AD, you need to add BrowserStack Single Sign-on from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **BrowserStack Single Sign-on** in the search box. 1. Select **BrowserStack Single Sign-on** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for BrowserStack Single Sign-on
+## Configure and test Azure AD SSO for BrowserStack Single Sign-on
Configure and test Azure AD SSO with BrowserStack Single Sign-on using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BrowserStack Single Sign-on.
-To configure and test Azure AD SSO with BrowserStack Single Sign-on, complete the following building blocks:
+To configure and test Azure AD SSO with BrowserStack Single Sign-on, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with BrowserStack Single Sign-on, complete th
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **BrowserStack Single Sign-on** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **BrowserStack Single Sign-on** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
-
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern: `https://login.browserstack.com/auth/realms/<REALM_ID>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **BrowserStack Single Sign-on**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure BrowserStack Single Sign-on SSO
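Review bot: The rewritten role step no longer says where the role matters: the removed line tied it to "any role value in the SAML assertion", while the new one only says "a role to be assigned to the users". Keep the reference to the SAML assertion so an administrator can tell whether leaving "Default Access" selected affects what the application receives, for example "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown."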
In this section, you create a user called B.Simon in BrowserStack Single Sign-on
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the BrowserStack Single Sign-on tile in the Access Panel, you should be automatically signed in to the BrowserStack Single Sign-on for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to BrowserStack Single Sign-on Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to BrowserStack Single Sign-on Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the BrowserStack Single Sign-on for which you set up the SSO.
-- [Try BrowserStack Single Sign-on with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the BrowserStack Single Sign-on tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BrowserStack Single Sign-on for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect BrowserStack Single Sign-on with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure BrowserStack Single Sign-on you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
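Review bot: In the added Next steps paragraph, "session control, which protects exfiltration and infiltration" reads as though session control protects the exfiltration itself; it should say "protects against exfiltration and infiltration". The same hunk removes the Additional resources link to `../conditional-access/overview.md` while the new paragraph states that session control extends from Conditional Access, so link that term there instead of dropping the reference entirely.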
active-directory Carbonite Endpoint Backup Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/carbonite-endpoint-backup-tutorial.md
Previously updated : 08/06/2019 Last updated : 05/03/2021
In this tutorial, you'll learn how to integrate Carbonite Endpoint Backup with A
* Enable your users to be automatically signed-in to Carbonite Endpoint Backup with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Carbonite Endpoint Backup supports **SP and IDP** initiated SSO
+* Carbonite Endpoint Backup supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Carbonite Endpoint Backup from the gallery
+## Add Carbonite Endpoint Backup from the gallery
To configure the integration of Carbonite Endpoint Backup into Azure AD, you need to add Carbonite Endpoint Backup from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Carbonite Endpoint Backup** in the search box. 1. Select **Carbonite Endpoint Backup** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Carbonite Endpoint Backup
Configure and test Azure AD SSO with Carbonite Endpoint Backup using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Carbonite Endpoint Backup.
-To configure and test Azure AD SSO with Carbonite Endpoint Backup, complete the following building blocks:
+To configure and test Azure AD SSO with Carbonite Endpoint Backup, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Carbonite Endpoint Backup SSO](#configure-carbonite-endpoint-backup-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-5. **[Create Carbonite Endpoint Backup test user](#create-carbonite-endpoint-backup-test-user)** - to have a counterpart of B.Simon in Carbonite Endpoint Backup that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Carbonite Endpoint Backup SSO](#configure-carbonite-endpoint-backup-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Carbonite Endpoint Backup test user](#create-carbonite-endpoint-backup-test-user)** - to have a counterpart of B.Simon in Carbonite Endpoint Backup that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Carbonite Endpoint Backup** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Carbonite Endpoint Backup** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure Carbonite Endpoint Backup SSO
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Carbonite Endpoint Backup.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Carbonite Endpoint Backup**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Carbonite Endpoint Backup SSO
1. To automate the configuration within Carbonite Endpoint Backup, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
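Review bot: The relocated test-user steps still instruct the reader to "write down the value that's displayed in the **Password** box" without saying where, and that value is a working credential for an account in the tenant. Suggest wording along the lines of "record the value in your password manager", plus a closing reminder to delete or disable B.Simon once testing is finished. The rest of the moved block is unchanged text and needs no further comment.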
Follow these steps to enable Azure AD SSO in the Azure portal.
4. Click on the **Company** from the left pane.
- ![Screenshot shows Carbonite Endpoint with Company selected.](media/carbonite-endpoint-backup-tutorial/configure1.png)
+ ![Screenshot shows Carbonite Endpoint with Company selected.](media/carbonite-endpoint-backup-tutorial/company.png)
5. Click on **Single sign-on**.
- ![Screenshot shows Company with Single sign-on selected.](media/carbonite-endpoint-backup-tutorial/configure2.png)
+ ![Screenshot shows Company with Single sign-on selected.](media/carbonite-endpoint-backup-tutorial/single-sign-on.png)
6. Click on **Enable** and then click **Edit settings** to configure.
- ![Screenshot shows the Single sign-on tab with Enable and Edit settings called out.](media/carbonite-endpoint-backup-tutorial/configure3.png)
+ ![Screenshot shows the Single sign-on tab with Enable and Edit settings called out.](media/carbonite-endpoint-backup-tutorial/settings.png)
7. On the **Single sign-on** settings page, perform the following steps:
- ![Screenshot shows the Single sign-on tab with the information described in this step.](media/carbonite-endpoint-backup-tutorial/configure4.png)
+ ![Screenshot shows the Single sign-on tab with the information described in this step.](media/carbonite-endpoint-backup-tutorial/save.png)
1. In the **Identity provider name** textbox, paste the **Azure AD Identifier** value, which you have copied from the Azure portal.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Save**.
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Carbonite Endpoint Backup.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Carbonite Endpoint Backup**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create Carbonite Endpoint Backup test user 1. In a different web browser window, sign in to your Carbonite Endpoint Backup company site as an administrator. 1. Click on the **Users** from the left pane and then click **Add user**.
- ![Screenshot shows the Carbonite Endpoint page with Users and Add users selected.](media/carbonite-endpoint-backup-tutorial/adduser1.png)
+ ![Screenshot shows the Carbonite Endpoint page with Users and Add users selected.](media/carbonite-endpoint-backup-tutorial/add-user-1.png)
1. On the **Add user** page, perform the following steps:
- ![Screenshot shows the Add user page where you can perform the steps described here.](media/carbonite-endpoint-backup-tutorial/adduser2.png)
+ ![Screenshot shows the Add user page where you can perform the steps described here.](media/carbonite-endpoint-backup-tutorial/add-user-2.png)
1. Enter the **Email**, **First name**, **Last name** of the user and provide the required permissions to the user according to the Organizational requirements. 1. Click **Add user**.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Carbonite Endpoint Backup Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Carbonite Endpoint Backup Sign-on URL directly and initiate the login flow from there.
-When you click the Carbonite Endpoint Backup tile in the Access Panel, you should be automatically signed in to the Carbonite Endpoint Backup for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Carbonite Endpoint Backup for which you set up the SSO.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Carbonite Endpoint Backup tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Carbonite Endpoint Backup for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Carbonite Endpoint Backup you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
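Review bot: The new Test SSO subsections go from `## Test SSO` straight to `#### SP initiated:` and `#### IDP initiated:`, skipping a heading level and ending the headings with a colon; use `###` without the colon so the outline stays regular. The My Apps link also changes from the repo-relative path of the removed Access Panel link to an absolute `https://docs.microsoft.com/...` URL, which is inconsistent with the relative links the removed lines used. "with following options" in the intro sentence is missing "the".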
active-directory Cezannehrsoftware Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cezannehrsoftware-tutorial.md
To configure Azure AD single sign-on with Cezanne HR Software, perform the follo
1. In a different web browser window, sign-on to your Cezanne HR Software tenant as an administrator.
-2. On the left navigation pane, click **System Setup**. Go to **Security Settings**. Then navigate to **Single Sign-On Configuration**.
+2. On the side menu, click **Administration**. Then navigate to **Security Settings** and click on **Single Sign-On**.
- ![Screenshot shows the Cezanne H R Software tenant with Security Settings and Single Sign-On Configuration selected.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_000.png)
+ ![Screenshot shows the Cezanne H R Software tenant with Security Settings and Single Sign-On Configuration selected.](https://user-images.githubusercontent.com/80324891/115692888-4c266900-a357-11eb-867d-7408b0ef16aa.png)
3. In the **Allow users to log in using the following Single Sign-On (SSO) Service** panel, check the **SAML 2.0** box and select the **Advanced Configuration** option.
- ![Screenshot shows the Allow users pane with SAML 2.0 and Advanced Configuration selected.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_001.png)
+ ![Screenshot shows the Allow users pane with SAML 2.0 and Advanced Configuration selected.](https://user-images.githubusercontent.com/80324891/115693054-72e49f80-a357-11eb-93c7-9986770ac17e.png)
4. Click **Add New** button. ![Screenshot shows the Add New button.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_002.png)
-5. Perform the following steps on **SAML 2.0 IDENTITY PROVIDERS** section.
+5. Enter the following fields on **SAML 2.0 IDENTITY PROVIDERS** section and click **OK**.
![Screenshot shows a pane where you can enter the values described in this step.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_003.png)
- a. Enter the name of your Identity Provider as the **Display Name**.
+ a. **Display Name** - Enter the name of your Identity Provider as the Display Name..
- b. In the **Entity Identifier** textbox, paste the value of **Azure Ad Identifier** which you have copied from the Azure portal.
+ b. **Entity Identifier** - In the Entity Identifier textbox, paste the value of Azure Ad Identifier which you have copied from the Azure portal.
- c. Change the **SAML Binding** to 'POST'.
+ c. **SAML Binding** - Change the SAML Binding to 'POST'.
- d. In the **Security Token Service Endpoint** textbox, paste the value of **Login URL** which you have copied from the Azure portal.
+ d. **Security Token Service Endpoint** - In the Security Token Service Endpoint textbox, paste the value of Login URL which you have copied from the Azure portal.
- e. In the User ID Attribute Name textbox, enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`.
+ e. **User ID Attribute Name** - In the User ID Attribute Name textbox, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
- f. Click **Upload** icon to upload the downloaded certificate from Azure portal.
+ f. **Public Key Certificate** - Click Upload icon to upload the downloaded certificate from Azure portal.
- g. Click the **Ok** button.
+6. Click OK.
-6. Click **Save** button.
+7. Click Save button.
- ![Screenshot shows the Save button for Single Sign-on Configuration.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_004.png)
### Create an Azure AD test user
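Review bot: Step e changes the User ID Attribute Name from `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`, but nothing in the hunk tells administrators of an existing integration that the User Identifier stored for each user must match the new claim. Add a sentence stating that, and keep the URI in backticks as the removed line had it. Smaller points: step a ends in "..", the new step 6 "Click OK." repeats the "and click **OK**" now in step 5, and steps 6 and 7 lose the bold on the button names.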
In order to enable Azure AD users to log into Cezanne HR Software, they must be
1. Log into your Cezanne HR Software company site as an administrator.
-2. On the left navigation pane, click **System Setup**. Go to **Manage Users**. Then navigate to **Add New User**.
+2. On the side menu, click **Administration**. Then navigate to **Users** and click **Add New User**
- ![Screenshot shows the Cezanne H R Software tenant with Manage Users and Add New User selected.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_005.png "New User")
+ ![Screenshot shows the Cezanne H R Software tenant with Manage Users and Add New User selected.](https://user-images.githubusercontent.com/80324891/115694050-6ad92f80-a358-11eb-81be-148de665e185.png)
3. On **PERSON DETAILS** section, perform below steps:
- ![Screenshot shows the PERSON DETAILS section where you can enter the values described in this step.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_006.png "New User")
+ ![Screenshot shows the PERSON DETAILS section where you can enter the values described in this step.](https://user-images.githubusercontent.com/80324891/115694321-a70c9000-a358-11eb-8325-de2582d135ec.png)
a. Set **Internal User** as OFF.
- b. In the **First Name** textbox, type the First Name of user like **Britta**.
+ b. Enter First Name
- c. In the **Last Name** textbox, type the last Name of user like **Simon**.
+ c. Enter Last Name
- d. In the **E-mail** textbox, type the email address of user like Brittasimon@contoso.com.
+ d. Enter E-mail Address.
4. On **Account Information** section, perform below steps:
- ![Screenshot shows ACCOUNT INFORMATION where you can enter the values described in this step.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_007.png "New User")
+ ![Screenshot shows ACCOUNT INFORMATION where you can enter the values described in this step.](https://user-images.githubusercontent.com/80324891/115694501-d3c0a780-a358-11eb-8873-0fc778b43775.png)
a. In the **Username** textbox, type the email of user like Brittasimon@contoso.com.
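Review bot: The replacement screenshots in this hunk point at `user-images.githubusercontent.com` URLs instead of files under `./media/cezannehrsoftware-tutorial/`, so the images sit outside the repository, are not versioned with the article, and can change or disappear without a commit. Check the images into the media folder and reference them relatively, as the removed lines did. Steps b to d also lose their bold field names and example values, and step 2 is missing its final period.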
In order to enable Azure AD users to log into Cezanne HR Software, they must be
c. Select **HR Professional** as **Security Role**. d. Click **OK**.
+ ![Screenshot shows OK button.](https://user-images.githubusercontent.com/80324891/115694644-f6eb5700-a358-11eb-9b23-a87a24921052.png)
5. Navigate to **Single Sign-On** tab and select **Add New** in the **SAML 2.0 Identifiers** area.
- ![Screenshot shows the Single Sign-On tab where you can select Add New.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_008.png "User")
+ ![Screenshot shows the Single Sign-On tab where you can select Add New.](https://user-images.githubusercontent.com/80324891/115694716-0b2f5400-a359-11eb-9192-d31f6c9d3e3e.png)
-6. Choose your Identity Provider for the **Identity Provider** and in the text box of **User Identifier**, enter the email address of Britta Simon account.
+6. Choose your Identity Provider for the **Identity Provider** and in the text box of **User Identifier**, enter the user email address.
- ![Screenshot shows the SAML 2.0 Identifiers where you can select your Identity Provider and User Identifier.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_009.png "User")
+ ![Screenshot shows the SAML 2.0 Identifiers where you can select your Identity Provider and User Identifier.](https://user-images.githubusercontent.com/80324891/115694865-28fcb900-a359-11eb-9cd3-496a93124cc4.png)
7. Click **Save** button.
- ![Screenshot shows the Save button for User Settings.](./media/cezannehrsoftware-tutorial/tutorial_cezannehrsoftware_010.png "User")
+ ![Screenshot shows the Save button for User Settings.](https://user-images.githubusercontent.com/80324891/115694880-3023c700-a359-11eb-85d4-83d057660cfb.png)
### Test single sign-on
When you click the Cezanne HR Software tile in the Access Panel, you should be a
- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) -- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
active-directory Everbridge Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/everbridge-tutorial.md
Previously updated : 01/27/2021 Last updated : 05/10/2021 # Tutorial: Azure Active Directory integration with Everbridge
Follow these steps to enable Azure AD SSO in the Azure portal.
4. To configure the **Everbridge** application as the **Everbridge manager portal**, in the **Basic SAML Configuration** section, follow these steps:
- ![Everbridge domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** box, enter a URL that follows the pattern. `https://sso.everbridge.net/<API_Name>`
Follow these steps to enable Azure AD SSO in the Azure portal.
* If you want to configure the application in IDP-initiated mode, follow these steps:
- ![Everbridge domain and URLs single sign-on information for IDP-initiated mode](common/idp-intiated.png)
- a. In the **Identifier** box, enter a URL that follows the pattern `https://sso.everbridge.net/<API_Name>/<Organization_ID>` b. In the **Reply URL** box, enter a URL that follows the pattern `https://member.everbridge.net/saml/SSO/<API_Name>/<Organization_ID>/alias/defaultAlias` * If you want to configure the application in SP-initiated mode, select **Set additional URLs** and follow this step:
- ![Everbridge domain and URLs single sign-on information for SP-initiated mode](common/both-signonurl.png)
- a. In the **Sign on URL** box, enter a URL that follows the pattern `https://member.everbridge.net/saml/login/<API_Name>/<Organization_ID>/alias/defaultAlias?disco=true` > [!NOTE]
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Everbridge SSO
+## Configure Everbridge SSO
To configure SSO on **Everbridge** as an **Everbridge manager portal** application, follow these steps. 1. In a different web browser window, sign in to Everbridge as an administrator.
-1. In the menu on the top, select the **Settings** tab. Under **Security**, select **Single Sign-On**.
+1. In the menu on the top, select the **Settings** tab. Under **Security**, select **Single Sign-On for Manager Portal**.
- ![Configure single sign-on](./media/everbridge-tutorial/sso.png)
+ ![Configure single sign-on](./media/everbridge-tutorial/settings.png)
a. In the **Name** box, enter the name of the identifier provider. An example is your company name.
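Review bot: In the context line for step a, "the name of the identifier provider" should read "identity provider"; fix it while this section is being touched. The replacement screenshot `settings.png` also keeps the old alt text "Configure single sign-on", which no longer matches the renamed menu item **Single Sign-On for Manager Portal**.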
To configure SSO on **Everbridge** as an **Everbridge manager portal** applicati
g. Select **Save**.
-### Configure Everbridge as Everbridge member portal SSO
+## Configure Everbridge as Everbridge member portal SSO
To configure single sign-on on **Everbridge** as an **Everbridge member portal**, send the downloaded **Federation Metadata XML** to the [Everbridge support team](mailto:support@everbridge.com). They set this setting to have the SAML SSO connection set properly on both sides.
To configure single sign-on on **Everbridge** as an **Everbridge member portal**
In this section, you create the test user Britta Simon in Everbridge. To add users in the Everbridge platform, work with the [Everbridge support team](mailto:support@everbridge.com). Users must be created and activated in Everbridge before you use single sign-on.
-### Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
active-directory Fieldglass Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fieldglass-tutorial.md
Previously updated : 02/07/2019 Last updated : 05/03/2021 # Tutorial: Azure Active Directory integration with Fieldglass
-In this tutorial, you learn how to integrate Fieldglass with Azure Active Directory (Azure AD).
-Integrating Fieldglass with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Fieldglass with Azure Active Directory (Azure AD). When you integrate Fieldglass with Azure AD, you can:
-* You can control in Azure AD who has access to Fieldglass.
-* You can enable your users to be automatically signed-in to Fieldglass (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Fieldglass.
+* Enable your users to be automatically signed-in to Fieldglass with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Fieldglass, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Fieldglass single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Fieldglass single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Fieldglass supports **IDP** initiated SSO
+* Fieldglass supports **IDP** initiated SSO.
-## Adding Fieldglass from the gallery
+## Add Fieldglass from the gallery
To configure the integration of Fieldglass into Azure AD, you need to add Fieldglass from the gallery to your list of managed SaaS apps.
-**To add Fieldglass from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Fieldglass**, select **Fieldglass** from result panel then click **Add** button to add the application.
-
- ![Fieldglass in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Fieldglass** in the search box.
+1. Select **Fieldglass** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Fieldglass based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Fieldglass needs to be established.
+## Configure and test Azure AD SSO for Fieldglass
-To configure and test Azure AD single sign-on with Fieldglass, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Fieldglass using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Fieldglass.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Fieldglass Single Sign-On](#configure-fieldglass-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Fieldglass test user](#create-fieldglass-test-user)** - to have a counterpart of Britta Simon in Fieldglass that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Fieldglass, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Fieldglass SSO](#configure-fieldglass-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Fieldglass test user](#create-fieldglass-test-user)** - to have a counterpart of B.Simon in Fieldglass that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Fieldglass, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Fieldglass** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Fieldglass** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Fieldglass Domain and URLs single sign-on information](common/idp-intiated.png)
-
- a. In the **Identifier** text box, type a URL as `https://www.fieldglass.com` or follow the pattern: `https://<company name>.fgvms.com`
+ a. In the **Identifier** text box, type the URL as: `https://www.fieldglass.com` or follow the pattern: `https://<company name>.fgvms.com`
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
- ```http
- https://www.fieldglass.net/<company name>
- https://<company name>.fgvms.com/<company name>
- ```
+ | Reply URL |
+ |--|
+ | https://www.fieldglass.net/<company name> |
+ | https://<company name>.fgvms.com/<company name> |
+ |
> [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Fieldglass Client support team](https://www.fieldglass.com/customer-support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
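Review bot: The new Reply URL table ends with a stray `|` row, and its two patterns have lost the code formatting the removed block gave them, so `<company name>` now sits in a table cell as bare angle brackets that a Markdown renderer can treat as an HTML tag and drop. Wrap each URL in backticks, as the Identifier line just above does, and delete the trailing `|` line. The new steps are also numbered `1.` while the next step left in context is still a hard-coded `4.`; use one numbering style through the list.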
To configure Azure AD single sign-on with Fieldglass, perform the following step
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Fieldglass Single Sign-On
-
-To configure single sign-on on **Fieldglass** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Fieldglass support team](https://www.fieldglass.com/customer-support). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Fieldglass.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Fieldglass**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Fieldglass.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Fieldglass**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Fieldglass**.
+## Configure Fieldglass SSO
- ![The Fieldglass link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Fieldglass** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Fieldglass support team](https://www.fieldglass.com/customer-support). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Fieldglass test user In this section, you create a user called Britta Simon in Fieldglass. Work with [Fieldglass support team](https://www.fieldglass.com/customer-support) to add the users in the Fieldglass platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Fieldglass tile in the Access Panel, you should be automatically signed in to the Fieldglass for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Fieldglass for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Fieldglass tile in the My Apps, you should be automatically signed in to the Fieldglass for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Fieldglass you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
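Review bot: The **Create Fieldglass test user** section, left as context in this hunk, still says "you create a user called Britta Simon" while every line this change adds uses **B.Simon**; update it so the Fieldglass-side account matches the Azure AD test user the reader has just been told to create and assign. In the new **Next steps** text, "protects exfiltration and infiltration" reads as if session control protects the leak itself; "protects against" would say what is intended.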
active-directory Fluxxlabs Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fluxxlabs-tutorial.md
Previously updated : 05/21/2020 Last updated : 04/20/2021
In this tutorial, you'll learn how to integrate Fluxx Labs with Azure Active Dir
* Enable your users to be automatically signed-in to Fluxx Labs with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Fluxx Labs supports **IDP** initiated SSO
-* Once you configure Fluxx Labs you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Fluxx Labs supports **IDP** initiated SSO.
-## Adding Fluxx Labs from the gallery
+## Add Fluxx Labs from the gallery
To configure the integration of Fluxx Labs into Azure AD, you need to add Fluxx Labs from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Fluxx Labs** in the search box. 1. Select **Fluxx Labs** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Fluxx Labs
+## Configure and test Azure AD SSO for Fluxx Labs
Configure and test Azure AD SSO with Fluxx Labs using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Fluxx Labs.
-To configure and test Azure AD SSO with Fluxx Labs, complete the following building blocks:
+To configure and test Azure AD SSO with Fluxx Labs, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Fluxx Labs, complete the following build
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Fluxx Labs** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal on the **Fluxx Labs** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a URL using one of the following patterns:
| Environment | URL Pattern| |-|| | Production | `https://<subdomain>.fluxx.io` | | Pre production | `https://<subdomain>.preprod.fluxxlabs.com`|
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
| Environment | URL Pattern| |-||
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Fluxx Labs**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Fluxx Labs SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. Select **Admin** below the **Settings** section.
- ![Screenshot that shows the "Settings" section with "Admin" selected.](./media/fluxxlabs-tutorial/config1.png)
+ ![Screenshot that shows the "Settings" section with "Admin" selected.](./media/fluxxlabs-tutorial/configure-1.png)
3. In the Admin Panel, Select **Plug-ins** > **Integrations** and then select **SAML SSO-(Disabled)**
- ![Screenshot that shows the "Integrations" tab with "S A M L S S O- (Disabled) selected.](./media/fluxxlabs-tutorial/config2.png)
+ ![Screenshot that shows the "Integrations" tab with "S A M L S S O- (Disabled) selected.](./media/fluxxlabs-tutorial/configure-2.png)
4. In the attribute section, perform the following steps:
- ![Screenshot that shows the "Attributes" section with "S A M L S S O" checked, values entered in fields, and the "Save" button selected.](./media/fluxxlabs-tutorial/config3.png)
+ ![Screenshot that shows the "Attributes" section with "S A M L S S O" checked, values entered in fields, and the "Save" button selected.](./media/fluxxlabs-tutorial/configure-3.png)
a. Select the **SAML SSO** checkbox.
To enable Azure AD users to sign in to Fluxx Labs, they must be provisioned into
2. Click on the below displayed **icon**.
- ![Screenshot that shows administrator options with the "Plus" icon selected under "Your Dashboard is Empty".](./media/fluxxlabs-tutorial/config6.png)
+ ![Screenshot that shows administrator options with the "Plus" icon selected under "Your Dashboard is Empty".](./media/fluxxlabs-tutorial/configure-6.png)
3. On the dashboard, click on the below displayed icon to open the **New PEOPLE** card.
- ![Screenshot that shows the "Contact Management" menu with the "Plus" icon next to "People" selected.](./media/fluxxlabs-tutorial/config4.png)
+ ![Screenshot that shows the "Contact Management" menu with the "Plus" icon next to "People" selected.](./media/fluxxlabs-tutorial/configure-4.png)
4. On the **NEW PEOPLE** section, perform the following steps:
- ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/config5.png)
+ ![Fluxx Labs Configuration](./media/fluxxlabs-tutorial/configure-5.png)
a. Fluxx Labs use email as the unique identifier for SSO logins. Populate the **SSO UID** field with the userΓÇÖs email address, that matches the email address, which they are using as login with SSO.
To enable Azure AD users to sign in to Fluxx Labs, they must be provisioned into
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Fluxx Labs tile in the Access Panel, you should be automatically signed in to the Fluxx Labs for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Fluxx Labs for which you set up the SSO.
-- [Try Fluxx Labs with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Fluxx Labs tile in the My Apps, you should be automatically signed in to the Fluxx Labs for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Fluxx Labs with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Fluxx Labs you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
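Review bot: Both links added in the **Test SSO** and **Next steps** text are absolute `https://docs.microsoft.com` URLs, where the lines they replace used a repo-relative path (`../user-help/my-apps-portal-end-user-access.md`) and, in the removed session-control bullet, a site-relative one (`/cloud-app-security/proxy-deployment-any-app`). Keep the relative form so the links stay consistent with the rest of the article. Also, "with following options" in the new Test SSO sentence needs an article: "with the following options".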
active-directory Front Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/front-tutorial.md
Previously updated : 02/15/2019 Last updated : 05/06/2021 # Tutorial: Azure Active Directory integration with Front
-In this tutorial, you learn how to integrate Front with Azure Active Directory (Azure AD).
-Integrating Front with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Front with Azure Active Directory (Azure AD). When you integrate Front with Azure AD, you can:
-* You can control in Azure AD who has access to Front.
-* You can enable your users to be automatically signed-in to Front (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Front.
+* Enable your users to be automatically signed-in to Front with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Front, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Front single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Front single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Front supports **IDP** initiated SSO
+* Front supports **IDP** initiated SSO.
## Adding Front from the gallery To configure the integration of Front into Azure AD, you need to add Front from the gallery to your list of managed SaaS apps.
-**To add Front from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Front**, select **Front** from result panel then click **Add** button to add the application.
-
- ![Front in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Front based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Front needs to be established.
-
-To configure and test Azure AD single sign-on with Front, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Front Single Sign-On](#configure-front-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Front test user](#create-front-test-user)** - to have a counterpart of Britta Simon in Front that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Front** in the search box.
+1. Select **Front** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Front
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Front using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Front.
-To configure Azure AD single sign-on with Front, perform the following steps:
+To configure and test Azure AD SSO with Front, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Front** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Front SSO](#configure-front-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Front test user](#create-front-test-user)** - to have a counterpart of B.Simon in Front that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Front** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Front Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://<companyname>.frontapp.com`
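Review bot: the sub-items added under `+1. **[Configure Azure AD SSO]` and `+1. **[Configure Front SSO]` are shown indented by a single space (`+ 1. **[Create an Azure AD test user]`), which is not enough for Markdown to nest them, so they would render as sibling top-level steps rather than sub-steps; indent them to the start of the parent item's text. The unchanged step `4. On the **Set up Single Sign-On with SAML** page, perform the following steps:` now follows a new step 3 that has already opened **Basic SAML Configuration**, so it should name that section and use the same capitalization as the added lines.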
To configure Azure AD single sign-on with Front, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Front Single Sign-On
-
-1. Sign-on to your Front tenant as an administrator.
-
-2. Go to **Settings (cog icon at the bottom of the left sidebar) > Preferences**.
-
- ![Screenshot that shows the "Settings (cog icon)" selected with "Preferences" highlighted.](./media/front-tutorial/tutorial_front_000.png)
-
-3. Click **Single Sign On** link.
-
- ![Screenshot that shows the "Company preferences" section with the "Single Sign On" link selected.](./media/front-tutorial/tutorial_front_001.png)
-
-4. Select **SAML** in the drop-down list of **Single Sign On**.
-
- ![Screenshot that shows the "Single Sign On" drop-down list with "S A M L" selected.](./media/front-tutorial/tutorial_front_002.png)
+### Create an Azure AD test user
-5. In the **Entry Point** textbox put the value of **Login URL** from Azure AD application configuration wizard.
-
- ![Screenshot that shows the "Entry Point" text box.](./media/front-tutorial/tutorial_front_003.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-6. Open your downloaded **Certificate(Base64)** file in notepad, copy the content of it into your clipboard, and then paste it to the **Signing certificate** textbox.
-
- ![Screenshot that shows "Signing certificate" highlighted, with the text box greyed out.](./media/front-tutorial/tutorial_front_004.png)
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
-7. On the **Service provider settings** section, perform the following steps:
-
- ![Configure Single Sign-On On App side](./media/front-tutorial/tutorial_front_005.png)
-
- a. Copy the value of **Entity ID** and paste it into the **Identifier** textbox in **Front Domain and URLs** section in Azure portal.
-
- b. Copy the value of **ACS URL** and paste it into the **Reply URL** textbox in **Front Domain and URLs** section in Azure portal.
-
-8. Click **Save** button.
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+### Assign the Azure AD test user
- ![The User dialog box](common/user-properties.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Front.
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Front**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
- d. Click **Create**.
+## Configure Front SSO
-### Assign the Azure AD test user
+1. Log in to your Front website as an administrator.
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Front.
+2. Go to the **settings** and select the**Preferences**.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Front**.
+3. Perform the following steps in the **Company preferences** page.
+
+ ![Screenshot that shows the "Company preferences" section with the "Single Sign On" link selected.](./media/front-tutorial/single-sign-on.png)
- ![Enterprise applications blade](common/enterprise-applications.png)
+ a. Click **Single Sign On** on the left side navigation.
-2. In the applications list, select **Front**.
+ b. Select **SAML** in the drop-down list of **Single Sign On**.
- ![The Front link in the Applications list](common/all-applications.png)
+ c. In the **Entry Point** textbox enter the value of **Login URL** which you have copied from the Azure portal.
-3. In the menu on the left, select **Users and groups**.
+ d. Select the **Requested authentication context** type as **Disabled**.
- ![The "Users and groups" link](common/users-groups-blade.png)
+ e. Open your downloaded **Certificate(Base64)** file in notepad, copy the content of it into your clipboard, and then paste it to the **Signing certificate** textbox.
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+7. On the **Service provider settings** section, perform the following steps:
- ![The Add Assignment pane](common/add-assign-user.png)
+ ![Configure Single Sign-On On App side](./media/front-tutorial/service-provider.png)
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+ a. Copy the value of **Entity ID** and paste it into the **Identifier** textbox in **Front Domain and URLs** section in Azure portal.
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+ b. Copy the value of **ACS URL** and paste it into the **Reply URL** textbox in **Front Domain and URLs** section in Azure portal.
+
+8. Click **Save** button.
-7. In the **Add Assignment** dialog click the **Assign** button.
### Create Front test user In this section, you create a user called Britta Simon in Front. Work with [Front Client support team](mailto:support@frontapp.com) to add the users in the Front platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Front tile in the Access Panel, you should be automatically signed in to the Front for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Front for which you set up the SSO
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Front tile in the My Apps, you should be automatically signed in to the Front for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Front you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
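Review bot: in the added **Configure Front SSO** steps, substep d (`Select the **Requested authentication context** type as **Disabled**`) changes an authentication setting without saying what it controls or why it has to be off for Azure AD; add one sentence of rationale so administrators are not disabling it blind. In the same list the numbering jumps from `+3.` to `+7.` and `+8.`, `the**Preferences**` is missing a space, and substeps 7a and 7b still send the reader to a **Front Domain and URLs** section although the rewritten Azure AD side calls it **Basic SAML Configuration**. The unchanged **Create Front test user** paragraph still names Britta Simon while every added line uses B.Simon. In **Next steps**, `protects exfiltration and infiltration` should read "protects against", and because the Conditional Access link is removed just above it, the sentence `Session control extends from Conditional Access` no longer has anything to point to; consider linking it there.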
active-directory Heroku Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/heroku-tutorial.md
Previously updated : 02/15/2019 Last updated : 05/05/2021 # Tutorial: Azure Active Directory integration with Heroku
-In this tutorial, you learn how to integrate Heroku with Azure Active Directory (Azure AD).
-Integrating Heroku with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Heroku with Azure Active Directory (Azure AD). When you integrate Heroku with Azure AD, you can:
-* You can control in Azure AD who has access to Heroku.
-* You can enable your users to be automatically signed-in to Heroku (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Heroku.
+* Enable your users to be automatically signed-in to Heroku with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Heroku, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Heroku single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Heroku single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Heroku supports **SP** initiated SSO
-* Heroku supports **Just In Time** user provisioning
+* Heroku supports **SP** initiated SSO.
+* Heroku supports **Just In Time** user provisioning.
-## Adding Heroku from the gallery
+## Add Heroku from the gallery
To configure the integration of Heroku into Azure AD, you need to add Heroku from the gallery to your list of managed SaaS apps.
-**To add Heroku from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Heroku**, select **Heroku** from result panel then click **Add** button to add the application.
-
- ![Heroku in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Heroku based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Heroku needs to be established.
-
-To configure and test Azure AD single sign-on with Heroku, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Heroku** in the search box.
+1. Select **Heroku** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Heroku Single Sign-On](#configure-heroku-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Heroku test user](#create-heroku-test-user)** - to have a counterpart of Britta Simon in Heroku that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Heroku
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Heroku using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Heroku.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Heroku, perform the following steps:
-To configure Azure AD single sign-on with Heroku, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Heroku SSO](#configure-heroku-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Heroku test user](#create-heroku-test-user)** - to have a counterpart of B.Simon in Heroku that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Heroku** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Heroku** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Heroku Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://sso.heroku.com/saml/<company-name>/init`
To configure Azure AD single sign-on with Heroku, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure Ad Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Heroku.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Heroku**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Heroku Single Sign-On
+## Configure Heroku SSO
1. In a different web browser window, sign-on to your Heroku tenant as an administrator.
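Review bot: the added sub-step `Select the **Show password** check box, and then write down the value that's displayed in the **Password** box` asks the reader to record a credential with no guidance on where to keep it or what to do with the account afterwards; suggest wording such as "store the value somewhere safe" plus a closing reminder to delete or disable B.Simon once testing is done, since the tutorial describes this as a test user. Separately, the `a. Login URL`, `b. Azure Ad Identifier` and `c. Logout URL` items are removed from under the **Copy configuration URLs** image, so check that the remaining text still tells the reader which values to copy.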
To configure Azure AD single sign-on with Heroku, perform the following steps:
6. Copy the **Heroku Login URL** and **Heroku Entity ID** values and go back to **Basic SAML Configuration** section in Azure portal and paste these values into the **Sign-On Url** and **Identifier (Entity ID)** textboxes respectively.
- ![Configure Single Sign-On](./media/heroku-tutorial/tutorial_heroku_52.png)
+ ![Configure Single Sign-On](./media/heroku-tutorial/single-sign-on.png)
7. Click **Next**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Heroku.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Heroku**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Heroku**.
-
- ![The Heroku link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Heroku test user
-In this section, you create a user called Britta Simon in Heroku. Heroku supports just-in-time provisioning, which is enabled by default.
-
-There is no action item for you in this section. A new user is created when accessing Heroku if the user doesn't exist yet.
-After the account is provisioned, the end user receives a verification email and needs to click the acknowledgement link.
-
-> [!NOTE]
-> If you need to create a user manually, you need to contact the [Heroku Client support team](https://www.heroku.com/support).
+In this section, a user called B.Simon is created in Heroku. Heroku supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Heroku, a new one is created after authentication.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Heroku tile in the Access Panel, you should be automatically signed in to the Heroku for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Heroku Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Heroku Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Heroku tile in the My Apps, this will redirect to Heroku Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Heroku you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
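Review bot: the rewritten **Create Heroku test user** paragraph drops two facts the old text carried: that after provisioning the user `receives a verification email and needs to click the acknowledgement link`, and the note about contacting Heroku support to create a user manually. If the verification step still applies, keep it, because a first sign-in that stalls on an unconfirmed account will look like an SSO failure during **Test SSO**; if it no longer applies, say so in the commit message so the removal is clearly intentional.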
active-directory Hive Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hive-tutorial.md
Previously updated : 01/31/2020 Last updated : 05/07/2021
In this tutorial, you'll learn how to integrate Hive with Azure Active Directory
* Enable your users to be automatically signed-in to Hive with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Hive supports **SP and IDP** initiated SSO
-* Hive supports **Just In Time** user provisioning
-* Once you configure the Hive you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Hive supports **SP and IDP** initiated SSO.
+* Hive supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Hive from the gallery
+## Add Hive from the gallery
To configure the integration of Hive into Azure AD, you need to add Hive from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Hive** in the search box. 1. Select **Hive** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Hive
+## Configure and test Azure AD SSO for Hive
Configure and test Azure AD SSO with Hive using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Hive.
-To configure and test Azure AD SSO with Hive, complete the following building blocks:
+To configure and test Azure AD SSO with Hive, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Hive SSO](#configure-hive-sso)** - to configure the single sign-on settings on application side.
- * **[Create Hive test user](#create-hive-test-user)** - to have a counterpart of B.Simon in Hive that is linked to the Azure AD representation of user.
+ 1. **[Create Hive test user](#create-hive-test-user)** - to have a counterpart of B.Simon in Hive that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Hive** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Hive** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type the URL: `https://hive.com`
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://app.hive.com/sso/saml/${workspaceId}` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. You will get the `{workspaceId}` explained later in the tutorial. Contact [Hive Client support team](https://help.hive.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. You will get the `{workspaceId}` explained later in the tutorial. Contact [Hive Client support team](https://help.hive.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Hive application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
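Review bot: the edited note still refers to `{workspaceId}` while the URL pattern directly above it is written `${workspaceId}`; use one placeholder form in both places so readers do not paste a literal `$` into the Reply URL or Sign-on URL. The note also tells readers to contact the Hive support team for these values while saying the workspace ID is "explained later in the tutorial"; state which of the two is the expected route.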
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Hive**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Hive SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on the **User Profile** and click **Your workspace**.
- ![Screenshot shows the Hive website with Your workspace selected from the menu.](./media/hive-tutorial/configure1.png)
+ ![Screenshot shows the Hive website with Your workspace selected from the menu.](./media/hive-tutorial/profile.png)
1. Click **Auth** and perform the following steps:
- ![Screenshot shows the Auth page where do the tasks described.](./media/hive-tutorial/configure2.png)
+ ![Screenshot shows the Auth page where do the tasks described.](./media/hive-tutorial/authentication.png)
a. Copy **Your Workspace ID** and append it to the **SignOn URL** and **Reply URL** in the **Basic SAML Configuration Section** in the Azure portal.
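Review bot: The image line being renamed to `authentication.png` keeps the alt text "Screenshot shows the Auth page where do the tasks described.", which does not parse. The line is already being edited for the new file name, so fix the alt text in the same change, for example "Screenshot shows the Auth page where you perform the described tasks."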
In this section, a user called B.Simon is created in Hive. Hive supports just-in
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the Hive tile in the Access Panel, you should be automatically signed in to the Hive for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Hive Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to Hive Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Hive for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Hive tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hive for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [Try Hive with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Hive you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
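Review bot: The new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a heading level, and carry a trailing colon; use `###` without the colon, or bold lead-ins, so the outline stays consistent. The intro sentence needs an article ("with the following options"). The My Apps and Cloud App Security links also switch from the relative paths used in the removed lines to absolute `https://docs.microsoft.com/...` URLs; keep them site-relative unless there is a reason to hard-code the host.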
active-directory Itslearning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/itslearning-tutorial.md
Previously updated : 03/19/2019 Last updated : 05/06/2021 # Tutorial: Azure Active Directory integration with itslearning
-In this tutorial, you learn how to integrate itslearning with Azure Active Directory (Azure AD).
-Integrating itslearning with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate itslearning with Azure Active Directory (Azure AD). When you integrate itslearning with Azure AD, you can:
-* You can control in Azure AD who has access to itslearning.
-* You can enable your users to be automatically signed-in to itslearning (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to itslearning.
+* Enable your users to be automatically signed-in to itslearning with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with itslearning, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* itslearning single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* itslearning single sign-on enabled subscription.
## Scenario description
-In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* itslearning supports **SP** initiated SSO.
-* itslearning supports **SP** initiated SSO
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
## Adding itslearning from the gallery To configure the integration of itslearning into Azure AD, you need to add itslearning from the gallery to your list of managed SaaS apps.
-**To add itslearning from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **itslearning**, select **itslearning** from result panel then click **Add** button to add the application.
-
- ![itslearning in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **itslearning** in the search box.
+1. Select **itslearning** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with itslearning based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in itslearning needs to be established.
+## Configure and test Azure AD SSO for itslearning
-To configure and test Azure AD single sign-on with itslearning, you need to complete the following building blocks:
+Configure and test Azure AD SSO with itslearning using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in itslearning.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure itslearning Single Sign-On](#configure-itslearning-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create itslearning test user](#create-itslearning-test-user)** - to have a counterpart of Britta Simon in itslearning that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with itslearning, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure itslearning SSO](#configure-itslearning-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create itslearning test user](#create-itslearning-test-user)** - to have a counterpart of B.Simon in itslearning that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with itslearning, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **itslearning** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **itslearning** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![itslearning Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type the URL:
- ```http
- https://www.itslearning.com/index.aspx
- https://us1.itslearning.com/index.aspx
- ```
-
- b. In the **Identifier (Entity ID)** text box, type the URL:
+ a. In the **Identifier (Entity ID)** text box, type the URL:
`urn:mace:saml2v2.no:
+ b. In the **Reply URL** text box, type one of the following URLs:
+
+ | Reply URL |
+ |-|
+ | `https://www.itsltest.com/elogin/AssertionConsumerService.aspx` |
+ | `https://www.itslearning.com/elogin/AssertionConsumerService.aspx` |
+ |
+
+ c. In the **Sign on URL** text box, type one of the following URLs:
+
+ | Sign on URL |
+ |-|
+ | `https://www.itslearning.com/index.aspx` |
+ | `https://us1.itslearning.com/index.aspx` |
+ |
+ 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. ![The Certificate download link](common/metadataxml.png)
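Review bot: The two new tables under steps b and c each end with a stray `|` row (after the `https://www.itslearning.com/elogin/AssertionConsumerService.aspx` row and after the `https://us1.itslearning.com/index.aspx` row), which will render as an empty or broken row; drop those lines. The Reply URL table also lists `https://www.itsltest.com/...` beside `https://www.itslearning.com/...` without saying which environment each belongs to. The Reply URL is where Azure AD posts the assertion, so state which value applies to which environment so that admins register only the endpoint they actually use. The context steps numbered `4.` and `5.` are now mixed with the `1.` auto-numbered steps added above them.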
To configure Azure AD single sign-on with itslearning, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
- b. Azure AD Identifier
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Logout URL
-
-### Configure itslearning Single Sign-On
-
-To configure single sign-on on **itslearning** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [itslearning support team](mailto:support@itslearning.com). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com.
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to itslearning.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **itslearning**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **itslearning**.
-
- ![The itslearning link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to itslearning.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **itslearning**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure itslearning SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **itslearning** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [itslearning support team](mailto:support@itslearning.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create itslearning test user
-In this section, you create a user called Britta Simon in itslearning. Work with [itslearning support team](mailto:support@itslearning.com) to add the users in the itslearning platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon in itslearning. Work with [itslearning support team](mailto:support@itslearning.com) to add the users in the itslearning platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the itslearning tile in the Access Panel, you should be automatically signed in to the itslearning for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to itslearning Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to itslearning Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the itslearning tile in the My Apps, this will redirect to itslearning Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure itslearning you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
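Review bot: The re-added line under `### Create itslearning test user` still says "you create a user called Britta Simon in itslearning", while every other section in this change renames the test user to B.Simon; update it so the itslearning counterpart matches the Azure AD test user. This hunk also deletes the "Login URL", "Azure AD Identifier" and "Logout URL" items under the "Copy configuration URLs" screenshot, yet the new `## Configure itslearning SSO` paragraph still asks for the "appropriate copied URLs"; either keep the three names or say which values itslearning support needs.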
active-directory Lessonly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/lessonly-tutorial.md
Previously updated : 02/12/2020 Last updated : 04/20/2021
In this tutorial, you'll learn how to integrate Lesson.ly with Azure Active Dire
* Enable your users to be automatically signed-in to Lesson.ly with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Lesson.ly supports **SP** initiated SSO
-* Lesson.ly supports **Just In Time** user provisioning
-* Once you configure Lesson.ly you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Lesson.ly supports **SP** initiated SSO.
+* Lesson.ly supports **Just In Time** user provisioning.
-## Adding Lesson.ly from the gallery
+## Add Lesson.ly from the gallery
To configure the integration of Lesson.ly into Azure AD, you need to add Lesson.ly from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Lesson.ly** in the search box. 1. Select **Lesson.ly** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Lesson.ly
+## Configure and test Azure AD SSO for Lesson.ly
Configure and test Azure AD SSO with Lesson.ly using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Lesson.ly.
-To configure and test Azure AD SSO with Lesson.ly, complete the following building blocks:
+To configure and test Azure AD SSO with Lesson.ly, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Lesson.ly SSO](#configure-lessonly-sso)** - to configure the single sign-on settings on application side.
- * **[Create Lesson.ly test user](#create-lessonly-test-user)** - to have a counterpart of B.Simon in Lesson.ly that is linked to the Azure AD representation of user.
+ 1. **[Create Lesson.ly test user](#create-lessonly-test-user)** - to have a counterpart of B.Simon in Lesson.ly that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Lesson.ly** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Lesson.ly** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Lesson.ly**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Lesson.ly SSO
There is no action item for you in this section. A new user will be created duri
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Lesson.ly tile in the Access Panel, you should be automatically signed in to the Lesson.ly for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Lesson.ly Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Lesson.ly Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Lesson.ly tile in the My Apps, this will redirect to Lesson.ly Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Lesson.ly with Azure AD](https://aad.portal.azure.com/)
+Once you configure Lesson.ly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
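Review bot: In the new `## Next steps` paragraph, "session control, which protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant; write "protects against exfiltration and infiltration". The apostrophe in "organization's" comes through as `ΓÇÖ` on this line, so replace the typographic apostrophe with a plain ASCII one. The same sentence is added to the Hive and itslearning tutorials in this batch and needs the same two fixes there.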
active-directory Linkedinsalesnavigator Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/linkedinsalesnavigator-tutorial.md
Previously updated : 12/17/2019 Last updated : 05/10/2021
In this tutorial, you'll learn how to integrate LinkedIn Sales Navigator with Az
* Enable your users to be automatically signed-in to LinkedIn Sales Navigator with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* LinkedIn Sales Navigator supports **SP and IDP** initiated SSO
-* LinkedIn Sales Navigator supports **Just In Time** user provisioning
-* LinkedIn Sales Navigator supports [**Automated** user provisioning](linkedinsalesnavigator-provisioning-tutorial.md)
+* LinkedIn Sales Navigator supports **SP and IDP** initiated SSO.
+* LinkedIn Sales Navigator supports **Just In Time** user provisioning.
+* LinkedIn Sales Navigator supports **Automated** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding LinkedIn Sales Navigator from the gallery
+## Add LinkedIn Sales Navigator from the gallery
To configure the integration of LinkedIn Sales Navigator into Azure AD, you need to add LinkedIn Sales Navigator from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **LinkedIn Sales Navigator** in the search box. 1. Select **LinkedIn Sales Navigator** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for LinkedIn Sales Navigator
+## Configure and test Azure AD SSO for LinkedIn Sales Navigator
Configure and test Azure AD SSO with LinkedIn Sales Navigator using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in LinkedIn Sales Navigator.
-To configure and test Azure AD SSO with LinkedIn Sales Navigator, complete the following building blocks:
+To configure and test Azure AD SSO with LinkedIn Sales Navigator, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure LinkedIn Sales Navigator SSO](#configure-linkedin-sales-navigator-sso)** - to configure the single sign-on settings on application side.
- * **[Create LinkedIn Sales Navigator test user](#create-linkedin-sales-navigator-test-user)** - to have a counterpart of B.Simon in LinkedIn Sales Navigator that is linked to the Azure AD representation of user.
+ 1. **[Create LinkedIn Sales Navigator test user](#create-linkedin-sales-navigator-test-user)** - to have a counterpart of B.Simon in LinkedIn Sales Navigator that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **LinkedIn Sales Navigator** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **LinkedIn Sales Navigator** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, enter the **Entity ID** value, you will copy Entity ID value from the Linkedin Portal explained later in this tutorial.
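Review bot: The added note "Identifier of this application is a fixed string value so only one instance can be configured in one tenant" appears to conflict with step a at the end of this hunk, which has the admin copy the **Entity ID** from the LinkedIn portal into the **Identifier** box. Confirm whether the identifier really is fixed for LinkedIn Sales Navigator, and drop or reword the note if it is not. The "**Automated** user provisioning" bullet also loses its link to `linkedinsalesnavigator-provisioning-tutorial.md`, leaving readers no pointer to the provisioning setup; keep the link.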
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **LinkedIn Sales Navigator**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure LinkedIn Sales Navigator SSO
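Review bot: The added role step drops the reference to the SAML assertion that the removed line carried ("If you're expecting any role value in the SAML assertion"), so the step no longer says why the role selection matters for sign-on. Suggest keeping that link, for example "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown." The second sentence is also missing an article: 'you see the "Default Access" role selected'.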
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In **Account Center**, click **Global Settings** under **Settings**. Also, select **Sales Navigator** from the dropdown list.
- ![Screenshot shows the Application Settings where you can select Sales Navigator.](./media/linkedinsalesnavigator-tutorial/tutorial_linkedin_admin_01.png)
+ ![Screenshot shows the Application Settings where you can select Sales Navigator.](./media/linkedinsalesnavigator-tutorial/settings.png)
1. Click on **OR Click Here to load and copy individual fields from the form** and perform the following steps:
- ![Screenshot shows Single Sign-On where you can enter the values described.](./media/linkedinsalesnavigator-tutorial/tutorial_linkedin_admin_031.png)
+ ![Screenshot shows Single Sign-On where you can enter the values described.](./media/linkedinsalesnavigator-tutorial/values.png)
a. Copy **Entity Id** and paste it into the **Identifier** text box in the **Basic SAML Configuration** in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Go to **LinkedIn Admin Settings** section. Upload the XML file that you have downloaded from the Azure portal by clicking on the **Upload XML file** option.
- ![Screenshot shows Configure the LinkedIn service provider S S O settings where you can upload an X M L file.](./media/linkedinsalesnavigator-tutorial/tutorial_linkedin_metadata_03.png)
+ ![Screenshot shows Configure the LinkedIn service provider S S O settings where you can upload an X M L file.](./media/linkedinsalesnavigator-tutorial/metadata.png)
1. Click **On** to enable SSO. SSO status changes from **Not Connected** to **Connected**
- ![Screenshot shows Single Sign-On where you can enable Authenticate users with S S O.](./media/linkedinsalesnavigator-tutorial/tutorial_linkedin_admin_05.png)
+ ![Screenshot shows Single Sign-On where you can enable Authenticate users with S S O.](./media/linkedinsalesnavigator-tutorial/authentication.png)
### Create LinkedIn Sales Navigator test user Linked Sales Navigator Application supports Just in Time (JIT) user provisioning and after authentication users are created in the application automatically. Activate **Automatically assign licenses** to assign a license to the user.
- ![Creating an Azure AD test user](./media/linkedinsalesnavigator-tutorial/LinkedinUserprovswitch.png)
+ ![Creating an Azure AD test user](./media/linkedinsalesnavigator-tutorial/provisioning.png)
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to LinkedIn Sales Navigator Sign on URL where you can initiate the login flow.
-When you click the LinkedIn Sales Navigator tile in the Access Panel, you should be automatically signed in to the LinkedIn Sales Navigator for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to LinkedIn Sales Navigator Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the LinkedIn Sales Navigator for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the LinkedIn Sales Navigator tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LinkedIn Sales Navigator for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try LinkedIn Sales Navigator with Azure AD](https://aad.portal.azure.com/)
+Once you configure LinkedIn Sales Navigator you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
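Review bot: The new sub-headings `#### SP initiated:` and `#### IDP initiated:` sit directly under `## Test SSO`, skipping a heading level, and carry a trailing colon; use `###` without the colon. In the added Next steps paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as if session control protects the exfiltration itself; "protects against" states the intent. The apostrophe in that possessive is a typographic quote that comes through garbled in this view, so a plain ASCII apostrophe is safer. The intro line also needs an article: "with the following options".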
active-directory Ms Azure Sso Access For Ethidex Compliance Office Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md
Previously updated : 09/06/2019 Last updated : 05/06/2021
In this tutorial, you'll learn how to integrate MS Azure SSO Access for Ethidex
* Enable your users to be automatically signed-in to MS Azure SSO Access for Ethidex Compliance OfficeΓäó with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
## Prerequisites
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* MS Azure SSO Access for Ethidex Compliance OfficeΓäó supports **IDP** initiated SSO
+* MS Azure SSO Access for Ethidex Compliance OfficeΓäó supports **IDP** initiated SSO.
## Adding MS Azure SSO Access for Ethidex Compliance OfficeΓäó from the gallery To configure the integration of MS Azure SSO Access for Ethidex Compliance OfficeΓäó into Azure AD, you need to add MS Azure SSO Access for Ethidex Compliance OfficeΓäó from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **MS Azure SSO Access for Ethidex Compliance OfficeΓäó** in the search box. 1. Select **MS Azure SSO Access for Ethidex Compliance OfficeΓäó** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for MS Azure SSO Access for Ethidex Compliance OfficeΓäó
+## Configure and test Azure AD SSO for MS Azure SSO Access for Ethidex Compliance OfficeΓäó
Configure and test Azure AD SSO with MS Azure SSO Access for Ethidex Compliance OfficeΓäó using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in MS Azure SSO Access for Ethidex Compliance OfficeΓäó.
-To configure and test Azure AD SSO with MS Azure SSO Access for Ethidex Compliance OfficeΓäó, complete the following building blocks:
+To configure and test Azure AD SSO with MS Azure SSO Access for Ethidex Compliance OfficeΓäó, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with MS Azure SSO Access for Ethidex Complian
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **MS Azure SSO Access for Ethidex Compliance OfficeΓäó** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **MS Azure SSO Access for Ethidex Compliance OfficeΓäó** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
![image](common/edit-attribute.png)
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificateraw.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up MS Azure SSO Access for Ethidex Compliance OfficeΓäó** section, copy the appropriate URL(s) based on your requirement.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **MS Azure SSO Access for Ethidex Compliance OfficeΓäó**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure MS Azure SSO Access for Ethidex Compliance Office SSO
-To configure single sign-on on **MS Azure SSO Access for Ethidex Compliance OfficeΓäó** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [MS Azure SSO Access for Ethidex Compliance OfficeΓäó support team](mailto:support@ethidex.com). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **MS Azure SSO Access for Ethidex Compliance OfficeΓäó** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [MS Azure SSO Access for Ethidex Compliance OfficeΓäó support team](mailto:support@ethidex.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create MS Azure SSO Access for Ethidex Compliance Office test user
In this section, you create a user called B.Simon in MS Azure SSO Access for Eth
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the MS Azure SSO Access for Ethidex Compliance OfficeΓäó tile in the Access Panel, you should be automatically signed in to the MS Azure SSO Access for Ethidex Compliance OfficeΓäó for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Ethidex Compliance OfficeΓäó for which you set up the SSO
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Ethidex Compliance OfficeΓäó tile in the My Apps, you should be automatically signed in to the Ethidex Compliance OfficeΓäó for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) -- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try MS Azure SSO Access for Ethidex Compliance OfficeΓäó with Azure AD](https://aad.portal.azure.com/)
+Once you configure Ethidex Compliance OfficeΓäó you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
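Review bot: The added Test SSO bullets and the Next steps paragraph shorten the app name to "Ethidex Compliance Office", while the removed lines in this hunk and the rest of the article use the gallery name "MS Azure SSO Access for Ethidex Compliance Office". Use the gallery name throughout so the reader looks for the right tile in My Apps. The first added bullet also lacks a closing period, and "Test this application" is a UI label that should be bolded.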
active-directory Oc Tanner Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oc-tanner-tutorial.md
Previously updated : 01/28/2020 Last updated : 05/07/2021 # Tutorial: Azure Active Directory single sign-on (SSO) integration with O.C. Tanner - AppreciateHub
In this tutorial, you'll learn how to integrate O.C. Tanner - AppreciateHub with
* Enable your users to be automatically signed-in to O.C. Tanner - AppreciateHub with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* O.C. Tanner - AppreciateHub supports **IDP** initiated SSO
-
-* Once you configure the O.C. Tanner - AppreciateHub you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* O.C. Tanner - AppreciateHub supports **IDP** initiated SSO.
-## Adding O.C. Tanner - AppreciateHub from the gallery
+## Add O.C. Tanner - AppreciateHub from the gallery
To configure the integration of O.C. Tanner - AppreciateHub into Azure AD, you need to add O.C. Tanner - AppreciateHub from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **O.C. Tanner - AppreciateHub** in the search box. 1. Select **O.C. Tanner - AppreciateHub** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for O.C. Tanner - AppreciateHub
+## Configure and test Azure AD SSO for O.C. Tanner - AppreciateHub
Configure and test Azure AD SSO with O.C. Tanner - AppreciateHub using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in O.C. Tanner - AppreciateHub.
-To configure and test Azure AD SSO with O.C. Tanner - AppreciateHub, complete the following building blocks:
+To configure and test Azure AD SSO with O.C. Tanner - AppreciateHub, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure O.C. Tanner - AppreciateHub SSO](#configure-oc-tannerappreciatehub-sso)** - to configure the single sign-on settings on application side.
- * **[Create O.C. Tanner - AppreciateHub test user](#create-oc-tannerappreciatehub-test-user)** - to have a counterpart of B.Simon in O.C. Tanner - AppreciateHub that is linked to the Azure AD representation of user.
+ 1. **[Create O.C. Tanner - AppreciateHub test user](#create-oc-tannerappreciatehub-test-user)** - to have a counterpart of B.Simon in O.C. Tanner - AppreciateHub that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **O.C. Tanner - AppreciateHub** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **O.C. Tanner - AppreciateHub** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **O.C. Tanner - AppreciateHub**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure O.C. Tanner - AppreciateHub SSO
Ask your [O.C. Tanner - AppreciateHub support team](mailto:sso@octanner.com) to
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the O.C. Tanner - AppreciateHub tile in the Access Panel, you should be automatically signed in to the O.C. Tanner - AppreciateHub for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the O.C. Tanner - AppreciateHub for which you set up the SSO.
-- [Try O.C. Tanner - AppreciateHub with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the O.C. Tanner - AppreciateHub tile in the My Apps, you should be automatically signed in to the O.C. Tanner - AppreciateHub for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect O.C. Tanner - AppreciateHub with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure O.C. Tanner - AppreciateHub you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
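Review bot: Both added links (My Apps under Test SSO and Cloud App Security under Next steps) are absolute https://docs.microsoft.com/... URLs, whereas the removed lines in this hunk used repository-relative paths such as `../user-help/my-apps-portal-end-user-access.md` and `/cloud-app-security/proxy-intro-aad`. Switch back to relative paths so the links are checked with the rest of the repository. The My Apps link also now points at a different target (`active-directory-saas-access-panel-introduction`) than the removed line did, so confirm it still resolves.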
active-directory Overdrive Books Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/overdrive-books-tutorial.md
Previously updated : 02/15/2021 Last updated : 05/06/2021 # Tutorial: Azure Active Directory integration with Overdrive
Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [Overdrive Client support team](https://help.overdrive.com/) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
+5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **App Federation Metadata URL** from the given options as per your requirement and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/copy-metadataurl.png)
6. On the **Set up Overdrive** section, copy the appropriate URL(s) as per your requirement.
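Review bot: Step 5 on the + line still tells the reader to click **Download** and "save it on your computer", but the item is now the **App Federation Metadata URL**, which is a value to copy rather than a file to download. Reword the step to copy the URL. The image changed to `common/copy-metadataurl.png` but its alt text is still "The Certificate download link"; update the alt text to describe copying the metadata URL.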
In this section, you enable Britta Simon to use Azure single sign-on by granting
## Configure Overdrive SSO
-To configure single sign-on on **Overdrive** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Overdrive support team](https://help.overdrive.com/). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **Overdrive** side, you need to send the **App Federation Metadata URL** to [Overdrive support team](https://help.overdrive.com/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Overdrive test user
active-directory Perceptyx Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/perceptyx-tutorial.md
Previously updated : 06/14/2019 Last updated : 05/10/2021
In this tutorial, you'll learn how to integrate Perceptyx with Azure Active Dire
* Enable your users to be automatically signed-in to Perceptyx with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Perceptyx single sign-on (SSO) enabled subscription. ## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Perceptyx supports **IDP** initiated SSO.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+* Perceptyx supports **IDP** initiated SSO.
-## Adding Perceptyx from the gallery
+## Add Perceptyx from the gallery
To configure the integration of Perceptyx into Azure AD, you need to add Perceptyx from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Perceptyx** in the search box. 1. Select **Perceptyx** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Perceptyx
Configure and test Azure AD SSO with Perceptyx using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Perceptyx.
-To configure and test Azure AD SSO with Perceptyx, complete the following building blocks:
+To configure and test Azure AD SSO with Perceptyx, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Perceptyx SSO](#configure-perceptyx-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-5. **[Create Perceptyx test user](#create-perceptyx-test-user)** - to have a counterpart of B.Simon in Perceptyx that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Perceptyx SSO](#configure-perceptyx-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Perceptyx test user](#create-perceptyx-test-user)** - to have a counterpart of B.Simon in Perceptyx that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Perceptyx** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Perceptyx** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** page, enter the values for the following fields:
+1. On the **Basic SAML Configuration** page, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<SubDomain>.perceptyx.com/<SurveyId>/index.cgi/saml-login?o=B`
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/copy-metadataurl.png)
-### Configure Perceptyx SSO
-
-To configure single sign-on on **Perceptyx** side, you need to send the **App Federation Metadata Url** to [Perceptyx support team](mailto:customersupport@perceptyx.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Perceptyx**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
+## Configure Perceptyx SSO
+
+To configure single sign-on on **Perceptyx** side, you need to send the **App Federation Metadata Url** to [Perceptyx support team](mailto:customersupport@perceptyx.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create Perceptyx test user In this section, you create a user called B.Simon in Perceptyx. Work with [Perceptyx support team](mailto:customersupport@perceptyx.com) to add the users in the Perceptyx platform. Users must be created and activated before you use single sign-on.
-### Test SSO
+## Test SSO
-When you select the Perceptyx tile in the Access Panel, you should be automatically signed in to the Perceptyx for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Perceptyx for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Perceptyx tile in the My Apps, you should be automatically signed in to the Perceptyx for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Perceptyx you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
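Review bot: the added Next steps sentence says session control "protects exfiltration and infiltration" of sensitive data, which reads as if the control protects the exfiltration itself; it should be "protects against exfiltration and infiltration". In the same hunk, "with following options" under Test SSO is missing its article ("with the following options"), and the first bullet names the Test this application button without the bold formatting that UI labels carry elsewhere in this article.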
active-directory Purecloud By Genesys Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/purecloud-by-genesys-tutorial.md
Previously updated : 02/11/2021 Last updated : 05/07/2021
To enable Azure AD SSO in the Azure portal, follow these steps:
1. In the **Basic SAML Configuration** section, if you want to configure the application in **IDP**-initiated mode, enter the values for the following fields: a. In the **Identifier** box, enter the URLs that corresponds to your region:-
- ```http
- https://login.mypurecloud.com/saml
- https://login.mypurecloud.de/saml
- https://login.mypurecloud.jp/saml
- https://login.mypurecloud.ie/saml
- https://login.mypurecloud.au/saml
- ```
+
+ | Identifier URL |
+ ||
+ | https://login.mypurecloud.com/saml |
+ | https://login.mypurecloud.de/saml |
+ | https://login.mypurecloud.jp/saml |
+ | https://login.mypurecloud.ie/saml |
+ | https://login.mypurecloud.com.au/saml |
+ |
b. In the **Reply URL** box, enter the URLs that corresponds to your region:
- ```http
- https://login.mypurecloud.com/saml
- https://login.mypurecloud.de/saml
- https://login.mypurecloud.jp/saml
- https://login.mypurecloud.ie/saml
- https://login.mypurecloud.com.au/saml
- ```
+ | Reply URL |
+ ||
+ | https://login.mypurecloud.com/saml |
+ | https://login.mypurecloud.de/saml |
+ | https://login.mypurecloud.jp/saml |
+ | https://login.mypurecloud.ie/saml |
+ | https://login.mypurecloud.com.au/saml |
+ |
1. Select **Set additional URLs** and take the following step if you want to configure the application in **SP** initiated mode: In the **Sign-on URL** box, enter the URLs that corresponds to your region:
- ```http
- https://login.mypurecloud.com
- https://login.mypurecloud.de
- https://login.mypurecloud.jp
- https://login.mypurecloud.ie
- https://login.mypurecloud.com.au
- ```
+ |Sign-on URL |
+ ||
+ | https://login.mypurecloud.com |
+ | https://login.mypurecloud.de |
+ | https://login.mypurecloud.jp |
+ | https://login.mypurecloud.ie |
+ | https://login.mypurecloud.com.au |
+ |
1. PureCloud by Genesys application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes:
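Review bot: the Identifier list changes a value as well as its format. The removed block has `https://login.mypurecloud.au/saml` and the new table has `https://login.mypurecloud.com.au/saml`, which now agrees with the Australian entries under Reply URL and Sign-on URL. Please confirm the correction is intended and mention it in the change description, because readers who configured the Identifier from the old list will need to update it. Each of the three new tables also ends with a row holding a single `|`, which looks like a stray line; check how it renders. The unchanged lead-ins still read "enter the URLs that corresponds to your region", although one URL per region is entered.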
active-directory Samsara Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/samsara-tutorial.md
Previously updated : 09/15/2020 Last updated : 05/05/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Samsara supports **SP** and **IDP** initiated SSO
-* Samsara supports **Just In Time** user provisioning
+* Samsara supports **SP** and **IDP** initiated SSO.
+* Samsara supports **Just In Time** user provisioning.
-## Adding Samsara from the gallery
+## Add Samsara from the gallery
To configure the integration of Samsara into Azure AD, you need to add Samsara from the gallery to your list of managed SaaS apps. 1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service.-
- ![The Azure Active Directory button](common/select-azuread.png)
-
1. Navigate to **Enterprise Applications** and then select **All Applications**.-
- ![The Enterprise applications blade](common/enterprise-applications.png)
- 1. To add new application, select **New application**.-
- ![The New application button](common/add-new-app.png)
- 1. In the **Add from the gallery** section, type **Samsara** in the search box.-
- ![OneTrust Privacy Management Software in the results list](common/search-new-app.png)
- 1. Select **Samsara** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Samsara Configure and test Azure AD SSO with Samsara using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Samsara.
To configure and test Azure AD SSO with Samsara, perform the following steps:
Follow these steps to enable Azure AD SSO in the Azure portal. 1. In the Azure portal, on the **Samsara** application integration page, find the **Manage** section and select **single sign-on**.-
- ![Configure single sign-on link](common/select-sso.png)
- 1. On the **Select a single sign-on method** page, select **SAML**.-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set-up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign-on URL** text box, type a URL using the following pattern:
+ a. In the **Sign-on URL** text box, type a URL using one of the following patterns:
`https://cloud.samsara.com/signin/<ORGID>` for US cloud customers `https://cloud.eu.samsara.com/signin/<ORGID>` for EU cloud customers
Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > These values are not real. Update these values with the actual Sign-on URL, Reply URL, and Identifier. Contact the [Samsara Client support team](mailto:support@samsara.com) to get these values, or in Samsara, go to **Settings** > **Single-Sign-On** > **New SAML Connection** to obtain the \<ORGID\>. You also can refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
![The Certificate download link](common/certificatebase64.png)
-1. On the **Set up Samsara** section, copy the **login URL**
+1. On the **Set-up Samsara** section, copy the **login URL**
![Copy configuration URLs](common/copy-configuration-urls.png)
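Review bot: the bold names in these two steps are UI labels, and the removed lines give them as "Set up single sign-on with SAML" and "Set up Samsara"; the added lines hyphenate them to "Set-up", and the same edit is made to the Basic SAML Configuration step earlier in this file. The other tutorials in this update keep "Set up single sign-on with SAML", so keep the unhyphenated form here as well. The last step, "copy the **login URL**", also ends without a period, unlike the steps around it.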
In this section, a user called B.Simon is created in Samsara. Samsara supports j
In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on **Test this application** in Azure portal. This will redirect to Samsara Sign-on URL where you can initiate the login flow.
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Samsara Sign on URL where you can initiate the login flow.
+
+* Go to Samsara Sign-on URL directly and initiate the login flow from there.
-2. Go to Samsara Sign-on URL directly and initiate the login flow from there.
+#### IDP initiated:
-3. You can use Microsoft Access Panel. When you click the Samsara tile in the Access Panel, this will redirect to Samsara Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Samsara for which you set up the SSO.
+You can also use Microsoft My Apps to test the application in any mode. When you click the Samsara tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Samsara for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
## Next steps
-Once you configure Samsara you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Samsara you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
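Review bot: both links in this hunk become absolute `https://docs.microsoft.com/...` URLs, where the removed lines used the relative `../user-help/my-apps-portal-end-user-access.md` and the site-relative `/cloud-app-security/proxy-deployment-any-app`. The Perceptyx tutorial in this same update keeps the relative forms, so use them here for consistency, and confirm that the new My Apps target `active-directory-saas-access-panel-introduction` still resolves, since it is a different path from the one removed. Separately, the first SP-initiated bullet says "Samsara Sign on URL" while the next bullet says "Sign-on URL", and the "You can also use Microsoft My Apps" paragraph follows the IDP bullet with no blank line, so it may render as part of that bullet.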
active-directory Samsung Knox And Business Services Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/samsung-knox-and-business-services-tutorial.md
Previously updated : 01/27/2021 Last updated : 05/11/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Samsung Knox and Business Services supports **SP** initiated SSO
+* Samsung Knox and Business Services supports **SP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields: * In the **Sign on URL** text box, type the URL:
- `https://www.samsungknox.com`
+ `https://www2.samsungknox.com/en/sso/login/ad`
* In the **Reply URL (assertion consumer service URL)** text box, type the URL: `https://central.samsungknox.com/ams/ad/saml/acs`
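Review bot: the new Sign on URL `https://www2.samsungknox.com/en/sso/login/ad` carries an `/en/` locale segment and moves to a `www2` host, while the Reply URL stays on `central.samsungknox.com`. Please confirm with the vendor that this is the intended entry point for every tenant and not a language-specific or temporary address. The article lists only SP-initiated SSO as supported, so this is the URL readers will be sent to when they test the integration.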
active-directory Sectigo Certificate Manager Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sectigo-certificate-manager-tutorial.md
Previously updated : 04/15/2019 Last updated : 05/04/2021 # Tutorial: Azure Active Directory integration with Sectigo Certificate Manager
-In this tutorial, you learn how to integrate Sectigo Certificate Manager (also called SCM) with Azure Active Directory (Azure AD).
+In this tutorial, you'll learn how to integrate Sectigo Certificate Manager with Azure Active Directory (Azure AD). When you integrate Sectigo Certificate Manager with Azure AD, you can:
-Integrating Sectigo Certificate Manager with Azure AD gives you the following benefits:
-
-* You can use Azure AD to control who has access to Sectigo Certificate Manager.
-* Users can be automatically signed in to Sectigo Certificate Manager with their Azure AD accounts (single sign-on).
-* You can manage your accounts in one central location, the Azure portal.
-
-For more information about software as a service (SaaS) app integration with Azure AD, see [Single sign-on to applications in Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
+* Control in Azure AD who has access to Sectigo Certificate Manager.
+* Enable your users to be automatically signed-in to Sectigo Certificate Manager with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
In this tutorial, you configure and test Azure AD single sign-on in a test envir
Sectigo Certificate Manager supports the following features:
-* **SP-initiated single sign-on**
-* **IDP-initiated single sign-on**
-
-## Add Sectigo Certificate Manager in the Azure portal
-
-To integrate Sectigo Certificate Manager with Azure AD, you must add Sectigo Certificate Manager to your list of managed SaaS apps.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-
-1. In the left menu, select **Azure Active Directory**.
-
- ![The Azure Active Directory option](common/select-azuread.png)
-
-1. Select **Enterprise applications** > **All applications**.
-
- ![The Enterprise applications pane](common/enterprise-applications.png)
+* **SP-initiated single sign-on**.
+* **IDP-initiated single sign-on**.
-1. To add an application, select **New application**.
-
- ![The New application option](common/add-new-app.png)
-
-1. In the search box, enter **Sectigo Certificate Manager**. In the search results, select **Sectigo Certificate Manager**, and then select **Add**.
-
- ![Sectigo Certificate Manager in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-In this section, you configure and test Azure AD single sign-on with Sectigo Certificate Manager based on a test user named **Britta Simon**. For single sign-on to work, you must establish a linked relationship between an Azure AD user and the related user in Sectigo Certificate Manager.
+## Add Sectigo Certificate Manager in the Azure portal
-To configure and test Azure AD single sign-on with Sectigo Certificate Manager, you must complete the following building blocks:
+To configure the integration of Sectigo Certificate Manager into Azure AD, you need to add Sectigo Certificate Manager from the gallery to your list of managed SaaS apps.
-| Task | Description |
-| | |
-| **[Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on)** | Enables your users to use this feature. |
-| **[Configure Sectigo Certificate Manager single sign-on](#configure-sectigo-certificate-manager-single-sign-on)** | Configures the single sign-on settings in the application. |
-| **[Create an Azure AD test user](#create-an-azure-ad-test-user)** | Tests Azure AD single sign-on for a user named Britta Simon. |
-| **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** | Enables Britta Simon to use Azure AD single sign-on. |
-| **[Create a Sectigo Certificate Manager test user](#create-a-sectigo-certificate-manager-test-user)** | Creates a counterpart of Britta Simon in Sectigo Certificate Manager that is linked to the Azure AD representation of the user. |
-| **[Test single sign-on](#test-single-sign-on)** | Verifies that the configuration works. |
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Sectigo Certificate Manager** in the search box.
+1. Select **Sectigo Certificate Manager** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Sectigo Certificate Manager
-In this section, you configure Azure AD single sign-on with Sectigo Certificate Manager in the Azure portal.
+Configure and test Azure AD SSO with Sectigo Certificate Manager using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Sectigo Certificate Manager.
-1. In the [Azure portal](https://portal.azure.com/), in the **Sectigo Certificate Manager** application integration pane, select **Single sign-on**.
+To configure and test Azure AD SSO with Sectigo Certificate Manager, perform the following steps:
- ![Configure single sign-on option](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Sectigo Certificate Manager SSO](#configure-sectigo-certificate-manager-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Sectigo Certificate Manager test user](#create-sectigo-certificate-manager-test-user)** - to have a counterpart of B.Simon in Sectigo Certificate Manager that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the **Select a single sign-on method** pane, select **SAML** or **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the **Set up Single Sign-On with SAML** pane, select **Edit** (the pencil icon) to open the **Basic SAML Configuration** pane.
+1. In the Azure portal, on the **Sectigo Certificate Manager** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
-1. In the **Basic SAML Configuration** section complete the following steps:
+1. In the **Basic SAML Configuration** section perform the following steps:
1. In the **Identifier (Entity ID)** box, for the main Sectigo Certificate Manager instance, enter **https:\//cert-manager.com/shibboleth**. 1. In the **Reply URL** box, for the main Sectigo Certificate Manager instance, enter **https:\//cert-manager.com/Shibboleth.sso/SAML2/POST**. > [!NOTE]
- > Although in general, the **Sign-on URL** is mandatory for *SP-initiated mode*, it isn't needed to log in from Sectigo Certificate Manager.
+ > Although in general, the **Sign-on URL** is mandatory for **SP-initiated mode**, it isn't needed to log in from Sectigo Certificate Manager.
-1. Optionally, in the **Basic SAML Configuration** section, to configure *IDP-initiated mode* and to allow **Test** to work, complete the following steps:
+1. Optionally, in the **Basic SAML Configuration** section, to configure **IDP-initiated mode** and to allow **Test** to work, perform the following steps:
1. Select **Set additional URLs**. 1. In the **Relay State** box, enter your Sectigo Certificate Manager customer-specific URL. For the main Sectigo Certificate Manager instance, enter **https:\//cert-manager.com/customer/\<customerURI\>/idp**.
- ![Sectigo Certificate Manager domain and URLs single sign-on information](common/idp-relay.png)
-
-1. In the **User Attributes & Claims** section, complete the following steps:
+1. In the **User Attributes & Claims** section, perform the following steps:
1. Delete all **Additional claims**.
In this section, you configure Azure AD single sign-on with Sectigo Certificate
![The Federation Metadata XML download option](common/metadataxml.png)
-### Configure Sectigo Certificate Manager single sign-on
-
-To configure single sign-on on the Sectigo Certificate Manager side, send the downloaded Federation Metadata XML file to the [Sectigo Certificate Manager support team](https://sectigo.com/support). The Sectigo Certificate Manager support team uses the information you send them to ensure that the SAML single sign-on connection is set properly on both sides.
- ### Create an Azure AD test user
-In this section, you create a test user named Britta Simon in the Azure portal.
-
-1. In the Azure portal, select **Azure Active Directory** > **Users** > **All users**.
-
- ![The Users and All users options](common/users.png)
-
-1. Select **New user**.
-
- ![The New user option](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the **User** pane, complete the following steps:
-
- 1. In the **Name** box, enter **BrittaSimon**.
-
- 1. In the **User name** box, enter **brittasimon\@\<your-company-domain>.\<extension\>**. For example, **brittasimon\@contoso.com**.
-
- 1. Select the **Show password** check box. Record the value that's displayed in the **Password** box.
-
- 1. Select **Create**.
-
- ![The User pane](common/user-properties.png)
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you grant Britta Simon access to Sectigo Certificate Manager so that the user can use Azure single sign-on.
-
-1. In the Azure portal, select **Enterprise applications** > **All applications** > **Sectigo Certificate Manager**.
-
- ![The Enterprise applications pane](common/enterprise-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Sectigo Certificate Manager.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
1. In the applications list, select **Sectigo Certificate Manager**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Sectigo Certificate Manager in the applications list](common/all-applications.png)
-
-1. In the menu, select **Users and groups**.
-
- ![The Users and groups option](common/users-groups-blade.png)
-
-1. Select **Add user**. Then, in the **Add assignment** pane, select **Users and groups**.
-
- ![The Add assignment pane](common/add-assign-user.png)
+## Configure Sectigo Certificate Manager SSO
-1. In the **Users and groups** pane, select **Britta Simon** in the list of users. Choose **Select**.
-
-1. If you are expecting a role value in the SAML assertion, in the **Select role** pane, select the relevant role for the user from the list. Choose **Select**.
-
-1. In the **Add Assignment** pane, select **Assign**.
+To configure single sign-on on the Sectigo Certificate Manager side, send the downloaded Federation Metadata XML file to the [Sectigo Certificate Manager support team](https://sectigo.com/support). The Sectigo Certificate Manager support team uses the information you send them to ensure that the SAML single sign-on connection is set properly on both sides.
-### Create a Sectigo Certificate Manager test user
+### Create Sectigo Certificate Manager test user
In this section, you create a user named Britta Simon in Sectigo Certificate Manager. Work with the [Sectigo Certificate Manager support team](https://sectigo.com/support) to add the user in the Sectigo Certificate Manager platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
In this section, you test your Azure AD single sign-on configuration.
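Review bot: the unchanged paragraph under "Create Sectigo Certificate Manager test user" still says "you create a user named Britta Simon in Sectigo Certificate Manager", while every added line in this hunk names the test user B.Simon. Update that paragraph to B.Simon so the application-side account matches the Azure AD user that the earlier steps create and assign.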
Select **Sectigo Certificate Manager** in the My Apps portal. If configured cor
## Next steps
-To learn more, review these articles:
--- [List of tutorials for integrating SaaS apps with Azure Active Directory](./tutorial-list.md)-- [Single sign-on to applications in Azure Active Directory](../manage-apps/what-is-single-sign-on.md)-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Sectigo Certificate Manager you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
active-directory Securejoinnow Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/securejoinnow-tutorial.md
Previously updated : 08/07/2019 Last updated : 05/10/2021
In this tutorial, you'll learn how to integrate SecureW2 JoinNow Connector with
* Enable your users to be automatically signed-in to SecureW2 JoinNow Connector with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* SecureW2 JoinNow Connector supports **SP** initiated SSO
---
+* SecureW2 JoinNow Connector supports **SP** initiated SSO.
-
-## Adding SecureW2 JoinNow Connector from the gallery
+## Add SecureW2 JoinNow Connector from the gallery
To configure the integration of SecureW2 JoinNow Connector into Azure AD, you need to add SecureW2 JoinNow Connector from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **SecureW2 JoinNow Connector** in the search box. 1. Select **SecureW2 JoinNow Connector** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for SecureW2 JoinNow Connector
Configure and test Azure AD SSO with SecureW2 JoinNow Connector using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SecureW2 JoinNow Connector.
-To configure and test Azure AD SSO with SecureW2 JoinNow Connector, complete the following building blocks:
+To configure and test Azure AD SSO with SecureW2 JoinNow Connector, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure SecureW2 JoinNow Connector SSO](#configure-securew2-joinnow-connector-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-5. **[Create SecureW2 JoinNow Connector test user](#create-securew2-joinnow-connector-test-user)** - to have a counterpart of B.Simon in SecureW2 JoinNow Connector that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SecureW2 JoinNow Connector SSO](#configure-securew2-joinnow-connector-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SecureW2 JoinNow Connector test user](#create-securew2-joinnow-connector-test-user)** - to have a counterpart of B.Simon in SecureW2 JoinNow Connector that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **SecureW2 JoinNow Connector** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **SecureW2 JoinNow Connector** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<organization-identifier>-auth.securew2.com/auth/saml/SSO`
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure SecureW2 JoinNow Connector SSO
-
-To configure single sign-on on **SecureW2 JoinNow Connector** side, you need to send the downloaded **Metadata XML** and appropriate copied URLs from Azure portal to [SecureW2 JoinNow Connector support team](mailto:support@securew2.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **SecureW2 JoinNow Connector**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
+## Configure SecureW2 JoinNow Connector SSO
+
+To configure single sign-on on **SecureW2 JoinNow Connector** side, you need to send the downloaded **Metadata XML** and appropriate copied URLs from Azure portal to [SecureW2 JoinNow Connector support team](mailto:support@securew2.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create SecureW2 JoinNow Connector test user In this section, you create a user called Britta Simon in SecureW2 JoinNow Connector. Work with [SecureW2 JoinNow Connector support team](mailto:support@securew2.com) to add the users in the SecureW2 JoinNow Connector platform. Users must be created and activated before you use single sign-on.
-### Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SecureW2 JoinNow Connector tile in the Access Panel, you should be automatically signed in to the SecureW2 JoinNow Connector for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to SecureW2 JoinNow Connector Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to SecureW2 JoinNow Connector Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SecureW2 JoinNow Connector tile in the My Apps, this will redirect to SecureW2 JoinNow Connector Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SecureW2 JoinNow Connector you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
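Review bot: The "Create SecureW2 JoinNow Connector test user" text in this hunk still tells the reader to create a user called Britta Simon, while the Azure AD sections of the same article create and assign B.Simon; rename it to B.Simon so the linked accounts on both sides carry the same name. In the new Next steps paragraph, "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration", and the apostrophe in "organization's" is a non-ASCII character that shows up here as "ΓÇÖ", so a plain ASCII apostrophe is safer. The Test SSO intro also needs an article: "with the following options".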
active-directory Seismic Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/seismic-tutorial.md
Previously updated : 08/27/2020 Last updated : 05/07/2021 # Tutorial: Azure Active Directory integration with Seismic
-In this tutorial, you learn how to integrate Seismic with Azure Active Directory (Azure AD).
-Integrating Seismic with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Seismic with Azure Active Directory (Azure AD). When you integrate Seismic with Azure AD, you can:
-* You can control in Azure AD who has access to Seismic.
-* You can enable your users to be automatically signed-in to Seismic (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Seismic.
+* Enable your users to be automatically signed-in to Seismic with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Seismic, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Seismic single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Seismic single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To configure Azure AD integration with Seismic, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Seismic supports **SP** initiated SSO
-* Once you configure Seismic you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+* Seismic supports **SP** initiated SSO.
-## Adding Seismic from the gallery
+## Add Seismic from the gallery
To configure the integration of Seismic into Azure AD, you need to add Seismic from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Seismic** in the search box. 1. Select **Seismic** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO
+## Configure and test Azure AD SSO for Seismic
-In this section, you configure and test Azure AD single sign-on with Seismic based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Seismic needs to be established.
+Configure and test Azure AD SSO with Seismic using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Seismic.
-To configure and test Azure AD single sign-on with Seismic, you need to complete the following building blocks:
+To configure and test Azure AD SSO with Seismic, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-2. **[Configure Seismic SSO](#configure-seismic-sso)** - to configure the Single Sign-On settings on application side.
- * **[Create Seismic test user](#create-seismic-test-user)** - to have a counterpart of Britta Simon in Seismic that is linked to the Azure AD representation of user.
-3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Seismic SSO](#configure-seismic-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Seismic test user](#create-seismic-test-user)** - to have a counterpart of B.Simon in Seismic that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Seismic** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Seismic** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Seismic Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.seismic.com`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Seismic**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Seismic SSO
To configure single sign-on on **Seismic** side, you need to send the downloaded
In this section, you create a user called Britta Simon in Seismic. Work with [Seismic support team](mailto:support@seismic.com) to add the users in the Seismic platform. Users must be created and activated before you use single sign-on.
-### Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Seismic tile in the Access Panel, you should be automatically signed in to the Seismic for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Seismic Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Seismic Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Seismic tile in the My Apps, this will redirect to Seismic Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Seismic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
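Review bot: Both new links in this hunk are absolute (`https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction` and `https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app`), whereas the SecureW2 article in the same batch points at the same targets with `../user-help/my-apps-portal-end-user-access.md` and the site-relative `/cloud-app-security/proxy-deployment-any-app`; use the relative forms here as well. The unchanged "Create Seismic test user" paragraph at the top of this hunk still says Britta Simon although this change renames the test user to B.Simon everywhere else in the article, and "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration".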
active-directory Smartrecruiters Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/smartrecruiters-tutorial.md
Previously updated : 03/07/2019 Last updated : 05/03/2021 # Tutorial: Azure Active Directory integration with SmartRecruiters
-In this tutorial, you learn how to integrate SmartRecruiters with Azure Active Directory (Azure AD).
-Integrating SmartRecruiters with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SmartRecruiters with Azure Active Directory (Azure AD). When you integrate SmartRecruiters with Azure AD, you can:
-* You can control in Azure AD who has access to SmartRecruiters.
-* You can enable your users to be automatically signed-in to SmartRecruiters (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SmartRecruiters.
+* Enable your users to be automatically signed-in to SmartRecruiters with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with SmartRecruiters, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* SmartRecruiters single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* SmartRecruiters single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SmartRecruiters supports **SP and IDP** initiated SSO
+* SmartRecruiters supports **SP and IDP** initiated SSO.
-## Adding SmartRecruiters from the gallery
+## Add SmartRecruiters from the gallery
To configure the integration of SmartRecruiters into Azure AD, you need to add SmartRecruiters from the gallery to your list of managed SaaS apps.
-**To add SmartRecruiters from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SmartRecruiters**, select **SmartRecruiters** from result panel then click **Add** button to add the application.
-
- ![SmartRecruiters in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with SmartRecruiters based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SmartRecruiters needs to be established.
-
-To configure and test Azure AD single sign-on with SmartRecruiters, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SmartRecruiters** in the search box.
+1. Select **SmartRecruiters** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SmartRecruiters Single Sign-On](#configure-smartrecruiters-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SmartRecruiters test user](#create-smartrecruiters-test-user)** - to have a counterpart of Britta Simon in SmartRecruiters that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for SmartRecruiters
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with SmartRecruiters using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SmartRecruiters.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with SmartRecruiters, perform the following steps:
-To configure Azure AD single sign-on with SmartRecruiters, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SmartRecruiters SSO](#configure-smartrecruiters-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SmartRecruiters test user](#create-smartrecruiters-test-user)** - to have a counterpart of B.Simon in SmartRecruiters that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **SmartRecruiters** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **SmartRecruiters** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://www.smartrecruiters.com/web-sso/saml/<companyname>`
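Review bot: The rewritten steps are all numbered `1.`, but the steps that continue the same list keep literal numbers (`4. On the **Basic SAML Configuration** section` here and `5. Click **Set additional URLs**` in the next hunk); switch those to `1.` so the list uses one numbering style. While touching that line, lowercase the "If" in "section, If you wish".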
To configure Azure AD single sign-on with SmartRecruiters, perform the following
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://www.smartrecruiters.com/web-sso/saml/<companyname>/login`
To configure Azure AD single sign-on with SmartRecruiters, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SmartRecruiters.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SmartRecruiters**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure SmartRecruiters Single Sign-On
+## Configure SmartRecruiters SSO
1. In a different web browser window, log in to your SmartRecruiters company site as an administrator.
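Review bot: The deleted sub-list (`a. Login URL`, `b. Azure AD Identifier`, `c. Logout URL`) was the only visible place that named the values to copy, yet the SmartRecruiters steps still say to paste "the value of **Login URL** which you have copied from Azure portal"; either keep the list or make sure the remaining copy step names the Login URL. The new test-user steps also have the reader write down B.Simon's password and then grant that account access to the app, so a closing step that deletes the test user once the SSO test is done would be worth adding.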
To configure Azure AD single sign-on with SmartRecruiters, perform the following
1. In the **Configuration** section, click **Web SSO**.
- ![Screenshot shows Web S S O selected from Configuration.](./media/smartrecruiters-tutorial/configure1.png)
+ ![Screenshot shows Web S S O selected from Configuration.](./media/smartrecruiters-tutorial/configuration-section.png)
1. Toggle **Enable Web SSO**.
- ![Screenshot shows the Enable Web S S O control.](./media/smartrecruiters-tutorial/configure2.png)
+ ![Screenshot shows the Enable Web S S O control.](./media/smartrecruiters-tutorial/enable-web.png)
1. In **Identity Provider Configuration**, perform the following steps:
- ![Screenshot shows Identity Provider Configuration where you can enter the values described.](./media/smartrecruiters-tutorial/configure4.png)
+ ![Screenshot shows Identity Provider Configuration where you can enter the values described.](./media/smartrecruiters-tutorial/identity-provider.png)
a. In **Identity Provider URL** textbox, paste the value of **Login URL** which you have copied from Azure portal.
To configure Azure AD single sign-on with SmartRecruiters, perform the following
1. Click **Save Web SSO configuration**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SmartRecruiters.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SmartRecruiters**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **SmartRecruiters**.
-
- ![The SmartRecruiters link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create SmartRecruiters test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in SmartRecruiters. Work with [SmartRecruiters support team](https://www.smartrecruiters.com/about-us/contact-us/) to add the users in the SmartRecruiters platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create SmartRecruiters test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in SmartRecruiters. Work with [SmartRecruiters support team](https://www.smartrecruiters.com/about-us/contact-us/) to add the users in the SmartRecruiters platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to SmartRecruiters Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to SmartRecruiters Sign-on URL directly and initiate the login flow from there.
-When you click the SmartRecruiters tile in the Access Panel, you should be automatically signed in to the SmartRecruiters for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SmartRecruiters for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the SmartRecruiters tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SmartRecruiters for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SmartRecruiters you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
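Review bot: `#### SP initiated:` and `#### IDP initiated:` sit directly under `## Test SSO`, skipping a heading level, and end in a colon; make them `###` headings without the colon. The SP bullets spell the target two ways ("Sign on URL" and "Sign-on URL"), the new "Create SmartRecruiters test user" paragraph names Britta Simon while the rest of the article now uses B.Simon, and the My Apps and Cloud App Security links are absolute `https://docs.microsoft.com/...` URLs where the SecureW2 article in this batch uses relative ones.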
active-directory Visma Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/visma-tutorial.md
Previously updated : 11/18/2019 Last updated : 05/10/2021
In this tutorial, you'll learn how to integrate Visma with Azure Active Director
* Enable your users to be automatically signed-in to Visma with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Visma supports **SP and IDP** initiated SSO
-* Visma supports **Just In Time** user provisioning
+* Visma supports **SP and IDP** initiated SSO.
+* Visma supports **Just In Time** user provisioning.
-## Adding Visma from the gallery
+## Add Visma from the gallery
To configure the integration of Visma into Azure AD, you need to add Visma from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Visma** in the search box. 1. Select **Visma** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Visma
+## Configure and test Azure AD SSO for Visma
Configure and test Azure AD SSO with Visma using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Visma.
-To configure and test Azure AD SSO with Visma, complete the following building blocks:
+To configure and test Azure AD SSO with Visma, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Visma SSO](#configure-visma-sso)** - to configure the single sign-on settings on application side.
- * **[Create Visma test user](#create-visma-test-user)** - to have a counterpart of B.Simon in Visma that is linked to the Azure AD representation of user.
+ 1. **[Create Visma test user](#create-visma-test-user)** - to have a counterpart of B.Simon in Visma that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Visma** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Visma** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Setup single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.my.connect.visma.com`
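Review bot: the step that opens **Basic SAML Configuration** renames the page from "Set up single sign-on with SAML" to "Setup single sign-on with SAML". "Set up" is the verb form, and the Whitesource tutorial updated in this same batch keeps "Set up single sign-on with SAML" for the same page, so the original spelling should stay. The same rename appears again in the later **SAML Signing Certificate** step of this file.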
Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Visma Client support team](https://www.visma.com/contact) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+1. On the **Setup single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
![The Certificate download link](common/copy-metadataurl.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Visma**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Visma SSO
In this section, a user called B.Simon is created in Visma. Visma supports just-
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Visma Sign on URL where you can initiate the login flow.
-When you click the Visma tile in the Access Panel, you should be automatically signed in to the Visma for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Visma Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Visma for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Visma tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Visma for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Visma with Azure AD](https://aad.portal.azure.com/)
+Once you configure Visma you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
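Review bot: the new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, which skips a heading level, and both end in a colon; `### SP initiated` and `### IDP initiated` would follow on from the `##` level cleanly. In the same hunk, "with following options" is missing "the", "protects exfiltration and infiltration" reads as if "protects against" was intended, and the apostrophe in "organization's" on the last added line shows up as "ΓÇÖ", so the character or the file encoding should be checked before merge.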
active-directory Whitesource Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/whitesource-tutorial.md
Previously updated : 09/20/2019 Last updated : 04/22/2021
In this tutorial, you'll learn how to integrate Whitesource with Azure Active Di
* Enable your users to be automatically signed-in to Whitesource with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Whitesource supports **SP** initiated SSO
+* Whitesource supports **SP** initiated SSO.
+
+* Whitesource supports **Just In Time** user provisioning.
-* Whitesource supports **Just In Time** user provisioning
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Whitesource from the gallery
+## Add Whitesource from the gallery
To configure the integration of Whitesource into Azure AD, you need to add Whitesource from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Whitesource** in the search box. 1. Select **Whitesource** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Whitesource
+## Configure and test Azure AD SSO for Whitesource
Configure and test Azure AD SSO with Whitesource using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Whitesource.
-To configure and test Azure AD SSO with Whitesource, complete the following building blocks:
+To configure and test Azure AD SSO with Whitesource, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Whitesource, complete the following buil
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Whitesource** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal on the **Whitesource** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.cloudapp.azure.com/`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Identifier (Entity ID)** text box, type the value:
`com.whitesource.sp` > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Whitesource Client support team](https://www.whitesourcesoftware.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These value is not real. Update these value with the actual Sign on URL. Contact [Whitesource Client support team](https://www.whitesourcesoftware.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
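Review bot: the rewritten note under the **Identifier (Entity ID)** step now reads "These value is not real. Update these value with the actual Sign on URL", which mixes plural and singular. Since only the Sign on URL is still a placeholder after this change, "This value is not real. Update this value with the actual Sign on URL" fits, and the "to get these values" that follows should become "to get this value".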
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Whitesource**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Whitesource SSO
In this section, a user called B.Simon is created in Whitesource. Whitesource su
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Whitesource tile in the Access Panel, you should be automatically signed in to the Whitesource for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Whitesource Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Whitesource Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Whitesource tile in the My Apps, this will redirect to Whitesource Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Whitesource with Azure AD](https://aad.portal.azure.com/)
+Once you configure Whitesource you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
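Review bot: the My Apps bullet and the **Next steps** paragraph add absolute `https://docs.microsoft.com/...` links, while the Access Panel line this hunk removes used the relative path `../user-help/my-apps-portal-end-user-access.md`. The Visma tutorial in this batch keeps the relative forms (`../user-help/my-apps-portal-end-user-access.md` and `/cloud-app-security/proxy-deployment-any-app`), so using the same paths here would keep the tutorials consistent. "with following options" in the intro sentence is also missing "the".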
active-directory Yardione Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/yardione-tutorial.md
Previously updated : 03/29/2019 Last updated : 05/04/2021 # Tutorial: Azure Active Directory integration with YardiOne
-In this tutorial, you learn how to integrate YardiOne with Azure Active Directory (Azure AD).
-Integrating YardiOne with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate YardiOne with Azure Active Directory (Azure AD). When you integrate YardiOne with Azure AD, you can:
-* You can control in Azure AD who has access to YardiOne.
-* You can enable your users to be automatically signed-in to YardiOne (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to YardiOne.
+* Enable your users to be automatically signed-in to YardiOne with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with YardiOne, you need the following items: * An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
-* YardiOne single sign-on enabled subscription
+* YardiOne single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* YardiOne supports **SP** initiated SSO
+* YardiOne supports **SP** initiated SSO.
-* YardiOne supports **Just In Time** user provisioning
+* YardiOne supports **Just In Time** user provisioning.
-## Adding YardiOne from the gallery
+## Add YardiOne from the gallery
To configure the integration of YardiOne into Azure AD, you need to add YardiOne from the gallery to your list of managed SaaS apps.
-**To add YardiOne from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **YardiOne**, select **YardiOne** from result panel then click **Add** button to add the application.
-
- ![YardiOne in the results list](common/search-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **YardiOne** in the search box.
+1. Select **YardiOne** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for YardiOne
-In this section, you configure and test Azure AD single sign-on with YardiOne based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in YardiOne needs to be established.
+Configure and test Azure AD SSO with YardiOne using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in YardiOne.
-To configure and test Azure AD single sign-on with YardiOne, you need to complete the following building blocks:
+To configure and test Azure AD SSO with YardiOne, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure YardiOne Single Sign-On](#configure-yardione-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create YardiOne test user](#create-yardione-test-user)** - to have a counterpart of Britta Simon in YardiOne that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure YardiOne SSO](#configure-yardione-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create YardiOne test user](#create-yardione-test-user)** - to have a counterpart of B.Simon in YardiOne that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with YardiOne, perform the following steps:
+1. In the Azure portal, on the **YardiOne** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **YardiOne** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![YardiOne Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<y1-subdomain>.yardione.com`
To configure Azure AD single sign-on with YardiOne, perform the following steps:
![The Certificate download link](common/copy-metadataurl.png)
-### Configure YardiOne Single Sign-On
-
-To configure single sign-on on **YardiOne** side, you need to send the **App Federation Metadata Url** to [YardiOne support team](https://clientcentral.yardi.com/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to YardiOne.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **YardiOne**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to YardiOne.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **YardiOne**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **YardiOne**.
+## Configure YardiOne SSO
- ![The YardiOne link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **YardiOne** side, you need to send the **App Federation Metadata Url** to [YardiOne support team](https://clientcentral.yardi.com/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create YardiOne test user
In this section, a user called Britta Simon is created in YardiOne. YardiOne sup
>[!Note] >If you need to create a user manually, contact [YardiOne support team](https://clientcentral.yardi.com).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the YardiOne tile in the Access Panel, you should be automatically signed in to the YardiOne for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to YardiOne Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to YardiOne Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the YardiOne tile in the My Apps, this will redirect to YardiOne Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure YardiOne you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
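Review bot: the unchanged sentence that opens **Create YardiOne test user** still says "a user called Britta Simon is created in YardiOne", while every other reference in this change renames the test user to B.Simon. That sentence should be updated in the same commit so the tutorial names one user throughout. The My Apps and Cloud App Security links added in **Test SSO** and **Next steps** are absolute `https://docs.microsoft.com/...` URLs where the removed Access Panel line used a relative path.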
advisor Azure Advisor Score https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/azure-advisor-score.md
If you dismiss a recommendation from Advisor, it will be omitted from the calcul
### Why did my score change?
-You score can change if you remediate impacted resources by adopting the best practices that Advisor recommends. If you or anyone with permissions on your subscription has modified or created new resources, you might also see fluctuations in your score. Your score is based on a ratio of the cost-impacted resources relative to the total cost of all resources.
+Your score can change if you remediate impacted resources by adopting the best practices that Advisor recommends. If you or anyone with permissions on your subscription has modified or created new resources, you might also see fluctuations in your score. Your score is based on a ratio of the cost-impacted resources relative to the total cost of all resources.
### How does Advisor calculate the retail cost of resources on a subscription?
aks Csi Secrets Store Driver https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/csi-secrets-store-driver.md
Last updated 03/30/2021-+ # Use the Secrets Store CSI Driver for Kubernetes in an Azure Kubernetes Service (AKS) cluster (preview)
aks Enable Host Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/enable-host-encryption.md
description: Learn how to configure a host-based encryption in an Azure Kubernet
Last updated 03/03/2021 -+
aks Kubernetes Action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-action.md
jobs:
steps: - uses: actions/checkout@main
- # Connect to Azure Container registry (ACR)
+ # Connect to Azure Container Registry (ACR)
- uses: azure/docker-login@v1 with: login-server: ${{ env.REGISTRY_NAME }}.azurecr.io username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }}
- # Container build and push to a Azure Container registry (ACR)
+ # Container build and push to a Azure Container Registry (ACR)
- run: | docker build . -t ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }} docker push ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}
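Review bot: the corrected comment still reads "Container build and push to a Azure Container Registry (ACR)". Since the line is being touched for capitalization anyway, change "a Azure" to "an Azure" in the same edit. The identical comment is repeated in the second workflow in this file.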
jobs:
steps: - uses: actions/checkout@main
- # Connect to Azure Container registry (ACR)
+ # Connect to Azure Container Registry (ACR)
- uses: azure/docker-login@v1 with: login-server: ${{ env.REGISTRY_NAME }}.azurecr.io username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }}
- # Container build and push to a Azure Container registry (ACR)
+ # Container build and push to a Azure Container Registry (ACR)
- run: | docker build . -t ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }} docker push ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}
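Review bot: the steps around these comment fixes reference `actions/checkout@main` and `azure/docker-login@v1`, both mutable refs, in a job that is handed `secrets.REGISTRY_USERNAME` and `secrets.REGISTRY_PASSWORD`. Documentation samples get copied into production pipelines, so it is worth pinning each action to a release tag or a full commit SHA while this file is open, so that a later change to the branch or tag cannot alter what runs with the registry credentials.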
aks Kubernetes Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-service-principal.md
description: Create and manage an Azure Active Directory service principal for a
Last updated 04/22/2021-+ #Customer intent: As a cluster operator, I want to understand how to create a service principal and delegate permissions for AKS to access required resources. In large enterprise environments, the user that deploys the cluster (or CI/CD system), may not have permissions to create this service principal automatically when the cluster is created.
For information on how to update the credentials, see [Update or rotate the cred
<!-- LINKS - internal --> [aad-service-principal]:../active-directory/develop/app-objects-and-service-principals.md [acr-intro]: ../container-registry/container-registry-intro.md
-[az-ad-sp-create]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
+[az-ad-sp-create]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
[az-ad-sp-delete]: /cli/azure/ad/sp#az_ad_sp_delete [azure-load-balancer-overview]: ../load-balancer/load-balancer-overview.md [install-azure-cli]: /cli/azure/install-azure-cli [service-principal]:../active-directory/develop/app-objects-and-service-principals.md [user-defined-routes]: ../load-balancer/load-balancer-overview.md
-[az-ad-app-list]: /cli/azure/ad/app#az-ad-app-list
-[az-ad-app-delete]: /cli/azure/ad/app#az-ad-app-delete
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-update]: /cli/azure/aks#az-aks-update
+[az-ad-app-list]: /cli/azure/ad/app#az_ad_app_list
+[az-ad-app-delete]: /cli/azure/ad/app#az_ad_app_delete
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-update]: /cli/azure/aks#az_aks_update
[rbac-network-contributor]: ../role-based-access-control/built-in-roles.md#network-contributor [rbac-custom-role]: ../role-based-access-control/custom-roles.md [rbac-storage-contributor]: ../role-based-access-control/built-in-roles.md#storage-account-contributor
aks Windows Container Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-container-cli.md
The following example output shows the resource group created successfully:
To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses [Azure CNI][azure-cni-about] (advanced) network plugin. For more detailed information to help plan out the required subnet ranges and network considerations, see [configure Azure CNI networking][use-advanced-networking]. Use the [az aks create][az-aks-create] command to create an AKS cluster named *myAKSCluster*. This command will create the necessary network resources if they don't exist. * The cluster is configured with two nodes.
-* The `--windows-admin-password` and `--windows-admin-username` parameters set the admin credentials for any Windows Server containers created on the cluster and must meet [Windows Server password requirements][windows-server-password]. If you don't specify the *windows-admin-password* parameter, you will be prompted to provide a value.
+* The `--windows-admin-password` and `--windows-admin-username` parameters set the administrator credentials for any Windows Server nodes on the cluster and must meet [Windows Server password requirements][windows-server-password]. If you don't specify the *windows-admin-password* parameter, you will be prompted to provide a value.
* The node pool uses `VirtualMachineScaleSets`. > [!NOTE] > To ensure your cluster to operate reliably, you should run at least 2 (two) nodes in the default node pool.
-Create a username to use as administrator credentials for your Windows Server containers on your cluster. The following commands prompt you for a username and set it WINDOWS_USERNAME for use in a later command (remember that the commands in this article are entered into a BASH shell).
+Create a username to use as administrator credentials for the Windows Server nodes on your cluster. The following commands prompt you for a username and set it WINDOWS_USERNAME for use in a later command (remember that the commands in this article are entered into a BASH shell).
```azurecli-interactive
-echo "Please enter the username to use as administrator credentials for Windows Server containers on your cluster: " && read WINDOWS_USERNAME
+echo "Please enter the username to use as administrator credentials for Windows Server nodes on your cluster: " && read WINDOWS_USERNAME
```
-Create your cluster ensuring you specify `--windows-admin-username` parameter. The following example command creates a cluster using the value from *WINDOWS_USERNAME* you set in the previous command. Alternatively you can provide a different username directly in the parameter instead of using *WINDOWS_USERNAME*. The following command will also prompt you to create a password for the administrator credentials for your Windows Server Containers on your cluster. Alternatively, you can use the *windows-admin-password* parameter and specify your own value there.
+Create your cluster ensuring you specify `--windows-admin-username` parameter. The following example command creates a cluster using the value from *WINDOWS_USERNAME* you set in the previous command. Alternatively you can provide a different username directly in the parameter instead of using *WINDOWS_USERNAME*. The following command will also prompt you to create a password for the administrator credentials for the Windows Server nodes on your cluster. Alternatively, you can use the *windows-admin-password* parameter and specify your own value there.
```azurecli-interactive az aks create \
az aks create \
> [!NOTE] > If you get a password validation error, verify the password you set meets the [Windows Server password requirements][windows-server-password]. If your password meets the requirements, try creating your resource group in another region. Then try creating the cluster with the new resource group.
+>
+> If you do not specify an administrator username and password when setting `--vm-set-type VirtualMachineScaleSets` and `--network-plugin azure`, the username is set to *azureuser* and the password is set to a random value.
+>
+> The administrator username can't be changed, but you can change the administrator password your AKS cluster uses for Windows Server nodes using `az aks update`. For more details, see [Windows Server node pools FAQ][win-faq-change-admin-creds].
After a few minutes, the command completes and returns JSON-formatted information about the cluster. Occasionally the cluster can take longer than a few minutes to provision. Allow up to 10 minutes in these cases.
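Review bot: The added note and the bullet earlier in this hunk describe two different outcomes for a missing password without saying when each applies. The bullet says that omitting *windows-admin-password* makes the command prompt for a value, while the note says that omitting the administrator username and password with `--vm-set-type VirtualMachineScaleSets` and `--network-plugin azure` sets the username to *azureuser* and the password to a random value. Spell out that the prompt applies when a username is supplied without a password (if that is the intended reading). Also mention here that a password changed later with `az aks update` must be at least 14 characters, as the linked FAQ entry states.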
To learn more about AKS, and walk through a complete code to deployment example,
[use-advanced-networking]: configure-azure-cni.md [aks-support-policies]: support-policies.md [aks-faq]: faq.md
-[az-extension-add]: /cli/azure/extension#az_extension_add
-[az-extension-update]: /cli/azure/extension#az_extension_update
-[windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
+[az-extension-add]: /cli/azure/extension#az-extension-add
+[az-extension-update]: /cli/azure/extension#az-extension-update
+[windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
+[win-faq-change-admin-creds]: windows-faq.md#how-do-i-change-the-administrator-password-for-windows-server-nodes-on-my-cluster
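Review bot: The `az-extension-add` and `az-extension-update` references move from underscore anchors (`#az_extension_add`) to hyphen anchors (`#az-extension-add`), the opposite direction from the kubernetes-service-principal.md change in this same update, which moves `az-ad-sp-create`, `az-aks-create` and others from hyphens to underscores. Only one form can match the anchors on the CLI reference pages; confirm which one resolves and use it in both files. The `windows-server-password` line is removed and re-added with identical visible text, so that part looks like a whitespace-only change.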
aks Windows Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-faq.md
Windows node pools do not support service principal rotation. To update the serv
Instead, use managed identities, which are essentially wrappers around service principals. For more information, see [Use managed identities in Azure Kubernetes Service][managed-identity].
+## How do I change the administrator password for Windows Server nodes on my cluster?
+
+When you create your AKS cluster, you specify the `--windows-admin-password` and `--windows-admin-username` parameters to set the administrator credentials for any Windows Server nodes on the cluster. If you did not specify administrator credentials, such as when creating a cluster using the Azure Portal or when setting `--vm-set-type VirtualMachineScaleSets` and `--network-plugin azure` using the Azure CLI, the username defaults to *azureuser* and a randomized password.
+
+To change the administrator password, use the `az aks update` command:
+
+```azurecli
+az aks update \
+ --resource-group $RESOURCE_GROUP \
+ --name $CLUSTER_NAME \
+ --windows-admin-password $NEW_PW
+```
+
+> [!IMPORTANT]
+> Performing this operation upgrades all Windows Server node pools. Linux node pools are not affected.
+>
+> When changing `--windows-admin-password`, the new password must be at least 14 characters and meet [Windows Server password requirements][windows-server-password].
+ ## How many node pools can I create? The AKS cluster can have a maximum of 10 node pools. You can have a maximum of 1000 nodes across those node pools. [Node pool limitations][nodepool-limitations].
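Review bot: In the added `az aks update` example, `--windows-admin-password $NEW_PW` expands the variable unquoted, so in a Bash shell a password containing spaces or glob characters is word-split or expanded before the CLI receives it; write `--windows-admin-password "$NEW_PW"` and quote `$RESOURCE_GROUP` and `$CLUSTER_NAME` the same way. In the first added paragraph, "the username defaults to *azureuser* and a randomized password" reads as if the username defaults to both values; the wording used in windows-container-cli.md ("the username is set to *azureuser* and the password is set to a random value") is clearer and would keep the two articles consistent.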
To get started with Windows Server containers in AKS, [create a node pool that r
[managed-identity]: use-managed-identity.md [hybrid-vms]: ../virtual-machines/windows/hybrid-use-benefit-licensing.md [resource-groups]: faq.md#why-are-two-resource-groups-created-with-aks
-[dsr]: ../load-balancer/load-balancer-multivip-overview.md#rule-type-2-backend-port-reuse-by-using-floating-ip
+[dsr]: ../load-balancer/load-balancer-multivip-overview.md#rule-type-2-backend-port-reuse-by-using-floating-ip
+[windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
api-management Api Management Using With Internal Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-using-with-internal-vnet.md
editor: ''
Last updated 04/12/2021-+
To perform the steps described in this article, you must have:
[!INCLUDE [api-management-public-ip-for-vnet](../../includes/api-management-public-ip-for-vnet.md)]
-When an API Management service is deployed in a virtual network, a [list of ports](./api-management-using-with-vnet.md#required-ports) are used and need to be opened.
+When an API Management service is deployed in a virtual network, a [list of ports](./api-management-using-with-vnet.md#required-ports) are used and need to be opened.
## <a name="enable-vpn"> </a>Creating an API Management in an internal virtual network The API Management service in an internal virtual network is hosted behind an internal load balancer Basic SKU if the service is created with client API version 2020-12-01. For service created with clients having API version 2021-01-01-preview and having a public IP address from the customer's subscription, it is hosted behind an internal load balancer Standard SKU. For more information, see [Azure Load Balancer SKUs](../load-balancer/skus.md).
You can also enable virtual network connectivity by using the following methods.
### API version 2020-12-01
-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/201-api-management-create-with-internal-vnet)
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet)
- [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-internal-vnet%2Fazuredeploy.json)
+ [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-internal-vnet%2Fazuredeploy.json)
* Azure PowerShell cmdlets - [Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a virtual network
If you use a custom DNS server in a virtual network, you can also create A DNS r
### Access on custom domain names
-1. If you donΓÇÖt want to access the API Management service with the default host names, you can set up custom domain names for all your service endpoints as shown in the following image:
+1. If you don't want to access the API Management service with the default host names, you can set up custom domain names for all your service endpoints as shown in the following image:
![Setting up a custom domain for API Management][api-management-custom-domain-name]
To learn more, see the following articles:
* [Virtual network FAQs](../virtual-network/virtual-networks-faq.md) * [Creating a record in DNS](/previous-versions/windows/it-pro/windows-2000-server/bb727018(v=technet.10))
-[api-management-using-internal-vnet-menu]: ./media/api-management-using-with-internal-vnet/api-management-using-with-internal-vnet.png
-[api-management-internal-vnet-dashboard]: ./media/api-management-using-with-internal-vnet/api-management-internal-vnet-dashboard.png
-[api-management-custom-domain-name]: ./media/api-management-using-with-internal-vnet/api-management-custom-domain-name.png
+[api-management-using-internal-vnet-menu]: ./media/api-management-using-with-internal-vnet/updated-api-management-using-with-internal-vnet.png
+[api-management-internal-vnet-dashboard]: ./media/api-management-using-with-internal-vnet/updated-api-management-internal-vnet-dashboard.png
+[api-management-custom-domain-name]: ./media/api-management-using-with-internal-vnet/updated-api-management-custom-domain-name.png
[Create API Management service]: get-started-create-service-instance.md [Common network configuration problems]: api-management-using-with-vnet.md#network-configuration-issues
api-management Api Management Using With Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-using-with-vnet.md
To perform the steps described in this article, you must have:
1. Configure the API Management instance to be deployed inside a Virtual network. :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select virtual network in Azure portal.":::
-
+ 1. Select the desired access type: * **Off**: This is the default. API Management is not deployed into a virtual network.
To perform the steps described in this article, you must have:
> [!IMPORTANT] > * When your client uses **API version 2020-12-01 or earlier** to deploy an Azure API Management instance in a Resource Manager VNET, the service must be in a dedicated subnet that contains no resources except Azure API Management instances. If an attempt is made to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources, the deployment will fail.
- > * When your client uses **API version 2021-01-01-preview or later** to deploy an Azure API Management instance in a virtual network, only a Resource Manager virtual network is supported. Additionally, the subnet used may contain other resources. You don't have to use a subnet dedicated to API Management instances.
+ > * When your client uses **API version 2021-01-01-preview or later** to deploy an Azure API Management instance in a virtual network, only a Resource Manager virtual network is supported. Additionally, the subnet used may contain other resources. You don't have to use a subnet dedicated to API Management instances.
1. Select **Apply**. The **Virtual network** page of your API Management instance is updated with your new virtual network and subnet choices.
You can also enable virtual network connectivity by using the following methods.
### API version 2020-12-01
-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/201-api-management-create-with-external-vnet)
-
- [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-api-management-create-with-external-vnet%2Fazuredeploy.json)
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet)
+
+ [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet%2Fazuredeploy.json)
* Azure PowerShell cmdlets - [Create](/powershell/module/az.apimanagement/new-azapimanagement) or [update](/powershell/module/az.apimanagement/update-azapimanagementregion) an API Management instance in a virtual network
When an API Management service instance is hosted in a VNET, the ports in the fo
+ **Azure Load Balancer**: Allowing Inbound request from Service Tag `AZURE_LOAD_BALANCER` is not a requirement for the `Developer` SKU, since we only deploy one unit of Compute behind it. But Inbound from [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md) becomes critical when scaling to higher SKU like `Premium`, as failure of Health Probe from Load Balancer, fails a deployment.
-+ **Application Insights**: If [Azure Application Insights](api-management-howto-app-insights.md) monitoring is enabled on API Management, then we need to allow outbound connectivity to the [Telemetry endpoint](../azure-monitor/app/ip-addresses.md#outgoing-ports) from the Virtual Network.
++ **Application Insights**: If [Azure Application Insights](api-management-howto-app-insights.md) monitoring is enabled on API Management, then we need to allow outbound connectivity to the [Telemetry endpoint](../azure-monitor/app/ip-addresses.md#outgoing-ports) from the Virtual Network. + **Force Tunneling Traffic to On-premises Firewall Using Express Route or Network Virtual Appliance**: A common customer configuration is to define their own default route (0.0.0.0/0) which forces all traffic from the API Management delegated subnet to flow through an on-premises firewall or to a Network virtual appliance. This traffic flow invariably breaks connectivity with Azure API Management because the outbound traffic is either blocked on-premises, or NAT'd to an unrecognizable set of addresses that no longer work with various Azure endpoints. The solution requires you to do a couple of things: * Enable service endpoints on the subnet in which the API Management service is deployed. [Service Endpoints][ServiceEndpoints] need to be enabled for Azure Sql, Azure Storage, Azure EventHub and Azure ServiceBus. Enabling endpoints directly from API Management delegated subnet to these services allows them to use the Microsoft Azure backbone network providing optimal routing for service traffic. If you use Service Endpoints with a forced tunneled Api Management, the above Azure services traffic isn't forced tunneled. The other API Management service dependency traffic is forced tunneled and can't be lost or the API Management service would not function properly.
-
+ * All the control plane traffic from Internet to the management endpoint of your API Management service are routed through a specific set of Inbound IPs hosted by API Management. When the traffic is force tunneled the responses will not symmetrically map back to these Inbound source IPs. To overcome the limitation, we need to add the following user-defined routes ([UDRs][UDRs]) to steer traffic back to Azure by setting the destination of these host routes to "Internet". The set of Inbound IPs for control Plane traffic is documented [Control Plane IP Addresses](#control-plane-ips) * For other API Management service dependencies which are force tunneled, there should be a way to resolve the hostname and reach out to the endpoint. These include
api-management How To Configure Local Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-configure-local-metrics-logs.md
na Previously updated : 02/01/2021 Last updated : 05/11/2021
spec:
spec: containers: - name: sputnik-metrics-statsd
- image: mcr.microsoft.com/aks/hcp/prom/statsd-exporter
+ image: prom/statsd-exporter
ports: - name: tcp containerPort: 9102
spec:
- mountPath: /tmp name: sputnik-metrics-config-files - name: sputnik-metrics-prometheus
- image: mcr.microsoft.com/oss/prometheus/prometheus
+ image: prom/prometheus
ports: - name: tcp containerPort: 9090
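Review bot: Both replaced image references, `prom/statsd-exporter` and `prom/prometheus`, carry no tag or digest, so the deployment pulls whatever `latest` resolves to when the pod is scheduled, and the change also moves them from the fully qualified `mcr.microsoft.com` registry to an unqualified name that resolves through the container runtime's default registry. Pin each image to a specific version tag, or better a `@sha256:` digest, and consider writing the registry host out in full so the source of each image is explicit in the manifest.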
app-service App Service Web Tutorial Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-rest-api.md
ms.assetid: a820e400-06af-4852-8627-12b3db4a8e70
ms.devlang: dotnet Last updated 04/28/2020-+ # Tutorial: Host a RESTful API with CORS in Azure App Service
app-service Configure Custom Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-custom-container.md
description: Learn how to configure a custom container in Azure App Service. Thi
Last updated 02/23/2021 -+ zone_pivot_groups: app-service-containers-windows-linux
Multi-container is currently in preview. The following App Service platform feat
- Authentication / Authorization - Managed Identities - CORS
+- VNET integration is not supported for Docker Compose scenarios
### Docker Compose options
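Review bot: The added bullet "VNET integration is not supported for Docker Compose scenarios" is a full sentence in a list whose other items are bare feature names (Authentication / Authorization, Managed Identities, CORS), and it restates the "not supported" condition inside the item while narrowing it to Docker Compose. Either reduce it to "VNET integration" to match the other items, or, if the restriction really is narrower than theirs, move it out of the list into its own sentence.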
app-service Monitor Instances Health Check https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/monitor-instances-health-check.md
After providing your application's Health check path, you can monitor the health
Health check should not be enabled on Premium Functions sites. Due to the rapid scaling of Premium Functions, the health check requests can cause unnecessary fluctuations in HTTP traffic. Premium Functions have their own internal health probes that are used to inform scaling decisions. ## Next steps-- [Create an Activity Log Alert to monitor all Autoscale engine operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-alert)-- [Create an Activity Log Alert to monitor all failed Autoscale scale-in/scale-out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-failed-alert)
+- [Create an Activity Log Alert to monitor all Autoscale engine operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-alert)
+- [Create an Activity Log Alert to monitor all failed Autoscale scale-in/scale-out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-failed-alert)
[1]: ./media/app-service-monitor-instances-health-check/health-check-success-diagram.png [2]: ./media/app-service-monitor-instances-health-check/health-check-failure-diagram.png
app-service Quickstart Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-java.md
The deployment process to Azure App Service will use your Azure credentials from
Run the Maven command below to configure the deployment. This command will help you to set up the App Service operating system, Java version, and Tomcat version. ```bash
-mvn com.microsoft.azure:azure-webapp-maven-plugin:1.12.0:config
+mvn com.microsoft.azure:azure-webapp-maven-plugin:1.14.0:config
``` ::: zone pivot="platform-windows"
app-service Samples Resource Manager Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/samples-resource-manager-templates.md
To learn about the JSON syntax and properties for App Services resources, see [M
| Deploying an app | Description | |-|-|
-| [App Service plan and basic Linux app](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-basic-linux) | Deploys an App Service app that is configured for Linux. |
-| [App Service plan and basic Windows app](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-basic-windows) | Deploys an App Service app that is configured for Windows. |
-| [App linked to a GitHub repository](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-github-deploy)| Deploys an App Service app that pulls code from GitHub. |
-| [App with custom deployment slots](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-custom-deployment-slots)| Deploys an App Service app with custom deployment slots/environments. |
+| [App Service plan and basic Linux app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-linux) | Deploys an App Service app that is configured for Linux. |
+| [App Service plan and basic Windows app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-windows) | Deploys an App Service app that is configured for Windows. |
+| [App linked to a GitHub repository](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-github-deploy)| Deploys an App Service app that pulls code from GitHub. |
+| [App with custom deployment slots](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-custom-deployment-slots)| Deploys an App Service app with custom deployment slots/environments. |
| [App with Private Endpoint](https://github.com/Azure/azure-quickstart-templates/tree/master/101-private-endpoint-webapp)| Deploys an App Service app with a Private Endpoint. | |**Configuring an app**| **Description** | | [App certificate from Key Vault](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault)| Deploys an App Service app certificate from an Azure Key Vault secret and uses it for TLS/SSL binding. |
To learn about the JSON syntax and properties for App Services resources, see [M
|**Protecting an app**| **Description** | | [App integrated with Azure Application Gateway](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-with-app-gateway-v2)| Deploys an App Service app and an Application Gateway, and isolates the traffic using service endpoint and access restrictions. | |**Linux app with connected resources**| **Description** |
-| [App on Linux with MySQL](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-linux-managed-mysql) | Deploys an App Service app on Linux with Azure Database for MySQL. |
-| [App on Linux with PostgreSQL](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-linux-managed-postgresql) | Deploys an App Service app on Linux with Azure Database for PostgreSQL. |
+| [App on Linux with MySQL](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-linux-managed-mysql) | Deploys an App Service app on Linux with Azure Database for MySQL. |
+| [App on Linux with PostgreSQL](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-linux-managed-postgresql) | Deploys an App Service app on Linux with Azure Database for PostgreSQL. |
|**App with connected resources**| **Description** | | [App with MySQL](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-managed-mysql)| Deploys an App Service app on Windows with Azure Database for MySQL. |
-| [App with PostgreSQL](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-managed-postgresql)| Deploys an App Service app on Windows with Azure Database for PostgreSQL. |
-| [App with a database in Azure SQL Database](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-sql-database)| Deploys an App Service app and a database in Azure SQL Database at the Basic service level. |
+| [App with PostgreSQL](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-managed-postgresql)| Deploys an App Service app on Windows with Azure Database for PostgreSQL. |
+| [App with a database in Azure SQL Database](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-sql-database)| Deploys an App Service app and a database in Azure SQL Database at the Basic service level. |
| [App with a Blob storage connection](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-blob-connection)| Deploys an App Service app with an Azure Blob storage connection string. You can then use Blob storage from the app. | | [App with an Azure Cache for Redis](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-with-redis-cache)| Deploys an App Service app with an Azure Cache for Redis. | | [App connected to a backend webapp](https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-privateendpoint-vnet-injection)| Deploys two web apps (frontend and backend) securely connected together with VNet injection and Private Endpoint. | |**App Service Environment**| **Description** |
-| [Create an App Service environment v2](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-asev2-create) | Creates an App Service environment v2 in your virtual network. |
-| [Create an App Service environment v2 with an ILB address](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-asev2-ilb-create/) | Creates an App Service environment v2 in your virtual network with a private internal load balancer address. |
+| [Create an App Service environment v2](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-asev2-create) | Creates an App Service environment v2 in your virtual network. |
+| [Create an App Service environment v2 with an ILB address](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-asev2-ilb-create) | Creates an App Service environment v2 in your virtual network with a private internal load balancer address. |
| [Configure the default SSL certificate for an ILB App Service environment or an ILB App Service environment v2](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-ase-ilb-configure-default-ssl) | Configures the default TLS/SSL certificate for an ILB App Service environment or an ILB App Service environment v2. | | | |
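Review bot: The table is only partly migrated to the `quickstarts/microsoft.web/` layout: rows such as "App with Private Endpoint" (`101-private-endpoint-webapp`), "App certificate from Key Vault" (`201-web-app-certificate-from-key-vault`), "App with MySQL" (`101-webapp-managed-mysql`), "App with a Blob storage connection" (`201-web-app-blob-connection`) and the ILB default SSL certificate row (`201-web-app-ase-ilb-configure-default-ssl`) still point at the old top-level `101-`/`201-` folders. Check whether those templates have moved as well and update them in the same change, so the table does not mix current and stale links.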
app-service Cli Linux Acr Aspnetcore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-linux-acr-aspnetcore.md
ms.devlang: azurecli
Last updated 12/13/2018 -+ # Create an ASP.NET Core app in a Docker container in App Service from Azure Container Registry
app-service Tutorial Java Spring Cosmosdb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-java-spring-cosmosdb.md
Open the `pom.xml` file in the `initial/spring-boot-todo` directory and add the
<plugin> <groupId>com.microsoft.azure</groupId> <artifactId>azure-webapp-maven-plugin</artifactId>
- <version>1.13.0</version>
+ <version>1.14.0</version>
<configuration> <schemaVersion>v2</schemaVersion>
bash-3.2$ mvn azure-webapp:deploy
[INFO] Building spring-todo-app 2.0-SNAPSHOT [INFO] [INFO]
-[INFO] azure-webapp-maven-plugin:1.11.0:deploy (default-cli) @ spring-todo-app
+[INFO] azure-webapp-maven-plugin:1.14.0:deploy (default-cli) @ spring-todo-app
[INFO] Auth Type : AZURE_CLI, Auth Files : [C:\Users\testuser\.azure\azureProfile.json, C:\Users\testuser\.azure\accessTokens.json] [INFO] Subscription : xxxxxxxxx [INFO] Target Web App doesn't exist. Creating a new one...
application-gateway Application Gateway Backend Health Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-backend-health-troubleshooting.md
-Troubleshoot backend health issues in Application Gateway
-==================================================
+# Troubleshoot backend health issues in Application Gateway
+
+## Overview
-Overview
By default, Azure Application Gateway probes backend servers to check their health status and to check whether they're ready to serve requests. Users can also create custom probes to mention the host name, the path to be probed, and the status codes to be accepted as Healthy. In each case, if the backend server doesn't respond successfully, Application Gateway marks the server as Unhealthy and stops forwarding requests to the server. After the server starts responding successfully, Application Gateway resumes forwarding the requests.
to that server. But if the backend
health for all the servers in a backend pool is Unhealthy or unknown, you might encounter problems when you try to access applications. This article describes the symptoms, cause, and resolution for each of the errors shown.
-Backend health status: Unhealthy
--
+## Backend health status: Unhealthy
If the backend health status is Unhealthy, the portal view will resemble the following screenshot:
BackendAddressPoolsText : [
} ] ```+ After you receive an Unhealthy backend server status for all the servers in a backend pool, requests aren't forwarded to the servers, and Application Gateway returns a "502 Bad Gateway" error to the requesting client. To troubleshoot this issue, check the **Details** column on the **Backend Health** tab. The message displayed in the **Details** column provides more detailed insights about the issue, and based on those, you can start troubleshooting the issue.
The message displayed in the **Details** column provides more detailed insights
> The default probe request is sent in the format of \<protocol\>://127.0.0.1:\<port\>/. For example, http://127.0.0.1:80 for an http probe on port 80. Only HTTP status codes of 200 through 399 are considered healthy. The protocol and destination port are inherited from the HTTP settings. If you want Application Gateway to probe on a different protocol, host name, or path and to recognize a different status code as Healthy, configure a custom probe and associate it with the HTTP settings.
-Error messages
-
-#### Backend server timeout
+## Error messages
++
+### Backend server timeout
**Message:** Time taken by the backend to respond to application gateway\'s health probe is more than the timeout threshold in the probe setting.
To increase the timeout value, follow these steps:
1. Save the custom probe settings and check whether the backend health shows as Healthy now.
-#### DNS resolution error
+### DNS resolution error
**Message:** Application Gateway could not create a probe for this backend. This usually happens when the FQDN of the backend has not been
this message is displayed, it suggests that Application Gateway couldn't success
[start](/powershell/module/azurerm.network/start-azurermapplicationgateway) by using the PowerShell commands described in these linked resources.
-#### TCP connect error
+### TCP connect error
**Message:** Application Gateway could not connect to the backend. Please check that the backend responds on the port used for the probe.
Or, if you think the response is legitimate and you want Application Gateway to
To create a custom probe, follow [these steps](./application-gateway-create-probe-portal.md).
-#### HTTP response body mismatch
+### HTTP response body mismatch
**Message:** Body of the backend\'s HTTP response did not match the probe setting. Received response body does not contain {string}.
Learn more about [Application Gateway probe matching](./application-gateway-prob
> For all TLS related error messages, to learn more about SNI behavior and differences between the v1 and v2 SKU, check the [TLS overview](ssl-overview.md) page.
-#### Backend server certificate invalid CA
+### Backend server certificate invalid CA
**Message:** The server certificate used by the backend is not signed by a well-known Certificate Authority (CA). Allow the backend on the Application Gateway by uploading the root certificate of the server certificate used by the backend.
Alternatively, you can export the root certificate from a client machine by dire
For more information about how to extract and upload Trusted Root Certificates in Application Gateway, see [Export trusted root certificate (for v2 SKU)](./certificates-for-backend-authentication.md#export-trusted-root-certificate-for-v2-sku).
-#### Trusted root certificate mismatch
+### Trusted root certificate mismatch
**Message:** The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the
Follow steps 1-11 in the preceding method to upload the correct trusted root cer
For more information about how to extract and upload Trusted Root Certificates in Application Gateway, see [Export trusted root certificate (for v2 SKU)](./certificates-for-backend-authentication.md#export-trusted-root-certificate-for-v2-sku).+ > [!NOTE] > This error can also occur if the backend server doesn't exchange the complete chain of the cert, including the Root > Intermediate (if applicable) > Leaf during the TLS handshake. To verify, you can use OpenSSL commands from any client and connect to the backend server by using the configured settings in the Application Gateway probe.
For example:
``` OpenSSL> s_client -connect 10.0.0.4:443 -servername www.example.com -showcerts ```+ If the output doesn't show the complete chain of the certificate being returned, export the certificate again with the complete chain, including the root certificate. Configure that certificate on your backend server. ```
If the output doesn't show the complete chain of the certificate being returned,
\--END CERTIFICATE-- ```
-#### Backend certificate invalid common name (CN)
+### Backend certificate invalid common name (CN)
**Message:** The Common Name (CN) of the backend certificate does not match the host header of the probe.
For Linux using OpenSSL:
2. From the properties displayed, find the CN of the certificate and enter the same in the host name field of the http settings. If that's not the desired host name for your website, you must get a certificate for that domain or enter the correct host name in the custom probe or HTTP setting configuration.
-#### Backend certificate is invalid
+### Backend certificate is invalid
**Message:** Backend certificate is invalid. Current date is not within the \"Valid from\" and \"Valid to\" date range on the certificate.
certificate. If it's a self-signed certificate, you must generate a valid certif
1. Remove the old certificate by using the **Delete** icon next to the certificate, and then select **Save**.
-#### Certificate verification failed
+### Certificate verification failed
**Message:** The validity of the backend certificate could not be verified. To find out the reason, check OpenSSL diagnostics for the
message associated with error code {errorCode}
**Solution:** To resolve this issue, verify that the certificate on your server was created properly. For example, you can use [OpenSSL](https://www.openssl.org/docs/man1.0.2/man1/verify.html) to verify the certificate and its properties and then try reuploading the certificate to the Application Gateway HTTP settings.
-Backend health status: unknown
--
+## Backend health status: unknown
+ If the backend health is shown as Unknown, the portal view will resemble the following screenshot: ![Application Gateway backend health - Unknown](./media/application-gateway-backend-health-troubleshooting/appgwunknown.png)
This behavior can occur for one or more of the following reasons:
1. To verify that Application Gateway is healthy and running, go to the **Resource Health** option in the portal and verify that the state is **Healthy**. If you see an **Unhealthy** or **Degraded** state, [contact support](https://azure.microsoft.com/support/options/).
-Next steps
--
+## Next steps
Learn more about [Application Gateway diagnostics and logging](./application-gateway-diagnostics.md).
attestation Quickstart Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/quickstart-template.md
Previously updated : 10/16/2020 Last updated : 05/20/2021 # Quickstart: Create an Azure Attestation provider with an ARM template
Last updated 10/16/2020
If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.
-[![Deploy To Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-attestation-provider-create%2Fazuredeploy.json)
+[![Deploy To Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.attestation%2Fattestation-provider-create%2Fazuredeploy.json)
## Prerequisites
If you don't have an Azure subscription, create a [free account](https://azure.m
The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-attestation-provider-create). Azure resources defined in the template:
Azure resources defined in the template:
1. Select the following image to sign in to Azure and open the template.
- [![Deploy To Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-attestation-provider-create%2Fazuredeploy.json)
+ [![Deploy To Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.attestation%2Fattestation-provider-create%2Fazuredeploy.json)
1. Select or enter the following values.
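Review bot: Both **Deploy To Azure** buttons now point at `quickstarts/microsoft.attestation/attestation-provider-create`, but the unchanged "Azure Quickstart Templates" gallery link in the same article still uses the old `101-attestation-provider-create` slug. Confirm that link still resolves after the template move and, if it does not, update it in this change.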
automanage Repair Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/repair-automanage-account.md
Last updated 11/05/2020 -+ # Repair an Automanage Account
automation Automation Dsc Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-dsc-getting-started.md
This article provides a step-by-step guide for doing the most common tasks with Azure Automation State Configuration, such as creating, importing, and compiling configurations, enabling machines to manage, and viewing reports. For an overview State Configuration, see [State Configuration overview](automation-dsc-overview.md). For Desired State Configuration (DSC) documentation, see [Windows PowerShell Desired State Configuration Overview](/powershell/scripting/dsc/overview/overview). If you want a sample environment that is already set up without following the steps described in this
-article, you can use the [Azure Automation Managed Node template](https://github.com/Azure/azure-quickstart-templates/tree/master/101-automation-configuration). This template sets up a complete State Configuration (DSC) environment, including an Azure VM that is managed by State Configuration (DSC).
+article, you can use the [Azure Automation Managed Node template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.automation/automation-configuration). This template sets up a complete State Configuration (DSC) environment, including an Azure VM that is managed by State Configuration (DSC).
## Prerequisites
automation Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/overview.md
Machines connected to the Log Analytics workspace use the [Log Analytics agent](
> [!NOTE] > Change Tracking and Inventory requires linking a Log Analytics workspace to your Automation account. For a definitive list of supported regions, see [Azure Workspace mappings](../how-to/region-mappings.md). The region mappings don't affect the ability to manage VMs in a separate region from your Automation account.
-As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Azure Lighthouse allows you to perform operations at scale across several Azure Active Directory (Azure AD) tenants at once, making management tasks like Change Tracking and Inventory more efficient across those tenants you're responsible for. Change Tracking and Inventory can manage machines in multiple subscriptions in the same tenant, or across tenants using [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md).
+As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Azure Lighthouse allows you to perform operations at scale across several Azure Active Directory (Azure AD) tenants at once, making management tasks like Change Tracking and Inventory more efficient across those tenants you're responsible for. Change Tracking and Inventory can manage machines in multiple subscriptions in the same tenant, or across tenants using [Azure delegated resource management](../../lighthouse/concepts/architecture.md).
## Current limitations
automation Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/overview.md
The following diagram illustrates how Update Management assesses and applies sec
![Update Management workflow](./media/overview/update-mgmt-updateworkflow.png)
-Update Management can be used to natively deploy to machines in multiple subscriptions in the same tenant, or across tenants using [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md).
+Update Management can be used to natively deploy to machines in multiple subscriptions in the same tenant, or across tenants using [Azure Lighthouse](../../lighthouse/overview.md).
After a package is released, it takes 2 to 3 hours for the patch to show up for Linux machines for assessment. For Windows machines, it takes 12 to 15 hours for the patch to show up for assessment after it's been released. When a machine completes a scan for update compliance, the agent forwards the information in bulk to Azure Monitor logs. On a Windows machine, the compliance scan is run every 12 hours by default. For a Linux machine, the compliance scan is performed every hour by default. If the Log Analytics agent is restarted, a compliance scan is started within 15 minutes.
azure-arc Configure Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/configure-managed-instance.md
description: Configure Azure Arc enabled SQL managed instance
--++ Last updated 09/22/2020
azure-arc Connect Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/connect-managed-instance.md
description: Connect to Azure Arc enabled SQL Managed Instance
--++ Last updated 09/22/2020
azure-arc Create Sql Managed Instance Azure Data Studio https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-sql-managed-instance-azure-data-studio.md
Title: Create Azure SQL managed instance using Azure Data Studio
-description: Create Azure SQL managed instance using Azure Data Studio
+ Title: Create Azure SQL Managed Instance using Azure Data Studio
+description: Create Azure SQL Managed Instance using Azure Data Studio
--++ Last updated 09/22/2020
-# Create SQL managed instance - Azure Arc using Azure Data Studio
+# Create SQL Managed iInstance - Azure Arc using Azure Data Studio
-This document walks you through the steps for installing Azure SQL managed instance - Azure Arc using Azure Data Studio
+This document walks you through the steps for installing Azure SQL Managed Instance - Azure Arc using Azure Data Studio
[!INCLUDE [azure-arc-common-prerequisites](../../../includes/azure-arc-common-prerequisites.md)]
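Review bot: The new H1 reads "Create SQL Managed iInstance", with a stray "i" before "Instance". It should be "Create SQL Managed Instance - Azure Arc using Azure Data Studio", matching the capitalization applied to the other headings in this change.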
Namespace: arc
Logged in successfully to `https://10.0.0.4:30080` in namespace `arc`. Setting active context to `arc` ```
-## Create Azure SQL managed instance on Azure Arc
+## Create Azure SQL Managed Instance on Azure Arc
- Launch Azure Data Studio - On the Connections tab, Click on the three dots on the top left and choose "New Deployment"-- From the deployment options, select **Azure SQL managed instance - Azure Arc**
+- From the deployment options, select **Azure SQL Managed Instance - Azure Arc**
> [!NOTE] > You may be prompted to install the [!INCLUDE [azure-data-cli-azdata](../../../includes/azure-data-cli-azdata.md)] here if it is not currently installed. - Accept the Privacy and license terms and click **Select** at the bottom -- In the Deploy Azure SQL managed instance - Azure Arc blade, enter the following information:
+- In the Deploy Azure SQL Managed Instance - Azure Arc blade, enter the following information:
- Enter a name for the SQL Server instance - Enter and confirm a password for the SQL Server instance - Select the storage class as appropriate for data
Logged in successfully to `https://10.0.0.4:30080` in namespace `arc`. Setting a
- Click the **Deploy** button -- This should initiate the creation of the Azure SQL managed instance - Azure Arc on the data controller.
+- This should initiate the creation of the Azure SQL Managed Instance - Azure Arc on the data controller.
- In a few minutes, your creation should successfully complete
-## Connect to Azure SQL managed instance - Azure Arc from Azure Data Studio
+## Connect to Azure SQL Managed Instance - Azure Arc from Azure Data Studio
- Log in to the Azure Arc data controller, by providing the namespace, username and password for the data controller: ```console azdata login ``` -- View all the Azure SQL managed instances provisioned, using the following commands:
+- View all the Azure SQL Managed Instances provisioned, using the following commands:
```console azdata arc sql mi list
sqlinstance1 1/1 25.51.65.109:1433 Ready
- Enter the password for the `sa` account - Optionally, enter the specific database name to connect to - Optionally, select/Add New Server Group as appropriate-- Select **Connect** to connect to the Azure SQL managed instance - Azure Arc
+- Select **Connect** to connect to the Azure SQL Managed Instance - Azure Arc
azure-arc Create Sql Managed Instance Using Kubernetes Native Tools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-sql-managed-instance-using-kubernetes-native-tools.md
description: Create a SQL managed instance using Kubernetes tools
--++ Last updated 02/11/2021
azure-arc Create Sql Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-sql-managed-instance.md
description: Create an Azure SQL managed instance on Azure Arc
--++ Last updated 09/22/2020
azure-arc Delete Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/delete-managed-instance.md
description: Delete Azure Arc enabled SQL Managed Instance
--++ Last updated 09/22/2020
azure-arc Managed Instance Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-features.md
description: Features and Capabilities of Azure Arc enabled SQL Managed Instance
--++ Last updated 09/22/2020
azure-arc Managed Instance High Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-high-availability.md
Title: Azure Arc enabled Managed Instance high availability description: Learn how to deploy Azure Arc enabled Managed Instance with high availability.--++ Last updated 03/02/2021
azure-arc Managed Instance Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-overview.md
description: Azure Arc enabled SQL Managed Instance Overview
--++ Last updated 03/02/2021
azure-arc Migrate To Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/migrate-to-managed-instance.md
description: Migrate database from SQL Server to Azure Arc enabled SQL Managed I
--++ Last updated 09/22/2020
azure-arc Quickstart Connect Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/quickstart-connect-cluster.md
Title: 'Quickstart: Connect an existing Kubernetes cluster to Azure Arc' description: "In this quickstart, learn how to connect an Azure Arc enabled Kubernetes cluster." --++ Last updated 03/03/2021
azure-australia Gateway Log Audit Visibility https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-australia/gateway-log-audit-visibility.md
Azure Alerts can be used to notify support and security personnel in response to
||| |Overview of Alerts in Microsoft Azure|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-overview-alerts](../azure-monitor/alerts/alerts-overview.md)| |Managing and responding to security alerts in Azure Security Center|[https://docs.microsoft.com/azure/security-center/security-center-managing-and-responding-alerts](../security-center/security-center-managing-and-responding-alerts.md)|
-|Respond to events with Azure Monitor Alerts|[https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-response](../azure-monitor/alerts/tutorial-response.md)|
+|Azure Monitor Log Alerts|[https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-response](../azure-monitor/alerts/alerts-log.md)|
| ### Azure Automation
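Review bot: In the replaced table row, the link text and target changed to "Azure Monitor Log Alerts" and `../azure-monitor/alerts/alerts-log.md`, but the visible URL in the second column is still `https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-response`. Update the displayed URL so it matches the new target, otherwise the row advertises one page and opens another.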
azure-cache-for-redis Cache How To Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-scale.md
Last updated 02/08/2021 -+ # Scale an Azure Cache for Redis instance Azure Cache for Redis has different cache offerings, which provide flexibility in the choice of cache size and features. For a Basic, Standard or Premium cache, you can change its size and tier after it's been created to keep up with your application needs. This article shows you how to scale your cache using the Azure portal, and tools such as Azure PowerShell, and Azure CLI.
azure-functions Functions Deployment Slots https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-deployment-slots.md
Azure Functions deployment slots have the following limitations:
- The number of slots available to an app depends on the plan. The Consumption plan is only allowed one deployment slot. Additional slots are available for apps running under the App Service plan. - Swapping a slot resets keys for apps that have an `AzureWebJobsSecretStorageType` app setting equal to `files`.
+- When slots are enabled, your Functions app is set to read-only mode in the portal.
## Support levels
azure-government Documentation Government Impact Level 5 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-impact-level-5.md
You need to address two key areas for Azure services in IL5 scope: storage isola
### Compute isolation
-IL5 separation requirements are stated in the SRG [Section 5.2.2.3](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/https://docsupdatetracker.net/index.html#5.2LegalConsiderations). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, all IL5 virtual machines should be isolated via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
+IL5 separation requirements are stated in the SRG [Section 5.2.2.3](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/https://docsupdatetracker.net/index.html#5.2LegalConsiderations). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, all IL5 virtual machines should be isolated via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/) or [isolated virtual machines](../virtual-machines/isolation.md). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data, you should accomplish isolation by focusing on the data being processed and how it's stored and retained. This approach ensures the data is stored in protected mediums. It also ensures the data isn't present on these services for extended periods unless it's encrypted as needed.
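Review bot: The SRG link in the changed paragraph, as rendered here, has a second URL embedded in its path and ends in `#5.2LegalConsiderations`, which does not match the "Section 5.2.2.3" it is cited for; fix the link while this paragraph is open. Also, now that the sentence offers two options (Azure Dedicated Host or isolated virtual machines), make it explicit whether "Doing so provides a dedicated physical server" applies to both.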
Azure SignalR Service supports Impact Level 5 workloads in Azure Government with
Web Apps supports Impact Level 5 workloads in Azure Government with this configuration: -- To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. For more information, see the [App Service plan documentation](../app-service/overview-hosting-plans.md).
+- To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. For more information, see the [App Service plan documentation](../app-service/overview-hosting-plans.md).
azure-monitor Agent Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agent-linux.md
If you are using an older version of the agent, you must have the Virtual Machin
- Ubuntu, Debian: `apt-get install -y python2` - SUSE: `zypper install -y python2`
-The python2 executable must be aliased to *python*. Following is one method that you can use to set this alias:
+Again, only if you are using an older version of the agent, the python2 executable must be aliased to *python*. Following is one method that you can use to set this alias:
1. Run the following command to remove any existing aliases.
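Review bot: The added opener "Again, only if you are using an older version of the agent," is awkward and depends on the reader having just read the previous paragraph. State the condition directly, for example "If you are using an older version of the agent, the python2 executable must be aliased to *python*."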
azure-monitor Azure Monitor Agent Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/azure-monitor-agent-install.md
Last updated 11/17/2020 -+
azure-monitor Activity Log Alerts Webhook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/activity-log-alerts-webhook.md
The JSON payload contained in the POST operation differs based on the payload's
> [!NOTE] > Currently, the description that is part of the Activity log event is copied to the fired **"Alert Description"** property. >
-> In order to align the Activity Log payload with other alert types, Starting April 1, 2021 the fired alert property **"DescriptionΓÇ£** will contain the alert rule description instead.
+> In order to align the Activity Log payload with other alert types, Starting April 1, 2021 the fired alert property **"Description"** will contain the alert rule description instead.
>
-> In preparation for this change, we created a new property **ΓÇ£Activity Log Event DescriptionΓÇ£** to the Activity Log fired Alert. This new property will be filled with the **"Description"** property that is already available for use. This means that the new field **ΓÇ£Activity Log Event DescriptionΓÇ£** will contain the description that is part of the Activity log event.
+> In preparation for this change, we created a new property **"Activity Log Event Description"** to the Activity Log fired Alert. This new property will be filled with the **"Description"** property that is already available for use. This means that the new field **"Activity Log Event Description"** will contain the description that is part of the Activity log event.
>
-> Please review your alert rules, action rules, webhooks, logic app or any other configurations where you might be using the **ΓÇ£DescriptionΓÇ¥** property from the fired alert and replace it with **ΓÇ£Activity Log Event DescriptionΓÇ¥** property.
+> Please review your alert rules, action rules, webhooks, logic app or any other configurations where you might be using the **"Description"** property from the fired alert and replace it with **"Activity Log Event Description"** property.
>
-> if your condition (in your action rules, webhooks, logic app or any other configurations) is currently based on the **"Description"** property for activity log alerts, you may need to modify it to be based on the **ΓÇ£Activity Log Event DescriptionΓÇ¥** property instead.
+> if your condition (in your action rules, webhooks, logic app or any other configurations) is currently based on the **"Description"** property for activity log alerts, you may need to modify it to be based on the **"Activity Log Event Description"** property instead.
> > In order to fill the new **"Description"** property, you can add a description in the alert rule definition. > ![Fired Activity Log Alerts](media/activity-log-alerts-webhook/activity-log-alert-fired.png)
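Review bot: The quote-encoding fix is correct, but the note text it touches still has "Starting April 1, 2021" capitalized mid-sentence and a paragraph that begins with lowercase "if your condition"; fix both in the same pass. The note also says the property "will contain" the alert rule description from April 1, 2021, which is already in the past for this update, so check whether it should now be written in the present tense.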
The JSON payload contained in the POST operation differs based on the payload's
```json {
- "schemaId":"Microsoft.Insights/activityLogs",
- "data":{"status":"Activated",
- "context":{
- "activityLog":{
- "channels":"Operation",
- "correlationId":"2518408115673929999",
- "description":"Failed SSH brute force attack. Failed brute force attacks were detected from the following attackers: [\"IP Address: 01.02.03.04\"]. Attackers were trying to access the host with the following user names: [\"root\"].",
- "eventSource":"Security",
- "eventTimestamp":"2017-06-25T19:00:32.607+00:00",
- "eventDataId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
- "level":"Informational",
- "operationName":"Microsoft.Security/locations/alerts/activate/action",
- "operationId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
- "properties":{
- "attackers":"[\"IP Address: 01.02.03.04\"]",
- "numberOfFailedAuthenticationAttemptsToHost":"456",
- "accountsUsedOnFailedSignInToHostAttempts":"[\"root\"]",
- "wasSSHSessionInitiated":"No","endTimeUTC":"06/25/2017 19:59:39",
- "actionTaken":"Detected",
- "resourceType":"Virtual Machine",
- "severity":"Medium",
- "compromisedEntity":"LinuxVM1",
- "remediationSteps":"[In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/documentation/articles/virtual-networks-nsg/)]",
- "attackedResourceType":"Virtual Machine"
- },
- "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/Microsoft.Security/locations/centralus/alerts/Sec-07f2-4d74-aaf0-03d2f53d5a33",
- "resourceGroupName":"contoso",
- "resourceProviderName":"Microsoft.Security",
- "status":"Active",
- "subscriptionId":"12345-5645-123a-9867-123b45a6789",
- "submissionTimestamp":"2017-06-25T20:23:04.9743772+00:00",
- "resourceType":"MICROSOFT.SECURITY/LOCATIONS/ALERTS"
- }
- },
- "properties":{}
- }
+ "schemaId":"Microsoft.Insights/activityLogs",
+ "data":{"status":"Activated",
+ "context":{
+ "activityLog":{
+ "channels":"Operation",
+ "correlationId":"2518408115673929999",
+ "description":"Failed SSH brute force attack. Failed brute force attacks were detected from the following attackers: [\"IP Address: 01.02.03.04\"]. Attackers were trying to access the host with the following user names: [\"root\"].",
+ "eventSource":"Security",
+ "eventTimestamp":"2017-06-25T19:00:32.607+00:00",
+ "eventDataId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
+ "level":"Informational",
+ "operationName":"Microsoft.Security/locations/alerts/activate/action",
+ "operationId":"Sec-07f2-4d74-aaf0-03d2f53d5a33",
+ "properties":{
+ "attackers":"[\"IP Address: 01.02.03.04\"]",
+ "numberOfFailedAuthenticationAttemptsToHost":"456",
+ "accountsUsedOnFailedSignInToHostAttempts":"[\"root\"]",
+ "wasSSHSessionInitiated":"No","endTimeUTC":"06/25/2017 19:59:39",
+ "actionTaken":"Detected",
+ "resourceType":"Virtual Machine",
+ "severity":"Medium",
+ "compromisedEntity":"LinuxVM1",
+ "remediationSteps":"[In case this is an Azure virtual machine, add the source IP to NSG block list for 24 hours (see https://azure.microsoft.com/documentation/articles/virtual-networks-nsg/)]",
+ "attackedResourceType":"Virtual Machine"
+ },
+ "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/Microsoft.Security/locations/centralus/alerts/Sec-07f2-4d74-aaf0-03d2f53d5a33",
+ "resourceGroupName":"contoso",
+ "resourceProviderName":"Microsoft.Security",
+ "status":"Active",
+ "subscriptionId":"12345-5645-123a-9867-123b45a6789",
+ "submissionTimestamp":"2017-06-25T20:23:04.9743772+00:00",
+ "resourceType":"MICROSOFT.SECURITY/LOCATIONS/ALERTS"
+ }
+ },
+ "properties":{}
+ }
} ```
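Review bot: Since this hunk only re-indents the sample payload, use it to split `"wasSSHSessionInitiated":"No","endTimeUTC":"06/25/2017 19:59:39",` into two lines and to move `"status":"Activated"` onto its own line after `"data":{`, as the second sample payload already does. Without that, the two samples in the article are still formatted inconsistently after the cleanup.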
The JSON payload contained in the POST operation differs based on the payload's
```json {
- "schemaId":"Microsoft.Insights/activityLogs",
- "data":{
- "status":"Activated",
- "context":{
- "activityLog":{
- "channels":"Operation",
- "claims":"{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"}",
- "caller":"Microsoft.Advisor",
- "correlationId":"123b4c54-11bb-3d65-89f1-0678da7891bd",
- "description":"A new recommendation is available.",
- "eventSource":"Recommendation",
- "eventTimestamp":"2017-06-29T13:52:33.2742943+00:00",
- "httpRequest":"{\"clientIpAddress\":\"0.0.0.0\"}",
- "eventDataId":"1bf234ef-e45f-4567-8bba-fb9b0ee1dbcb",
- "level":"Informational",
- "operationName":"Microsoft.Advisor/recommendations/available/action",
- "properties":{
- "recommendationSchemaVersion":"1.0",
- "recommendationCategory":"HighAvailability",
- "recommendationImpact":"Medium",
- "recommendationName":"Enable Soft Delete to protect your blob data",
- "recommendationResourceLink":"https://portal.azure.com/#blade/Microsoft_Azure_Expert/RecommendationListBlade/recommendationTypeId/12dbf883-5e4b-4f56-7da8-123b45c4b6e6",
- "recommendationType":"12dbf883-5e4b-4f56-7da8-123b45c4b6e6"
- },
- "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/microsoft.storage/storageaccounts/contosoStore",
- "resourceGroupName":"CONTOSO",
- "resourceProviderName":"MICROSOFT.STORAGE",
- "status":"Active",
- "subStatus":"",
- "subscriptionId":"12345-5645-123a-9867-123b45a6789",
- "submissionTimestamp":"2017-06-29T13:52:33.2742943+00:00",
- "resourceType":"MICROSOFT.STORAGE/STORAGEACCOUNTS"
- }
- },
- "properties":{}
- }
+ "schemaId":"Microsoft.Insights/activityLogs",
+ "data":{
+ "status":"Activated",
+ "context":{
+ "activityLog":{
+ "channels":"Operation",
+ "claims":"{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.Advisor\"}",
+ "caller":"Microsoft.Advisor",
+ "correlationId":"123b4c54-11bb-3d65-89f1-0678da7891bd",
+ "description":"A new recommendation is available.",
+ "eventSource":"Recommendation",
+ "eventTimestamp":"2017-06-29T13:52:33.2742943+00:00",
+ "httpRequest":"{\"clientIpAddress\":\"0.0.0.0\"}",
+ "eventDataId":"1bf234ef-e45f-4567-8bba-fb9b0ee1dbcb",
+ "level":"Informational",
+ "operationName":"Microsoft.Advisor/recommendations/available/action",
+ "properties":{
+ "recommendationSchemaVersion":"1.0",
+ "recommendationCategory":"HighAvailability",
+ "recommendationImpact":"Medium",
+ "recommendationName":"Enable Soft Delete to protect your blob data",
+ "recommendationResourceLink":"https://portal.azure.com/#blade/Microsoft_Azure_Expert/RecommendationListBlade/recommendationTypeId/12dbf883-5e4b-4f56-7da8-123b45c4b6e6",
+ "recommendationType":"12dbf883-5e4b-4f56-7da8-123b45c4b6e6"
+ },
+ "resourceId":"/subscriptions/12345-5645-123a-9867-123b45a6789/resourceGroups/contoso/providers/microsoft.storage/storageaccounts/contosoStore",
+ "resourceGroupName":"CONTOSO",
+ "resourceProviderName":"MICROSOFT.STORAGE",
+ "status":"Active",
+ "subStatus":"",
+ "subscriptionId":"12345-5645-123a-9867-123b45a6789",
+ "submissionTimestamp":"2017-06-29T13:52:33.2742943+00:00",
+ "resourceType":"MICROSOFT.STORAGE/STORAGEACCOUNTS"
+ }
+ },
+ "properties":{}
+ }
} ```
For specific schema details on all other activity log alerts, see [Overview of t
## Next steps * [Learn more about the activity log](../essentials/platform-logs-overview.md). * [Execute Azure automation scripts (Runbooks) on Azure alerts](https://go.microsoft.com/fwlink/?LinkId=627081).
-* [Use a logic app to send an SMS via Twilio from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/201-alert-to-text-message-with-logic-app). This example is for metric alerts, but it can be modified to work with an activity log alert.
+* [Use a logic app to send an SMS via Twilio from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/alert-to-text-message-with-logic-app). This example is for metric alerts, but it can be modified to work with an activity log alert.
* [Use a logic app to send a Slack message from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/201-alert-to-slack-with-logic-app). This example is for metric alerts, but it can be modified to work with an activity log alert.
-* [Use a logic app to send a message to an Azure queue from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/201-alert-to-queue-with-logic-app). This example is for metric alerts, but it can be modified to work with an activity log alert.
+* [Use a logic app to send a message to an Azure queue from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/alert-to-queue-with-logic-app). This example is for metric alerts, but it can be modified to work with an activity log alert.
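Review bot: The Slack entry in this Next steps list still points at `tree/master/201-alert-to-slack-with-logic-app`, while the Twilio and queue entries on either side of it now point at `tree/master/demos/...`. If the quickstart repository moved all of these samples, the Slack link needs the same path update; if that sample was intentionally left where it is, say so in the change description so the mixed paths do not read as an oversight.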
azure-monitor Alerts Log https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-log.md
Last updated 09/22/2020 -+ # Create, view, and manage log alerts using Azure Monitor
azure-monitor Alerts Webhooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-webhooks.md
Last updated 02/14/2021
> This article describes how to use older classic metric alerts. Azure Monitor now supports [newer near-real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users, though still in limited use until **31 May 2021**. Classic alerts for Azure Government cloud and Azure China 21Vianet will retire on **29 February 2024**. >
-You can use webhooks to route an Azure alert notification to other systems for post-processing or custom actions. You can use a webhook on an alert to route it to services that send SMS messages, to log bugs, to notify a team via chat or messaging services, or for various other actions.
+You can use webhooks to route an Azure alert notification to other systems for post-processing or custom actions. You can use a webhook on an alert to route it to services that send SMS messages, to log bugs, to notify a team via chat or messaging services, or for various other actions.
This article describes how to set a webhook on an Azure metric alert. It also shows you what the payload for the HTTP POST to a webhook looks like. For information about the setup and schema for an Azure activity log alert (alert on events), see [Call a webhook on an Azure activity log alert](../alerts/alerts-log-webhook.md).
The POST operation contains the following JSON payload and schema for all metric
## Next steps * Learn more about Azure alerts and webhooks in the video [Integrate Azure alerts with PagerDuty](https://go.microsoft.com/fwlink/?LinkId=627080). * Learn how to [execute Azure Automation scripts (runbooks) on Azure alerts](https://go.microsoft.com/fwlink/?LinkId=627081).
-* Learn how to [use a logic app to send an SMS message via Twilio from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/201-alert-to-text-message-with-logic-app).
+* Learn how to [use a logic app to send an SMS message via Twilio from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/alert-to-text-message-with-logic-app).
* Learn how to [use a logic app to send a Slack message from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/201-alert-to-slack-with-logic-app).
-* Learn how to [use a logic app to send a message to an Azure queue from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/201-alert-to-queue-with-logic-app).
+* Learn how to [use a logic app to send a message to an Azure queue from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/alert-to-queue-with-logic-app).
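Review bot: Only two of the three logic app links in this list were updated: the Slack link remains on `tree/master/201-alert-to-slack-with-logic-app`, while the Twilio and queue links moved to `tree/master/demos/`. Please confirm the Slack sample's current location and update it in the same change if it moved with the others.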
azure-monitor Tutorial Response https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/tutorial-response.md
- Title: Respond to events with Azure Log Analytics Alerts | Microsoft Docs
-description: This tutorial helps you understand alerting with Log Analytics to identify important information in your workspace and proactively notify you of issues or invoke actions to attempt to correct them.
--- Previously updated : 10/05/2018----
-# Respond to events with Azure Monitor Alerts
-Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated response. This tutorial is a continuation of the [Create and share dashboards of Log Analytics data](../visualize/tutorial-logs-dashboards.md) tutorial.
-
-In this tutorial, you learn how to:
-
-> [!div class="checklist"]
-> * Create an alert rule
-> * Configure an Action Group to send an e-mail notification
-
-To complete the example in this tutorial, you must have an existing virtual machine [connected to the Log Analytics workspace](../vm/quick-collect-azurevm.md).
-
-## Sign in to Azure portal
-Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
-
-## Create alerts
-Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events are created, absence of an event, or a number of events are created within a particular time window. For example, alerts can be used to notify you when average CPU usage exceeds a certain threshold, when a missing update is detected, or when an event is generated upon detecting that a specific Windows service or Linux daemon is not running. If the results of the log search match particular criteria, then an alert is created. The rule can then automatically run one or more actions, such as notify you of the alert or invoke another process.
-
-In the following example, you create a metric measurement alert rule based off of the *Azure VMs - Processor Utilization* query saved in the [Visualize data tutorial](../visualize/tutorial-logs-dashboards.md). An alert is created for each virtual machine that exceeds a threshold of 90%.
-
-1. In the Azure portal, click **All services**. In the list of resources, type **Log Analytics**. As you begin typing, the list filters based on your input. Select **Log Analytics**.
-2. In the left-hand pane, select **Alerts** and then click **New Alert Rule** from the top of the page to create a new alert.<br><br> ![Create new alert rule](./media/tutorial-response/alert-rule-02.png)<br>
-3. For the first step, under the **Create Alert** section, you are going to select your Log Analytics workspace as the resource, since this is a log based alert signal. Filter the results by choosing the specific **Subscription** from the drop-down list if you have more than one, which contains the VM and Log Analytics workspace created earlier. Filter the **Resource Type** by selecting **Log Analytics** from the drop-down list. Finally, select the **Resource** **DefaultLAWorkspace** and then click **Done**.<br><br> ![Create alert step 1 task](./media/tutorial-response/alert-rule-03.png)<br>
-4. Under the section **Alert Criteria**, click **Add Criteria** to select our saved query and then specify logic that the alert rule follows. From the **Configure signal logic** pane, select *Azure VMs - Processor Utilization* from the list. The pane updates to present the configuration settings for the alert. On the top, it shows the results for the last 30 minutes of the selected signal and the search query itself.
-5. Configure the alert with the following information:
- a. From the **Based on** drop-down list, select **Metric measurement**. A metric measurement will create an alert for each object in the query with a value that exceeds our specified threshold.
- b. For the **Condition**, select **Greater than** and enter **90** for **Threshold**.
- c. Under Trigger Alert Based On section, select **Consecutive breaches** and from the drop-down list select **Greater than** enter a value of 3.
- d. Under Evaluation based on section, modify the **Period** value to **30** minutes. The rule will run every five minutes and return records that were created within the last thirty minutes from the current time. Setting the time period to a wider window accounts for the potential of data latency, and ensures the query returns data to avoid a false negative where the alert never fires.
-6. Click **Done** to complete the alert rule.<br><br> ![Configure alert signal](./media/tutorial-response/alert-signal-logic-02.png)<br>
-7. Now moving onto the second step, provide a name of your alert in the **Alert rule name** field, such as **Percentage CPU greater than 90 percent**. Specify a **Description** detailing specifics for the alert, and select **Critical(Sev 0)** for the **Severity** value from the options provided.<br><br> ![Configure alert details](./media/tutorial-response/alert-signal-logic-04.png)<br>
-8. To immediately activate the alert rule on creation, accept the default value for **Enable rule upon creation**.
-9. For the third and final step, you specify an **Action Group**, which ensures that the same actions are taken each time an alert is triggered and can be used for each rule you define. Configure a new action group with the following information:
- a. Select **New action group** and the **Add action group** pane appears.
- b. For **Action group name**, specify a name such as **IT Operations - Notify** and a **Short name** such as **itops-n**.
- c. Verify the default values for **Subscription** and **Resource group** are correct. If not, select the correct one from the drop-down list.
- d. Under the Actions section, specify a name for the action, such as **Send Email** and under **Action Type** select **Email/SMS/Push/Voice** from the drop-down list. The **Email/SMS/Push/Voice** properties pane will open to the right in order to provide additional information.
- e. On the **Email/SMS/Push/Voice** pane, enable **Email** and provide a valid email SMTP address to deliver the message to.
- f. Click **OK** to save your changes.<br><br>
-
- ![Create new action group](./media/tutorial-response/action-group-properties-01.png)
-
-10. Click **OK** to complete the action group.
-11. Click **Create alert rule** to complete the alert rule. It starts running immediately.<br><br> ![Complete creating new alert rule](./media/tutorial-response/alert-rule-01.png)<br>
-
-## View your alerts in Azure portal
-Now that you have created an alert, you can view Azure alerts in a single pane and manage all alert rules across your Azure subscriptions. It lists all the alert rules (enabled or disabled) and can be sorted based on target resources, resource groups, rule name, or status. Included is an aggregated summary of all the fired alerts, and total configured/enabled alert rules.<br><br> ![Azure Alerts status page](./media/tutorial-response/azure-alerts-02.png)
-
-When the alert triggers, the table reflects the condition and how many times it occurred within the time range selected (the default is last six hours). There should be a corresponding email in your inbox similar to the following example showing the offending virtual machine and the top results that matched the search query in this case.<br><br> ![Alert email action example](./media/tutorial-response/azure-alert-email-notification-01.png)
-
-## Next steps
-In this tutorial, you learned how alert rules can proactively identify and respond to an issue when they run log searches at scheduled intervals and match a particular criteria.
-
-Follow this link to see pre-built Log Analytics script samples.
-
-> [!div class="nextstepaction"]
-> [Log Analytics script samples](../powershell-samples.md)
azure-monitor Create New Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/create-new-resource.md
Title: Create a new Azure Application Insights resource | Microsoft Docs
description: Manually set up Application Insights monitoring for a new live application. Last updated 02/10/2021 -+
azure-monitor Create Workspace Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/create-workspace-resource.md
Title: Create a new Azure Monitor Application Insights workspace-based resource
description: Learn about the steps required to enable the new Azure Monitor Application Insights workspace-based resources. Last updated 10/06/2020 -+
azure-monitor Autoscale Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/autoscale/autoscale-best-practices.md
We recommend choosing an adequate margin between the scale-out and in thresholds
* Increase instances by 1 count when CPU% >= 80 * Decrease instances by 1 count when CPU% <= 60
-In this case
+In this case
1. Assume there are 2 instances to start with. 2. If the average CPU% across instances goes to 80, autoscale scales out adding a third instance.
Autoscale will post to the Activity Log if any of the following conditions occur
* Autoscale detects flapping and aborts the scale attempt. You will see a log type of `Flapping` in this situation. If you see this, consider whether your thresholds are too narrow. * Autoscale detects flapping but is still able to successfully scale. You will see a log type of `FlappingOccurred` in this situation. If you see this, the autoscale engine has attempted to scale (e.g. from 4 instances to 2), but has determined that this would cause flapping. Instead, the autoscale engine has scaled to a different number of instances (e.g. using 3 instances instead of 2), which no longer causes flapping, so it has scaled to this number of instances.
-You can also use an Activity Log alert to monitor the health of the autoscale engine. Here are examples to [create an Activity Log Alert to monitor all autoscale engine operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-alert) or to [create an Activity Log Alert to monitor all failed autoscale scale in/scale out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-failed-alert).
+You can also use an Activity Log alert to monitor the health of the autoscale engine. Here are examples to [create an Activity Log Alert to monitor all autoscale engine operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-alert) or to [create an Activity Log Alert to monitor all failed autoscale scale in/scale out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-failed-alert).
In addition to using activity log alerts, you can also configure email or webhook notifications to get notified for successful scale actions via the notifications tab on the autoscale setting. ## Next Steps-- [Create an Activity Log Alert to monitor all autoscale engine operations on your subscription.](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-alert)-- [Create an Activity Log Alert to monitor all failed autoscale scale in/scale out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-failed-alert)-
+- [Create an Activity Log Alert to monitor all autoscale engine operations on your subscription.](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-alert)
+- [Create an Activity Log Alert to monitor all failed autoscale scale in/scale out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-failed-alert)
azure-monitor Autoscale Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/autoscale/autoscale-get-started.md
You can always return to Autoscale by clicking **Enable autoscale** and then **S
### Cool-down period effects
-Autoscale uses a cool-down period to prevent "flapping", which is the rapid, repetative up and down scaling of instances. For more information, see [Autoscale evaluation steps](autoscale-understanding-settings.md#autoscale-evaluation). Other valuable information on flapping and understanding how to monitor the autoscale engine can be found in [Autoscale Best Practices](autoscale-best-practices.md#choose-the-thresholds-carefully-for-all-metric-types) and [Troubleshooting autoscale](autoscale-troubleshoot.md) respectively.
+Autoscale uses a cool-down period to prevent "flapping", which is the rapid, repetitive up and down scaling of instances. For more information, see [Autoscale evaluation steps](autoscale-understanding-settings.md#autoscale-evaluation). Other valuable information on flapping and understanding how to monitor the autoscale engine can be found in [Autoscale Best Practices](autoscale-best-practices.md#choose-the-thresholds-carefully-for-all-metric-types) and [Troubleshooting autoscale](autoscale-troubleshoot.md) respectively.
## Route traffic to healthy instances (App Service)
This section describes how to move Azure autoscale to another region under the s
### Move Use [REST API](/rest/api/monitor/autoscalesettings/createorupdate) to create an autoscale setting in the new environment. The autoscale setting created in the destination region will be a copy of the autoscale setting in the source region.
-[Diagnostic settings](../essentials/diagnostic-settings.md) that were created in association with the autoscale setting in the source region cannot be moved. You will need to recreate diagnostic settings in the destination region, after the creation of autosale settings is completed.
+[Diagnostic settings](../essentials/diagnostic-settings.md) that were created in association with the autoscale setting in the source region cannot be moved. You will need to recreate diagnostic settings in the destination region, after the creation of autosale settings is completed.
### Learn more about moving resources across Azure regions To learn more about moving resources between regions and disaster recovery in Azure, refer to [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md) ## Next steps-- [Create an Activity Log Alert to monitor all Autoscale engine operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-alert)-- [Create an Activity Log Alert to monitor all failed Autoscale scale-in/scale-out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-failed-alert)
+- [Create an Activity Log Alert to monitor all Autoscale engine operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-alert)
+- [Create an Activity Log Alert to monitor all failed Autoscale scale-in/scale-out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/monitor-autoscale-failed-alert)
<!--Reference-->
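Review bot: The added diagnostic settings paragraph under Move still contains the typo "autosale settings" (should be "autoscale settings"); the removed and added versions of that line look identical apart from whitespace. This change already corrects "repetative" to "repetitive" in the cool-down section, so the same cleanup belongs here.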
azure-monitor Collect Custom Metrics Guestos Resource Manager Vmss https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/collect-custom-metrics-guestos-resource-manager-vmss.md
If you're new to Resource Manager templates, learn about [template deployments](
The Azure Diagnostics extension uses a feature called **data sinks** to route metrics and logs to different locations. The following steps show how to use a Resource Manager template and PowerShell to deploy a VM by using the new Azure Monitor data sink. ## Author a Resource Manager template
-For this example, you can use a publicly available [sample template](https://github.com/Azure/azure-quickstart-templates/tree/master/201-vmss-windows-autoscale):
+For this example, you can use a publicly available [sample template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vmss-windows-autoscale):
- **Azuredeploy.json** is a preconfigured Resource Manager template for deployment of a virtual machine scale set.
azure-monitor Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/customer-managed-keys.md
Last updated 04/21/2021 -+
azure-monitor Logs Dedicated Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-dedicated-clusters.md
Last updated 09/16/2020 -+ # Azure Monitor Logs Dedicated Clusters
azure-monitor Manage Cost Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/manage-cost-storage.md
na Previously updated : 04/30/2021 Last updated : 05/07/2021
Each workspace has its daily cap applied on a different hour of the day. The res
Soon after the daily limit is reached, the collection of billable data types stops for the rest of the day. Latency inherent in applying the daily cap means that the cap is not applied at precisely the specified daily cap level. A warning banner appears across the top of the page for the selected Log Analytics workspace and an operation event is sent to the *Operation* table under **LogManagement** category. Data collection resumes after the reset time defined under *Daily limit will be set at*. We recommend defining an alert rule based on this operation event, configured to notify when the daily data limit has been reached (see [below](#alert-when-daily-cap-reached)). > [!NOTE]
-> The daily cap cannot stop data collection as precisely the specified cap level and some excess data is expected, particularly if the workspace is receiving high volumes of data. See [below](#view-the-effect-of-the-daily-cap) for a query that is helpful in studying the daily cap behavior.
+> The daily cap cannot stop data collection as precisely the specified cap level and some excess data is expected, particularly if the workspace is receiving high volumes of data. If data is collected above the cap, it is still billed. See [below](#view-the-effect-of-the-daily-cap) for a query that is helpful in studying the daily cap behavior.
> [!WARNING] > The daily cap does not stop the collection of data types WindowsEvent, SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus, Update and UpdateSummary, except for workspaces in which Azure Defender (Security Center) was installed before June 19, 2017.
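Review bot: The rewritten NOTE still reads "cannot stop data collection as precisely the specified cap level"; "as" should be "at", matching the paragraph above it ("not applied at precisely the specified daily cap level"). Since the line is already being edited to add the billing sentence, fix the wording in the same change.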
azure-monitor Move Workspace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/move-workspace.md
The workspace source and destination subscriptions must exist within the same Az
> - If you have already moved the workspace, disable all active rules under **Analytics** and re-enable them after five minutes. This should be an effective solution in most cases, though, to reiterate, it is unsupported and undertaken at your own risk. > > **Re-create alerts**
-> - All alerts must be re-created after a move because the permissions are based on the Azure Resource ID of the workspace, which changes during a workspace move.
+> - All alerts must be re-created after a workspace move or rename operation because the permissions are based on the Azure Resource ID of the workspace, which changes during a workspace move or resource name change.
> > **Update resource paths** > - After a workspace move, any Azure or external resources that point to the workspace must be reviewed and updated to point to the new resource target path.
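Review bot: The Re-create alerts bullet now covers "a workspace move or rename operation", but the Update resource paths bullet directly below it still says only "After a workspace move". If a rename changes the Azure Resource ID, as the new text states, anything pointing at the workspace needs the same review after a rename, so that bullet should be extended as well. The new sentence also uses both "rename operation" and "resource name change" for the same event; pick one term.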
azure-monitor Service Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/service-providers.md
In this architecture, a workspace is deployed in the customer's tenant that is u
There are two ways that service provider administrators can gain access to a Log Analytics workspace in a customer tenant: - A customer can add individual users from the service provider as [Azure Active Directory guest users (B2B)](../../active-directory/external-identities/what-is-b2b.md). The service provider administrators will have to sign in to each customer's directory in the Azure portal to be able to access these workspaces. This also requires the customers to manage individual access for each service provider administrator.-- For greater scalability and flexibility, service providers can use the [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md) capability of [Azure Lighthouse](../../lighthouse/overview.md) to access the customerΓÇÖs tenant. With this method, the service provider administrators are included in an Azure AD user group in the service providerΓÇÖs tenant, and this group is granted access during the onboarding process for each customer. These administrators can then access each customerΓÇÖs workspaces from within their own service provider tenant, rather than having to log into each customerΓÇÖs tenant individually. Accessing your customersΓÇÖ Log Analytics workspaces resources in this way reduces the work required on the customer side, and can make it easier to gather and analyze data across multiple customers managed by the same service provider via tools such as [Azure Monitor Workbooks](../visualize/workbooks-overview.md). For more info, see [Monitor customer resources at scale](../../lighthouse/how-to/monitor-at-scale.md).
+- For greater scalability and flexibility, service providers can use [Azure Lighthouse](../../lighthouse/overview.md) to access the customerΓÇÖs tenant. With this method, the service provider administrators are included in an Azure AD user group in the service providerΓÇÖs tenant, and this group is granted access during the onboarding process for each customer. These administrators can then access each customerΓÇÖs workspaces from within their own service provider tenant, rather than having to log into each customerΓÇÖs tenant individually. Accessing your customersΓÇÖ Log Analytics workspaces resources in this way reduces the work required on the customer side, and can make it easier to gather and analyze data across multiple customers managed by the same service provider via tools such as [Azure Monitor Workbooks](../visualize/workbooks-overview.md). For more info, see [Monitor customer resources at scale](../../lighthouse/how-to/monitor-at-scale.md).
The advantages of the distributed architecture are:
-* The customer can confirm specific levels of permissions via [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md), or can manage access to the logs using their own [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
+* The customer can confirm specific levels of permissions via [Azure delegated resource management](../../lighthouse/concepts/architecture.md), or can manage access to the logs using their own [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
* Logs can be collected from all types of resources, not just agent-based VM data. For example, Azure Audit Logs. * Each customer can have different settings for their workspace such as retention and data capping. * Isolation between customers for regulatory and compliancy.
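Review bot: In the first advantages bullet the link text is still "Azure delegated resource management", but its target changed to `../../lighthouse/concepts/architecture.md`, so the text no longer describes the page it opens. Either reword the link text to match the architecture article or keep the original target. This matters here because the bullet is telling customers how to confirm the permission levels granted to the service provider.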
azure-monitor Tutorial Logs Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/visualize/tutorial-logs-dashboards.md
Now that we have a query pinned to the dashboard, you will notice it has a gener
![Completed configuration of sample dashboard](media/tutorial-logs-dashboards/log-analytics-modify-dashboard-02.png) ## Next steps
-In this tutorial, you learned how to create a dashboard in the Azure portal and add a log query to it. Advance to the next tutorial to learn the different responses you can implement based on log query results.
+In this tutorial, you learned how to create a dashboard in the Azure portal and add a log query to it. Follow this link to see pre-built Log Analytics script samples.
> [!div class="nextstepaction"]
-> [Respond to events with Log Analytics Alerts](../alerts/tutorial-response.md)
+> [Log Analytics script samples](../powershell-samples.md)
azure-netapp-files Azure Netapp Files Create Volumes Smb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
Before creating an SMB volume, you need to create an Active Directory connection
> [!IMPORTANT] > The SMB Continuous Availability feature is currently in public preview. You need to submit a waitlist request for accessing the feature through the **[Azure NetApp Files SMB Continuous Availability Shares Public Preview waitlist submission page](https://aka.ms/anfsmbcasharespreviewsignup)**. Wait for an official confirmation email from the Azure NetApp Files team before using the Continuous Availability feature. >
- > You should enable Continuous Availability only for SQL Server and [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md). Using SMB Continuous Availability shares for workloads other than SQL Server and FSLogix user profile containers is *not* supported. This feature is currently supported on Windows SQL Server. Linux SQL Server is not currently supported. If you are using a non-administrator (domain) account to install SQL Server, ensure that the account has the required security privilege assigned. If the domain account does not have the required security privilege (`SeSecurityPrivilege`), and the privilege cannot be set at the domain level, you can grant the privilege to the account by using the **Security privilege users** field of Active Directory connections. See [Create an Active Directory connection](create-active-directory-connections.md#create-an-active-directory-connection).
+ You should enable Continuous Availability only for SQL Server and [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md). Using SMB Continuous Availability shares for workloads other than SQL Server and FSLogix user profile containers is *not* supported. This feature is currently supported on Windows SQL Server. Linux SQL Server is not currently supported. If you are using a non-administrator (domain) account to install SQL Server, ensure that the account has the required security privilege assigned. If the domain account does not have the required security privilege (`SeSecurityPrivilege`), and the privilege cannot be set at the domain level, you can grant the privilege to the account by using the **Security privilege users** field of Active Directory connections. See [Create an Active Directory connection](create-active-directory-connections.md#create-an-active-directory-connection).
<!-- [1/13/21] Commenting out command-based steps below, because the plan is to use form-based (URL) registration, similar to CRR feature registration --> <!--
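Review bot: the only change to the "You should enable Continuous Availability only for SQL Server..." paragraph is the loss of its leading `>`, which takes it out of the `[!IMPORTANT]` callout opened in the context line above. That paragraph carries the supported-workload restriction and the `SeSecurityPrivilege` guidance, so if it is meant to stay in the callout, keep the `>` marker. If the change is deliberate, say why in the commit message.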
You can set permissions for a file or folder by using the **Security** tab of th
* [Mount or unmount a volume for Windows or Linux virtual machines](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md) * [Configure ADDS LDAP over TLS for Azure NetApp Files](configure-ldap-over-tls.md)
+* [Convert existing SMB volumes to use Continuous Availability](convert-smb-continuous-availability.md)
* [SMB FAQs](azure-netapp-files-faqs.md#smb-faqs) * [Troubleshoot SMB or dual-protocol volumes](troubleshoot-dual-protocol-volumes.md) * [Learn about virtual network integration for Azure services](../virtual-network/virtual-network-for-azure-services.md)
azure-netapp-files Azure Netapp Files Register https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-register.md
To use the service, you must register the Azure Resource Provider for Azure NetA
2. If you have multiple subscriptions on your Azure account, select the one that has been approved for Azure NetApp Files:
- ```azurepowershell
+ ```azurecli
az account set --subscription <subscriptionId> ``` 3. In the Azure Cloud Shell console, enter the following command to verify that your subscription has been approved:
- ```azurepowershell
+ ```azurecli
az feature list | grep NetApp ```
To use the service, you must register the Azure Resource Provider for Azure NetA
4. In the Azure Cloud Shell console, enter the following command to register the Azure Resource Provider:
- ```azurepowershell
+ ```azurecli
az provider register --namespace Microsoft.NetApp --wait ```
To use the service, you must register the Azure Resource Provider for Azure NetA
5. In the Azure Cloud Shell console, enter the following command to verify that the Azure Resource Provider has been registered:
- ```azurepowershell
+ ```azurecli
az provider show --namespace Microsoft.NetApp ```
azure-netapp-files Configure Nfs Clients https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/configure-nfs-clients.md
na ms.devlang: na Previously updated : 11/09/2020 Last updated : 05/10/2021 # Configure an NFS client for Azure NetApp Files
The examples in this section use the following domain name and IP address:
Ensure that `default_realm` is set to the provided realm in `/etc/krb5.conf`. If not, add it under the `[libdefaults]` section in the file as shown in the following example:
- `default_realm = CONTOSO.COM`
+ ```
+ [libdefaults]
+ default_realm = CONTOSO.COM
+ default_tkt_enctypes = aes256-cts-hmac-sha1-96
+ default_tgs_enctypes = aes256-cts-hmac-sha1-96
+ permitted_enctypes = aes256-cts-hmac-sha1-96
+ [realms]
+ CONTOSO.COM = {
+ kdc = dc01.contoso.com
+ admin_server = dc01.contoso.com
+ master_kdc = dc01.contoso.com
+ default_domain = contoso.com
+ }
+ [domain_realm]
+ .contoso.com = CONTOSO.COM
+ contoso.com = CONTOSO.COM
+ [logging]
+ kdc = SYSLOG:INFO
+ admin_server = FILE=/var/kadm5.log
+ ```
7. Restart all NFS
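Review bot: the sentence above the block still tells the reader to add `default_realm` under `[libdefaults]`, but the added block is a whole `krb5.conf` with `[realms]`, `[domain_realm]` and `[logging]` sections and three enctype lines restricted to `aes256-cts-hmac-sha1-96`. State which lines the NFS client requires and which are illustrative, because readers will paste the block as is and the enctype pinning changes which tickets the client will accept. In `[logging]`, `admin_server = FILE=/var/kadm5.log` uses the `=` form, which in MIT krb5 overwrites the file rather than appending to it (`FILE:` appends). The fence also has no language tag.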
azure-netapp-files Convert Smb Continuous Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/convert-smb-continuous-availability.md
+
+ Title: Convert existing Azure NetApp Files SMB volumes to use SMB Continuous Availability | Microsoft Docs
+description: Describes enable SMB CA by converting an existing Azure NetApp Files SMB volume.
+
+documentationcenter: ''
++
+editor: ''
+
+ms.assetid:
++
+ na
+ms.devlang: na
+ Last updated : 05/10/2021++
+# Convert existing SMB volumes to use Continuous Availability
+
+You can enable the SMB Continuous Availability (CA) feature when you [create a new SMB volume](azure-netapp-files-create-volumes-smb.md#add-an-smb-volume). You can also convert an existing SMB volume to enable the SMB CA feature. This article shows you how to enable SMB CA by converting an existing volume.
+
+> [!IMPORTANT]
+> This procedure includes a cut-over from the original volume to the new volume enabled for CA shares. As such, you should plan for a maintenance window for this process.
+
+## Steps
+
+1. Make sure that you have [registered the SMB Continuous Availability Shares](https://aka.ms/anfsmbcasharespreviewsignup) feature.
+2. Stop the application that is using the SMB volume.
+3. [Create an on-demand snapshot](azure-netapp-files-manage-snapshots.md#create-an-on-demand-snapshot-for-a-volume) of the existing volume.
+4. Select **Snapshots** from the existing volume to display the snapshot list.
+5. Right-click the snapshot to restore, and select **Restore to new volume** from the menu option.
+
+ ![Snapshot that shows the Restore to New Volume option.](../media/azure-netapp-files/azure-netapp-files-snapshot-restore-to-new-volume.png)
+
+6. In the Create a Volume window that appears, provide information for the new volume:
+
+ * **Volume name**
+ Specify the name for the volume that you are creating.
+ The name must be unique within a resource group. It must be at least three characters long. It can use any alphanumeric characters.
+
+ * **Quota**
+ Specify the amount of logical storage that you want to allocate to the volume.
+
+ ![Snapshot that shows the Create a Volume window.](../media/azure-netapp-files/snapshot-restore-new-volume.png)
+
+7. Under the Protocol section of the Create a Volume window, make sure that you select the **Enable Continuous Availability** option.
+
+ ![Snapshot that shows the Enable Continuous Availability option.](../media/azure-netapp-files/enable-continuous-availability-option.png)
+
+8. Click **Review + create**. Click **Create**.
+ The new volume uses the same protocol that the snapshot uses.
+ The new volume to which the snapshot is restored appears in the Volumes view.
+
+9. After the new volume is created, click **Mount instructions** from the selected volume blade. And then follow the instructions to mount the new volume.
+
+10. Reconfigure your application to make use of the new volume mount point.
+
+11. Restart the application that you stopped during Step 2.
+
+12. After the application begins to leverage the new volume, and when the process of restoring to the new volume is complete, you can optionally delete the original volume.
+
+## Next steps
+
+* [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md)
+* [Mount or unmount a volume for Windows or Linux virtual machines](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md)
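Review bot: step 12 lets the reader delete the original volume once the application is using the new one, but no earlier step has them verify the restored data on the new volume. After the cut-over the original volume is the only fallback, so add a verification step before step 12. The `description:` line reads "Describes enable SMB CA by converting", which is missing "how to", and step 9 has a sentence fragment ("And then follow the instructions...") that should be joined to the sentence before it.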
azure-netapp-files Develop Rest Api Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/develop-rest-api-powershell.md
The REST API specification for Azure NetApp Files is published through [GitHub](
2. Enter the following command in the Azure CLI:
- ```azurepowershell
+ ```azurecli
$RBAC_SP = az ad sp create-for-rbac --name <YOURSPNAMEGOESHERE> | ConvertFrom-Json ```
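Review bot: the fence is relabelled `azurecli`, but the line inside it is PowerShell: `$RBAC_SP = ...` assigns a PowerShell variable and pipes the output to `ConvertFrom-Json`, so it does not run in a Bash session and is highlighted with the wrong grammar. Keep a PowerShell fence for this line, and change the step text "Enter the following command in the Azure CLI" to match. Because `az ad sp create-for-rbac` returns the new service principal's password in its output, also add a sentence telling the reader that `$RBAC_SP` now holds a credential.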
azure-percept How To Update Via Usb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-update-via-usb.md
This guide will show you how to successfully update your dev kit's operating sys
## Download software tools and update files
-1. [NXP UUU tool](https://github.com/NXPmicro/mfgtools/releases). Download the **Latest Release** uuu.exe file (for Windows) or the uuu file (for Linux) under the **Assets** tab. UUU is a tool created by NXP used to update software on NXP dev boards.
+1. [NXP UUU tool](https://github.com/NXPmicro/mfgtools/releases). Download the **Latest Release** uuu.exe file (for Windows) or the uuu file (for Linux) under the **Assets** tab. UUU is a tool created by NXP used to update NXP dev boards.
1. [Download the update files](https://go.microsoft.com/fwlink/?linkid=2155734). They are all contained in a zip file that you will extract in the next section.
azure-percept Quickstart Percept Dk Set Up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/quickstart-percept-dk-set-up.md
To verify if your Azure account is an “owner” or “contributor” within th
1. When you see the **Device setup complete!** page, your dev kit has successfully linked to your IoT Hub and downloaded the necessary software. Your dev kit will automatically disconnect from the Wi-Fi access point resulting in these two notifications:
- <!
> [!NOTE]
- > The onboarding process and connection to the device Wifi access to your host computer shuts down at this point, but your dev kit will stay connected to the internet. You can restart the onboarding experience with a dev kit reboot, which will allow you to go back through the onboarding and reconnect the device to a different IOT hub associated with the same or a different Azure Subscription..
- >
+ > The IoT Edge containers that get configured as part of this set up process use certificates that will expire after 90 days. The certificates can be automatically regenerated by restarting IoT Edge. Refer to [Manage certificates on an IoT Edge device](https://docs.microsoft.com/azure/iot-edge/how-to-manage-device-certificates) for more details.
:::image type="content" source="./media/quickstart-percept-dk-setup/main-19-0-warning.png" alt-text="Setup experience disconnect warning.":::
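Review bot: the new certificate note sits between "resulting in these two notifications:" and the disconnect-warning image, where the removed note explained the Wi-Fi access point shutting down. A note about 90-day certificate expiry does not belong to that step, and the removed guidance about restarting onboarding with a reboot is gone with no replacement. Move the certificate note to the end of the procedure and say what the reader will observe when the certificates expire. Use a relative link instead of the absolute `https://docs.microsoft.com/...` URL, to match the other cross-article links.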
To verify if your Azure account is an “owner” or “contributor” within th
1. Click **Continue to the Azure portal**.
- :::image type="content" source="./media/quickstart-percept-dk-setup/main-20-azure-portal-continue.png" alt-text="Go to Azure Percept Studio.":::
+ :::image type="content" source="./media/quickstart-percept-dk-setup/main-20-Azure-portal-continue.png" alt-text="Go to Azure Percept Studio.":::
## View your dev kit video stream and deploy a sample model
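Review bot: the only change on the `:::image` line is the case of the file name, from `main-20-azure-portal-continue.png` to `main-20-Azure-portal-continue.png`. The other media path visible in this article's diff (`main-19-0-warning.png`) is all lowercase, and the reference breaks on a case-sensitive file system unless the file itself was renamed in the same commit. Confirm the rename, or revert to the lowercase name.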
azure-resource-manager Create Custom Provider https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/custom-providers/create-custom-provider.md
Last updated 06/24/2020 -+ # Quickstart: Create a custom provider and deploy custom resources
azure-resource-manager Azure Subscription Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/azure-subscription-service-limits.md
The following limits apply when you use Azure Resource Manager and Azure resourc
## App Service limits
-The following App Service limits include limits for Web Apps, Mobile Apps, and API Apps.
- [!INCLUDE [azure-websites-limits](../../../includes/azure-websites-limits.md)] ## Automation limits
The following App Service limits include limits for Web Apps, Mobile Apps, and A
[!INCLUDE [app-configuration-limits](../../../includes/app-configuration-limits.md)]
+## Azure API for FHIR service limits
++ ## Azure Cache for Redis limits [!INCLUDE [redis-cache-service-limits](../../../includes/redis-cache-service-limits.md)]
azure-resource-manager Virtual Machines Move Limitations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-limitations/virtual-machines-move-limitations.md
Title: Move Azure VMs to new subscription or resource group
description: Use Azure Resource Manager to move virtual machines to a new resource group or subscription. Last updated 04/23/2021 -+ # Move guidance for virtual machines
azure-resource-manager View Activity Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/view-activity-logs.md
Title: View Azure activity logs to monitor resources
description: Use the activity logs to review user actions and errors. Shows Azure portal PowerShell, Azure CLI, and REST. Last updated 05/13/2019 -+ # View activity logs to monitor actions on resources
azure-resource-manager Bicep Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/bicep-install.md
Title: Set up Bicep development and deployment environments
description: How to configure Bicep development and deployment environments Last updated 03/26/2021 -+ # Install Bicep (Preview)
azure-resource-manager Conditional Resource Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/conditional-resource-deployment.md
resource dnsZone 'Microsoft.Network/dnszones@2018-05-01' = if (deployZone) {
-For a more complex example, see [Azure SQL logical server](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-logical-server).
+For a more complex example, see [Azure SQL logical server](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-logical-server).
## New or existing resource
resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = if (newOrExisting =
When the parameter `newOrExisting` is set to **new**, the condition evaluates to true. The storage account is deployed. However, when `newOrExisting` is set to **existing**, the condition evaluates to false and the storage account isn't deployed.
-For a complete example template that uses the `condition` element, see [VM with a new or existing Virtual Network, Storage, and Public IP](https://github.com/Azure/azure-quickstart-templates/tree/master/201-vm-new-or-existing-conditions).
+For a complete example template that uses the `condition` element, see [VM with a new or existing Virtual Network, Storage, and Public IP](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-new-or-existing-conditions).
## Runtime functions
azure-resource-manager Copy Properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/copy-properties.md
The following example shows a common scenario for creating more than one value f
|Template |Description | |||
-|[VM deployment with a variable number of data disks](https://github.com/Azure/azure-quickstart-templates/tree/master/101-vm-windows-copy-datadisks) |Deploys several data disks with a virtual machine. |
+|[VM deployment with a variable number of data disks](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-windows-copy-datadisks) |Deploys several data disks with a virtual machine. |
## Next steps
azure-resource-manager Deploy To Management Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-management-group.md
Title: Deploy resources to management group
description: Describes how to deploy resources at the management group scope in an Azure Resource Manager template. Last updated 03/18/2021 -+ # Management group deployments with ARM templates
azure-resource-manager Deploy To Subscription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-subscription.md
Title: Deploy resources to subscription
description: Describes how to create a resource group in an Azure Resource Manager template. It also shows how to deploy resources at the Azure subscription scope. Last updated 01/13/2021 -+ # Subscription deployments with ARM templates
azure-resource-manager Deploy To Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-tenant.md
Title: Deploy resources to tenant
description: Describes how to deploy resources at the tenant scope in an Azure Resource Manager template. Last updated 04/27/2021 -+ # Tenant deployments with ARM templates
azure-resource-manager Deployment History Deletions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-history-deletions.md
Title: Deployment history deletions
description: Describes how Azure Resource Manager automatically deletes deployments from the deployment history. Deployments are deleted when the history is close to exceeding the limit of 800. Last updated 03/23/2021 -+ # Automatic deletions from deployment history
azure-resource-manager Deployment History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-history.md
description: Describes how to view Azure Resource Manager deployment operations
tags: top-support-issue Last updated 09/23/2020 -+ # View deployment history with Azure Resource Manager
azure-resource-manager Key Vault Parameter https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/key-vault-parameter.md
Title: Key Vault secret with template
description: Shows how to pass a secret from a key vault as a parameter during deployment. Last updated 04/23/2021 -++ # Use Azure Key Vault to pass secure parameter value during deployment
Instead of putting a secure value (like a password) directly in your template or parameter file, you can retrieve the value from an [Azure Key Vault](../../key-vault/general/overview.md) during a deployment. You retrieve the value by referencing the key vault and secret in your parameter file. The value is never exposed because you only reference its key vault ID. The key vault can exist in a different subscription than the resource group you're deploying to. This article's focus is how to pass a sensitive value as a template parameter. The article doesn't cover how to set a virtual machine property to a certificate's URL in a key vault.
-For a quickstart template of that scenario, see [Install a certificate from Azure Key Vault on a Virtual Machine](https://github.com/Azure/azure-quickstart-templates/tree/master/201-vm-winrm-keyvault-windows).
+For a quickstart template of that scenario, see [Install a certificate from Azure Key Vault on a Virtual Machine](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/vm-winrm-keyvault-windows).
## Deploy key vaults and secrets
azure-resource-manager Linked Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/linked-templates.md
Title: Link templates for deployment
description: Describes how to use linked templates in an Azure Resource Manager template (ARM template) to create a modular template solution. Shows how to pass parameters values, specify a parameter file, and dynamically created URLs. Last updated 03/25/2021 -+ # Using linked and nested templates when deploying Azure resources
azure-resource-manager Scope Extension Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/scope-extension-resources.md
Title: Scope on extension resource types
description: Describes how to use the scope property when deploying extension resource types. Last updated 01/13/2021 -+ # Setting scope for extension resources in ARM templates
azure-resource-manager Secure Template With Sas Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/secure-template-with-sas-token.md
Title: Securely deploy template with SAS token
description: Deploy resources to Azure with an Azure Resource Manager template that is protected by a SAS token. Shows Azure PowerShell and Azure CLI. Last updated 08/25/2020 -+ # Deploy private ARM template with SAS token
azure-sql Arm Templates Content Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/arm-templates-content-guide.md
Title: Azure Resource Manager templates - Azure SQL Database & SQL Managed Instance
-description: Use Azure Resource Manager templates to create and configure Azure SQL Database and Azure SQL Managed Instance.
+description: Use Azure Resource Manager templates to create and configure Azure SQL Database and Azure SQL Managed Instance.
+ms.devlang:
The following table includes links to Azure Resource Manager templates for Azure
|Link |Description| |||
-| [SQL Database](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sql-database-transparent-encryption-create) | This Azure Resource Manager template creates a single database in Azure SQL Database and configures server-level IP firewall rules. |
-| [Server](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-logical-server) | This Azure Resource Manager template creates a server for Azure SQL Database. |
+| [SQL Database](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-database-transparent-encryption-create) | This Azure Resource Manager template creates a single database in Azure SQL Database and configures server-level IP firewall rules. |
+| [Server](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-logical-server) | This Azure Resource Manager template creates a server for Azure SQL Database. |
| [Elastic pool](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-elastic-pool-create) | This template allows you to deploy an elastic pool and to assign databases to it. |
-| [Failover groups](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-with-failover-group) | This template creates two servers, a single database, and a failover group in Azure SQL Database.|
-| [Threat Detection](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sql-threat-detection-db-policy-multiple-databases) | This template allows you to deploy a server and a set of databases with Threat Detection enabled, with an email address for alerts for each database. Threat Detection is part of the SQL Advanced Threat Protection (ATP) offering and provides a layer of security that responds to potential threats over servers and databases.|
-| [Auditing to Azure Blob storage](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sql-auditing-server-policy-to-blob-storage) | This template allows you to deploy a server with auditing enabled to write audit logs to a Blob storage. Auditing for Azure SQL Database tracks database events and writes them to an audit log that can be placed in your Azure storage account, OMS workspace, or Event Hubs.|
-| [Auditing to Azure Event Hub](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sql-auditing-server-policy-to-eventhub) | This template allows you to deploy a server with auditing enabled to write audit logs to an existing event hub. In order to send audit events to Event Hubs, set auditing settings with `Enabled` `State`, and set `IsAzureMonitorTargetEnabled` as `true`. Also, configure Diagnostic Settings with the `SQLSecurityAuditEvents` log category on the `master` database (for server-level auditing). Auditing tracks database events and writes them to an audit log that can be placed in your Azure storage account, OMS workspace, or Event Hubs.|
-| [Azure Web App with SQL Database](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-sql-database) | This sample creates a free Azure web app and a database in Azure SQL Database at the "Basic" service level.|
+| [Failover groups](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-with-failover-group) | This template creates two servers, a single database, and a failover group in Azure SQL Database.|
+| [Threat Detection](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-threat-detection-db-policy-multiple-databases) | This template allows you to deploy a server and a set of databases with Threat Detection enabled, with an email address for alerts for each database. Threat Detection is part of the SQL Advanced Threat Protection (ATP) offering and provides a layer of security that responds to potential threats over servers and databases.|
+| [Auditing to Azure Blob storage](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-auditing-server-policy-to-blob-storage) | This template allows you to deploy a server with auditing enabled to write audit logs to a Blob storage. Auditing for Azure SQL Database tracks database events and writes them to an audit log that can be placed in your Azure storage account, OMS workspace, or Event Hubs.|
+| [Auditing to Azure Event Hub](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-auditing-server-policy-to-eventhub) | This template allows you to deploy a server with auditing enabled to write audit logs to an existing event hub. In order to send audit events to Event Hubs, set auditing settings with `Enabled` `State`, and set `IsAzureMonitorTargetEnabled` as `true`. Also, configure Diagnostic Settings with the `SQLSecurityAuditEvents` log category on the `master` database (for server-level auditing). Auditing tracks database events and writes them to an audit log that can be placed in your Azure storage account, OMS workspace, or Event Hubs.|
+| [Azure Web App with SQL Database](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-sql-database) | This sample creates a free Azure web app and a database in Azure SQL Database at the "Basic" service level.|
| [Azure Web App and Redis Cache with SQL Database](https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-redis-cache-sql-database) | This template creates a web app, Redis Cache, and database in the same resource group and creates two connection strings in the web app for the database and Redis Cache.|
-| [Import data from Blob storage using ADF V2](https://github.com/Azure/azure-quickstart-templates/tree/master/101-data-factory-v2-blob-to-sql-copy) | This Azure Resource Manager template creates an instance of Azure Data Factory V2 that copies data from Azure Blob storage to SQL Database.|
+| [Import data from Blob storage using ADF V2](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.datafactory/101-data-factory-v2-blob-to-sql-copy) | This Azure Resource Manager template creates an instance of Azure Data Factory V2 that copies data from Azure Blob storage to SQL Database.|
| [HDInsight cluster with a database](https://github.com/Azure/azure-quickstart-templates/tree/master/101-hdinsight-linux-with-sql-database) | This template allows you to create an HDInsight cluster, a logical SQL server, a database, and two tables. This template is used by the [Use Sqoop with Hadoop in HDInsight article](../../hdinsight/hadoop/hdinsight-use-sqoop.md). | | [Azure Logic App that runs a SQL Stored Procedure on a schedule](https://github.com/Azure/azure-quickstart-templates/tree/master/101-logic-app-sql-proc) | This template allows you to create a logic app that will run a SQL stored procedure on schedule. Any arguments for the procedure can be put into the body section of the template.|
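Review bot: four rows in this table still link to the old flat paths while the rest move to `quickstarts/microsoft.*`: Elastic pool (`101-sql-elastic-pool-create`), Azure Web App and Redis Cache (`201-web-app-redis-cache-sql-database`), HDInsight cluster (`101-hdinsight-linux-with-sql-database`) and the Logic App row (`101-logic-app-sql-proc`). Check whether those folders moved as well and update them in the same change. The new Data Factory link keeps the `101-` prefix inside the new layout (`quickstarts/microsoft.datafactory/101-data-factory-v2-blob-to-sql-copy`), unlike every other updated row, so verify that it resolves.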
The following table includes links to Azure Resource Manager templates for Azure
|Link|Description| ||| | [SQL Managed Instance in a new VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sqlmi-new-vnet) | This Azure Resource Manager template creates a new configured Azure virtual network and managed instance in the virtual network. |
-| [Network environment for SQL Managed Instance](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-managed-instance-azure-environment) | This deployment will create a configured Azure virtual network with two subnets, one that will be dedicated to your managed instances and another where you can place other resources (for example VMs, App Service environments, etc.). This template will create a properly configured networking environment where you can deploy managed instances. |
-| [SQL Managed Instance with P2S connection](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sqlmi-new-vnet-w-point-to-site-vpn) | This deployment will create an Azure virtual network with two subnets, `ManagedInstance` and `GatewaySubnet`. SQL Managed Instance will be deployed in the ManagedInstance subnet. A virtual network gateway will be created in the `GatewaySubnet` subnet and configured for Point-to-Site VPN connection. |
-| [SQL Managed Instance with a virtual machine](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sqlmi-new-vnet-w-jumpbox) | This deployment will create an Azure virtual network with two subnets, `ManagedInstance` and `Management`. SQL Managed Instance will be deployed in the `ManagedInstance` subnet. A virtual machine with the latest version of SQL Server Management Studio (SSMS) will be deployed in the `Management` subnet. |
+| [Network environment for SQL Managed Instance](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-managed-instance-azure-environment) | This deployment will create a configured Azure virtual network with two subnets, one that will be dedicated to your managed instances and another where you can place other resources (for example VMs, App Service environments, etc.). This template will create a properly configured networking environment where you can deploy managed instances. |
+| [SQL Managed Instance with P2S connection](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sqlmi-new-vnet-w-point-to-site-vpn) | This deployment will create an Azure virtual network with two subnets, `ManagedInstance` and `GatewaySubnet`. SQL Managed Instance will be deployed in the ManagedInstance subnet. A virtual network gateway will be created in the `GatewaySubnet` subnet and configured for Point-to-Site VPN connection. |
+| [SQL Managed Instance with a virtual machine](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sqlmi-new-vnet-w-jumpbox) | This deployment will create an Azure virtual network with two subnets, `ManagedInstance` and `Management`. SQL Managed Instance will be deployed in the `ManagedInstance` subnet. A virtual machine with the latest version of SQL Server Management Studio (SSMS) will be deployed in the `Management` subnet. |
azure-sql Elastic Jobs Tsql Create Manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/elastic-jobs-tsql-create-manage.md
EXEC jobs.sp_add_jobstep
@output_credential_name = 'job_credential', @output_server_name = 'server1.database.windows.net', @output_database_name = '<resultsdb>',
-@output_table_name = '<resutlstable>';
+@output_table_name = '<resultstable>';
--Create a job to monitor pool performance
SELECT elastic_pool_name , end_time, elastic_pool_dtu_limit, avg_cpu_percent, av
@output_credential_name = 'job_credential', @output_server_name = 'server1.database.windows.net', @output_database_name = 'resultsdb',
-@output_table_name = 'resutlstable';
+@output_table_name = 'resultstable';
``` ## View job definitions
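Review bot: the two corrected `@output_table_name` values still use different placeholder conventions: the first job step passes `'<resultsdb>'` and `'<resultstable>'` in angle brackets, while the pool-performance step passes the literals `'resultsdb'` and `'resultstable'`. Since both lines are being edited for the `resutlstable` typo anyway, pick one convention so readers know whether they are expected to substitute their own names in both samples.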
azure-sql Transparent Data Encryption Byok Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/transparent-data-encryption-byok-configure.md
Check the following if an issue occurs:
# [The Azure CLI](#tab/azure-cli)
- ```powershell
+ ```azurecli
az account show - s <SubscriptionId> ```
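Review bot: the command under the retagged fence still reads `az account show - s <SubscriptionId>`, with a space between the hyphen and `s`, so the option would not parse as written. While this block is open, close up the option (`-s <SubscriptionId>`) or use the long form `--subscription <SubscriptionId>`. The change of fence tag from `powershell` to `azurecli` matches the tab heading and looks right.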
azure-sql Rhel High Availability Stonith Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/linux/rhel-high-availability-stonith-tutorial.md
To add the role, run the following command:
- Replace `<filename>` with the name of the file. - If you are executing the command from a path other than the folder that the file is saved to, include the folder path of the file in the command.
-```bash
+```azurecli-interactive
az role definition create --role-definition "<filename>.json" ```
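Review bot: tagging this fence `azurecli-interactive` adds a Try It button that runs the command in Cloud Shell, but the command reads a local file, `"<filename>.json"`, and the bullet above it tells the reader to include the folder path when running from another directory. In Cloud Shell that file will not exist unless it is uploaded first. Either use the plain `azurecli` tag, as the transparent-data-encryption change in this same batch does, or add a sentence telling readers to upload the role definition file before they run the command.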
azure-sql Sql Agent Extension Automatic Registration All Vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms.md
This article teaches you to enable the automatic registration feature. Alternati
Registering your SQL Server VM with the [SQL IaaS Agent extension](sql-server-iaas-agent-extension-automate-management.md) to unlock a full feature set of benefits.
-When automatic registration is enabled, a job runs daily to detect whether or not SQL Server is installed on all the unregistered VMs in the subscription. This is done by copying the SQL IaaS agent extension binaries to the VM, then running a one-time utility that checks for the SQL Server registry hive. If the SQL Server hive is detected, the virtual machine is registered with the extension in lightweight mode. If no SQL Server hive exists in the registry, the binaries are removed.
+When automatic registration is enabled, a job runs daily to detect whether or not SQL Server is installed on all the unregistered VMs in the subscription. This is done by copying the SQL IaaS agent extension binaries to the VM, then running a one-time utility that checks for the SQL Server registry hive. If the SQL Server hive is detected, the virtual machine is registered with the extension in lightweight mode. If no SQL Server hive exists in the registry, the binaries are removed. Automatic registration can take up to 4 days to detect newly created SQL Server VMs.
Once automatic registration is enabled for a subscription, all current and future VMs that have SQL Server installed will be registered with the SQL IaaS Agent extension **in lightweight mode without downtime, and without restarting the SQL Server service**. You still need to [manually upgrade to full manageability mode](sql-agent-extension-manually-register-single-vm.md#upgrade-to-full) to take advantage of the full feature set.
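Review bot: the added sentence "Automatic registration can take up to 4 days to detect newly created SQL Server VMs" sits in the same paragraph as "a job runs daily", and nothing explains how a daily job can take four days to find a new VM. State the reason for the lag, or reword the opening so the two figures do not read as contradictory. Readers who rely on registration for patching and backup coverage need to know how long a new VM can remain unmanaged.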
azure-vmware Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-identity.md
Title: Concepts - Identity and access description: Learn about the identity and access concepts of Azure VMware Solution Previously updated : 03/22/2021 Last updated : 05/11/2021 # Azure VMware Solution identity concepts
The private cloud user doesn't have access to and can't configure specific manag
You can view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware Solution private cloud vCenter.
-1. Log into the SDDC vSphere Client and go to **Menu** > **Administration**.
+1. Sign into the vSphere Client and go to **Menu** > **Administration**.
+ 1. Under **Access Control**, select **Roles**.+ 1. From the list of roles, select **CloudAdmin** and then select **Privileges**. :::image type="content" source="media/role-based-access-control-cloudadmin-privileges.png" alt-text="How to view the CloudAdmin role privileges in vSphere Client":::
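Review bot: the new step 1 uses "Sign into the vSphere Client", while other articles in this batch write "Sign in to the [Azure portal]"; "sign in" is the verb and "to" the preposition, so it should read "Sign in to the vSphere Client". The same wording appears in the context line "Sign into vCenter with cloudadmin\@vsphere.local" under **Create a custom role** and could be fixed in the same pass.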
The CloudAdmin role in Azure VMware Solution has the following privileges on vCe
Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role.
-The CloudAdmin role can create, modify, or delete custom roles that have privileges lesser than or equal to their current role. You may be able to create roles that have privileges greater than CloudAdmin but you will not be able to assign the role to any users or groups or delete the role.
+You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role. You can create roles with privileges greater than CloudAdmin, but you can't assign the role to any users or groups or delete the role.
-To prevent the creation of roles that can't be assigned or deleted, Azure VMware Solution recommends cloning the CloudAdmin role as the basis for creating new custom roles.
+To prevent creating roles that can't be assigned or deleted, clone the CloudAdmin role as the basis for creating new custom roles.
#### Create a custom role 1. Sign into vCenter with cloudadmin\@vsphere.local or a user with the CloudAdmin role.
-2. Navigate to the **Roles** configuration section and select **Menu** > **Administration** > **Access Control** > **Roles**.
-3. Select the **CloudAdmin** role and select the **Clone role action** icon.
- > [!NOTE]
- > Do not clone the **Administrator** role. This role cannot be used and the custom role created cannot be deleted by cloudadmin\@vsphere.local.
+1. Navigate to the **Roles** configuration section and select **Menu** > **Administration** > **Access Control** > **Roles**.
+
+1. Select the **CloudAdmin** role and select the **Clone role action** icon.
+
+ >[!NOTE]
+ >Don't clone the **Administrator** role because you can't use it. Also, the custom role created can't be deleted by cloudadmin\@vsphere.local.
-4. Provide the name you want for the cloned role.
-5. Add or remove privileges for the role and select **OK**. The cloned role should now be visible in the **Roles** list.
+1. Provide the name you want for the cloned role.
+1. Add or remove privileges for the role and select **OK**. The cloned role is visible in the **Roles** list.
-#### Use a custom role
-1. Navigate to the object that requires the added permission. For example, to apply the permission to a folder, navigate to **Menu** > **VMs and Templates** > **Folder Name**
+#### Apply a custom role
+
+1. Navigate to the object that requires the added permission. For example, to apply the permission to a folder, navigate to **Menu** > **VMs and Templates** > **Folder Name**.
+ 1. Right-click the object and select **Add Permission**.+ 1. In the **Add Permission** window, select the Identity Source in the **User** drop-down where the group or user can be found.+ 1. Search for the user or group after selecting the Identity Source under the **User** section. + 1. Select the role that will be applied for the user or group.
-1. Check the **Propagate to children** if needed, and select **OK**.
- The added permission displays in the **Permissions** section for the object.
+
+1. Check the **Propagate to children** if needed, and select **OK**. The added permission displays in the **Permissions** section.
## NSX-T Manager access and identity
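Review bot: the rewritten NOTE under the clone step, "Don't clone the **Administrator** role because you can't use it. Also, the custom role created can't be deleted by cloudadmin\@vsphere.local", is ambiguous about what "it" is. The removed text said the role cannot be used and the resulting custom role cannot be deleted; the new wording can be read as "you can't use the Administrator role" rather than "you can't use the clone". Name the object explicitly, for example "the cloned role can't be used or deleted". Separately, in "You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role", the pronoun "their" lost its antecedent when the subject changed to "you". Finally, "Check the **Propagate to children** if needed" is missing a noun such as "option", and a few words on what propagation grants would help readers keep the permission scoped to the intended object.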
To prevent the creation of roles that can't be assigned or deleted, Azure VMware
Use the *admin* account to access NSX-T Manager. It has full privileges and lets you create and manage Tier-1 (T1) Gateways, segments (logical switches), and all services. The privileges give you access to the NSX-T Tier-0 (T0) Gateway. A change to the T0 Gateway could result in degraded network performance or no private cloud access. Open a support request in the Azure portal to request any changes to your NSX-T T0 Gateway.
->[!TIP]
->You can use the [simplified NSX feature in the Azure portal](configure-nsx-network-components-azure-portal.md) as an alternative to using NSX-T Manager.
- ## Next steps
Now that you've covered Azure VMware Solution access and identity concepts, you
- [How to enable Azure VMware Solution resource](enable-azure-vmware-solution.md) - [Details of each privilege](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html) - [How Azure VMware Solution monitors and repairs private clouds](/azure/azure-vmware/concepts-private-clouds-clusters#host-monitoring-and-remediation)-- [How to enable Azure VMware Solution resource](enable-azure-vmware-solution.md)+ <!-- LINKS - external-->
azure-vmware Deploy Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/deploy-azure-vmware-solution.md
Title: Deploy and configure Azure VMware Solution description: Learn how to use the information gathered in the planning stage to deploy and configure the Azure VMware Solution private cloud. -+ Last updated 04/23/2021
azure-vmware Reset Vsphere Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/reset-vsphere-credentials.md
- Title: Reset vSphere credentials for Azure VMware Solution
-description: Learn how to reset vSphere credentials for your Azure VMware Solution private cloud and ensure the HCX connector has the latest vSphere credentials.
- Previously updated : 05/10/2021--
-# Reset vSphere credentials for Azure VMware Solution
-
-This article walks you through the steps to reset the vCenter Server and NSX-T Manager credentials for your Azure VMware Solution private cloud. It allows you to ensure the HCX connector has the latest vCenter Server credentials.
-
-In addition to this how-to, you can also view the video for [resetting the vCenter CloudAdmin & NSX-T Admin password](https://youtu.be/cK1qY3knj88).
-
-## Prerequisites
-
-If you use your cloudadmin credentials for connected services like HCX, vRealize Orchestrator, vRealize Operations Manager, or VMware Horizon, your connections will stop working once you update your password. Stop these services before initiating the password rotation. If you don't stop these services, you'll experience temporary locks on your vCenter CloudAdmin and NSX-T admin accounts, as these services continuously call using your old credentials. For more information about setting up separate accounts for connected services, see [Access and Identity Concepts](./concepts-identity.md).
-
-## Reset your Azure VMware Solution credentials
-
-In this step, you'll reset the credentials for your Azure VMware Solution components. Although your vCenter and NSX-T credentials don't expire, you can generate new passwords for these accounts.
-
-1. From the Azure portal, open an Azure Cloud Shell session.
-
-2. Run the following command to update your vCenter CloudAdmin password. You will need to replace {SubscriptionID}, {ResourceGroup}, and {PrivateCloudName} with the actual values of the private cloud that the CloudAdmin account belongs to.
-
- ```azurecli-interactive
- az resource invoke-action --action rotateVcenterPassword --ids "/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroup}/providers/Microsoft.AVS/privateClouds/{PrivateCloudName}" --api-version "2020-07-17-preview"
- ```
-
-3. Run the following command to update your NSX-T admin password. You will need to replace **{SubscriptionID}**, **{ResourceGroup}**, and **{PrivateCloudName}** with the actual values of the private cloud that the NSX-T admin account belongs to.
-
- ```azurecli-interactive
- az resource invoke-action --action rotateNSXTPassword --ids "/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroup}/providers/Microsoft.AVS/privateClouds/{PrivateCloudName}" --api-version "2020-07-17-preview"
- ```
-
-## Verify the HCX Connector has the latest vCenter Server credentials
-
-In this step, you'll verify that the HCX connector has the updated credentials.
-
-1. Once your password is changed, go to the on-premises HCX connector web interface using https://{ip of the HCX connector appliance}:443. Be sure to use port 443. Log in using your new credentials.
-
-2. On the VMware HCX Dashboard, select **Site Pairing**.
-
- :::image type="content" source="media/reset-vsphere-credentials/hcx-site-pairing.png" alt-text="Screenshot of VMware HCX Dashboard with Site Pairing highlighted.":::
-
-3. Select the correct connection to Azure VMware Solution (if there is more than one) and select **Edit Connection**.
-
-4. Provide the new vCenter Server CloudAdmin user credentials and select **Edit**, which saves the credentials. Save should show successful.
-
-## Next steps
-
-Now that you've covered resetting vCenter Server and NSX-T Manager credentials for Azure VMware Solution, you may want to learn about:
--- [Configuring NSX network components in Azure VMware Solution](configure-nsx-network-components-azure-portal.md).-- [Monitor and manage Azure VMware Solution VMs](lifecycle-management-of-azure-vmware-solution-vms.md).-- [Deploying disaster recovery of virtual machines using Azure VMware Solution](disaster-recovery-for-virtual-machines.md).
azure-vmware Rotate Cloudadmin Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/rotate-cloudadmin-credentials.md
+
+ Title: Rotate the cloudadmin credentials for Azure VMware Solution
+description: Learn how to rotate the vCenter Server and NSX-T Manager credentials for your Azure VMware Solution private cloud.
+ Last updated : 05/11/2021+
+#Customer intent: As an Azure service administrator, I want to rotate my cloudadmin credentials so that the HCX Connector has the latest vCenter CloudAdmin and NSX-T admin credentials.
+++
+# Rotate the cloudadmin credentials for Azure VMware Solution
+
+This article walks you through the steps to rotate the cloudadmin credentials for your Azure VMware Solution private cloud. Although your vCenter Server CloudAdmin and NSX-T Manager admin credentials don't expire, you can generate new passwords for these accounts. After rotating the credentials, you'll verify the HCX Connector has the latest vCenter Server credentials.
+
+You can also watch a video on how to [reset the vCenter CloudAdmin & NSX-T admin password](https://youtu.be/cK1qY3knj88).
+
+## Prerequisites
+
+If you use your cloudadmin credentials for connected services like HCX, vRealize Orchestrator, vRealize Operations Manager, or VMware Horizon, your connections stop working once you update your password. Stop these services before initiating the password rotation. Otherwise, you'll experience temporary locks on your vCenter CloudAdmin and NSX-T admin accounts, as these services continuously call using your old credentials. For more information about setting up separate accounts for connected services, see [Access and Identity Concepts](./concepts-identity.md).
+
+## Reset your Azure VMware Solution credentials
+
+In this step, you'll rotate the cloudadmin credentials for your Azure VMware Solution components.
+
+>[!NOTE]
+>Remember to replace **{SubscriptionID}**, **{ResourceGroup}**, and **{PrivateCloudName}** with you private cloud information.
+
+1. From the Azure portal, open an Azure Cloud Shell session.
+
+2. Update your vCenter CloudAdmin password.
+
+ ```azurecli-interactive
+ az resource invoke-action --action rotateVcenterPassword --ids "/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroup}/providers/Microsoft.AVS/privateClouds/{PrivateCloudName}" --api-version "2020-07-17-preview"
+ ```
+
+3. Update your NSX-T admin password.
+
+ ```azurecli-interactive
+ az resource invoke-action --action rotateNSXTPassword --ids "/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroup}/providers/Microsoft.AVS/privateClouds/{PrivateCloudName}" --api-version "2020-07-17-preview"
+ ```
+
+## Verify HCX Connector has the latest credentials
+
+In this step, you'll verify that the HCX Connector has the updated credentials.
+
+1. Go to the on-premises HCX Connector at https://{ip of the HCX connector appliance}:443 and sign in using the new credentials.
+
+ Be sure to use port 443.
+
+2. On the VMware HCX Dashboard, select **Site Pairing**.
+
+ :::image type="content" source="media/reset-vsphere-credentials/hcx-site-pairing.png" alt-text="Screenshot of VMware HCX Dashboard with Site Pairing highlighted.":::
+
+3. Select the correct connection to Azure VMware Solution and select **Edit Connection**.
+
+4. Provide the new vCenter Server CloudAdmin user credentials and select **Edit**, which saves the credentials. Save should show successful.
+
+## Next steps
+
+Now that you've covered resetting vCenter Server and NSX-T Manager credentials for Azure VMware Solution, you may want to learn about:
+
+- [Configure NSX network components in Azure VMware Solution](configure-nsx-network-components-azure-portal.md)
+- [Monitor and manage Azure VMware Solution VMs](lifecycle-management-of-azure-vmware-solution-vms.md)
+- [Deploy disaster recovery of virtual machines using Azure VMware Solution](disaster-recovery-for-virtual-machines.md)
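Review bot: the Prerequisites section tells readers to stop HCX, vRealize Orchestrator, vRealize Operations Manager, and VMware Horizon before rotating, but the procedure only verifies the HCX Connector afterwards and never says to update the stored credentials in the other services or to restart them. Add a closing step covering those services, otherwise the account lockouts the prerequisite warns about can recur once they are started with the old password. Smaller points in the same file: the NOTE reads "with you private cloud information" (should be "your"); the article is titled "Rotate" but the section heading is still "Reset your Azure VMware Solution credentials" and Next steps says "resetting"; and the image source still points at `media/reset-vsphere-credentials/hcx-site-pairing.png`, a folder named after the article this commit deletes, so confirm the media file is kept.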
backup Backup Rm Template Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-rm-template-samples.md
The following table includes links to Azure Resource Manager templates for use w
| Template | Description | ||| |**Recovery Services vault** | |
-| [Create a Recovery Services vault](https://github.com/Azure/azure-quickstart-templates/tree/master/101-recovery-services-vault-create)| Create a Recovery Services vault. The vault can be used for Azure Backup and Azure Site Recovery. |
+| [Create a Recovery Services vault](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.recoveryservices/recovery-services-vault-create)| Create a Recovery Services vault. The vault can be used for Azure Backup and Azure Site Recovery. |
|**Back up virtual machines**| | | [Back up Resource Manager VMs](https://github.com/Azure/azure-quickstart-templates/tree/master/101-recovery-services-backup-vms) | Use the existing Recovery Services vault and Backup policy to back up Resource Manager-virtual machines in the same resource group.| | [Back up IaaS VMs to Recovery Services vault](https://github.com/Azure/azure-quickstart-templates/tree/master/201-recovery-services-backup-classic-resource-manager-vms) | Template to back up classic and Resource Manager-virtual machines. |
-| [Create Weekly Backup policy for IaaS VMs](https://github.com/Azure/azure-quickstart-templates/tree/master/101-recovery-services-weekly-backup-policy-create) | Template creates Recovery Services vault and a weekly backup policy, which is used to back up classic and Resource Manager-virtual machines.|
+| [Create Weekly Backup policy for IaaS VMs](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.recoveryservices/recovery-services-weekly-backup-policy-create) | Template creates Recovery Services vault and a weekly backup policy, which is used to back up classic and Resource Manager-virtual machines.|
| [Create Daily Backup policy for IaaS VMs](https://github.com/Azure/azure-quickstart-templates/tree/master/101-recovery-services-daily-backup-policy-create) | Template creates Recovery Services vault and a daily backup policy, which is used to back up classic and Resource Manager-virtual machines.|
-| [Deploy Windows Server VM with backup enabled](https://github.com/Azure/azure-quickstart-templates/tree/master/101-recovery-services-create-vm-and-configure-backup) | Template creates a Windows Server VM and Recovery Services vault with the default backup policy enabled.|
+| [Deploy Windows Server VM with backup enabled](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.recoveryservices/recovery-services-create-vm-and-configure-backup) | Template creates a Windows Server VM and Recovery Services vault with the default backup policy enabled.|
|**Monitor Backup jobs** | | | [Use Azure Monitor logs with Azure Backup](https://github.com/Azure/azure-quickstart-templates/tree/master/101-backup-oms-monitoring) | Template deploys Azure Monitor logs with Azure Backup, which allows you to monitor backup and restore jobs, backup alerts, and the Cloud storage used in your Recovery Services vaults.| |**Back up SQL Server in Azure VM** | |
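Review bot: only three of the template links in this table were moved to the `quickstarts/microsoft.recoveryservices/` path. The rows for `101-recovery-services-backup-vms`, `201-recovery-services-backup-classic-resource-manager-vms`, `101-recovery-services-daily-backup-policy-create`, and `101-backup-oms-monitoring` still use the old numbered folder names. Check whether those templates were also relocated in the quickstart repository and update them in the same change if so, to avoid a table where some links resolve and others do not.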
batch Batch Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-diagnostics.md
To configure a metric alert in the Azure portal:
For more information about creating metric alerts, see [Understand how metric alerts work in Azure Monitor](../azure-monitor/alerts/alerts-metric-overview.md) and [Create, view, and manage metric alerts using Azure Monitor](../azure-monitor/alerts/alerts-metric.md).
-You can also configure a near real-time alert using the [Azure Monitor REST API](/rest/api/monitor/). For more information, see [Overview of alerts in Microsoft Azure](../azure-monitor/alerts/alerts-overview.md). To include job, task, or pool-specific information in your alerts, see [Respond to events with Azure Monitor Alerts](../azure-monitor/alerts/tutorial-response.md).
+You can also configure a near real-time alert using the [Azure Monitor REST API](/rest/api/monitor/). For more information, see [Overview of alerts in Microsoft Azure](../azure-monitor/alerts/alerts-overview.md). To include job, task, or pool-specific information in your alerts, see [Azure Monitor log Alerts](../azure-monitor/alerts/alerts-log.md).
## Batch diagnostics
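Review bot: the replacement link text "Azure Monitor log Alerts" has inconsistent capitalization ("log alerts" would match the other link titles in the sentence), and the sentence still promises guidance on including "job, task, or pool-specific information in your alerts". Confirm that `alerts-log.md` actually covers customizing alert content; if it only describes log alert rules, reword the lead-in so it does not promise more than the target article delivers.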
blockchain Configure Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/configure-aad.md
Title: Configure Azure Active Directory access - Azure Blockchain Service description: How to configure Azure Blockchain Service with Azure Active Directory access Previously updated : 11/22/2019 Last updated : 05/11/2021 #Customer intent: As a node operator, I want to configure Azure Blockchain Service with Azure Active Directory access.
In this article, you learn how to grant access and connect to Azure Blockchain Service nodes using Azure Active Directory (Azure AD) user, group, or application IDs. + Azure AD provides cloud-based identity management and allows you to use a single identity across an entire enterprise and access applications in Azure. Azure Blockchain Service is integrated with Azure AD and offers benefits such as ID federation, single sign-on and multi-factor authentication. ## Prerequisites
The follow the quickstart section in the **readme** to build the connector from
1. Run the following command to authenticate using an Azure AD user account. Replace \<myAADDirectory\> with an Azure AD domain. For example, `yourdomain.onmicrosoft.com`. ```
- connector.exe -remote <myMemberName>.blockchain.azure.com:3200 -method aadauthcode -tenant-id <myAADDirectory>
+ connector.exe -remote <myMemberName>.blockchain.azure.com:3200 -method aadauthcode -tenant-id <myAADDirectory>
``` 1. Azure AD prompts for credentials.
blockchain Configure Transaction Nodes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/configure-transaction-nodes.md
Title: Configure Azure Blockchain Service transaction nodes description: How to configure Azure Blockchain Service transaction nodes Previously updated : 11/20/2019 Last updated : 05/11/2021 #Customer intent: As a network operator, I want to use the Azure portal to create and configure transaction nodes.
Transaction nodes are used to send blockchain transactions to Azure Blockchain Service through a public endpoint. The default transaction node contains the private key of the Ethereum account registered on the blockchain, and as such cannot be deleted. + To view the default transaction node details: 1. Sign in to the [Azure portal](https://portal.azure.com).
You can view a transaction node's access key details and copy endpoint addresses
### Firewall rules
-Firewall rules enable you to limit the IP addresses that can attempt to authenticate to your transaction node. If no firewall rules are configured for your transaction node, it cannot be accessed by any party.
+Firewall rules enable you to limit the IP addresses that can attempt to authenticate to your transaction node. If no firewall rules are configured for your transaction node, it cannot be accessed by any party.
To view a transaction node's firewall rules, navigate to one of your Azure Blockchain Service member transaction nodes and select **Firewall rules** in settings.
blockchain Connect Geth https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/connect-geth.md
In this quickstart, you use the Geth client to attach to a Geth instance on an Azure Blockchain Service transaction node. Once attached, you use the Geth console to call an Ethereum JavaScript API. + [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] ## Prerequisites
blockchain Connect Metamask https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/connect-metamask.md
In this quickstart you'll use MetaMask to connect to an Azure Blockchain Service network and use Remix to deploy a smart contract. Metamask is a browser extension to manage an Ether wallet and perform smart contract actions. + [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] ## Prerequisites
Remix is a browser-based Solidity development environment. Using MetaMask and Re
```solidity pragma solidity ^0.5.0;
-
+ contract simple { uint balance;
-
+ constructor() public{ balance = 0; }
-
+ function add(uint _num) public { balance += _num; }
-
+ function get() public view returns (uint){ return balance; }
blockchain Connect Vscode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/connect-vscode.md
In this quickstart, you install and use the Azure Blockchain Development Kit for Ethereum Visual Studio Code (VS Code) extension to attach to a consortium on Azure Blockchain Service. The Azure Blockchain Development Kit simplifies how you create, connect, build, and deploy smart contracts on Ethereum blockchain ledgers. + [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] ## Prerequisites
blockchain Create Member Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-cli.md
In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using Azure CLI. + [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] ## Prerequisites
blockchain Create Member Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-powershell.md
In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using Azure PowerShell. + ## Prerequisites If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account
blockchain Create Member Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member-template.md
Title: Create an Azure Blockchain Service member by using Azure Resource Manager template description: Learn how to create an Azure Blockchain Service member by using Azure Resource Manager template. Previously updated : 09/16/2020 Last updated : 05/11/2021
# Quickstart: Create an Azure Blockchain Service member using an ARM template
-In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using an Azure Resource Manager template (ARM template). An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network. When provisioning a member, you can create or join a consortium network. You need at least one member for a consortium network. The number of blockchain members needed by participants depends on your scenario. Consortium participants may have one or more blockchain members or they may share members with other participants. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
+In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using an Azure Resource Manager template (ARM template).
++
+An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network. When provisioning a member, you can create or join a consortium network. You need at least one member for a consortium network. The number of blockchain members needed by participants depends on your scenario. Consortium participants may have one or more blockchain members or they may share members with other participants. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
[!INCLUDE [About Azure Resource Manager](../../../includes/resource-manager-quickstart-introduction.md)] If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.
-[![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-blockchain-asaservice%2Fazuredeploy.json)
+[![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.blockchain%2Fblockchain-asaservice%2Fazuredeploy.json)
## Prerequisites
If you don't have an Azure subscription, create a [free](https://azure.microsoft
The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/201-blockchain-asaservice/). Azure resources defined in the template:
Azure resources defined in the template:
1. Select the following link to sign in to Azure and open a template.
- [![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F201-blockchain-asaservice%2Fazuredeploy.json)
+ [![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.blockchain%2Fblockchain-asaservice%2FFazuredeploy.json)
1. Specify the settings for the Azure Blockchain Service member.
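Review bot: the updated Deploy to Azure link in the deployment step ends in `blockchain-asaservice%2FFazuredeploy.json`, with a doubled `F` after the encoded slash, so it decodes to `/Fazuredeploy.json` and will not resolve to the template. The first button near the top of the article uses `blockchain-asaservice%2Fazuredeploy.json`; make the second one match. The context line that links to `https://azure.microsoft.com/resources/templates/201-blockchain-asaservice/` also still uses the old numbered name and is worth checking against the new `quickstarts/microsoft.blockchain/` location.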
blockchain Create Member https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/create-member.md
In this quickstart, you deploy a new blockchain member and consortium in Azure Blockchain Service using the Azure portal. + [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] ## Prerequisites
None.
## Create a blockchain member
-An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network. When provisioning a member, you can create or join a consortium network. You need at least one member for a consortium network. The number of blockchain members needed by participants depends on your scenario. Consortium participants may have one or more blockchain members or they may share members with other participants. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
+An Azure Blockchain Service member is a blockchain node in a private consortium blockchain network.
+
+When provisioning a member, you can create or join a consortium network. You need at least one member for a consortium network. The number of blockchain members needed by participants depends on your scenario. Consortium participants may have one or more blockchain members or they may share members with other participants. For more information on consortia, see [Azure Blockchain Service consortium](consortium.md).
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select **Create a resource** in the upper left-hand corner of the Azure portal.
blockchain Data Manager Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-manager-cli.md
Configure Blockchain Data Manager for Azure Blockchain Service to capture blockchain data send it to an Azure Event Grid Topic. + To configure a Blockchain Data Manager instance, you: * Create a Blockchain Manager instance
blockchain Data Manager Cosmosdb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-manager-cosmosdb.md
# Tutorial: Use Blockchain Data Manager to send data to Azure Cosmos DB
-In this tutorial, you use Blockchain Data Manager for Azure Blockchain Service to record blockchain transaction data in Azure Cosmos DB. Blockchain Data Manager captures, transforms, and delivers blockchain ledger data to Azure Event Grid Topics. From Azure Event Grid, you use an Azure Logic App connector to create documents in an Azure Cosmos DB database. When finished with tutorial, you can explore blockchain transaction data in Azure Cosmos DB Data Explorer.
+In this tutorial, you use Blockchain Data Manager for Azure Blockchain Service to record blockchain transaction data in Azure Cosmos DB.
++
+Blockchain Data Manager captures, transforms, and delivers blockchain ledger data to Azure Event Grid Topics. From Azure Event Grid, you use an Azure Logic App connector to create documents in an Azure Cosmos DB database. When finished with tutorial, you can explore blockchain transaction data in Azure Cosmos DB Data Explorer.
[![Screenshot shows blockchain transaction details.](./media/data-manager-cosmosdb/raw-msg.png)](./media/data-manager-cosmosdb/raw-msg.png#lightbox)
blockchain Data Manager Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/data-manager-portal.md
Configure Blockchain Data Manager for Azure Blockchain Service to capture blockchain data and send it to an Azure Event Grid Topic. + To configure a Blockchain Data Manager instance, you: * Create a Blockchain Data Manager instance for an Azure Blockchain Service transaction node
blockchain Ethereum Logic App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/ethereum-logic-app.md
# Use the Ethereum Blockchain connector with Azure Logic Apps
-Use the [Ethereum Blockchain connector](/connectors/blockchainethereum/) with [Azure Logic Apps](../../logic-apps/index.yml) to perform smart contract actions and respond to smart contract events. This article explains how you might use the Ethereum Blockchain connector to send blockchain information to another service or call a blockchain function. For example, let's say you want to create a REST-based microservice that returns information from a blockchain ledger. By using a logic app, you can accept HTTP requests that query information stored in a blockchain ledger.
+Use the [Ethereum Blockchain connector](/connectors/blockchainethereum/) with [Azure Logic Apps](../../logic-apps/index.yml) to perform smart contract actions and respond to smart contract events.
++
+This article explains how you might use the Ethereum Blockchain connector to send blockchain information to another service or call a blockchain function. For example, let's say you want to create a REST-based microservice that returns information from a blockchain ledger. By using a logic app, you can accept HTTP requests that query information stored in a blockchain ledger.
## Prerequisites
blockchain Manage Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/manage-cli.md
In addition to the Azure portal, you can use Azure CLI to manage blockchain members and transaction nodes for your Azure Blockchain Service. ## Launch Azure Cloud Shell The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
az blockchain member update \
| **name** | Name that identifies your Azure Blockchain Service member. | | **password** | The password for the member's default transaction node. Use the password for basic authentication when connecting to blockchain member's default transaction node public endpoint. The password must meet three of the following four requirements: length needs to be between 12 & 72 characters, 1 lower case character, 1 upper case character, 1 number, and 1 special character that is not number sign(#), percent(%), comma(,), star(*), back quote(\`), double quote("), single quote('), dash(-) and semicolumn(;)| | **consortium-management-account-password** | The consortium account password is also known as the member account password. The member account password is used to encrypt the private key for the Ethereum account that is created for your member. You use the member account and member account password for consortium management. |
-| **firewall-rules** | Start and end IP address for IP allow list. |
+| **firewall-rules** | Start and end IP address for IP allowlist. |
## Create transaction node
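Review bot: The **password** row directly above the changed **firewall-rules** line says the password "must meet three of the following four requirements" but then lists five items (length, lower case, upper case, number, special character). It also spells semicolon as "semicolumn". Because this row defines the credential used for basic authentication to the transaction node endpoint, correct the count or state the length rule separately, whichever matches the service, and fix the spelling alongside the allowlist wording change.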
blockchain Manage Consortium Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/manage-consortium-powershell.md
# Manage consortium members in Azure Blockchain Service using PowerShell
-You can use PowerShell to manage blockchain consortium members for your Azure Blockchain Service. Members who have administrator privileges can invite, add, remove, and change roles for all participants in the blockchain consortium. Members who have user privileges can view all participants in the blockchain consortium and change their member display name.
+You can use PowerShell to manage blockchain consortium members for your Azure Blockchain Service.
++
+Members who have administrator privileges can invite, add, remove, and change roles for all participants in the blockchain consortium. Members who have user privileges can view all participants in the blockchain consortium and change their member display name.
## Prerequisites
blockchain Migration Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/migration-guide.md
There are several blockchain resource management templates you can use to deploy
If you are starting to develop a new solution or are in an evaluation phase, consider the following alternatives based on your scenario requirements. -- [Quorum template from Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/consensys.quorum-dev-quickstart?tab=Overview)-- [Besu template from Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/consensys.hyperledger-besu-quickstart?tab=Overview)
+- [Quorum template from Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/consensys.quorum-dev-quickstart)
+- [Besu template from Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/consensys.hyperledger-besu-quickstart)
### How to migrate to an alternative
blockchain Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/overview.md
# What is Azure Blockchain Service?
-Azure Blockchain Service is a fully managed ledger service that gives users the ability to grow and operate blockchain networks at scale in Azure. By providing unified control for both infrastructure management as well as blockchain network governance, Azure Blockchain Service provides:
+Azure Blockchain Service is a fully managed ledger service that gives users the ability to grow and operate blockchain networks at scale in Azure.
++
+By providing unified control for both infrastructure management as well as blockchain network governance, Azure Blockchain Service provides:
* Simple network deployment and operations * Built-in consortium management
Deploying Azure Blockchain Service is done through the Azure portal, Azure CLI,
### Performance and service tiers
-Azure Blockchain Service offers two service tiers: *Basic* and *Standard*. Each tier offers different performance and capabilities to support lightweight development and test workloads up to massively scaled production blockchain deployments. Use the *Basic* tier for development, testing, and proof of concepts. Use the *Standard* tier for production grade deployments. Both tiers include at least one transaction node, and one validator node (Basic) or two validator nodes (Standard).
+Azure Blockchain Service offers two service tiers: *Basic* and *Standard*. Each tier offers different performance and capabilities to support lightweight development and test workloads up to massively scaled production blockchain deployments. Use the *Basic* tier for development, testing, and proof of concepts. Use the *Standard* tier for production grade deployments. Both tiers include at least one transaction node, and one validator node (Basic) or two validator nodes (Standard).
![Pricing tiers](./media/overview/pricing-tiers.png)
blockchain Send Transaction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/send-transaction.md
In this tutorial, use the Azure Blockchain Development Kit for Ethereum extension in Visual Studio Code to create, build, and deploy a smart contract on Azure Blockchain Service. You also use the development kit to execute a smart contract function via a transaction. + You use Azure Blockchain Development Kit for Ethereum to: > [!div class="checklist"]
The **HelloBlockchain** contract's **SendRequest** function changes the **Reques
```javascript var HelloBlockchain = artifacts.require("HelloBlockchain");
-
+ module.exports = function(done) { console.log("Getting the deployed version of the HelloBlockchain smart contract") HelloBlockchain.deployed().then(function(instance) {
Smart contract functions can return the current value of state variables. Let's
```javascript var HelloBlockchain = artifacts.require("HelloBlockchain");
-
+ module.exports = function(done) { console.log("Getting the deployed version of the HelloBlockchain smart contract") HelloBlockchain.deployed().then(function(instance) {
blockchain Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/service/whats-new.md
Azure Blockchain Service receives improvements on an ongoing basis. To stay up t
+## May 2021
++ ## June 2020 ### Version upgrades
In Quorum v2.6.0, calls to *eth.estimateGas* function without providing the addi
### Mining stops if fewer than four validator nodes
-Production networks should have at least four validator nodes. Quorum recommends at least four validator nodes are required to meet the IBFT crash fault tolerance (3F+1). You should have at least two Azure Blockchain Service *Standard* tier nodes to get four validator nodes. A standard node is provisioned with two validator nodes.
+Production networks should have at least four validator nodes. Quorum recommends at least four validator nodes are required to meet the IBFT crash fault tolerance (3F+1). You should have at least two Azure Blockchain Service *Standard* tier nodes to get four validator nodes. A standard node is provisioned with two validator nodes.
-If the Blockchain network on Azure Blockchain Service doesnΓÇÖt have four validator nodes, then mining might stop on the network. You can detect mining has stopped by setting an alert on processed blocks. In a healthy network, processed block will be 60 blocks per node per five minutes.
+If the Blockchain network on Azure Blockchain Service doesn't have four validator nodes, then mining might stop on the network. You can detect mining has stopped by setting an alert on processed blocks. In a healthy network, processed block will be 60 blocks per node per five minutes.
As a mitigation, the Azure Blockchain Service team has to restart the node. Customers need to open a support request to restart the node. The Azure Blockchain Service team is working toward detecting and fixing mining issues automatically.
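Review bot: Both changed paragraphs under "Mining stops if fewer than four validator nodes" keep wording that should be fixed while the lines are open. "Quorum recommends at least four validator nodes are required to meet" is ungrammatical; suggest "Quorum recommends at least four validator nodes to meet". The sentence "processed block will be 60 blocks per node per five minutes" gives the healthy rate but never states the alert condition, so add a sentence saying which threshold on processed blocks should raise the alert.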
To identify geth crashes, you can check logs for any error message in Blockchain
To mitigate the issue, send signed transactions instead of sending unsigned transactions with a command to unlock the account. For transactions that are already signed externally, there is no need to unlock the account.
-If you want to send unsigned transactions, unlock the account for infinite time by sending 0 as the time parameter in the unlock command. You can lock the account back after all the transactions are submitted.
+If you want to send unsigned transactions, unlock the account for infinite time by sending 0 as the time parameter in the unlock command. You can lock the account back after all the transactions are submitted.
The following are the geth parameters that Azure Blockchain Service uses. You cannot adjust these parameters.
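Review bot: The changed sentence on unsigned transactions still presents re-locking as optional ("You can lock the account back after all the transactions are submitted"), immediately after telling readers to unlock the account for infinite time by sending 0 as the time parameter. Make the lock step an explicit instruction, for example "Lock the account again as soon as all the transactions are submitted", so the indefinitely unlocked state is not left in place. The preceding paragraph already names signed transactions as the mitigation, so this sentence should read as the fallback.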
blockchain Integration Patterns https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/blockchain/workbench/integration-patterns.md
change occurs following the previous process where -
smart contract, enabling other functions to now be executed as appropriate.
-###
- ### Delivery of a message in a format unknown to Azure Blockchain Workbench ![Unknown message format](./media/integration-patterns/unknown-message-format.png)
cdn Create Profile Endpoint Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/create-profile-endpoint-template.md
na
ms.devlang: na Previously updated : 06/25/2020 Last updated : 05/10/2021
Get started with Azure Content Delivery Network (CDN) by using an Azure Resource
If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.
-[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-cdn-with-custom-origin%2Fazuredeploy.json)
+[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cdn%2Fcdn-with-custom-origin%2Fazuredeploy.json)
## Prerequisites
This template is configured to create a:
* Profile * Endpoint One Azure resource is defined in the template:
One Azure resource is defined in the template:
```azurecli-interactive read -p "Enter the location (i.e. eastus): " location resourceGroupName="myResourceGroupCDN"
-templateUri="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-cdn-with-custom-origin/azuredeploy.json"
+templateUri="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.cdn/cdn-with-custom-origin/azuredeploy.json"
az group create \ --name $resourceGroupName \
az deployment group create \
```azurepowershell-interactive $location = Read-Host -Prompt "Enter the location (i.e. eastus)"
-$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-cdn-with-custom-origin/azuredeploy.json"
+$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.cdn/cdn-with-custom-origin/azuredeploy.json"
$resourceGroupName = "myResourceGroupCDN"
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri
### Portal
-[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-cdn-with-custom-origin%2Fazuredeploy.json)
+[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cdn%2Fcdn-with-custom-origin%2Fazuredeploy.json)
## Review deployed resources
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri
When no longer needed, you can use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group and all resources contained within.
-```azurecli-interactive
+```azurecli-interactive
az group delete \ --name myResourceGroupCDN ```
When no longer needed, you can use the [az group delete](/cli/azure/group#az_gro
When no longer needed, you can use the [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) command to remove the resource group and all resources contained within.
-```azurepowershell-interactive
+```azurepowershell-interactive
Remove-AzResourceGroup -Name myResourceGroupCDN ```
certification Tutorial 01 Creating Your Project https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/certification/tutorial-01-creating-your-project.md
In this tutorial, you will learn how to:
## Prerequisites -- You'll need a valid work/school [Azure Active Directory account](../active-directory/fundamentals/active-directory-whatis.md).-- You'll need a verified Microsoft Partner Network (MPN) account. If you don't have an MPN account, [join the partner network](https://partner.microsoft.com/) before you begin.+
+- Valid work/school [Azure Active Directory account](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis).
+- Verified Microsoft Partner Network (MPN) account. If you don't have an MPN account, [join the partner network](https://partner.microsoft.com/) before you begin.
+
+> [!NOTE]
+> If you're having problems setting up or validating your MPN account, see the [Partner Center Support](https://docs.microsoft.com/partner-center) documentation.
+ ## Signing into the Azure Certified Device portal
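Review bot: The new prerequisite bullet and the NOTE link with absolute `https://docs.microsoft.com/...` URLs, where the removed line used the relative path `../active-directory/fundamentals/active-directory-whatis.md`. Keep the relative form for the Azure Active Directory link, consistent with the other links in these articles. The Partner Center Support link points at the `/partner-center` root, not at a support article; link the specific page a reader with an MPN validation problem should land on.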
Then, you must supply basic device information. You can to edit this information
You are now ready to add device details and test your device using our certification service. Advance to the next article to learn how to edit your device details. > [!div class="nextstepaction"]
-> [Tutorial: Adding device details](tutorial-02-adding-device-details.md)
+> [Tutorial: Adding device details](tutorial-02-adding-device-details.md)
cognitive-services FAQ https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/FAQ.md
**Question**: *Can I deploy the OCR (Read) capability on-premise?*
-**Answer**: Yes, the OCR (Read) cloud API is also available as a Docker container for on-premise deployment. Learn [how to deploy the OCR containers](/computer-vision-how-to-install-containers).
+**Answer**: Yes, the OCR (Read) cloud API is also available as a Docker container for on-premise deployment. Learn [how to deploy the OCR containers](/azure/cognitive-services/computer-vision/computer-vision-how-to-install-containers).
cognitive-services How To Speech Synthesis Viseme https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-speech-synthesis-viseme.md
zone_pivot_groups: programming-languages-speech-services-nomore-variant
# Get facial pose events > [!NOTE]
-> Viseme events are only available for `en-US-AriaNeural` voice for now.
+> Viseme events are only available for `en-US` English (United States) [neural voices](language-support.md#text-to-speech) for now.
A _viseme_ is the visual description of a phoneme in spoken language. It defines the position of the face and mouth when speaking a word.
cognitive-services Text To Speech https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/text-to-speech.md
This documentation contains the following article types:
* Adjust speaking styles with SSML - Speech Synthesis Markup Language (SSML) is an XML-based markup language used to customize speech-to-text outputs. With SSML, you can adjust pitch, add pauses, improve pronunciation, speed up or slow down speaking rate, increase or decrease volume, and attribute multiple voices to a single document. See the [how-to](speech-synthesis-markup.md) for adjusting speaking styles.
-* Visemes - [Visemes](how-to-speech-synthesis-viseme.md) are the key poses in observed speech, including the position of the lips, jaw and tongue when producing a particular phoneme. Visemes have a strong correlation with voices and phonemes. Using viseme events in Speech SDK, you can generate facial animation data, which can be used to animate faces in lip-reading communication, education, entertainment, and customer service.
-
-> [!NOTE]
-> Viseme events are currently only supported for the `en-US-AriaNeural` voice.
+* Visemes - [Visemes](how-to-speech-synthesis-viseme.md) are the key poses in observed speech, including the position of the lips, jaw and tongue when producing a particular phoneme. Visemes have a strong correlation with voices and phonemes. Using viseme events in Speech SDK, you can generate facial animation data, which can be used to animate faces in lip-reading communication, education, entertainment, and customer service. Viseme is currently only supported for the `en-US` English (United States) [neural voices](language-support.md#text-to-speech).
## Get started
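Review bot: The unchanged bullet directly above the edited Visemes bullet describes SSML as customizing "speech-to-text outputs", which in this text-to-speech overview should read text-to-speech output. In the edited bullet, "Viseme is currently only supported for" should be "Viseme events are currently only supported for", matching the wording of the NOTE being folded in and the how-to article's own note.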
cognitive-services Cognitive Services Apis Create Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-apis-create-account.md
At this time, the multi-service resource enables access to the following Cogniti
* **Vision** - Computer Vision, Custom Vision, Form Recognizer, Face * **Speech** - Speech * **Language** - Language Understanding (LUIS), Text Analytics, Translator
-* **Decision** - Personalizer, Content Moderator
+* **Decision** - Content Moderator
### [Single-service resource](#tab/singleservice)
container-instances Container Instances Samples Rm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/container-instances-samples-rm.md
You have several options for deploying resources with Resource Manager templates
<!-- LINKS - External --> [app-nav]: https://github.com/Azure/azure-quickstart-templates/tree/master/101-aci-dynamicsnav [app-wp]: https://github.com/Azure/azure-quickstart-templates/tree/master/201-aci-wordpress
-[az-files]: https://github.com/Azure/azure-quickstart-templates/tree/master/101-aci-storage-file-share
-[net-publicip]: https://github.com/Azure/azure-quickstart-templates/tree/master/101-aci-linuxcontainer-public-ip
-[net-udp]: https://github.com/Azure/azure-quickstart-templates/tree/master/201-aci-udp
+[az-files]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-storage-file-share
+[net-publicip]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-linuxcontainer-public-ip
+[net-udp]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-udp
[net-vnet]: https://github.com/Azure/azure-quickstart-templates/tree/master/101-aci-vnet [repo]: https://github.com/Azure/azure-quickstart-templates
-[vol-emptydir]: https://github.com/Azure/azure-quickstart-templates/tree/master/201-aci-linuxcontainer-volume-emptydir
-[vol-gitrepo]: https://github.com/Azure/azure-quickstart-templates/tree/master/201-aci-linuxcontainer-volume-gitrepo
-[vol-secret]: https://github.com/Azure/azure-quickstart-templates/tree/master/201-aci-linuxcontainer-volume-secret
+[vol-emptydir]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-linuxcontainer-volume-emptydir
+[vol-gitrepo]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-linuxcontainer-volume-gitrepo
+[vol-secret]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-linuxcontainer-volume-secret
<!-- LINKS - Internal --> [deploy-cli]: ../azure-resource-manager/templates/deploy-cli.md
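Review bot: Three link definitions in this block stay on the old numbered paths while their neighbours move to `quickstarts/microsoft.containerinstance/...`: `[app-nav]` (`101-aci-dynamicsnav`), `[app-wp]` (`201-aci-wordpress`) and `[net-vnet]` (`101-aci-vnet`). Confirm those folders were not renamed in the same restructure of the quickstart repository, and update them in this commit if they were, so that the sample table does not mix working and dead links.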
container-instances Tutorial Docker Compose https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/tutorial-docker-compose.md
az acr repository show --name <acrName> --repository azure-vote-front
[!INCLUDE [container-instances-create-docker-context](../../includes/container-instances-create-docker-context.md)]
-## Deploy application to Azure Container instances
+## Deploy application to Azure Container Instances
Next, change to the ACI context. Subsequent Docker commands run in this context.
In this tutorial, you used Docker Compose to switch from running a multi-contain
You can also use the [Docker extension for Visual Studio Code](https://aka.ms/VSCodeDocker) for an integrated experience to develop, run, and manage containers, images, and contexts.
-If you want to take advantage of more features in Azure Container Instances, use Azure tools to specify a multi-container group. For example, see the tutorials to deploy a container group using the Azure CLI with a [YAML file](container-instances-multi-container-yaml.md), or deploy using an [Azure Resource Manager template](container-instances-multi-container-group.md).
+If you want to take advantage of more features in Azure Container Instances, use Azure tools to specify a multi-container group. For example, see the tutorials to deploy a container group using the Azure CLI with a [YAML file](container-instances-multi-container-yaml.md), or deploy using an [Azure Resource Manager template](container-instances-multi-container-group.md).
cosmos-db Create Website https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-website.md
The resulting deployment has a fully functional web application that can connect
## Step 1: Deploy the template
-First, select the **Deploy to Azure** button below to open the Azure portal to create a custom deployment. You can also view the Azure Resource Management template from the [Azure Quickstart Templates Gallery](https://github.com/Azure/azure-quickstart-templates/tree/master/101-cosmosdb-webapp)
+First, select the **Deploy to Azure** button below to open the Azure portal to create a custom deployment. You can also view the Azure Resource Management template from the [Azure Quickstart Templates Gallery](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.documentdb/cosmosdb-webapp)
-[:::image type="content" source="../media/template-deployments/deploy-to-azure.svg" alt-text="Deploy to Azure":::](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-cosmosdb-webapp%2Fazuredeploy.json)
+[:::image type="content" source="../media/template-deployments/deploy-to-azure.svg" alt-text="Deploy to Azure":::](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.documentdb%2Fcosmosdb-webapp%2Fazuredeploy.json)
Once in the Azure portal, select the subscription to deploy into and select or create a new resource group. Then fill in the following values.
Lastly, we need to deploy the web application from GitHub into the App Service.
Congratulations! You've deployed Azure Cosmos DB, Azure App Service, and a sample web application that automatically has the connection info necessary to connect to Cosmos DB, all in a single operation and without having to cut and paste sensitive information. Using this template as a starting point, you can modify it to deploy your own web applications the same way.
-* For the Azure Resource Manager Template for this sample go to [Azure Quickstart Templates Gallery](https://github.com/Azure/azure-quickstart-templates/tree/master/101-cosmosdb-webapp)
+* For the Azure Resource Manager Template for this sample go to [Azure Quickstart Templates Gallery](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.documentdb/cosmosdb-webapp)
* For the source code for the sample app go to [Cosmos DB To Do App on GitHub](https://github.com/Azure-Samples/cosmos-dotnet-core-todo-app).
cosmos-db Troubleshoot Request Rate Too Large https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/troubleshoot-request-rate-too-large.md
-# Diagnose and troubleshoot Azure Cosmos DB request rate too large exceptions
+# Diagnose and troubleshoot Azure Cosmos DB request rate too large (429) exceptions
[!INCLUDE[appliesto-sql-api](includes/appliesto-sql-api.md)]
-A "Request rate too large" message or error code 429 indicates that your requests are being throttled.
+This article contains known causes and solutions for various 429 status code errors for the SQL API. If you are using the API for MongoDB, see the [Troubleshoot common issues in API for MongoDB](mongodb-troubleshoot.md) article for how to debug status code 16500.
-## Troubleshooting steps
-The following section contains known causes and solutions for too many requests.
+A "Request rate too large" exception, also known as error code 429, indicates that your requests against Azure Cosmos DB are being rate limited.
-### Check the metrics
-Check [Azure Cosmos DB monitoring](monitor-cosmos-db.md) to see the number of 429 exceptions.
+When you use provisioned throughput, you set the throughput measured in request units per second (RU/s) required for your workload. Database operations against the service such as reads, writes, and queries consume some amount of request units (RUs). Learn more about [request units](request-units.md).
-#### Cause:
-The consumed throughput (Request Units per second) has exceeded the [provisioned throughput](set-throughput.md). The SDK automatically retries requests based on the specified retry policy. If you get this failure often, consider increasing the throughput on the collection. Check the portal's metrics to see if you're getting 429 errors. Review your partition key to ensure it results in an [even distribution of storage and request volume](partitioning-overview.md).
+In a given second, if the operations consume more than the provisioned request units, Azure Cosmos DB will return a 429 exception. Each second, the number of request units available to use is reset.
-#### Solution:
-1. Use the [portal or the SDK](set-throughput.md) to increase the provisioned throughput.
-1. Switch the database or container to [Autoscale](provision-throughput-autoscale.md).
+Before taking an action to change the RU/s, it's important to understand the root cause of rate limiting and address the underlying issue.
+
+There are different error messages that correspond to different types of 429 exceptions:
+- [Request rate is large. More Request Units may be needed, so no changes were made.](#request-rate-is-large)
+- [The request did not complete due to a high rate of metadata requests.](#rate-limiting-on-metadata-requests)
+- [The request did not complete due to a transient service error.](#rate-limiting-due-to-transient-service-error)
++
+## Request rate is large
+This is the most common scenario. It occurs when the request units consumed by operations on data exceed the provisioned number of RU/s.
+
+### Step 1: Check the metrics to determine the percentage of requests with 429 error
+Seeing 429 error messages doesn't necessarily mean there is a problem with your database or container.
+
+#### How to investigate
+
+Determine what percent of your requests to your database or container resulted in 429s, compared to the overall count of successful requests. From your Azure Cosmos DB account blade, navigate to **Insights** > **Requests** > **Total Requests by Status Code**. Filter to a specific database and container.
+
+By default, the Azure Cosmos DB client SDKs and data import tools such as Azure Data Factory and bulk executor library automatically retry requests on 429s. They retry typically up to 9 times. As a result, while you may see 429s in the metrics, these errors may not even have been returned to your application.
+++
+#### Recommended solution
+In general, for a production workload, if you see between 1-5% of requests with 429s, and your end to end latency is acceptable, this is a healthy sign that the RU/s are being fully utilized. No action is required. Otherwise, move to the next troubleshooting steps.
+
+### Step 2: Determine if there is a hot partition
+A hot partition arises when one or a few logical partition keys consume a disproportionate amount of the total RU/s due to higher request volume. This can be caused by a partition key design that doesn't evenly distribute requests. It results in many requests being directed to a small subset of logical (which implies physical) partitions that become "hot." Because all data for a logical partition resides on one physical partition and total RU/s is evenly distributed among the physical partitions, a hot partition can lead to 429s and inefficient use of throughput.
+
+Here are some examples of partitioning strategies that lead to hot partitions:
+- You have a container storing IoT device data for a write-heavy workload that is partitioned by date. All data for a single date will reside on the same logical and physical partition. Because all the data written each day has the same date, this would result in a hot partition every day.
+ - Instead, for this scenario, a partition key like id (either a GUID or device id), or a [synthetic partition key](/synthetic-partition-keys.md) combining id and date would yield a higher cardinality of values and better distribution of request volume.
+- You have a multi-tenant scenario with a container partitioned by tenantId. If one tenant is significantly more active than the others, it results in a hot partition. For example, if the largest tenant has 100,000 users, but most tenants have fewer than 10 users, you will have a hot partition when partitioned by the tenantID.
+ - For this previous scenario, consider having a dedicated container for the largest tenant, partitioned by a more granular property such as UserId.
+
+#### How to identify the hot partition
+
+To verify if there is a hot partition, navigate to **Insights** > **Throughput** > **Normalized RU Consumption (%) By PartitionKeyRangeID**. Filter to a specific database and container.
+
+Each PartitionKeyRangeId maps to a one physical partition. If there is one PartitionKeyRangeId that has significantly higher Normalized RU consumption than others (for example, one is consistently at 100%, but others are at 30% or less), this can be a sign of a hot partition. Learn more about the [Normalized RU Consumption metric](monitor-normalized-request-units.md).
++
+To see which logical partition keys are consuming the most RU/s,
+use [Azure Diagnostic Logs](cosmosdb-monitor-resource-logs.md). This sample query sums up the total request units consumed per second on each logical partition key.
+
+> [!IMPORTANT]
+> Enabling diagnostic logs incurs a separate charge for the Log Analytics service, which is billed based on volume of data ingested. It is recommended you turn on diagnostic logs for a limited amount of time for debugging, and turn off when no longer required. See [pricing page](https://azure.microsoft.com/pricing/details/monitor/) for details.
+
+```kusto
+AzureDiagnostics
+| where TimeGenerated >= ago(24hour)
+| where Category == "PartitionKeyRUConsumption"
+| where collectionName_s == "CollectionName"
+| where isnotempty(partitionKey_s)
+// Sum total request units consumed by logical partition key for each second
+| summarize sum(todouble(requestCharge_s)) by partitionKey_s, operationType_s, bin(TimeGenerated, 1s)
+| order by sum_requestCharge_s desc
+```
+This sample output shows that in a particular minute, the logical partition key with value "Contoso" consumed around 12,000 RU/s, while the logical partition key with value "Fabrikam" consumed less than 600 RU/s. If this pattern was consistent during the time period where rate limiting occurred, this would indicate a hot partition.
++
+> [!TIP]
+> In any workload, there will be natural variation in request volume across logical partitions. You should determine if the hot partition is caused by a fundamental skewness due to choice of partition key (which may require changing the key) or temporary spike due to natural variation in workload patterns.
+
+#### Recommended solution
+Review the guidance on [how to chose a good partition key](/partitioning-overview.md#choose-partitionkey).
+
+If there is high percent of rate limited requests and no hot partition:
+- You can [increase the RU/s](set-throughput.md) on the database or container using the client SDKs, Azure portal, PowerShell, CLI or ARM template.
+
+If there is high percent of rate limited requests and there is an underlying hot partition:
+- Long-term, for best cost and performance, consider **changing the partition key**. The partition key cannot be updated in place, so this requires migrating the data to a new container with a different partition key. Azure Cosmos DB supports a [live data migration tool](https://devblogs.microsoft.com/cosmosdb/how-to-change-your-partition-key/) for this purpose.
+- Short-term, you can temporarily increase the RU/s to allow more throughput to the hot partition. This is not recommended as a long-term strategy, as it leads to overprovisioning RU/s and higher cost.
+
+> [!TIP]
+> When you increase the throughput, the scale-up operation will either complete instantaneously or require up to 5-6 hours to complete, depending on the number of RU/s you want to scale up to. If you want to know the highest number of RU/s you can set without triggering the asynchronous scale-up operation (which requires Azure Cosmos DB to provision more physical partitions), multiply the number of distinct PartitionKeyRangeIds by 10,0000 RU/s. For example, if you have 30,000 RU/s provisioned and 5 physical partitions (6000 RU/s allocated per physical partition), you can increase to 50,000 RU/s (10,000 RU/s per physical partition) in an instantaneous scale-up operation. Increasing to >50,000 RU/s would require an asynchronous scale-up operation.
+
+### Step 3: Determine what requests are returning 429s
+
+#### How to investigate requests with 429s
+Use [Azure Diagnostic Logs](cosmosdb-monitor-resource-logs.md) to identify which requests are returning 429s and how many RUs they consumed. This sample query aggregates at the minute level.
+
+> [!IMPORTANT]
+> Enabling diagnostic logs incurs a separate charge for the Log Analytics service, which is billed based on volume of data ingested. It is recommended you turn on diagnostic logs for a limited amount of time for debugging, and turn off when no longer required. See [pricing page](https://azure.microsoft.com/pricing/details/monitor/) for details.
+
+```kusto
+AzureDiagnostics
+| where TimeGenerated >= ago(24h)
+| where Category == "DataPlaneRequests"
+| summarize throttledOperations = dcountif(activityId_g, statusCode_s == 429), totalOperations = dcount(activityId_g), totalConsumedRUPerMinute = sum(todouble(requestCharge_s)) by databaseName_s, collectionName_s, OperationName, requestResourceType_s, bin(TimeGenerated, 1min)
+| extend averageRUPerOperation = 1.0 * totalConsumedRUPerMinute / totalOperations
+| extend fractionOf429s = 1.0 * throttledOperations / totalOperations
+| order by fractionOf429s desc
+```
+For example, this sample output shows that each minute, 30% of Create Document requests were being rate limited, with each request consuming an average of 17 RUs.
+
+#### Recommended solution
+##### 429s on create, replace, or upsert document requests
+- By default, in the SQL API, all properties are indexed by default. Tune the [indexing policy](index-policy.md) to only index the properties needed.
+This will lower the Request Units required per create document operation, which will reduce the likelihood of seeing 429s or allow you to achieve higher operations per second for the same amount of provisioned RU/s.
+
+##### 429s on query document requests
+- Follow the guidance to [troubleshoot queries with high RU charge](troubleshoot-query-performance.md#querys-ru-charge-is-too-high)
+
+##### 429s on execute stored procedures
+- [Stored procedures](stored-procedures-triggers-udfs.md) are intended for operations that require write transactions across a partition key value. It is not recommended to use stored procedures for a large number of read or query operations. For best performance, these read or query operations should be done on the client-side, using the Cosmos SDKs.
+
+## Rate limiting on metadata requests
+
+Metadata rate limiting can occur when you are performing a high volume of metadata operations on databases and/or containers. Metadata operations include:
+- Create, read, update, or delete a container or database
+- List databases or containers in a Cosmos account
+- Query for offers to see the current provisioned throughput
+
+There is a system-reserved RU limit for these operations, so increasing the provisioned RU/s of the database or container will have no impact and is not recommended. See [limits on metadata operations](concepts-limits.md#metadata-request-limits).
+
+#### How to investigate
+Navigate to **Insights** > **System** > **Metadata Requests By Status Code**. Filter to a specific database and container if desired.
++
+#### Recommended solution
+- If your application needs to perform metadata operations, consider implementing a backoff policy to send these requests at a lower rate.
+
+- Use static Cosmos DB client instances. When the DocumentClient or CosmosClient is initialized, the Cosmos DB SDK fetches metadata on about the account, including information about the consistency level, databases, containers, partitions, and offers. This initialization may consume a high number of RUs, and should be performed infrequently. Use a single DocumentClient instance and use it for the lifetime of your application.
+
+- Cache the names of databases and containers. Retrieve the names of your databases and containers from configuration or cache them on start. Calls like ReadDatabaseAsync/ReadDocumentCollectionAsync or CreateDatabaseQuery/CreateDocumentCollectionQuery will result in metadata calls to the service, which consume from the system-reserved RU limit. These operations should be performed infrequently.
+
+## Rate limiting due to transient service error
+
+This 429 error is returned when the request encounters a transient service error. Increasing the RU/s on the database or container will have no impact and is not recommended.
+
+#### Recommended solution
+Retry the request. If the error persists for several minutes, file a support ticket from the [Azure portal](https://portal.azure.com/).
## Next steps
+* [Monitor normalized RU/s consumption](monitor-normalized-request-units.md) of your database or container.
* [Diagnose and troubleshoot](troubleshoot-dot-net-sdk.md) issues when you use the Azure Cosmos DB .NET SDK. * Learn about performance guidelines for [.NET v3](performance-tips-dotnet-sdk-v3-sql.md) and [.NET v2](performance-tips.md). * [Diagnose and troubleshoot](troubleshoot-java-sdk-v4-sql.md) issues when you use the Azure Cosmos DB Java v4 SDK.
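Review bot: In the scale-up TIP under Step 2, "multiply the number of distinct PartitionKeyRangeIds by 10,0000 RU/s" has a malformed figure; the worked example in the same tip uses 10,000 RU/s per physical partition, so the multiplier should read 10,000. Also in this hunk: the links `/synthetic-partition-keys.md` and `/partitioning-overview.md#choose-partitionkey` start with a slash while the other article links here are relative (`request-units.md`, `set-throughput.md`), so check that they resolve; the sentence after the first Kusto query says "in a particular minute" although the query bins by `1s`; and "how to chose", "maps to a one physical partition", "metadata on about the account" and the doubled "By default ... by default" need a copy pass.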
cost-management-billing Allocate Costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/allocate-costs.md
Title: Allocate Azure costs
description: This article explains how create cost allocation rules to distribute costs of subscriptions, resource groups, or tags to others. Previously updated : 03/23/2021 Last updated : 05/10/2021
The allocation rule starts processing. When the rule is active, all the selected
> [!NOTE] > New rule processing can take up to two hours before it completes and is active.
+Here's a video that demonstrates how to create a cost allocation rule.
+
+>[!VIDEO https://www.youtube.com/embed/nYzIIs2mx9Q]
+ ## Verify the cost allocation rule When the cost allocation rule is active, costs from the selected sources are distributed to the specified allocation targets. Use the following information to verify that cost is properly allocated to targets.
In the Azure portal, navigate to **Cost Management + Billing** > **Cost Manageme
:::image type="content" source="./media/allocate-costs/tagged-costs.png" alt-text="Example showing costs for tagged items" lightbox="./media/allocate-costs/tagged-costs.png" :::
-Here's a video that demonstrates how to create a cost allocation rule.
+### View cost allocation in the downloaded Usage Details and in Exports CSV files
->[!VIDEO https://www.youtube.com/embed/nYzIIs2mx9Q]
+Cost allocation rules are also available in the downloaded Usage Details file and in the exported data. The data files have the column name `costAllocationRuleName`. If a Cost allocation rule is applicable to an entry in Usage Details or Exports file, the row is populated with the Cost allocation rule name. The following example image shows a negative charge with an entry for the source subscription. That's the charge getting allocated cost from. There's also a positive charge for the Cost allocation rule's target.
++
+#### Azure invoice reconciliation
+
+The Usage Details file is also used for Azure invoice reconciliation. Showing any internal allocated costs during reconciliation could be confusing. To reduce any potential confusion and to align to the data shown on the invoice, you can filter out any Cost allocation rules. After you remove the cost allocation rules, your Usage Details file should match the cost shown by the billed subscription invoice.
## Edit an existing cost allocation rule
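Review bot: In the new "View cost allocation in the downloaded Usage Details and in Exports CSV files" paragraph, "That's the charge getting allocated cost from" doesn't parse; suggest "That's the charge that cost is being allocated from." The same paragraph writes "Cost allocation rule" with a capital C mid-sentence while the reconciliation paragraph uses both "Cost allocation rules" and "cost allocation rules"; pick one casing.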
Currently, cost allocation is supported in Cost Management by Cost analysis, bud
The following items are currently unsupported by the cost allocation public preview: -- Scheduled [Exports](tutorial-export-acm-data.md) - Data exposed by the [Usage Details](/rest/api/consumption/usagedetails/list) API - Billing subscriptions area - [Cost Management Power BI App](https://appsource.microsoft.com/product/power-bi/costmanagement.azurecostmanagementapp)
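Review bot: With Scheduled Exports removed from the unsupported list, the list still names "Data exposed by the Usage Details API" while the new section in this commit says the downloaded Usage Details file carries `costAllocationRuleName`. Add a sentence that distinguishes the downloaded file from the API so the two statements don't read as a contradiction.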
cost-management-billing Aws Integration Set Up Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/aws-integration-set-up-configure.md
Title: Set up AWS integration with Azure Cost Management
description: This article walks you through setting up and configuring AWS Cost and Usage report integration with Azure Cost Management. Previously updated : 10/23/2020 Last updated : 05/10/2021
The policy JSON should resemble the following example. Replace _bucketname_ with
## Set up a new connector for AWS in Azure
-Use the following information to create an AWS connector and start monitoring your AWS costs:
+Use the following information to create an AWS connector and start monitoring your AWS costs.
+
+### Prerequisites
+
+- Ensure you have at least one management group enabled. A management group is required to link your subscription to the AWS service. For more information about creating a management group, see [Create a management group in Azure](../../governance/management-groups/create-management-group-portal.md).
+- Ensure that you're an administrator of the subscription.
+- Complete the set up required for a new AWS connector, as described in the [Create a Cost and Usage report in AWS](#create-a-cost-and-usage-report-in-aws) section.
++
+### Create a new connector
1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Go to Azure Home by clicking **Home** in the menu on the left ("hamburger" menu icon with 3 lines).
-3. Go to **Tools** > **Cost Management** at the bottom of the page.
-3. Under **Settings**, select **Connectors for AWS**.
-4. Select **+Add** at the top of the page to create a connector.
- :::image type="content" source="./media/aws-integration-setup-configure/aws-connector.png" alt-text="Example showing the Connectors for AWS setting" :::
+1. Navigate to **Cost Management + Billing** and select a billing scope, if necessary.
+1. Select **Cost analysis** and then select **Settings**.
+1. Select **Connectors for AWS**.
+1. Select **Add connector**.
1. On the **Create connector** page, in **Display name**, enter a name for your connector. :::image type="content" source="./media/aws-integration-setup-configure/create-aws-connector01.png" alt-text="Example of the page for creating an AWS connector" ::: 1. Optionally, select the default management group. It will store all discovered linked accounts. You can set it up later.
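Review bot: The new prerequisite "Ensure that you're an administrator of the subscription" doesn't name the Azure role that is required; state the role explicitly so readers can grant only what the connector setup needs. In the third prerequisite, "set up" is used as a noun and should be "setup". The hunk also drops the aws-connector.png screenshot without a replacement for the new Cost analysis > Settings path; confirm that is intended.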
cost-management-billing Ea Portal Enrollment Invoices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/ea-portal-enrollment-invoices.md
To apply your Azure Prepayment to overages, you must meet the following criteria
- Your available Azure Prepayment amount covers the full number of incurred charges, including all past unpaid Azure invoices. - The billing term that you want to complete must be fully closed. Billing fully closes after the fifth day of each month. - The billing period that you want to offset must be fully closed.-- Your Azure Prepayment Discount (ACD) is based on the actual new Prepayment minus any funds planned for the previous consumption. This requirement applies only to overage charges incurred. It's only valid for services that consume Azure Prepayment, so doesn't apply to Azure Marketplace charges. Azure Marketplace charges are billed separately.
+- Your Azure Prepayment Discount (APD) is based on the actual new Prepayment minus any funds planned for the previous consumption. This requirement applies only to overage charges incurred. It's only valid for services that consume Azure Prepayment, so doesn't apply to Azure Marketplace charges. Azure Marketplace charges are billed separately.
To complete an overage offset, you or the account team can open a support request. An emailed approval from your enterprise administrator or Bill to Contact is required.
cost-management-billing Link Partner Id https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/link-partner-id.md
Before you link your partner ID, your customer must give you access to their Azu
- **Service principal**: Your customer can add an app or script from your organization in their directory and assign any Azure role. The identity of the app or script is known as a service principal. -- **Azure Lighthouse**: Your customer can delegate a subscription (or resource group) so that your users can work on it from within your tenant. For more information, see [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md).
+- **Azure Lighthouse**: Your customer can delegate a subscription (or resource group) so that your users can work on it from within your tenant. For more information, see [Azure Lighthouse](../../lighthouse/overview.md).
## Link to a partner ID
data-factory Connector Azure Database For Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-database-for-postgresql.md
This Azure Database for PostgreSQL connector is supported for the following acti
- [Mapping data flow](concepts-data-flow-overview.md) - [Lookup activity](control-flow-lookup-activity.md)
-Currently, data flow supports Azure database for PostgreSQL Single Server but not Flexible Server or Hyperscale (Citus).
+Currently, data flow in Azure Data Factory supports Azure database for PostgreSQL Single Server but not Flexible Server or Hyperscale (Citus); data flow in Azure Synapse Analytics supports all PostgreSQL flavors.
## Getting started
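Review bot: "all PostgreSQL flavors" in the added clause is vague next to the first clause, which names Single Server, Flexible Server and Hyperscale (Citus); list the deployment options supported in Azure Synapse Analytics the same way. "Azure database for PostgreSQL" should also be capitalized as "Azure Database for PostgreSQL" to match the connector name used in the surrounding context.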
data-factory Connector Azure Sql Data Warehouse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-sql-data-warehouse.md
Previously updated : 03/17/2021 Last updated : 05/10/2021 # Copy and transform data in Azure Synapse Analytics by using Azure Data Factory
Settings specific to Azure Synapse Analytics are available in the **Settings** t
![pre and post SQL processing scripts](media/data-flow/prepost1.png "SQL processing scripts")
+### Error row handling
+
+When writing to Azure Synapse Analytics, certain rows of data may fail due to constraints set by the destination. Some common errors include:
+
+* String or binary data would be truncated in table
+* Cannot insert the value NULL into column
+* Conversion failed when converting the value to data type
+
+By default, a data flow run will fail on the first error it gets. You can choose to **Continue on error** that allows your data flow to complete even if individual rows have errors. Azure Data Factory provides different options for you to handle these error rows.
+
+**Transaction Commit:** Choose whether your data gets written in a single transaction or in batches. Single transaction will provide better performance and no data written will be visible to others until the transaction completes. Batch transactions have worse performance but can work for large datasets.
+
+**Output rejected data:** If enabled, you can output the error rows into a csv file in Azure Blob Storage or an Azure Data Lake Storage Gen2 account of your choosing. This will write the error rows with three additional columns: the SQL operation like INSERT or UPDATE, the data flow error code, and the error message on the row.
+
+**Report success on error:** If enabled, the data flow will be marked as a success even if error rows are found.
++ ## Lookup activity properties To learn details about the properties, check [Lookup activity](control-flow-lookup-activity.md).
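Review bot: "Report success on error" is described as marking the data flow successful even when error rows are found, but the section doesn't say how an operator then learns that rows were rejected. Suggest stating that it should be paired with "Output rejected data", and noting that the rejected-rows CSV carries the original row values plus three extra columns, so the chosen storage account needs access restrictions appropriate to that data. Also, "You can choose to **Continue on error** that allows" reads better as "You can select **Continue on error**, which allows".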
data-factory Connector Sap Business Warehouse Open Hub https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-business-warehouse-open-hub.md
Title: Copy data from SAP Business Warehouse via Open Hub description: Learn how to copy data from SAP Business Warehouse (BW) via Open Hub to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Business Warehouse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-business-warehouse.md
Title: Copy data from SAP BW description: Learn how to copy data from SAP Business Warehouse to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Cloud For Customer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-cloud-for-customer.md
Title: Copy data from/to SAP Cloud for Customer description: Learn how to copy data from SAP Cloud for Customer to supported sink data stores (or) from supported source data stores to SAP Cloud for Customer by using Data Factory.--++
data-factory Connector Sap Ecc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-ecc.md
Title: Copy data from SAP ECC description: Learn how to copy data from SAP ECC to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Hana https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-hana.md
Title: Copy data from SAP HANA description: Learn how to copy data from SAP HANA to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Table https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-table.md
Title: Copy data from an SAP table description: Learn how to copy data from an SAP table to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Create Self Hosted Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/create-self-hosted-integration-runtime.md
Here is a high-level summary of the data-flow steps for copying with a self-host
![The high-level overview of data flow](media/create-self-hosted-integration-runtime/high-level-overview.png)
-1. A data developer creates a self-hosted integration runtime within an Azure data factory by using the Azure portal or the PowerShell cmdlet.
+1. A data developer first creates a self-hosted integration runtime within an Azure data factory by using the Azure portal or the PowerShell cmdlet. Then the data developer creates a linked service for an on-premises data store, specifying the self-hosted integration runtime instance that the service should use to connect to data stores.
-2. The data developer creates a linked service for an on-premises data store. The developer does so by specifying the self-hosted integration runtime instance that the service should use to connect to data stores.
+2. The self-hosted integration runtime node encrypts the credentials by using Windows Data Protection Application Programming Interface (DPAPI) and saves the credentials locally. If multiple nodes are set for high availability, the credentials are further synchronized across other nodes. Each node encrypts the credentials by using DPAPI and stores them locally. Credential synchronization is transparent to the data developer and is handled by the self-hosted IR.
-3. The self-hosted integration runtime node encrypts the credentials by using Windows Data Protection Application Programming Interface (DPAPI) and saves the credentials locally. If multiple nodes are set for high availability, the credentials are further synchronized across other nodes. Each node encrypts the credentials by using DPAPI and stores them locally. Credential synchronization is transparent to the data developer and is handled by the self-hosted IR.
+3. Azure Data Factory communicates with the self-hosted integration runtime to schedule and manage jobs. Communication is via a control channel that uses a shared [Azure Relay](../azure-relay/relay-what-is-it.md#wcf-relay) connection. When an activity job needs to be run, Data Factory queues the request along with any credential information. It does so in case credentials aren't already stored on the self-hosted integration runtime. The self-hosted integration runtime starts the job after it polls the queue.
-4. Azure Data Factory communicates with the self-hosted integration runtime to schedule and manage jobs. Communication is via a control channel that uses a shared [Azure Relay](../azure-relay/relay-what-is-it.md#wcf-relay) connection. When an activity job needs to be run, Data Factory queues the request along with any credential information. It does so in case credentials aren't already stored on the self-hosted integration runtime. The self-hosted integration runtime starts the job after it polls the queue.
-
-5. The self-hosted integration runtime copies data between an on-premises store and cloud storage. The direction of the copy depends on how the copy activity is configured in the data pipeline. For this step, the self-hosted integration runtime directly communicates with cloud-based storage services like Azure Blob storage over a secure HTTPS channel.
+4. The self-hosted integration runtime copies data between an on-premises store and cloud storage. The direction of the copy depends on how the copy activity is configured in the data pipeline. For this step, the self-hosted integration runtime directly communicates with cloud-based storage services like Azure Blob storage over a secure HTTPS channel.
## Prerequisites
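Review bot: The step list goes from five items to four by merging the old steps 1 and 2; if high-level-overview.png carries numbered callouts, confirm they still line up with the new numbering. The merged step 1 now describes two separate actions ("first creates ... Then the data developer creates a linked service") in one list item, which is harder to follow than the original split and leaves step 2's "encrypts the credentials" without a step that says where the credentials are entered.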
If you select the **Use system proxy** option for the HTTP proxy, the self-hoste
> [!IMPORTANT] > Don't forget to update both diahost.exe.config and diawp.exe.config.
-You also need to make sure that Microsoft Azure is in your company's allow list. You can download the list of valid Azure IP addresses from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=41653).
+You also need to make sure that Microsoft Azure is in your company's allowlist. You can download the list of valid Azure IP addresses from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=41653).
### Possible symptoms for issues related to the firewall and proxy server
For some cloud databases, such as Azure SQL Database and Azure Data Lake, you mi
### Get URL of Azure Relay
-One required domain and port that need to be put in the allow list of your firewall is for the communication to Azure Relay. The self-hosted integration runtime uses it for interactive authoring such as test connection, browse folder list and table list, get schema, and preview data. If you don't want to allow **.servicebus.windows.net** and would like to have more specific URLs, then you can see all the FQDNs that are required by your self-hosted integration runtime from the ADF portal. Follow these steps:
+One required domain and port that need to be put in the allowlist of your firewall is for the communication to Azure Relay. The self-hosted integration runtime uses it for interactive authoring such as test connection, browse folder list and table list, get schema, and preview data. If you don't want to allow **.servicebus.windows.net** and would like to have more specific URLs, then you can see all the FQDNs that are required by your self-hosted integration runtime from the ADF portal. Follow these steps:
1. Go to ADF portal and select your self-hosted integration runtime. 2. In Edit page, select **Nodes**.
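Review bot: The reworded sentence keeps a subject-verb mismatch ("One required domain and port that need to be put in the allowlist ... is for"); suggest "One domain and port that must be added to your firewall allowlist is used for communication with Azure Relay." The domain is written as `**.servicebus.windows.net**`, which shows no explicit wildcard; if the wildcard domain is meant, write it in code formatting as `*.servicebus.windows.net` so readers don't allowlist the wrong pattern.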
One required domain and port that need to be put in the allow list of your firew
![Azure Relay URLs](media/create-self-hosted-integration-runtime/Azure-relay-url.png)
-4. You can add these FQDNs in the allow list of firewall rules.
+4. You can add these FQDNs in the allowlist of firewall rules.
### Copy data from a source to a sink
data-factory Data Flow Lookup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-lookup.md
SQLProducts, DimProd lookup(ProductID == ProductKey,
asc(ProductKey, true), broadcast: 'auto')~> LookupKeys ```
-##
-Next steps
+
+## Next steps
* The [join](data-flow-join.md) and [exists](data-flow-exists.md) transformations both take in multiple stream inputs * Use a [conditional split transformation](data-flow-conditional-split.md) with ```isMatch()``` to split rows on matching and non-matching values
data-factory Data Flow Parse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-parse.md
Previously updated : 02/08/2021 Last updated : 05/10/2021 # Parse transformation in mapping data flow
Similar to derived columns and aggregates, this is where you will either modify
Use the expression builder to set the source for your parsing. This can be as simple as just selecting the source column with the self-contained data that you wish to parse, or you can create complex expressions to parse.
+#### Example expressions
+
+* Source string data: ```chrome|steel|plastic```
+ * Expression: ```(desc1 as string, desc2 as string, desc3 as string)```
+
+* Source JSON data: ```{"ts":1409318650332,"userId":"309","sessionId":1879,"page":"NextSong","auth":"Logged In","method":"PUT","status":200,"level":"free","itemInSession":2,"registration":1384448}```
+ * Expression: ```(level as string, registration as long)```
+
+* Source XML data: ```<Customers><Customer>122</Customer><CompanyName>Great Lakes Food Market</CompanyName></Customers>```
+ * Expression: ```(Customers as (Customer as integer, CompanyName as string))```
+ ### Output column type Here is where you will configure the target output schema from the parsing that will be written into a single column.
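Review bot: The string example does not say how `chrome|steel|plastic` is split into `desc1`, `desc2` and `desc3`. The expression lists three string columns, but the added lines never state the format or the `|` delimiter setting, so a reader cannot reproduce the result. State the delimiter setting next to the expression, and show the parsed output for at least one of the three examples.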
data-factory Managed Virtual Network Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/managed-virtual-network-private-endpoint.md
Private endpoint uses a private IP address in the managed Virtual Network to eff
> It's recommended that you create Managed private endpoints to connect to all your Azure data sources. > [!WARNING]
-> If a PaaS data store (Blob, ADLS Gen2, Azure Synapse Analytics) has a private endpoint already created against it, and even if it allows access from all networks, ADF would only be able to access it using managed private endpoint. Make sure you create a Private endpoint in such scenarios.
+> If a PaaS data store (Blob, ADLS Gen2, Azure Synapse Analytics) has a private endpoint already created against it, and even if it allows access from all networks, ADF would only be able to access it using a managed private endpoint. If a private endpoint does not already exist, you must create one in such scenarios.
A private endpoint connection is created in a "Pending" state when you create a Managed private endpoint in Azure Data Factory. An approval workflow is initiated. The private link resource owner is responsible to approve or reject the connection.
Below data sources are supported to connect through private link from ADF Manage
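Review bot: The rewritten last sentence of the warning contradicts its own premise. The warning opens with a data store that "has a private endpoint already created against it" and then ends with "If a private endpoint does not already exist, you must create one", so it is unclear which endpoint is missing. Say "managed private endpoint" in that sentence, for example "If ADF does not yet have a managed private endpoint for that store, create one". The point of the warning is that ADF cannot reach such a store over the public network even when the store allows access from all networks.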
## Next steps - Tutorial: [Build a copy pipeline using managed Virtual Network and private endpoints](tutorial-copy-data-portal-private.md) -- Tutorial: [Build mapping dataflow pipeline using managed Virtual Network and private endpoints](tutorial-data-flow-private.md)
+- Tutorial: [Build mapping dataflow pipeline using managed Virtual Network and private endpoints](tutorial-data-flow-private.md)
data-factory Quickstart Create Data Factory Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/quickstart-create-data-factory-resource-manager-template.md
Previously updated : 07/16/2020 Last updated : 05/10/2021 # Quickstart: Create an Azure Data Factory using ARM template
This quickstart describes how to use an Azure Resource Manager template (ARM tem
If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.
-[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-data-factory-v2-blob-to-blob-copy%2Fazuredeploy.json)
+[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.datafactory%2Fdata-factory-v2-blob-to-blob-copy%2Fazuredeploy.json)
## Prerequisites
Save the file in the **C:\ADFv2QuickStartPSH** folder. (If the folder doesn't al
The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-data-factory-v2-blob-to-blob-copy/). There are Azure resources defined in the template:
More Azure Data Factory template samples can be found in the [quickstart templat
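Review bot: The button URL now uses the `quickstarts/microsoft.datafactory/data-factory-v2-blob-to-blob-copy` path, but the unchanged sentence that links to Azure Quickstart Templates still uses the old `101-data-factory-v2-blob-to-blob-copy` slug. Confirm that link still resolves, or update it in the same change. The button also deploys whatever `azuredeploy.json` is on `master` at click time. If the resource list in this quickstart is meant to match a particular template revision, say so or point at a fixed revision.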
1. Select the following image to sign in to Azure and open a template. The template creates an Azure Data Factory account, a storage account, and a blob container.
- [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-data-factory-v2-blob-to-blob-copy%2Fazuredeploy.json)
+ [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.datafactory%2Fdata-factory-v2-blob-to-blob-copy%2Fazuredeploy.json)
2. Select or enter the following values.
Keep the container page open, because you can use it to verify the output at the
### Start Trigger
-1. Navigate to the **Data factories** page, and select the data factory you created.
+1. Navigate to the **Data factories** page, and select the data factory you created.
-2. Select the **Author & Monitor** tile.
+2. Select the **Author & Monitor** tile.
:::image type="content" source="media/quickstart-create-data-factory-resource-manager-template/data-factory-author-monitor-tile.png" alt-text="Author & Monitor":::
Keep the container page open, because you can use it to verify the output at the
### Verify the output file
-The pipeline automatically creates an output folder in the blob container. Then, it copies the emp.txt file from the input folder to the output folder.
+The pipeline automatically creates an output folder in the blob container. Then, it copies the emp.txt file from the input folder to the output folder.
-1. In the Azure portal, on the **Containers** page, select **Refresh** to see the output folder.
+1. In the Azure portal, on the **Containers** page, select **Refresh** to see the output folder.
2. Select **output** in the folder list.
-3. Confirm that the **emp.txt** is copied to the output folder.
+3. Confirm that the **emp.txt** is copied to the output folder.
:::image type="content" source="media/quickstart-create-data-factory-resource-manager-template/data-factory-arm-template-output.png" alt-text="Output":::
The pipeline automatically creates an output folder in the blob container. Then,
You can clean up the resources that you created in the Quickstart in two ways. You can [delete the Azure resource group](../azure-resource-manager/management/delete-resource-group.md), which includes all the resources in the resource group. If you want to keep the other resources intact, delete only the data factory you created in this tutorial.
-Deleting a resource group deletes all resources including data factories in it. Run the following command to delete the entire resource group:
+Deleting a resource group deletes all resources including data factories in it. Run the following command to delete the entire resource group:
```azurepowershell-interactive Remove-AzResourceGroup -ResourceGroupName $resourcegroupname ```
-If you want to delete just the data factory, and not the entire resource group, run the following command:
+If you want to delete just the data factory, and not the entire resource group, run the following command:
```azurepowershell-interactive Remove-AzDataFactoryV2 -Name $dataFactoryName -ResourceGroupName $resourceGroupName
data-factory Self Hosted Integration Runtime Proxy Ssis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/self-hosted-integration-runtime-proxy-ssis.md
Finally, you download and install the latest version of the self-hosted IR, as w
### Enable Windows authentication for on-premises tasks
-If on-premises staging tasks/Execute SQL Tasks on your self-hosted IR require Windows authentication, you must also [configure Windows authentication feature on your Azure-SSIS IR](/sql/integration-services/lift-shift/ssis-azure-connect-with-windows-auth.md).
+If on-premises staging tasks/Execute SQL Tasks on your self-hosted IR require Windows authentication, you must also [configure Windows authentication feature on your Azure-SSIS IR](/sql/integration-services/lift-shift/ssis-azure-connect-with-windows-auth).
Your on-premises staging tasks/Execute SQL Tasks will be invoked with the self-hosted IR service account (*NT SERVICE\DIAHostService*, by default), and your data stores will be accessed with the Windows authentication account. Both accounts require certain security policies to be assigned to them. On the self-hosted IR machine, go to **Local Security Policy** > **Local Policies** > **User Rights Assignment**, and then do the following:
If you haven't already done so, create an Azure Blob Storage linked service in t
- For **Authentication method**, select **Account key**, **SAS URI**, **Service Principal**, or **Managed Identity**. >[!TIP]
->If you select the **Service Principal** method, grant your service principal at least a *Storage Blob Data Contributor* role. For more information, see [Azure Blob Storage connector](connector-azure-blob-storage.md#linked-service-properties). If you select the **Managed Identity** method, grant your ADF managed identity a proper role to access Azure Blob Storage. For more information, see [Access Azure Blob Storage using Azure Active Directory authentication with ADF managed identity](/sql/integration-services/connection-manager/azure-storage-connection-manager.md#managed-identities-for-azure-resources-authentication).
+>If you select the **Service Principal** method, grant your service principal at least a *Storage Blob Data Contributor* role. For more information, see [Azure Blob Storage connector](connector-azure-blob-storage.md#linked-service-properties). If you select the **Managed Identity** method, grant your ADF managed identity a proper role to access Azure Blob Storage. For more information, see [Access Azure Blob Storage using Azure Active Directory authentication with ADF managed identity](/sql/integration-services/connection-manager/azure-storage-connection-manager#managed-identities-for-azure-resources-authentication).
![Prepare the Azure Blob storage-linked service for staging](media/self-hosted-integration-runtime-proxy-ssis/shir-azure-blob-storage-linked-service.png)
data-factory Wrangling Functions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/wrangling-functions.md
The following M functions add or transform columns: [Table.AddColumn](/powerquer
* Row filters as a logical column * Number, text, logical, date, and datetime constants
-Merging/Joining tables
--
+## Merging/Joining tables
+ * Power Query will generate a nested join (Table.NestedJoin; users can also manually write [Table.AddJoinColumn](/powerquery-m/table-addjoincolumn)).
databox-online Azure Stack Edge Gpu Connect Powershell Interface https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-connect-powershell-interface.md
Previously updated : 03/30/2021 Last updated : 04/15/2021 # Manage an Azure Stack Edge Pro GPU device via Windows PowerShell [!INCLUDE [applies-to-GPU-and-pro-r-and-mini-r-skus](../../includes/azure-stack-edge-applies-to-gpu-pro-r-mini-r-sku.md)]
-Azure Stack Edge Pro solution lets you process data and send it over the network to Azure. This article describes some of the configuration and management tasks for your Azure Stack Edge Pro device. You can use the Azure portal, local web UI, or the Windows PowerShell interface to manage your device.
+Azure Stack Edge Pro GPU solution lets you process data and send it over the network to Azure. This article describes some of the configuration and management tasks for your Azure Stack Edge Pro GPU device. You can use the Azure portal, local web UI, or the Windows PowerShell interface to manage your device.
This article focuses on how you can connect to the PowerShell interface of the device and the tasks you can do using this interface.
A Multi-Process Service (MPS) on Nvidia GPUs provides a mechanism where GPUs can
> [!NOTE] > When the device software and the Kubernetes cluster are updated, the MPS setting is not retained for the workloads. You'll need to enable MPS again.
+<!--## Enable compute on private network
+
+Use the `Add-HcsNetRoute` cmdlet to enable compute on a private network. This cmdlet lets you add custom routes on Kubernetes master and worker VMs.
+#### Add new route configuration
+
+IP routing is the process of forwarding a packet based on the destination IP address. For the Kubernetes VMs on your device, you can route the traffic by adding a new route configuration.
+
+A route configuration is a routing table entry that includes the following fields:
+
+| Parameter | Description |
+|||
+|Destination | Either an IP address or an IP address prefix. |
+|Prefix length | The prefix length corresponding to the address or range of addresses in the destination. |
+|Next hop | The IP address to which the packet is forwarded. |
+|Interface | The network interface that forwards the IP packet. |
+|Metric |Routing metric determines the preferred network interface used to reach the destination. |
++
+Consider the following information before you add these routes:
+
+- The Kubernetes network where you are adding this route is in a private network and not connected to the internet.
+- The device port on which the compute is enabled does not have a gateway configured.
+- If you have a flat subnet, then you don't need to add these routes to the private network. You can (optionally) add these routes when there are multiple subnets on your private network.
+- You can add these routes only to the Kubernetes master and worker VMs and not to the device (Windows host).
+- The Kubernetes compute need not be configured before you add this route. You can also add or update routes after the Kubernetes compute is configured. You can only add a new route configuration via the PowerShell interface of the device and not through the local UI.
+- Make sure that the network interface that you'll use has a static configuration.
+
+Consider an example where Port 1 and Port 2 on your device are connected to the internet. Ports 3 to Port 6 are on a private network and is the same network that has the Kubernetes master and worker VMs. None of the ports 3 to 6 have a default gateway configured. There are cameras that are connected to the private network. And the camera feed creates a traffic that flows between the camera and the network interfaces on the Kubernetes VMs.
+
+To add a new custom route, use the cmdlet as follows:
+
+```powershell
+Add-HcsNetRoute -InterfaceAlias "Port3" -DestinationPrefix "192.168.21.0/24" -NextHop "192.168.20.1" -RouteMetric 100
+```
+
+Here the compute is enabled on the Port 3 network interface on your device and a virtual switch is created. The above route defines a destination subnet 192.168.21.0/24 and specifies the next hop as 192.168.20.1. This routing configuration has a routing metric of 100. Lower the routing metric, higher the priority assigned to the route.
+
+
+#### Check route configuration for an interface
+
+Use this cmdlet to check for all the custom route configurations that you added on your device. These routes do not include all the system routes or default routes that already exist on the device.
+
+```powershell
+Get-HcsNetRoute -InterfaceAlias Port3
+```
++
+#### Remove a route configuration
+
+Use this cmdlet to remove a route configuration that you added on your device.
+
+```powershell
+Remove-HcsNetRoute -InterfaceAlias "Port3" -DestinationPrefix "192.168.21.0/24"
+```
+-->
+ ## Reset your device [!INCLUDE [Reset your device](../../includes/data-box-edge-gateway-deactivate-device.md)]
Before you begin, you must have:
- Compute network configured. See [Tutorial: Configure network for Azure Stack Edge Pro with GPU](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md). - Compute role configured on your device.
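Review bot: The whole "Enable compute on private network" section is added between `<!--` and `-->`, so the `Add-HcsNetRoute`, `Get-HcsNetRoute` and `Remove-HcsNetRoute` instructions never render. If this is a parked draft, say so in the commit message. If it is meant to ship, remove the comment markers and put `## Enable compute on private network` on its own line. Two sentences need rewording either way: "Ports 3 to Port 6 are on a private network and is the same network" should read "Ports 3 to 6 are on the same private network as the Kubernetes master and worker VMs", and "Lower the routing metric, higher the priority" should read "The lower the routing metric, the higher the priority". The example would also be easier to verify if it stated which subnet Port 3 is on, because the next hop `192.168.20.1` has to be reachable from that interface.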
-On an Azure Stack Edge Pro device that has the compute role configured, you can troubleshoot or monitor the device using two different sets of commands.
+On an Azure Stack Edge Pro GPU device that has the compute role configured, you can troubleshoot or monitor the device using two different sets of commands.
- Using `iotedge` commands. These commands are available for basic operations for your device. - Using `kubectl` commands. These commands are available for an extensive set of operations for your device.
Here is a sample output.
### Use kubectl commands
-On an Azure Stack Edge Pro device that has the compute role configured, all the `kubectl` commands are available to monitor or troubleshoot modules. To see a list of available commands, run `kubectl --help` from the command window.
+On an Azure Stack Edge Pro GPU device that has the compute role configured, all the `kubectl` commands are available to monitor or troubleshoot modules. To see a list of available commands, run `kubectl --help` from the command window.
```PowerShell C:\Users\myuser>kubectl --help
To exit the remote PowerShell session, close the PowerShell window.
## Next steps -- Deploy [Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-prep.md) in Azure portal.
+- Deploy [Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-prep.md) in Azure portal.
databox-online Azure Stack Edge Gpu Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-overview.md
Previously updated : 01/18/2021 Last updated : 04/19/2021
-#Customer intent: As an IT admin, I need to understand what Azure Stack Edge Pro is and how it works so I can use it to process and transform data before sending to Azure.
+#Customer intent: As an IT admin, I need to understand what Azure Stack Edge Pro GPU is and how it works so I can use it to process and transform data before sending to Azure.
# What is Azure Stack Edge Pro with GPU?
Azure Stack Edge Pro with GPU is a Hardware-as-a-service solution. Microsoft shi
## Use cases
-Here are the various scenarios where Azure Stack Edge Pro can be used for rapid Machine Learning (ML) inferencing at the edge and preprocessing data before sending it to Azure.
+Here are the various scenarios where Azure Stack Edge Pro GPU can be used for rapid Machine Learning (ML) inferencing at the edge and preprocessing data before sending it to Azure.
-- **Inference with Azure Machine Learning** - With Azure Stack Edge Pro, you can run ML models to get quick results that can be acted on before the data is sent to the cloud. The full data set can optionally be transferred to continue to retrain and improve your ML models. For more information on how to use the Azure ML hardware accelerated models on the Azure Stack Edge Pro device, see
-[Deploy Azure ML hardware accelerated models on Azure Stack Edge Pro](../machine-learning/how-to-deploy-fpga-web-service.md#deploy-to-a-local-edge-server).
+- **Inference with Azure Machine Learning** - With Azure Stack Edge Pro GPU, you can run ML models to get quick results that can be acted on before the data is sent to the cloud. The full data set can optionally be transferred to continue to retrain and improve your ML models. For more information on how to use the Azure ML hardware accelerated models on the Azure Stack Edge Pro GPU device, see
+[Deploy Azure ML hardware accelerated models on Azure Stack Edge Pro GPU](../machine-learning/how-to-deploy-fpga-web-service.md#deploy-to-a-local-edge-server).
- **Preprocess data** - Transform data before sending it to Azure via compute options such as containerized workloads and Virtual Machines to create a more actionable dataset. Preprocessing can be used to:
Here are the various scenarios where Azure Stack Edge Pro can be used for rapid
- Subset data to optimize storage and bandwidth, or for further analysis. - Analyze and react to IoT Events. -- **Transfer data over network to Azure** - Use Azure Stack Edge Pro to easily and quickly transfer data to Azure to enable further compute and analytics or for archival purposes.
+- **Transfer data over network to Azure** - Use Azure Stack Edge Pro GPU to easily and quickly transfer data to Azure to enable further compute and analytics or for archival purposes.
## Key capabilities
-Azure Stack Edge Pro has the following capabilities:
+Azure Stack Edge Pro GPU has the following capabilities:
|Capability |Description | |||
Azure Stack Edge Pro has the following capabilities:
|Data access | Direct data access from Azure Storage Blobs and Azure Files using cloud APIs for additional data processing in the cloud. Local cache on the device is used for fast access of most recently used files.| |Cloud-managed |Device and service are managed via the Azure portal. | |Offline upload | Disconnected mode supports offline upload scenarios.|
-|Supported file transfer protocols | Support for standard SMB, NFS, and REST protocols for data ingestion. <br> For more information on supported versions, see [Azure Stack Edge Pro system requirements](azure-stack-edge-system-requirements.md).|
+|Supported file transfer protocols | Support for standard SMB, NFS, and REST protocols for data ingestion. <br> For more information on supported versions, see [Azure Stack Edge Pro GPU system requirements](azure-stack-edge-system-requirements.md).|
|Data refresh | Ability to refresh local files with the latest from cloud.| |Encryption | BitLocker support to locally encrypt data and secure data transfer to cloud over *https*.| |Bandwidth throttling| Throttle to limit bandwidth usage during peak hours.|
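Review bot: The renamed link text "Azure Stack Edge Pro GPU system requirements" in the supported file transfer protocols row still targets `azure-stack-edge-system-requirements.md`, while the same link text under Next steps targets `azure-stack-edge-gpu-system-requirements.md`. Point both at the GPU article, or keep the old link text wherever the non-GPU article is the intended target.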
Azure Stack Edge Pro has the following capabilities:
## Components
-The Azure Stack Edge Pro solution comprises of Azure Stack Edge resource, Azure Stack Edge Pro physical device, and a local web UI.
+The Azure Stack Edge Pro GPU solution comprises of Azure Stack Edge resource, Azure Stack Edge Pro GPU physical device, and a local web UI.
-* **Azure Stack Edge Pro physical device** - A 1U rack-mounted server supplied by Microsoft that can be configured to send data to Azure.
+* **Azure Stack Edge Pro GPU physical device** - A 1U rack-mounted server supplied by Microsoft that can be configured to send data to Azure.
-* **Azure Stack Edge resource** ΓÇô A resource in the Azure portal that lets you manage an Azure Stack Edge Pro device from a web interface that you can access from different geographical locations. Use the Azure Stack Edge resource to create and manage resources, view, and manage devices and alerts, and manage shares.
+* **Azure Stack Edge resource** ΓÇô A resource in the Azure portal that lets you manage an Azure Stack Edge Pro GPU device from a web interface that you can access from different geographical locations. Use the Azure Stack Edge resource to create and manage resources, view, and manage devices and alerts, and manage shares.
- For more information, go to [Create an order for your Azure Stack Edge Pro device](azure-stack-edge-gpu-deploy-prep.md#create-a-new-resource).
+ For more information, go to [Create an order for your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-deploy-prep.md#create-a-new-resource).
-* **Azure Stack Edge Pro local web UI** - A browser-based local user interface on your Azure Stack Edge Pro device primarily intended for the initial configuration of the device. Use the local web UI also to run diagnostics, shut down and restart the Azure Stack Edge Pro device, view copy logs, and contact Microsoft Support to file a service request.
+* **Azure Stack Edge Pro GPU local web UI** - A browser-based local user interface on your Azure Stack Edge Pro GPU device primarily intended for the initial configuration of the device. Use the local web UI also to run diagnostics, shut down and restart the Azure Stack Edge Pro GPU device, view copy logs, and contact Microsoft Support to file a service request.
- For information about using the web-based UI, go to [Use the web-based UI to administer your Azure Stack Edge Pro](azure-stack-edge-manage-access-power-connectivity-mode.md).
+ [!INCLUDE [azure-stack-edge-gateway-local-web-ui-languages](../../includes/azure-stack-edge-gateway-local-web-ui-languages.md)]
+
+ For information about using the web-based UI, go to [Use the web-based UI to administer your Azure Stack Edge Pro GPU](azure-stack-edge-manage-access-power-connectivity-mode.md).
## Region availability
-Azure Stack Edge Pro physical device, Azure resource, and target storage account to which you transfer data do not all have to be in the same region.
+Azure Stack Edge Pro GPU physical device, Azure resource, and target storage account to which you transfer data do not all have to be in the same region.
- **Resource availability** - For this release, the resource is available in East US, West EU, and South East Asia regions. -- **Device availability** - For a list of all the countries/regions where the Azure Stack Edge Pro device is available, go to **Availability** section in the **Azure Stack Edge Pro** tab for [Azure Stack Edge Pro pricing](https://azure.microsoft.com/pricing/details/azure-stack/edge/#azureStackEdgePro).
+- **Device availability** - For a list of all the countries/regions where the Azure Stack Edge Pro GPU device is available, go to **Availability** section in the **Azure Stack Edge Pro** tab for [Azure Stack Edge Pro GPU pricing](https://azure.microsoft.com/pricing/details/azure-stack/edge/#azureStackEdgePro).
-- **Destination Storage accounts** - The storage accounts that store the data are available in all Azure regions. The regions where the storage accounts store Azure Stack Edge Pro data should be located close to where the device is located for optimum performance. A storage account located far from the device results in long latencies and slower performance.
+- **Destination Storage accounts** - The storage accounts that store the data are available in all Azure regions. The regions where the storage accounts store Azure Stack Edge Pro GPU data should be located close to where the device is located for optimum performance. A storage account located far from the device results in long latencies and slower performance.
Azure Stack Edge service is a non-regional service. For more information, see [Regions and Availability Zones in Azure](../availability-zones/az-overview.md). Azure Stack Edge service does not have dependency on a specific Azure region, making it resilient to zone-wide outages and region-wide outages. ## Next steps -- Review the [Azure Stack Edge Pro system requirements](azure-stack-edge-gpu-system-requirements.md).
+- Review the [Azure Stack Edge Pro GPU system requirements](azure-stack-edge-gpu-system-requirements.md).
-- Understand the [Azure Stack Edge Pro limits](azure-stack-edge-limits.md).-- Deploy [Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-prep.md) in Azure portal.
+- Understand the [Azure Stack Edge Pro GPU limits](azure-stack-edge-limits.md).
+- Deploy [Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-prep.md) in Azure portal.
databox-online Azure Stack Edge Gpu System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-system-requirements.md
Last updated 04/26/2021 -+ # System requirements for Azure Stack Edge Pro with GPU
databox-online Azure Stack Edge Mini R Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-mini-r-overview.md
Previously updated : 03/03/2021 Last updated : 04/19/2021 #Customer intent: As an IT admin, I need to understand what Azure Stack Edge Mini R is and how it works so I can use it to process and transform data before sending to Azure.
The Azure Stack Edge Mini R solution comprises of an Azure Stack Edge resource,
* **Azure Stack Edge Mini R local web UI** - A browser-based local user interface on your Azure Stack Edge Mini R device primarily intended for the initial configuration of the device. Use the local web UI also to run diagnostics, shut down and restart the Azure Stack Edge Pro device, view copy logs, and contact Microsoft Support to file a service request.
+ [!INCLUDE [azure-stack-edge-gateway-local-web-ui-languages](../../includes/azure-stack-edge-gateway-local-web-ui-languages.md)]
## Region availability
databox-online Azure Stack Edge Pro R Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-pro-r-overview.md
Previously updated : 02/22/2021 Last updated : 04/19/2021 #Customer intent: As an IT admin, I need to understand what Azure Stack Edge Pro R is and how it works so I can use it to process and transform data before sending to Azure.
The Azure Stack Edge Pro R solution comprises of an Azure Stack Edge resource, A
- **Azure Stack Edge Pro R local web UI** - A browser-based local user interface on your Azure Stack Edge Pro R device primarily intended for the initial configuration of the device. Use the local web UI also to run diagnostics, shut down and restart the Azure Stack Edge Pro device, view copy logs, and contact Microsoft Support to file a service request.
+ [!INCLUDE [azure-stack-edge-gateway-local-web-ui-languages](../../includes/azure-stack-edge-gateway-local-web-ui-languages.md)]
+ ## Region availability
databox Data Box Deploy Picked Up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-deploy-picked-up.md
Previously updated : 05/06/2021 Last updated : 05/07/2021 ms.localizationpriority: high
Once the upload to Azure is complete, the Data Box erases the data on its disks
::: zone target="docs" ::: zone-end -->
Once the upload to Azure is complete, the Data Box erases the data on its disks
[!INCLUDE [data-box-verify-upload-return](../../includes/data-box-verify-upload-return.md)] ::: zone-end-
databox Data Box Disk Contact Microsoft Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-disk-contact-microsoft-support.md
Previously updated : 05/24/2019 Last updated : 05/04/2021 # Open a support ticket for Azure Data Box
After creating a support ticket, you can manage the lifecycle of the ticket from
## Next steps Learn how to [Troubleshoot issues related to Data Box Disk](data-box-disk-troubleshoot.md).
-Learn how to [Troubleshoot issues related to Data Box](data-box-troubleshoot.md).
+
+Learn how to [Troubleshoot issues related to a Data Box](data-box-troubleshoot.md).
+
+Learn how to [Review copy errors in an upload from a Data Box or Data Box Disk device](data-box-troubleshoot-data-upload.md).
+ Learn how to [Troubleshoot issues related to Data Box Blob storage](data-box-troubleshoot-rest.md).
databox Data Box Disk Portal Customer Managed Shipping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-disk-portal-customer-managed-shipping.md
Previously updated : 05/07/2021 Last updated : 05/08/2021
When you place a Data Box Disk order, you can choose self-managed shipping optio
**Instructions for Brazil:** If you're scheduling a device pickup in Brazil, include the following information in your email. The datacenter will schedule the pickup after they receive an inbound `Nota Fiscal`, which can take up to 4 business days.
- ```xml
+ ```
Subject: Request Azure Data Box Disk pickup for order: <ordername> - Order name
When you place a Data Box Disk order, you can choose self-managed shipping optio
**Instructions for Brazil:** To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:
- ```xml
- Subject: Request Azure Data Box Disk dropoff for order: <ordername>
+ ```
+ Subject: Request Azure Data Box Disk drop-off for order: <ordername>
- Order name - Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)
- - Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at dropoff.)
+ - Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)
``` 10. After you receive an appointment for drop-off, the order should be in the **Ready to receive at Azure datacenter** state in the Azure portal.
databox Data Box Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-faq.md
Previously updated : 02/25/2021 Last updated : 05/11/2021
Questions and answers are arranged in the following categories:
- Order device - Configure and connect - Track status-- Copy data
+- Migrate data
- Ship device - Verify and upload data - Chain of custody support
A. During the transit, the following features on the Data Box help protect the
- The device is locked and needs an unlock password to enter and access data. For more information, go to [Data Box security features](data-box-security.md).
-### Q. I have finished Prepare to Ship for my import order and shut down the device. Can I still add more data to the Data Box?
-A. Yes. You can turn on the device and add more data. You will need to run **Prepare to Ship** again once you have completed data copy.
+### Q. I finished Prepare to Ship for my import order and shut down the device. Can I still add more data to the Data Box?
+A. Yes. You can turn on the device and add more data. You'll need to run **Prepare to Ship** again once you have completed the data copy.
-### Q. I received my device and it is not booting up? How do I ship the device back?
+### Q. I received my device and it's not booting up? How do I ship the device back?
A. If your device isn't booting, go to your order in the Azure portal. Download a shipping label, and attach it to the device. For more information, go to [Download shipping label](data-box-portal-admin.md#download-shipping-label). ## Verify and upload ### Q. How soon can I access my data in Azure once I've shipped the Data Box back?
-A. Once the order status for **Data Copy** shows as **Complete**, you should be able to access your data right away.
+A. Once the order status for **Data Copy** shows as **Complete**, you can access your data right away.
### Q. Where is my data located in Azure after the upload? A. When you copy the data to Data Box, depending on whether the data is block blob or page blob or Azure files, the data is uploaded to one of the following paths in your Azure Storage account:
A. If the container names have uppercase letters, those names are automatically
- [Naming and referencing shares](/rest/api/storageservices/naming-and-referencing-shares--directories--files--and-metadata) - [Block blobs and page blob conventions](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs). +
+### Q. I was notified of copy errors during a data upload from my Data Box. What should I do?
+A. When non-retryable data copy errors prevent any files in your import order from uploading to Azure, the errors are logged in the data copy log and you get a notification. You can't fix the errors. The upload has completed with errors. The notification is sent to make sure you know that the files didn't upload so you can fix any configuration errors before you try again. When you confirm that you're ready to proceed, the data will be secure erased from the device. If you don't respond, the order completes automatically after 14 days.
+
+For error information and steps to proceed with your order, see [Review copy errors in uploads from Azure Data Box and Azure Data Box Heavy devices](data-box-troubleshoot-data-upload.md).
++ ### Q. How do I verify the data I copied onto Data Box? A. After the data copy is complete, when you run **Prepare to ship**, your data is validated. Data Box generates a list of files and checksums for the data during the validation process. You can download the list of files and verify the list against the files in the source data. For more information, go to [Prepare to ship](data-box-deploy-picked-up.md#prepare-to-ship).
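Review bot: In the new copy-errors answer, "You can't fix the errors" is followed two sentences later by "so you can fix any configuration errors before you try again", which reads as a contradiction. Suggest saying that the failed files can't be retried in the current upload and that the configuration should be corrected before a new import order or network transfer. "the data will be secure erased" should read "securely erased". It would also help to state explicitly whether the files that failed to upload are erased with the rest when the order auto-completes after 14 days, since the reader may need to keep the source copy until then.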
databox Data Box Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-logs.md
Previously updated : 07/10/2020 Last updated : 05/10/2021
A Data Box or Data Box Heavy import order goes through the following steps: order, set up, data copy, return, upload to Azure and verify, and data erasure. Corresponding to each step in the order, you can take multiple actions to control the access to the order, audit the events, track the order, and interpret the various logs that are generated.
-The following table shows a summary of the Data Box or Data Box Heavy import order steps and the tools available to track and audit the order during each step.
+The following table gives a summary of each step in processing an import order and the tools available to track and audit the order during the step.
-| Data Box import order stage | Tool to track and audit |
-|-||
+| Data Box import order stage| Tool to track and audit|
+|-||
| Create order | [Set up access control on the order via Azure RBAC](#set-up-access-control-on-the-order) | | Order processed | [Track the order](#track-the-order) through <ul><li> Azure portal </li><li> Shipping carrier website </li><li>Email notifications</ul> | | Set up device | Device credentials access logged in [Activity logs](#query-activity-logs-during-setup) |
During the data copy to Data Box or Data Box Heavy, an error file is generated i
Make sure that the copy jobs have finished with no errors. If there are errors during the copy process, download the logs from the **Connect and copy** page. -- If you copied a file that is not 512 bytes aligned to a managed disk folder on your Data Box, the file isn't uploaded as page blob to your staging storage account. You will see an error in the logs. Remove the file and copy a file that is 512 bytes aligned.-- If you copied a VHDX, or a dynamic VHD, or a differencing VHD (these files are not supported), you will see an error in the logs.
+- If you copied a file that is not 512 bytes aligned to a managed disk folder on your Data Box, the file isn't uploaded as a page blob to your staging storage account. You will see an error in the logs. Remove the file, and copy a file that is 512 bytes aligned.
+- If you copied a VHDX, or a dynamic VHD, or a differencing VHD (these file types are not supported), you will see an error in the logs.
Here is a sample of the *error.xml* for different errors when copying to managed disks.
For more information on the errors received during prepare to ship, go to [Troub
### BOM or manifest file
-The BOM or manifest file contains the list of all the files that are copied to the Data Box device. The BOM file has file names and the corresponding sizes as well as the checksum. A separate BOM file is created for the block blobs, page blobs, Azure Files, for copy via the REST APIs, and for the copy to managed disks on the Data Box. You can download the BOM files from the local web UI of the device during the prepare to ship.
+The BOM or manifest file contains the list of all the files that are copied to the Data Box device. The BOM file has file names and file sizes, and the checksum. A separate BOM file is created for the block blobs, page blobs, Azure Files, for copy via the REST APIs, and for the copy to managed disks on the Data Box. You can download the BOM files from the local web UI of the device during the prepare to ship.
These files also reside on the Data Box device and are uploaded to the associated storage account in the Azure datacenter.
During the data upload to Azure, a copy log is created.
### Copy log
-For each order that is processed, the Data Box service creates copy log in the associated storage account. The copy log has the total number of files that were uploaded and the number of files that errored out during the data copy from Data Box to your Azure storage account.
+For each order that is processed, the Data Box service creates a copy log in the associated storage account. The copy log has the total number of files that were uploaded and the number of files that errored out during the data copy from Data Box to your Azure storage account.
A Cyclic Redundancy Check (CRC) computation is done during the upload to Azure. The CRCs from the data copy and after the data upload are compared. A CRC mismatch indicates that the corresponding files failed to upload.
The copy log path is also displayed on the **Overview** blade for the portal.
![Path to copy log in Overview blade when completed](media/data-box-logs/copy-log-path-1.png)
-### Upload completed successfully
+### Upload completed successfully
The following sample describes the general format of a copy log for a Data Box upload that completed successfully:
The following sample describes the general format of a copy log for a Data Box u
</CopyLog> ```
-### Upload completed with errors
-
-Upload to Azure may also complete with errors.
-
-![Path to copy log in Overview blade when completed with errors](media/data-box-logs/copy-log-path-2.png)
-
-Here is an example of a copy log where the upload completed with errors:
-
-```xml
-<ErroredEntity Path="iso\samsungssd.iso">
- <Category>UploadErrorCloudHttp</Category>
- <ErrorCode>409</ErrorCode>
- <ErrorMessage>The blob type is invalid for this operation.</ErrorMessage>
- <Type>File</Type>
-</ErroredEntity><ErroredEntity Path="iso\iSCSI_Software_Target_33.iso">
- <Category>UploadErrorCloudHttp</Category>
- <ErrorCode>409</ErrorCode>
- <ErrorMessage>The blob type is invalid for this operation.</ErrorMessage>
- <Type>File</Type>
-</ErroredEntity><CopyLog Summary="Summary">
- <Status>Failed</Status>
- <TotalFiles_Blobs>72</TotalFiles_Blobs>
- <FilesErrored>2</FilesErrored>
-</CopyLog>
-```
### Upload completed with warnings
-Upload to Azure completes with warnings if your data had container/blob/file names that didn't conform to Azure naming conventions and the names were modified to upload the data to Azure.
+Upload to Azure completes with warnings if your data had container, blob, or file names that didn't conform to Azure naming conventions and the names were modified in order to upload the data to Azure.
![Path to copy log in Overview blade when completed with warnings](media/data-box-logs/copy-log-path-3.png)
-Here is an example of a copy log where the containers that did not conform to Azure naming conventions were renamed during the data upload to Azure.
+Here is an example of a copy log where the containers that didn't conform to Azure naming conventions were renamed during the data upload to Azure.
-The new unique names for containers are in the format `DataBox-GUID` and the data for the container are put into the new renamed container. The copy log specifies the old and the new container name for container.
+The unique names for the new containers are in the format `DataBox-GUID`. The data from the original containers is put in the new, renamed containers. The copy log specifies the old and new container names.
```xml <ErroredEntity Path="New Folder">
The new unique names for containers are in the format `DataBox-GUID` and the dat
</ErroredEntity> ```
-Here is an example of a copy log where the blobs or files that did not conform to Azure naming conventions, were renamed during the data upload to Azure. The new blob or file names are converted to SHA256 digest of relative path to container and are uploaded to path based on destination type. The destination can be block blobs, page blobs, or Azure Files.
+Here is an example of a copy log in which blobs or files that didn't conform to Azure naming conventions were renamed during the data upload to Azure. The new blob or file names are converted to SHA256 digest of relative path to container and are uploaded to the path based on the destination type. The destination can be block blobs, page blobs, or Azure Files.
The `copylog` specifies the old and the new blob or file name and the path in Azure.
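Review bot: The rewritten sentence "The new blob or file names are converted to SHA256 digest of relative path to container" still drops its articles and does not say how the digest is encoded in the resulting name. Suggest "converted to the SHA-256 digest of the path relative to the container" and naming the encoding, so a reader can recompute the name and match a renamed blob back to its source file.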
The `copylog` specifies the old and the new blob or file name and the path in Az
</ErroredEntity> ``` +
+### Upload completed with errors
+
+Upload to Azure may also complete with errors.
+
+![Path to copy log in Overview blade when completed with errors](media/data-box-logs/copy-log-path-2.png)
+
+You may occasionally get a non-retryable error that causes a file not to upload. In that case, you'll receive a notification. For information about how to follow up on the notification, see [Review copy errors in data uploads from Azure Data Box and Azure Data Box Heavy devices](data-box-troubleshoot-data-upload.md).
+
+Here is an example of a copy log where the upload completed with errors:
+
+```xml
+<ErroredEntity Path="iso\samsungssd.iso">
+ <Category>UploadErrorCloudHttp</Category>
+ <ErrorCode>409</ErrorCode>
+ <ErrorMessage>The blob type is invalid for this operation.</ErrorMessage>
+ <Type>File</Type>
+</ErroredEntity><ErroredEntity Path="iso\iSCSI_Software_Target_33.iso">
+ <Category>UploadErrorCloudHttp</Category>
+ <ErrorCode>409</ErrorCode>
+ <ErrorMessage>The blob type is invalid for this operation.</ErrorMessage>
+ <Type>File</Type>
+</ErroredEntity><CopyLog Summary="Summary">
+ <Status>Failed</Status>
+ <TotalFiles_Blobs>72</TotalFiles_Blobs>
+ <FilesErrored>2</FilesErrored>
+</CopyLog>
+```
+ ## Get chain of custody logs after data erasure After the data is erased from the Data Box disks as per the NIST SP 800-88 Revision 1 guidelines, the chain of custody logs are available. These logs include the audit logs and the order history. The BOM or manifest files are also copied with the audit logs.
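Review bot: The relocated sample runs elements together on one line (`</ErroredEntity><ErroredEntity Path="iso\iSCSI_Software_Target_33.iso">` and `</ErroredEntity><CopyLog Summary="Summary">`) and has no single root element, so it will not load in a strict XML parser as shown. Put each element on its own line and say whether the real copy log has this shape. The summary also reports `<Status>Failed</Status>` with 2 of 72 files errored under a heading that says the upload "completed with errors"; one sentence tying the Failed status to that order state would avoid confusion.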
databox Data Box Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-overview.md
Previously updated : 12/18/2020 Last updated : 04/19/2021 #Customer intent: As an IT admin, I need to understand what Data Box is and how it works so I can use it to import on-premises data into Azure or export data from Azure.
The Data Box includes the following components:
![The Data Box local web UI](media/data-box-overview/data-box-local-web-ui.png)
+ The local web UI on the device currently supports the following languages with their corresponding language codes:
+
+ | Language | Code | Language | Code | Language | Code |
+ |-||-|--|-|--|
+ | English {default} | en | Czech | cs | German | de |
+ | Spanish | es | French | fr | Hungarian | hu |
+ | Italian | it | Japanese | ja | Korean | ko |
+ | Dutch | nl | Polish | pl | Portuguese - Brazil | pt-br |
+ | Portuguese - Portugal| pt-pt| Russian | ru | Swedish | sv |
+ | Turkish | tr | Chinese - simplified | zh-hans| | |
+ For information about using the web-based UI, go to [Use the web-based UI to administer your Data Box](data-box-portal-ui-admin.md). ## The workflow
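Review bot: In the new language table, "English {default}" uses braces where parentheses are expected; suggest "English (default)". The intro sentence lists "corresponding language codes" without saying where a reader uses the code (a setting in the local web UI, a URL parameter, or something else), so the Code columns have no stated purpose.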
databox Data Box Portal Customer Managed Shipping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-portal-customer-managed-shipping.md
Previously updated : 05/07/2021 Last updated : 05/08/2021
When you place a Data Box order, you can choose the self-managed shipping option
**Instructions for Brazil:** If you're scheduling a device pickup in Brazil, include the following information in your email. The datacenter will schedule the pickup after they receive an inbound `Nota Fiscal`, which can take up to 4 business days.
- ```xml
+ ```
Subject: Request Azure Data Box Disk pickup for order: <ordername> - Order name
When you place a Data Box order, you can choose the self-managed shipping option
**Instructions for Brazil:** To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:
- ```xml
- Subject: Request Azure Data Box Disk dropoff for order: <ordername>
+ ```
+ Subject: Request Azure Data Box Disk drop-off for order: <ordername>
- Order name - Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)
- - Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at dropoff.)
+ - Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)
``` 10. If you've received an appointment for drop-off, the order should have **Ready to receive at Azure datacenter** status in the Azure portal. Follow the instructions under **Schedule drop-off** to return the device.
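Review bot: This is the Data Box article ("When you place a Data Box order"), yet the updated template still reads "Subject: Request Azure Data Box Disk drop-off for order: <ordername>" and "the person who will drop off the Data Box Disk"; the pickup template in the previous hunk has the same "Data Box Disk pickup" subject. If this text was carried over from the Data Box Disk article, correct the product name here so the email matches the device being returned.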
databox Data Box Troubleshoot Data Upload https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-troubleshoot-data-upload.md
+
+ Title: Review copy errors in uploads from Azure Data Box, Azure Data Box Heavy devices
+description: Describes review and follow-up for non-retryable errors that prevent files from uploading from an Azure Data Box or Azure Data Box Heavy device.
++++++ Last updated : 05/10/2021+++
+# Review copy errors in uploads from Azure Data Box and Azure Data Box Heavy devices
+
+This article describes review and follow-up for non-retryable errors that occasionally prevent files from uploading to the cloud from an Azure Data Box or Azure Data Box Heavy device.
+
+> [!NOTE]
+> The information in this article applies to import orders only.
+
+## Upload errors notification
+
+When data is uploaded to Azure from your device, some file uploads might occasionally fail because of configuration errors that can't be resolved through a retry. In that case, you receive a notification to give you a chance to review and fix the errors for a later upload.
+
+You'll see the following notification in the Azure portal. The errors are listed in the data copy log, which you can open using the **DATA COPY PATH**. For guidance on resolving the errors, see [Summary of non-retryable upload errors](#summary-of-non-retryable-upload-errors).
+
+![Notification of errors during upload](media/data-box-troubleshoot-data-upload/copy-completed-with-errors-notification-01.png)
+
+You can't fix these errors. The upload has completed with errors. The notification lets you know about any configuration issues you need to fix before you try another upload via network transfer or a new import order.
+
+After you review the errors and confirm that you're ready to proceed, the data will be secure erased from the device. If you don't respond to the notification, the order is completed automatically after 14 days. For step-by-step instructions, see [Review errors and proceed](#review-errors-and-proceed).
++
+## Review errors and proceed
+
+The order will be completed automatically after 14 days. By acting on the notification, you can move things along more quickly.
+++
+## Summary of non-retryable upload errors
+
+The following non-retryable errors result in a notification:
+
+|Error category |Error code |Error message |
+|-|--||
+|UploadErrorCloudHttp |400 |Bad Request (file name not valid) [Learn more](#bad-request-file-name-not-valid).|
+|UploadErrorCloudHttp |400 |The value for one of the HTTP headers is not in the correct format. [Learn more](#the-value-for-one-of-the-http-headers-is-not-in-the-correct-format).|
+|UploadErrorCloudHttp |409 |This operation is not permitted as the blob is immutable due to a policy. [Learn more](#this-operation-is-not-permitted-as-the-blob-is-immutable-due-to-policy).|
+|UploadErrorCloudHttp |409 |The total provisioned capacity of the shares cannot exceed the account maximum size limit. [Learn more](#the-total-provisioned-capacity-of-the-shares-cannot-exceed-the-account-maximum-size-limit).|
+|UploadErrorCloudHttp |409 |The blob type is invalid for this operation. [Learn more](#the-blob-type-is-invalid-for-this-operation).|
+|UploadErrorCloudHttp |409 |There is currently a lease on the blob and no lease ID was specified in the request. [Learn more](#there-is-currently-a-lease-on-the-blob-and-no-lease-id-was-specified-in-the-request).|
+|UploadErrorManagedConversionError |409 |The size of the blob being imported is invalid. The blob size is `<blob-size>` bytes. Supported sizes are between 20971520 Bytes and 8192 GiB. [Learn more](#the-size-of-the-blob-being-imported-is-invalid-the-blob-size-is-blob-size-bytes-supported-sizes-are-between-20971520-bytes-and-8192-gib)|
+<!--Temporarily removed from table: Bad Request (file property failure for Azure Files)-->
+
+For more information about the data copy log's contents, see [Tracking and event logging for your Azure Data Box and Azure Data Box Heavy import order](data-box-logs.md).
+
+Other REST API errors might occur during data uploads. For more information, see [Common REST API error codes](/rest/api/storageservices/common-rest-api-error-codes).
+
+> [!NOTE]
+> The **Follow-up** sections in the error descriptions describe how to update your data configuration before you place a new import order or perform a network transfer. You can't fix these errors in the current upload.
++
+### Bad Request (file name not valid)
+
+**Error category:** UploadErrorCloudHttp
+
+**Error code:** 400
+
+**Error description:** Most file naming issues are caught during the **Prepare to ship** phase or fixed automatically during the upload (resulting in a **Copy with warnings** status). When an invalid file name is not caught, the file fails to upload to Azure.
+
+**Follow-up:** You can't fix this error in the current upload. The upload has completed with errors. Before you do a network transfer or start a new order, rename the listed files to meet naming requirements for Azure Files. For naming requirements, see [Directory and File Names](/rest/api/storageservices/naming-and-referencing-shares--directories--files--and-metadata#directory-and-file-names).
++
+<!--TEMPORARILY REMOVED. Product team may restore later. ### Bad Request (File property failure for Azure Files)
+
+**Error category:** UploadErrorCloudHttp
+
+**Error code:** 400
+
+**Error description:** Data import will fail if the upload of file properties fails for Azure Files.
+
+**Follow-up:** You can't fix this error in the current upload. The upload will complete with errors. Before you do a network transfer or start a new import order, *GET TROUBLESHOOTING*.-->
++
+### The value for one of the HTTP headers is not in the correct format
+
+**Error category:** UploadErrorCloudHttp
+
+**Error code:** 400
+
+**Error description:** The listed blobs couldn't be uploaded because they don't meet format or size requirements for blobs in Azure storage.
+
+**Follow-up:** You can't fix this error in the current upload. The upload has completed with errors. Before you do a network transfer or start a new import order, ensure that:
+
+- The listed page blobs align to the 512-byte page boundaries.
+
+- The listed block blobs do not exceed the 4.75-TiB maximum size.
++
+### This operation is not permitted as the blob is immutable due to policy
+
+**Error category:** UploadErrorCloudHttp
+
+**Error code:** 409
+
+**Error description:** If a blob storage container is configured as Write Once, Read Many (WORM), upload of any blobs that are already stored in the container will fail.
+
+**Follow-up:** You can't fix this error in the current upload. The upload has completed with errors. Before you do a network transfer or start a new import order, make sure the listed blobs are not part of an immutable storage container. For more information, see [Store business-critical blob data with immutable storage](/azure/storage/blobs/storage-blob-immutable-storage).
++
+### The total provisioned capacity of the shares cannot exceed the account maximum size limit
+
+**Error category:** UploadErrorCloudHttp
+
+**Error code:** 409
+
+**Error description:** The upload failed because the total size of the data exceeds the storage account size limit. For example, the maximum capacity of a FileStorage account is 100 TiB. If total data size exceeds 100 TiB, the upload will fail.
+
+**Follow-up:** You can't fix this error in the current upload. The upload has completed with errors. Before you do a network transfer or start a new import order, make sure the total capacity of all shares in the storage account will not exceed the size limit of the storage account. For more information, see [Azure storage account size limits](data-box-limits.md#azure-storage-account-size-limits).
++
+### The blob type is invalid for this operation
+
+**Error category:** UploadErrorCloudHttp
+
+**Error code:** 409
+
+**Error description:** Data import to a blob in the cloud will fail if the destination blob's data or properties are being modified.
+
+**Follow-up:** You can't fix this error in the current upload. The upload has completed with errors. Before you do a network transfer or start a new import order, make sure there is no concurrent modification of the listed blobs or their properties during the upload.
+
+### There is currently a lease on the blob and no lease ID was specified in the request
+
+**Error category:** UploadErrorCloudHttp
+
+**Error code:** 409
+
+**Error description:** Data import to a blob in the cloud will fail if the destination blob has an active lease.
+
+**Follow-up:** You can't fix this error in the current upload. The upload has completed with errors. Before you do a network transfer or start a new import order, ensure that the listed blobs do not have an active lease. For more information, see [Pessimistic concurrency for blobs](/azure/storage/blobs/concurrency-manage?tabs=dotnet#pessimistic-concurrency-for-blobs).
++
+### The size of the blob being imported is invalid. The blob size is `<blob-size>` Bytes. Supported sizes are between 20971520 Bytes and 8192 GiB.
+
+**Error category:** UploadErrorManagedConversionError
+
+**Error code:** 409
+
+**Error description:** The listed page blobs failed to upload because they are not a size that can be converted to a Managed Disk. To be converted to a Managed Disk, a page blob must be from 20 MB (20,971,520 Bytes) to 8192 GiB in size.
+
+**Follow-up:** You can't fix this error in the current upload. The upload has completed with errors. Before you do a network transfer or start a new import order, make sure each listed blob is from 20 MB to 8192 GiB in size.
++
+## Next steps
+
+- [Review common REST API errors](/rest/api/storageservices/common-rest-api-error-codes).
+- [Verify a data upload to Azure](data-box-deploy-picked-up.md?tabs=in-us-canada-europe#verify-data-upload-to-azure-8)
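Review bot: In the managed-disk size section, "from 20 MB (20,971,520 Bytes) to 8192 GiB" mixes units: 20,971,520 bytes is 20 MiB, and the follow-up repeats "20 MB". Use MiB, or give the lower bound in bytes as the error message does. Separately, the notification section says the notice gives "a chance to review and fix the errors for a later upload" and two paragraphs later "You can't fix these errors"; wording the first as correcting the configuration before a later upload would remove the conflict. "secure erased" should be "securely erased", and the table text "immutable due to a policy" differs from the section heading "immutable due to policy".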
defender-for-iot How To Forward Alert Information To Partners https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-forward-alert-information-to-partners.md
Enter the following parameters:
After you enter all the information, select **Submit**.
+#### Webhook server action
+
+Send alert information to a webhook server. Working with webhook servers lets you set up integrations that subscribe to alert events with Defender for IoT. When an alert event is triggered,the management console sends a HTTP POST payload to the webhook's configured URL. Webhooks can be used to update an external SIEM system, SOAR systems, Incident management systems, etc.
+
+**To define to a webhook action:**
+
+1. Select the Webhook action.
++
+1. Enter the server address in the **URL**field.
+1. In the **Key** and **Value**fields, customize the HTTP header with a key and value definition. Keys can only contain letters, numbers, dashes, and underscores. Values can only contain one leading and/or one trailing space.
+1. Select **Save**.
+ #### NetWitness action Send alert information to a NetWitness server.
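Review bot: The new webhook section says the console "sends a HTTP POST payload to the webhook's configured URL" but does not say whether the URL must be HTTPS or how the receiving server can authenticate the sender. The Key/Value header is the only control shown, so state whether it is meant to carry a shared secret or token, and recommend an HTTPS endpoint, since alert data leaves the management console. The rule "Values can only contain one leading and/or one trailing space" is ambiguous as written. Typos in the added lines: "triggered,the", "a HTTP" (an HTTP), "To define to a webhook action", "**URL**field", "**Value**fields".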
digital-twins Concepts Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-cli.md
# Azure Digital Twins CLI command set
-In addition to managing your Azure Digital Twins instance in the Azure portal, Azure Digital Twins has a **command set for the [Azure CLI](/cli/azure/what-is-azure-cli)** that you can use to perform most major actions with the service, including:
+In addition to managing your Azure Digital Twins instance in the Azure portal, Azure Digital Twins has a command set for the [Azure CLI](/cli/azure/what-is-azure-cli) that you can use to perform most major actions with the service, including:
* Managing an Azure Digital Twins instance * Managing models * Managing digital twins
The Azure CLI will automatically prompt you to install the extension on the firs
Alternatively, you can use the following command to install the extension yourself at any time (or update it if it turns out that you already have an older version). The command can be run in either the [Azure Cloud Shell](../cloud-shell/overview.md) or a [local Azure CLI](/cli/azure/install-azure-cli). ```azurecli-interactive
-az extension add --upgrade -n azure-iot
+az extension add --upgrade --name azure-iot
``` ## Next steps
digital-twins Concepts Models https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-models.md
DTDL also allows for **relationships** to have properties of their own. When def
## Model inheritance
-Sometimes, you may want to specialize a model further. For example, it might be useful to have a generic model *Room*, and specialized variants *ConferenceRoom* and *Gym*. To express specialization, DTDL supports inheritance: interfaces can inherit from one or more other interfaces.
+Sometimes, you may want to specialize a model further. For example, it might be useful to have a generic model Room, and specialized variants ConferenceRoom and Gym. To express specialization, DTDL supports inheritance: interfaces can inherit from one or more other interfaces.
-The following example re-imagines the *Planet* model from the earlier DTDL example as a subtype of a larger *CelestialBody* model. The "parent" model is defined first, and then the "child" model builds on it by using the field `extends`.
+The following example re-imagines the Planet model from the earlier DTDL example as a subtype of a larger CelestialBody model. The "parent" model is defined first, and then the "child" model builds on it by using the field `extends`.
:::code language="json" source="~/digital-twins-docs-samples/models/CelestialBody-Planet-Crater.json":::
-In this example, *CelestialBody* contributes a name, a mass, and a temperature to *Planet*. The `extends` section is an interface name, or an array of interface names (allowing the extending interface to inherit from multiple parent models if desired).
+In this example, CelestialBody contributes a name, a mass, and a temperature to Planet. The `extends` section is an interface name, or an array of interface names (allowing the extending interface to inherit from multiple parent models if desired).
Once inheritance is applied, the extending interface exposes all properties from the entire inheritance chain.
In addition to primitive types, *Property* and *Telemetry* fields can have these
This section contains an example of a typical model, written as a DTDL interface. The model describes **planets**, each with a name, a mass, and a temperature.
-Consider that planets may also interact with **moons** that are their satellites, and may contain **craters**. In the example below, the `Planet` model expresses connections to these other entities by referencing two external modelsΓÇö`Moon` and `Crater`. These models are also defined in the example code below, but are kept very simple so as not to detract from the primary `Planet` example.
+Consider that planets may also interact with **moons** that are their satellites, and may contain **craters**. In the example below, the Planet model expresses connections to these other entities by referencing two external modelsΓÇöMoon and Crater. These models are also defined in the example code below, but are kept very simple so as not to detract from the primary Planet example.
:::code language="json" source="~/digital-twins-docs-samples/models/Planet-Crater-Moon.json":::
The fields of the model are:
| `contents` | All remaining interface data is placed here, as an array of attribute definitions. Each attribute must provide a `@type` (*Property*, *Telemetry*, *Command*, *Relationship*, or *Component*) to identify the sort of interface information it describes, and then a set of properties that define the actual attribute (for example, `name` and `schema` to define a *Property*). | > [!NOTE]
-> Note that the component interface (*Crater* in this example) is defined in the same array as the interface that uses it (*Planet*). Components must be defined this way in API calls in order for the interface to be found.
+> Note that the component interface (Crater in this example) is defined in the same array as the interface that uses it (Planet). Components must be defined this way in API calls in order for the interface to be found.
## Best practices for designing models
_**For uploading models to Azure Digital Twins**_
Once you are finished creating, extending, or selecting your models, you can upload them to your Azure Digital Twins instance to make them available for use in your solution. This is done using the [Azure Digital Twins APIs](concepts-apis-sdks.md), as described in [How-to: Manage DTDL models](how-to-manage-model.md#upload-models).
-However, if you have many models to uploadΓÇöor if they have many interdependencies that would make ordering individual uploads complicatedΓÇöyou can use this sample to upload many models at once: [Azure Digital Twins Model Uploader](https://github.com/Azure/opendigitaltwins-building-tools/tree/master/ModelUploader). Follow the instructions provided with the sample to configure and use this project to upload models into your own instance.
+However, if you have many models to uploadΓÇöor if they have many interdependencies that would make ordering individual uploads complicatedΓÇöyou can use [this Azure Digital Twins Model Uploader sample](https://github.com/Azure/opendigitaltwins-building-tools/tree/master/ModelUploader) to upload many models at once. Follow the instructions provided with the sample to configure and use this project to upload models into your own instance.
### Model visualizer
digital-twins Concepts Ontologies Adopt https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-ontologies-adopt.md
# Adopting an industry ontology
-Because it can be easier to start with an open-source DTDL ontology than starting from a blank page, Microsoft is partnering with domain experts to publish ontologies, which represent widely accepted industry conventions and support a variety of customer use cases.
+Because it can be easier to start with an open-source DTDL ontology than starting from a blank page, Microsoft is partnering with domain experts to publish ontologies, which represent widely accepted industry conventions and support various customer use cases.
The result is a set of open-source DTDL-based ontologies, which learn from, build on, learn from, or directly use industry standards. The ontologies are designed to meet the needs of downstream developers, with the potential to be widely adopted and/or extended by the industry.
At this time, Microsoft has worked with partners to develop an ontology for [sma
## RealEstateCore smart building ontology
-*Find the ontology here:* [Digital Twins Definition Language-based RealEstateCore ontology for smart buildings](https://github.com/Azure/opendigitaltwins-building).
+*Get the ontology from the following repository:* [Digital Twins Definition Language-based RealEstateCore ontology for smart buildings](https://github.com/Azure/opendigitaltwins-building).
Microsoft has partnered with [RealEstateCore](https://www.realestatecore.io/), a Swedish consortium of real estate owners, software vendors, and research institutions, to deliver this open-source DTDL ontology for the real estate industry.
This smart buildings ontology provides common ground for modeling smart building
To learn more about the ontology's structure and modeling conventions, how to use it, how to extend it, and how to contribute, visit the ontology's repository on GitHub: [Azure/opendigitaltwins-building](https://github.com/Azure/opendigitaltwins-building).
-You can also read more about the partnership with RealEstateCore and goals for this initiative in this blog post and accompanying video: [RealEstateCore, a smart building ontology for digital twins, is now available](https://techcommunity.microsoft.com/t5/internet-of-things/realestatecore-a-smart-building-ontology-for-digital-twins-is/ba-p/1914794).
+You can also read more about the partnership with RealEstateCore and goals for this initiative in the following blog post and accompanying video: [RealEstateCore, a smart building ontology for digital twins, is now available](https://techcommunity.microsoft.com/t5/internet-of-things/realestatecore-a-smart-building-ontology-for-digital-twins-is/ba-p/1914794).
## Smart cities ontology
-*Find the ontology here:* [Digital Twins Definition Language (DTDL) ontology for Smart Cities](https://github.com/Azure/opendigitaltwins-smartcities).
+*Get the ontology from the following repository:* [Digital Twins Definition Language (DTDL) ontology for Smart Cities](https://github.com/Azure/opendigitaltwins-smartcities).
-Microsoft has collaborated with [Open Agile Smart Cities (OASC)](https://oascities.org/) and [Sirus](https://sirus.be/) to provide a DTDL-based ontology for smart cities, starting with [ETSI CIM NGSI-LD](https://www.etsi.org/committee/cim). In addition to ETSI NGSI-LD, weΓÇÖve also evaluated Saref4City, CityGML, ISO and others.
+Microsoft has collaborated with [Open Agile Smart Cities (OASC)](https://oascities.org/) and [Sirus](https://sirus.be/) to provide a DTDL-based ontology for smart cities, starting with [ETSI CIM NGSI-LD](https://www.etsi.org/committee/cim). In addition to ETSI NGSI-LD, weΓÇÖve also evaluated Saref4City, CityGML, ISO, and others.
-The current release of the ontology is focused on an initial set of models. The ontology authors welcome you to contribute to extend the initial set of use cases, as well as improve the existing models.
+The current release of the ontology is focused on an initial set of models. The ontology authors welcome you to contribute to extend the initial set of use cases and improve the existing models.
To learn more about the ontology, how to use it, and how to contribute, visit the ontology's repository on GitHub: [Azure/opendigitaltwins-smartcities](https://github.com/Azure/opendigitaltwins-smartcities).
-You can also read more about the partnerships and approach for smart cities in this blog post and accompanying video: [Smart Cities Ontology for Digital Twins](https://techcommunity.microsoft.com/t5/internet-of-things/smart-cities-ontology-for-digital-twins/ba-p/2166585).
+You can also read more about the partnerships and approach for smart cities in the following blog post and accompanying video: [Smart Cities Ontology for Digital Twins](https://techcommunity.microsoft.com/t5/internet-of-things/smart-cities-ontology-for-digital-twins/ba-p/2166585).
## Next steps
digital-twins Concepts Ontologies Convert https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-ontologies-convert.md
The following C# code snippet shows how an RDF model file is loaded into a graph
There is a sample application available that converts an RDF-based model file to [DTDL (version 2)](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md) for use by the Azure Digital Twins service. It has been validated for the [Brick](https://brickschema.org/ontology/) schema, and can be extended for other schemas in the building industry (such as [Building Topology Ontology (BOT)](https://w3c-lbd-cg.github.io/bot/), [Semantic Sensor Network](https://www.w3.org/TR/vocab-ssn/), or [buildingSmart Industry Foundation Classes (IFC)](https://technical.buildingsmart.org/standards/ifc/ifc-schema-specifications/)).
-The sample is a .NET Core command-line application called **RdfToDtdlConverter**.
-
-You can get the sample here: [RdfToDtdlConverter](/samples/azure-samples/rdftodtdlconverter/digital-twins-model-conversion-samples/).
+The sample is a [.NET Core command-line application called RdfToDtdlConverter](/samples/azure-samples/rdftodtdlconverter/digital-twins-model-conversion-samples/).
To download the code to your machine, select the **Browse code** button underneath the title on the sample page, which will take you to the GitHub repo for the sample. Select the **Code** button and **Download ZIP** to download the sample as a .zip file called *RdfToDtdlConverter-main.zip*. You can then unzip the file and explore the code.
digital-twins Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-security.md
For more information about how built-in roles are defined, see [Understand role
When referring to roles in automated scenarios, it's recommended to refer to them by their **IDs** rather than their names. The names may change between releases, but the IDs will not, making them a more stable reference in automation. > [!TIP]
-> If you're assiging roles with a cmdlet, such as `New-AzRoleAssignment` ([reference](/powershell/module/az.resources/new-azroleassignment)), you can use the `-RoleDefinitionId` parameter instead of `-RoleDefinitionName` to pass an ID instead of a name for the role.
+> If you're assigning roles with a cmdlet, such as `New-AzRoleAssignment` ([reference](/powershell/module/az.resources/new-azroleassignment)), you can use the `-RoleDefinitionId` parameter instead of `-RoleDefinitionName` to pass an ID instead of a name for the role.
### Permission scopes
digital-twins Concepts Twins Graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-twins-graph.md
In an Azure Digital Twins solution, the entities in your environment are represe
Before you can create a digital twin in your Azure Digital Twins instance, you need to have a *model* uploaded to the service. A model describes the set of properties, telemetry messages, and relationships that a particular twin can have, among other things. For the types of information that are defined in a model, see [Concepts: Custom models](concepts-models.md).
-After creating and uploading a model, your client app can create an instance of the type; this is a digital twin. For example, after creating a model of *Floor*, you may create one or several digital twins that use this type (like a *Floor*-type twin called *GroundFloor*, another called *Floor2*, etc.).
+After creating and uploading a model, your client app can create an instance of the type; this is a digital twin. For example, after creating a model of Floor, you may create one or several digital twins that use this type (like a Floor-type twin called GroundFloor, another called Floor2, etc.).
[!INCLUDE [digital-twins-versus-device-twins](../../includes/digital-twins-versus-device-twins.md)]
After creating and uploading a model, your client app can create an instance of
Twins are connected into a twin graph by their relationships. The relationships that a twin can have are defined as part of its model.
-For example, the model *Floor* might define a *contains* relationship that targets twins of type *room*. With this definition, Azure Digital Twins will allow you to create *contains* relationships from any *Floor* twin to any *Room* twin (including twins that are of *Room* subtypes).
+For example, the model Floor might define a *contains* relationship that targets twins of type Room. With this definition, Azure Digital Twins will allow you to create *contains* relationships from any Floor twin to any Room twin (including twins that are of Room subtypes).
The result of this process is a set of nodes (the digital twins) connected via edges (their relationships) in a graph.
This section shows what it looks like to create digital twins and relationships
### Create digital twins
-Below is a snippet of client code that uses the [DigitalTwins APIs](/rest/api/digital-twins/dataplane/twins) to instantiate a twin of type *Room*.
+Below is a snippet of client code that uses the [DigitalTwins APIs](/rest/api/digital-twins/dataplane/twins) to instantiate a twin of type Room.
You can initialize the properties of a twin when it is created, or set them later. To create a twin with initialized properties, create a JSON document that provides the necessary initialization values.
digital-twins How To Create Azure Function https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-create-azure-function.md
To make sure the bearer token is passed, set up [managed identities](../active-d
1. Use the following command to see the details of the system-managed identity for the function. Take note of the `principalId` field in the output. ```azurecli-interactive
- az functionapp identity show -g <your-resource-group> -n <your-App-Service-(function-app)-name>
+ az functionapp identity show --resource-group <your-resource-group> --name <your-App-Service-(function-app)-name>
``` >[!NOTE] > If the result is empty instead of showing identity details, create a new system-managed identity for the function by using this command: > >```azurecli-interactive
- >az functionapp identity assign -g <your-resource-group> -n <your-App-Service-(function-app)-name>
+ >az functionapp identity assign --resource-group <your-resource-group> --name <your-App-Service-(function-app)-name>
>``` > > The output displays details of the identity, including the `principalId` value required for the next step.
Make the URL of your instance accessible to your function by setting an environm
> The Azure Digital Twins instance's URL is made by adding *https://* to the beginning of your instance's host name. To see the host name, along with all the properties of your instance, run `az dt show --dt-name <your-Azure-Digital-Twins-instance>`. ```azurecli-interactive
-az functionapp config appsettings set -g <your-resource-group> -n <your-App-Service-(function-app)-name> --settings "ADT_SERVICE_URL=https://<your-Azure-Digital-Twins-instance-host-name>"
+az functionapp config appsettings set --resource-group <your-resource-group> --name <your-App-Service-(function-app)-name> --settings "ADT_SERVICE_URL=https://<your-Azure-Digital-Twins-instance-host-name>"
``` # [Azure portal](#tab/portal)
digital-twins How To Enable Managed Identities Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-enable-managed-identities-cli.md
This is done by adding an `--assign-identity` parameter to the `az dt create` co
To create an instance with a system managed identity, add the `--assign-identity` parameter like this: ```azurecli-interactive
-az dt create -n {new_instance_name} -g {resource_group} --assign-identity
+az dt create --dt-name {new_instance_name} --resource-group {resource_group} --assign-identity
``` ### Add a system-managed identity to an existing instance
This is also done with the `az dt create` command and `--assign-identity` parame
The command to **enable** managed identity is the same as the command to create an instance with a system managed identity. All that changes is the value of the instance name parameter: ```azurecli-interactive
-az dt create -n {name_of_existing_instance} -g {resource_group} --assign-identity
+az dt create --dt-name {name_of_existing_instance} --resource-group {resource_group} --assign-identity
``` To **disable** managed identity on an instance where it's currently enabled, use the following similar command to set `--assign-identity` to `false`. ```azurecli-interactive
-az dt create -n {name_of_existing_instance} -g {resource_group} --assign-identity false
+az dt create --dt-name {name_of_existing_instance} --resource-group {resource_group} --assign-identity false
``` ## Assign Azure roles to the identity
You can add the `--scopes` parameter onto the `az dt create` command in order to
Here is an example that creates an instance with a system managed identity, and assigns that identity a custom role called `MyCustomRole` in an event hub. ```azurecli-interactive
-az dt create -n {instance_name} -g {resource_group} --assign-identity --scopes "/subscriptions/<subscription ID>/resourceGroups/<resource_group>/providers/Microsoft.EventHub/namespaces/<Event_Hubs_namespace>/eventhubs/<event_hub_name>" --role MyCustomRole
+az dt create --dt-name {instance_name} --resource-group {resource_group} --assign-identity --scopes "/subscriptions/<subscription ID>/resourceGroups/<resource_group>/providers/Microsoft.EventHub/namespaces/<Event_Hubs_namespace>/eventhubs/<event_hub_name>" --role MyCustomRole
``` For more examples of role assignments with this command, see the [az dt create reference documentation](/cli/azure/dt#az_dt_create).
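Review bot: The `--scopes` value in the new `az dt create` line mixes two placeholder styles inside one command: `{instance_name}` and `{resource_group}` use braces, while `<subscription ID>`, `<resource_group>`, `<Event_Hubs_namespace>` and `<event_hub_name>` use angle brackets, and `<subscription ID>` contains a space. Since the line is being rewritten anyway, use one style throughout (the other `az dt create` examples in this article use braces) and drop the space in the subscription placeholder. As written, a reader cannot tell whether `{resource_group}` and `<resource_group>` are meant to be the same value, which matters here because the scope string decides where the role is granted.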
This is done by adding a `--auth-type` parameter to the `az dt endpoint create`
To create an endpoint that uses identity-based authentication, specify the `IdentityBased` authentication type with the `--auth-type` parameter. The example below illustrates this for an Event Hubs endpoint. ```azurecli-interactive
-az dt endpoint create eventhub --endpoint-name {endpoint_name} --eventhub-resource-group {eventhub_resource_group} --eventhub-namespace {eventhub_namespace} --eventhub {eventhub_name} --auth-type IdentityBased -n {instance_name}
+az dt endpoint create eventhub --endpoint-name {endpoint_name} --eventhub-resource-group {eventhub_resource_group} --eventhub-namespace {eventhub_namespace} --eventhub {eventhub_name} --auth-type IdentityBased --dt-name {instance_name}
``` ## Considerations for disabling system-managed identities
digital-twins How To Enable Private Link Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-enable-private-link-cli.md
To create a private endpoint and link it to an Azure Digital Twins instance, use
Here is an example that uses the command to create a private endpoint, with only the required parameters. ```azurecli-interactive
-az network private-endpoint create --connection-name {private_link_service_connection} -n {name_for_private_endpoint} -g {resource_group} --subnet {subnet_ID} --private-connection-resource-id "/subscriptions/{subscription_ID}/resourceGroups/{resource_group}/providers/Microsoft.DigitalTwins/digitalTwinsInstances/{Azure_Digital_Twins_instance_name}"
+az network private-endpoint create --connection-name {private_link_service_connection} --name {name_for_private_endpoint} --resource-group {resource_group} --subnet {subnet_ID} --private-connection-resource-id "/subscriptions/{subscription_ID}/resourceGroups/{resource_group}/providers/Microsoft.DigitalTwins/digitalTwinsInstances/{Azure_Digital_Twins_instance_name}"
``` For a full list of required and optional parameters, as well as more private endpoint creation examples, see the [az network private-endpoint create reference documentation](/cli/azure/network/private-endpoint#az_network_private_endpoint_create).
In the Azure CLI, you can disable or enable public network access by adding a `-
To **disable** public network access for an Azure Digital Twins instance, use the `--public-network-access` parameter like this: ```azurecli-interactive
-az dt create -n {name_of_existing_instance} -g {resource_group} --public-network-access Disabled
+az dt create --dt-name {name_of_existing_instance} --resource-group {resource_group} --public-network-access Disabled
``` To **enable** public network access on an instance where it's currently disabled, use the following similar command: ```azurecli-interactive
-az dt create -n {name_of_existing_instance} -g {resource_group} --public-network-access Enabled
+az dt create --dt-name {name_of_existing_instance} --resource-group {resource_group} --public-network-access Enabled
``` ### Use the ARMClient command tool
digital-twins How To Ingest Iot Hub Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-ingest-iot-hub-data.md
To create a thermostat-type twin, you'll first need to upload the thermostat [mo
[!INCLUDE [digital-twins-thermostat-model-upload.md](../../includes/digital-twins-thermostat-model-upload.md)]
-You'll then need to **create one twin using this model**. Use the following command to create a thermostat twin named **thermostat67**, and set 0.0 as an initial temperature value.
+You'll then need to **create one twin using this model**. Use the following command to create a thermostat twin named thermostat67, and set 0.0 as an initial temperature value.
```azurecli-interactive az dt twin create --dtmi "dtmi:contosocom:DigitalTwins:Thermostat;1" --twin-id thermostat67 --properties '{"Temperature": 0.0,}' --dt-name {digital_twins_instance_name}
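Review bot: The `--properties` argument on the `az dt twin create` line directly below the edited sentence is `'{"Temperature": 0.0,}'`, and the trailing comma before the closing brace is not valid JSON. This change only removes the bold from thermostat67 and leaves that line alone, but it is the command the sentence tells the reader to run, so fix it in the same pass: `'{"Temperature": 0.0}'`.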
Select the _Create_ button to create the event subscription.
## Send simulated IoT data
-To test your new ingress function, use the device simulator from [Tutorial: Connect an end-to-end solution](./tutorial-end-to-end.md). That tutorial is driven by a sample project written in C#. The sample code is located here: [Azure Digital Twins end-to-end samples](/samples/azure-samples/digital-twins-samples/digital-twins-samples). You'll be using the **DeviceSimulator** project in that repository.
+To test your new ingress function, use the device simulator from [Tutorial: Connect an end-to-end solution](./tutorial-end-to-end.md). That tutorial is driven by [this Azure Digital Twins end-to-end sample project written in C#](/samples/azure-samples/digital-twins-samples/digital-twins-samples). You'll be using the **DeviceSimulator** project in that repository.
In the end-to-end tutorial, complete the following steps: 1. [Register the simulated device with IoT Hub](./tutorial-end-to-end.md#register-the-simulated-device-with-iot-hub)
In the end-to-end tutorial, complete the following steps:
While running the device simulator above, the temperature value of your digital twin will be changing. In the Azure CLI, run the following command to see the temperature value. ```azurecli-interactive
-az dt twin query -q "select * from digitaltwins" -n {digital_twins_instance_name}
+az dt twin query --query-command "select * from digitaltwins" --dt-name {digital_twins_instance_name}
``` Your output should contain a temperature value like this:
digital-twins How To Integrate Azure Signalr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-integrate-azure-signalr.md
Next, configure the functions to communicate with your Azure SignalR instance. Y
1. Finally, add your Azure SignalR **connection string** to the function's app settings, using the following Azure CLI command. Also, replace the placeholders with your resource group and app service/function app name from the [tutorial prerequisite](how-to-integrate-azure-signalr.md#prerequisites). The command can be run in [Azure Cloud Shell](https://shell.azure.com), or locally if you have the Azure CLI [installed on your machine](/cli/azure/install-azure-cli): ```azurecli-interactive
- az functionapp config appsettings set -g <your-resource-group> -n <your-App-Service-(function-app)-name> --settings "AzureSignalRConnectionString=<your-Azure-SignalR-ConnectionString>"
+ az functionapp config appsettings set --resource-group <your-resource-group> --name <your-App-Service-(function-app)-name> --settings "AzureSignalRConnectionString=<your-Azure-SignalR-ConnectionString>"
``` The output of this command prints all the app settings set up for your Azure function. Look for `AzureSignalRConnectionString` at the bottom of the list to verify it's been added.
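Review bot: The rewritten command still passes the Azure SignalR connection string inline in `--settings`, and the sentence after it tells the reader that the output prints all the app settings, so the step as documented puts a credential in shell history and then points the reader at a listing that may include its value. While the flags are being touched, add a sentence stating that the connection string is a secret and that the command output should not be copied into tickets or logs. Checking for the setting name `AzureSignalRConnectionString` is enough to verify the step.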
digital-twins How To Integrate Logic Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-integrate-logic-apps.md
In this article, you will use the [Azure portal](https://portal.azure.com) to **
## Prerequisites
-If you don't have an Azure subscription, **create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)** before you begin.
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
Sign in to the [Azure portal](https://portal.azure.com) with this account. You also need to complete the following items as part of prerequisite setup. The remainder of this section will walk you through these steps:
digital-twins How To Integrate Maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-integrate-maps.md
This pattern reads from the room twin directly, rather than the IoT device, whic
1. Create an event grid topic, which will receive events from your Azure Digital Twins instance. ```azurecli-interactive
- az eventgrid topic create -g <your-resource-group-name> --name <your-topic-name> -l <region>
+ az eventgrid topic create --resource-group <your-resource-group-name> --name <your-topic-name> --location <region>
``` 2. Create an endpoint to link your event grid topic to Azure Digital Twins. ```azurecli-interactive
- az dt endpoint create eventgrid --endpoint-name <Event-Grid-endpoint-name> --eventgrid-resource-group <Event-Grid-resource-group-name> --eventgrid-topic <your-Event-Grid-topic-name> -n <your-Azure-Digital-Twins-instance-name>
+ az dt endpoint create eventgrid --endpoint-name <Event-Grid-endpoint-name> --eventgrid-resource-group <Event-Grid-resource-group-name> --eventgrid-topic <your-Event-Grid-topic-name> --dt-name <your-Azure-Digital-Twins-instance-name>
``` 3. Create a route in Azure Digital Twins to send twin update events to your endpoint.
This pattern reads from the room twin directly, rather than the IoT device, whic
>To resolve, either run `az login` in Cloud Shell prior to running the command, or use the [local CLI](/cli/azure/install-azure-cli) instead of Cloud Shell. For more detail on this, see [Troubleshooting: Known issues in Azure Digital Twins](troubleshoot-known-issues.md#400-client-error-bad-request-in-cloud-shell). ```azurecli-interactive
- az dt route create -n <your-Azure-Digital-Twins-instance-name> --endpoint-name <Event-Grid-endpoint-name> --route-name <my_route> --filter "type = 'Microsoft.DigitalTwins.Twin.Update'"
+ az dt route create --dt-name <your-Azure-Digital-Twins-instance-name> --endpoint-name <Event-Grid-endpoint-name> --route-name <my_route> --filter "type = 'Microsoft.DigitalTwins.Twin.Update'"
``` ## Create a function to update maps
digital-twins How To Integrate Time Series Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-integrate-time-series-insights.md
You will be attaching Time Series Insights to Azure Digital Twins through the pa
Before creating the event hubs, you'll first create an event hub namespace that will receive events from your Azure Digital Twins instance. You can either use the Azure CLI instructions below, or use the Azure portal: [Quickstart: Create an event hub using Azure portal](../event-hubs/event-hubs-create.md). To see what regions support event hubs, visit [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=event-hubs). ```azurecli-interactive
-az eventhubs namespace create --name <name-for-your-event-hubs-namespace> --resource-group <your-resource-group> -l <region>
+az eventhubs namespace create --name <name-for-your-event-hubs-namespace> --resource-group <your-resource-group> --location <region>
``` > [!TIP]
az eventhubs eventhub authorization-rule create --rights Listen Send --name <nam
Create an Azure Digital Twins [endpoint](concepts-route-events.md#create-an-endpoint) that links your event hub to your Azure Digital Twins instance. Specify a name for your twins hub endpoint. ```azurecli-interactive
-az dt endpoint create eventhub -n <your-Azure-Digital-Twins-instance-name> --eventhub-resource-group <your-resource-group> --eventhub-namespace <your-event-hubs-namespace-from-earlier> --eventhub <your-twins-hub-name-from-above> --eventhub-policy <your-twins-hub-auth-rule-from-earlier> --endpoint-name <name-for-your-twins-hub-endpoint>
+az dt endpoint create eventhub --dt-name <your-Azure-Digital-Twins-instance-name> --eventhub-resource-group <your-resource-group> --eventhub-namespace <your-event-hubs-namespace-from-earlier> --eventhub <your-twins-hub-name-from-above> --eventhub-policy <your-twins-hub-auth-rule-from-earlier> --endpoint-name <name-for-your-twins-hub-endpoint>
``` ### Create twins hub event route
Azure Digital Twins instances can emit [twin update events](./concepts-event-not
Create a [route](concepts-route-events.md#create-an-event-route) in Azure Digital Twins to send twin update events to your endpoint from above. The filter in this route will only allow twin update messages to be passed to your endpoint. Specify a name for the twins hub event route. ```azurecli-interactive
-az dt route create -n <your-Azure-Digital-Twins-instance-name> --endpoint-name <your-twins-hub-endpoint-from-above> --route-name <name-for-your-twins-hub-event-route> --filter "type = 'Microsoft.DigitalTwins.Twin.Update'"
+az dt route create --dt-name <your-Azure-Digital-Twins-instance-name> --endpoint-name <your-twins-hub-endpoint-from-above> --route-name <name-for-your-twins-hub-event-route> --filter "type = 'Microsoft.DigitalTwins.Twin.Update'"
``` ### Get twins hub connection string
Next, you'll add environment variables in the function app's settings that allow
Use the twins hub **primaryConnectionString** value that you saved earlier to create an app setting in your function app that contains the twins hub connection string: ```azurecli-interactive
-az functionapp config appsettings set --settings "EventHubAppSetting-Twins=<your-twins-hub-primaryConnectionString>" -g <your-resource-group> -n <your-App-Service-(function-app)-name>
+az functionapp config appsettings set --settings "EventHubAppSetting-Twins=<your-twins-hub-primaryConnectionString>" --resource-group <your-resource-group> --name <your-App-Service-(function-app)-name>
``` Use the time series hub **primaryConnectionString** value that you saved earlier to create an app setting in your function app that contains the time series hub connection string: ```azurecli-interactive
-az functionapp config appsettings set --settings "EventHubAppSetting-TSI=<your-time-series-hub-primaryConnectionString>" -g <your-resource-group> -n <your-App-Service-(function-app)-name>
+az functionapp config appsettings set --settings "EventHubAppSetting-TSI=<your-time-series-hub-primaryConnectionString>" --resource-group <your-resource-group> --name <your-App-Service-(function-app)-name>
``` ## Create and connect a Time Series Insights instance
In this section, you'll set up Time Series Insights instance to receive data fro
To begin sending data to Time Series Insights, you'll need to start updating the digital twin properties in Azure Digital Twins with changing data values.
-Use the following CLI command to update the *Temperature* property on the *thermostat67* twin that you added to your instance in the [Prerequisites](#prerequisites) section.
+Use the following CLI command to update the *Temperature* property on the thermostat67 twin that you added to your instance in the [Prerequisites](#prerequisites) section.
```azurecli-interactive
-az dt twin update -n <your-azure-digital-twins-instance-name> --twin-id thermostat67 --json-patch '{"op":"replace", "path":"/Temperature", "value": 20.5}'
+az dt twin update --dt-name <your-azure-digital-twins-instance-name> --twin-id thermostat67 --json-patch '{"op":"replace", "path":"/Temperature", "value": 20.5}'
``` **Repeat the command at least 4 more times with different temperature values**, to create several data points that can be observed later in the Time Series Insights environment.
Now, data should be flowing into your Time Series Insights instance, ready to be
:::image type="content" source="media/how-to-integrate-time-series-insights/view-environment.png" alt-text="Screenshot of the Azure portal to select the Time Series Insights explorer URL in the overview tab of your Time Series Insights environment." lightbox="media/how-to-integrate-time-series-insights/view-environment.png":::
-2. In the explorer, you will see the twins in the Azure Digital Twins instance shown on the left. Select the *thermostat67* twin, choose the property *Temperature*, and select **Add**.
+2. In the explorer, you will see the twins in the Azure Digital Twins instance shown on the left. Select the thermostat67 twin, choose the property *Temperature*, and select **Add**.
:::image type="content" source="media/how-to-integrate-time-series-insights/add-data.png" alt-text="Screenshot of the Time Series Insights explorer to select thermostat67, select the property temperature, and select add." lightbox="media/how-to-integrate-time-series-insights/add-data.png":::
digital-twins How To Manage Graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-graph.md
To create a relationship, you need to specify:
* A relationship ID (`relId` in the code sample below): The specific name for this relationship, something like _Relationship1_. The relationship ID must be unique within the given source twin. It doesn't need to be globally unique.
-For example, for the twin *foo*, each specific relationship ID must be unique. However, another twin *bar* can have an outgoing relationship that matches the same ID of a *foo* relationship.
+For example, for the twin Foo, each specific relationship ID must be unique. However, another twin Bar can have an outgoing relationship that matches the same ID of a Foo relationship.
The following code sample illustrates how to create a relationship in your Azure Digital Twins instance. It uses the SDK call (highlighted) inside a custom method that might appear in the context of a larger program.
Relationships can be classified as either:
There is no restriction on the number of relationships that you can have between two twinsΓÇöyou can have as many relationships between twins as you like.
-This means that you can express several different types of relationships between two twins at once. For example, *Twin A* can have both a *stored* relationship and *manufactured* relationship with *Twin B*.
+This means that you can express several different types of relationships between two twins at once. For example, Twin A can have both a *stored* relationship and *manufactured* relationship with Twin B.
-You can even create multiple instances of the same type of relationship between the same two twins, if desired. In this example, *Twin A* could have two different *stored* relationships with *Twin B*, as long as the relationships have different relationship IDs.
+You can even create multiple instances of the same type of relationship between the same two twins, if desired. In this example, Twin A could have two different *stored* relationships with Twin B, as long as the relationships have different relationship IDs.
## List relationships
digital-twins How To Manage Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-model.md
The first step towards the solution is to create models to represent aspects of
> [!NOTE] > This is a sample body for a .json file in which a model is defined and saved, to be uploaded as part of a client project. The REST API call, on the other hand, takes an array of model definitions like the one above (which is mapped to a `IEnumerable<string>` in the .NET SDK). So to use this model in the REST API directly, surround it with brackets.
-This model defines a name and a unique ID for the patient room, and properties to represent visitor count and hand-wash status (these counters will be updated from motion sensors and smart soap dispensers, and will be used together to calculate a *handwash percentage* property). The model also defines a relationship *hasDevices*, which will be used to connect any [digital twins](concepts-twins-graph.md) based on this *Room* model to the actual devices.
+This model defines a name and a unique ID for the patient room, and properties to represent visitor count and hand-wash status (these counters will be updated from motion sensors and smart soap dispensers, and will be used together to calculate a *handwash percentage* property). The model also defines a relationship *hasDevices*, which will be used to connect any [digital twins](concepts-twins-graph.md) based on this Room model to the actual devices.
Following this method, you can go on to define models for the hospital's wards, zones, or the hospital itself.
The rest of this section breaks down model deletion into closer detail, and show
Generally, models can be deleted at any time.
-The exception is models that other models depend on, either with an `extends` relationship or as a component. For example, if a *ConferenceRoom* model extends a *Room* model, and has a *ACUnit* model as a component, you cannot delete *Room* or *ACUnit* until *ConferenceRoom* removes those respective references.
+The exception is models that other models depend on, either with an `extends` relationship or as a component. For example, if a ConferenceRoom model extends a Room model, and has a ACUnit model as a component, you cannot delete Room or ACUnit until ConferenceRoom removes those respective references.
You can do this by updating the dependent model to remove the dependencies, or deleting the dependent model completely.
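Review bot: the added line still reads "has a ACUnit model"; since the sentence is being rewritten anyway, change it to "has an ACUnit model". With the italics removed, Room, ACUnit and ConferenceRoom are set apart from the prose only by their capitalisation, so consider code formatting for the model names, as `extends` already has in the same sentence.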
digital-twins How To Manage Routes Apis Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-routes-apis-cli.md
[!INCLUDE [digital-twins-route-selector.md](../../includes/digital-twins-route-selector.md)]
-In Azure Digital Twins, you can route [event notifications](concepts-event-notifications.md) to downstream services or connected compute resources. This is done by first setting up **endpoints** that can receive the events. You can then create [event routes](concepts-route-events.md) that specify which events generated by Azure Digital Twins are delivered to which endpoints.
+In Azure Digital Twins, you can route [event notifications](concepts-event-notifications.md) to downstream services or connected compute resources. This is done by first setting up **endpoints** that can receive the events. You can then create [event routes](concepts-route-events.md) that specify which events generated by Azure Digital Twins are delivered to which endpoints.
This article walks you through the process of creating endpoints and routes with the [REST APIs](/rest/api/azure-digitaltwins/), the [.NET (C#) SDK](/dotnet/api/overview/azure/digitaltwins/client), and the [Azure Digital Twins CLI](concepts-cli.md).
Once you have created the endpoint resources, you can use them for an Azure Digi
To create an Event Grid endpoint: ```azurecli-interactive
-az dt endpoint create eventgrid --endpoint-name <Event-Grid-endpoint-name> --eventgrid-resource-group <Event-Grid-resource-group-name> --eventgrid-topic <your-Event-Grid-topic-name> -n <your-Azure-Digital-Twins-instance-name>
+az dt endpoint create eventgrid --endpoint-name <Event-Grid-endpoint-name> --eventgrid-resource-group <Event-Grid-resource-group-name> --eventgrid-topic <your-Event-Grid-topic-name> --dt-name <your-Azure-Digital-Twins-instance-name>
``` To create an Event Hubs endpoint (key-based authentication): ```azurecli-interactive
-az dt endpoint create eventhub --endpoint-name <Event-Hub-endpoint-name> --eventhub-resource-group <Event-Hub-resource-group> --eventhub-namespace <Event-Hub-namespace> --eventhub <Event-Hub-name> --eventhub-policy <Event-Hub-policy> -n <your-Azure-Digital-Twins-instance-name>
+az dt endpoint create eventhub --endpoint-name <Event-Hub-endpoint-name> --eventhub-resource-group <Event-Hub-resource-group> --eventhub-namespace <Event-Hub-namespace> --eventhub <Event-Hub-name> --eventhub-policy <Event-Hub-policy> --dt-name <your-Azure-Digital-Twins-instance-name>
``` To create a Service Bus topic endpoint (key-based authentication): ```azurecli-interactive
-az dt endpoint create servicebus --endpoint-name <Service-Bus-endpoint-name> --servicebus-resource-group <Service-Bus-resource-group-name> --servicebus-namespace <Service-Bus-namespace> --servicebus-topic <Service-Bus-topic-name> --servicebus-policy <Service-Bus-topic-policy> -n <your-Azure-Digital-Twins-instance-name>
+az dt endpoint create servicebus --endpoint-name <Service-Bus-endpoint-name> --servicebus-resource-group <Service-Bus-resource-group-name> --servicebus-namespace <Service-Bus-namespace> --servicebus-topic <Service-Bus-topic-name> --servicebus-policy <Service-Bus-topic-policy> --dt-name <your-Azure-Digital-Twins-instance-name>
``` After successfully running these commands, the event grid, event hub, or Service Bus topic will be available as an endpoint inside of Azure Digital Twins, under the name you supplied with the `--endpoint-name` argument. You'll typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).
You can restrict the events being sent by adding a **filter** for an endpoint to
> > For telemetry filters, this means that the casing needs to match the casing in the telemetry sent by the device, not necessarily the casing defined in the twin's model.
-To add a filter, you can use a PUT request to *https://{Your-azure-digital-twins-host-name}/eventRoutes/{event-route-name}?api-version=2020-10-31* with the following body:
+To add a filter, you can use a PUT request to `https://{Your-azure-digital-twins-host-name}/eventRoutes/{event-route-name}?api-version=2020-10-31` with the following body:
:::code language="json" source="~/digital-twins-docs-samples/api-requests/filter.json":::
digital-twins How To Manage Routes Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-routes-portal.md
Alternatively, you can also manage endpoints and routes with the [Event Routes A
## Prerequisites
-* You'll need an **Azure account** (you can set one up for free [here](https://azure.microsoft.com/free/?WT.mc_id=A261C142F))
+* You'll need an **Azure account**, which [can be set up for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F))
* You'll need an **Azure Digital Twins instance** in your Azure subscription. If you don't have an instance already, you can create one using the steps in [How-to: Set up an instance and authentication](how-to-set-up-instance-portal.md). Have the following values from setup handy to use later in this article: - Instance name - Resource group
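Review bot: the added Azure account bullet ends with an unbalanced closing parenthesis, "...A261C142F))". The old text wrapped the link in parentheses and the new wording dropped the opening one, so the trailing ")" after the link should be removed as well.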
After enabling the minimal filter of `true`, endpoints will receive a variety of
You can restrict the types of events being sent by defining a more-specific filter.
-To add an event filter while you are creating an event route, use the _Add an event route filter_ section of the *Create an event route* page.
+To add an event filter while you are creating an event route, use the "Add an event route filter" section of the *Create an event route* page.
You can either select from some basic common filter options, or use the advanced filter options to write your own custom filters.
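Review bot: the added line now marks two UI labels in the same sentence in two different ways, "Add an event route filter" in quotation marks and *Create an event route* in italics. Pick one treatment for both the section name and the page name so readers can tell they are both on-screen labels.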
digital-twins How To Manage Twin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-twin.md
Only properties that have been set at least once are returned when you retrieve
To retrieve multiple twins using a single API call, see the query API examples in [How-to: Query the twin graph](how-to-query-graph.md).
-Consider the following model (written in [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl/tree/master/DTDL)) that defines a *Moon*:
+Consider the following model (written in [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl/tree/master/DTDL)) that defines a Moon:
:::code language="json" source="~/digital-twins-docs-samples/models/Moon.json":::
-The result of calling `object result = await client.GetDigitalTwinAsync("my-moon");` on a *Moon*-type twin might look like this:
+The result of calling `object result = await client.GetDigitalTwinAsync("my-moon");` on a Moon-type twin might look like this:
```json {
For example, consider the following JSON Patch document that replaces the digita
This operation will only succeed if the digital twin being modified by the patch conforms with the new model. Consider the following example:
-1. Imagine a digital twin with a model of *foo_old*. *foo_old* defines a required property *mass*.
-2. The new model *foo_new* defines a property mass, and adds a new required property *temperature*.
+1. Imagine a digital twin with a model of foo_old. foo_old defines a required property *mass*.
+2. The new model foo_new defines a property mass, and adds a new required property *temperature*.
3. After the patch, the digital twin must have both a mass and temperature property. The patch for this situation needs to update both the model and the twin's temperature property, like this:
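Review bot: in added step 2, "defines a property mass" leaves the property name unformatted while step 1 keeps *mass* and the same sentence keeps *temperature* in italics. Format mass the same way in step 2, and consider doing so in the unchanged step 3 as well, so that all property names in the list follow one convention.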
Azure Digital Twins ensures that all incoming requests are processed one after t
This behavior is on a per-twin basis. As an example, imagine a scenario in which these three calls arrive at the same time:
-* Write property A on *Twin1*
-* Write property B on *Twin1*
-* Write property A on *Twin2*
+* Write property A on Twin1
+* Write property B on Twin1
+* Write property A on Twin2
-The two calls that modify *Twin1* are executed one after another, and change messages are generated for each change. The call to modify *Twin2* may be executed concurrently with no conflict, as soon as it arrives.
+The two calls that modify Twin1 are executed one after another, and change messages are generated for each change. The call to modify Twin2 may be executed concurrently with no conflict, as soon as it arrives.
## Delete a digital twin
digital-twins How To Provision Using Device Provisioning Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-provision-using-device-provisioning-service.md
For more information about the _provision_ and _retire_ stages, and to better un
Before you can set up the provisioning, you'll need to set up the following: * an **Azure Digital Twins instance**. Follow the instructions in [How-to: Set up an instance and authentication](how-to-set-up-instance-portal.md) to create an Azure digital twins instance. Gather the instance's **_host name_** in the Azure portal ([instructions](how-to-set-up-instance-portal.md#verify-success-and-collect-important-values)).
-* an **IoT hub**. For instructions, see the *Create an IoT Hub* section of this [IoT Hub quickstart](../iot-hub/quickstart-send-telemetry-cli.md).
+* an **IoT hub**. For instructions, see the "Create an IoT Hub" section of [the IoT Hub quickstart](../iot-hub/quickstart-send-telemetry-cli.md).
* an [Azure function](../azure-functions/functions-overview.md) that updates digital twin information based on IoT Hub data. Follow the instructions in [How to: Ingest IoT hub data](how-to-ingest-iot-hub-data.md) to create this Azure function. Gather the function **_name_** to use it in this article. This sample also uses a **device simulator** that includes provisioning using the Device Provisioning Service. The device simulator is located here: [Azure Digital Twins and IoT Hub Integration Sample](/samples/azure-samples/digital-twins-iothub-integration/adt-iothub-provision-sample/). Get the sample project on your machine by navigating to the sample link and selecting the **Browse code** button underneath the title. This will take you to the GitHub repo for the sample, which you can download as a .zip file by selecting the **Code** button and **Download ZIP**.
You should see the device being registered and connected to IoT Hub, and then st
As a result of the flow you've set up in this article, the device will be automatically registered in Azure Digital Twins. Use the following [Azure Digital Twins CLI](concepts-cli.md) command to find the twin of the device in the Azure Digital Twins instance you created. ```azurecli-interactive
-az dt twin show -n <Digital Twins instance name> --twin-id "<Device Registration ID>"
+az dt twin show --dt-name <Digital Twins instance name> --twin-id "<Device Registration ID>"
``` You should see the twin of the device being found in the Azure Digital Twins instance.
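Review bot: on the added `az dt twin show` line, the `--dt-name` placeholder contains spaces and is unquoted while the `--twin-id` placeholder is quoted. Use a hyphenated placeholder such as the `<your-Azure-Digital-Twins-instance-name>` form used in the other commands in this update, or quote both, so the two arguments read consistently.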
Next, configure the Azure function app that you set up in the [prerequisites](#p
2. Add the connection string as a variable in the function app settings with the following Azure CLI command. The command can be run in [Cloud Shell](https://shell.azure.com), or locally if you have the Azure CLI [installed on your machine](/cli/azure/install-azure-cli). ```azurecli-interactive
- az functionapp config appsettings set --settings "EVENTHUB_CONNECTIONSTRING=<Event Hubs SAS connection string Listen>" -g <resource group> -n <your App Service (function app) name>
+ az functionapp config appsettings set --settings "EVENTHUB_CONNECTIONSTRING=<Event Hubs SAS connection string Listen>" --resource-group <resource group> --name <your App Service (function app) name>
``` ### Add a function to retire with IoT Hub lifecycle events
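Review bot: the added `az functionapp config appsettings set` line passes the Event Hubs SAS connection string inline in `--settings`, and the step around it does not mention that running this locally leaves the secret in shell history. Add a sentence next to the command saying so, and consider pointing to a Key Vault reference as an alternative to storing the raw connection string in the app setting. The switch to `--resource-group` and `--name` itself reads fine.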
It might take a few minutes to see the changes reflected in Azure Digital Twins.
Use the following [Azure Digital Twins CLI](concepts-cli.md) command to verify the twin of the device in the Azure Digital Twins instance was deleted. ```azurecli-interactive
-az dt twin show -n <Digital Twins instance name> --twin-id "<Device Registration ID>"
+az dt twin show --dt-name <Digital Twins instance name> --twin-id "<Device Registration ID>"
``` You should see that the twin of the device cannot be found in the Azure Digital Twins instance anymore.
digital-twins How To Query Graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-query-graph.md
Here is a sample relationship-based query. This code snippet selects all digital
You can use the relationship query structure to identify a digital twin that's the source or the target of a relationship.
-For instance, you can start with a source twin and follow its relationships to find the target twins of the relationships. Here is an example of a query that finds the target twins of the *feeds* relationships coming from the twin *source-twin*.
+For instance, you can start with a source twin and follow its relationships to find the target twins of the relationships. Here is an example of a query that finds the target twins of the *feeds* relationships coming from the twin source-twin.
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="QueryByRelationshipSource":::
-You can also start with the target of the relationship and trace the relationship back to find the source twin. Here's an example of a query that finds the source twin of a *feeds* relationship to the twin *target-twin*.
+You can also start with the target of the relationship and trace the relationship back to find the source twin. Here's an example of a query that finds the source twin of a *feeds* relationship to the twin target-twin.
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="QueryByRelationshipTarget":::
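Review bot: after the italics are dropped, "the twin target-twin" here and "the twin source-twin" in the previous paragraph no longer show that these are twin IDs rather than prose. Since both are literal identifiers the reader is meant to recognise in the queries, code formatting would be clearer than plain text.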
By using projections in the `SELECT` statement, you can choose which columns a q
>[!NOTE] >At this time, complex properties are not supported. To make sure that projection properties are valid, combine the projections with an `IS_PRIMITIVE` check.
-Here is an example of a query that uses projection to return twins and relationships. The following query projects the *Consumer*, *Factory* and *Edge* from a scenario where a *Factory* with an ID of *ABC* is related to the *Consumer* through a relationship of *Factory.customer*, and that relationship is presented as the *Edge*.
+Here is an example of a query that uses projection to return twins and relationships. The following query projects the Consumer, Factory and Edge from a scenario where a Factory with an ID of *ABC* is related to the Consumer through a relationship of *Factory.customer*, and that relationship is presented as the *Edge*.
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="Projections1":::
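Review bot: the added sentence is inconsistent about Edge, which appears unformatted in "projects the Consumer, Factory and Edge" and in italics in "presented as the *Edge*" at the end of the same sentence. Use one form for both mentions; the later paragraphs in this file keep *Edge* in italics, so the first mention should probably match.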
-You can also use projection to return a property of a twin. The following query projects the *Name* property of the *Consumers* that are related to the *Factory* with an ID of *ABC* through a relationship of *Factory.customer*.
+You can also use projection to return a property of a twin. The following query projects the *Name* property of the Consumers that are related to the Factory with an ID of *ABC* through a relationship of *Factory.customer*.
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="Projections2":::
-You can also use projection to return a property of a relationship. Like in the previous example, the following query projects the *Name* property of the *Consumers* related to the *Factory* with an ID of *ABC* through a relationship of *Factory.customer*; but now it also returns two properties of that relationship, *prop1* and *prop2*. It does this by naming the relationship *Edge* and gathering its properties.
+You can also use projection to return a property of a relationship. Like in the previous example, the following query projects the *Name* property of the Consumers related to the Factory with an ID of *ABC* through a relationship of *Factory.customer*; but now it also returns two properties of that relationship, *prop1* and *prop2*. It does this by naming the relationship *Edge* and gathering its properties.
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="Projections3":::
The following query does the same operations as the previous example, but it ali
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="Projections4":::
-Here is a similar query that queries the same set as above, but projects only the *Consumer.name* property as `consumerName`, and projects the complete *Factory* as a twin.
+Here is a similar query that queries the same set as above, but projects only the *Consumer.name* property as `consumerName`, and projects the complete Factory as a twin.
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="Projections5":::
Here is a similar query that queries the same set as above, but projects only th
You can significantly reduce the number of queries you need by building an array of twins and querying with the `IN` operator.
-For example, consider a scenario in which *Buildings* contain *Floors* and *Floors* contain *Rooms*. To search for rooms within a building that are hot, one way is to follow these steps.
+For example, consider a scenario in which Buildings contain Floors and Floors contain Rooms. To search for rooms within a building that are hot, one way is to follow these steps.
1. Find floors in the building based on the `contains` relationship. :::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="INOperatorWithout":::
-2. To find rooms, instead of considering the floors one-by-one and running a `JOIN` query to find the rooms for each one, you can query with a collection of the floors in the building (named *Floor* in the query below).
+2. To find rooms, instead of considering the floors one-by-one and running a `JOIN` query to find the rooms for each one, you can query with a collection of the floors in the building (named Floor in the query below).
In client app:
For example, consider a scenario in which *Buildings* contain *Floors* and *Floo
You can **combine** any of the above types of query using combination operators to include more detail in a single query. Here are some additional examples of compound queries that query for more than one type of twin descriptor at once.
-* Out of the devices that *Room 123* has, return the MxChip devices that serve the role of Operator
+* Out of the devices that Room 123 has, return the MxChip devices that serve the role of Operator
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="OtherExamples1"::: * Get twins that have a relationship named *Contains* with another twin that has an ID of *id1* :::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="OtherExamples2":::
-* Get all the rooms of this room model that are contained by *floor11*
+* Get all the rooms of this room model that are contained by floor11
:::code language="sql" source="~/digital-twins-docs-samples/queries/examples.sql" id="OtherExamples3"::: ## Run queries with the API
digital-twins How To Set Up Instance Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-set-up-instance-cli.md
In this section, you will **create a new instance of Azure Digital Twins** using
Use these values in the following command to create the instance: ```azurecli-interactive
-az dt create --dt-name <name-for-your-Azure-Digital-Twins-instance> -g <your-resource-group> -l <region>
+az dt create --dt-name <name-for-your-Azure-Digital-Twins-instance> --resource-group <your-resource-group> --location <region>
``` ### Verify success and collect important values
digital-twins How To Set Up Instance Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-set-up-instance-powershell.md
Get-AzDigitalTwinsInstance -ResourceGroupName <your-resource-group> -ResourceNam
> [!TIP] > You can use this command to see all the properties of your instance at any time.
-Note the Azure Digital Twins instance's **HostName**, **Name**, and **ResourceGroup**. These are
+Note the Azure Digital Twins instance's **host name**, **name**, and **resource group**. These are
important values that you may need as you continue working with your Azure Digital Twins instance, to set up authentication, and related Azure resources. If other users will be programming against the instance, you should share these values with them.
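Review bot: on the added "Note the Azure Digital Twins instance's" line, the bold terms were changed from HostName, Name and ResourceGroup to **host name**, **name** and **resource group**, which makes them harder to match against what the command prints. If the original spellings are the field names shown in the `Get-AzDigitalTwinsInstance` output, keep them in code format next to the friendly names so readers can find the values.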
digital-twins How To Use Postman https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-use-postman.md
To make a Postman request to one of the Azure Digital Twins APIs, you'll need th
To proceed with an example query, this article will use the Query API (and its [reference documentation](/rest/api/digital-twins/dataplane/query/querytwins)) to query for all the digital twins in an instance.
-1. Get the request URL and type from the reference documentation. For the Query API, this is currently *POST `https://digitaltwins-host-name/query?api-version=2020-10-31`*.
+1. Get the request URL and type from the reference documentation. For the Query API, this is currently *POST* `https://digitaltwins-host-name/query?api-version=2020-10-31`.
1. In Postman, set the type for the request and enter the request URL, filling in placeholders in the URL as required. This is where you will use your instance's **host name** from the [Prerequisites](#prerequisites) section. :::image type="content" source="media/how-to-use-postman/postman-request-url.png" alt-text="Screenshot of the new request's details in Postman. The query URL from the reference documentation has been filled into the request URL box." lightbox="media/how-to-use-postman/postman-request-url.png":::
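Review bot: in the added step 1, the URL `https://digitaltwins-host-name/query?api-version=2020-10-31` does not mark `digitaltwins-host-name` as a placeholder, although the next step tells readers to fill in placeholders. Wrap it in braces or angle brackets, matching the `{Your-azure-digital-twins-host-name}` form used in the event routes article in this same update.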
digital-twins How To Use Tags https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-use-tags.md
# Add tags to digital twins
-You can use the concept of tags to further identify and categorize your digital twins. In particular, users may want to replicate tags from existing systems, such as [Haystack Tags](https://project-haystack.org/doc/TagModel), within their Azure Digital Twins instances.
+You can use the concept of tags to further identify and categorize your digital twins. In particular, users may want to replicate tags from existing systems, such as [Haystack Tags](https://project-haystack.org/doc/appendix/tags), within their Azure Digital Twins instances.
This document describes patterns that can be used to implement tags on digital twins.
digital-twins Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/overview.md
Here's a summary of the features provided by Azure Digital Twins.
In Azure Digital Twins, you define the digital entities that represent the people, places, and things in your physical environment using custom twin types called [models](concepts-models.md).
-You can think of these model definitions as a specialized vocabulary to describe your business. For a building management solution, for example, you might define models such as "building", "floor", and "elevator". You can then create **digital twins** based on these models to represent your specific environment.
+You can think of these model definitions as a specialized vocabulary to describe your business. For a building management solution, for example, you might define models such as Building, Floor, and Elevator. You can then create **digital twins** based on these models to represent your specific environment.
[!INCLUDE [digital-twins-versus-device-twins](../../includes/digital-twins-versus-device-twins.md)]
The following diagram shows where Azure Digital Twins lies in the context of a l
## Service limits
-You can read about the **service limits** of Azure Digital Twins here: [Azure Digital Twins service limits](reference-service-limits.md). This can be useful while working with the service to understand the service's functional and rate limitations, as well as which limits can be adjusted if necessary.
+You can read about the **service limits** of Azure Digital Twins in the [Azure Digital Twins service limits article](reference-service-limits.md). This can be useful while working with the service to understand the service's functional and rate limitations, as well as which limits can be adjusted if necessary.
## Terminology
-You can view a list of **common IoT terms** and their uses across the Azure IoT services, including Azure Digital Twins, here: [Azure IoT Glossary](../iot-fundamentals/iot-glossary.md?toc=/azure/digital-twins/toc.json&bc=/azure/digital-twins/breadcrumb/toc.json). This may be a useful reference while you get started with Azure Digital Twins and building an IoT solution.
+You can view a list of **common IoT terms** and their uses across the Azure IoT services, including Azure Digital Twins, in the [Azure IoT Glossary](../iot-fundamentals/iot-glossary.md?toc=/azure/digital-twins/toc.json&bc=/azure/digital-twins/breadcrumb/toc.json). This resource may be a useful reference while you get started with Azure Digital Twins and building an IoT solution.
## Next steps
digital-twins Quickstart Azure Digital Twins Explorer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/quickstart-azure-digital-twins-explorer.md
Azure Digital Twins Explorer now uploads these model files to your Azure Digital
Now that some models have been uploaded to your Azure Digital Twins instance, you can add [digital twins](concepts-twins-graph.md) that follow the model definitions.
-Digital twins represent the actual entities within your business environment. They can be things like sensors on a farm, lights in a car, orΓÇöin this quickstartΓÇörooms on a building floor. You can create many twins of any given model type, such as multiple rooms that all use the *Room* model. You connect them with relationships into a **twin graph** that represents the full environment.
+Digital twins represent the actual entities within your business environment. They can be things like sensors on a farm, lights in a car, orΓÇöin this quickstartΓÇörooms on a building floor. You can create many twins of any given model type, such as multiple rooms that all use the Room model. You connect them with relationships into a **twin graph** that represents the full environment.
In this section, you'll upload precreated twins that are connected into a precreated graph. The graph contains two floors and two rooms, connected in the following layout:
Now you can see the uploaded graph of the sample scenario.
:::image type="content" source="media/quickstart-azure-digital-twins-explorer/graph-view-full.png" alt-text="View of the Graph View panel with a twin graph inside. A circle labeled 'floor1' is connected by an arrow labeled 'contains' to a circle labeled 'room1.' A circle labeled 'floor0' is connected by an arrow labeled 'contains' to a circle labeled 'room0.'":::
-The circles (graph "nodes") represent digital twins. The lines represent relationships. The **Floor0** twin contains **Room0**, and the **Floor1** twin contains **Room1**.
+The circles (graph "nodes") represent digital twins. The lines represent relationships. The Floor0 twin contains Room0, and the Floor1 twin contains Room1.
If you're using a mouse, you can drag pieces of the graph to move them around.
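Review bot: the rewritten sentence still names the twins Floor0, Room0, Floor1 and Room1, but the image alt text just above it labels the nodes 'floor0', 'room0', 'floor1' and 'room1'. Since this change is already normalizing how twin names are written, use the lowercase IDs the reader actually sees in the graph so the prose and the screenshot agree.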
digital-twins Reference Query Clause Join https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/reference-query-clause-join.md
Consider the following query illustrating a building traversal.
:::code language="sql" source="~/digital-twins-docs-samples/queries/reference.sql" id="NoOuterJoinExample":::
-If `Building1` contains no floors, then this query will return an empty result set (instead of returning one row with a value for Building and `undefined` for Floor).
+If Building1 contains no floors, then this query will return an empty result set (instead of returning one row with a value for Building and `undefined` for Floor).
### Twins required
digital-twins Reference Query Clause Select https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/reference-query-clause-select.md
If a property included in the projection is not present for a particular data ro
#### Example scenario For the following examples, consider a twin graph that contains the following data elements:
-* A Factory twin called `FactoryA`
+* A Factory twin called FactoryA
- Contains a property called `name` with a value of `FactoryA`
-* A Consumer twin called `Contoso`
+* A Consumer twin called Contoso
- Contains a property called `name` with a value of `Contoso`
-* A consumerRelationship relationship from `FactoryA` to `Contoso`, called `FactoryA-consumerRelationship-Contoso`
+* A consumerRelationship relationship from FactoryA to Contoso, called `FactoryA-consumerRelationship-Contoso`
- Contains a property called `managedBy` with a value of `Jeff` Here's a diagram illustrating this scenario:
digital-twins Reference Query Clause Where https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/reference-query-clause-where.md
A condition evaluating to a `Boolean` value.
### Examples
-Here is an example using properties and operators. The following query specifies in the WHERE clause to only return the twin with a `$dtId` value of *Room1*.
+Here is an example using properties and operators. The following query specifies in the WHERE clause to only return the twin with a `$dtId` value of Room1.
:::code language="sql" source="~/digital-twins-docs-samples/queries/reference.sql" id="WhereExample":::
digital-twins Tutorial Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/tutorial-code.md
Add the following code to the end of the `Main` method to create and initialize
:::code language="csharp" source="~/digital-twins-docs-samples/sdks/csharp/fullClientApp.cs" id="Initialize_twins":::
-In your command window, run the program with `dotnet run`. In the output, look for the print messages that *sampleTwin-0*, *sampleTwin-1*, and *sampleTwin-2* were created.
+In your command window, run the program with `dotnet run`. In the output, look for the print messages that sampleTwin-0, sampleTwin-1, and sampleTwin-2 were created.
Then, run the program again.
digital-twins Tutorial Command Line App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/tutorial-command-line-app.md
Select *Room.json* to open it in the editing window, and change it in the follow
After designing models, you need to upload them to your Azure Digital Twins instance. This configures your Azure Digital Twins service instance with your own custom domain vocabulary. Once you have uploaded the models, you can create twin instances that use them.
-1. In the project console window, run the following command to upload your updated *Room* model, as well as a *Floor* model that you'll also use in the next section to create different types of twins.
+1. In the project console window, run the following command to upload your updated Room model, as well as a Floor model that you'll also use in the next section to create different types of twins.
```cmd/sh CreateModels Room Floor
After designing models, you need to upload them to your Azure Digital Twins inst
The output should indicate the models were created successfully.
-1. Verify the models were created by running the command `GetModels true`. This will query the Azure Digital Twins instance for all models that have been uploaded, and print out their full information. Look for the edited *Room* model in the results:
+1. Verify the models were created by running the command `GetModels true`. This will query the Azure Digital Twins instance for all models that have been uploaded, and print out their full information. Look for the edited Room model in the results:
:::image type="content" source="media/tutorial-command-line/app/output-get-models.png" alt-text="Screenshot of the result from GetModels, showing the updated Room model." lightbox="media/tutorial-command-line/app/output-get-models.png":::
Now that some models have been uploaded to your Azure Digital Twins instance, yo
To create a digital twin, you use the `CreateDigitalTwin` command. You must reference the model that the twin is based on, and can optionally define initial values for any properties in the model. You do not have to pass any relationship information at this stage.
-1. Run this code in the running project console to create several twins, based on the *Room* model you updated earlier and another model, *Floor*. Recall that *Room* has three properties, so you can provide arguments with the initial values for these. (Initializing property values is optional in general, but they're needed for this tutorial.)
+1. Run this code in the running project console to create several twins, based on the Room model you updated earlier and another model, Floor. Recall that Room has three properties, so you can provide arguments with the initial values for these. (Initializing property values is optional in general, but they're needed for this tutorial.)
```cmd/sh CreateDigitalTwin dtmi:example:Room;2 room0 RoomName string Room0 Temperature double 70 HumidityLevel double 30
To create a digital twin, you use the `CreateDigitalTwin` command. You must refe
:::image type="content" source="media/tutorial-command-line/app/output-create-digital-twin.png" alt-text="Screenshot showing an excerpt from the result of the CreateDigitalTwin commands, which includes floor0, floor1, room0, and room1." lightbox="media/tutorial-command-line/app/output-create-digital-twin.png":::
-1. You can verify that the twins were created by running the `Query` command. This command queries your Azure Digital Twins instance for all the digital twins it contains. Look for the *room0*, *room1*, *floor0*, and *floor1* twins in the results.
+1. You can verify that the twins were created by running the `Query` command. This command queries your Azure Digital Twins instance for all the digital twins it contains. Look for the room0, room1, floor0, and floor1 twins in the results.
### Modify a digital twin
You can also modify the properties of a twin you've created.
> [!NOTE] > The underlying REST API uses [JSON Patch](http://jsonpatch.com/) format to define updates to a twin. The command-line app also uses this format, to give a truer experience with what the underlying APIs expect.
-1. Run this command to change *room0*'s RoomName from *Room0* to *PresidentialSuite*:
+1. Run this command to change room0's RoomName from "Room0" to "PresidentialSuite":
```cmd/sh UpdateDigitalTwin room0 add /RoomName string PresidentialSuite
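Review bot: the step says to "change" RoomName, but the command passes the JSON Patch `add` operation, and the new wording does not explain why. In JSON Patch, `add` on a member that already exists replaces its value, so one short clause saying so would stop readers from expecting an error or a duplicate property. The straight quotes introduced around Room0 and PresidentialSuite are also the only place in this change where a value is quoted rather than left plain or code-formatted; pick one convention.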
You can also modify the properties of a twin you've created.
Next, you can create some **relationships** between these twins, to connect them into a [twin graph](concepts-twins-graph.md). Twin graphs are used to represent an entire environment.
-The types of relationships that you can create from one twin to another are defined within the [models](#model-a-physical-environment-with-dtdl) that you uploaded earlier. The [model definition for Floor](https://github.com/azure-Samples/digital-twins-samples/blob/master/AdtSampleApp/SampleClientApp/Models/Floor.json) specifies that floors can have a type of relationship called *contains*. This makes it possible to create a *contains*-type relationship from each *Floor* twin to the corresponding room that it contains.
+The types of relationships that you can create from one twin to another are defined within the [models](#model-a-physical-environment-with-dtdl) that you uploaded earlier. The [model definition for Floor](https://github.com/azure-Samples/digital-twins-samples/blob/master/AdtSampleApp/SampleClientApp/Models/Floor.json) specifies that floors can have a type of relationship called *contains*. This makes it possible to create a *contains*-type relationship from each Floor twin to the corresponding room that it contains.
To add a relationship, use the `CreateRelationship` command. Specify the twin that the relationship is coming from, the type of relationship, and the twin that the relationship is connecting to. Lastly, give the relationship a unique ID.
-1. Run the following code to add a "contains" relationship from each of the *Floor* twins you created earlier to a corresponding *Room* twin. The relationships are named *relationship0* and *relationship1*.
+1. Run the following code to add a "contains" relationship from each of the Floor twins you created earlier to a corresponding Room twin. The relationships are named relationship0 and relationship1.
```cmd/sh CreateRelationship floor0 contains room0 relationship0
To add a relationship, use the `CreateRelationship` command. Specify the twin th
>[!TIP] >The *contains* relationship in the [Floor model](https://github.com/azure-Samples/digital-twins-samples/blob/master/AdtSampleApp/SampleClientApp/Models/Floor.json) was also defined with two string properties, `ownershipUser` and `ownershipDepartment`, so you can also provide arguments with the initial values for these when you create the relationships.
- > Here's an alternate version of the command above to create *relationship0* that also specifies initial values for these properties:
+ > Here's an alternate version of the command above to create relationship0 that also specifies initial values for these properties:
> ```cmd/sh > CreateRelationship floor0 contains room0 relationship0 ownershipUser string MyUser ownershipDepartment string myDepartment > ```
Run the following commands in the running project console to answer some questio
Query SELECT * FROM DIGITALTWINS T WHERE IS_OF_MODEL(T, 'dtmi:example:Room;2') ```
- You can restrict your query to twins of a certain type, to get more specific information about what's represented. The result of this shows *room0* and *room1*, but does **not** show *floor0* or *floor1* (since they are floors, not rooms).
+ You can restrict your query to twins of a certain type, to get more specific information about what's represented. The result of this shows room0 and room1, but does **not** show floor0 or floor1 (since they are floors, not rooms).
:::image type="content" source="media/tutorial-command-line/app/output-query-model.png" alt-text="Screenshot of the result from the model query, showing only room0 and room1.":::
Run the following commands in the running project console to answer some questio
Query SELECT room FROM DIGITALTWINS floor JOIN room RELATED floor.contains where floor.$dtId = 'floor0' ```
- You can query based on relationships in your graph, to get information about how twins are connected or to restrict your query to a certain area. Only *room0* is on *floor0*, so it's the only room in the result.
+ You can query based on relationships in your graph, to get information about how twins are connected or to restrict your query to a certain area. Only room0 is on floor0, so it's the only room in the result.
:::image type="content" source="media/tutorial-command-line/app/output-query-relationship.png" alt-text="Screenshot of the result from the relationship query, showing room0.":::
Run the following commands in the running project console to answer some questio
Query SELECT * FROM DigitalTwins T WHERE T.Temperature > 75 ```
- You can query the graph based on properties to answer a variety of questions, including finding outliers in your environment that might need attention. Other comparison operators (*<*,*>*, *=*, or *!=*) are also supported. *room1* shows up in the results here, because it has a temperature of 80.
+ You can query the graph based on properties to answer a variety of questions, including finding outliers in your environment that might need attention. Other comparison operators (*<*,*>*, *=*, or *!=*) are also supported. room1 shows up in the results here, because it has a temperature of 80.
:::image type="content" source="media/tutorial-command-line/app/output-query-property.png" alt-text="Screenshot of the result from the property query, showing only room1.":::
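Review bot: the added line drops the emphasis from room1 but leaves the operator list as `(*<*,*>*, *=*, or *!=*)`, with asterisk emphasis around `<` and `>` and no space after the first comma. Operators are literal query syntax, so code formatting would be safer here than emphasis, which is fragile around angle brackets, and it would match how `AND`, `OR` and `NOT` are written in the compound-query step.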
Run the following commands in the running project console to answer some questio
Query SELECT room FROM DIGITALTWINS floor JOIN room RELATED floor.contains where floor.$dtId = 'floor0' AND IS_OF_MODEL(room, 'dtmi:example:Room;2') AND room.Temperature > 75 ```
- You can also combine the earlier queries like you would in SQL, using combination operators such as `AND`, `OR`, `NOT`. This query uses `AND` to make the previous query about twin temperatures more specific. The result now only includes rooms with temperatures above 75 that are on *floor0*ΓÇöwhich in this case, is none of them. The result set is empty.
+ You can also combine the earlier queries like you would in SQL, using combination operators such as `AND`, `OR`, `NOT`. This query uses `AND` to make the previous query about twin temperatures more specific. The result now only includes rooms with temperatures above 75 that are on floor0ΓÇöwhich in this case, is none of them. The result set is empty.
:::image type="content" source="media/tutorial-command-line/app/output-query-compound.png" alt-text="Screenshot of the result from the compound query, showing no results." lightbox="media/tutorial-command-line/app/output-query-compound.png":::
digital-twins Tutorial Command Line Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/tutorial-command-line-cli.md
In this tutorial, you will...
To complete the steps in this tutorial, you'll need to first complete the following prerequisites.
-If you don't have an Azure subscription, **create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)** before you begin.
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
### Download the sample models
After you set up your Azure Digital Twins instance, make a note of the following
You can get both of these values for your instance in the output of the following Azure CLI command: ```azurecli-interactive
-az dt show -n <ADT_instance_name>
+az dt show --dt-name <ADT_instance_name>
``` :::image type="content" source="media/tutorial-command-line/cli/instance-details.png" alt-text="Screenshot of Cloud Shell browser window showing the output of the az dt show command. The hostName field and subscription ID (part of the id field) are highlighted.":::
After designing models, you need to upload them to your Azure Digital Twins inst
Navigate to the *Room.json* file on your machine and select "Open." Then, repeat this step for *Floor.json*.
-1. Next, use the [az dt model create](/cli/azure/dt/model#az_dt_model_create) command as shown below to upload your updated *Room* model to your Azure Digital Twins instance. The second command uploads another model, *Floor*, which you'll also use in the next section to create different types of twins.
+1. Next, use the [az dt model create](/cli/azure/dt/model#az_dt_model_create) command as shown below to upload your updated Room model to your Azure Digital Twins instance. The second command uploads another model, Floor, which you'll also use in the next section to create different types of twins.
```azurecli-interactive
- az dt model create -n <ADT_instance_name> --models Room.json
- az dt model create -n <ADT_instance_name> --models Floor.json
+ az dt model create --dt-name <ADT_instance_name> --models Room.json
+ az dt model create --dt-name <ADT_instance_name> --models Floor.json
``` The output from each command will show information about the successfully uploaded model.
After designing models, you need to upload them to your Azure Digital Twins inst
1. Verify the models were created with the [az dt model list](/cli/azure/dt/model#az_dt_model_list) command as shown below. This will print a list of all models that have been uploaded to the Azure Digital Twins instance with their full information. ```azurecli-interactive
- az dt model list -n <ADT_instance_name> --definition
+ az dt model list --dt-name <ADT_instance_name> --definition
```
- Look for the edited *Room* model in the results:
+ Look for the edited Room model in the results:
:::image type="content" source="media/tutorial-command-line/cli/output-get-models.png" alt-text="Screenshot of Cloud Shell showing result of the model list command, which includes the updated Room model." lightbox="media/tutorial-command-line/cli/output-get-models.png":::
The CLI also handles errors from the service.
Re-run the `az dt model create` command to try re-uploading one of the same models you just uploaded, for a second time: ```azurecli-interactive
-az dt model create -n <ADT_instance_name> --models Room.json
+az dt model create --dt-name <ADT_instance_name> --models Room.json
``` As models cannot be overwritten, this will now return an error code of `ModelIdAlreadyExists`.
Now that some models have been uploaded to your Azure Digital Twins instance, yo
To create a digital twin, you use the [az dt twin create](/cli/azure/dt/twin#az_dt_twin_create) command. You must reference the model that the twin is based on, and can optionally define initial values for any properties in the model. You do not have to pass any relationship information at this stage.
-1. Run this code in the Cloud Shell to create several twins, based on the *Room* model you updated earlier and another model, *Floor*. Recall that *Room* has three properties, so you can provide arguments with the initial values for these. (Initializing property values is optional in general, but they're needed for this tutorial.)
+1. Run this code in the Cloud Shell to create several twins, based on the Room model you updated earlier and another model, Floor. Recall that Room has three properties, so you can provide arguments with the initial values for these. (Initializing property values is optional in general, but they're needed for this tutorial.)
```azurecli-interactive
- az dt twin create -n <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room0 --properties '{"RoomName":"Room0", "Temperature":70, "HumidityLevel":30}'
- az dt twin create -n <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room1 --properties '{"RoomName":"Room1", "Temperature":"80", "HumidityLevel":"60"}'
- az dt twin create -n <ADT_instance_name> --dtmi "dtmi:example:Floor;1" --twin-id floor0
- az dt twin create -n <ADT_instance_name> --dtmi "dtmi:example:Floor;1" --twin-id floor1
+ az dt twin create --dt-name <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room0 --properties '{"RoomName":"Room0", "Temperature":70, "HumidityLevel":30}'
+ az dt twin create --dt-name <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room1 --properties '{"RoomName":"Room1", "Temperature":"80", "HumidityLevel":"60"}'
+ az dt twin create --dt-name <ADT_instance_name> --dtmi "dtmi:example:Floor;1" --twin-id floor0
+ az dt twin create --dt-name <ADT_instance_name> --dtmi "dtmi:example:Floor;1" --twin-id floor1
``` >[!NOTE] > If you're using Cloud Shell in the PowerShell environment, you may need to escape the quotation mark characters in order for the `--properties` JSON value to be parsed correctly. With this edit, the commands to create the room twins look like this: > > ```azurecli-interactive
- > az dt twin create -n <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room0 --properties '{\"RoomName\":\"Room0\", \"Temperature\":70, \"HumidityLevel\":30}'
- > az dt twin create -n <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room1 --properties '{\"RoomName\":\"Room1\", \"Temperature\":80, \"HumidityLevel\":60}'
+ > az dt twin create --dt-name <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room0 --properties '{\"RoomName\":\"Room0\", \"Temperature\":70, \"HumidityLevel\":30}'
+ > az dt twin create --dt-name <ADT_instance_name> --dtmi "dtmi:example:Room;2" --twin-id room1 --properties '{\"RoomName\":\"Room1\", \"Temperature\":80, \"HumidityLevel\":60}'
> ``` > This is reflected in the screenshot below.
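Review bot: the added room1 line keeps `"Temperature":"80", "HumidityLevel":"60"` as quoted strings, while room0 on the line above passes 70 and 30 as numbers and the PowerShell variant in the note passes 80 and 60 unquoted. The flag rename was a chance to fix this: as written, the bash and PowerShell commands do not send the same payload for room1, and string values may not match numeric properties in the Room model or behave as expected in numeric comparisons. Suggest `"Temperature":80, "HumidityLevel":60` on the room1 line.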
To create a digital twin, you use the [az dt twin create](/cli/azure/dt/twin#az_
1. You can verify that the twins were created with the [az dt twin query](/cli/azure/dt/twin#az_dt_twin_query) command as shown below. The query shown finds all the digital twins in your Azure Digital Twins instance. ```azurecli-interactive
- az dt twin query -n <ADT_instance_name> -q "SELECT * FROM DIGITALTWINS"
+ az dt twin query --dt-name <ADT_instance_name> --query-command "SELECT * FROM DIGITALTWINS"
```