Updates from: 05/25/2022 01:52:41
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c B2clogin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2clogin.md
Previously updated: 09/15/2021 | Last updated: 05/21/2022
# Set redirect URLs to b2clogin.com for Azure Active Directory B2C
-When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) application, you need to specify a redirect URL. You should no longer reference *login.microsoftonline.com* in your applications and APIs for authenticating users with Azure AD B2C. Instead, use *b2clogin.com* for all new applications, and migrate existing applications from *login.microsoftonline.com* to *b2clogin.com*.
+When you set up an identity provider for sign-up and sign-in in your Azure Active Directory B2C (Azure AD B2C) applications, you need to specify the endpoints of the Azure AD B2C identity provider. You should no longer reference *login.microsoftonline.com* in your applications and APIs for authenticating users with Azure AD B2C. Instead, use *b2clogin.com* or a [custom domain](./custom-domain.md) for all applications.
## What endpoints does this apply to
-The transition to b2clogin.com only applies to authentication endpoints that use Azure AD B2C policies (user flows or custom policies) to authenticate users. These endpoints have a `<policy-name>` parameter which specifies the policy Azure AD B2C should use. [Learn more about Azure AD B2C policies](technical-overview.md#identity-experiences-user-flows-or-custom-policies).
-These endpoints may look like:
-- <code>https://login.microsoft.com/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>
+The transition to b2clogin.com only applies to authentication endpoints that use Azure AD B2C policies (user flows or custom policies) to authenticate users. These endpoints have a `<policy-name>` parameter, which specifies the policy Azure AD B2C should use. [Learn more about Azure AD B2C policies](technical-overview.md#identity-experiences-user-flows-or-custom-policies).
-- <code>https://login.microsoft.com/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/token</code>
+Old endpoints may look like:
+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>
+- <code>https://<b>login.microsoft.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize<b>?p=\<policy-name\></b></code>
-Alternatively, the `<policy-name>` may be passed as a query parameter:
-- <code>https://login.microsoft.com/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code>-- <code>https://login.microsoft.com/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/token?<b>p=\<policy-name\></b></code>
+A corresponding updated endpoint would look like:
+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>
+- <code>https://<b>\<tenant-name\>.b2clogin.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code>
+
+With Azure AD B2C [custom domain](./custom-domain.md) the corresponding updated endpoint would look like:
-> [!IMPORTANT]
-> Endpoints that use the 'policy' parameter must be updated as well as [identity provider redirect URLs](#change-identity-provider-redirect-urls).
+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/<b>\<policy-name\></b>/oauth2/v2.0/authorize</code>
+- <code>https://<b>login.contoso.com</b>/\<tenant-name\>.onmicrosoft.com/oauth2/v2.0/authorize?<b>p=\<policy-name\></b></code>
-Some Azure AD B2C customers use the shared capabilities of Azure AD enterprise tenants like OAuth 2.0 client credentials grant flow. These features are accessed using Azure AD's login.microsoftonline.com endpoints, *which don't contain a policy parameter*. __These endpoints are not affected__.
+## Endpoints that are not affected
-## Benefits of b2clogin.com
+Some customers use the shared capabilities of Azure AD enterprise tenants. For example, acquiring an access token to call the [MS Graph API](microsoft-graph-operations.md#code-discussion) of the Azure AD B2C tenant.
-When you use *b2clogin.com* as your redirect URL:
+All endpoints, which don't contain a policy parameter aren't affected by the change. They're accessed only with the Azure AD's login.microsoftonline.com endpoints, and can't be used with the *b2clogin.com*, or custom domains. The following example shows a valid token endpoint of the Azure AD platform:
-* Space consumed in the cookie header by Microsoft services is reduced.
-* Your redirect URLs no longer need to include a reference to Microsoft.
-* [JavaScript client-side code](javascript-and-page-layout.md) is supported in customized pages. Due to security restrictions, JavaScript code and HTML form elements are removed from custom pages if you use *login.microsoftonline.com*.
+```http
+https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/token
+```
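Review bot: the two bullets under "Old endpoints may look like" use the host `login.microsoft.com`, while the intro paragraph and the rest of this article name the legacy host as `login.microsoftonline.com`; make the examples read `https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/...` so that readers searching their code for the old host look for the right string. Also, under "Endpoints that are not affected", "All endpoints, which don't contain a policy parameter aren't affected by the change" reads as a non-restrictive clause; drop the comma: "All endpoints that don't contain a policy parameter aren't affected by the change."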
## Overview of required changes
-There are several modifications you might need to make to migrate your applications to *b2clogin.com*:
+There are several modifications you might need to make to migrate your applications from *login.microsoftonline.com* using Azure AD B2C endpoints:
-* Change the redirect URL in your identity provider's applications to reference *b2clogin.com*.
-* Update your Azure AD B2C applications to use *b2clogin.com* in their user flow and token endpoint references. This may include updating your use of an authentication library like Microsoft Authentication Library (MSAL).
+* Change the redirect URL in your identity provider's applications to reference *b2clogin.com*, or custom domain. For more information, follow the [change identity provider redirect URLs](#change-identity-provider-redirect-urls) guidance.
+* Update your Azure AD B2C applications to use *b2clogin.com*, or custom domain in their user flow and token endpoint references. The change may include updating your use of an authentication library like Microsoft Authentication Library (MSAL).
* Update any **Allowed Origins** that you've defined in the CORS settings for [user interface customization](customize-ui-with-html.md).
-An old endpoint may look like:
-- <b><code>https://login.microsoft.com/</b>\<tenant-name\>.onmicrosoft.com/\<policy-name\>/oauth2/v2.0/authorize</code>-
-A corresponding updated endpoint would look like:
-- <code><b>https://\<tenant-name\>.b2clogin.com/</b>\<tenant-name\>.onmicrosoft.com/\<policy-name\>/oauth2/v2.0/authorize</code>- ## Change identity provider redirect URLs
-On each identity provider's website in which you've created an application, change all trusted URLs to redirect to `your-tenant-name.b2clogin.com` instead of *login.microsoftonline.com*.
+On each identity provider's website in which you've created an application, change all trusted URLs to redirect to `your-tenant-name.b2clogin.com`, or a custom domain instead of *login.microsoftonline.com*.
-There are two formats you can use for your b2clogin.com redirect URLs. The first provides the benefit of not having "Microsoft" appear anywhere in the URL by using the Tenant ID (a GUID) in place of your tenant domain name:
+There are two formats you can use for your b2clogin.com redirect URLs. The first provides the benefit of not having "Microsoft" appear anywhere in the URL by using the Tenant ID (a GUID) in place of your tenant domain name. Note, the `authresp` endpoint may not contain a policy name.
``` https://{your-tenant-name}.b2clogin.com/{your-tenant-id}/oauth2/authresp
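Review bot: "Note, the `authresp` endpoint may not contain a policy name" is ambiguous between "might not" and "must not"; the redirect URL shown directly below it has no policy segment, so state it plainly, for example "The `authresp` redirect URL doesn't include a policy name." Two smaller wording points in the same region: "migrate your applications from *login.microsoftonline.com* using Azure AD B2C endpoints" drops the destination and should read "migrate your applications from *login.microsoftonline.com* to *b2clogin.com* or a custom domain", and "*b2clogin.com*, or custom domain" in the two bullets reads better as "*b2clogin.com* or a custom domain".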
For migrating Azure API Management APIs protected by Azure AD B2C, see the [Migr
### MSAL.NET ValidateAuthority property
-If you're using [MSAL.NET][msal-dotnet] v2 or earlier, set the **ValidateAuthority** property to `false` on client instantiation to allow redirects to *b2clogin.com*. Setting this value to `false` is not required for MSAL.NET v3 and above.
+If you're using [MSAL.NET][msal-dotnet] v2 or earlier, set the **ValidateAuthority** property to `false` on client instantiation to allow redirects to *b2clogin.com*. Setting this value to `false` isn't required for MSAL.NET v3 and above.
```csharp ConfidentialClientApplication client = new ConfidentialClientApplication(...); // Can also be PublicClientApplication
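Review bot: the MSAL.NET v2 sentence tells readers to set **ValidateAuthority** to `false` without saying what that disables. With validation off, MSAL accepts any host in the authority string, so the text should add that the authority URL must then come from trusted configuration and never from user- or request-controlled input, and that the setting should be dropped again when moving to MSAL.NET v3 or later, where the same paragraph already says it isn't required.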
active-directory-b2c Partner Xid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-xid.md
The following architecture diagram shows the implementation.
![image shows the architecture diagram](./media/partner-xid/partner-xid-architecture-diagram.png)
-| Step | Description |
-|:--|:--|
-| 1. |User opens Azure AD B2C's sign-in page and then signs in or signs up by entering their username. |
-| 2. |Azure AD B2C redirects the user to xID authorize API endpoint using an OpenID Connect (OIDC) request. An OIDC endpoint is available containing information about the endpoints. xID Identity provider (IdP) redirects the user to the xID authorization sign-in page allowing the user to fill in or select their email address. |
-| 3. |xID IdP sends the push notification to the user's mobile device. |
-| 4. |The user opens the xID app, checks the request, then enters the PIN or authenticates with their biometrics. If PIN or biometrics is successfully verified, xID app activates the private key and creates an electronic signature. |
-| 5. |xID app sends the signature to xID IdP for verification. |
-| 6. |xID IdP shows a consent screen to the user, requesting authorization to give their personal information to the service they're signing in. |
-| 7. |xID IdP returns the OAuth authorization code to Azure AD B2C. |
-| 8. | Azure AD B2C sends a token request using the authorization code. |
-| 9. |xID IdP checks the token request and, if still valid, returns the OAuth access token and the ID token containing the requested user's identifier and email address. |
-| 10. |In addition, if the user's customer content is needed, Azure AD B2C calls the xID userdata API. |
-| 11. |The xID userdata API returns the user's encrypted customer content. Users can decrypt it with their private key, which they create when requesting the xID client information. |
-| 12. | User is either granted or denied access to the customer application based on the verification results. |
+| Step | Description |
+| : | :- |
+| 1. | User opens Azure AD B2C's sign-in page and then signs in or signs up by entering their username. |
+| 2. | Azure AD B2C redirects the user to xID authorize API endpoint using an OpenID Connect (OIDC) request. An OIDC endpoint is available containing information about the endpoints. xID Identity provider (IdP) redirects the user to the xID authorization sign-in page allowing the user to fill in or select their email address. |
+| 3. | xID IdP sends the push notification to the user's mobile device. |
+| 4. | The user opens the xID app, checks the request, then enters the PIN or authenticates with their biometrics. If PIN or biometrics is successfully verified, xID app activates the private key and creates an electronic signature. |
+| 5. | xID app sends the signature to xID IdP for verification. |
+| 6. | xID IdP shows a consent screen to the user, requesting authorization to give their personal information to the service they're signing in. |
+| 7. | xID IdP returns the OAuth authorization code to Azure AD B2C. |
+| 8. | Azure AD B2C sends a token request using the authorization code. |
+| 9. | xID IdP checks the token request and, if still valid, returns the OAuth access token and the ID token containing the requested user's identifier and email address. |
+| 10. | In addition, if the user's customer content is needed, Azure AD B2C calls the xID userdata API. |
+| 11. | The xID userdata API returns the user's encrypted customer content. Users can decrypt it with their private key, which they create when requesting the xID client information. |
+| 12. | User is either granted or denied access to the customer application based on the verification results. |
## Onboard with xID Request API documents by filling out [the request form](https://xid.inc/contact-us). In the message field, indicate that you'd like to onboard with Azure AD B2C. Then, an xID sales representative will contact you. Follow the instructions provided in the xID API document and request an xID API client. xID tech team will send client information to you in 3-4 working days.
+Supply redirect URI. This is the URI in your site to which the user is returned after a successful authentication. The URI that should be provided to xID for your Azure AD B2C follows the pattern - `https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp`.
-## Step 1: Create a xID policy key
+## Step 1: Register a web application in Azure AD B2C
+
+Before your [applications](application-types.md) can interact with Azure AD B2C, they must be registered in a tenant that you manage.
+
+For testing purposes like this tutorial, you're registering `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser).
+
+Follow the steps mentioned in [this tutorial](tutorial-register-applications.md?tabs=app-reg-ga) to **register a web application** and **enable ID token implicit grant** for testing a user flow or custom policy. There's no need to create a Client Secret at this time.
+
+## Step 2: Create a xID policy key
Store the client secret that you received from xID in your Azure AD B2C tenant.
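Review bot: in "Supply redirect URI. This is the URI in your site to which the user is returned after a successful authentication", the first sentence points at the wrong party: the value registered with xID is not a URI on your site but Azure AD B2C's own `authresp` endpoint, as the pattern on that same line shows. Suggest: "Supply the redirect URI. This is the Azure AD B2C endpoint that xID returns the user to after authentication; register exactly `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/oauth2/authresp` and no other redirect URI for this client." The placeholder `<your-b2c-domain>` should also become `<your-tenant-name>` to match the b2clogin article, which uses `your-tenant-name` for the same value. Separately, the new table delimiter row `| : | :- |` is not valid Markdown (each delimiter cell needs at least one dash), so the table will stop rendering; keep `|:--|:--|`.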
Store the client secret that you received from xID in your Azure AD B2C tenant.
>[!NOTE] >In Azure AD B2C, [**custom policies**](./user-flow-overview.md) are designed primarily to address complex scenarios.
-## Step 2: Configure xID as an Identity provider
+## Step 3: Configure xID as an Identity provider
To enable users to sign in using xID, you need to define xID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims Azure AD B2C uses to verify that a specific user has authenticated using digital identity available on their device. Proving the user's identity. Use the following steps to add xID as a claims provider:
-1. Get the custom policy starter packs from GitHub, then update the XML files in the SocialAndLocalAccounts starter pack with your Azure AD B2C tenant name:
+1. Get the custom policy starter packs from GitHub, then update the XML files in the SocialAccounts starter pack with your Azure AD B2C tenant name:
i. Download the [.zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or [clone the repository](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack).
- ii. In all of the files in the **LocalAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.
+ ii. In all of the files in the **SocialAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.
-2. Open the `LocalAccounts/ TrustFrameworkExtensions.xml`.
+2. Open the `SocialAccounts/TrustFrameworkExtensions.xml`.
3. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.
Use the following steps to add xID as a claims provider:
<Item Key="DiscoverMetadataByTokenIssuer">true</Item> <Item Key="token_endpoint_auth_method">client_secret_basic</Item> <Item Key="ClaimsEndpoint">https://oidc-uat.x-id.io/userinfo</Item>
+ <Item Key="ValidTokenIssuerPrefixes">https://oidc-uat.x-id.io/</Item>
</Metadata> <CryptographicKeys>
- <Key Id="client_secret" StorageReferenceId="B2C_1A_X-IDClientSecret" />
+ <Key Id="client_secret" StorageReferenceId="B2C_1A_XIDSecAppSecret" />
</CryptographicKeys> <OutputClaims> <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
Use the following steps to add xID as a claims provider:
<OutputClaim ClaimTypeReferenceId="email" /> <OutputClaim ClaimTypeReferenceId="sid" /> <OutputClaim ClaimTypeReferenceId="userdataid" />
- <OutputClaim ClaimTypeReferenceId="X-ID_verified" />
+ <OutputClaim ClaimTypeReferenceId="XID_verified" />
<OutputClaim ClaimTypeReferenceId="email_verified" /> <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" /> <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" DefaultValue="https://oidc-uat.x-id.io/" />
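Review bot: the renamed output claim `XID_verified` doesn't match the claim type declared later in this diff, `<ClaimType Id="xid_verified">`; use identical spelling and casing in both places so the reference doesn't depend on case-insensitive matching in the policy engine.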
Use the following steps to add xID as a claims provider:
5. Save the changes.
-## Step 3: Add a user journey
+## Step 4: Add a user journey
-At this point, you've set up the identity provider, but it's not yet available on any of the sign-in pages. If you have a custom user journey, continue to [step 4](#step-4-add-the-identity-provider-to-a-user-journey). Otherwise, create a duplicate of an existing template user journey as follows:
+At this point, you've set up the identity provider, but it's not yet available on any of the sign-in pages. If you have a custom user journey, continue to [step 5](#step-5-add-the-identity-provider-to-a-user-journey). Otherwise, create a duplicate of an existing template user journey as follows:
1. Open the `TrustFrameworkBase.xml` file from the starter pack.
At this point, you've set up the identity provider, but it's not yet available o
5. Rename the ID of the user journey. For example, `ID=CustomSignUpSignIn`
-## Step 4: Add the identity provider to a user journey
+## Step 5: Add the identity provider to a user journey
Now that you have a user journey add the new identity provider to the user journey. 1. Find the orchestration step element that includes Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers used for signing in. The order of the elements controls the order of the sign-in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name, such as `X-IDExchange`.
-2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID to link the xID button to `X-ID-SignIn` action. Next, update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier.
+2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID to link the xID button to `X-IDExchange` action. Next, update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier `X-ID-Oauth2`.
- The following XML demonstrates the orchestration steps of a user journey with the identity provider:
+3. Add a new Orchestration step to call xID UserInfo endpoint to return claims about the authenticated user `X-ID-Userdata`.
+
+ The following XML demonstrates the orchestration steps of a user journey with xID identity provider:
```xml
- <UserJourney Id="X-IDSignUpOrSignIn">
+ <UserJourney Id="CombinedSignInAndSignUp">
<OrchestrationSteps> <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
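Review bot: renaming the user journey to `CombinedSignInAndSignUp` reuses the name of the orchestration step type used inside it (`Type="CombinedSignInAndSignUp"`), which makes the XML hard to read and easy to mis-reference; a distinctive Id such as the previous `X-IDSignUpOrSignIn`, with the relying party updated to match, would be clearer. New step 3 also refers to technical profiles `X-ID-Oauth2` and `X-ID-Userdata` as if the reader had already created them, but this diff only shows the OAuth2 profile's metadata and never shows an `X-ID-Userdata` technical profile; either show it or point to where it is defined.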
Now that you have a user journey add the new identity provider to the user journ
```
-## Step 5: Upload the custom policy
+There are additional identity claims that xID supports and are referenced as part of the policy. Claims schema is the place where you declare these claims. ClaimsSchema element contains list of ClaimType elements. The ClaimType element contains the Id attribute, which is the claim name.
-1. Sign in to the [Azure portal](https://portal.azure.com/#home).
+1. Open the `TrustFrameworksExtension.xml`
-2. Make sure you're using the directory that contains your Azure AD B2C tenant:
+2. Find the `BuildingBlocks` element.
- a. Select the **Directories + subscriptions** icon in the portal toolbar.
+3. Add the following ClaimType element in the **ClaimsSchema** element of your `TrustFrameworksExtension.xml` policy
- b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and select **Switch**.
-
-3. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
-
-4. Under Policies, select **Identity Experience Framework**.
-
-5. Select **Upload Custom Policy**, and then upload the files in the **LocalAccounts** starter pack in the following order: the extension policy, for example, `TrustFrameworkExtensions.xml`, then the relying party policy, such as `SignUpSignIn.xml`.
+```xml
+ <BuildingBlocks>
+ <ClaimsSchema>
+ <!-- xID -->
+ <ClaimType Id="sid">
+ <DisplayName>sid</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="userdataid">
+ <DisplayName>userdataid</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="xid_verified">
+ <DisplayName>xid_verified</DisplayName>
+ <DataType>boolean</DataType>
+ </ClaimType>
+ <ClaimType Id="email_verified">
+ <DisplayName>email_verified</DisplayName>
+ <DataType>boolean</DataType>
+ </ClaimType>
+ <ClaimType Id="identityProviderAccessToken">
+ <DisplayName>Identity Provider Access Token</DisplayName>
+ <DataType>string</DataType>
+ <AdminHelpText>Stores the access token of the identity provider.</AdminHelpText>
+ </ClaimType>
+ <ClaimType Id="last_name">
+ <DisplayName>last_name</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="first_name">
+ <DisplayName>first_name</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="previous_name">
+ <DisplayName>previous_name</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="year">
+ <DisplayName>year</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="month">
+ <DisplayName>month</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="date">
+ <DisplayName>date</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="prefecture">
+ <DisplayName>prefecture</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="city">
+ <DisplayName>city</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="address">
+ <DisplayName>address</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="sub_char_common_name">
+ <DisplayName>sub_char_common_name</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="sub_char_previous_name">
+ <DisplayName>sub_char_previous_name</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="sub_char_address">
+ <DisplayName>sub_char_address</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <ClaimType Id="verified_at">
+ <DisplayName>verified_at</DisplayName>
+ <DataType>int</DataType>
+ </ClaimType>
+ <ClaimType Id="gender">
+ <DisplayName>Gender</DisplayName>
+ <DataType>string</DataType>
+ <DefaultPartnerClaimTypes>
+ <Protocol Name="OpenIdConnect" PartnerClaimType="gender" />
+ </DefaultPartnerClaimTypes>
+ <AdminHelpText>The user's gender.</AdminHelpText>
+ <UserHelpText>Your gender.</UserHelpText>
+ <UserInputType>TextBox</UserInputType>
+ </ClaimType>
+ <ClaimType Id="correlationId">
+ <DisplayName>correlation ID</DisplayName>
+ <DataType>string</DataType>
+ </ClaimType>
+ <!-- xID -->
+ </ClaimsSchema>
+ </BuildingBlocks>
+```
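Review bot: the file is spelled `TrustFrameworksExtension.xml` in new steps 1 and 3 but `TrustFrameworkExtensions.xml` everywhere else in this diff (step 3 "Open the `SocialAccounts/TrustFrameworkExtensions.xml`" and the upload list); fix the spelling. The snippet also wraps the claims in a full `<BuildingBlocks><ClaimsSchema>` element while the instruction says to add the ClaimType elements inside the existing **ClaimsSchema** element of a file that already has a BuildingBlocks element (step 2 tells the reader to find it); say explicitly to paste only the `<ClaimType>` elements, or the reader ends up with a second BuildingBlocks element. Finally, `identityProviderAccessToken` keeps the xID access token in the claims bag; worth a sentence that it should not be added to the relying party's output claims unless the application really needs to call xID directly.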
## Step 6: Configure the relying party policy The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C will execute. First, find the **DefaultUserJourney** element within the relying party. Then, update the **ReferenceId** to match the user journey ID you added to the identity provider.
-In the following example, for the `X-IDSignUpOrSignIn` user journey, the **ReferenceId** is set to `X-IDSignUpOrSignIn`:
+In the following example, for the xID user journey, the **ReferenceId** is set to `CombinedSignInAndSignUp`:
```xml <RelyingParty>
- <DefaultUserJourney ReferenceId="X-IDSignUpOrSignIn" />
+ <DefaultUserJourney ReferenceId="CombinedSignInAndSignUp" />
<TechnicalProfile Id="PolicyProfile"> <DisplayName>PolicyProfile</DisplayName> <Protocol Name="OpenIdConnect" />
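Review bot: the relying party link still points at `LocalAccounts/SignUpOrSignin.xml` although step 3 switched the walkthrough to the **SocialAccounts** starter pack; update the link to the SocialAccounts copy of the file. The same line shows the starter pack file is named `SignUpOrSignin.xml`, which the upload step below calls `SignUpSignIn.xml`; use one name throughout.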
In the following example, for the `X-IDSignUpOrSignIn` user journey, the **Refer
```
+## Step 7: Upload the custom policy
+
+1. Sign in to the [Azure portal](https://portal.azure.com/#home).
+
+2. Make sure you're using the directory that contains your Azure AD B2C tenant:
+
+ a. Select the **Directories + subscriptions** icon in the portal toolbar.
+
+ b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and select **Switch**.
+
+3. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
+
+4. Under Policies, select **Identity Experience Framework**.
+
+5. Select **Upload Custom Policy**, and then upload the files in the following order:
+ 1. `TrustFrameworkBase.xml`, the base policy file
+ 2. `TrustFrameworkExtensions.xml`, the extension policy
+ 3. `SignUpSignIn.xml`, then the relying party policy
-## Step 7: Test your custom policy
+## Step 8: Test your custom policy
1. In your Azure AD B2C tenant, and under **Policies**, select **Identity Experience Framework**.
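Review bot: in the upload list, item 3 "`SignUpSignIn.xml`, then the relying party policy" carries a leftover "then" from the old sentence and names the file differently from the `SignUpOrSignin.xml` link in step 6; make it parallel with the other two items ("`SignUpOrSignin.xml`, the relying party policy"). Listing `TrustFrameworkBase.xml` first is the right fix, since the extension policy inherits from it and must be uploaded after it.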
active-directory-b2c Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md
Title: "What's new in Azure Active Directory business-to-customer (B2C)"
description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
Previously updated: 04/04/2022 | Last updated: 05/23/2022
Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md).
+## April 2022
+
+### New articles
+
+- [Tutorial: Configure Azure Web Application Firewall with Azure Active Directory B2C](partner-azure-web-application-firewall.md)
+- [Configure Asignio with Azure Active Directory B2C for multi-factor authentication](partner-asignio.md)
+- [Set up sign-up and sign-in with Mobile ID using Azure Active Directory B2C](identity-provider-mobile-id.md)
+- [Find help and open a support ticket for Azure Active Directory B2C](find-help-open-support-ticket.md)
+
+### Updated articles
+
+- [Configure authentication in a sample single-page application by using Azure AD B2C](configure-authentication-sample-spa-app.md)
+- [Configure xID with Azure Active Directory B2C for passwordless authentication](partner-xid.md)
+- [Azure Active Directory B2C service limits and restrictions](service-limits.md)
+- [Localization string IDs](localization-string-ids.md)
+- [Manage your Azure Active Directory B2C tenant](tenant-management.md)
+- [Page layout versions](page-layout.md)
+- [Secure your API used an API connector in Azure AD B2C](secure-rest-api.md)
+- [Azure Active Directory B2C: What's new](whats-new-docs.md)
+- [Application types that can be used in Active Directory B2C](application-types.md)
+- [Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery](publish-app-to-azure-ad-app-gallery.md)
+- [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](quickstart-native-app-desktop.md)
+- [Register a single-page application (SPA) in Azure Active Directory B2C](tutorial-register-spa.md)
+ ## March 2022 ### New articles
active-directory Accidental Deletions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/accidental-deletions.md
Title: Enable accidental deletions prevention in Application Provisioning in Azu
description: Enable accidental deletions prevention in Application Provisioning in Azure Active Directory. -+
active-directory Application Provisioning Config Problem No Users Provisioned https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned.md
Title: Users are not being provisioned in my application
description: How to troubleshoot common issues faced when you don't see users appearing in an Azure AD Gallery Application you have configured for user provisioning with Azure AD -+
active-directory Application Provisioning Config Problem Scim Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Title: Known issues with System for Cross-Domain Identity Management (SCIM) 2.0
description: How to solve common protocol compatibility issues faced when adding a non-gallery application that supports SCIM 2.0 to Azure AD -+
active-directory Application Provisioning Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem.md
Title: Problem configuring user provisioning to an Azure Active Directory Galler
description: How to troubleshoot common issues faced when configuring user provisioning to an application already listed in the Azure Active Directory Application Gallery -+
active-directory Application Provisioning Configuration Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-configuration-api.md
Title: Configure provisioning using Microsoft Graph APIs
description: Learn how to save time by using the Microsoft Graph APIs to automate the configuration of automatic provisioning. -+
active-directory Application Provisioning Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-log-analytics.md
Title: Understand how Provisioning integrates with Azure Monitor logs in Azure A
description: Understand how Provisioning integrates with Azure Monitor logs in Azure Active Directory. -+
active-directory Application Provisioning Quarantine Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-quarantine-status.md
Title: Quarantine status in Azure Active Directory Application Provisioning
description: When you've configured an application for automatic user provisioning, learn what a provisioning status of Quarantine means and how to clear it. -+
active-directory Application Provisioning When Will Provisioning Finish Specific User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md
Title: Find out when a specific user will be able to access an app in Azure Acti
description: How to find out when a critically important user be able to access an application you have configured for user provisioning with Azure Active Directory -+
active-directory Check Status User Account Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/check-status-user-account-provisioning.md
Title: Report automatic user account provisioning from Azure Active Directory to
description: 'Learn how to check the status of automatic user account provisioning jobs, and how to troubleshoot the provisioning of individual users.' -+
active-directory Configure Automatic User Provisioning Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
Title: User provisioning management for enterprise apps in Azure Active Directory
description: Learn how to manage user account provisioning for enterprise apps using the Azure Active Directory. -+
active-directory Customize Application Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md
Title: Tutorial - Customize Azure Active Directory attribute mappings in Application Provisioning
description: Learn what attribute mappings for Software as a Service (SaaS) apps in Azure Active Directory Application Provisioning are and how you can modify them to address your business needs. -+
active-directory Define Conditional Rules For Provisioning User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md
Title: Use scoping filters in Azure Active Directory Application Provisioning
description: Learn how to use scoping filters to prevent objects in apps that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements in Azure Active Directory Application Provisioning. -+
active-directory Export Import Provisioning Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/export-import-provisioning-configuration.md
Title: Export Application Provisioning configuration and roll back to a known good state
description: Learn how to export your Application Provisioning configuration and roll back to a known good state for disaster recovery in Azure Active Directory. -+
active-directory Expression Builder https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/expression-builder.md
Title: Understand how expression builder works with Application Provisioning in Azure Active Directory
description: Understand how expression builder works with Application Provisioning in Azure Active Directory. -+
active-directory Functions For Customizing Application Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md
Title: Reference for writing expressions for attribute mappings in Azure Active Directory Application Provisioning
description: Learn how to use expression mappings to transform attribute values into an acceptable format during automated provisioning of SaaS app objects in Azure Active Directory. Includes a reference list of functions. -+
active-directory How Provisioning Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/how-provisioning-works.md
Title: Understand how Application Provisioning works in Azure Active Directory
description: Understand how Application Provisioning works in Azure Active Directory. -+
active-directory Hr Attribute Retrieval Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-attribute-retrieval-issues.md
Title: Troubleshoot attribute retrieval issues with HR provisioning
description: Learn how to troubleshoot attribute retrieval issues with HR provisioning -+
active-directory Hr Manager Update Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-manager-update-issues.md
Title: Troubleshoot manager update issues with HR provisioning
description: Learn how to troubleshoot manager update issues with HR provisioning -+
active-directory Hr User Creation Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-user-creation-issues.md
Title: Troubleshoot user creation issues with HR provisioning
description: Learn how to troubleshoot user creation issues with HR provisioning -+
active-directory Hr User Update Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-user-update-issues.md
Title: Troubleshoot user update issues with HR provisioning
description: Learn how to troubleshoot user update issues with HR provisioning -+
active-directory Hr Writeback Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-writeback-issues.md
Title: Troubleshoot write back issues with HR provisioning
description: Learn how to troubleshoot write back issues with HR provisioning -+
active-directory Isv Automatic Provisioning Multi Tenant Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/isv-automatic-provisioning-multi-tenant-apps.md
Title: Enable automatic user provisioning for multi-tenant applications in Azure Active Directory
description: A guide for independent software vendors for enabling automated provisioning in Azure Active Directory -+
active-directory Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/known-issues.md
Title: Known issues for application provisioning in Azure Active Directory
description: Learn about known issues when you work with automated application provisioning in Azure Active Directory. -+
active-directory On Premises Application Provisioning Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
Title: 'Azure AD on-premises application provisioning architecture | Microsoft Docs'
description: Presents an overview of on-premises application provisioning architecture. -+
active-directory On Premises Ecma Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md
Title: 'Troubleshooting issues with provisioning to on-premises applications'
description: Describes how to troubleshoot various issues you might encounter when you install and use the ECMA Connector Host. -+
active-directory On Premises Ldap Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ldap-connector-configure.md
Title: Azure AD Provisioning to LDAP directories (preview)
description: This document describes how to configure Azure AD to provision users into an LDAP directory. -+
active-directory On Premises Migrate Microsoft Identity Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Title: 'Export a Microsoft Identity Manager connector for use with the Azure AD ECMA Connector Host'
description: Describes how to create and export a connector from MIM Sync to be used with the Azure AD ECMA Connector Host. -+
active-directory On Premises Scim Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
Title: Azure AD on-premises app provisioning to SCIM-enabled apps
description: This article describes how to use the Azure AD provisioning service to provision users into an on-premises app that's SCIM enabled. -+
active-directory On Premises Sql Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-sql-connector-configure.md
Title: Provisioning users into SQL based applications using the ECMA Connector host
description: Provisioning users into SQL based applications using the ECMA Connector host -+
active-directory Plan Auto User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md
Title: Plan an automatic user provisioning deployment for Azure Active Directory
description: Guidance for planning and executing automatic user provisioning in Azure Active Directory -+
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
Title: Plan cloud HR application to Azure Active Directory user provisioning
description: This article describes the deployment process of integrating cloud HR systems, such as Workday and SuccessFactors, with Azure Active Directory. Integrating Azure AD with your cloud HR system results in a complete identity lifecycle management system. -+
active-directory Provision On Demand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provision-on-demand.md
Title: Provision a user on demand by using Azure Active Directory
description: Learn how to provision users on demand in Azure Active Directory. -+
active-directory Provisioning Agent Release Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provisioning-agent-release-version-history.md
Title: Azure Active Directory Connect Provisioning Agent - Version release history
description: This article lists all releases of Azure Active Directory Connect Provisioning Agent and describes new features and fixed issues. -+
active-directory Sap Successfactors Attribute Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-attribute-reference.md
Title: SAP SuccessFactors attribute reference for Azure Active Directory
description: Learn which attributes from SuccessFactors are supported by SuccessFactors-HR driven provisioning in Azure Active Directory. -+
active-directory Sap Successfactors Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md
Title: Azure Active Directory and SAP SuccessFactors integration reference
description: Technical deep dive into SAP SuccessFactors-HR driven provisioning for Azure Active Directory. -+
active-directory Scim Graph Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/scim-graph-scenarios.md
Title: Use SCIM, Microsoft Graph, and Azure Active Directory to provision users
description: Using SCIM and the Microsoft Graph together to provision users and enrich your application with the data it needs in Azure Active Directory. -+
active-directory Tutorial Ecma Sql Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/tutorial-ecma-sql-connector.md
Title: Azure AD Provisioning to SQL applications (preview)
description: This tutorial describes how to provision users from Azure AD into a SQL database. -+
active-directory Use Scim To Build Users And Groups Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-build-users-and-groups-endpoints.md
Title: Build a SCIM endpoint for user provisioning to apps from Azure Active Directory
description: Learn to develop a SCIM endpoint, integrate your SCIM API with Azure Active Directory, and automatically provision users and groups into your cloud applications. -+
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Title: Tutorial - Develop a SCIM endpoint for user provisioning to apps from Azure Active Directory
description: System for Cross-domain Identity Management (SCIM) standardizes automatic user provisioning. In this tutorial, you learn to develop a SCIM endpoint, integrate your SCIM API with Azure Active Directory, and start automating provisioning users and groups into your cloud applications. -+
active-directory User Provisioning Sync Attributes For Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md
Title: Synchronize attributes to Azure Active Directory for mapping
description: When configuring user provisioning with Azure Active Directory and SaaS apps, use the directory extension feature to add source attributes that aren't synchronized by default. -+
active-directory User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning.md
Title: What is automated app user provisioning in Azure Active Directory
description: An introduction to how you can use Azure Active Directory to automatically provision, de-provision, and continuously update user accounts across multiple third-party applications. -+
active-directory What Is Hr Driven Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/what-is-hr-driven-provisioning.md
Title: 'What is HR driven provisioning with Azure Active Directory? | Microsoft Docs'
description: Gives an overview of HR driven provisioning. -+
active-directory Workday Attribute Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-attribute-reference.md
Title: Workday attribute reference for Azure Active Directory
description: Learn which attributes you can fetch from Workday using XPATH queries in Azure Active Directory. -+
active-directory Workday Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-integration-reference.md
Title: Azure Active Directory and Workday integration reference
description: Technical deep dive into Workday-HR driven provisioning in Azure Active Directory -+
active-directory Active Directory App Proxy Protect Ndes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/active-directory-app-proxy-protect-ndes.md
Title: Integrate with Azure Active Directory Application Proxy on an NDES server
description: Guidance on deploying an Azure Active Directory Application Proxy to protect your NDES server. -+
active-directory Application Proxy Add On Premises Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-add-on-premises-application.md
Title: Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory
description: Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. This tutorial shows you how to prepare your environment for use with Application Proxy. Then, it uses the Azure portal to add an on-premises application to your Azure AD tenant. -+
active-directory Application Proxy Back End Kerberos Constrained Delegation How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md
Title: Troubleshoot Kerberos constrained delegation - App Proxy
description: Troubleshoot Kerberos Constrained Delegation configurations for Application Proxy -+
active-directory Application Proxy Config How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-how-to.md
Title: How to configure an Azure Active Directory Application Proxy application
description: Learn how to create and configure an Azure Active Directory Application Proxy application in a few simple steps -+
active-directory Application Proxy Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-problem.md
Title: Problem creating an Azure Active Directory Application Proxy application
description: How to troubleshoot issues creating Application Proxy applications in the Azure Active Directory Admin portal -+
active-directory Application Proxy Config Sso How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-sso-how-to.md
Title: Understand single sign-on with an on-premises app using Application Proxy
description: Understand single sign-on with an on-premises app using Application Proxy. -+
active-directory Application Proxy Configure Complex Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-complex-application.md
Title: Complex applications for Azure Active Directory Application Proxy
description: Provides an understanding of complex applications in Azure Active Directory Application Proxy, and how to configure one. -+
active-directory Application Proxy Configure Connectors With Proxy Servers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-connectors-with-proxy-servers.md
Title: Work with existing on-premises proxy servers and Azure Active Directory
description: Covers how to work with existing on-premises proxy servers with Azure Active Directory. -+
active-directory Application Proxy Configure Cookie Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-cookie-settings.md
Title: Application Proxy cookie settings - Azure Active Directory
description: Azure Active Directory (Azure AD) has access and session cookies for accessing on-premises applications through Application Proxy. In this article, you'll find out how to use and configure the cookie settings. -+
active-directory Application Proxy Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-domain.md
Title: Custom domains in Azure Active Directory Application Proxy
description: Configure and manage custom domains in Azure Active Directory Application Proxy. -+
active-directory Application Proxy Configure Custom Home Page https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md
Title: Custom home page for published apps - Azure Active Directory Application Proxy
description: Covers the basics about Azure Active Directory Application Proxy connectors -+
active-directory Application Proxy Configure For Claims Aware Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-for-claims-aware-applications.md
Title: Claims-aware apps - Azure Active Directory Application Proxy
description: How to publish on-premises ASP.NET applications that accept AD FS claims for secure remote access by your users. -+
active-directory Application Proxy Configure Hard Coded Link Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-hard-coded-link-translation.md
Title: Translate links and URLs - Azure Active Directory Application Proxy
description: Learn how to redirect hard-coded links for apps published with Azure Active Directory Application Proxy. -+
active-directory Application Proxy Configure Native Client Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-native-client-application.md
Title: Publish native client apps - Azure Active Directory
description: Covers how to enable native client apps to communicate with Azure Active Directory Application Proxy Connector to provide secure remote access to your on-premises apps. -+
active-directory Application Proxy Configure Single Sign On On Premises Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md
Title: SAML single sign-on for on-premises apps with Azure Active Directory Application Proxy
description: Learn how to provide single sign-on for on-premises applications that are secured with SAML authentication. Provide remote access to on-premises apps with Application Proxy. -+
active-directory Application Proxy Configure Single Sign On Password Vaulting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md
Title: Single sign-on to apps with Azure Active Directory Application Proxy
description: Turn on single sign-on for your published on-premises applications with Azure Active Directory Application Proxy in the Azure portal. -+
active-directory Application Proxy Configure Single Sign On With Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md
Title: Header-based single sign-on for on-premises apps with Azure AD App Proxy
description: Learn how to provide single sign-on for on-premises applications that are secured with header-based authentication. -+
active-directory Application Proxy Configure Single Sign On With Kcd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd.md
Title: Kerberos-based single sign-on (SSO) in Azure Active Directory with Application Proxy
description: Covers how to provide single sign-on using Azure Active Directory Application Proxy. -+
active-directory Application Proxy Connectivity No Working Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connectivity-no-working-connector.md
Title: No working connector group found for an Azure Active Directory Application Proxy application
description: Address problems you might encounter when there is no working Connector in a Connector Group for your application with the Azure Active Directory Application Proxy -+
active-directory Application Proxy Connector Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-groups.md
Title: Publish apps on separate networks via connector groups - Azure Active Directory
description: Covers how to create and manage groups of connectors in Azure Active Directory Application Proxy. -+
active-directory Application Proxy Connector Installation Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-installation-problem.md
Title: Problem installing the Azure Active Directory Application Proxy Agent Connector
description: How to troubleshoot issues you might face when installing the Application Proxy Agent Connector for Azure Active Directory. -+
active-directory Application Proxy Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connectors.md
Title: Understand Azure Active Directory Application Proxy connectors
description: Learn about the Azure Active Directory Application Proxy connectors. -+
active-directory Application Proxy Debug Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-debug-apps.md
Title: Debug Application Proxy applications - Azure Active Directory
description: Debug issues with Azure Active Directory (Azure AD) Application Proxy applications. -+
active-directory Application Proxy Debug Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-debug-connectors.md
Title: Debug Application Proxy connectors - Azure Active Directory
description: Debug issues with Azure Active Directory (Azure AD) Application Proxy connectors. -+
active-directory Application Proxy Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-deployment-plan.md
Title: Plan an Azure Active Directory Application Proxy Deployment
description: An end-to-end guide for planning the deployment of Application proxy within your organization -+
active-directory Application Proxy High Availability Load Balancing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-high-availability-load-balancing.md
Title: High availability and load balancing - Azure Active Directory Application Proxy
description: How traffic distribution works with your Application Proxy deployment. Includes tips for how to optimize connector performance and use load balancing for back-end servers. -+
active-directory Application Proxy Integrate With Microsoft Cloud Application Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security.md
Title: Use Application Proxy to integrate on-premises apps with Defender for Cloud Apps - Azure Active Directory
description: Configure an on-premises application in Azure Active Directory to work with Microsoft Defender for Cloud Apps. Use the Defender for Cloud Apps Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Azure Active Directory (Azure AD). -+
active-directory Application Proxy Integrate With Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-power-bi.md
Title: Enable remote access to Power BI with Azure Active Directory Application Proxy
description: Covers the basics about how to integrate an on-premises Power BI with Azure Active Directory Application Proxy. -+
active-directory Application Proxy Integrate With Remote Desktop Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services.md
Title: Publish Remote Desktop with Azure Active Directory Application Proxy
description: Covers how to configure App Proxy with Remote Desktop Services (RDS) -+ Previously updated : 07/12/2021 Last updated : 05/19/2022
The configuration outlined in this article is for access to RDS via RD Web or th
| Authentication method | Supported client configuration | | | |
-| Pre-authentication | RD Web- Windows 7/10 using Internet Explorer* or [Edge Chromium IE mode](/deployedge/edge-ie-mode) + RDS ActiveX add-on |
+| Pre-authentication | RD Web- Windows 7/10/11 using Internet Explorer* or [Edge Chromium IE mode](/deployedge/edge-ie-mode) + RDS ActiveX add-on |
| Pre-authentication | RD Web Client- HTML5-compatible web browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later) | | Passthrough | Any other operating system that supports the Microsoft Remote Desktop application |
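Review bot: the `+` row extends the "Internet Explorer* or Edge Chromium IE mode + RDS ActiveX add-on" client configuration to Windows 11, but Internet Explorer 11 is not available as a standalone browser on Windows 11, so on that OS only the Edge IE mode path with the ActiveX add-on applies; either split the row (Windows 7/10 with Internet Explorer* or Edge IE mode; Windows 11 with Edge IE mode only) or extend the asterisk footnote to say so. The footnote the asterisk points to is outside the hunk, so confirm it still reads correctly for the Windows 11 case.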
active-directory Application Proxy Integrate With Sharepoint Server Saml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server-saml.md
Title: Publish an on-premises SharePoint farm with Azure Active Directory Application Proxy
description: Covers the basics about how to integrate an on-premises SharePoint farm with Azure Active Directory Application Proxy for SAML. -+
active-directory Application Proxy Integrate With Sharepoint Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server.md
Title: Enable remote access to SharePoint - Azure Active Directory Application Proxy
description: Covers the basics about how to integrate on-premises SharePoint Server with Azure Active Directory Application Proxy. -+
active-directory Application Proxy Integrate With Tableau https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-tableau.md
Title: Azure Active Directory Application Proxy and Tableau
description: Learn how to use Azure Active Directory (Azure AD) Application Proxy to provide remote access for your Tableau deployment. -+
active-directory Application Proxy Integrate With Teams https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-teams.md
Title: Access Azure Active Directory Application Proxy apps in Teams
description: Use Azure Active Directory Application Proxy to access your on-premises application through Microsoft Teams. -+
active-directory Application Proxy Network Topology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-network-topology.md
Title: Network topology considerations for Azure Active Directory Application Proxy
description: Covers network topology considerations when using Azure Active Directory Application Proxy. -+
active-directory Application Proxy Page Appearance Broken Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-appearance-broken-problem.md
Title: App page doesn't display correctly for Application Proxy app
description: Guidance when the page isn't displaying correctly in an Application Proxy Application you have integrated with Azure Active Directory -+
active-directory Application Proxy Page Links Broken Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-links-broken-problem.md
Title: Links on the page don't work for an Azure Active Directory Application Proxy application
description: How to troubleshoot issues with broken links on Application Proxy applications you have integrated with Azure Active Directory -+
active-directory Application Proxy Page Load Speed Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-load-speed-problem.md
Title: An Azure Active Directory Application Proxy application takes too long to load
description: Troubleshoot page load performance issues with Azure Active Directory Application Proxy -+
active-directory Application Proxy Ping Access Publishing Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md
Title: Header-based authentication with PingAccess for Azure Active Directory Application Proxy
description: Publish applications with PingAccess and App Proxy to support header-based authentication. -+
active-directory Application Proxy Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-powershell-samples.md
Title: PowerShell samples for Azure Active Directory Application Proxy
description: Use these PowerShell samples for Azure Active Directory Application Proxy to get information about Application Proxy apps and connectors in your directory, assign users and groups to apps, and get certificate information. -+
active-directory Application Proxy Qlik https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-qlik.md
Title: Azure Active Directory Application Proxy and Qlik Sense
description: Integrate Azure Active Directory Application Proxy with Qlik Sense. -+
active-directory Application Proxy Register Connector Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-register-connector-powershell.md
Title: Silent install Azure Active Directory Application Proxy connector
description: Covers how to perform an unattended installation of Azure Active Directory Application Proxy Connector to provide secure remote access to your on-premises apps. -+
active-directory Application Proxy Release Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-release-version-history.md
Title: 'Azure Active Directory Application Proxy: Version release history'
description: This article lists all releases of Azure Active Directory Application Proxy and describes new features and fixed issues. -+
active-directory Application Proxy Remove Personal Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-remove-personal-data.md
Title: Remove personal data - Azure Active Directory Application Proxy description: Remove personal data from connectors installed on devices for Azure Active Directory Application Proxy. -+
active-directory Application Proxy Secure Api Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-secure-api-access.md
Title: Access on-premises APIs with Azure Active Directory Application Proxy
description: Azure Active Directory's Application Proxy lets native apps securely access APIs and business logic you host on-premises or on cloud VMs. -+
active-directory Application Proxy Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-security.md
Title: Security considerations for Azure Active Directory Application Proxy
description: Covers security considerations for using Azure AD Application Proxy -+
active-directory Application Proxy Sign In Bad Gateway Timeout Error https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-sign-in-bad-gateway-timeout-error.md
Title: Can't access this Corporate Application error with Azure Active Directory
description: How to resolve common access issues with Azure Active Directory Application Proxy applications. -+
active-directory Application Proxy Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-troubleshoot.md
Title: Troubleshoot Azure Active Directory Application Proxy
description: Covers how to troubleshoot errors in Azure Active Directory Application Proxy. -+
active-directory Application Proxy Understand Cors Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-understand-cors-issues.md
Title: Understand and solve Azure Active Directory Application Proxy CORS issues
description: Provides an understanding of CORS in Azure Active Directory Application Proxy, and how to identify and solve CORS issues. -+
active-directory Application Proxy Wildcard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-wildcard.md
Title: Wildcard applications in Azure Active Directory Application Proxy
description: Learn how to use Wildcard applications in Azure Active Directory Application Proxy. -+
active-directory Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy.md
Title: Remote access to on-premises apps - Azure AD Application Proxy
description: Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line of business (LOB) applications. -+
active-directory Application Sign In Problem On Premises Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-sign-in-problem-on-premises-application-proxy.md
Title: Problem signing in to on-premises app using Azure Active Directory Applic
description: Troubleshooting common issues faced when you are unable to sign in to an on-premises application integrated using the Azure Active Directory Application Proxy -+
active-directory Powershell Assign Group To App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-group-to-app.md
Title: PowerShell sample - Assign group to an Azure Active Directory Application
description: PowerShell example that assigns a group to an Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Assign User To App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-user-to-app.md
Title: PowerShell sample - Assign user to an Azure Active Directory Application
description: PowerShell example that assigns a user to an Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Display Users Group Of App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-display-users-group-of-app.md
Title: PowerShell sample - List users & groups for an Azure Active Directory App
description: PowerShell example that lists all the users and groups assigned to a specific Azure Active Directory (Azure AD) Application Proxy application. -+
active-directory Powershell Get All App Proxy Apps Basic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-basic.md
Title: PowerShell sample - List basic info for Application Proxy apps
description: PowerShell example that lists Azure Active Directory (Azure AD) Application Proxy applications along with the application ID (AppId), name (DisplayName), and object ID (ObjId). -+
active-directory Powershell Get All App Proxy Apps By Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-by-connector-group.md
Title: List Azure Active Directory Application Proxy connector groups for apps
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy Connector groups with the assigned applications. -+
active-directory Powershell Get All App Proxy Apps Extended https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended.md
Title: PowerShell sample - List extended info for Azure Active Directory Applica
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications along with the application ID (AppId), name (DisplayName), external URL (ExternalUrl), internal URL (InternalUrl), and authentication type (ExternalAuthenticationType). -+
active-directory Powershell Get All App Proxy Apps With Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-with-policy.md
Title: PowerShell sample - List all Azure Active Directory Application Proxy app
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications in your directory that have a lifetime token policy. -+
active-directory Powershell Get All Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-connectors.md
Title: PowerShell sample - List all Azure Active Directory Application Proxy con
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy connector groups and connectors in your directory. -+
active-directory Powershell Get All Custom Domain No Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domain-no-cert.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps with no
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using custom domains but do not have a valid TLS/SSL certificate uploaded. -+
active-directory Powershell Get All Custom Domains And Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domains-and-certs.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps using c
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using custom domains and certificate information. -+
active-directory Powershell Get All Default Domain Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-default-domain-apps.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps using d
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using default domains (.msappproxy.net). -+
active-directory Powershell Get All Wildcard Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-wildcard-apps.md
Title: PowerShell sample - List Azure Active Directory Application Proxy apps us
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are using wildcards. -+
active-directory Powershell Get Custom Domain Identical Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-identical-cert.md
Title: PowerShell sample - Azure Active Directory Application Proxy apps with id
description: PowerShell example that lists all Azure Active Directory (Azure AD) Application Proxy applications that are published with the identical certificate. -+
active-directory Powershell Get Custom Domain Replace Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-replace-cert.md
Title: PowerShell sample - Replace certificate in Azure Active Directory Applica
description: PowerShell example that bulk replaces a certificate across Azure Active Directory (Azure AD) Application Proxy applications. -+
active-directory Powershell Move All Apps To Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-move-all-apps-to-connector-group.md
Title: PowerShell sample - Move Azure Active Directory Application Proxy apps to
description: Azure Active Directory (Azure AD) Application Proxy PowerShell example used to move all applications currently assigned to a connector group to a different connector group. -+
active-directory What Is Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/what-is-application-proxy.md
Title: Publish on-premises apps with Azure Active Directory Application Proxy
description: Understand why to use Application Proxy to publish on-premises web applications externally to remote users. Learn about Application Proxy architecture, connectors, authentication methods, and security benefits. -+
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/whats-new-docs.md
-+ # Azure Active Directory application proxy: What's new
active-directory Concept Registration Mfa Sspr Combined https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md
Previously updated : 03/1/2022 Last updated : 05/24/2022
Users can set one of the following options as the default Multi-Factor Authentic
- Phone call - Text message
+>[!NOTE]
+>Virtual phone numbers are not supported for Voice calls or SMS messages.
+ Third party authenticator apps do not provide push notification. As we continue to add more authentication methods to Azure AD, those methods become available in combined registration. ## Combined registration modes
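Review bot: the added `+>[!NOTE]` line omits the space after `>` that the other callouts in this changeset use (`> [!NOTE]` appears twice further down in the passwordless security key article); write it as `> [!NOTE]` and `> Virtual phone numbers ...` for consistency. The added blank line (`+ `) sits after the note rather than before it, so the note butts directly against the "Phone call / Text message" list; a blank line above the callout as well keeps it from reading as part of the last list item.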
active-directory Fido2 Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/fido2-compatibility.md
This table shows support for authenticating Azure Active Directory (Azure AD) an
|::|::|::|::|::|::|::|::|::|::|::|::|::| | | USB | NFC | BLE | USB | NFC | BLE | USB | NFC | BLE | USB | NFC | BLE | | **Windows** | ![Chrome supports USB on Windows for Azure AD accounts.][y] | ![Chrome supports NFC on Windows for Azure AD accounts.][y] | ![Chrome supports BLE on Windows for Azure AD accounts.][y] | ![Edge supports USB on Windows for Azure AD accounts.][y] | ![Edge supports NFC on Windows for Azure AD accounts.][y] | ![Edge supports BLE on Windows for Azure AD accounts.][y] | ![Firefox supports USB on Windows for Azure AD accounts.][y] | ![Firefox supports NFC on Windows for Azure AD accounts.][y] | ![Firefox supports BLE on Windows for Azure AD accounts.][y] | ![Safari supports USB on Windows for Azure AD accounts.][n] | ![Safari supports NFC on Windows for Azure AD accounts.][n] | ![Safari supports BLE on Windows for Azure AD accounts.][n] |
-| **macOS** | ![Chrome supports USB on macOS for Azure AD accounts.][y] | ![Chrome supports NFC on macOS for Azure AD accounts.][n] | ![Chrome supports BLE on macOS for Azure AD accounts.][n] | ![Edge supports USB on macOS for Azure AD accounts.][y] | ![Edge supports NFC on macOS for Azure AD accounts.][n] | ![Edge supports BLE on macOS for Azure AD accounts.][n] | ![Firefox supports USB on macOS for Azure AD accounts.][y] | ![Firefox supports NFC on macOS for Azure AD accounts.][n] | ![Firefox supports BLE on macOS for Azure AD accounts.][n] | ![Safari supports USB on macOS for Azure AD accounts.][n] | ![Safari supports NFC on macOS for Azure AD accounts.][n] | ![Safari supports BLE on macOS for Azure AD accounts.][n] |
+| **macOS** | ![Chrome supports USB on macOS for Azure AD accounts.][y] | ![Chrome supports NFC on macOS for Azure AD accounts.][n] | ![Chrome supports BLE on macOS for Azure AD accounts.][n] | ![Edge supports USB on macOS for Azure AD accounts.][y] | ![Edge supports NFC on macOS for Azure AD accounts.][n] | ![Edge supports BLE on macOS for Azure AD accounts.][n] | ![Firefox supports USB on macOS for Azure AD accounts.][n] | ![Firefox supports NFC on macOS for Azure AD accounts.][n] | ![Firefox supports BLE on macOS for Azure AD accounts.][n] | ![Safari supports USB on macOS for Azure AD accounts.][n] | ![Safari supports NFC on macOS for Azure AD accounts.][n] | ![Safari supports BLE on macOS for Azure AD accounts.][n] |
| **ChromeOS** | ![Chrome supports USB on ChromeOS for Azure AD accounts.][y] | ![Chrome supports NFC on ChromeOS for Azure AD accounts.][n] | ![Chrome supports BLE on ChromeOS for Azure AD accounts.][n] | ![Edge supports USB on ChromeOS for Azure AD accounts.][n] | ![Edge supports NFC on ChromeOS for Azure AD accounts.][n] | ![Edge supports BLE on ChromeOS for Azure AD accounts.][n] | ![Firefox supports USB on ChromeOS for Azure AD accounts.][n] | ![Firefox supports NFC on ChromeOS for Azure AD accounts.][n] | ![Firefox supports BLE on ChromeOS for Azure AD accounts.][n] | ![Safari supports USB on ChromeOS for Azure AD accounts.][n] | ![Safari supports NFC on ChromeOS for Azure AD accounts.][n] | ![Safari supports BLE on ChromeOS for Azure AD accounts.][n] | | **Linux** | ![Chrome supports USB on Linux for Azure AD accounts.][y] | ![Chrome supports NFC on Linux for Azure AD accounts.][n] | ![Chrome supports BLE on Linux for Azure AD accounts.][n] | ![Edge supports USB on Linux for Azure AD accounts.][n] | ![Edge supports NFC on Linux for Azure AD accounts.][n] | ![Edge supports BLE on Linux for Azure AD accounts.][n] | ![Firefox supports USB on Linux for Azure AD accounts.][n] | ![Firefox supports NFC on Linux for Azure AD accounts.][n] | ![Firefox supports BLE on Linux for Azure AD accounts.][n] | ![Safari supports USB on Linux for Azure AD accounts.][n] | ![Safari supports NFC on Linux for Azure AD accounts.][n] | ![Safari supports BLE on Linux for Azure AD accounts.][n] | | **iOS** | ![Chrome supports USB on iOS for Azure AD accounts.][n] | ![Chrome supports NFC on iOS for Azure AD accounts.][n] | ![Chrome supports BLE on iOS for Azure AD accounts.][n] | ![Edge supports USB on iOS for Azure AD accounts.][n] | ![Edge supports NFC on Linux for Azure AD accounts.][n] | ![Edge supports BLE on Linux for Azure AD accounts.][n] | ![Firefox supports USB on Linux for Azure AD accounts.][n] | ![Firefox supports NFC on iOS for Azure AD accounts.][n] | ![Firefox supports 
BLE on iOS for Azure AD accounts.][n] | ![Safari supports USB on iOS for Azure AD accounts.][n] | ![Safari supports NFC on iOS for Azure AD accounts.][n] | ![Safari supports BLE on iOS for Azure AD accounts.][n] |
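Review bot: the only cell that changes in the macOS row is Firefox/USB, which flips from `[y]` to `[n]`, but its alt text is left as "Firefox supports USB on macOS for Azure AD accounts." and now contradicts the unsupported icon. The same "supports" wording is already used for every other `[n]` cell in the table, so the mismatch is pre-existing, but this edit is the place to at least fix the cell it touches (for example "Firefox does not support USB on macOS for Azure AD accounts."). Also note that several iOS-row cells in the unchanged context say "on Linux" in their alt text; worth a follow-up.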
active-directory Howto Authentication Passwordless Security Key On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md
Make sure that enough DCs are patched to respond in time to service your resourc
> [!NOTE] > The `/keylist` switch in the `nltest` command is available in client Windows 10 v2004 and later.
-### What if I have a CloudTGT but it never gets exchange for a OnPremTGT when I am using Windows Hello for Business Cloud Trust?
-
-Make sure that the user you are signed in as, is a member of the groups of users that can use FIDO2 as an authentication method, or enable it for all users.
-
-> [!NOTE]
-> Even if you are not explicitly using a security key to sign-in to your device, the underlying technology is dependent on the FIDO2 infrastructure requirements.
- ### Do FIDO2 security keys work in a Windows login with RODC present in the hybrid environment? An FIDO2 Windows login looks for a writable DC to exchange the user TGT. As long as you have at least one writable DC per site, the login works fine. ## Next steps
-[Learn more about passwordless authentication](concept-authentication-passwordless.md)
+[Learn more about passwordless authentication](concept-authentication-passwordless.md)
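Review bot: deleting the `### What if I have a CloudTGT but it never gets exchange for a OnPremTGT ...` heading removes a linkable anchor, and the guidance under it (the user must be in a group allowed to use FIDO2 as an authentication method, and Windows Hello for Business cloud trust depends on the FIDO2 infrastructure requirements even without a physical key) is not moved anywhere else in this hunk. Confirm that nothing links to that anchor and that the requirement is documented elsewhere before dropping it. The trailing `-`/`+` pair on the identical `[Learn more about passwordless authentication]` line is a whitespace-only change (missing newline at end of file) and is fine.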
active-directory Cloudknox All Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-all-reports.md
Title: View a list and description of all system reports available in CloudKnox Permissions Management reports description: View a list and description of all system reports available in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View a list and description of system reports
active-directory Cloudknox Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-faqs.md
Title: Frequently asked questions (FAQs) about CloudKnox Permissions Management description: Frequently asked questions (FAQs) about CloudKnox Permissions Management. --++ Last updated 04/20/2022-+ # Frequently asked questions (FAQs)
active-directory Cloudknox Howto Add Remove Role Task https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-add-remove-role-task.md
Title: Add and remove roles and tasks for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management description: How to attach and detach permissions for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities
active-directory Cloudknox Howto Attach Detach Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-attach-detach-permissions.md
Title: Attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in CloudKnox Permissions Management description: How to attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Attach and detach policies for Amazon Web Services (AWS) identities
active-directory Cloudknox Howto Audit Trail Results https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-audit-trail-results.md
Title: Generate an on-demand report from a query in the Audit dashboard in CloudKnox Permissions Management description: How to generate an on-demand report from a query in the **Audit** dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Generate an on-demand report from a query
active-directory Cloudknox Howto Clone Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-clone-role-policy.md
Title: Clone a role/policy in the Remediation dashboard in CloudKnox Permissions Management description: How to clone a role/policy in the Just Enough Permissions (JEP) Controller. --++ Last updated 02/23/2022-+ # Clone a role/policy in the Remediation dashboard
active-directory Cloudknox Howto Create Alert Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-alert-trigger.md
Title: Create and view activity alerts and alert triggers in CloudKnox Permissions Management description: How to create and view activity alerts and alert triggers in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create and view activity alerts and alert triggers
active-directory Cloudknox Howto Create Approve Privilege Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-approve-privilege-request.md
Title: Create or approve a request for permissions in the Remediation dashboard in CloudKnox Permissions Management description: How to create or approve a request for permissions in the Remediation dashboard. --++ Last updated 02/23/2022-+ # Create or approve a request for permissions
active-directory Cloudknox Howto Create Custom Queries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-custom-queries.md
Title: Create a custom query in CloudKnox Permissions Management description: How to create a custom query in the Audit dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create a custom query
active-directory Cloudknox Howto Create Group Based Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-group-based-permissions.md
Title: Select group-based permissions settings in CloudKnox Permissions Management with the User management dashboard description: How to select group-based permissions settings in CloudKnox Permissions Management with the User management dashboard. --++ Last updated 02/23/2022-+ # Select group-based permissions settings
active-directory Cloudknox Howto Create Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-role-policy.md
Title: Create a role/policy in the Remediation dashboard in CloudKnox Permissions Management description: How to create a role/policy in the Remediation dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create a role/policy in the Remediation dashboard
active-directory Cloudknox Howto Create Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-create-rule.md
Title: Create a rule in the Autopilot dashboard in CloudKnox Permissions Management description: How to create a rule in the Autopilot dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create a rule in the Autopilot dashboard
active-directory Cloudknox Howto Delete Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-delete-role-policy.md
Title: Delete a role/policy in the Remediation dashboard in CloudKnox Permissions Management description: How to delete a role/policy in the Just Enough Permissions (JEP) Controller. --++ Last updated 02/23/2022-+ # Delete a role/policy in the Remediation dashboard
active-directory Cloudknox Howto Modify Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-modify-role-policy.md
Title: Modify a role/policy in the Remediation dashboard in CloudKnox Permissions Management description: How to modify a role/policy in the Remediation dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Modify a role/policy in the Remediation dashboard
active-directory Cloudknox Howto Notifications Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-notifications-rule.md
Title: View notification settings for a rule in the Autopilot dashboard in CloudKnox Permissions Management description: How to view notification settings for a rule in the Autopilot dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View notification settings for a rule in the Autopilot dashboard
active-directory Cloudknox Howto Recommendations Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-recommendations-rule.md
Title: Generate, view, and apply rule recommendations in the Autopilot dashboard in CloudKnox Permissions Management description: How to generate, view, and apply rule recommendations in the Autopilot dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Generate, view, and apply rule recommendations in the Autopilot dashboard
active-directory Cloudknox Howto Revoke Task Readonly Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-revoke-task-readonly-status.md
Title: Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management description: How to revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities
active-directory Cloudknox Howto View Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-howto-view-role-policy.md
Title: View information about roles/ policies in the Remediation dashboard in CloudKnox Permissions Management description: How to view and filter information about roles/ policies in the Remediation dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View information about roles/ policies in the Remediation dashboard
active-directory Cloudknox Integration Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-integration-api.md
Title: Set and view configuration settings in CloudKnox Permissions Management description: How to view the CloudKnox Permissions Management API integration settings and create service accounts and roles. --++ Last updated 02/23/2022-+ # Set and view configuration settings
active-directory Cloudknox Multi Cloud Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-multi-cloud-glossary.md
Title: CloudKnox Permissions Management - The CloudKnox glossary description: CloudKnox Permissions Management glossary --++ Last updated 02/23/2022-+ # The CloudKnox glossary
active-directory Cloudknox Onboard Add Account After Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-add-account-after-onboarding.md
Title: Add an account/ subscription/ project to Microsoft CloudKnox Permissions Management after onboarding is complete description: How to add an account/ subscription/ project to Microsoft CloudKnox Permissions Management after onboarding is complete. --++ Last updated 02/23/2022-+ # Add an account/ subscription/ project after onboarding is complete
active-directory Cloudknox Onboard Aws https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-aws.md
Title: Onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management description: How to onboard an Amazon Web Services (AWS) account on CloudKnox Permissions Management. --++ Last updated 04/20/2022-+ # Onboard an Amazon Web Services (AWS) account
active-directory Cloudknox Onboard Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-azure.md
Title: Onboard a Microsoft Azure subscription in CloudKnox Permissions Management description: How to onboard a Microsoft Azure subscription on CloudKnox Permissions Management. --++ Last updated 04/20/2022-+ # Onboard a Microsoft Azure subscription
active-directory Cloudknox Onboard Enable Controller After Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-controller-after-onboarding.md
Title: Enable or disable the controller in Microsoft CloudKnox Permissions Management after onboarding is complete description: How to enable or disable the controller in Microsoft CloudKnox Permissions Management after onboarding is complete. --++ Last updated 02/23/2022-+ # Enable or disable the controller after onboarding is complete
active-directory Cloudknox Onboard Enable Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-tenant.md
Title: Enable CloudKnox Permissions Management in your organization description: How to enable CloudKnox Permissions Management in your organization. --++ Last updated 04/20/2022-+ # Enable CloudKnox in your organization
active-directory Cloudknox Onboard Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-gcp.md
Title: Onboard a Google Cloud Platform (GCP) project in CloudKnox Permissions Management description: How to onboard a Google Cloud Platform (GCP) project on CloudKnox Permissions Management. --++ Last updated 04/20/2022-+ # Onboard a Google Cloud Platform (GCP) project
active-directory Cloudknox Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-overview.md
Title: What's CloudKnox Permissions Management? description: An introduction to CloudKnox Permissions Management. --++ Last updated 04/20/2022-+ # What's CloudKnox Permissions Management?
active-directory Cloudknox Product Account Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-explorer.md
Title: The CloudKnox Permissions Management - View roles and identities that can access account information from an external account description: How to view information about identities that can access accounts from an external account in CloudKnox Permissions Management. -+ -+ Last updated 02/23/2022-+ # View roles and identities that can access account information from an external account
active-directory Cloudknox Product Account Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-settings.md
Title: View personal and organization information in CloudKnox Permissions Management description: How to view personal and organization information in the Account settings dashboard in CloudKnox Permissions Management. -+ -+ Last updated 02/23/2022-+ # View personal and organization information
active-directory Cloudknox Product Audit Trail https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-audit-trail.md
Title: Filter and query user activity in CloudKnox Permissions Management description: How to filter and query user activity in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Filter and query user activity
active-directory Cloudknox Product Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-dashboard.md
Title: View data about the activity in your authorization system in CloudKnox Permissions Management description: How to view data about the activity in your authorization system in the CloudKnox Dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+
active-directory Cloudknox Product Data Inventory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-inventory.md
Title: CloudKnox Permissions Management - Display an inventory of created resources and licenses for your authorization system description: How to display an inventory of created resources and licenses for your authorization system in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Display an inventory of created resources and licenses for your authorization system
active-directory Cloudknox Product Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-data-sources.md
Title: View and configure settings for data collection from your authorization system in CloudKnox Permissions Management description: How to view and configure settings for collecting data from your authorization system in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View and configure settings for data collection
active-directory Cloudknox Product Define Permission Levels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-define-permission-levels.md
Title: Define and manage users, roles, and access levels in CloudKnox Permissions Management description: How to define and manage users, roles, and access levels in CloudKnox Permissions Management User management dashboard. --++ Last updated 02/23/2022-+ # Define and manage users, roles, and access levels
active-directory Cloudknox Product Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-integrations.md
Title: View integration information about an authorization system in CloudKnox Permissions Management description: View integration information about an authorization system in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View integration information about an authorization system
active-directory Cloudknox Product Permission Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permission-analytics.md
Title: Create and view permission analytics triggers in CloudKnox Permissions Management description: How to create and view permission analytics triggers in the Permission analytics tab in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create and view permission analytics triggers
active-directory Cloudknox Product Permissions Analytics Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-permissions-analytics-reports.md
Title: Generate and download the Permissions analytics report in CloudKnox Permissions Management description: How to generate and download the Permissions analytics report in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Generate and download the Permissions analytics report
active-directory Cloudknox Product Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-reports.md
Title: View system reports in the Reports dashboard in CloudKnox Permissions Management description: How to view system reports in the Reports dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View system reports in the Reports dashboard
active-directory Cloudknox Product Rule Based Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-rule-based-anomalies.md
Title: Create and view rule-based anomalies and anomaly triggers in CloudKnox Permissions Management description: How to create and view rule-based anomalies and anomaly triggers in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create and view rule-based anomaly alerts and anomaly triggers
active-directory Cloudknox Product Statistical Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-statistical-anomalies.md
Title: Create and view statistical anomalies and anomaly triggers in CloudKnox Permissions Management description: How to create and view statistical anomalies and anomaly triggers in the Statistical Anomaly tab in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create and view statistical anomalies and anomaly triggers
active-directory Cloudknox Report Create Custom Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-create-custom-report.md
Title: Create, view, and share a custom report a custom report in CloudKnox Permissions Management description: How to create, view, and share a custom report in the CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Create, view, and share a custom report
active-directory Cloudknox Report View System Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-report-view-system-report.md
Title: Generate and view a system report in CloudKnox Permissions Management description: How to generate and view a system report in the CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Generate and view a system report
active-directory Cloudknox Training Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-training-videos.md
Title: CloudKnox Permissions Management training videos description: CloudKnox Permissions Management training videos. --++ Last updated 04/20/2022-+ # CloudKnox Permissions Management training videos
active-directory Cloudknox Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-troubleshoot.md
Title: Troubleshoot issues with CloudKnox Permissions Management description: Troubleshoot issues with CloudKnox Permissions Management --++ Last updated 02/23/2022-+ # Troubleshoot issues with CloudKnox Permissions Management
active-directory Cloudknox Ui Audit Trail https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-audit-trail.md
Title: Use queries to see how users access information in an authorization system in CloudKnox Permissions Management description: How to use queries to see how users access information in an authorization system in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Use queries to see how users access information
active-directory Cloudknox Ui Autopilot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-autopilot.md
Title: View rules in the Autopilot dashboard in CloudKnox Permissions Management description: How to view rules in the Autopilot dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View rules in the Autopilot dashboard
active-directory Cloudknox Ui Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-dashboard.md
Title: View key statistics and data about your authorization system in CloudKnox Permissions Management description: How to view statistics and data about your authorization system in the CloudKnox Permissions Management. --++ Last updated 02/23/2022-+
active-directory Cloudknox Ui Remediation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-remediation.md
Title: View existing roles/policies and requests for permission in the Remediation dashboard in CloudKnox Permissions Management description: How to view existing roles/policies and requests for permission in the Remediation dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View roles/policies and requests for permission in the Remediation dashboard
active-directory Cloudknox Ui Tasks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-tasks.md
Title: View information about active and completed tasks in CloudKnox Permissions Management description: How to view information about active and completed tasks in the Activities pane in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View information about active and completed tasks
active-directory Cloudknox Ui Triggers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-triggers.md
Title: View information about activity triggers in CloudKnox Permissions Management description: How to view information about activity triggers in the Activity triggers dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View information about activity triggers
active-directory Cloudknox Ui User Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-ui-user-management.md
Title: Manage users and groups with the User management dashboard in CloudKnox Permissions Management description: How to manage users and groups in the User management dashboard in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # Manage users and groups with the User management dashboard
active-directory Cloudknox Usage Analytics Access Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-access-keys.md
Title: View analytic information about access keys in CloudKnox Permissions Management description: How to view analytic information about access keys in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View analytic information about access keys
active-directory Cloudknox Usage Analytics Active Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-resources.md
Title: View analytic information about active resources in CloudKnox Permissions Management description: How to view usage analytics about active resources in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View analytic information about active resources
active-directory Cloudknox Usage Analytics Active Tasks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-active-tasks.md
Title: View analytic information about active tasks in CloudKnox Permissions Management description: How to view analytic information about active tasks in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View analytic information about active tasks
active-directory Cloudknox Usage Analytics Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-groups.md
Title: View analytic information about groups in CloudKnox Permissions Management description: How to view analytic information about groups in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View analytic information about groups
active-directory Cloudknox Usage Analytics Home https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-home.md
Title: View analytic information with the Analytics dashboard in CloudKnox Permissions Management description: How to use the Analytics dashboard in CloudKnox Permissions Management to view details about users, groups, active resources, active tasks, access keys, and serverless functions. --++ Last updated 02/23/2022-+ # View analytic information with the Analytics dashboard
active-directory Cloudknox Usage Analytics Serverless Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-serverless-functions.md
Title: View analytic information about serverless functions in CloudKnox Permissions Management description: How to view analytic information about serverless functions in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View analytic information about serverless functions
active-directory Cloudknox Usage Analytics Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-usage-analytics-users.md
Title: View analytic information about users in CloudKnox Permissions Management description: How to view analytic information about users in CloudKnox Permissions Management. --++ Last updated 02/23/2022-+ # View analytic information about users
active-directory Block Legacy Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/block-legacy-authentication.md
For more information about these authentication protocols and services, see [Sig
Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you're using legacy authentication.
-1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
+1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**.
1. Add the Client App column if it isn't shown by clicking on **Columns** > **Client App**. 1. **Add filters** > **Client App** > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box. 1. If you've activated the [new sign-in activity reports preview](../reports-monitoring/concept-all-sign-ins.md), repeat the above steps also on the **User sign-ins (non-interactive)** tab.
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-grant.md
The following client apps have been confirmed to support this setting:
- Microsoft Invoicing - Microsoft Kaizala - Microsoft Launcher-- Microsoft Lists
+- Microsoft Lists (iOS)
- Microsoft Office - Microsoft OneDrive - Microsoft OneNote
active-directory Howto Conditional Access Session Lifetime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md
The Azure Active Directory (Azure AD) default configuration for user sign-in fre
It might sound alarming to not ask for a user to sign back in, in reality any violation of IT policies will revoke the session. Some examples include (but aren't limited to) a password change, an incompliant device, or account disable. You can also explicitly [revoke usersΓÇÖ sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken). The Azure AD default configuration comes down to ΓÇ£donΓÇÖt ask users to provide their credentials if security posture of their sessions hasn't changedΓÇ¥.
-The sign-in frequency setting works with apps that have implemented OAUTH2 or OIDC protocols according to the standards. Most Microsoft native apps for Windows, Mac, and Mobile including the following web applications comply with the setting.
+The sign-in frequency setting works with apps that have implemented OAuth2 or OIDC protocols according to the standards. Most Microsoft native apps for Windows, Mac, and Mobile including the following web applications comply with the setting.
- Word, Excel, PowerPoint Online - OneNote Online
The sign-in frequency setting works with apps that have implemented OAUTH2 or OI
- Dynamics CRM Online - Azure portal
-The sign-in frequency setting works with SAML applications as well, as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on regular basis.
+The sign-in frequency setting works with 3rd party SAML applications and apps that have implemented OAuth2 or OIDC protocols, as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on regular basis.
### User sign-in frequency and multi-factor authentication
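Review bot: The rewritten sentence ("works with 3rd party SAML applications and apps that have implemented OAuth2 or OIDC protocols") now repeats the OAuth2/OIDC statement already made two paragraphs earlier, so the paragraph reads as if SAML were the only new information; consider keeping the sentence about SAML applications only, or merging both into one statement. Style points in the same line: "3rd party" should be "third-party", and "on regular basis" needs an article ("on a regular basis").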
active-directory Active Directory Optional Claims https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/active-directory-optional-claims.md
This section covers the configuration options under optional claims for changing
{ "name": "groups", "additionalProperties": [
- "netbios_name_and_sam_account_name",
+ "netbios_domain_and_sam_account_name",
"emit_as_roles" ] }
This section covers the configuration options under optional claims for changing
{ "name": "groups", "additionalProperties": [
- "netbios_name_and_sam_account_name",
+ "netbios_domain_and_sam_account_name",
"emit_as_roles" ] }
active-directory Active Directory V2 Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/active-directory-v2-protocols.md
https://login.microsoftonline.com/<issuer>/oauth2/v2.0/token
# NOTE: These are examples. Endpoint URI format may vary based on application type, # sign-in audience, and Azure cloud instance (global or national cloud).+
+# The {issuer} value in the path of the request can be used to control who can sign into the application.
+# The allowed values are **common** for both Microsoft accounts and work or school accounts,
+# **organizations** for work or school accounts only, **consumers** for Microsoft accounts only,
+# and **tenant identifiers** such as the tenant ID or domain name.
``` To find the endpoints for an application you've registered, in the [Azure portal](https://portal.azure.com) navigate to:
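Review bot: The added comment lines use markdown bold markers (`**common**`, `**organizations**`, `**consumers**`, `**tenant identifiers**`) inside a fenced code block, where they render as literal asterisks rather than emphasis; drop the asterisks or move the explanation into prose below the block. The comment also refers to the placeholder as `{issuer}` while the endpoint line above writes it as `<issuer>`; use one placeholder form so readers can match the description to the URL.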
active-directory Permissions Consent Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/permissions-consent-overview.md
+
+ Title: Overview of permissions and consent in the Microsoft identity platform
+description: Learn about the foundational concepts and scenarios around consent and permissions in the Microsoft identity platform
+++++++++ Last updated : 05/10/2022++
+#Customer intent: As and a developer or admin in the Microsoft identity platform, I want to understand the basic concept about managing how applications access resources through the permissions and consent framework.
+
+# Introduction to permissions and consent
+
+To _access_ a protected resource like email or calendar data, your application needs the resource owner's _authorization_. The resource owner can _consent_ to or deny your app's request. Understanding these foundational concepts will help you build more secure and trustworthy applications that request only the access they need, when they need it, from its users and administrators.
+
+## Access scenarios
+
+As an application developer, you must identify how your application will access data. The application can use delegated access, acting on behalf of a signed-in user, or direct access, acting only as the application's own identity.
+
+![Image shows illustration of access scenarios.](./media/permissions-consent-overview/access-scenarios.png)
+
+### Delegated access (access on behalf of a user)
+
+In this access scenario, a user has signed into a client application. The client application accesses the resource on behalf of the user. Delegated access requires delegated permissions. Both the client and the user must be authorized separately to make the request.
+
+For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions of a given resource that the client application exercises on behalf of a user. They're strings that represent what the application wants to do on behalf of the user. For more information about scopes, see [scopes and permissions](v2-permissions-and-consent.md#scopes-and-permissions).
+
+For the user, the authorization relies on the privileges that the user has been granted for them to access the resource. For example, the user could be authorized to access directory resources by [Azure Active Directory (Azure AD) role-based access control (RBAC)](../roles/custom-overview.md) or to access mail and calendar resources by [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo).
+
+### Direct access (App-only access)
+
+In this access scenario, the application acts on its own with no user signed in. Application access is used in scenarios such as automation, and backup. This scenario includes apps that run as background services or daemons. It's appropriate when it's undesirable to have a specific user signed in, or when the data required can't be scoped to a single user.
+
+Direct access may require application permissions but this isn't the only way for granting an application direct access. Application permissions can be referred to as app roles. When app roles are granted to other applications, they can be called applications permissions. The appropriate application permissions or app roles must be granted to the application for it to access the resource. For more information about assigning app roles to applications, see [App roles for applications](howto-add-app-roles-in-azure-ad-apps.md).
+
+## Types of permissions
+
+**Delegated permissions** are used in the delegated access scenario. They're permissions that allow the application to act on a user's behalf. The application will never be able to access anything users themselves couldn't access.
+
+For example, imagine an application that has been granted the Files.Read.All delegated permission on behalf of Tom, the user. The application will only be able to read files that Tom can personally access.
+
+**Application permissions** are used in the direct access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. For example, an application granted the Files.Read.All application permission will be able to read any file in the tenant. Only an administrator or owner of the service principal can consent to application permissions.
+
+There are other ways in which applications can be granted authorization for direct access. For example, an application can be assigned an Azure AD RBAC role.
+
+## Consent
+One way that applications are granted permissions is through consent. Consent is a process where users or admins authorize an application to access a protected resource. For example, when a user attempts to sign into an application for the first time, the application can request permission to see the user's profile and read the contents of the user's mailbox. The user sees the list of permissions the app is requesting through a consent prompt.
+
+The key details of a consent prompt are the list of permissions the application requires and the publisher information. For more information about the consent prompt and the consent experience for both admins and end-users, see [application consent experience](application-consent-experience.md).
+
+### User consent
+
+User consent happens when a user attempts to sign into an application. The user provides their sign-in credentials. These credentials are checked to determine whether consent has already been granted. If no previous record of user or admin consent for the required permissions exists, the user is shown a consent prompt and asked to grant the application the requested permissions. In many cases, an admin may be required to grant consent on behalf of the user.
+
+### Administrator consent
+
+Depending on the permissions they require, some applications might require an administrator to be the one who grants consent. For example, application permissions can only be consented to by an administrator. Administrators can grant consent for themselves or for the entire organization. For more information about user and admin consent, see [user and admin consent overview](../manage-apps/consent-and-permissions-overview.md)
+
+### Preauthorization
+
+Preauthorization allows a resource application owner to grant permissions without requiring users to see a consent prompt for the same set of permissions that have been preauthorized. This way, an application that has been preauthorized won't ask users to consent to permissions. Resource owners can preauthorize client apps in the Azure portal or by using PowerShell and APIs, like Microsoft Graph.
+
+## Next steps
+- [User and admin consent overview](../manage-apps/consent-and-permissions-overview.md)
+- [Scopes and permissions](v2-permissions-and-consent.md)
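Review bot: Several wording defects in the new file should be fixed before merge: the "Customer intent" line reads "As and a developer or admin" (drop "and"); the intro ends "from its users and administrators" while the subject is plural "applications" (use "their users"); the direct-access paragraph says "they can be called applications permissions" (should be "application permissions"); the sentence "the authorization relies on the privileges that the user has been granted for them to access the resource" is hard to parse (suggest "relies on the privileges the user has been granted on the resource"); and the Administrator consent paragraph is missing its final period after the link. The substantive point that an app with a delegated permission can never exceed what the signed-in user can access is stated clearly and is worth keeping as is.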
active-directory Reference App Manifest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-app-manifest.md
Previously updated : 02/02/2021 Last updated : 05/19/2022
Example:
"id": "f7f9acfc-ae0c-4d6c-b489-0a81dc1652dd", ```
+### acceptMappedClaims attribute
+
+| Key | Value type |
+| : | : |
+| acceptMappedClaims | Nullable Boolean |
+
+As documented on the [apiApplication resource type](/graph/api/resources/apiapplication#properties), this allows an application to use [claims mapping](active-directory-claims-mapping.md) without specifying a custom signing key. Applications that receive tokens rely on the fact that the claim values are authoritatively issued by Azure AD and cannot be tampered with. However, when you modify the token contents through claims-mapping policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the claims-mapping policy to protect themselves from claims-mapping policies created by malicious actors.
+
+> [!WARNING]
+> Do not set `acceptMappedClaims` property to `true` for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app.
+
+Example:
+
+```json
+ "acceptMappedClaims": true,
+```
+ ### accessTokenAcceptedVersion attribute | Key | Value type |
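Review bot: The table delimiter row `| : | : |` is not a valid markdown separator (it needs dashes, for example `| :-- | :-- |`), so the Key/Value type table will not render; compare the existing tables in this file. In the WARNING, "Do not set `acceptMappedClaims` property to `true`" is missing an article ("the `acceptMappedClaims` property"). The security rationale itself, that a multi-tenant app accepting mapped claims lets a policy author in another tenant alter token contents the app treats as authoritative, is stated clearly and should stay.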
active-directory Reference Breaking Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-breaking-changes.md
If a request fails the validation check, the application API for create/update w
[!INCLUDE [active-directory-identifierUri](../../../includes/active-directory-identifier-uri-patterns.md)]
+>[!NOTE]
+> While it is safe to remove the identifierUris for app registrations within the current tenant, removing the identifierUris may cause clients to fail for other app registrations.
+ ## August 2021 ### Conditional Access will only trigger for explicitly requested scopes
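Review bot: The note's second clause is ambiguous: "removing the identifierUris may cause clients to fail for other app registrations" does not say which registrations are affected or why; state explicitly whether the risk is that other app registrations (for example in other tenants) still reference the removed URI, so readers can assess the impact before removing a value. Also, `>[!NOTE]` lacks the space after `>` used by the other callouts in this file (`> [!NOTE]`).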
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md
The following samples show an application that accesses the Microsoft Graph API
> |.NET Core| &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi)<br/> &#8226; [Call own web API](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/4-Call-OwnApi-Pop) <br/> &#8226; [Using managed identity and Azure key vault](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/3-Using-KeyVault)| MSAL.NET | Client credentials grant| > | ASP.NET|[Multi-tenant with Microsoft identity platform endpoint](https://github.com/Azure-Samples/ms-identity-aspnet-daemon-webapp) | MSAL.NET | Client credentials grant| > | Java | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-certificate)| MSAL Java | Client credentials grant|
-> | Node.js | [Sign in users and call web API](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) | MSAL Node | Client credentials grant |
+> | Node.js | [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) | MSAL Node | Client credentials grant |
> | Python | &#8226; [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/1-Call-MsGraph-WithSecret) <br/> &#8226; [Call Microsoft Graph with certificate](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/2-Call-MsGraph-WithCertificate) | MSAL Python| Client credentials grant| ## Azure Functions as web APIs
active-directory Scenario Protected Web Api App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md
You can create a web API from scratch by using Microsoft.Identity.Web project te
#### Starting from an existing ASP.NET Core 3.1 application
-ASP.NET Core 3.1 uses the Microsoft.AspNetCore.AzureAD.UI library. The middleware is initialized in the Startup.cs file.
+ASP.NET Core 3.1 uses the Microsoft.AspNetCore.Authentication.JwtBearer library. The middleware is initialized in the Startup.cs file.
```csharp using Microsoft.AspNetCore.Authentication.JwtBearer;
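Review bot: The corrected library name now agrees with the `using Microsoft.AspNetCore.Authentication.JwtBearer;` directive in the snippet that follows, which the old text contradicted. While this sentence is being touched, consider saying what the middleware does for a protected web API (validating the incoming bearer token's signature, issuer and audience), because that is the property readers are configuring here and the sentence currently only says where the middleware is initialized.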
active-directory Tutorial V2 Javascript Auth Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-javascript-auth-code.md
Next, implement a small [Express](https://expressjs.com/) web server to serve yo
npm install yargs ``` 2. Next, create file named *server.js* and add the following code:-
- :::code language="js" source="~/ms-identity-javascript-v2/server.js":::
+
+ :::code language="js" source="~/ms-identity-javascript-v2/server.js":::
## Create the SPA UI
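Review bot: The hunk only moves the `:::code` include onto its own line after a blank line, which is what the include needs to render inside the numbered step, but the step text it follows still reads "create file named *server.js*" and should be "create a file named *server.js*"; fix the missing article while here. If the stray "-" at the end of "add the following code:-" is in the source rather than an artifact of this view, drop it too.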
active-directory Howto Hybrid Azure Ad Join https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-hybrid-azure-ad-join.md
Verify devices can access the required Microsoft resources under the system acco
We think most organizations will deploy hybrid Azure AD join with managed domains. Managed domains use [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md). Managed domain scenarios don't require configuring a federation server.
-> [!NOTE]
-> Azure AD doesn't support smart cards or certificates in managed domains.
- Configure hybrid Azure AD join by using Azure AD Connect for a managed domain: 1. Start Azure AD Connect, and then select **Configure**.
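Review bot: The removed note stated a limitation (no smart card or certificate support in managed domains) and nothing in the hunk replaces it, so a reader who remembers the old statement gets no signal about whether it has been lifted or merely relocated. If the limitation no longer applies, add one sentence saying so with a link to the feature that changes it; if it still applies, the note should stay, because readers planning sign-in methods for a managed domain rely on it.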
active-directory Hybrid Azuread Join Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-azuread-join-plan.md
These scenarios don't require you to configure a federation server for authentic
> [!NOTE] > [Cloud authentication using Staged rollout](../hybrid/how-to-connect-staged-rollout.md) is only supported starting at the Windows 10 1903 update.
->
-> Azure AD doesn't support smartcards or certificates in managed domains.
+ ### Federated environment
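Review bot: This removal mirrors the one in howto-hybrid-azure-ad-join.md, which keeps the two articles consistent, but the same concern applies: the note block now mentions only the Staged rollout minimum build, and the dropped smartcard/certificate statement is neither replaced nor pointed to. State the current behaviour in one line or link to where it is documented, so the two articles do not silently lose a planning constraint.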
active-directory Directory Delete Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md
You can put a subscription into the **Deprovisioned** state to be deleted in thr
If you have an Active or Cancelled Azure Subscription associated to your Azure AD Tenant then you would not be able to delete Azure AD Tenant. After you cancel, billing is stopped immediately. However, Microsoft waits 30 - 90 days before permanently deleting your data in case you need to access it or you change your mind. We don't charge you for keeping the data. -- If you have a free trial or pay-as-you-go subscription, you don't have to wait 90 days for the subscription to automatically delete. You can delete your subscription three days after you cancel it. The Delete subscription option isn't available until three days after you cancel your subscription. For more details please read through [Delete free trial or pay-as-you-go subscriptions](../../cost-management-billing/manage/cancel-azure-subscription.md#delete-free-trial-or-pay-as-you-go-subscriptions).
+- If you have a free trial or pay-as-you-go subscription, you don't have to wait 90 days for the subscription to automatically delete. You can delete your subscription three days after you cancel it. The Delete subscription option isn't available until three days after you cancel your subscription. For more details please read through [Delete free trial or pay-as-you-go subscriptions](../../cost-management-billing/manage/cancel-azure-subscription.md#delete-subscriptions).
- All other subscription types are deleted only through the [subscription cancellation](../../cost-management-billing/manage/cancel-azure-subscription.md#cancel-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial or pay-as-you-go subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) to ask to have the subscription deleted immediately. - Alternatively, you can also move/transfer the Azure subscription to another Azure AD tenant account. When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new account's tenant. Additionally, perfoming Switch Directory on the subscription would not help as the billing would still be aligned with Azure AD Tenant which was used to sign up for the subscription. For more information review [Transfer a subscription to another Azure AD tenant account](../../cost-management-billing/manage/billing-subscription-transfer.md#transfer-a-subscription-to-another-azure-ad-tenant-account)
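Review bot: The new anchor `#delete-subscriptions` should be checked against the actual heading text in cancel-azure-subscription.md, because anchors are derived from headings and a stale one fails silently as a link to the top of the page. The surrounding bullets carry errors worth fixing in the same commit: "perfoming Switch Directory" should be "performing Switch Directory", and "If you have an Active or Cancelled Azure Subscription associated to your Azure AD Tenant then you would not be able to delete Azure AD Tenant" reads better as "If an active or cancelled Azure subscription is associated with your Azure AD tenant, you can't delete the tenant".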
You can put a self-service sign-up product like Microsoft Power BI or Azure Righ
## Next steps
-[Azure Active Directory documentation](../index.yml)
+[Azure Active Directory documentation](../index.yml)
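Review bot: The removed and added lines for the Next steps link are identical in this view, so the change is presumably trailing whitespace or a missing end-of-file newline; that is fine, but it is worth saying so in the commit description so reviewers do not hunt for a content difference.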
active-directory B2b Direct Connect Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-direct-connect-overview.md
B2B direct connect requires a mutual trust relationship between two Azure AD org
Currently, B2B direct connect capabilities work with Teams shared channels. When B2B direct connect is established between two organizations, users in one organization can create a shared channel in Teams and invite an external B2B direct connect user to it. Then from within Teams, the B2B direct connect user can seamlessly access the shared channel in their home tenant Teams instance, without having to manually sign in to the organization hosting the shared channel.
-For licensing and pricing information related to B2B direct connect users, refer to [Azure Active Directory pricing](https://azure.microsoft.com/pricing/details/active-directory/).
+For licensing and pricing information related to B2B direct connect users, refer to [Azure Active Directory External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/).
## Managing cross-tenant access for B2B direct connect
active-directory B2b Government National Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-government-national-clouds.md
Previously updated : 01/31/2022 Last updated : 05/17/2022
# Azure AD B2B in government and national clouds
-## National clouds
-[National clouds](../develop/authentication-national-cloud.md) are physically isolated instances of Azure. B2B collaboration is not supported across national cloud boundaries. For example, if your Azure tenant is in the public, global cloud, you can't invite a user whose account is in a national cloud. To collaborate with the user, ask them for another email address or create a member user account for them in your directory.
+Microsoft Azure [national clouds](../develop/authentication-national-cloud.md) are physically isolated instances of Azure. B2B collaboration isn't enabled by default across national cloud boundaries, but you can use Microsoft cloud settings (preview) to establish mutual B2B collaboration between the following Microsoft Azure clouds:
-## Azure US Government clouds
-Within the Azure US Government cloud, B2B collaboration is supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. Azure US Government tenants that support B2B collaboration can also collaborate with social users using Microsoft, Google accounts, or email one-time passcode accounts. If you invite a user outside of these groups (for example, if the user is in a tenant that isn't part of the Azure US Government cloud or doesn't yet support B2B collaboration), the invitation will fail or the user won't be able to redeem the invitation. For Microsoft accounts (MSAs), there are known limitations with accessing the Azure portal: newly invited MSA guests are unable to redeem direct link invitations to the Azure portal, and existing MSA guests are unable to sign in to the Azure portal. For details about other limitations, see [Azure Active Directory Premium P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).
+- Microsoft Azure global cloud and Microsoft Azure Government
+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet
+
+## B2B collaboration across Microsoft clouds
+
+To set up B2B collaboration between tenants in different clouds, both tenants need to configure their Microsoft cloud settings to enable collaboration with the other cloud. Then each tenant must configure inbound and outbound cross-tenant access with the tenant in the other cloud. For details, see [Microsoft cloud settings (preview)](cross-cloud-settings.md).
+
+## B2B collaboration within the Microsoft Azure Government cloud
+
+Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. Azure US Government tenants that support B2B collaboration can also collaborate with social users using Microsoft, Google accounts, or email one-time passcode accounts. If you invite a user outside of these groups (for example, if the user is in a tenant that isn't part of the Azure US Government cloud or doesn't yet support B2B collaboration), the invitation will fail or the user won't be able to redeem the invitation. For Microsoft accounts (MSAs), there are known limitations with accessing the Azure portal: newly invited MSA guests are unable to redeem direct link invitations to the Azure portal, and existing MSA guests are unable to sign in to the Azure portal. For details about other limitations, see [Azure Active Directory Premium P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).
### How can I tell if B2B collaboration is available in my Azure US Government tenant? To find out if your Azure US Government cloud tenant supports B2B collaboration, do the following:
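Review bot: The rewrite drops the old fallback guidance ("ask them for another email address or create a member user account for them in your directory") without replacing it, yet the new text lists only two supported cloud pairings, so organizations in any other combination no longer learn what to do; keep one sentence for pairings not in the list. Also link "Microsoft cloud settings (preview)" in the intro to cross-cloud-settings.md as the next section already does, and note that the US Government section changes "supported" to "enabled" while the intro says collaboration "isn't enabled by default"; make sure the two statements are meant to describe the same thing.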
active-directory Cross Cloud Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-cloud-settings.md
+
+ Title: Configure B2B collaboration Microsoft cloud settings - Azure AD
+description: Use Microsoft cloud settings to enable cross-cloud B2B collaboration between sovereign (national) Microsoft Azure clouds.
++++ Last updated : 05/17/2022++++++++
+# Configure Microsoft cloud settings for B2B collaboration (Preview)
+
+> [!NOTE]
+> Microsoft cloud settings are preview features of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+When Azure AD organizations in separate Microsoft Azure clouds need to collaborate, they can use Microsoft cloud settings to enable Azure AD B2B collaboration. B2B collaboration is available between the following global and sovereign Microsoft Azure clouds:
+
+- Microsoft Azure global cloud and Microsoft Azure Government
+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet
+
+To set up B2B collaboration between partner organizations in different Microsoft Azure clouds, each partner mutually agrees to configure B2B collaboration with each other. In each organization, an admin completes the following steps:
+
+1. Configures their Microsoft cloud settings to enable collaboration with the partner's cloud.
+
+1. Uses the partner's tenant ID to find and add the partner to their organizational settings.
+
+1. Configures their inbound and outbound settings for the partner organization. The admin can either apply the default settings or configure specific settings for the partner.
+
+After each organization has completed these steps, Azure AD B2B collaboration between the organizations is enabled.
+
+## Before you begin
+
+- **Obtain the partner's tenant ID.** To enable B2B collaboration with a partner's Azure AD organization in another Microsoft Azure cloud, you'll need the partner's tenant ID. Using an organization's domain name for lookup isn't available in cross-cloud scenarios.
+- **Decide on inbound and outbound access settings for the partner.** Selecting a cloud in your Microsoft cloud settings doesn't automatically enable B2B collaboration. Once you enable another Microsoft Azure cloud, all B2B collaboration is blocked by default for organizations in that cloud. You'll need to add the tenant you want to collaborate with to your Organizational settings. At that point, your default settings go into effect for that tenant only. You can allow the default settings to remain in effect. Or, you can modify the inbound and outbound settings for the organization.
+- **Obtain any required object IDs or app IDs.** If you want to apply access settings to specific users, groups, or applications in the partner organization, you'll need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.
+
+## Enable the cloud in your Microsoft cloud settings
+
+In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.
+1. Select **Cross cloud settings**.
+1. Select the checkboxes next to the external Microsoft Azure clouds you want to enable.
+
+ ![Screenshot showing Microsoft cloud settings.](media/cross-cloud-settings/cross-cloud-settings.png)
+
+> [!NOTE]
+> Selecting a cloud doesn't automatically enable B2B collaboration with organizations in that cloud. You'll need to add the organization you want to collaborate with, as described in the next section.
+
+## Add the tenant to your organizational settings
+
+Follow these steps to add the tenant you want to collaborate with to your Organizational settings.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.
+1. Select **Organizational settings**.
+1. Select **Add organization**.
+1. On the **Add organization** pane, type the tenant ID for the organization (cross-cloud lookup by domain name isn't currently available).
+
+ ![Screenshot showing adding an organization.](media/cross-cloud-settings/cross-tenant-add-organization.png)
+
+1. Select the organization in the search results, and then select **Add**.
+1. The organization appears in the **Organizational settings** list. At this point, all access settings for this organization are inherited from your default settings.
+
+ ![Screenshot showing an organization added with default settings.](media/cross-cloud-settings/org-specific-settings-inherited.png)
++
+1. If you want to change the cross-tenant access settings for this organization, select the **Inherited from default** link under the **Inbound access** or **Outbound access** column. Then follow the detailed steps in these sections:
+
+ - [Modify inbound access settings](cross-tenant-access-settings-b2b-collaboration.md#modify-inbound-access-settings)
+ - [Modify outbound access settings](cross-tenant-access-settings-b2b-collaboration.md#modify-outbound-access-settings)
+
+## Next steps
+
+See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.
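Review bot: The procedure has the admin type a partner tenant ID by hand (step 5 of "Add the tenant to your organizational settings") and confirm it from search results, and "Before you begin" says domain-name lookup is unavailable cross-cloud, so there is no name-based sanity check; add a sentence recommending that the tenant ID be obtained and confirmed with the partner over a trusted channel before it is added, since an added tenant immediately inherits whatever your default inbound settings allow. The article also explains the default-settings behaviour twice (the second "Before you begin" bullet and the note after "Enable the cloud"); keep one and cross-reference it. Finally, "The organization appears in the Organizational settings list" is a result, not an action, and should be a sentence under the preceding step rather than a numbered step of its own.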
active-directory Cross Tenant Access Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-overview.md
Previously updated : 03/21/2022 Last updated : 05/17/2022
> [!NOTE] > Cross-tenant access settings are preview features of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-Azure AD organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Azure AD organizations through [B2B collaboration](cross-tenant-access-settings-b2b-collaboration.md) and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). Cross-tenant access settings give you granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations.
+Azure AD organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md) give you granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations.
-This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Azure AD organizations. Additional settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.
+This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Azure AD organizations, including across Microsoft clouds. Additional settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.
-![Overview diagram of cross-tenant access settings](media/cross-tenant-access-overview/cross-tenant-access-settings-overview.png)
+![Overview diagram of cross-tenant access settings.](media/cross-tenant-access-overview/cross-tenant-access-settings-overview.png)
## Manage external access with inbound and outbound settings
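Review bot: The link moved from "B2B collaboration" to "Cross-tenant access settings" in the second sentence, so the first sentence now links "B2B direct connect" but leaves "B2B collaboration" unlinked; link both or neither. The trailing period added to the alt text matches the other screenshot changes in this set.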
The default cross-tenant access settings apply to all Azure AD organizations ext
- **Organizational settings**: No organizations are added to your Organizational settings by default. This means all external Azure AD organizations are enabled for B2B collaboration with your organization.
+The behaviors described above apply to B2B collaboration with other Azure AD tenants in your same Microsoft Azure cloud. In cross-cloud scenarios, default settings work a little differently. See [Microsoft cloud settings](#microsoft-cloud-settings) later in this article.
+ ## Organizational settings You can configure organization-specific settings by adding an organization and modifying the inbound and outbound settings for that organization. Organizational settings take precedence over default settings.
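Review bot: "In cross-cloud scenarios, default settings work a little differently" defers entirely to the later section; give the one-line difference here (collaboration with tenants in a newly enabled cloud is blocked until you add the tenant, and only then do your defaults apply to it), because a reader of the default-settings section needs that fact before deciding whether the defaults are safe to leave in place.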
You can configure organization-specific settings by adding an organization and m
- You can use external collaboration settings to limit who can invite external users, allow or block B2B specific domains, and set restrictions on guest user access to your directory.
+## Microsoft cloud settings
+
+Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:
+
+- Microsoft Azure global cloud and Microsoft Azure Government
+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet
+
+To set up B2B collaboration, both organizations configure their Microsoft cloud settings to enable the partner's cloud. Then each organization uses the partner's tenant ID to find and add the partner to their organizational settings. From there, each organization can allow their default cross-tenant access settings apply to the partner, or they can configure partner-specific inbound and outbound settings. After you establish B2B collaboration with a partner in another cloud, you'll be able to:
+
+- Use B2B collaboration to invite a user in the partner tenant to access resources in your organization, including web line-of-business apps, SaaS apps, and SharePoint Online sites, documents, and files.
+- Apply Conditional Access policies to the B2B collaboration user and opt to trust device claims (compliant claims and hybrid Azure AD joined claims) from the userΓÇÖs home tenant.
+
+For configuration steps, see [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md).
+
+### Default settings in cross-cloud scenarios
+
+To collaborate with a partner tenant in a different Microsoft Azure cloud, both organizations need to mutually enable B2B collaboration with each other. The first step is to enable the partner's cloud in your cross-tenant settings. When you first enable another cloud, B2B collaboration is blocked for all tenants in that cloud. You need to add the tenant you want to collaborate with to your Organizational settings, and at that point your default settings go into effect for that tenant only. You can allow the default settings to remain in effect, or you can modify the organizational settings for the tenant.
+ ## Important considerations > [!IMPORTANT]
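Review bot: "each organization can allow their default cross-tenant access settings apply to the partner" is missing a word; make it "allow their default cross-tenant access settings to apply to the partner". The bullet on trusting device claims from the user's home tenant needs a caveat the section does not currently give: accepting compliant and hybrid Azure AD joined claims from a partner means your Conditional Access decisions rest on the partner tenant's compliance policies and device management, so that trust is best granted in organization-specific settings rather than in the defaults. Also the apostrophe in "user's" renders as mojibake in this view; confirm the file is saved as UTF-8.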
You can configure organization-specific settings by adding an organization and m
Several tools are available to help you identify the access your users and partners need before you set inbound and outbound access settings. To ensure you donΓÇÖt remove access that your users and partners need, you should examine current sign-in behavior. Taking this preliminary step will help prevent loss of desired access for your end users and partner users. However, in some cases these logs are only retained for 30 days, so we strongly recommend you speak with your business stakeholders to ensure required access isn't lost.
+> [!NOTE]
+> During the preview of Microsoft cloud settings, sign-in events for cross-cloud scenarios will be reported in the resource tenant, but not in the home tenant.
+ ### Cross-tenant sign-in activity PowerShell script To review user sign-in activity associated with external tenants, use the [cross-tenant user sign-in activity](https://aka.ms/cross-tenant-signins-ps) PowerShell script. For example, to view all available sign-in events for inbound activity (external users accessing resources in the local tenant) and outbound activity (local users accessing resources in an external tenant), run the following command:
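Review bot: The new note has a monitoring consequence that should be spelled out rather than implied: if cross-cloud sign-ins are reported only in the resource tenant, the home tenant's sign-in logs, and anything exported from them to a SIEM, will not show its own users accessing partner resources during the preview, so the preceding advice to "examine current sign-in behavior" before tightening outbound settings cannot rely on home-tenant data for cross-cloud partners. Add that sentence, or tell readers to obtain the data from the partner tenant.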
If your organization exports sign-in logs to a Security Information and Event Ma
The Azure AD audit logs capture all activity around cross-tenant access setting changes and activity. To audit changes to your cross-tenant access settings, use the **category** of ***CrossTenantAccessSettings*** to filter all activity to show changes to cross-tenant access settings.
-![Audit logs for cross-tenant access settings](media/cross-tenant-access-overview/cross-tenant-access-settings-audit-logs.png)
+![Audit logs for cross-tenant access settings.](media/cross-tenant-access-overview/cross-tenant-access-settings-audit-logs.png)
## Next steps
active-directory Cross Tenant Access Settings B2b Collaboration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md
Previously updated : 05/02/2022 Last updated : 05/17/2022
Use External Identities cross-tenant access settings to manage how you collabora
- Decide on the default level of access you want to apply to all external Azure AD organizations. - Identify any Azure AD organizations that will need customized settings so you can configure **Organizational settings** for them. - If you want to apply access settings to specific users, groups, or applications in an external organization, you'll need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.
+- If you want to set up B2B collaboration with a partner organization in an external Microsoft Azure cloud, follow the steps in [Configure Microsoft cloud settings](cross-cloud-settings.md). An admin in the partner organization will need to do the same for your tenant.
## Configure default settings
- Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. If you want to modify the Azure AD-provided default settings, follow these steps.
+ Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. If you want to modify the Azure AD-provided default settings, follow these steps.
1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service. 1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**. 1. Select the **Default settings** tab and review the summary page.
- ![Screenshot showing the Cross-tenant access settings Default settings tab](media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-defaults.png)
+ ![Screenshot showing the Cross-tenant access settings Default settings tab.](media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-defaults.png)
1. To change the settings, select the **Edit inbound defaults** link or the **Edit outbound defaults** link.
- ![Screenshot showing edit buttons for Default settings](media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-defaults-edit.png)
+ ![Screenshot showing edit buttons for Default settings.](media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-defaults-edit.png)
1. Modify the default settings by following the detailed steps in these sections:
Use External Identities cross-tenant access settings to manage how you collabora
Follow these steps to configure customized settings for specific organizations. 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
-1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.
1. Select **Organizational settings**. 1. Select **Add organization**. 1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
- ![Screenshot showing adding an organization](media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-add-organization.png)
+ ![Screenshot showing adding an organization.](media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-add-organization.png)
1. Select the organization in the search results, and then select **Add**. 1. The organization appears in the **Organizational settings** list. At this point, all access settings for this organization are inherited from your default settings. To change the settings for this organization, select the **Inherited from default** link under the **Inbound access** or **Outbound access** column.
- ![Screenshot showing an organization added with default settings](media/cross-tenant-access-settings-b2b-collaboration/org-specific-settings-inherited.png)
+ ![Screenshot showing an organization added with default settings.](media/cross-tenant-access-settings-b2b-collaboration/org-specific-settings-inherited.png)
1. Modify the organization's settings by following the detailed steps in these sections:
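Review bot: Step 5 of this procedure says to type "the full domain name (or tenant ID)", but the new cross-cloud-settings.md article states that domain-name lookup is not available cross-cloud; add a parenthetical here ("for an organization in another Microsoft Azure cloud, use the tenant ID") so the two procedures do not appear to disagree. The "(preview)" to "(Preview)" casing fix matches the UI label used in the other articles in this set.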
With inbound settings, you select which external users and groups will be able t
1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
-1. Select **External Identities** > **Cross-tenant access settings (preview)**.
+1. Select **External Identities** > **Cross-tenant access settings (Preview)**.
1. Navigate to the settings you want to modify: - **Default settings**: To modify default inbound settings, select the **Default settings** tab, and then under **Inbound access settings**, select **Edit inbound defaults**.
With inbound settings, you select which external users and groups will be able t
- **Allow access**: Allows the users and groups specified under **Applies to** to be invited for B2B collaboration. - **Block access**: Blocks the users and groups specified under **Applies to** from being invited to B2B collaboration.
- ![Screenshot showing selecting the user access status for B2B collaboration](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-access.png)
+ ![Screenshot showing selecting the user access status for B2B collaboration.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-access.png)
1. Under **Applies to**, select one of the following:
With inbound settings, you select which external users and groups will be able t
> [!NOTE] > If you block access for all external users and groups, you also need to block access to all your internal applications (on the **Applications** tab).
- ![Screenshot showing selecting the target users and groups](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-target.png)
+ ![Screenshot showing selecting the target users and groups.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-target.png)
1. If you chose **Select external users and groups**, do the following for each user or group you want to add:
With inbound settings, you select which external users and groups will be able t
- In the menu next to the search box, choose either **user** or **group**. - Select **Add**.
- ![Screenshot showing adding users and groups](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-add.png)
+ ![Screenshot showing adding users and groups.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-add.png)
1. When you're done adding users and groups, select **Submit**.
- ![Screenshot showing submitting users and groups](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-submit.png)
+ ![Screenshot showing submitting users and groups.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-submit.png)
1. Select the **Applications** tab.
With inbound settings, you select which external users and groups will be able t
- **Allow access**: Allows the applications specified under **Applies to** to be accessed by B2B collaboration users. - **Block access**: Blocks the applications specified under **Applies to** from being accessed by B2B collaboration users.
- ![Screenshot showing applications access status](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-access.png)
+ ![Screenshot showing applications access status.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-access.png)
1. Under **Applies to**, select one of the following:
With inbound settings, you select which external users and groups will be able t
> [!NOTE] > If you block access to all applications, you also need to block access for all external users and groups (on the **External users and groups** tab).
- ![Screenshot showing target applications](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-target.png)
+ ![Screenshot showing target applications.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-target.png)
1. If you chose **Select applications**, do the following for each application you want to add:
With inbound settings, you select which external users and groups will be able t
- In the **Select** pane, type the application name or the application ID (either the *client app ID* or the *resource app ID*) in the search box. Then select the application in the search results. Repeat for each application you want to add. - When you're done selecting applications, choose **Select**.
- ![Screenshot showing selecting applications](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-add.png)
+ ![Screenshot showing selecting applications.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-add.png)
1. Select **Save**.
With inbound settings, you select which external users and groups will be able t
- **Trust hybrid Azure AD joined devices**: Allows your Conditional Access policies to trust hybrid Azure AD joined device claims from an external organization when their users access your resources.
- ![Screenshot showing trust settings](media/cross-tenant-access-settings-b2b-collaboration/inbound-trust-settings.png)
+ ![Screenshot showing trust settings.](media/cross-tenant-access-settings-b2b-collaboration/inbound-trust-settings.png)
1. Select **Save**.
With outbound settings, you select which of your users and groups will be able t
- **Allow access**: Allows your users and groups specified under **Applies to** to be invited to external organizations for B2B collaboration. - **Block access**: Blocks your users and groups specified under **Applies to** from being invited to B2B collaboration. If you block access for all users and groups, this will also block all external applications from being accessed via B2B collaboration.
- ![Screenshot showing users and groups access status for b2b collaboration](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-external-users-groups-access.png)
+ ![Screenshot showing users and groups access status for b2b collaboration.](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-external-users-groups-access.png)
1. Under **Applies to**, select one of the following:
With outbound settings, you select which of your users and groups will be able t
> [!NOTE] > If you block access for all of your users and groups, you also need to block access to all external applications (on the **External applications** tab).
- ![Screenshot showing selecting the target users for b2b collaboration](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-external-users-groups-target.png)
+ ![Screenshot showing selecting the target users for b2b collaboration.](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-external-users-groups-target.png)
1. If you chose **Select \<your organization\> users and groups**, do the following for each user or group you want to add:
With outbound settings, you select which of your users and groups will be able t
- **Allow access**: Allows the external applications specified under **Applies to** to be accessed by your users via B2B collaboration. - **Block access**: Blocks the external applications specified under **Applies to** from being accessed by your users via B2B collaboration.
- ![Screenshot showing applications access status for b2b collaboration](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-applications-access.png)
+ ![Screenshot showing applications access status for b2b collaboration.](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-applications-access.png)
1. Under **Applies to**, select one of the following:
With outbound settings, you select which of your users and groups will be able t
> [!NOTE] > If you block access to all external applications, you also need to block access for all of your users and groups (on the **Users and groups** tab).
- ![Screenshot showing application targets for b2b collaboration](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-applications-target.png)
+ ![Screenshot showing application targets for b2b collaboration.](media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-applications-target.png)
1. If you chose **Select external applications**, do the following for each application you want to add:
With outbound settings, you select which of your users and groups will be able t
- In the search box, type the application name or the application ID (either the *client app ID* or the *resource app ID*). Then select the application in the search results. Repeat for each application you want to add. - When you're done selecting applications, choose **Select**.
- ![Screenshot showing selecting applications for b2b collaboration](media/cross-tenant-access-settings-b2b-collaboration/outbound-b2b-collaboration-add-apps.png)
+ ![Screenshot showing selecting applications for b2b collaboration.](media/cross-tenant-access-settings-b2b-collaboration/outbound-b2b-collaboration-add-apps.png)
1. Select **Save**.
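Review bot: the alt text added for the four outbound screenshots writes "b2b collaboration" in lowercase, e.g. `![Screenshot showing users and groups access status for b2b collaboration.]`, while the body text and the inbound alt text use "B2B collaboration"; capitalize it in those four lines so the file is consistent. The trailing periods added to the other alt texts are consistent throughout. One documentation point on the trust settings step: the line "**Trust hybrid Azure AD joined devices**: Allows your Conditional Access policies to trust hybrid Azure AD joined device claims from an external organization" would benefit from a sentence saying that these claims are issued by the external organization's tenant, so admins should decide whether to enable them in the default inbound settings or only in organization-specific settings.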
active-directory External Identities Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-identities-overview.md
Previously updated : 03/21/2022 Last updated : 05/17/2022
The following capabilities make up External Identities:
Depending on how you want to interact with external organizations and the types of resources you need to share, you can use a combination of these capabilities.
-![External Identities overview diagram](media/external-identities-overview/external-identities-b2b-overview.png)
+![External Identities overview diagram.](media/external-identities-overview/external-identities-b2b-overview.png)
## B2B collaboration
There are various ways to add external users to your organization for B2B collab
A user object is created for the B2B collaboration user in the same directory as your employees. This user object can be managed like other user objects in your directory, added to groups, and so on. You can assign permissions to the user object (for authorization) while letting them use their existing credentials (for authentication).
-You can use [cross-tenant access settings](cross-tenant-access-overview.md) to manage B2B collaboration with other Azure AD organizations. For B2B collaboration with non-Azure AD external users and organizations, use [external collaboration settings](external-collaboration-settings-configure.md).
+You can use [cross-tenant access settings](cross-tenant-access-overview.md) to manage B2B collaboration with other Azure AD organizations and across Microsoft Azure clouds. For B2B collaboration with non-Azure AD external users and organizations, use [external collaboration settings](external-collaboration-settings-configure.md).
## B2B direct connect
-B2B direct connect is a new way to collaborate with other Azure AD organizations. With B2B direct connect, you create two-way trust relationships with other Azure AD organizations to allow users to seamlessly sign in to your shared resources and vice versa. B2B direct connect users aren't added as guests to your Azure AD directory. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Learn more about [B2B direct connect in Azure AD](b2b-direct-connect-overview.md).
+B2B direct connect is a new way to collaborate with other Azure AD organizations. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, you create two-way trust relationships with other Azure AD organizations to allow users to seamlessly sign in to your shared resources and vice versa. B2B direct connect users aren't added as guests to your Azure AD directory. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Learn more about [B2B direct connect in Azure AD](b2b-direct-connect-overview.md).
Currently, B2B direct connect enables the Teams Connect shared channels feature, which lets your users collaborate with external users from multiple organizations with a Teams shared channel for chat, calls, file-sharing, and app-sharing. Once youΓÇÖve set up B2B direct connect with an external organization, the following Teams shared channels capabilities become available:
Cross-tenant access settings let you manage B2B collaboration and B2B direct con
For more information, see [Cross-tenant access in Azure AD External Identities](cross-tenant-access-overview.md).
+### Microsoft cloud settings for B2B collaboration (preview)
+
+Microsoft Azure cloud services are available in separate national clouds, which are physically isolated instances of Azure. Increasingly, organizations are finding the need to collaborate with organizations and users across global cloud and national cloud boundaries. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following Microsoft Azure clouds:
+
+- Microsoft Azure global cloud and Microsoft Azure Government
+- Microsoft Azure global cloud and Microsoft Azure China 21Vianet
+
+To set up B2B collaboration between tenants in different clouds, both tenants need to configure their Microsoft cloud settings to enable collaboration with the other cloud. Then each tenant must configure inbound and outbound cross-tenant access with the tenant in the other cloud. See [Microsoft cloud settings](cross-cloud-settings.md) for details.
### External collaboration settings External collaboration settings determine whether your users can send B2B collaboration invitations to external users and the level of access guest users have to your directory. With these settings, you can:
As an inviting organization, you might not know ahead of time who the individual
Microsoft Graph APIs are available for creating and managing External Identities features. -- **Cross-tenant access settings API**: The [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta) lets you programmatically create the same B2B collaboration and B2B direct connect policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration to allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
+- **Cross-tenant access settings API**: The [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta&preserve-view=true) lets you programmatically create the same B2B collaboration and B2B direct connect policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration to allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
- **B2B collaboration invitation manager**: The [Microsoft Graph invitation manager API](/graph/api/resources/invitation) is available for building your own onboarding experiences for B2B guest users. You can use the [create invitation API](/graph/api/invitation-post?tabs=http) to automatically send a customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.
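Review bot: the sentence added to the B2B direct connect paragraph, "This feature currently works with Microsoft Teams shared channels.", duplicates the unchanged paragraph that follows it ("Currently, B2B direct connect enables the Teams Connect shared channels feature ..."); drop the new sentence or merge the two so the restriction is stated once. Also, the new heading is labelled "Microsoft cloud settings for B2B collaboration (preview)", but the sentence added to the B2B collaboration section ("... with other Azure AD organizations and across Microsoft Azure clouds") carries no preview label; add "(preview)" there too, or link it to the new section, so readers see the feature status at first mention.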
active-directory Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/troubleshoot.md
Previously updated : 03/31/2022 Last updated : 05/17/2022 tags: active-directory
By default, SharePoint Online and OneDrive have their own set of external user o
If you're notified that you don't have permissions to invite users, verify that your user account is authorized to invite external users under Azure Active Directory > User settings > External users > Manage external collaboration settings:
-![Screenshot showing the External Users settings](media/troubleshoot/external-user-settings.png)
+![Screenshot showing the External Users settings.](media/troubleshoot/external-user-settings.png)
If you've recently modified these settings or assigned the Guest Inviter role to a user, there might be a 15-60 minute delay before the changes take effect.
Common errors include:
When inviting users whose organization is using Azure Active Directory, but where the specific userΓÇÖs account doesn't exist (for example, the user doesn't exist in Azure AD contoso.com). The administrator of contoso.com may have a policy in place preventing users from being created. The user must check with their admin to determine if external users are allowed. The external userΓÇÖs admin may need to allow Email Verified users in their domain (see this [article](/powershell/module/msonline/set-msolcompanysettings) on allowing Email Verified Users).
-![Error stating the tenant doesn't allow email verified users](media/troubleshoot/allow-email-verified-users.png)
+![Screenshot of the error stating the tenant doesn't allow email verified users.](media/troubleshoot/allow-email-verified-users.png)
### External user doesn't exist already in a federated domain
As of November 18, 2019, guest users in your directory (defined as user accounts
## In an Azure US Government tenant, I can't invite a B2B collaboration guest user
-Within the Azure US Government cloud, B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that isn't part of the Azure US Government cloud or that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see [Azure Active Directory Premium P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).
+Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see [Azure Active Directory Premium P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).
+
+If you need to collaborate with an Azure AD organization that's outside of the Azure US Government cloud, you can use [Microsoft cloud settings (preview)](cross-cloud-settings.md) to enable B2B collaboration.
+
+## Invitation is blocked due to cross-tenant access policies
+
+When you try to invite a B2B collaboration user in another Microsoft Azure cloud, this error message will appear if B2B collaboration is supported between the two clouds but is blocked by cross-tenant access settings. The settings that are blocking collaboration could be either in the B2B collaboration userΓÇÖs home tenant or in your tenant. Check your cross-tenant access settings to make sure youΓÇÖve added the B2B collaboration userΓÇÖs home tenant to your Organizational settings and that your settings allow B2B collaboration with the user. Then make sure an admin in the userΓÇÖs tenant does the same.
+
+## Invitation is blocked due to disabled Microsoft B2B Cross Cloud Worker application
+
+Rarely, you might see this message: ΓÇ£This action can't be completed because the Microsoft B2B Cross Cloud Worker application has been disabled in the invited userΓÇÖs tenant. Please ask the invited userΓÇÖs admin to re-enable it, then try again.ΓÇ¥ This error means that the Microsoft B2B Cross Cloud Worker application has been disabled in the B2B collaboration userΓÇÖs home tenant. This app is typically enabled, but it might have been disabled by an admin in the userΓÇÖs home tenant, either through PowerShell or the portal (see [Disable how a user signs in](../manage-apps/disable-user-sign-in-portal.md)). An admin in the userΓÇÖs home tenant can re-enable the app through PowerShell or the Azure portal. In the portal, search for ΓÇ£Microsoft B2B Cross Cloud WorkerΓÇ¥ to find the app, select it, and then choose to re-enable it.
+
+## Redemption is blocked due to cross-tenant access settings
+
+A B2B collaboration user could see this message when they try to redeem a B2B collaboration invitation: ΓÇ£This invitation is blocked by cross-tenant access settings. Admins in both your organization and the inviterΓÇÖs organization must configure cross-tenant access settings to allow the invitation.ΓÇ¥ This error can occur when cross-tenant policies are changed between the time the invitation was sent to the user and the time the user redeems it. Check your cross-tenant access settings to make sure B2B collaboration is properly configured, and make sure an admin in the userΓÇÖs tenant does the same.
## I receive the error that Azure AD can't find the aad-extensions-app in my tenant
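Review bot: the new section "Invitation is blocked due to cross-tenant access policies" says "this error message will appear" without quoting the message, whereas the two sections that follow quote the exact portal text; add the quoted message so admins can match what they see in the portal to the right section. In "Invitation is blocked due to disabled Microsoft B2B Cross Cloud Worker application", the guidance to "re-enable the app through PowerShell or the Azure portal" would read better with a sentence asking the home-tenant admin to confirm why the app was disabled before turning it back on, since the text itself notes it "might have been disabled by an admin". Finally, the quoted error strings use curly quotation marks and apostrophes; if the docs style calls for straight quotes, normalize them in the three new sections.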
active-directory What Is B2b https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/what-is-b2b.md
Previously updated : 05/09/2022 Last updated : 05/17/2022
Azure Active Directory (Azure AD) B2B collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with external users, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department.
-![Diagram illustrating B2B collaboration](media/what-is-b2b/b2b-collaboration-overview.png)
+![Diagram illustrating B2B collaboration.](media/what-is-b2b/b2b-collaboration-overview.png)
A simple invitation and redemption process lets partners use their own credentials to access your company's resources. You can also enable self-service sign-up user flows to let external users sign up for apps or resources themselves. Once the external user has redeemed their invitation or completed sign-up, they're represented in your directory as a [user object](user-properties.md). B2B collaboration user objects are typically given a user type of "guest" and can be identified by the #EXT# extension in their user principal name. Developers can use Azure AD business-to-business APIs to customize the invitation process or write applications like self-service sign-up portals. For licensing and pricing information related to guest users, refer to [Azure Active Directory External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/). - > [!IMPORTANT] > We've begun rolling out a change to turn on the email one-time passcode feature for all existing tenants and enable it by default for new tenants. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, if you don't want to allow this feature to turn on automatically, you can [disable it](one-time-passcode.md#disable-email-one-time-passcode). Soon, we'll stop creating new, unmanaged ("viral") Azure AD accounts and tenants during B2B collaboration invitation redemption.
With Azure AD B2B, the partner uses their own identity management solution, so t
- You don't need to manage external accounts or passwords. - You don't need to sync accounts or manage account lifecycles.
-## Manage external access with inbound and outbound settings
+## Manage collaboration with other organizations and clouds
+
+B2B collaboration is enabled by default, but comprehensive admin settings let you control your inbound and outbound B2B collaboration with external partners and organizations:
-B2B collaboration is enabled by default, but comprehensive admin settings let you control your B2B collaboration with external partners and organizations:
+- For B2B collaboration with other Azure AD organizations, use [cross-tenant access settings (preview)](cross-tenant-access-overview.md). Manage inbound and outbound B2B collaboration, and scope access to specific users, groups, and applications. Set a default configuration that applies to all external organizations, and then create individual, organization-specific settings as needed. Using cross-tenant access settings, you can also trust multi-factor (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
-- For B2B collaboration with other Azure AD organizations, you can use [cross-tenant access settings](cross-tenant-access-overview.md) to manage inbound and outbound B2B collaboration and scope access to specific users, groups, and applications. You can set a default configuration that applies to all external organizations, and then create individual, organization-specific settings as needed. Using cross-tenant access settings, you can also trust multi-factor (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
+- Use [external collaboration settings](external-collaboration-settings-configure.md) to define who can invite external users, allow or block B2B specific domains, and set restrictions on guest user access to your directory.
-- You can use [external collaboration settings](external-collaboration-settings-configure.md) to limit who can invite external users, allow or block B2B specific domains, and set restrictions on guest user access to your directory.
+- Use [Microsoft cloud settings (preview)](cross-cloud-settings.md) to establish mutual B2B collaboration between the Microsoft Azure global cloud and Microsoft Azure Government or Microsoft Azure China 21Vianet.
## Easily invite guest users from the Azure AD portal
As an administrator, you can easily add guest users to your organization in the
- Assign guest users to apps or groups. - Send an invitation email that contains a redemption link, or send a direct link to an app you want to share.
-![Screenshot showing the New Guest User invitation entry page](media/what-is-b2b/add-a-b2b-user-to-azure-portal.png)
+![Screenshot showing the New Guest User invitation entry page.](media/what-is-b2b/add-a-b2b-user-to-azure-portal.png)
- Guest users follow a few simple [redemption steps](redemption-experience.md) to sign in.
-![Screenshot showing the Review permissions page](media/what-is-b2b/consentscreen.png)
+![Screenshot showing the Review permissions page.](media/what-is-b2b/consentscreen.png)
## Allow self-service sign-up
With a self-service sign-up user flow, you can create a sign-up experience for e
You can also use [API connectors](api-connectors-overview.md) to integrate your self-service sign-up user flows with external cloud systems. You can connect with custom approval workflows, perform identity verification, validate user-provided information, and more.
-![Screenshot showing the user flows page](media/what-is-b2b/self-service-sign-up-user-flow-overview.png)
+![Screenshot showing the user flows page.](media/what-is-b2b/self-service-sign-up-user-flow-overview.png)
## Use policies to securely share your apps and services
You can use authentication and authorization policies to protect your corporate
- At the application level. - For specific guest users to protect corporate apps and data.
-![Screenshot showing the Conditional Access option](media/what-is-b2b/tutorial-mfa-policy-2.png)
--
+![Screenshot showing the Conditional Access option.](media/what-is-b2b/tutorial-mfa-policy-2.png)
## Let application and group owners manage their own guest users
You can delegate guest user management to application owners so that they can ad
- Administrators set up self-service app and group management. - Non-administrators use their [Access Panel](https://myapps.microsoft.com) to add guest users to applications or groups.
-![Screenshot showing the Access panel for a guest user](media/what-is-b2b/access-panel-manage-app.png)
+![Screenshot showing the Access panel for a guest user.](media/what-is-b2b/access-panel-manage-app.png)
## Customize the onboarding experience for B2B guest users
Bring your external partners on board in ways customized to your organization's
Azure AD supports external identity providers like Facebook, Microsoft accounts, Google, or enterprise identity providers. You can set up federation with identity providers so your external users can sign in with their existing social or enterprise accounts instead of creating a new account just for your application. Learn more about [identity providers for External Identities](identity-providers.md).
-![Screenshot showing the Identity providers page](media/what-is-b2b/identity-providers.png)
+![Screenshot showing the Identity providers page.](media/what-is-b2b/identity-providers.png)
## Integrate with SharePoint and OneDrive
-You can [enable integration with SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management. The users you share resources with are typically added to your directory as guests, and permissions and groups work the same for these guests as they do for internal users. When enabling integration with SharePoint and OneDrive, you'll also enable the [email one-time passcode](one-time-passcode.md) feature in Azure AD B2B to serve as a fallback authentication method.
+You can [enable integration with SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management. The users you share resources with are typically added to your directory as guests, and permissions and groups work the same for these guests as they do for internal users. When enabling integration with SharePoint and OneDrive, you'll also enable the [email one-time passcode](one-time-passcode.md) feature in Azure AD B2B to serve as a fallback authentication method.
![Screenshot of the email one-time-passcode setting.](media/what-is-b2b/enable-email-otp-options.png) - ## Next steps - [External Identities pricing](external-identities-pricing.md) - [Add B2B collaboration guest users in the portal](add-users-administrator.md)-- [Understand the invitation redemption process](redemption-experience.md)
+- [Understand the invitation redemption process](redemption-experience.md)
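Review bot: renaming the heading from "## Manage external access with inbound and outbound settings" to "## Manage collaboration with other organizations and clouds" changes its anchor, so any existing links to the old heading fragment in other articles will break; search for and update those references in the same change. In the first bullet, "trust multi-factor (MFA) and device claims" should read "trust multi-factor authentication (MFA) and device claims" (the same wording also appears unchanged in the overview article's API bullet). The bullet also labels "cross-tenant access settings (preview)", while the overview article in this same update refers to the feature without a preview label; pick one labelling across the set.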
active-directory Active Directory Groups Membership Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-membership-azure-portal.md
This article helps you to add and remove a group from another group using Azure
You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time. >[!Important]
->We don't currently support:<ul><li>Adding groups to a group synced with on-premises Active Directory.</li><li>Adding Security groups to Microsoft 365 groups.</li><li>Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.</li><li>Assigning apps to nested groups.</li><li>Applying licenses to nested groups.</li><li>Adding distribution groups in nesting scenarios.</li><li> Adding security groups as members of mail-enabled security groups</li></ul>
+>We don't currently support:<ul><li>Adding groups to a group synced with on-premises Active Directory.</li><li>Adding Security groups to Microsoft 365 groups.</li><li>Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.</li><li>Assigning apps to nested groups.</li><li>Applying licenses to nested groups.</li><li>Adding distribution groups in nesting scenarios.</li><li>Adding security groups as members of mail-enabled security groups</li><li> Adding groups as members of a role-assignable group.</li></ul>
### To add a group as a member of another group
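Review bot: the new list item `<li> Adding groups as members of a role-assignable group.</li>` has a stray leading space inside the `<li>`, the same defect the change removes from the "Adding security groups" item; drop the space. The "Adding security groups as members of mail-enabled security groups" item also still lacks the terminal period that every other item in the list has.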
active-directory Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md
After you create your directory, you can add your custom domain name.
>[!IMPORTANT] >You must include *.com*, *.net*, or any other top-level extension for this to work properly.
+ >
+ >When adding a custom domain, the Password Policy values will be inherited from the initial domain.
The unverified domain is added. The **contoso.com** page appears showing your DNS information. Save this information. You need it later to create a TXT record to configure DNS.
If Azure AD can't verify a custom domain name, try the following suggestions:
- Manage your domain name information in Azure AD. For more information, see [Managing custom domain names](../enterprise-users/domains-manage.md). -- If you have on-premises versions of Windows Server that you want to use alongside Azure Active Directory, see [Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md).
+- If you have on-premises versions of Windows Server that you want to use alongside Azure Active Directory, see [Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md).
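Review bot: the added note "When adding a custom domain, the Password Policy values will be inherited from the initial domain." should say which policy is meant (the Azure AD password policy, written in lowercase as a common noun) and ideally link to the article that describes it, so readers know what is inherited and where to change it. The two added lines are also indented one space before the `>` marker (`+ >` and `+ >When adding ...`), while the existing `>[!IMPORTANT]` line has no leading space; align them.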
active-directory Concept Fundamentals Block Legacy Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication.md
Today, the majority of all compromising sign-in attempts come from legacy authen
Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you're using legacy authentication.
-1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
+1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**.
1. Add the **Client App** column if it is not shown by clicking onΓÇ»**Columns**ΓÇ»>ΓÇ»**Client App**. 1. Filter by **Client App** > check all the **Legacy Authentication Clients** options presented. 1. Filter by **Status** > **Success**.
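Review bot: The first step's rename from **Sign-ins** to **Sign-in logs** is fine on its own, but the unchanged step that follows it still contains mis-encoded non-breaking spaces (`ΓÇ»`) around **Columns** > **Client App**; since this list is being touched, replace them with plain spaces in the same commit so the step renders as `by clicking on **Columns** > **Client App**`. Consider also saying in the last step why the filter is **Status** > **Success**: successful legacy sign-ins identify the users and apps that will break when legacy authentication is blocked, which is the inventory this section asks the reader to build.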
active-directory Protect M365 From On Premises Attacks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/protect-m365-from-on-premises-attacks.md
Title: Protecting Microsoft 365 from on-premises attacks
-description: Guidance about how to ensure an on-premises attack doesn't affect Microsoft 365.
+description: Learn how to configure your systems to help protect your Microsoft 365 cloud environment from on-premises compromise.
- Previously updated : 12/22/2020+ Last updated : 04/29/2022 -+
+ - it-pro
+ - seodec18
+ - kr2b-contr-experiment
# Protecting Microsoft 365 from on-premises attacks
-Many customers connect their private corporate networks to Microsoft 365 to benefit their users, devices, and applications. However, these private networks can be compromised in many well-documented ways. Because Microsoft 365 acts as a sort of nervous system for many organizations, it's critical to protect it from compromised on-premises infrastructure.
+Many customers connect their private corporate networks to Microsoft 365 to benefit their users, devices, and applications. However, these private networks can be compromised in many well-documented ways. Microsoft 365 acts as a sort of nervous system for many organizations. It's critical to protect it from compromised on-premises infrastructure.
-This article shows you how to configure your systems to protect your Microsoft 365 cloud environment from on-premises compromise. We focus primarily on:
+This article shows you how to configure your systems to help protect your Microsoft 365 cloud environment from on-premises compromise, including the following elements:
-- Azure Active Directory (Azure AD) tenant configuration settings.-- How Azure AD tenants can be safely connected to on-premises systems.-- The tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises compromise.
+- Azure Active Directory (Azure AD) tenant configuration settings
+- How Azure AD tenants can be safely connected to on-premises systems
+- The tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises compromise
-We strongly recommend you implement this guidance to secure your Microsoft 365 cloud environment.
+Microsoft strongly recommends that you implement this guidance.
-> [!NOTE]
-> This article was initially published as a blog post. It has been moved to its current location for longevity and maintenance.
->
-> To create an offline version of this article, use your browser's print-to-PDF functionality. Check back here frequently for updates.
+## Threat sources in on-premises environments
-## Primary threat vectors from compromised on-premises environments
+Your Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Microsoft 365 uses machine learning and human intelligence to look across worldwide traffic. It can rapidly detect attacks and allow you to reconfigure nearly in real time.
-Your Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Using machine learning and human intelligence, Microsoft 365 looks across worldwide traffic. It can rapidly detect attacks and allow you to reconfigure nearly in real time.
-
-In hybrid deployments that connect on-premises infrastructure to Microsoft 365, many organizations delegate trust to on-premises components for critical authentication and directory object state management decisions. Unfortunately, if the on-premises environment is compromised, these trust relationships become an attacker's opportunities to compromise your Microsoft 365 environment.
+Hybrid deployments can connect on-premises infrastructure to Microsoft 365. In such deployments, many organizations delegate trust to on-premises components for critical authentication and directory object state management decisions. If the on-premises environment is compromised, these trust relationships become an attacker's opportunities to compromise your Microsoft 365 environment.
The two primary threat vectors are *federation trust relationships* and *account synchronization.* Both vectors can grant an attacker administrative access to your cloud.
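Review bot: Renaming the H2 from `## Primary threat vectors from compromised on-premises environments` to `## Threat sources in on-premises environments` changes the heading's URL fragment, so any inbound links to the old fragment need to be updated or redirected in the same change. Secondary: the intro now says "Microsoft strongly recommends that you implement this guidance" while the recommendation sentences later in this diff keep "We recommend that you..."; pick one voice for the article.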
-* **Federated trust relationships**, such as SAML authentication, are used to authenticate to Microsoft 365 through your on-premises identity infrastructure. If a SAML token-signing certificate is compromised, federation allows anyone who has that certificate to impersonate any user in your cloud. *We recommend you disable federation trust relationships for authentication to Microsoft 365 when possible.*
-
-* **Account synchronization** can be used to modify privileged users (including their credentials) or groups that have administrative privileges in Microsoft 365. *We recommend you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365,* either directly or through inclusion in trusted roles or groups. Ensure these objects have no direct or nested assignment in trusted cloud roles or groups.
+- **Federated trust relationships**, such as Security Assertions Markup Language (SAML) authentication, are used to authenticate to Microsoft 365 through your on-premises identity infrastructure. If a SAML token-signing certificate is compromised, federation allows anyone who has that certificate to impersonate any user in your cloud.
-## Protecting Microsoft 365 from on-premises compromise
+ We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible.
-To address the threat vectors outlined earlier, we recommend you adhere to the principles illustrated in the following diagram:
+- **Account synchronization** can be used to modify privileged users, including their credentials, or groups that have administrative privileges in Microsoft 365.
-![Reference architecture for protecting Microsoft 365.](media/protect-m365/protect-m365-principles.png)
+ We recommend that you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365. You can control privileges either directly or through inclusion in trusted roles or groups. Ensure these objects have no direct or nested assignment in trusted cloud roles or groups.
-1. **Fully isolate your Microsoft 365 administrator accounts.** They should be:
+## Protecting Microsoft 365 from on-premises compromise
- * Mastered in Azure AD.
+To address the threats described above, we recommend you adhere to the principles illustrated in the following diagram:
- * Authenticated by using multifactor authentication.
+![Reference architecture for protecting Microsoft 365, as described in the following list.](media/protect-m365/protect-m365-principles.png)
- * Secured by Azure AD Conditional Access.
+1. **Fully isolate your Microsoft 365 administrator accounts.** They should be:
- * Accessed only by using Azure-managed workstations.
+ - Mastered in Azure AD.
+ - Authenticated by using multifactor authentication.
+ - Secured by Azure AD Conditional Access.
+ - Accessed only by using Azure-managed workstations.
- These administrator accounts are restricted-use accounts. *No on-premises accounts should have administrative privileges in Microsoft 365.*
+ These administrator accounts are restricted-use accounts. No on-premises accounts should have administrative privileges in Microsoft 365.
- For more information, see the [overview of Microsoft 365 administrator roles](/microsoft-365/admin/add-users/about-admin-roles). Also see [Roles for Microsoft 365 in Azure AD](../roles/m365-workload-docs.md).
+ For more information, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles). Also, see [Roles for Microsoft 365 in Azure AD](../roles/m365-workload-docs.md).
1. **Manage devices from Microsoft 365.** Use Azure AD join and cloud-based mobile device management (MDM) to eliminate dependencies on your on-premises device management infrastructure. These dependencies can compromise device and security controls. 1. **Ensure no on-premises account has elevated privileges to Microsoft 365.** Some accounts access on-premises applications that require NTLM, LDAP, or Kerberos authentication. These accounts must be in the organization's on-premises identity infrastructure. Ensure that these accounts, including service accounts, aren't included in privileged cloud roles or groups. Also ensure that changes to these accounts can't affect the integrity of your cloud environment. Privileged on-premises software must not be capable of affecting Microsoft 365 privileged accounts or roles.
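Review bot: In the **Account synchronization** item, splitting the recommendation into "ensure that synchronized objects hold no privileges beyond a user in Microsoft 365. You can control privileges either directly or through inclusion in trusted roles or groups." changes its meaning. In the removed line, "either directly or through inclusion in trusted roles or groups" qualified "hold no privileges" (no privilege by direct role assignment and none by group membership); the new middle sentence reads as advice on how to grant privileges, and it contradicts the sentence right after it, which says these objects must have no direct or nested assignment. Suggest deleting the middle sentence and restoring the qualifier: "We recommend that you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365, either directly or through inclusion in trusted roles or groups."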
-1. **Use Azure AD cloud authentication** to eliminate dependencies on your on-premises credentials. Always use strong authentication, such as Windows Hello, FIDO, Microsoft Authenticator, or Azure AD multifactor authentication.
+1. **Use Azure AD cloud authentication to eliminate dependencies on your on-premises credentials.** Always use strong authentication, such as Windows Hello, FIDO, Microsoft Authenticator, or Azure AD multifactor authentication.
## Specific security recommendations
-The following sections provide specific guidance about how to implement the principles described earlier.
+The following sections provide guidance about how to implement the principles described above.
### Isolate privileged identities In Azure AD, users who have privileged roles, such as administrators, are the root of trust to build and manage the rest of the environment. Implement the following practices to minimize the effects of a compromise.
-* Use cloud-only accounts for Azure AD and Microsoft 365 privileged roles.
+- Use cloud-only accounts for Azure AD and Microsoft 365 privileged roles.
-* Deploy [privileged access devices](/security/compass/privileged-access-devices#device-roles-and-profiles) for privileged access to manage Microsoft 365 and Azure AD.
+- Deploy privileged access devices for privileged access to manage Microsoft 365 and Azure AD. See [Device roles and profiles](/security/compass/privileged-access-devices#device-roles-and-profiles).
-* Deploy [Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md) (PIM) for just-in-time (JIT) access to all human accounts that have privileged roles. Require strong authentication to activate roles.
+ Deploy Azure AD Privileged Identity Management (PIM) for just-in-time access to all human accounts that have privileged roles. Require strong authentication to activate roles. See [What is Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md).
-* Provide administrative roles that allow the [least privilege necessary to do required tasks](../roles/delegate-by-task.md).
+- Provide administrative roles that allow the least privilege necessary to do required tasks. See [Least privileged roles by task in Azure Active Directory](../roles/delegate-by-task.md).
-* To enable a rich role assignment experience that includes delegation and multiple roles at the same time, consider using Azure AD security groups or Microsoft 365 Groups. These groups are collectively called *cloud groups*. Also [enable role-based access control](../roles/groups-assign-role.md). You can use [administrative units](../roles/administrative-units.md) to restrict the scope of roles to a portion of the organization.
+- To enable a rich role assignment experience that includes delegation and multiple roles at the same time, consider using Azure AD security groups or Microsoft 365 Groups. These groups are collectively called *cloud groups*.
-* Deploy [emergency access accounts](../roles/security-emergency-access.md). Do *not* use on-premises password vaults to store credentials.
+ Also, enable role-based access control. See [Assign Azure AD roles to groups](../roles/groups-assign-role.md). You can use administrative units to restrict the scope of roles to a portion of the organization. See [Administrative units in Azure Active Directory](../roles/administrative-units.md).
-For more information, see [Securing privileged access](/security/compass/overview). Also see [Secure access practices for administrators in Azure AD](../roles/security-planning.md).
+- Deploy emergency access accounts. Do *not* use on-premises password vaults to store credentials. See [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
-### Use cloud authentication
+For more information, see [Securing privileged access](/security/compass/overview). Also, see [Secure access practices for administrators in Azure AD](../roles/security-planning.md).
+
+### Use cloud authentication
Credentials are a primary attack vector. Implement the following practices to make credentials more secure:
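Review bot: The added line `+ Deploy Azure AD Privileged Identity Management (PIM) for just-in-time access to all human accounts that have privileged roles.` lost its list marker (the removed line was a `* Deploy [Azure AD Privileged Identity Management]...` bullet), so it will render as a continuation paragraph of the preceding "Deploy privileged access devices" item instead of as its own recommendation; change it to `- Deploy Azure AD Privileged Identity Management (PIM) ...`. The indented ` Also, enable role-based access control...` line is a deliberate continuation of the cloud groups item and is fine as written.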
-* [Deploy passwordless authentication](../authentication/howto-authentication-passwordless-deployment.md). Reduce the use of passwords as much as possible by deploying passwordless credentials. These credentials are managed and validated natively in the cloud. Choose from these authentication methods:
+- **Deploy passwordless authentication**. Reduce the use of passwords as much as possible by deploying passwordless credentials. These credentials are managed and validated natively in the cloud. For more information, see [Plan a passwordless authentication deployment in Azure Active Directory](../authentication/howto-authentication-passwordless-deployment.md).
- * [Windows Hello for business](/windows/security/identity-protection/hello-for-business/passwordless-strategy)
+ Choose from these authentication methods:
- * [The Microsoft Authenticator app](../authentication/howto-authentication-passwordless-phone.md)
+ - [Windows Hello for business](/windows/security/identity-protection/hello-for-business/passwordless-strategy)
+ - [The Microsoft Authenticator app](../authentication/howto-authentication-passwordless-phone.md)
+ - [FIDO2 security keys](../authentication/howto-authentication-passwordless-security-key-windows.md)
- * [FIDO2 security keys](../authentication/howto-authentication-passwordless-security-key-windows.md)
+- **Deploy multifactor authentication**. For more information, see [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
-* [Deploy multifactor authentication](../authentication/howto-mfa-getstarted.md). Provision
- [multiple strong credentials by using Azure AD multifactor authentication](../fundamentals/resilience-in-credentials.md). That way, access to cloud resources will require a credential that's managed in Azure AD in addition to an on-premises password that can be manipulated. For more information, see [Create a resilient access control management strategy by using Azure AD](./resilience-overview.md).
+ Provision multiple strong credentials by using Azure AD multifactor authentication. That way, access to cloud resources requires an Azure AD managed credential in addition to an on-premises password. For more information, see [Build resilience with credential management](../fundamentals/resilience-in-credentials.md) and [Create a resilient access control management strategy by using Azure AD](./resilience-overview.md).
### Limitations and tradeoffs
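Review bot: In the **Deploy multifactor authentication** item, the rewritten sentence "access to cloud resources requires an Azure AD managed credential in addition to an on-premises password" drops the removed text's "that can be manipulated", which was the reason the extra factor matters in this article's threat model: an attacker who controls on-premises Active Directory can reset or capture the password but not the cloud-managed factor. Suggest restoring the rationale, for example "... in addition to an on-premises password, which an attacker with on-premises control can manipulate." Secondary: the carried-over list item "Windows Hello for business" should read "Windows Hello for Business", the product name.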
-* Hybrid account password management requires hybrid components such as password protection agents and password writeback agents. If your on-premises infrastructure is compromised, attackers can control the machines on which these agents reside. This vulnerability won't compromise your cloud infrastructure. But your cloud accounts won't protect these components from on-premises compromise.
+Hybrid account password management requires hybrid components such as password protection agents and password writeback agents. If your on-premises infrastructure is compromised, attackers can control the machines on which these agents reside. This vulnerability won't compromise your cloud infrastructure. But your cloud accounts won't protect these components from on-premises compromise.
-* On-premises accounts synced from Active Directory are marked to never expire in Azure AD. This setting is usually mitigated by on-premises Active Directory password settings. However, if your on-premises instance of Active Directory is compromised and synchronization is disabled, you must set the [EnforceCloudPasswordPolicyForPasswordSyncedUsers](../hybrid/how-to-connect-password-hash-synchronization.md) option to force password changes.
+On-premises accounts synced from Active Directory are marked to never expire in Azure AD. This setting is usually mitigated by on-premises Active Directory password settings. If your instance of Active Directory is compromised and synchronization is disabled, set the [EnforceCloudPasswordPolicyForPasswordSyncedUsers](../hybrid/how-to-connect-password-hash-synchronization.md) option to force password changes.
## Provision user access from the cloud *Provisioning* refers to the creation of user accounts and groups in applications or identity providers.
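Review bot: In the second tradeoff paragraph, "If your instance of Active Directory is compromised and synchronization is disabled" dropped "on-premises" from the removed line; the whole section is about on-premises compromise affecting synced accounts, and this article also refers to Azure AD Domain Services, so keep "your on-premises instance of Active Directory" to avoid ambiguity. The rest of the change (removing the bullet markers to make these two paragraphs) reads fine.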
-![Diagram of provisioning architecture.](media/protect-m365/protect-m365-provision.png)
+![Diagram of provisioning architecture shows the interaction of Azure A D with Cloud HR, Azure A D B 2 B, Azure app provisioning, and group-based licensing.](media/protect-m365/protect-m365-provision.png)
We recommend the following provisioning methods:
-* **Provision from cloud HR apps to Azure AD**: This provisioning enables an on-premises compromise to be isolated, without disrupting your joiner-mover-leaver cycle from your cloud HR apps to Azure AD.
-
-* **Cloud applications**: Where possible, deploy [Azure AD app provisioning](../app-provisioning/user-provisioning.md) as opposed to on-premises provisioning solutions. This method protects some of your software-as-a-service (SaaS) apps from being affected by malicious hacker profiles in on-premises breaches.
+- **Provision from cloud HR apps to Azure AD.** This provisioning enables an on-premises compromise to be isolated. This isolation doesn't disrupt your joiner-mover-leaver cycle from your cloud HR apps to Azure AD.
+- **Cloud applications.** Where possible, deploy Azure AD app provisioning as opposed to on-premises provisioning solutions. This method protects some of your software as a service (SaaS) apps from malicious hacker profiles in on-premises breaches. For more information, see [What is app provisioning in Azure Active Directory](../app-provisioning/user-provisioning.md).
+- **External identities.** Use Azure AD B2B collaboration to reduce the dependency on on-premises accounts for external collaboration with partners, customers, and suppliers. Carefully evaluate any direct federation with other identity providers. For more information, see [B2B collaboration overview](../external-identities/what-is-b2b.md).
-* **External identities**: Use [Azure AD B2B collaboration](../external-identities/what-is-b2b.md) This method reduces the dependency on on-premises accounts for external collaboration with partners, customers, and suppliers. Carefully evaluate any direct federation with other identity providers. We recommend limiting B2B guest accounts in the following ways:
+ We recommend limiting B2B guest accounts in the following ways:
- * Limit guest access to browsing groups and other properties in the directory. Use the external collaboration settings to restrict guests' ability to read groups they're not members of.
+ - Limit guest access to browsing groups and other properties in the directory. Use the external collaboration settings to restrict guests' ability to read groups they're not members of.
+ - Block access to the Azure portal. You can make rare necessary exceptions. Create a Conditional Access policy that includes all guests and external users. Then implement a policy to block access. See [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md).
- * Block access to the Azure portal. You can make rare necessary exceptions. Create a Conditional Access policy that includes all guests and external users. Then [implement a policy to block access](../conditional-access/concept-conditional-access-cloud-apps.md).
+- **Disconnected forests.** Use Azure AD cloud provisioning to connect to disconnected forests. This approach eliminates the need to establish cross-forest connectivity or trusts, which can broaden the effect of an on-premises breach. For more information, see [What is Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md).
-* **Disconnected forests**: Use [Azure AD cloud provisioning](../cloud-sync/what-is-cloud-sync.md). This method enables you to connect to disconnected forests, eliminating the need to establish cross-forest connectivity or trusts, which can broaden the effect of an on-premises breach.
-
### Limitations and tradeoffs When used to provision hybrid accounts, the Azure-AD-from-cloud-HR system relies on on-premises synchronization to complete the data flow from Active Directory to Azure AD. If synchronization is interrupted, new employee records won't be available in Azure AD.
When used to provision hybrid accounts, the Azure-AD-from-cloud-HR system relies
Cloud groups allow you to decouple your collaboration and access from your on-premises infrastructure.
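Review bot: In the **Disconnected forests** item, the text says "Use Azure AD cloud provisioning" while the link it now carries is titled "What is Azure AD Connect cloud sync" (path `../cloud-sync/what-is-cloud-sync.md`); use the same name in both places, "Azure AD Connect cloud sync", so it is not confused with the Azure AD app provisioning item two bullets earlier. Secondary: the **External identities** item keeps "Carefully evaluate any direct federation with other identity providers" without saying what to evaluate; a short clause tying it back to the federation trust risk described under the threat sources section would tell the reader why.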
-* **Collaboration**: Use Microsoft 365 Groups and Microsoft Teams for modern collaboration. Decommission on-premises distribution lists, and [upgrade distribution lists to Microsoft 365 Groups in Outlook](/office365/admin/manage/upgrade-distribution-lists).
-
-* **Access**: Use Azure AD security groups or Microsoft 365 Groups to authorize access to applications in Azure AD.
-
-* **Office 365 licensing**: Use group-based licensing to provision to Office 365 by using cloud-only groups. This method decouples control of group membership from on-premises infrastructure.
+- **Collaboration**. Use Microsoft 365 Groups and Microsoft Teams for modern collaboration. Decommission on-premises distribution lists, and [upgrade distribution lists to Microsoft 365 Groups in Outlook](/office365/admin/manage/upgrade-distribution-lists).
+- **Access**. Use Azure AD security groups or Microsoft 365 Groups to authorize access to applications in Azure AD.
+- **Office 365 licensing**. Use group-based licensing to provision to Office 365 by using cloud-only groups. This method decouples control of group membership from on-premises infrastructure.
Owners of groups that are used for access should be considered privileged identities to avoid membership takeover in an on-premises compromise. A takeover would include direct manipulation of group membership on-premises or manipulation of on-premises attributes that can affect dynamic group membership in Microsoft 365.
Owners of groups that are used for access should be considered privileged identi
Use Azure AD capabilities to securely manage devices. -- **Use Windows 10 workstations**: [Deploy Azure AD joined](../devices/azureadjoin-plan.md) devices with MDM policies. Enable [Windows Autopilot](/mem/autopilot/windows-autopilot) for a fully automated provisioning experience.-
- - Deprecate machines that run Windows 8.1 and earlier.
-
- - Don't deploy server OS machines as workstations.
+Deploy Azure AD joined Windows 10 workstations with mobile device management policies. Enable Windows Autopilot for a fully automated provisioning experience. See [Plan your Azure AD join implementation](../devices/azureadjoin-plan.md) and [Windows Autopilot](/mem/autopilot/windows-autopilot).
- - Use [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune) as the source of authority for all device management workloads.
+- **Use Windows 10 workstations**.
+ - Deprecate machines that run Windows 8.1 and earlier.
+ - Don't deploy computers that have server operating systems as workstations.
+- **Use Microsoft Endpoint Manager as the authority for all device management workloads.** See [Microsoft Endpoint Manager](https://www.microsoft.com/security/business/microsoft-endpoint-manager).
+- **Deploy privileged access devices.** For more information, see [Device roles and profiles](/security/compass/privileged-access-devices#device-roles-and-profiles).
-- [**Deploy privileged access devices**](/security/compass/privileged-access-devices#device-roles-and-profiles):
- Use privileged access to manage Microsoft 365 and Azure AD as part of a complete approach to [Securing privileged access](/security/compass/overview).
+### Workloads, applications, and resources
-## Workloads, applications, and resources
+- **On-premises single-sign-on (SSO) systems**
-- **On-premises single-sign-on (SSO) systems**
+ Deprecate any on-premises federation and web access management infrastructure. Configure applications to use Azure AD.
- Deprecate any on-premises federation and web access management infrastructure. Configure applications to use Azure AD.
+- **SaaS and line-of-business (LOB) applications that support modern authentication protocols**
-- **SaaS and line-of-business (LOB) applications that support modern authentication protocols**
+ Use Azure AD for SSO. The more apps you configure to use Azure AD for authentication, the less risk in an on-premises compromise. For more information, see [What is single sign-on in Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- [Use Azure AD for SSO](../manage-apps/what-is-single-sign-on.md). The more apps you configure to use Azure AD for authentication, the less risk in an on-premises compromise.
+- **Legacy applications**
+ You can enable authentication, authorization, and remote access to legacy applications that don't support modern authentication. Use [Azure AD Application Proxy](../app-proxy/application-proxy.md). Or, enable them through a network or application delivery controller solution by using secure hybrid access partner integrations. See [Secure legacy apps with Azure Active Directory](../manage-apps/secure-hybrid-access.md).
-* **Legacy applications**
+ Choose a VPN vendor that supports modern authentication. Integrate its authentication with Azure AD. In an on-premises compromise, you can use Azure AD to disable or block access by disabling the VPN.
- * You can enable authentication, authorization, and remote access to legacy applications that don't support modern authentication. Use [Azure AD Application Proxy](../app-proxy/application-proxy.md). You can also enable them through a network or application delivery controller solution by using [secure hybrid access partner integrations](../manage-apps/secure-hybrid-access.md).
+- **Application and workload servers**
- * Choose a VPN vendor that supports modern authentication. Integrate its authentication with Azure AD. In an on-premises compromise, you can use Azure AD to disable or block access by disabling the VPN.
+ Applications or resources that required servers can be migrated to Azure infrastructure as a service (IaaS). Use Azure AD Domain Services (Azure AD DS) to decouple trust and dependency on on-premises instances of Active Directory. To achieve this decoupling, make sure virtual networks used for Azure AD DS don't have a connection to corporate networks. See [Azure AD Domain Services](../../active-directory-domain-services/overview.md).
-* **Application and workload servers**
-
- * Applications or resources that required servers can be migrated to Azure infrastructure as a service (IaaS). Use [Azure AD Domain Services](../../active-directory-domain-services/overview.md) (Azure AD DS) to decouple trust and dependency on on-premises instances of Active Directory. To achieve this decoupling, make sure virtual networks used for Azure AD DS don't have a connection to corporate networks.
-
- * Follow the guidance for [credential tiering](/security/compass/privileged-access-access-model#ADATM_BM). Application servers are typically considered tier-1 assets.
+ Use credential tiering. Application servers are typically considered tier-1 assets. For more information, see [Enterprise access model](/security/compass/privileged-access-access-model#ADATM_BM).
## Conditional Access policies Use Azure AD Conditional Access to interpret signals and use them to make authentication decisions. For more information, see the [Conditional Access deployment plan](../conditional-access/plan-conditional-access.md).
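Review bot: `+### Workloads, applications, and resources` demotes the section from H2 (the removed `## Workloads, applications, and resources`) to H3, which nests the application and workload guidance under the preceding device-management section and changes the page's table of contents; unless that nesting is intended, keep `##`. Secondary: the new **Deploy privileged access devices** item drops the removed sentence "Use privileged access to manage Microsoft 365 and Azure AD as part of a complete approach to Securing privileged access" and its `/security/compass/overview` link, leaving only the device roles link; consider keeping the overview reference. Also, `- **Use Windows 10 workstations**.` now has no body of its own because the deploy-and-Autopilot sentence was moved above the list into a standalone paragraph; fold that paragraph back under the bullet.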
-* Use Conditional Access to [block legacy authentication protocols](../conditional-access/howto-conditional-access-policy-block-legacy.md) whenever possible. Additionally, disable legacy authentication protocols at the application level by using an application-specific configuration.
+- Use Conditional Access to block legacy authentication protocols whenever possible. Additionally, disable legacy authentication protocols at the application level by using an application-specific configuration. See [Block legacy authentication](../conditional-access/howto-conditional-access-policy-block-legacy.md).
+
+ For more information, see [Legacy authentication protocols](../fundamentals/auth-sync-overview.md#legacy-authentication-protocols). Or see specific details for [Exchange Online](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online) and [SharePoint Online](/powershell/module/sharepoint-online/set-spotenant).
- For more information, see [Legacy authentication protocols](../fundamentals/auth-sync-overview.md). Or see specific details for [Exchange Online](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online) and [SharePoint Online](/powershell/module/sharepoint-online/set-spotenant).
+- Implement the recommended identity and device access configurations. See [Common Zero Trust identity and device access policies](/microsoft-365/security/office-365-security/identity-access-policies).
-* Implement the recommended [identity and device access configurations](/microsoft-365/security/office-365-security/identity-access-policies).
+- If you're using a version of Azure AD that doesn't include Conditional Access, use [Security defaults in Azure AD](../fundamentals/concept-fundamentals-security-defaults.md).
-* If you're using a version of Azure AD that doesn't include Conditional Access, ensure that you're using the [Azure AD security defaults](../fundamentals/concept-fundamentals-security-defaults.md).
+ For more information about Azure AD feature licensing, see the [Azure AD pricing guide](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
- For more information about Azure AD feature licensing, see the [Azure AD pricing guide](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+## Monitor
-## Monitor
+After you configure your environment to protect your Microsoft 365 from an on-premises compromise, proactively monitor the environment. For more information, see [What is Azure Active Directory monitoring](../reports-monitoring/overview-monitoring.md).
-After you configure your environment to protect your Microsoft 365
-from an on-premises compromise, [proactively monitor](../reports-monitoring/overview-monitoring.md)
-the environment.
### Scenarios to monitor Monitor the following key scenarios, in addition to any scenarios specific to your organization. For example, you should proactively monitor access to your business-critical applications and resources.
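Review bot: In the first Conditional Access bullet, moving the link to "See [Block legacy authentication](...)" after the sentence about application-level configuration makes the link read as if it documents the app-specific configuration, whereas in the removed line it was attached to blocking legacy authentication protocols with Conditional Access; place "See [Block legacy authentication](...)" directly after the first sentence. Secondary: the rewritten Monitor intro "protect your Microsoft 365 from an on-premises compromise" is missing "environment" (compare "Microsoft 365 cloud environment" in the description line at the top of this diff).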
-* **Suspicious activity**
-
- Monitor all [Azure AD risk events](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation) for suspicious activity. [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) is natively integrated with Microsoft Defender for Cloud.
-
- Define the network [named locations](../conditional-access/location-condition.md) to avoid noisy detections on location-based signals.
-* **User and Entity Behavioral Analytics (UEBA) alerts**
-
- Use UEBA to get insights on anomaly detection.
+- **Suspicious activity**
- * Microsoft Defender for Cloud Apps provides [UEBA in the cloud](/cloud-app-security/tutorial-ueba).
+ Monitor all Azure AD risk events for suspicious activity. See [Risk detection and remediation](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation). Azure AD Identity Protection is natively integrated with Microsoft Defender for Cloud. See [What is Identity Protection](../identity-protection/overview-identity-protection.md).
- * You can [integrate on-premises UEBA from Azure Advanced Threat Protection (ATP)](/defender-for-identity/install-step2). Defender for Cloud Apps reads signals from Azure AD Identity Protection.
+ Define the network named locations to avoid noisy detections on location-based signals. See [Using the location condition in a Conditional Access policy](../conditional-access/location-condition.md).
-* **Emergency access accounts activity**
+- **User and Entity Behavioral Analytics (UEBA) alerts**
- Monitor any access that uses [emergency access accounts](../roles/security-emergency-access.md). Create alerts for investigations. This monitoring must include:
+ Use UEBA to get insights on anomaly detection. Microsoft Defender for Cloud Apps provides UEBA in the cloud. See [Investigate risky users](/cloud-app-security/tutorial-ueba).
- * Sign-ins.
+ You can integrate on-premises UEBA from Azure Advanced Threat Protection (ATP). Microsoft Defender for Cloud Apps reads signals from Azure AD Identity Protection. See [Connect to your Active Directory Forest](/defender-for-identity/install-step2).
- * Credential management.
+- **Emergency access accounts activity**
- * Any updates on group memberships.
+ Monitor any access that uses emergency access accounts. See [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md). Create alerts for investigations. This monitoring must include the following actions:
- * Application assignments.
+ - Sign-ins
+ - Credential management
+ - Any updates on group memberships
+ - Application assignments
-* **Privileged role activity**
+- **Privileged role activity**
- Configure and review security [alerts generated by Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-how-to-configure-security-alerts.md?tabs=new#security-alerts). Monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly.
+ Configure and review security alerts generated by Azure AD Privileged Identity Management (PIM). Monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly. See [Security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md?tabs=new#security-alerts).
-* **Azure AD tenant-wide configurations**
+- **Azure AD tenant-wide configurations**
- Any change to tenant-wide configurations should generate alerts in the system. These changes include but aren't limited to:
+ Any change to tenant-wide configurations should generate alerts in the system. These changes include but aren't limited to the following changes:
- * Updated custom domains.
+ - Updated custom domains
+ - Azure AD B2B changes to allowlists and blocklists
+ - Azure AD B2B changes to allowed identity providers, such as SAML identity providers through direct federation or social sign-ins
+ - Conditional Access or Risk policy changes
- * Azure AD B2B changes to allowlists and blocklists.
+- **Application and service principal objects**
- * Azure AD B2B changes to allowed identity providers (SAML identity providers through direct federation or social sign-ins).
+ - New applications or service principals that might require Conditional Access policies
+ - Credentials added to service principals
+ - Application consent activity
- * Conditional Access or Risk policy changes.
+- **Custom roles**
-* **Application and service principal objects**
-
- * New applications or service principals that might require Conditional Access policies.
-
- * Credentials added to service principals.
- * Application consent activity.
-
-* **Custom roles**
- * Updates to the custom role definitions.
-
- * Newly created custom roles.
+ - Updates to the custom role definitions
+ - Newly created custom roles
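Review bot: The UEBA bullet still names the on-premises sensor "Azure Advanced Threat Protection (ATP)" while linking to `/defender-for-identity/install-step2`, which this same change set elsewhere titles "Connect Microsoft Defender for Identity to Active Directory quickstart"; rename it to Microsoft Defender for Identity (formerly Azure ATP) so the product name matches the link target. Also, in `Conditional Access or Risk policy changes` the capital R on "Risk" looks unintended unless a specific product feature is meant; "risk policy" otherwise reads as a generic term.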
### Log management Define a log storage and retention strategy, design, and implementation to facilitate a consistent tool set. For example, you could consider security information and event management (SIEM) systems like Microsoft Sentinel, common queries, and investigation and forensics playbooks.
-* **Azure AD logs**: Ingest generated logs and signals by consistently following best practices for settings such as diagnostics, log retention, and SIEM ingestion.
-
- The log strategy must include the following Azure AD logs:
- * Sign-in activity
-
- * Audit logs
-
- * Risk events
+- **Azure AD logs**. Ingest generated logs and signals by consistently following best practices for settings such as diagnostics, log retention, and SIEM ingestion.
- Azure AD provides [Azure Monitor integration](../reports-monitoring/concept-activity-logs-azure-monitor.md) for the sign-in activity log and audit logs. Risk events can be ingested through the [Microsoft Graph API](/graph/api/resources/identityprotection-root). You can [stream Azure AD logs to Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
+ The log strategy must include the following Azure AD logs:
-* **Hybrid infrastructure OS security logs**: All hybrid identity infrastructure OS logs should be archived and carefully monitored as a tier-0 system, because of the surface-area implications. Include the following elements:
+ - Sign-in activity
+ - Audit logs
+ - Risk events
- * Azure AD Connect. [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md) must be deployed to monitor identity synchronization.
+ Azure AD provides Azure Monitor integration for the sign-in activity log and audit logs. See [Azure AD activity logs in Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md).
- * Application Proxy agents
+ Use the Microsoft Graph API to ingest risk events. See [Use the Microsoft Graph identity protection APIs](/graph/api/resources/identityprotection-root).
+ You can stream Azure AD logs to Azure Monitor logs. See [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
- * Password writeback agents
+- **Hybrid infrastructure operating system security logs**. All hybrid identity infrastructure operating system logs should be archived and carefully monitored as a tier-0 system, because of the surface-area implications. Include the following elements:
- * Password Protection Gateway machines
+ - Application Proxy agents
+ - Password writeback agents
+ - Password Protection Gateway machines
+ - Network policy servers (NPSs) that have the Azure AD multifactor authentication RADIUS extension
+ - Azure AD Connect
- * Network policy servers (NPSs) that have the Azure AD multifactor authentication RADIUS extension
+ You must deploy Azure AD Connect Health to monitor identity synchronization. See [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).
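Review bot: The trailing sentence `+ You must deploy Azure AD Connect Health to monitor identity synchronization. See [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).` now points the Connect Health requirement at the general Azure AD Connect overview and detaches it from the `Azure AD Connect` list entry it previously qualified. Either link a Connect Health article here, or keep the Health sentence with the Azure AD Connect item so readers can see which component the requirement applies to.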
## Next steps
-* [Build resilience into identity and access management by using Azure AD](resilience-overview.md)
-* [Secure external access to resources](secure-external-access-resources.md)
-* [Integrate all your apps with Azure AD](five-steps-to-full-application-integration-with-azure-ad.md)
+- [Build resilience into identity and access management by using Azure AD](resilience-overview.md)
+- [Secure external access to resources](secure-external-access-resources.md)
+- [Integrate all your apps with Azure AD](five-steps-to-full-application-integration-with-azure-ad.md)
active-directory Resilience Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/resilience-overview.md
Title: Building resilient identity and access management with Azure Active Directory
-description: A guide for architects, IT administrators, and developers on building resilience to disruption of their identity systems.
+ Title: Resilience in identity and access management with Azure Active Directory
+description: Learn how to build resilience into identity and access management. Resilience helps endure disruption to system components and recover with minimal effort.
- Previously updated : 11/30/2020+ Last updated : 04/29/2022 -+
+ - it-pro
+ - seodec18
+ - kr2b-contr-experiment
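Review bot: The metadata title changes to `Title: Resilience in identity and access management with Azure Active Directory`, but the H1 below stays `# Building resilience into identity and access management with Azure Active Directory`; align one with the other so the browser title and the page heading match. The three added entries (`it-pro`, `seodec18`, `kr2b-contr-experiment`) have no visible parent key in this hunk, so check that they landed under the intended metadata list.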
# Building resilience into identity and access management with Azure Active Directory
-Identity and access management (IAM) is a framework of processes, policies, and technologies that facilitate the management of identities and what they access. It includes the many components supporting the authentication and authorization of user and other accounts in your system.
+Identity and access management (IAM) is a framework of processes, policies, and technologies. IAM facilitates the management of identities and what they access. It includes the many components supporting the authentication and authorization of user and other accounts in your system.
-IAM resilience is the ability to endure disruption to system components and recover with minimal impact to your business, users, customers, and operations. Reducing dependencies, complexity, and single-points-of-failure, while ensuring comprehensive error handling will increase your resilience.
+IAM resilience is the ability to endure disruption to system components and recover with minimal impact to your business, users, customers, and operations. Reducing dependencies, complexity, and single-points-of-failure, while ensuring comprehensive error handling, increases your resilience.
-Disruption can come from any component of your IAM systems. To build a resilient IAM system, assume disruptions will occur and plan for it.
+Disruption can come from any component of your IAM systems. To build a resilient IAM system, assume disruptions will occur and plan for them.
-When planning the resilience of your IAM solution, consider the following elements:
+When planning the resilience of your IAM solution, consider the following elements:
-* Your applications that rely on your IAM system.
+* Your applications that rely on your IAM system
+* The public infrastructures your authentication calls use, including telecom companies, Internet service providers, and public key providers
+* Your cloud and on-premises identity providers
+* Other services that rely on your IAM, and the APIs that connect them
+* Any other on-premises components in your system
-* The public infrastructures your authentication calls use, including telecom companies, Internet service providers, and public key providers.
-
-* Your cloud and on-premises identity providers.
-
-* Other services that rely on your IAM, and the APIs that connect them.
-
-* Any other on-premises components in your system.
-
-Whatever the source, recognizing and planning for the contingencies is important. However, adding additional identity systems, and their resultant dependencies and complexity, may reduce your resilience rather than increase it.
+Whatever the source, recognizing and planning for the contingencies is important. However, adding other identity systems, and their resultant dependencies and complexity, may reduce your resilience rather than increase it.
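Review bot: `single-points-of-failure` stays hyphenated in the rewritten sentence; as a plain noun phrase it should be `single points of failure`. The `+When planning the resilience of your IAM solution, consider the following elements:` line is identical to the removed one, so that part of the hunk is whitespace-only and can be dropped to keep the diff focused.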
To build more resilience in your systems, review the following articles: * [Build resilience in your IAM infrastructure](resilience-in-infrastructure.md)- * [Build IAM resilience in your applications](resilience-app-development-overview.md)- * [Build resilience in your Customer Identity and Access Management (CIAM) systems](resilience-b2c.md)
active-directory Security Operations Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-operations-introduction.md
Title: Azure Active Directory security operations guide
-description: Learn to monitor, identify, and alert on security issues with accounts, applications, devices, and infrastructure
+description: Learn to monitor, identify, and alert on security issues with accounts, applications, devices, and infrastructure in Azure Active Directory.
- Previously updated : 07/15/2021+ Last updated : 04/29/2022 -+
+ - it-pro
+ - seodec18
+ - kr2b-contr-experiment
# Azure Active Directory security operations guide
-Microsoft has a successful and proven approach to [Zero Trust security](https://aka.ms/Zero-Trust) using [Defense in Depth](https://us-cert.cisa.gov/bsi/articles/knowledge/principles/defense-in-depth) principles that leverage identity as a control plane. As organizations continue to embrace a hybrid workload world for scale, cost savings, and security, Azure Active Directory (Azure AD) plays a pivotal role in your strategy for identity management. Recently, news surrounding identity and security compromise has increasingly prompted enterprise IT to consider their identity security posture as a measurement of defensive security success.
+Microsoft has a successful and proven approach to [Zero Trust security](https://aka.ms/Zero-Trust) using [Defense in Depth](https://us-cert.cisa.gov/bsi/articles/knowledge/principles/defense-in-depth) principles that use identity as a control plane. Organizations continue to embrace a hybrid workload world for scale, cost savings, and security. Azure Active Directory (Azure AD) plays a pivotal role in your strategy for identity management. Recently, news surrounding identity and security compromise has increasingly prompted enterprise IT to consider their identity security posture as a measurement of defensive security success.
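Review bot: Splitting `As organizations continue to embrace a hybrid workload world ..., Azure Active Directory (Azure AD) plays a pivotal role` into two sentences drops the causal link between them; consider `Because organizations continue to ..., Azure AD plays a pivotal role ...`. While here, the next unchanged line contains `onΓÇôpremises`, a mis-encoded en dash where `on-premises` needs a plain hyphen.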
Increasingly, organizations must embrace a mixture of on-premises and cloud applications, which users access with both onΓÇôpremises and cloud-only accounts. Managing users, applications, and devices both on-premises and in the cloud poses challenging scenarios.
-Azure Active Directory creates a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
+## Hybrid identity
+
+Azure Active Directory creates a common user identity for authentication and authorization to all resources, regardless of location. We call this *hybrid identity*.
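Review bot: Inserting `## Hybrid identity` here, combined with demoting `## Audience` and `## Scope` to `###` further down, places the guide's audience and scope sections under a hybrid-identity heading they do not belong to. Keep Audience and Scope at `##` (or move the Hybrid identity section after them) so the outline reflects the content.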
To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are: * [Password hash synchronization (PHS)](../hybrid/whatis-phs.md)- * [Pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md)- * [Federation (AD FS)](../hybrid/whatis-fed.md) As you audit your current security operations or establish security operations for your Azure environment, we recommend you: * Read specific portions of the Microsoft security guidance to establish a baseline of knowledge about securing your cloud-based or hybrid Azure environment.- * Audit your account and password strategy and authentication methods to help deter the most common attack vectors.- * Create a strategy for continuous monitoring and alerting on activities that might indicate a security threat.
-## Audience
+### Audience
The Azure AD SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.
-## Scope
+### Scope
-This introduction provides the suggested prereading and password audit and strategy recommendations. This article also provides an overview of the tools available for hybrid Azure environments as well as fully cloud-based Azure environments. Finally, we provide a list of data sources you can use for monitoring and alerting and configuring your security information and event management (SIEM) strategy and environment. The rest of the guidance presents monitoring and alerting strategies in the following areas:
+This introduction provides the suggested prereading and password audit and strategy recommendations. This article also provides an overview of the tools available for hybrid Azure environments and fully cloud-based Azure environments. Finally, we provide a list of data sources you can use for monitoring and alerting and configuring your security information and event management (SIEM) strategy and environment. The rest of the guidance presents monitoring and alerting strategies in the following areas:
-* [User accounts](security-operations-user-accounts.md) ΓÇô Guidance specific to non-privileged user accounts without administrative privilege, including anomalous account creation and usage, and unusual sign-ins.
+* [User accounts](security-operations-user-accounts.md). Guidance specific to non-privileged user accounts without administrative privilege, including anomalous account creation and usage, and unusual sign-ins.
-* [Privileged accounts](security-operations-privileged-accounts.md) ΓÇô Guidance specific to privileged user accounts that have elevated permissions to perform administrative tasks, including Azure AD role assignments, Azure resource role assignments, and access management for Azure resources and subscriptions.
+* [Privileged accounts](security-operations-privileged-accounts.md). Guidance specific to privileged user accounts that have elevated permissions to perform administrative tasks. Tasks include Azure AD role assignments, Azure resource role assignments, and access management for Azure resources and subscriptions.
-* [Privileged Identity Management (PIM)](security-operations-privileged-identity-management.md) ΓÇô guidance specific to using PIM to manage, control, and monitor access to resources.
+* [Privileged Identity Management (PIM)](security-operations-privileged-identity-management.md). Guidance specific to using PIM to manage, control, and monitor access to resources.
-* [Applications](security-operations-applications.md) ΓÇô Guidance specific to accounts used to provide authentication for applications.
+* [Applications](security-operations-applications.md). Guidance specific to accounts used to provide authentication for applications.
-* [Devices](security-operations-devices.md) ΓÇô Guidance specific to monitoring and alerting for devices registered or joined outside of policies, non-compliant usage, managing device administration roles, and sign-ins to virtual machines.
+* [Devices](security-operations-devices.md). Guidance specific to monitoring and alerting for devices registered or joined outside of policies, non-compliant usage, managing device administration roles, and sign-ins to virtual machines.
-* [Infrastructure](security-operations-infrastructure.md)ΓÇô Guidance specific to monitoring and alerting on threats to your hybrid and purely cloud-based environments.
+* [Infrastructure](security-operations-infrastructure.md). Guidance specific to monitoring and alerting on threats to your hybrid and purely cloud-based environments.
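Review bot: `non-privileged user accounts without administrative privilege` in the User accounts bullet says the same thing twice (carried over from the removed line); `user accounts without administrative privileges` is enough.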
## Important reference content
-Microsoft has many products and services that enable you to customize your IT environment to fit your needs. We recommend as part of your monitoring and alerting strategy you review the following guidance that is relevant to your operating environment:
+Microsoft has many products and services that enable you to customize your IT environment to fit your needs. We recommend that you review the following guidance for your operating environment:
* Windows operating systems
- * [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
-
- * [Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093)
+ * [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
+ * [Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093)
+ * [Security baseline for Windows 11](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772)
+ * [Security baseline for Windows Server 2022](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685)
- * [Security baseline for Windows 11](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772)
-
- * [Security baseline for Windows Server 2022](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685)
-
* On-premises environments
- * [Microsoft Defender for Identity architecture](/defender-for-identity/architecture)
-
- * [Connect Microsoft Defender for Identity to Active Directory quickstart](/defender-for-identity/install-step2)
-
- * [Azure security baseline for Microsoft Defender for Identity](/defender-for-identity/security-baseline)
-
- * [Monitoring Active Directory for Signs of Compromise](/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise)
+ * [Microsoft Defender for Identity architecture](/defender-for-identity/architecture)
+ * [Connect Microsoft Defender for Identity to Active Directory quickstart](/defender-for-identity/install-step2)
+ * [Azure security baseline for Microsoft Defender for Identity](/defender-for-identity/security-baseline)
+ * [Monitoring Active Directory for Signs of Compromise](/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise)
* Cloud-based Azure environments -
- * [Monitor sign-ins with the Azure AD sign-in log](../reports-monitoring/concept-all-sign-ins.md)
-
- * [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)
-
- * [Investigate risk with Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-investigate-risk.md)
-
- * [Connect Azure AD Identity Protection data to Microsoft Sentinel](../../sentinel/data-connectors-reference.md#azure-active-directory-identity-protection)
+ * [Monitor sign-ins with the Azure AD sign-in log](../reports-monitoring/concept-all-sign-ins.md)
+ * [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)
+ * [Investigate risk with Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-investigate-risk.md)
+ * [Connect Azure AD Identity Protection data to Microsoft Sentinel](../../sentinel/data-connectors-reference.md#azure-active-directory-identity-protection)
* Active Directory Domain Services (AD DS)
- * [Audit Policy Recommendations](/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)
+ * [Audit Policy Recommendations](/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)
* Active Directory Federation Services (AD FS)
- * [AD FS Troubleshooting - Auditing Events and Logging](/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging)
+ * [AD FS Troubleshooting - Auditing Events and Logging](/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging)
-## Data sources
+## Data sources
The log files you use for investigation and monitoring are: * [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)- * [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)- * [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview)- * [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)
-From the Azure portal you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+From the Azure portal, you can view the Azure AD Audit logs. Download logs as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
-* **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+* **[Microsoft Sentinel](../../sentinel/overview.md)**. Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
-* **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+* **[Azure Monitor](../../azure-monitor/overview.md)**. Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
-* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hub integration.
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM. Azure AD logs can be integrated to other SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md).
-* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check the compliance of your cloud apps.
+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)**. Enables you to discover and manage apps, govern across apps and resources, and check the compliance of your cloud apps.
-* **[Securing workload identities with Identity Protection Preview](..//identity-protection/concept-workload-identity-risk.md)** - Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.
+* **[Securing workload identities with Identity Protection Preview](../identity-protection/concept-workload-identity-risk.md)**. Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.
-Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, as well as the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.
+Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the Conditional Access insights and reporting workbook to examine the effects of one or more Conditional Access policies on your sign-ins and the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user. For more information, see [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).
-The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
+The remainder of this article describes what to monitor and alert on. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
-* **[Identity Protection](../identity-protection/overview-identity-protection.md)** -- generates three key reports that you can use to help with your investigation:
+* **[Identity Protection](../identity-protection/overview-identity-protection.md)** generates three key reports that you can use to help with your investigation:
- * **Risky users** ΓÇô contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
+* **Risky users** contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
- * **Risky sign-ins** ΓÇô contains information surrounding the circumstance of a sign-in that might indicate suspicious circumstances. For additional information on investigating information from this report, visit [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
+* **Risky sign-ins** contains information surrounding the circumstance of a sign-in that might indicate suspicious circumstances. For more information on investigating information from this report, see [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
- * **Risk detections** - contains information on risk signals detected by Azure AD Identity Protection that informs sign-in and user risk. For more information, see the [Azure AD security operations guide for user accounts](security-operations-user-accounts.md).
+* **Risk detections** contains information on risk signals detected by Azure AD Identity Protection that informs sign-in and user risk. For more information, see the [Azure AD security operations guide for user accounts](security-operations-user-accounts.md).
+
+For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md).
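Review bot: De-indenting `* **Risky users**`, `* **Risky sign-ins**` and `* **Risk detections**` to top-level bullets breaks the list: the preceding bullet says Identity Protection "generates three key reports", so these three items should stay nested under it. The new closing line `For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md).` repeats the link already on the Identity Protection bullet and can go. Also, `Download logs as comma separated value (CSV) or JavaScript Object Notation (JSON) files.` turns a capability into an instruction; prefer `You can also download them as comma-separated values (CSV) or JavaScript Object Notation (JSON) files.`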
### Data sources for domain controller monitoring
-For the best results, we recommend that you monitor your domain controllers using Microsoft Defender for Identity. This will enable you for the best detection and automation capabilities. Please follow the guidance from:
+For the best results, we recommend that you monitor your domain controllers using Microsoft Defender for Identity. This approach enables the best detection and automation capabilities. Follow the guidance from these resources:
* [Microsoft Defender for Identity architecture](/defender-for-identity/architecture)- * [Connect Microsoft Defender for Identity to Active Directory quickstart](/defender-for-identity/install-step2)
-If you do not plan to use Microsoft Defender for identity, you can [monitor your domain controllers either by event log messages](/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise) or by [running PowerShell cmdlets](/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment).
+If you don't plan to use Microsoft Defender for Identity, monitor your domain controllers by one of these approaches:
+
+* Event log messages. See [Monitoring Active Directory for Signs of Compromise](/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise).
+* PowerShell cmdlets. See [Troubleshooting Domain Controller Deployment](/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment).
## Components of hybrid authentication
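Review bot: The "PowerShell cmdlets" bullet points at "Troubleshooting Domain Controller Deployment", which is a deployment troubleshooting article, not a monitoring reference; the bullet claims it is a way to "monitor your domain controllers". Either link to a page that actually covers monitoring DCs with PowerShell, or reword the bullet to say what the linked article provides (for example, "PowerShell cmdlets for checking domain controller health and deployment state").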
-As part of an Azure hybrid environment, the following should be baselined and included in your monitoring and alerting strategy.
+As part of an Azure hybrid environment, the following items should be baselined and included in your monitoring and alerting strategy.
-* **PTA Agent** ΓÇô The Pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See [Azure AD Pass-through Authentication agent: Version release history](../hybrid/reference-connect-pta-version-history.md) for information on verifying your agent version and next steps.
+* **PTA Agent**. The pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See [Azure AD Pass-through Authentication agent: Version release history](../hybrid/reference-connect-pta-version-history.md) for information on verifying your agent version and next steps.
-* **AD FS/WAP** ΓÇô Azure Active Directory Federation Services (Azure AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. For information on security best practices, see [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs).
+* **AD FS/WAP**. Azure Active Directory Federation Services (Azure AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. For information on security best practices, see [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs).
-* **Azure AD Connect Health Agent** ΓÇô The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see [Azure AD Connect Health agent installation](../hybrid/how-to-connect-health-agent-install.md).
+* **Azure AD Connect Health Agent**. The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see [Azure AD Connect Health agent installation](../hybrid/how-to-connect-health-agent-install.md).
-* **Azure AD Connect Sync Engine** - The on-premises component, also called the sync engine. For information on the feature, see [Azure AD Connect sync service features](../hybrid/how-to-connect-syncservice-features.md).
+* **Azure AD Connect Sync Engine**. The on-premises component, also called the sync engine. For information on the feature, see [Azure AD Connect sync service features](../hybrid/how-to-connect-syncservice-features.md).
-* **Password Protection DC agent** ΓÇô Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).
+* **Password Protection DC agent**. Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).
-* **Password Filter DLL** ΓÇô The password filter DLL of the DC Agent receives user password-validation requests from the operating system. The filter forwards them to the DC Agent service that's running locally on the DC. For information on using the DLL, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).
+* **Password Filter DLL**. The password filter DLL of the DC Agent receives user password-validation requests from the operating system. The filter forwards them to the DC Agent service that's running locally on the DC. For information on using the DLL, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).
-* **Password writeback Agent** ΓÇô Password writeback is a feature enabled with [Azure AD Connect](../hybrid/whatis-hybrid-identity.md) that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see [How does self-service password reset writeback work in Azure Active Directory?](../authentication/concept-sspr-writeback.md)
+* **Password writeback Agent**. Password writeback is a feature enabled with [Azure AD Connect](../hybrid/whatis-hybrid-identity.md) that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see [How does self-service password reset writeback work in Azure Active Directory](../authentication/concept-sspr-writeback.md).
-* **Azure AD Application Proxy Connector** ΓÇô Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Azure ADF Application Proxy connectors](../app-proxy/application-proxy-connectors.md).
+* **Azure AD Application Proxy Connector**. Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Azure ADF Application Proxy connectors](../app-proxy/application-proxy-connectors.md).
## Components of cloud-based authentication
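Review bot: Two wording problems survive in this hunk. The link text "Understand Azure ADF Application Proxy connectors" (the Application Proxy Connector bullet) has a typo, "ADF" should read "AD". The AD FS/WAP bullet expands the acronym as "Azure Active Directory Federation Services (Azure AD FS)", but the linked article is under /windows-server/identity/ad-fs/ and the product is Active Directory Federation Services (AD FS), the on-premises Windows Server role; "Azure" should be removed from the expansion so readers don't confuse it with Azure AD.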
-As part of an Azure cloud-based environment, the following should be baselined and included in your monitoring and alerting strategy.
+As part of an Azure cloud-based environment, the following items should be baselined and included in your monitoring and alerting strategy.
-* **Azure AD Application Proxy** ΓÇô This cloud service provides secure remote access to on-premises web applications. For more information, see [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy-connectors.md).
+* **Azure AD Application Proxy**. This cloud service provides secure remote access to on-premises web applications. For more information, see [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy-connectors.md).
-* **Azure AD Connect** ΓÇô Services used for an Azure AD Connect solution. For more information, see [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).
+* **Azure AD Connect**. Services used for an Azure AD Connect solution. For more information, see [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).
-* **Azure AD Connect Health** ΓÇô Service Health provides you with a customizable dashboard which tracks the health of your Azure services in the regions where you use them. For more information, see [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md).
+* **Azure AD Connect Health**. Service Health provides you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. For more information, see [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md).
-* **Azure MFA** ΓÇô Azure AD Multi-Factor Authentication requires a user to provide more than one form of proof for authentication. This can provide a proactive first step to securing your environment. For more information, see [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md).
+* **Azure AD multifactor authentication**. Multifactor authentication requires a user to provide more than one form of proof for authentication. This approach can provide a proactive first step to securing your environment. For more information, see [Azure AD multi-factor authentication](../authentication/concept-mfa-howitworks.md).
-* **Dynamic Groups** ΓÇô Dynamic configuration of security group membership for Azure Active Directory (Azure AD) Administrators can set rules to populate groups that are created in Azure AD based on user attributes. For more information, see [Dynamic groups and Azure Active Directory B2B collaboration](../external-identities/use-dynamic-groups.md).
+* **Dynamic groups**. Dynamic configuration of security group membership for Azure AD Administrators can set rules to populate groups that are created in Azure AD based on user attributes. For more information, see [Dynamic groups and Azure Active Directory B2B collaboration](../external-identities/use-dynamic-groups.md).
-* **Conditional Access** ΓÇô Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see [What is Conditional Access](../conditional-access/overview.md).
+* **Conditional Access**. Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see [What is Conditional Access](../conditional-access/overview.md).
-* **Identity Protection** ΓÇô A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md)?
+* **Identity Protection**. A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md).
-* **Group-based licensing**ΓÇô Licenses can be assigned to groups rather than directly to users. Azure AD stores information about license assignment states for users.
+* **Group-based licensing**. Licenses can be assigned to groups rather than directly to users. Azure AD stores information about license assignment states for users.
-* **Provisioning Service** ΓÇô Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see [How Application Provisioning works in Azure Active Directory](../app-provisioning/how-provisioning-works.md).
+* **Provisioning Service**. Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see [How Application Provisioning works in Azure Active Directory](../app-provisioning/how-provisioning-works.md).
-* **Graph API** ΓÇô The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see [Overview of Microsoft Graph](/graph/overview).
+* **Graph API**. The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see [Overview of Microsoft Graph](/graph/overview).
-* **Domain Service** ΓÇô Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy. For more information, see [What is Azure Active Directory Domain Services?](../../active-directory-domain-services/overview.md)
+* **Domain Service**. Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy. For more information, see [What is Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md).
-* **Azure Resource Manager** ΓÇô Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md)
+* **Azure Resource Manager**. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see [What is Azure Resource Manager](../../azure-resource-manager/management/overview.md).
-* **Managed Identity** ΓÇô Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more information, see [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)
+* **Managed identity**. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. For more information, see [What are managed identities for Azure resources](../managed-identities-azure-resources/overview.md).
-* **Privileged Identity Management** ΓÇô Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. For more information, see [What is Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md).
+* **Privileged Identity Management**. PIM is a service in Azure AD that enables you to manage, control, and monitor access to important resources in your organization. For more information, see [What is Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md).
-* **Access Reviews** ΓÇô Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access. For more information, see [What are Azure AD access reviews?](../governance/access-reviews-overview.md)
+* **Access reviews**. Azure AD access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed regularly to make sure only the right people have continued access. For more information, see [What are Azure AD access reviews](../governance/access-reviews-overview.md).
-* **Entitlement Management** ΓÇô Azure Active Directory (Azure AD) entitlement management is an [identity governance](../governance/identity-governance-overview.md) feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. For more information, see [What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)
+* **Entitlement management**. Azure AD entitlement management is an [identity governance](../governance/identity-governance-overview.md) feature. Organizations can manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. For more information, see [What is Azure AD entitlement management](../governance/entitlement-management-overview.md).
-* **Activity Logs** ΓÇô The Activity log is a [platform log](../../azure-monitor/essentials/platform-logs-overview.md) in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. For more information, see [Azure Activity log](../../azure-monitor/essentials/activity-log.md).
+* **Activity logs**. The Activity log is an Azure [platform log](../../azure-monitor/essentials/platform-logs-overview.md) that provides insight into subscription-level events. This log includes such information as when a resource is modified or when a virtual machine is started. For more information, see [Azure Activity log](../../azure-monitor/essentials/activity-log.md).
-* **Self-service Password reset service** ΓÇô Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md).
+* **Self-service password reset service**. Azure AD self-service password reset (SSPR) gives users the ability to change or reset their password. The administrator or help desk isn't required. For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md).
-* **Device Services** ΓÇô Device identity management is the foundation for [device-based Conditional Access](../conditional-access/require-managed-devices.md). With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see [What is a device identity?](../devices/overview.md)
+* **Device services**. Device identity management is the foundation for [device-based Conditional Access](../conditional-access/require-managed-devices.md). With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see [What is a device identity](../devices/overview.md).
-* **Self-Service Group Management** ΓÇô You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active Directory (Azure AD). The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features are not available for mail-enabled security groups or distribution lists. For more information, see [Set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md).
+* **Self-service group management**. You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure AD. The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features aren't available for mail-enabled security groups or distribution lists. For more information, see [Set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md).
-* **Risk detections** ΓÇô contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.
+* **Risk detections**. Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.
## Next steps See these security operations guide articles:
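Review bot: The final "Risk detections" bullet duplicates the "Risk detections" sub-bullet already given under the Identity Protection reports above, with a different description ("risk signals ... that informs sign-in and user risk" there, "other risks triggered when a risk is detected ... Microsoft Defender for Cloud Apps" here); keep one description and drop the stray bullet at the end of the cloud-based list, where it does not describe a component. Three smaller points in the same hunk: the "Dynamic groups" bullet lost its sentence break ("Dynamic configuration of security group membership for Azure AD Administrators can set rules" should read "... for Azure AD. Administrators can set rules ..."); the "Azure AD Connect Health" bullet describes Azure Service Health ("tracks the health of your Azure services in the regions where you use them") and links to whatis-azure-ad-connect.md, the same target as the preceding "Azure AD Connect" bullet; and the "Azure AD Application Proxy" bullet links to application-proxy-connectors.md, the same connectors article used for the hybrid connector bullet, although its link text promises the "Remote access to on-premises applications" overview.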
-[Azure AD security operations overview](security-operations-introduction.md)
-
-[Security operations for user accounts](security-operations-user-accounts.md)
-
-[Security operations for privileged accounts](security-operations-privileged-accounts.md)
-
-[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
-
-[Security operations for applications](security-operations-applications.md)
-
-[Security operations for devices](security-operations-devices.md)
-
-
-[Security operations for infrastructure](security-operations-infrastructure.md)
+* [Azure AD security operations overview](security-operations-introduction.md)
+* [Security operations for user accounts](security-operations-user-accounts.md)
+* [Security operations for privileged accounts](security-operations-privileged-accounts.md)
+* [Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+* [Security operations for applications](security-operations-applications.md)
+* [Security operations for devices](security-operations-devices.md)
+* [Security operations for infrastructure](security-operations-infrastructure.md)
active-directory Security Operations Privileged Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-operations-privileged-accounts.md
Title: Azure Active Directory security operations for privileged accounts
-description: Learn to set baselines, and then monitor and alert on potential security issues with privileged accounts in Azure Active directory.
+ Title: Security operations for privileged accounts in Azure Active Directory
+description: Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Azure Active Directory.
- Previously updated : 07/15/2021+ Last updated : 04/29/2022 +
-# Security operations for privileged accounts
+# Security operations for privileged accounts in Azure Active Directory
The security of business assets depends on the integrity of the privileged accounts that administer your IT systems. Cyber attackers use credential theft attacks and other means to target privileged accounts and gain access to sensitive data.
You're entirely responsible for all layers of security for your on-premises IT e
* For more information on securing access for privileged users, see [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md). * For a wide range of videos, how-to guides, and content of key concepts for privileged identity, see [Privileged Identity Management documentation](../privileged-identity-management/index.yml).
-## Where to look
+## Log files to monitor
The log files you use for investigation and monitoring are:
The log files you use for investigation and monitoring are:
From the Azure portal, you can view the Azure AD Audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
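Review bot: The new heading "Log files to monitor" is narrower than the section it introduces: the list below covers integration tools (Microsoft Sentinel, Azure Monitor, Event Hubs, Defender for Cloud Apps, Microsoft Graph, Identity Protection reports), not only log files. Consider "Logs and tools to monitor" or similar so the heading matches the content; note also that the context line "The log files you use for investigation and monitoring are:" appears twice in a row.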
-* [Microsoft Sentinel](../../sentinel/overview.md): Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
-* [Azure Monitor](../../azure-monitor/overview.md): Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
-* [Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM: Enables [Azure AD logs to be pushed to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.
-* [Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security): Enables you to discover and manage apps, govern across apps and resources, and check your cloud apps' compliance.
-* **Microsoft Graph**: Enables you to export data and use Microsoft Graph to do more analysis. For more information on Microsoft Graph, see [Microsoft Graph PowerShell SDK and Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-graph-api.md).
-* [Identity Protection](../identity-protection/overview-identity-protection.md): Generates three key reports you can use to help with your investigation:
+* **[Microsoft Sentinel](../../sentinel/overview.md)**. Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+* **[Azure Monitor](../../azure-monitor/overview.md)**. Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM. Enables Azure AD logs to be pushed to other SIEMs such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md).
+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)**. Enables you to discover and manage apps, govern across apps and resources, and check your cloud apps' compliance.
+* **Microsoft Graph**. Enables you to export data and use Microsoft Graph to do more analysis. For more information, see [Microsoft Graph PowerShell SDK and Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-graph-api.md).
+* **[Identity Protection](../identity-protection/overview-identity-protection.md)**. Generates three key reports you can use to help with your investigation:
- * **Risky users**: Contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
- * **Risky sign-ins**: Contains information about a sign-in that might indicate suspicious circumstances. For more information on investigating information from this report, see [Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
- * **Risk detections**: Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.
+ * **Risky users**. Contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
+ * **Risky sign-ins**. Contains information about a sign-in that might indicate suspicious circumstances. For more information on investigating information from this report, see [Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
+ * **Risk detections**. Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.
-* **[Securing workload identities with Identity Protection Preview](..//identity-protection/concept-workload-identity-risk.md)** - Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.
+* **[Securing workload identities with Identity Protection Preview](..//identity-protection/concept-workload-identity-risk.md)**. Use to detect risk on workload identities across sign-in behavior and offline indicators of compromise.
Although we discourage the practice, privileged accounts can have standing administration rights. If you choose to use standing privileges, and the account is compromised, it can have a strongly negative effect. We recommend you prioritize monitoring privileged accounts and include the accounts in your Privileged Identity Management (PIM) configuration. For more information on PIM, see [Start using Privileged Identity Management](../privileged-identity-management/pim-getting-started.md). Also, we recommend you validate that admin accounts: * Are required. * Have the least privilege to execute the require activities.
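Review bot: The workload identities bullet keeps a malformed relative path, `..//identity-protection/concept-workload-identity-risk.md` (double slash); it should be `../identity-protection/...` like the other links in the list. The rewritten sentence "Use to detect risk on workload identities" is also ungrammatical as a standalone sentence; "Used to detect risk ..." (the original wording) or "Detects risk on workload identities ..." reads correctly and matches the other bullets' descriptive style.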
-* Are protected with multifactor authentication (MFA) at a minimum.
+* Are protected with multifactor authentication at a minimum.
* Are run from privileged access workstation (PAW) or secure admin workstation (SAW) devices.
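Review bot: Removing "(MFA)" from "Are protected with multifactor authentication (MFA) at a minimum" drops the only place the abbreviation is defined, but the sign-in table later in this article still says "can't pass the MFA challenge". Either keep the parenthetical definition here or spell out "multifactor authentication" in the table row as well.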
-The rest of this article describes what we recommend you monitor and alert on. The article is organized by the type of threat. Where there are specific prebuilt solutions, we link to them following the table. Otherwise, you can build alerts by using the preceding tools.
+The rest of this article describes what we recommend you monitor and alert on. The article is organized by the type of threat. Where there are specific prebuilt solutions, we link to them following the table. Otherwise, you can build alerts by using the tools described above.
-Specifically, this article provides details on setting baselines and auditing sign-in and usage of privileged accounts. It also discusses tools and resources you can use to help maintain the integrity of your privileged accounts. The content is organized into the following subjects:
+This article provides details on setting baselines and auditing sign-in and usage of privileged accounts. It also discusses tools and resources you can use to help maintain the integrity of your privileged accounts. The content is organized into the following subjects:
* Emergency "break-glass" accounts * Privileged account sign-in
Specifically, this article provides details on setting baselines and auditing si
## Emergency access accounts
-It's important that you prevent being accidentally locked out of your Azure AD tenant. You can mitigate the effect of an accidental lockout by creating emergency access accounts in your organization. Emergency access accounts are also known as break-glass accounts, as in "break glass in case of emergency" messages found on physical security equipment like fire alarms.
+It's important that you prevent being accidentally locked out of your Azure AD tenant. You can mitigate the effect of an accidental lockout by creating emergency access accounts in your organization. Emergency access accounts are also known as *break-glass accounts*, as in "break glass in case of emergency" messages found on physical security equipment like fire alarms.
Emergency access accounts are highly privileged, and they aren't assigned to specific individuals. Emergency access accounts are limited to emergency or break-glass scenarios where normal privileged accounts can't be used. An example is when a Conditional Access policy is misconfigured and locks out all normal administrative accounts. Restrict emergency account use to only the times when it's absolutely necessary.
Send a high-priority alert every time an emergency access account is used.
Because break-glass accounts are only used if there's an emergency, your monitoring should discover no account activity. Send a high-priority alert every time an emergency access account is used or changed. Any of the following events might indicate a bad actor is trying to compromise your environments:
-* **Account used**: Monitor and alert on any activity by using this type of account, such as:
- * Sign-in.
- * Account password change.
- * Account permission or roles changed.
- * Credential or auth method added or changed.
+* Sign-in.
+* Account password change.
+* Account permission or roles changed.
+* Credential or auth method added or changed.
For more information on managing emergency access accounts, see [Manage emergency access admin accounts in Azure AD](../roles/security-emergency-access.md). For detailed information on creating an alert for an emergency account, see [Create an alert rule](../roles/security-emergency-access.md).
You can monitor privileged account sign-in events in the Azure AD Sign-in logs.
| - | - | - | - | - | | Sign-in failure, bad password threshold | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml) | | Failure because of Conditional Access requirement |High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | This event can be an indication an attacker is trying to get into the account.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml) |
-| Privileged accounts that don't follow naming policy| | Azure subscription | [List Azure role assignments using the Azure portal - Azure RBAC](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where the sign-in name doesn't match your organization's format. An example is the use of ADM_ as a prefix. |
-| Interrupt | High, medium | Azure AD Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure reason = Authentication failed during strong authentication request | This event can be an indication an attacker has the password for the account but can't pass the MFA challenge.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml) |
+| Privileged accounts that don't follow naming policy| | Azure subscription | [List Azure role assignments using the Azure portal](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where the sign-in name doesn't match your organization's format. An example is the use of ADM_ as a prefix. |
+| Interrupt | High, medium | Azure AD Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure reason = Authentication failed during strong authentication request | This event can be an indication an attacker has the password for the account but can't pass the multifactor authentication challenge.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml) |
| Privileged accounts that don't follow naming policy| High | Azure AD directory | [List Azure AD role assignments](../roles/view-assignments.md)| List role assignments for Azure AD roles and alert where the UPN doesn't match your organization's format. An example is the use of ADM_ as a prefix. |
-| Discover privileged accounts not registered for MFA | High | Microsoft Graph API| Query for IsMFARegistered eq false for admin accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if the event is intentional or an oversight. |
+| Discover privileged accounts not registered for multifactor authentication | High | Microsoft Graph API| Query for IsMFARegistered eq false for admin accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if the event is intentional or an oversight. |
| Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml) | | Account disabled or blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | This event could indicate someone is trying to gain access to an account after they've left the organization. Although the account is blocked, it's still important to log and alert on this activity.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml) |
-| MFA fraud alert or block | High | Azure AD Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the MFA prompt, which could indicate an attacker has the password for the account.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |
-| MFA fraud alert or block | High | Azure AD Audit log log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken (based on tenant-level settings for fraud report) | Privileged user has indicated they haven't instigated the MFA prompt, which could indicate an attacker has the password for the account.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |
+| MFA fraud alert or block | High | Azure AD Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |
+| MFA fraud alert or block | High | Azure AD Audit log log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken (based on tenant-level settings for fraud report) | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |
| Privileged account sign-ins outside of expected controls | | Azure AD Sign-ins log | Status = Failure<br>UserPricipalName = \<Admin account\><br>Location = \<unapproved location\><br>IP address = \<unapproved IP\><br>Device info = \<unapproved Browser, Operating System\> | Monitor and alert on any entries that you've defined as unapproved.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml) | | Outside of normal sign-in times | High | Azure AD Sign-ins log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It's important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml) | | Identity protection risk | High | Identity Protection logs | Risk state = At risk<br>-and-<br>Risk level = Low, medium, high<br>-and-<br>Activity = Unfamiliar sign-in/TOR, and so on | This event indicates there's some abnormality detected with the sign-in for the account and should be alerted on. |
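Review bot: the updated row `| Privileged accounts that don't follow naming policy| | Azure subscription | ...` still leaves the Risk level cell empty, while the directory-scoped twin row two lines below rates the same condition High; fill it in rather than carrying the gap forward. Two smaller points in the same table: `Azure AD Audit log log/Azure Log Analytics` in the second MFA fraud row keeps the doubled "log", and the two MFA fraud rows expand the acronym as "multi-factor authentication" whereas the rest of this change writes "multifactor authentication" (the Interrupt row, "Discover privileged accounts not registered for multifactor authentication"); settle on one spelling across the file.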
You can monitor privileged account sign-in events in the Azure AD Sign-in logs.
| Change in legacy authentication protocol | High | Azure AD Sign-ins log | Client App = Other client, IMAP, POP3, MAPI, SMTP, and so on<br>-and-<br>Username = UPN<br>-and-<br>Application = Exchange (example) | Many attacks use legacy authentication, so if there's a change in auth protocol for the user, it could be an indication of an attack. | | New device or location | High | Azure AD Sign-ins log | Device info = Device ID<br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>-and-<br>Target = User<br>-and-<br>Location | Most admin activity should be from [privileged access devices](/security/compass/privileged-access-devices), from a limited number of locations. For this reason, alert on new devices or locations.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml) | | Audit alert setting is changed | High | Azure AD Audit logs | Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity = Disable PIM alert<br>-and-<br>Status = Success | Changes to a core alert should be alerted if unexpected. |
-| Administrators authenticating to other Azure AD tenants| Medium| Azure AD Sign-ins log| Status = success<br><br>Resource tenantID != Home Tenant ID| When scoped to Privileged Users this detects when an administrator has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant. <br><br>Alert if Resource TenantID is not equal to Home Tenant ID |
-|Admin User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br><br>Category: UserManagement<br><br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member.<br><br> Was this expected?
+| Administrators authenticating to other Azure AD tenants| Medium| Azure AD Sign-ins log| Status = success<br><br>Resource tenantID != Home Tenant ID| When scoped to Privileged Users, this monitor detects when an administrator has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant. <br><br>Alert if Resource TenantID isn't equal to Home Tenant ID |
+|Admin User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br><br>Category: UserManagement<br><br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member.<br><br> Was this change expected?
|Guest users invited to tenant by non-approved inviters|Medium|Azure AD Audit logs|Activity: Invite external user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.+ ## Changes by privileged accounts Monitor all completed and attempted changes by a privileged account. This data enables you to establish what's normal activity for each privileged account and alert on activity that deviates from the expected. The Azure AD Audit logs are used to record this type of event. For more information on Azure AD Audit logs, see [Audit logs in Azure Active Directory](../reports-monitoring/concept-audit-logs.md). ### Azure Active Directory Domain Services
-Privileged accounts that have been assigned permissions in Azure AD Domain Services can perform tasks for Azure AD Domain Services that affect the security posture of your Azure-hosted virtual machines (VMs) that use Azure AD Domain Services. Enable security audits on VMs and monitor the logs. For more information on enabling Azure AD Domain Services audits and for a list of sensitive privileges, see the following resources:
+Privileged accounts that have been assigned permissions in Azure AD Domain Services can perform tasks for Azure AD Domain Services that affect the security posture of your Azure-hosted virtual machines that use Azure AD Domain Services. Enable security audits on virtual machines and monitor the logs. For more information on enabling Azure AD Domain Services audits and for a list of sensitive privileges, see the following resources:
* [Enable security audits for Azure Active Directory Domain Services](../../active-directory-domain-services/security-audit-events.md) * [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use)
-| What to monitor | Risk level | Where | Filter/subfilter | Notes |
-|-|||--|--|
-| Attempted and completed changes | High | Azure AD Audit logs | Date and time<br>-and-<br>Service<br>-and-<br>Category and name of the activity (what)<br>-and-<br>Status = Success or failure<br>-and-<br>Target<br>-and-<br>Initiator or actor (who) | Any unplanned changes should be alerted on immediately. These logs should be retained to assist in any investigation. Any tenant-level changes should be investigated immediately (link out to Infra doc) that would lower the security posture of your tenant. An example is excluding accounts from MFA or Conditional Access. Alert on any [additions or changes to applications](security-operations-applications.md). |
-| **EXAMPLE**<br>Attempted or completed change to high-value apps or services | High | Audit log | Service<br>-and-<br>Category and name of the activity | <li>Date and time <li>Service <li>Category and name of the activity <li>Status = Success or failure <li>Target <li>Initiator or actor (who) |
-| Privileged changes in Azure AD Domain Services | High | Azure AD Domain Services | Look for event [4673](/windows/security/threat-protection/auditing/event-4673) | [Enable security audits for Azure Active Directory Domain Services](../../active-directory-domain-services/security-audit-events.md)<br>[Audit Sensitive Privilege use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use). See the article for a list of all privileged events. |
+| What to monitor | Risk level | Where | Filter/subfilter | Notes |
+||||-|-|
+| Attempted and completed changes | High | Azure AD Audit logs | Date and time<br>-and-<br>Service<br>-and-<br>Category and name of the activity (what)<br>-and-<br>Status = Success or failure<br>-and-<br>Target<br>-and-<br>Initiator or actor (who) | Any unplanned changes should be alerted on immediately. These logs should be retained to help with any investigation. Any tenant-level changes should be investigated immediately (link out to Infra doc) that would lower the security posture of your tenant. An example is excluding accounts from multifactor authentication or Conditional Access. Alert on any additions or changes to applications. See [Azure Active Directory security operations guide for Applications](security-operations-applications.md). |
+| **EXAMPLE**<br>Attempted or completed change to high-value apps or services | High | Audit log | Service<br>-and-<br>Category and name of the activity | <li>Date and time <li>Service <li>Category and name of the activity <li>Status = Success or failure <li>Target <li>Initiator or actor (who) |
+| Privileged changes in Azure AD Domain Services | High | Azure AD Domain Services | Look for event [4673](/windows/security/threat-protection/auditing/event-4673) | [Enable security audits for Azure Active Directory Domain Services](../../active-directory-domain-services/security-audit-events.md)<br>For a list of all privileged events, see [Audit Sensitive Privilege use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use). |
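Review bot: the replacement delimiter row `||||-|-|` is not a valid Markdown table separator. Each delimiter cell must contain at least one hyphen, and the first three cells here are empty, so the header row will not render as a table; use `|-|-|-|-|-|` (the old row `|-|||--|--|` had the same defect in its second and third cells, so this change is the chance to fix it rather than reshuffle it). Also, the Notes cell of the "Attempted and completed changes" row still carries the author placeholder "(link out to Infra doc)"; either insert the intended link or drop the parenthetical before this ships.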
## Changes to privileged accounts
Investigate changes to privileged accounts' authentication rules and privileges,
| Changes to authentication methods| High| Azure AD Audit logs| Service = Authentication Method<br>-and-<br>Activity type = User registered security information<br>-and-<br>Category = User management| This change could be an indication of an attacker adding an auth method to the account so they can have continued access.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuthenticationMethodsChangedforPrivilegedAccount.yaml) | | Alert on changes to privileged account permissions| High| Azure AD Audit logs| Category = Role management<br>-and-<br>Activity type = Add eligible member (permanent)<br>-and-<br>Activity type = Add eligible member (eligible)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| This alert is especially for accounts being assigned roles that aren't known or are outside of their normal responsibilities. | | Unused privileged accounts| Medium| Azure AD Access Reviews| | Perform a monthly review for inactive privileged user accounts. |
-| Accounts exempt from Conditional Access| High| Azure Monitor Logs<br>-or-<br>Access Reviews| Conditional Access = Insights and reporting| Any account exempt from Conditional Access is most likely bypassing security controls and is more vulnerable to compromise. Break-glass accounts are exempt. See information on how to monitor break-glass accounts in a subsequent section of this article.|
-| Addition of a Temporary Access Pass to a privileged account| High| Azure AD Audit logs| Activity: Admin registered security info<br><br>Status Reason: Admin registered temporary access pass method for user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name<br><br>Target:User Principal Name|Monitor and alert on a Temporary Access Pass being created for a privileged user.
+| Accounts exempt from Conditional Access| High| Azure Monitor Logs<br>-or-<br>Access Reviews| Conditional Access = Insights and reporting| Any account exempt from Conditional Access is most likely bypassing security controls and is more vulnerable to compromise. Break-glass accounts are exempt. See information on how to monitor break-glass accounts later in this article.|
+| Addition of a Temporary Access Pass to a privileged account| High| Azure AD Audit logs| Activity: Admin registered security info<br><br>Status Reason: Admin registered temporary access pass method for user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name<br><br>Target: User Principal Name|Monitor and alert on a Temporary Access Pass being created for a privileged user.
For more information on how to monitor for exceptions to Conditional Access policies, see [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).
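Review bot: "See information on how to monitor break-glass accounts later in this article" in the Accounts exempt from Conditional Access row points forward, but the emergency access / break-glass monitoring guidance sits earlier in this file (the "Send a high-priority alert every time an emergency access account is used" section at the top of this diff), so the old "in a subsequent section" and the new "later" are both wrong in direction; a direct section link is more robust than a relative position either way.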
Having privileged accounts that are permanently provisioned with elevated abilit
### Establish a baseline
-To monitor for exceptions, you must first create a baseline. Determine the following information for:
+To monitor for exceptions, you must first create a baseline. Determine the following information for these elements
-* **Admin accounts**:
+* **Admin accounts**
- * Your privileged account strategy
- * Use of on-premises accounts to administer on-premises resources
- * Use of cloud-based accounts to administer cloud-based resources
- * Approach to separating and monitoring administrative permissions for on-premises and cloud-based resources
+ * Your privileged account strategy
+ * Use of on-premises accounts to administer on-premises resources
+ * Use of cloud-based accounts to administer cloud-based resources
+ * Approach to separating and monitoring administrative permissions for on-premises and cloud-based resources
-* **Privileged role protection**:
+* **Privileged role protection**
- * Protection strategy for roles that have administrative privileges
- * Organizational policy for using privileged accounts
- * Strategy and principles for maintaining permanent privilege versus providing time-bound and approved access
+ * Protection strategy for roles that have administrative privileges
+ * Organizational policy for using privileged accounts
+ * Strategy and principles for maintaining permanent privilege versus providing time-bound and approved access
-The following concepts and information will help you determine policies:
+The following concepts and information help determine policies:
-* **Just-in-time admin principles**: Use the Azure AD logs to capture information for performing administrative tasks that are common in your environment. Determine the typical amount of time needed to complete the tasks.
-* **Just-enough admin principles**: [Determine the least-privileged role](../roles/delegate-by-task.md), which might be a custom role, that's needed for administrative tasks.
-* **Establish an elevation policy**: After you have insight into the type of elevated privilege needed and how long is needed for each task, create policies that reflect elevated privileged usage for your environment. As an example, define a policy to limit Global admin access to one hour.
+* **Just-in-time admin principles**. Use the Azure AD logs to capture information for performing administrative tasks that are common in your environment. Determine the typical amount of time needed to complete the tasks.
+* **Just-enough admin principles**. Determine the least-privileged role, which might be a custom role, that's needed for administrative tasks. For more information, see [Least privileged roles by task in Azure Active Directory](../roles/delegate-by-task.md).
+* **Establish an elevation policy**. After you have insight into the type of elevated privilege needed and how long is needed for each task, create policies that reflect elevated privileged usage for your environment. As an example, define a policy to limit Global admin access to one hour.
- After you establish your baseline and set policy, you can configure monitoring to detect and alert usage outside of policy.
+After you establish your baseline and set policy, you can configure monitoring to detect and alert usage outside of policy.
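Review bot: the rewritten lead-in "Determine the following information for these elements" drops the colon that the old line ended with, yet it still introduces the bulleted list that follows; end it with a colon. In the same list the bold labels ("Admin accounts", "Privileged role protection") lose their trailing colons, while the list further down switches to periods ("Just-in-time admin principles."); either convention is fine, but the two lists in one section should agree.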
### Discovery
Pay particular attention to and investigate changes in assignment and elevation
### Things to monitor
-You can monitor privileged account changes by using Azure AD Audit logs and Azure Monitor logs. Specifically, include the following changes in your monitoring process.
+You can monitor privileged account changes by using Azure AD Audit logs and Azure Monitor logs. Include the following changes in your monitoring process.
| What to monitor| Risk level| Where| Filter/subfilter| Notes | | - | - | - | - | - |
For more information about managing elevation, see [Elevate access to manage all
For information about configuring alerts for Azure roles, see [Configure security alerts for Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-configure-alerts.md).
- ## Next steps
+## Next steps
See these security operations guide articles:
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
The registration campaign comes with the ability for an admin to scope users and
**Service category:** User Access Management **Product capability:** Entitlement Management
-In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will be then unable to request more access. [Learn more](../governance/entitlement-management-access-package-request-policy.md#prevent-requests-from-users-with-incompatible-access-preview).
+In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will be then unable to request more access. [Learn more](../governance/entitlement-management-access-package-request-policy.md#prevent-requests-from-users-with-incompatible-access).
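Review bot: the anchor change from `#prevent-requests-from-users-with-incompatible-access-preview` to `#prevent-requests-from-users-with-incompatible-access` matches the heading rename in entitlement-management-access-package-request-policy.md further down in this batch, so the link stays valid. While this line is being touched, "will be then unable to request more access" reads better as "will then be unable to request more access".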
active-directory Deploy Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/deploy-access-reviews.md
When you create an access review for groups or applications, you can choose to l
[Access packages](entitlement-management-overview.md) can vastly simplify your governance and access review strategy. An access package is a bundle of all the resources with the access a user needs to work on a project or do their task. For example, you might want to create an access package that includes all the applications that developers in your organization need, or all applications to which external users should have access. An administrator or delegated access package manager then groups the resources (groups or apps) and the roles the users need for those resources.
-When you [create an access package](entitlement-management-access-package-create.md), you can create one or more access policies that set conditions for which users can request an access package, what the approval process looks like, and how often a person would have to re-request access. Access reviews are configured while you create or edit an access package policy.
+When you [create an access package](entitlement-management-access-package-create.md), you can create one or more access package policies that set conditions for which users can request an access package, what the approval process looks like, and how often a person would have to re-request access or have their access reviewed. Access reviews are configured while you create or edit those access package policies.
Select the **Lifecycle** tab and scroll down to access reviews.
active-directory Entitlement Management Access Package Approval Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-approval-policy.md
# Change approval and requestor information settings for an access package in Azure AD entitlement management
-As an access package manager, you can change the approval and requestor information settings for an access package at any time by editing an existing policy or adding a new policy.
+As an access package manager, you can change the approval and requestor information settings for an access package at any time by editing an existing policy or adding a new policy for requesting access.
-This article describes how to change the approval and requestor information settings for an existing access package.
+This article describes how to change the approval and requestor information settings for an existing access package, through an access package's policy.
## Approval
In order to make sure users are getting access to the right access packages, you
1. Fill out the remaining tabs (e.g., Lifecycle) based on your needs.
-After you have configured requestor information in your access package policy, can view the requestor's responses to the questions. For guidance on seeing requestor information, see [View requestor's answers to questions](entitlement-management-request-approve.md#view-requestors-answers-to-questions).
+After you have configured requestor information in your access package's policy, can view the requestor's responses to the questions. For guidance on seeing requestor information, see [View requestor's answers to questions](entitlement-management-request-approve.md#view-requestors-answers-to-questions).
## Next steps - [Change lifecycle settings for an access package](entitlement-management-access-package-lifecycle-policy.md)
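Review bot: the edited sentence "After you have configured requestor information in your access package's policy, can view the requestor's responses to the questions" still has no subject for "can view"; the old line had the same gap, and since the line is being rewritten anyway, make it "...policy, you can view the requestor's responses...".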
active-directory Entitlement Management Access Package Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-assignments.md
$req = New-MgEntitlementManagementAccessPackageAssignmentRequest -AccessPackageI
## Remove an assignment
+You can remove an assignment that a user or an administrator had previously requested.
+ **Prerequisite role:** Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager 1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
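Review bot: tense in the added sentence "You can remove an assignment that a user or an administrator had previously requested": the past perfect implies a reference point that is not in the sentence; "has previously requested" (or "that was previously requested") reads correctly. The following added line also begins with a stray leading space before "**Prerequisite role:**", the same kind of whitespace the security-operations change above removed from "After you establish your baseline"; drop it so the line is not indented relative to the heading.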
active-directory Entitlement Management Access Package Create https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-create.md
You can also create an access package using Microsoft Graph. A user in an approp
1. [List the accessPackageResources in the catalog](/graph/api/entitlementmanagement-list-accesspackagecatalogs?tabs=http&view=graph-rest-beta&preserve-view=true) and [create an accessPackageResourceRequest](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?tabs=http&view=graph-rest-beta&preserve-view=true) for any resources that are not yet in the catalog. 1. [List the accessPackageResourceRoles](/graph/api/accesspackage-list-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta&preserve-view=true) of each accessPackageResource in an accessPackageCatalog. This list of roles will then be used to select a role, when subsequently creating an accessPackageResourceRoleScope. 1. [Create an accessPackage](/graph/tutorial-access-package-api).
-1. [Create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-accesspackageassignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true).
+1. [Create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-accesspackageassignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for each policy needed in the access package.
1. [Create an accessPackageResourceRoleScope](/graph/api/accesspackage-post-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta&preserve-view=true) for each resource role needed in the access package. ## Next steps
active-directory Entitlement Management Access Package Lifecycle Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-lifecycle-policy.md
# Change lifecycle settings for an access package in Azure AD entitlement management
-As an access package manager, you can change the lifecycle settings for an access package at any time by editing an existing policy. If you change the expiration date for a policy, the expiration date for requests that are already in a pending approval or approved state will not change.
+As an access package manager, you can change the lifecycle settings for assignments in an access package at any time by editing an existing policy. If you change the expiration date for assignments on a policy, the expiration date for requests that are already in a pending approval or approved state will not change.
This article describes how to change the lifecycle settings for an existing access package.
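Review bot: the new opening sentence now scopes the topic as "lifecycle settings for assignments in an access package", but the title two lines above and the unchanged line below ("This article describes how to change the lifecycle settings for an existing access package.") keep the old phrasing; align all three, or the reader gets two descriptions of what the page covers within its first three lines.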
active-directory Entitlement Management Access Package Request Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-request-policy.md
As an access package manager, you can change the users who can request an access
The way you specify who can request an access package is with a policy. Before creating a new policy or editing an existing policy in an access package, you need to determine how many policies the access package needs.
-When you create an access package, you specify the request setting which creates a policy. Most access packages will have a single policy, but a single access package can have multiple policies. You would create multiple policies for an access package if you want to allow different sets of users to be granted assignments with different request and approval settings.
+When you create an access package, you specify the request, approval and lifecycle settings, which are stored on the first policy of the access package. Most access packages will have a single policy, but a single access package can have multiple policies. You would create multiple policies for an access package if you want to allow different sets of users to be granted assignments with different request and approval settings.
For example, a single policy cannot be used to assign internal and external users to the same access package. However, you can create two policies in the same access package, one for internal users and one for external users. If there are multiple policies that apply to a user, they will be prompted at the time of their request to select the policy they would like to be assigned to. The following diagram shows an access package with two policies.
Follow these steps if you want to allow users not in your directory to request t
1. Once you've selected all your connected organizations, click **Select**. > [!NOTE]
- > All users from the selected connected organizations will be able to request this access package. This includes users in Azure AD from all subdomains associated with the organization, unless those domains are blocked by the Azure B2B allow or blocklist. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).
+ > All users from the selected connected organizations can request this access package. For a connected organization that has an Azure AD directory, users from all verified domains associated with the Azure AD directory can request, unless those domains are blocked by the Azure B2B allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).
1. If you want to require approval, use the steps in [Change approval settings for an access package in Azure AD entitlement management](entitlement-management-access-package-approval-policy.md) to configure approval settings.
To change the request and approval settings for an access package, you need to o
1. If you are editing a policy click **Update**. If you are adding a new policy, click **Create**.
-## Prevent requests from users with incompatible access (preview)
+## Prevent requests from users with incompatible access
In addition to the policy checks on who can request, you may wish to further restrict access, in order to avoid a user who already has some access - via a group or another access package - from obtaining excessive access.
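Review bot: dropping "(preview)" from the heading on the `+` line changes the heading's generated anchor (the `#prevent-requests-from-users-with-incompatible-access-preview` fragment that other pages may link to); search the docs set for links to the old fragment and update them, otherwise those links land at the top of the page instead of this section.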
active-directory Entitlement Management Access Package Requests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-requests.md
# View and remove requests for an access package in Azure AD entitlement management
-In Azure AD entitlement management, you can see who has requested access packages, their policy, and status. This article describes how to view requests for an access package, and remove requests that are no longer needed.
+In Azure AD entitlement management, you can see who has requested access packages, the policy for their request, and the status of their request. This article describes how to view requests for an access package, and remove requests that are no longer needed.
## View requests
active-directory Entitlement Management Access Reviews Create https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-reviews-create.md
Title: Create an access review of an access package in Azure AD entitlement management
-description: Learn how to create an access review policy for entitlement management access packages in Azure Active Directory access reviews (Preview).
+description: Learn how to set up an access review in a policy for entitlement management access packages in Azure Active Directory.
documentationCenter: ''
-#Customer intent: As an administrator, I want to create an access review policy for my access packages so I can review the active assignments of my users to ensure everyone has the appropriate access.
+#Customer intent: As an administrator, I want to create an access review for my access packages so I can review the active assignments of my users to ensure everyone has the appropriate access.
# Create an access review of an access package in Azure AD entitlement management
active-directory Entitlement Management Access Reviews Self Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-reviews-self-review.md
Title: Self-review of an access package in Azure AD entitlement management
-description: Learn how to review user access of entitlement management access packages in Azure Active Directory access reviews (Preview).
+description: Learn how to review user access of entitlement management access packages in Azure Active Directory access reviews.
documentationCenter: ''
active-directory Entitlement Management External Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-external-users.md
When using the [Azure AD B2B](../external-identities/what-is-b2b.md) invite expe
With entitlement management, you can define a policy that allows users from organizations you specify to be able to self-request an access package. That policy includes whether approval is required, whether access reviews are required, and an expiration date for the access. If approval is required, you might consider inviting one or more users from the external organization to your directory, designating them as sponsors, and configuring that sponsors are approvers - since they are likely to know which external users from their organization need access. Once you have configured the access package, obtain the access package's request link so you can send that link to your contact person (sponsor) at the external organization. That contact can share with other users in their external organization, and they can use this link to request the access package. Users from that organization who have already been invited into your directory can also use that link.
-Typically, when a request is approved, entitlement management will provision the user with the necessary access. If the user is not already in your directory, entitlement management will first invite the user. When the user is invited, Azure AD will automatically create a B2B guest account for them, but will not send the user an email. Note that an administrator may have previously limited which organizations are permitted for collaboration, by setting a [B2B allow or deny list](../external-identities/allow-deny-list.md) to allow or block invites to other organizations. If the user is not permitted by the allow or block list, then they will not be invited, and cannot be assigned access until the lists are updated.
+Typically, when a request is approved, entitlement management will provision the user with the necessary access. If the user isn't already in your directory, entitlement management will first invite the user. When the user is invited, Azure AD will automatically create a B2B guest account for them but won't send the user an email. Note that an administrator may have previously limited which organizations are allowed for collaboration, by setting a [B2B allow or deny list](../external-identities/allow-deny-list.md) to allow or block invites to other organization's domains. If the user's domain isn't allowed by those lists, then they won't be invited and can't be assigned access until the lists are updated.
Since you do not want the external user's access to last forever, you specify an expiration date in the policy, such as 180 days. After 180 days, if their access is not extended, entitlement management will remove all access associated with that access package. By default, if the user who was invited through entitlement management has no other access package assignments, then when they lose their last assignment, their guest account will be blocked from signing in for 30 days, and subsequently removed. This prevents the proliferation of unnecessary accounts. As described in the following sections, these settings are configurable.
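Review bot: "other organization's domains" on the `+` line should be "other organizations' domains" (plural possessive), since the allow or deny list covers every partner organization, not one; the rest of the rewording, in particular making the check explicitly about the user's domain rather than the organization, reads correctly and matches the list semantics described in the linked article.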
The following diagram and steps provide an overview of how external users are gr
1. To access the resources, the external user can either click the link in the email or attempt to access any of the directory resources directly to complete the invitation process.
-1. If the policy settings includes an expiration date, then later when the access package assignment for the external user expires, the external user's access rights from that access package are removed.
+1. If the policy settings include an expiration date, then later when the access package assignment for the external user expires, the external user's access rights from that access package are removed.
1. Depending on the lifecycle of external users settings, when the external user no longer has any access package assignments, the external user is blocked from signing in and the guest user account is removed from your directory.
To ensure people outside of your organization can request access packages and ge
### Configure your Azure AD B2B external collaboration settings - Allowing guests to invite other guests to your directory means that guest invites can occur outside of entitlement management. We recommend setting **Guests can invite** to **No** to only allow for properly governed invitations.-- If you are using the B2B allow list, you must make sure all the domains of all the organizations you want to partner with using entitlement management are added to the list. Alternatively, if you are using the B2B deny list, you must make sure no domain of any organization you want to partner with is not present on that list.-- If you create an entitlement management policy for **All users** (All connected organizations + any new external users), and a user doesnΓÇÖt belong to a connected organization in your directory, a connected organization will automatically be created for them when they request the package. Any B2B allow or deny list settings you have will take precedence. Therefore, be sure to include the domains you intend to include in this policy to your allow list if you are using one, and exclude them from your deny list if you are using a deny list.
+- If you have been previously using the B2B allow list, you must either remove that list, or make sure all the domains of all the organizations you want to partner with using entitlement management are added to the list. Alternatively, if you are using the B2B deny list, you must make sure no domain of any organization you want to partner with is present on that list.
+- If you create an entitlement management policy for **All users** (All connected organizations + any new external users), and a user doesnΓÇÖt belong to a connected organization in your directory, a connected organization will automatically be created for them when they request the package. However, any B2B [allow or deny list](../external-identities/allow-deny-list.md) settings you have will take precedence. Therefore, you will want to remove the allow list, if you were using one, so that **All users** can request access, and exclude all authorized domains from your deny list if you are using a deny list.
- If you want to create an entitlement management policy that includes **All users** (All connected organizations + any new external users), you must first enable email one-time passcode authentication for your directory. For more information, see [Email one-time passcode authentication](../external-identities/one-time-passcode.md). - For more information about Azure AD B2B external collaboration settings, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md). ![Azure AD external collaboration settings](./media/entitlement-management-external-users/collaboration-settings.png)
+
+ > [!NOTE]
+ > If you create a connected organization for an Azure AD tenant from a different Microsoft cloud, you also need to configure cross-tenant access settings appropriately. For more information on how to configure these settings, see [Configure cross-tenant access settings](../external-identities/cross-cloud-settings.md).
### Review your Conditional Access policies
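Review bot: the `+` line recommends removing the B2B allow list so that **All users** can request access, but the unchanged bullet above it already notes that guest invitations can also occur outside entitlement management; removing the allow list widens every invitation path in the tenant, not just access package requests. State that trade-off next to the recommendation (for example, that keeping a deny list still blocks named domains while letting **All users** policies work), so an administrator does not drop a tenant-wide control to enable one policy type.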
active-directory Entitlement Management Logic Apps Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-logic-apps-integration.md
These triggers to Logic Apps are controlled in a new tab within access package p
For more information on creating Logic App workflows, see [Create automated workflows with Azure Logic Apps in the Azure portal](../../logic-apps/quickstart-create-first-logic-app-workflow.md).
-## Add custom extension to access package policy
+## Add custom extension to a policy in an access package
**Prerequisite roles:** Global administrator, Identity Governance administrator, Catalog owner, or Access package manager
These triggers to Logic Apps are controlled in a new tab within access package p
1. In the left menu, select **Access packages**.
-1. Select **New access package** if you want to add a custom extension (Logic App) to a new access package. Or select the access package you want to add a custom extension (Logic App) to from the list of access packages that have already been created.
+1. Select the access package you want to add a custom extension (Logic App) to from the list of access packages that have already been created.
> [!NOTE]
+ > Select **New access package** if you want to create a new access package.
> For more information about how to create an access package see [Create a new access package in entitlement management](entitlement-management-access-package-create.md). For more information about how to edit an existing access package, see [Change request settings for an access package in Azure AD entitlement management](entitlement-management-access-package-request-policy.md#open-and-edit-an-existing-policy-of-request-settings).
-1. In the policy settings of the access package, go to the **Rules (Preview)** tab.
+1. Change to the policy tab, select the policy and select **Edit**.
-1. In the menu below **When**, select the access package event you wish to use as trigger for this custom extension (Logic App). For example, if you only want to trigger the custom extension Logic App workflow when a user requests the access package, select **when request is created**.
+1. In the policy settings, go to the **Custom Extensions (Preview)** tab.
-1. In the menu below **Do**, select the custom extension (Logic App) you want to add to the access package. The do action you select will execute when the event selected in the when field occurs.
+1. In the menu below **Stage**, select the access package event you wish to use as trigger for this custom extension (Logic App). For example, if you only want to trigger the custom extension Logic App workflow when a user requests the access package, select **Request is created**.
-1. Select **Create** if you want to add the custom extension to a new access package. Select **Update** if you want to add it to an existing access package.
+1. In the menu below **Custom Extension**, select the custom extension (Logic App) you want to add to the access package. The do action you select will execute when the event selected in the when field occurs.
+
+1. Select **Update** to add it to an existing access package's policy.
![Add a logic app to access package](./media/entitlement-management-logic-apps/add-logic-apps-access-package.png)
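Review bot: the step on the `+` line "In the menu below **Custom Extension**..." still ends with "The do action you select will execute when the event selected in the when field occurs", but this same change renames those menus from **When**/**Do** to **Stage**/**Custom Extension**; update the sentence to the new labels, for example "The custom extension you select runs when the stage selected above is reached". Also confirm that the `[!NOTE]` block, which now has the new "Select **New access package**..." sentence and the old "For more information..." sentence on separate `>` lines, still renders as a single callout.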
active-directory Entitlement Management Organization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-organization.md
A connected organization is another organization that you have a relationship wi
There are three ways that entitlement management lets you specify the users that form a connected organization. It could be
-* users in another Azure AD directory,
+* users in another Azure AD directory (from any Microsoft cloud),
* users in another non-Azure AD directory that has been configured for direct federation, or * users in another non-Azure AD directory, whose email addresses all have the same domain name in common.
+In addition, you can have a connected organization for users with a Microsoft Account, such as from the domain *live.com*.
+ For example, suppose you work at Woodgrove Bank and you want to collaborate with two external organizations. These two organizations have different configurations: - Graphic Design Institute uses Azure AD, and their users have a user principal name that ends with *graphicdesigninstitute.com*. - Contoso does not yet use Azure AD. Contoso users have a user principal name that ends with *contoso.com*.
-In this case, you can configure two connected organizations. You create one connected organization for Graphic Design Institute and one for Contoso. If you then add the two connected organizations to a policy, users from each organization with a user principal name that matches the policy can request access packages. Users with a user principal name that has a domain of contoso.com would match the Contoso-connected organization and would also be allowed to request packages. Users with a user principal name that has a domain of *graphicdesigninstitute.com* would match the Graphic Design Institute-connected organization and be allowed to submit requests. And, because Graphic Design Institute uses Azure AD, any users with a principal name that matches a [verified domain](../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) that's added to their tenant, such as *graphicdesigninstitute.example*, would also be able to request access packages by using the same policy. If you have [email one-time passcode (OTP) authentication](../external-identities/one-time-passcode.md) turned on, that includes users from those domains who do not yet have Azure AD accounts who will authenticate using email OTP when accessing your resources.
+In this case, you can configure two connected organizations. You create one connected organization for Graphic Design Institute and one for Contoso. If you then add the two connected organizations to a policy, users from each organization with a user principal name that matches the policy can request access packages. Users with a user principal name that has a domain of contoso.com would match the Contoso-connected organization and would also be allowed to request packages. Users with a user principal name that has a domain of *graphicdesigninstitute.com* would match the Graphic Design Institute-connected organization and be allowed to submit requests. And, because Graphic Design Institute uses Azure AD, any users with a principal name that matches a [verified domain](../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) that's added to their tenant, such as *graphicdesigninstitute.example*, would also be able to request access packages by using the same policy. If you have [email one-time passcode (OTP) authentication](../external-identities/one-time-passcode.md) turned on, that includes users from those domains that aren't yet part of Azure AD directories who'll authenticate using email OTP when accessing your resources.
![Connected organization example](./media/entitlement-management-organization/connected-organization-example.png)
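Review bot: the `+` line adds a connected organization type for Microsoft Account users (for example *live.com*) directly after a list introduced with "There are three ways that entitlement management lets you specify the users"; either change the count in that introduction or make the Microsoft Account case a fourth bullet, so the list and its lead sentence agree.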
To add an external Azure AD directory or domain as a connected organization, fol
1. In the search box, enter a domain name to search for the Azure AD directory or domain. Be sure to enter the entire domain name.
-1. Verify that the organization name and authentication type are correct. How users sign in depends on the authentication type.
+1. Confirm that the organization name and authentication type are correct. User sign in, prior to being able to access the myaccess portal, depends on the authentication type for their organization. If the authentication type for a connected organization is Azure AD, then all users with an account in any verified domain of that Azure AD directory will sign into their directory, and then can request access to access packages that allow that connected organization. If the authentication type is One-time passcode, this allows users with email addresses from just that domain to visit the myaccess portal. Then, after they authenticate with the passcode, the user can make a request.
![The "Select directories + domains" pane](./media/entitlement-management-organization/organization-select-directories-domains.png)
-1. Select **Add** to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.
- > [!NOTE]
- > All users from the Azure AD directory or domain will be able to request this access package. This includes users in Azure AD from all subdomains associated with the directory, unless those domains are blocked by the Azure AD business to business (B2B) allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).
+ > Access from some domains could be blocked by the Azure AD business to business (B2B) allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).
+
+1. Select **Add** to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.
1. After you've added the Azure AD directory or domain, select **Select**.
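Review bot: the `- > [!NOTE]` marker line is removed together with the old note text, but the replacement `+ > Access from some domains could be blocked...` line has no new `> [!NOTE]` marker above it, so unless a marker survives as unchanged context not shown here the callout will render as a plain block quote; re-add `> [!NOTE]` above the new line. Separately, "User sign in, prior to being able to access the myaccess portal, depends on the authentication type for their organization" on the earlier `+` line reads awkwardly; "How users sign in before they can reach the My Access portal depends on the authentication type of their organization" says the same thing more clearly.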
active-directory Entitlement Management Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-overview.md
You can also read the [common scenarios](entitlement-management-scenarios.md), o
Entitlement management introduces to Azure AD the concept of an *access package*. An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task. Access packages are used to govern access for your internal employees, and also users outside your organization.
- Here are the types of resources you can manage user's access to with entitlement management:
+ Here are the types of resources you can manage user's access to, with entitlement management:
- Membership of Azure AD security groups - Membership of Microsoft 365 Groups and Teams
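Review bot: the `+` line inserts a comma that splits "manage users' access to with entitlement management" unnaturally and keeps the singular "user's" where the plural possessive is meant; suggest "Here are the types of resources you can manage users' access to with entitlement management:" with no comma.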
You can also control access to other resources that rely upon Azure AD security
With an access package, an administrator or delegated access package manager lists the resources (groups, apps, and sites), and the roles the users need for those resources.
-Access packages also include one or more *policies*. A policy defines the rules or guardrails for assignment to access package. Each policy can be used to ensure that only the appropriate users are able to request access, that there are approvers for their request, and that their access to those resources is time-limited and will expire if not renewed.
+Access packages also include one or more *policies*. A policy defines the rules or guardrails for assignment to access package. Each policy can be used to ensure that only the appropriate users are able to have access assignments, and the access is time-limited and will expire if not renewed.
![Access package and policies](./media/entitlement-management-overview/elm-overview-access-package.png)
-Within each policy, an administrator or access package manager defines
+You can have policies for users to request access. In these kinds of policies, an administrator or access package manager defines
- Either the already-existing users (typically employees or already-invited guests), or the partner organizations of external users, that are eligible to request access - The approval process and the users that can approve or deny access - The duration of a user's access assignment, once approved, before the assignment expires
+You can also have policies for users to be assigned access, either by an administrator or automatically.
+ The following diagram shows an example of the different elements in entitlement management. It shows one catalog with two example access packages. - **Access package 1** includes a single group as a resource. Access is defined with a policy that enables a set of users in the directory to request access.
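Review bot: "rules or guardrails for assignment to access package" on the `+` line (carried over from the `-` line) is missing an article and should read "assignment to an access package". The rewritten sentence also drops "that there are approvers for their request" from what a policy ensures, and approval reappears only in the new "You can have policies for users to request access" text; make explicit that the first sentence describes what every policy provides and that the bullets describe what request policies add, so the split between request policies and direct or automatic assignment policies reads as intended.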
active-directory How To Connect Fed Group Claims https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-fed-group-claims.md
Emit group names to be returned in `NetbiosDomain\sAMAccountName` format as the
"optionalClaims": { "saml2Token": [{ "name": "groups",
- "additionalProperties": ["netbios_name_and_sam_account_name", "emit_as_roles"]
+ "additionalProperties": ["netbios_domain_and_sam_account_name", "emit_as_roles"]
}], "idToken": [{ "name": "groups",
- "additionalProperties": ["netbios_name_and_sam_account_name", "emit_as_roles"]
+ "additionalProperties": ["netbios_domain_and_sam_account_name", "emit_as_roles"]
}] } ```
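Review bot: the `+` lines change the `additionalProperties` value to `netbios_domain_and_sam_account_name` in both the `saml2Token` and `idToken` entries, which matches the `NetbiosDomain\sAMAccountName` format the unchanged sentence above describes; since this is a literal the application manifest carries verbatim, grep the rest of this article and the companion group-claims pages for the old `netbios_name_and_sam_account_name` string so no sample keeps the mismatched value.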
Emit group names to be returned in `NetbiosDomain\sAMAccountName` format as the
- [Add authorization using groups & group claims to an ASP.NET Core web app (code sample)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) - [Assign a user or group to an enterprise app](../../active-directory/manage-apps/assign-user-or-group-access-portal.md)-- [Configure role claims](../../active-directory/develop/active-directory-enterprise-app-role-management.md)
+- [Configure role claims](../../active-directory/develop/active-directory-enterprise-app-role-management.md)
active-directory How To Connect Sync Staging Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-sync-staging-server.md
na Previously updated : 02/27/2018 Last updated : 5/18/2022
Most of the file is self-explanatory. Some abbreviations to understand the conte
* AMODT ΓÇô Attribute Modification Type. Indicates if the operation at an attribute level is an Add, Update, or delete. **Retrieve common identifiers**
-The export.csv file contains all changes that are about to be exported. Each row corresponds to a change for an object in the connector space and the object is identified by the DN attribute. The DN attribute is a unique identifier assigned to an object in the connector space. When you have many rows/changes in the export.csv to analyze, it may be difficult for you to figure out which objects the changes are for based on the DN attribute alone. To simplify the process of analyzing the changes, use the csanalyzer.ps1 PowerShell script. The script retrieves common identifiers (for example, displayName, userPrincipalName) of the objects. To use the script:
+The export.csv file contains all changes that are about to be exported. Each row corresponds to a change for an object in the connector space and the object is identified by the DN attribute. The DN attribute is a unique identifier assigned to an object in the connector space. When you have many rows/changes in the export.csv to analyze, it may be difficult for you to figure out which objects the changes are for based on the DN attribute alone. To simplify the process of analyzing the changes, use the `csanalyzer.ps1` PowerShell script. The script retrieves common identifiers (for example, displayName, userPrincipalName) of the objects. To use the script:
1. Copy the PowerShell script from the section [CSAnalyzer](#appendix-csanalyzer) to a file named `csanalyzer.ps1`. 2. Open a PowerShell window and browse to the folder where you created the PowerShell script. 3. Run: `.\csanalyzer.ps1 -xmltoimport %temp%\export.xml`.
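Review bot: the `+` line formats `csanalyzer.ps1` as code but the paragraph still says the changes to analyze are in `export.csv`, while step 3 on the next line runs the script with `-xmltoimport %temp%\export.xml`; say explicitly that the script reads the XML file named in its parameter help ("csexport 'Name of Connector' export.xml /f:x") and not the CSV, so readers do not pass the wrong file.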
Support for SQL AOA was added to Azure AD Connect in version 1.1.524.0. You must
## Appendix CSAnalyzer See the section [verify](#verify) on how to use this script.
-```
+```powershell
Param( [Parameter(Mandatory=$true, HelpMessage="Must be a file generated using csexport 'Name of Connector' export.xml /f:x)")] [string]$xmltoimport="%temp%\exportedStage1a.xml",
$resolvedXMLtoimport=Resolve-Path -Path ([Environment]::ExpandEnvironmentVariabl
#use an XmlReader to deal with even large files $result=$reader = [System.Xml.XmlReader]::Create($resolvedXMLtoimport)  $result=$reader.ReadToDescendant('cs-object')
-do 
+if($result)
{
- #create the object placeholder
- #adding them up here means we can enforce consistency
- $objOutputUser=New-Object psobject
- Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name ID -Value ""
- Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name Type -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name DN -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name operation -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name UPN -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name displayName -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name sourceAnchor -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name alias -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name primarySMTP -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name onPremisesSamAccountName -Value ""
- Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name mail -Value ""
-
- $user = [System.Xml.Linq.XElement]::ReadFrom($reader)
- if ($showOutput) {Write-Host Found an exported object... -ForegroundColor Green}
-
- #object id
- $outID=$user.Attribute('id').Value
- if ($showOutput) {Write-Host ID: $outID}
- $objOutputUser.ID=$outID
-
- #object type
- $outType=$user.Attribute('object-type').Value
- if ($showOutput) {Write-Host Type: $outType}
- $objOutputUser.Type=$outType
-
- #dn
- $outDN= $user.Element('unapplied-export').Element('delta').Attribute('dn').Value
- if ($showOutput) {Write-Host DN: $outDN}
- $objOutputUser.DN=$outDN
-
- #operation
- $outOperation= $user.Element('unapplied-export').Element('delta').Attribute('operation').Value
- if ($showOutput) {Write-Host Operation: $outOperation}
- $objOutputUser.operation=$outOperation
-
- #now that we have the basics, go get the details
-
- foreach ($attr in $user.Element('unapplied-export-hologram').Element('entry').Elements("attr"))
+ do 
{
- $attrvalue=$attr.Attribute('name').Value
- $internalvalue= $attr.Element('value').Value
-
- switch ($attrvalue)
+ #create the object placeholder
+ #adding them up here means we can enforce consistency
+ $objOutputUser=New-Object psobject
+ Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name ID -Value ""
+ Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name Type -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name DN -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name operation -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name UPN -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name displayName -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name sourceAnchor -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name alias -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name primarySMTP -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name onPremisesSamAccountName -Value ""
+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name mail -Value ""
+
+ $user = [System.Xml.Linq.XElement]::ReadFrom($reader)
+ if ($showOutput) {Write-Host Found an exported object... -ForegroundColor Green}
+
+ #object id
+ $outID=$user.Attribute('id').Value
+ if ($showOutput) {Write-Host ID: $outID}
+ $objOutputUser.ID=$outID
+
+ #object type
+ $outType=$user.Attribute('object-type').Value
+ if ($showOutput) {Write-Host Type: $outType}
+ $objOutputUser.Type=$outType
+
+ #dn
+ $outDN= $user.Element('unapplied-export').Element('delta').Attribute('dn').Value
+ if ($showOutput) {Write-Host DN: $outDN}
+ $objOutputUser.DN=$outDN
+
+ #operation
+ $outOperation= $user.Element('unapplied-export').Element('delta').Attribute('operation').Value
+ if ($showOutput) {Write-Host Operation: $outOperation}
+ $objOutputUser.operation=$outOperation
+
+ #now that we have the basics, go get the details
+
+ foreach ($attr in $user.Element('unapplied-export-hologram').Element('entry').Elements("attr"))
{
- "userPrincipalName"
- {
- if ($showOutput) {Write-Host UPN: $internalvalue}
- $objOutputUser.UPN=$internalvalue
- }
- "displayName"
- {
- if ($showOutput) {Write-Host displayName: $internalvalue}
- $objOutputUser.displayName=$internalvalue
- }
- "sourceAnchor"
- {
- if ($showOutput) {Write-Host sourceAnchor: $internalvalue}
- $objOutputUser.sourceAnchor=$internalvalue
- }
- "alias"
- {
- if ($showOutput) {Write-Host alias: $internalvalue}
- $objOutputUser.alias=$internalvalue
- }
- "proxyAddresses"
+ $attrvalue=$attr.Attribute('name').Value
+ $internalvalue= $attr.Element('value').Value
+
+ switch ($attrvalue)
{
- if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:","")}
- $objOutputUser.primarySMTP=$internalvalue -replace "SMTP:",""
+ "userPrincipalName"
+ {
+ if ($showOutput) {Write-Host UPN: $internalvalue}
+ $objOutputUser.UPN=$internalvalue
+ }
+ "displayName"
+ {
+ if ($showOutput) {Write-Host displayName: $internalvalue}
+ $objOutputUser.displayName=$internalvalue
+ }
+ "sourceAnchor"
+ {
+ if ($showOutput) {Write-Host sourceAnchor: $internalvalue}
+ $objOutputUser.sourceAnchor=$internalvalue
+ }
+ "alias"
+ {
+ if ($showOutput) {Write-Host alias: $internalvalue}
+ $objOutputUser.alias=$internalvalue
+ }
+ "proxyAddresses"
+ {
+ if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:","")}
+ $objOutputUser.primarySMTP=$internalvalue -replace "SMTP:",""
+ }
} }
- }
- $objOutputUsers += $objOutputUser
+ $objOutputUsers += $objOutputUser
- Write-Progress -activity "Processing ${xmltoimport} in batches of ${batchsize}" -status "Batch ${outputfilecount}: " -percentComplete (($objOutputUsers.Count / $batchsize) * 100)
+ Write-Progress -activity "Processing ${xmltoimport} in batches of ${batchsize}" -status "Batch ${outputfilecount}: " -percentComplete (($objOutputUsers.Count / $batchsize) * 100)
- #every so often, dump the processed users in case we blow up somewhere
- if ($count % $batchsize -eq 0)
- {
- Write-Host Hit the maximum users processed without completion... -ForegroundColor Yellow
+ #every so often, dump the processed users in case we blow up somewhere
+ if ($count % $batchsize -eq 0)
+ {
+ Write-Host Hit the maximum users processed without completion... -ForegroundColor Yellow
- #export the collection of users as a CSV
- Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow
- $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation
+ #export the collection of users as a CSV
+ Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow
+ $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation
- #increment the output file counter
- $outputfilecount+=1
+ #increment the output file counter
+ $outputfilecount+=1
- #reset the collection and the user counter
- $objOutputUsers = $null
- $count=0
- }
+ #reset the collection and the user counter
+ $objOutputUsers = $null
+ $count=0
+ }
- $count+=1
+ $count+=1
- #need to bail out of the loop if no more users to process
- if ($reader.NodeType -eq [System.Xml.XmlNodeType]::EndElement)
- {
- break
- }
+ #need to bail out of the loop if no more users to process
+ if ($reader.NodeType -eq [System.Xml.XmlNodeType]::EndElement)
+ {
+ break
+ }
-} while ($reader.Read)
+ } while ($reader.Read)
-#need to write out any users that didn't get picked up in a batch of 1000
-#export the collection of users as CSV
-Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow
-$objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation
+ #need to write out any users that didn't get picked up in a batch of 1000
+ #export the collection of users as CSV
+ Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow
+ $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation
+}
+else
+{
+ Write-Host "Imported XML file is empty. No work to do." -ForegroundColor Red
+}
``` ## Next steps
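Review bot: The loop condition `} while ($reader.Read)` that closes the restructured `do` block never calls the method: in PowerShell, `$reader.Read` without parentheses evaluates to the method's PSMethod object, which is always truthy, so the loop can only end through the `if ($reader.NodeType -eq [System.Xml.XmlNodeType]::EndElement) { break }` check. Since this commit already touches that line, change it to `} while ($reader.Read())`. Two smaller points in the same block: the batch reset `$objOutputUsers = $null` turns the collection into a scalar on the next `+=` (the `+=` after that can fail, and `.Count` in the `Write-Progress` call stops meaning "users in this batch"), so `$objOutputUsers = @()` is the safer reset; and the new `else` branch ("Imported XML file is empty. No work to do.") is a good addition, but its sibling comment "#need to write out any users that didn't get picked up in a batch of 1000" should reference `${batchsize}` rather than the hard-coded 1000, since the batch size is a parameter.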
active-directory Tshoot Connect Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/tshoot-connect-connectivity.md
This article explains how connectivity between Azure AD Connect and Azure AD wor
Azure AD Connect uses the MSAL library for authentication. The installation wizard and the sync engine proper require machine.config to be properly configured since these two are .NET applications. >[!NOTE]
->Azure AD Connect v1.6.xx.x uses the ADAL library. The ADAL library is being depricated and support will end in June 2022. Microsoft recommends that you upgrade to the latest version of [Azure AD Connect v2](whatis-azure-ad-connect-v2.md).
+>Azure AD Connect v1.6.xx.x uses the ADAL library. The ADAL library is being deprecated and support will end in June 2022. Microsoft recommends that you upgrade to the latest version of [Azure AD Connect v2](whatis-azure-ad-connect-v2.md).
In this article, we show how Fabrikam connects to Azure AD through its proxy. The proxy server is named fabrikamproxy and is using port 8080.
active-directory Concept Identity Protection B2b https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-b2b.md
From the [Risky users report](https://portal.azure.com/#blade/Microsoft_AAD_IAM/
### Manually dismiss user's risk
-If password reset is not an option for you from the Azure AD portal, you can choose to manually dismiss user risk. This process will cause the user to no longer be at risk, but does not have any impact on the existing password. It is important that you change the user's password using whatever means are available to you in order to bring the identity back to a safe state.
+If password reset is not an option for you from the Azure AD portal, you can choose to manually dismiss user risk. Dismissing user risk does not have any impact on the user's existing password, but this process will change the user's Risk State from At Risk to Dismissed. It is important that you change the user's password using whatever means are available to you in order to bring the identity back to a safe state.
To dismiss user risk, go to the [Risky users report](https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskyUsers) in the Azure AD Security menu. Search for the impacted user using the 'User' filter and click on the user. Click on "dismiss user risk" option from the top toolbar. This action may take a few minutes to complete and update the user risk state in the report.
Excluding B2B users from your organization's risk-based Conditional Access polic
See the following articles on Azure AD B2B collaboration: -- [What is Azure AD B2B collaboration?](../external-identities/what-is-b2b.md)
+- [What is Azure AD B2B collaboration?](../external-identities/what-is-b2b.md)
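Review bot: The rewritten sentence in "Manually dismiss user's risk" now states that dismissal changes the Risk State from At Risk to Dismissed without touching the password, but the paragraph still leaves the ordering implicit; recommend changing the password before dismissing the risk, so the account never sits in the Dismissed state while the credential that triggered the risk is still in use. In the following paragraph the UI labels are quoted inconsistently ('User' filter, "dismiss user risk"); use bold for both as the other articles in this batch do.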
active-directory F5 Aad Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-aad-integration.md
Refer to the following guided configuration tutorials using Easy Button template
- [F5 BIG-IP Easy Button for SSO to header-based and LDAP applications](f5-big-ip-ldap-header-easybutton.md) -- [BIG-IP Easy Button for SSO to Oracle EBS (Enterprise Business Suite)](f5-big-ip-oracle-enterprise-business-suite-easy-button.md)
+- [F5-BIG-IP Easy Button for SSO to Oracle EBS (Enterprise Business Suite)](f5-big-ip-oracle-enterprise-business-suite-easy-button.md)
-- [BIG-IP Easy Button for SSO to Oracle JD Edwards](f5-big-ip-oracle-jde-easy-button.md)
+- [F5-BIG-IP Easy Button for SSO to Oracle JD Edwards](f5-big-ip-oracle-jde-easy-button.md)
-- [BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md)
+- [F5-BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md)
## Azure AD B2B guest access Azure AD B2B guest access to SHA protected applications is also possible, but some scenarios may require some additional steps not covered in the tutorials. One example is Kerberos SSO, where a BIG-IP will perform kerberos constrained delegation (KCD) to obtain a service ticket from domain contollers. Without a local representation of a guest user exisiting locally, a domain controller will fail to honour the request on the basis that the user does not exist. To support this scenario, you would need to ensure external identities are flowed down from your Azure AD tenant to the directory used by the application. See [Grant B2B users in Azure AD access to your on-premises applications](../external-identities/hybrid-cloud-to-on-premises.md) for guidance.
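Review bot: The three renamed bullets now read "F5-BIG-IP Easy Button", hyphenated, while the unchanged first bullet still reads "F5 BIG-IP Easy Button" and the guest access paragraph below uses "a BIG-IP"; pick one product spelling and apply it to all four bullets. While here, that paragraph has "contollers" and "exisiting", and "kerberos constrained delegation" should capitalize Kerberos.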
active-directory Powershell Export Apps With Secrets Beyond Required https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-secrets-beyond-required.md
This PowerShell script example exports all app registrations secrets and certifi
## Script explanation This script is working non-interactively. The admin using it will need to change the values in the "#PARAMETERS TO CHANGE" section with their own App ID, Application Secret, Tenant Name, the period for the apps credentials expiration and the Path where the CSV will be exported.
-This script uses the [Client_Credential Oauth Flow](../../develop/v2-oauth2-client-creds-grant-flow.md)
+This script uses the [Client_Credential Oauth Flow](../../develop/v2-oauth2-client-creds-grant-flow.md)
The function "RefreshToken" will build the access token based on the values of the parameters modified by the admin. The "Add-Member" command is responsible for creating the columns in the CSV file. | Command | Notes | |||
-| [Invoke-WebRequest](/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.1&preserve-view=true) | Sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. |
+| [Invoke-WebRequest](/powershell/module/microsoft.powershell.utility/invoke-webrequest) | Sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. |
## Next steps
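Review bot: The "Script explanation" paragraph tells the admin to paste an Application Secret into the "#PARAMETERS TO CHANGE" section of a script that runs non-interactively, but says nothing about protecting that value; add a sentence recommending that the secret be read from an environment variable or a secrets store rather than saved in the script file, and that the app registration used to run it be granted only the read permission the export needs. Separately, "Client_Credential Oauth Flow" should read "client credentials OAuth 2.0 flow" to match the linked article; the `Invoke-WebRequest` link change itself is fine.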
active-directory Concept Privileged Access Versus Role Assignable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/concept-privileged-access-versus-role-assignable.md
na Previously updated : 12/16/2021 Last updated : 05/18/2022
Privileged Identity Management (PIM) supports the ability to enable privileged a
## What are Azure AD role-assignable groups?
-Azure AD lets you assign a cloud Azure AD security group to an Azure AD role. Global Administrators and Privileged Role Administrators must create a new security group and make the group role-assignable at creation time. Only users in the Global Administrator, Privileged Role Administrator, or the group's Owner roles can change the membership of the group. Also, no other users can reset the password of the users who are members of the group. This feature helps prevent admins from elevating to a higher privileged role without going through a request and approval procedure.
+Azure Active Directory (Azure AD) lets you assign a cloud Azure AD security group to an Azure AD role. A Global Administrator or Privileged Role Administrator must create a new security group and make the group role-assignable at creation time. Only the Global Administrator, Privileged Role Administrator, or the group Owner role assignments can change the membership of the group. Also, no other users can reset the password of the users who are members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.
## What are Privileged Access groups?
Privileged Access groups enable users to elevate to the owner or member role of
>[!Note] >For privileged access groups used for elevating into Azure AD roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from less-privileged administrators. For example, the Helpdesk Administrator has permission to reset an eligible user's passwords.
-## When to use each type of group
+## When to use a role-assignable group
You can set up just-in-time access to permissions and roles beyond Azure AD and Azure Resource. If you have other resources whose authorization can be connected to an Azure AD security group (for Azure Key Vault, Intune, Azure SQL, or other apps and services), you should enable privileged access on the group and assign users as eligible for membership in the group.
-If you want to assign a group to an Azure AD or Azure Resource role and require elevation through a PIM process, there are two ways to do it:
+If you want to assign a group to an Azure AD or Azure Resource role and require elevation through a PIM process, there's only one way to do it:
-- **Assign the group persistently to a role**. You then grant users eligible member access to the group in PIM. Each eligible user must then activate their membership to get into the group that is permanently assigned to the role. This path requires a role-assignable group to be enabled in PIM as a privileged access group for the Azure AD role.-- **Assign the group as eligible for a role** through PIM. Everyone in the group gets access to the role assignment at once when the group's assignment is activated. This path requires a role-assignable group for the Azure AD role, and a security group for Azure resources.
+- **Assign the group persistently to a role**. Then, in PIM, you can grant users eligible role assignments to the group. Each eligible user must activate their role assignment to become members of the group, and activation is subject to approval policies. This path requires a role-assignable group to be enabled in PIM as a privileged access group for the Azure AD role.
- ![Diagram showing two ways to assign role using privileged access groups in PIM.](./media/concept-privileged-access-versus-role-assignable/concept-privileged-access.png)
-
-Method one allows maximum granularity of permissions, and method two allows simple, one-step activation for a group of users. Either of these methods will work for the end-to-end scenario. We recommend that you use the second method in most cases. You should use the first method only if you are trying to:
+This method allows maximum granularity of permissions. Use this method to:
- Assign a group to multiple Azure AD or Azure resource roles and have users activate once to get access to multiple roles.-- Maintain different activation policies for different sets of users to access an Azure AD or Azure resource role. For example, if you want some users to be approved before becoming a Global Administrator while allowing other users to be auto-approved, you can set up two privileged access groups, assign them both persistently (a "permanent" assignment in Privileged Identity Management) to the Global Administrator role and then use a different activation policy for the member role for each group.
+- Maintain different activation policies for different sets of users to access an Azure AD or Azure resource role. For example, if you want some users to be approved before becoming a Global Administrator while allowing other users to be auto-approved, you could set up two privileged access groups, assign them both persistently (a "permanent" assignment in Privileged Identity Management) to the Global Administrator role and then use a different activation policy for the Member role for each group.
## Next steps
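Review bot: The lead-in now says "there's only one way to do it:" and is followed by a single-bullet list, and the next paragraph still opens "This method allows maximum granularity of permissions", a comparison that only made sense against the second method this commit removes. Fold the bullet into the sentence (for example, "assign the group persistently to the role, then grant users eligible role assignments to the group in PIM") and replace "maximum granularity" with a plain statement of what the approach gives you, such as per-user activation subject to approval policies. The removed diagram alt text described "two ways to assign role"; confirm the image under media/concept-privileged-access-versus-role-assignable/ is deleted as well so it does not go stale.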
active-directory Pim How To Change Default Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
You can require that users enter a business justification when they activate. To
## Require ticket information on activation
-If your organization uses a ticketing system to track help desk items or change requests for your enviornment, you can select the **Require ticket information on activation** box to require the elevation request to contain the name of the ticketing system (optional, if your organization uses multiple systems) and the ticket number that prompted the need for role activation.
+If your organization uses a ticketing system to track help desk items or change requests for your environment, you can select the **Require ticket information on activation** box to require the elevation request to contain the name of the ticketing system (optional, if your organization uses multiple systems) and the ticket number that prompted the need for role activation.
## Require approval to activate
If setting multiple approvers, approval completes as soon as one of them approve
1. Select **Update** to save your changes.
+## Manage role settings through Microsoft Graph
+
+To manage settings for Azure AD roles through Microsoft Graph, use the [unifiedRoleManagementPolicy resource type and related methods](/graph/api/resources/unifiedrolemanagementpolicy).
+
+In Microsoft Graph, role settings are referred to as rules and they're assigned to Azure AD roles through container policies. Each Azure AD role is assigned a specific policy object. You can retrieve all policies that are scoped to Azure AD roles and for each policy, retrieve the associated collection of rules through an `$expand` query parameter. The syntax for the request is as follows:
+
+```http
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'&$expand=rules
+```
+
+Rules are grouped into containers. The containers are further broken down into rule definitions that are identified by unique IDs for easier management. For example, a **unifiedRoleManagementPolicyEnablementRule** container exposes three rule definitions identified by the following unique IDs.
+++ `Enablement_Admin_Eligibility` - Rules that apply for admins to carry out operations on role eligibilities. For example, whether justification is required, and whether for all operations (for example, renewal, activation, or deactivation) or only for specific operations.++ `Enablement_Admin_Assignment` - Rules that apply for admins to carry out operations on role assignments. For example, whether justification is required, and whether for all operations (for example, renewal, deactivation, or extension) or only for specific operations.++ `Enablement_EndUser_Assignment` - Rules that apply for principals to enable their assignments. For example, whether multifactor authentication is required.++
+To update these rule definitions, use the [update rules API](/graph/api/unifiedrolemanagementpolicyrule-update). For example, the following request specifies an empty **enabledRules** collection, therefore deactivating the enabled rules for a policy, such as multifactor authentication, ticketing information and justification.
+
+```http
+PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448/rules/Enablement_EndUser_Assignment
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_EndUser_Assignment",
+ "enabledRules": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+}
+```
+
+You can retrieve the collection of rules that are applied to all Azure AD roles or a specific Azure AD role through the [unifiedroleManagementPolicyAssignment resource type and related methods](/graph/api/resources/unifiedrolemanagementpolicyassignment). For example, the following request uses the `$expand` query parameter to retrieve the rules that are applied to an Azure AD role identified by **roleDefinitionId** or **templateId** `62e90394-69f5-4237-9190-012177145e10`.
+
+```http
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&$expand=policy($expand=rules)
+```
+
+For more information about managing role settings through PIM, see [Role settings and PIM](/graph/api/resources/privilegedidentitymanagementv3-overview#role-settings-and-pim).
+ ## Next steps - [Assign Azure AD roles in Privileged Identity Management](pim-how-to-add-role-to-user.md)
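Review bot: The PATCH example against `.../rules/Enablement_EndUser_Assignment` sends `"enabledRules": []`, which removes the multifactor authentication, justification and ticketing requirements from end-user activation for that role, yet the text introduces it as a neutral "for example". Say explicitly that an empty collection weakens the activation policy, and lead with the populated form (`"enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"]`) so the copy-paste path is the hardening one. The request also needs a `Content-Type: application/json` header line above the body, as Graph rejects JSON bodies without it. Two style points: the three rule-ID bullets (`Enablement_Admin_Eligibility`, `Enablement_Admin_Assignment`, `Enablement_EndUser_Assignment`) have run together onto one line and should be a proper list, and "unifiedroleManagementPolicyAssignment" should be cased "unifiedRoleManagementPolicyAssignment" like the resource type above it.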
active-directory Pim Resource Roles Configure Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md
na Previously updated : 10/07/2021 Last updated : 05/24/2022
Select an alert to see a report that lists the users or roles that triggered the
## Alerts
-| Alert | Severity | Trigger | Recommendation |
-| | | | |
-| **Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles. |
-| **Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use. |
-| **Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles. |
+Alert | Severity | Trigger | Recommendation
+ | | |
+**Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles.
+**Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use.
+**Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles.
+**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management.
+
+> [!Note]
+> During the public preview of the **Roles are being assigned outside of Privileged Identity Management (Preview)** alert, Microsoft supports only permissions that are assigned at the subscription level.
### Severity
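Review bot: The new row "Roles are being assigned outside of Privileged Identity Management (Preview)" has "Privilege Identity Management" in its Recommendation cell and its Trigger cell lacks the terminating period the other rows have. Because this alert is the only High severity one in the table and its trigger is an out-of-band assignment through the IAM blade or the Azure Resource Manager API, the recommendation should also tell the reader to check who made the assignment (activity log) before removing it, since the assignment itself may be the finding worth investigating. The restructure drops the leading and trailing `|` from every row; confirm the separator row still carries its dashes, otherwise the table will not render.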
active-directory Administrative Units https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/administrative-units.md
Previously updated : 03/22/2022 Last updated : 05/24/2022
The following sections describe current support for administrative unit scenario
| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center | | | :: | :: | :: |
-| Create or delete administrative units | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Add or remove members individually | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| Add or remove members in bulk by using CSV files | :x: | :heavy_check_mark: | No plan to support |
-| Assign administrative unit-scoped administrators | :heavy_check_mark: | :heavy_check_mark: | :x: |
+| Create or delete administrative units | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Add or remove members individually | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Add or remove members in bulk | :x: | :heavy_check_mark: | :heavy_check_mark: |
+| Assign administrative unit-scoped administrators | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Add or remove users or devices dynamically based on rules (Preview) | :heavy_check_mark: | :heavy_check_mark: | :x: | | Add or remove groups dynamically based on rules | :x: | :x: | :x: |
The following sections describe current support for administrative unit scenario
| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center | | | :: | :: | :: |
-| Administrative unit-scoped management of group properties and membership | :heavy_check_mark: | :heavy_check_mark: | :x: |
+| Administrative unit-scoped creation and deletion of groups | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Administrative unit-scoped management of group properties and membership | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Administrative unit-scoped management of group licensing | :heavy_check_mark: | :heavy_check_mark: | :x: | > [!NOTE]
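Review bot: In the "Add or remove members in bulk" row the Microsoft 365 admin center column moves from "No plan to support" to a check mark and the row no longer mentions CSV files, but the Microsoft Graph/PowerShell column still shows :x: while the row directly above marks individual add/remove as supported there. Either say that "bulk" means the CSV upload experience, or mark the API column as supported through scripted per-member calls; as written, readers automating membership will assume it cannot be done from PowerShell.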
active-directory Custom Group Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-group-permissions.md
Title: Group management permissions for Azure AD custom roles (Preview) - Azure Active Directory
-description: Group management permissions for Azure AD custom roles (Preview) in the Azure portal, PowerShell, or Microsoft Graph API.
+ Title: Group management permissions for Azure AD custom roles - Azure Active Directory
+description: Group management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API.
Previously updated : 10/26/2021 Last updated : 05/24/2022
-# Group management permissions for Azure AD custom roles (Preview)
-
-> [!IMPORTANT]
-> Group management permissions for Azure AD custom roles are currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+# Group management permissions for Azure AD custom roles
Group management permissions can be used in custom role definitions in Azure Active Directory (Azure AD) to grant fine-grained access such as the following:
Group management permissions can be used in custom role definitions in Azure Act
This article lists the permissions you can use in your custom roles for different group management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md).
-> [!NOTE]
-> Assigning custom roles at a group scope using the Azure portal is currently available **only** for Azure AD Premium P1.
+## License requirements
+ ## How to interpret group management permissions
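Review bot: The new "## License requirements" heading at the end of this hunk has no body: the removed note ("Assigning custom roles at a group scope using the Azure portal is currently available only for Azure AD Premium P1") was the article's only licensing statement and nothing replaces it, so the section reads as a broken include immediately followed by "## How to interpret group management permissions". Either restore the licensing statement under the heading, updated for general availability, or add the intended include directive. The preview removal in the title, description and H1 is consistent; the "## How to interpret" line gained a leading space that should be dropped.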
active-directory My Staff Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/my-staff-configure.md
Previously updated : 03/11/2021 Last updated : 05/18/2021
Before you configure My Staff for your organization, we recommend that you revie
## How My Staff works
-My Staff is based on administrative units, which are a container of resources which can be used to restrict the scope of a role assignment's administrative control. For more information, see [Administrative units management in Azure Active Directory](administrative-units.md). In My Staff, administrative units can used to contain a group of users in a store or department. A team manager can then be assigned to an administrative role at a scope of one or more units.
+My Staff is based on administrative units, which are a container of resources which can be used to restrict the scope of a role assignment's administrative control. For more information, see [Administrative units management in Azure Active Directory](administrative-units.md). In My Staff, administrative units can be used to contain a group of users in a store or department. A team manager can then be assigned to an administrative role at a scope of one or more units.
## Before you begin
To complete this article, you need the following resources and privileges:
Once you have configured administrative units, you can apply this scope to your users who access My Staff. Only users who are assigned an administrative role can access My Staff. To enable My Staff, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) as a User Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) as a Global Administrator, User Administrator, or Group Administrator.
1. Select **Azure Active Directory** > **User settings** > **User feature ** > **Manage user feature settings**.
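Review bot: `Last updated : 05/18/2021` in this file's metadata predates the rest of the batch (the other files in this update set carry 05/2022 dates) and is almost certainly meant to be 05/18/2022. In the sign-in step, the role list now reads "Global Administrator, User Administrator, or Group Administrator"; state which of these is the minimum required to enable My Staff, so admins are not steered toward Global Administrator when a lesser role suffices. The "How My Staff works" sentence keeps a doubled "which": "a container of resources which can be used" should read "that can be used".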
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/permissions-reference.md
Previously updated : 04/03/2022 Last updated : 05/20/2022
Users in this role can read and update basic information of users, groups, and s
> | microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials | > | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning syncronization jobs | > | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning syncronization jobs and schema |
-> | microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions | Grant a service principal direct access to a group's data |
> | microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments | > | microsoft.directory/users/assignLicense | Manage user licenses | > | microsoft.directory/users/create | Add users |
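Review bot: Removing `microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions` from this role's permission list (and again from the Global Administrator list at the end of this file) changes what the role is documented to do; the commit should say whether the permission was withdrawn from the built-in role or was listed in error, because admins who rely on it for group-scoped consent need to know which. The unchanged neighbouring rows spell "syncronization" twice.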
Users with this role have access to all administrative features in Azure Active
> | microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD | > | microsoft.directory/policies/allProperties/allTasks | Create and delete policies, and read and update all properties | > | microsoft.directory/conditionalAccessPolicies/allProperties/allTasks | Manage all properties of conditional access policies |
-> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |
+> | microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks | Manage all aspects of cross-tenant access policies |
> | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management | > | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs | > | microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
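Review bot: The fifteen removed `microsoft.directory/crossTenantAccessPolicy/...` rows are replaced by the single `microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks` row, whose description ("Manage all aspects of cross-tenant access policies") no longer names the capabilities the old rows spelled out (tenant restrictions, B2B direct connect, cross-cloud Teams meeting settings for the default and partner policies), so a reader checking whether this role still covers those settings has nothing to match on. Consider keeping a sentence that says the consolidated action covers the default and partner policy settings, and noting the rename from the singular `crossTenantAccessPolicy` namespace to the plural `crossTenantAccessPolicies`, so that a search for one of the old action names still lands on the replacement.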
Users with this role have access to all administrative features in Azure Active
> | microsoft.directory/serviceAction/getAvailableExtentionProperties | Can perform the getAvailableExtentionProperties service action | > | microsoft.directory/servicePrincipals/allProperties/allTasks | Create and delete service principals, and read and update all properties | > | microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin | Grant consent for any permission to any application |
-> | microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions | Grant a service principal direct access to a group's data |
> | microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal | > | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties | > | microsoft.directory/subscribedSkus/allProperties/allTasks | Buy and manage subscriptions and delete subscriptions |
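Review bot: `microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions` is removed from this role with no replacement row, and the same row is dropped from the groups-management and Teams workload roles further down in this change. Because this action lets the role holder grant a service principal direct access to a group's data, the page should state whether the action has been withdrawn or merely moved, so that readers auditing who can grant application access to group data are not left to infer it from the diff; a one-line note in the role description would do.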
Users with this role have access to all administrative features in Azure Active
> | microsoft.directory/verifiableCredentials/configuration/delete | Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials | > | microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials | > | microsoft.directory/verifiableCredentials/configuration/allProperties/update | Update configuration required to create and manage verifiable credentials |
+> | microsoft.directory/lifecycleManagement/workflows/allProperties/allTasks | Manage all aspects of lifecycle management workflows and tasks in Azure AD |
> | microsoft.azure.advancedThreatProtection/allEntities/allTasks | Manage all aspects of Azure Advanced Threat Protection | > | microsoft.azure.informationProtection/allEntities/allTasks | Manage all aspects of Azure Information Protection | > | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
Users in this role can read settings and administrative information across Micro
> | microsoft.directory/permissionGrantPolicies/standard/read | Read standard properties of permission grant policies | > | microsoft.directory/policies/allProperties/read | Read all properties of policies | > | microsoft.directory/conditionalAccessPolicies/allProperties/read | Read all properties of conditional access policies |
-> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
+> | microsoft.directory/crossTenantAccessPolicies/allProperties/read | Read all properties of cross-tenant access policies |
> | microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies | > | microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies | > | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
Users in this role can read settings and administrative information across Micro
> | microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read | Read a verifiable credential card | > | microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read | Read a verifiable credential contract | > | microsoft.directory/verifiableCredentials/configuration/allProperties/read | Read configuration required to create and manage verifiable credentials |
+> | microsoft.directory/lifecycleManagement/workflows/allProperties/read | Read all properties of lifecycle management workflows and tasks in Azure AD |
> | microsoft.cloudPC/allEntities/allProperties/read | Read all aspects of Windows 365 | > | microsoft.commerce.billing/allEntities/read | Read all resources of Office 365 billing | > | microsoft.edge/allEntities/allProperties/read | Read all aspects of Microsoft Edge |
Users in this role can create/manage groups and its settings like naming and exp
> | microsoft.directory/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/settings/update | Update settings of groups | > | microsoft.directory/groups/visibility/update | Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups |
-> | microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions | Grant a service principal direct access to a group's data |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health | > | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets | > | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
Azure Advanced Threat Protection | Monitor and respond to suspicious security ac
> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties | > | microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy | > | microsoft.directory/bitlockerKeys/key/read | Read bitlocker metadata and key on devices |
-> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |
+> | microsoft.directory/crossTenantAccessPolicies/create | Create cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/delete | Delete cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/standard/read | Read basic properties of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/owners/read | Read owners of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/policyAppliedTo/read | Read the policyAppliedTo property of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/basic/update | Update basic properties of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/owners/update | Update owners of cross-tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/tenantDefault/update | Update the default tenant for cross-tenant access policies |
> | microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management |
-> | microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks | Manage hybrid authentication policy in Azure AD |
> | microsoft.directory/identityProtection/allProperties/read | Read all resources in Azure AD Identity Protection | > | microsoft.directory/identityProtection/allProperties/update | Update all resources in Azure AD Identity Protection |
-> | microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD |
> | microsoft.directory/policies/create | Create policies in Azure AD | > | microsoft.directory/policies/delete | Delete policies in Azure AD | > | microsoft.directory/policies/basic/update | Update basic properties on policies |
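Review bot: Besides the cross-tenant policy rename, this hunk silently drops `microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks` and `microsoft.directory/passwordHashSync/allProperties/allTasks` from the role with no replacement, while the Global Administrator hunk above still carries the password hash synchronization action as unchanged context. A narrowing of a privileged role's documented scope should be called out in the role description rather than left to diff readers. Please also confirm the read side is intended: this role receives only `crossTenantAccessPolicies/standard/read` plus `owners/read` and `policyAppliedTo/read`, whereas the Global Reader hunk receives `crossTenantAccessPolicies/allProperties/read`, which looks inverted for a role that can also create, delete and update these policies.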
Users in this role can manage all aspects of the Microsoft Teams workload via th
> | microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
-> | microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions | Grant a service principal direct access to a group's data |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health | > | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets | > | microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
Users in this role can manage all aspects of the Microsoft Teams workload via th
> | microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center | > | microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams |
-> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |
## Teams Communications Administrator
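Review bot: The fifteen `microsoft.directory/crossTenantAccessPolicy/...` rows at the end of the Teams workload role's table are removed with no `crossTenantAccessPolicies/...` rows added in their place, unlike the Global Administrator, Global Reader and security role hunks above, where the removed rows are replaced by consolidated entries. Please confirm whether this role is meant to lose cross-tenant access policy management (in which case its description should say so) or whether the replacement rows were left out of this hunk.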
active-directory Alinto Protect Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/alinto-protect-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Alinto Protect for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Alinto Protect.
++
+writer: twimmers
+
+ms.assetid: cc47804c-2d00-402f-8aa5-b6155a81d78d
++++ Last updated : 05/15/2022+++
+# Tutorial: Configure Alinto Protect for automatic user provisioning
+
+This tutorial describes the steps you need to do in both Alinto Protect and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Alinto Protect](https://www.alinto.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
++
+## Capabilities supported
+> [!div class="checklist"]
+> * Create users in Alinto Protect
+> * Remove users in Alinto Protect when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Alinto Protect
+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Alinto Protect (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Alinto Protect with Admin permission
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Alinto Protect](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure Alinto Protect to support provisioning with Azure AD
+
+Contact [Alinto Protect Support](https://www.alinto.com/contact-email-provider/) to configure Alinto to support provisioning with Azure AD.
+
+## Step 3. Add Alinto Protect from the Azure AD application gallery
+
+Add Alinto Protect from the Azure AD application gallery to start managing provisioning to Alinto Protect. If you have previously setup Alinto Protect for SSO, you can use the same application. However it's recommended you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user and group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
++
+## Step 5. Configure automatic user provisioning to Alinto Protect
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Alinto Protect based on user and group assignments in Azure AD.
+
+### To configure automatic user provisioning for Alinto Protect in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **Alinto Protect**.
+
+ ![The Alinto Protect link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, input your Alinto Protect Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Alinto Protect. If the connection fails, ensure your Alinto Protect account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Alinto Protect**.
+
+1. Review the user attributes that are synchronized from Azure AD to Alinto Protect in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Alinto Protect for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Alinto Protect API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|Required by Alinto Protect|
+ |||||
+ |userName|String|&check;|&check;
+ |active|Boolean||&check;
+ |name.givenName|String||
+ |name.familyName|String||
+ |externalId|String||
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for Alinto Protect, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users and groups that you would like to provision to Alinto Protect by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you're ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to complete than next cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
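Review bot: Step 5 asks the reader to enter an Alinto Protect Tenant URL and Secret Token, but Step 2 only says to contact Alinto Protect Support and never states where either value comes from, and nothing on the page says how that token is replaced or revoked once issued; add at least a sentence saying that support supplies the SCIM endpoint and token and how to rotate it. The Capabilities list covers users only and the Mappings step offers only `Synchronize Azure Active Directory Users to Alinto Protect`, yet the Step 5 introduction, the Scope step and the closing paragraph speak of "users and groups"; align that wording with what is actually provisioned. Minor wording in Step 3: "previously setup" should be "previously set up", and "However it's recommended" needs a comma after "However".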
active-directory Cerby Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cerby-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Cerby for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cerby.
++
+writer: twimmers
+
+ms.assetid: 465492d5-4f75-4201-bed4-f45b3be18702
++++ Last updated : 05/15/2022+++
+# Tutorial: Configure Cerby for automatic user provisioning
+
+This tutorial describes the steps you need to do in both Cerby and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Cerby](https://app.cerby.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
++
+## Capabilities supported
+> [!div class="checklist"]
+> * Create users in Cerby
+> * Remove users in Cerby when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Cerby
+> * [Single sign-on](cerby-tutorial.md) to Cerby (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Cerby with the Workspace Owner role.
+* The Cerby SAML2-based integration must be set up. Follow the instructions in the [How to Configure the Cerby App Gallery SAML App with Your Azure AD Tenant](https://help.cerby.com/en/articles/5457563-how-to-configure-the-cerby-app-gallery-saml-app-with-your-azure-ad-tenant) article to set up the integration.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Cerby](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure Cerby to support provisioning with Azure AD
+Cerby has enabled by default the provisioning support for Azure AD. You must only retrieve the SCIM API authentication token by completing the following steps:
+
+1. Log in to your corresponding [Cerby workspace](https://app.cerby.com/).
+1. Click the **Hi there < user >!** button located at the bottom of the left side navigation menu. A drop-down menu is displayed.
+1. Select the **Workspace Configuration** option related to your account from the drop-down menu. The **Workspace Configuration** page is displayed.
+1. Activate the **IDP Settings** tab.
+1. Click the **View Token** button located in the **Directory Sync** section of the **IDP Settings** tab. A pop-up window is displayed waiting to confirm your identity, and a push notification is sent to your Cerby mobile application.
+**IMPORTANT:** To confirm your identity, you must have installed and logged in to the Cerby mobile application to receive push notifications.
+1. Click the **It's me!** button in the **Confirmation Request** screen of your Cerby mobile application to confirm your identity. The pop-up window in your Cerby workspace is closed, and the **Show Token** pop-up window is displayed.
+1. Click the **Copy** button to copy the SCIM token to the clipboard.
+
+ >[!TIP]
+ >Keep the **Show Token** pop-up window open to copy the token at any time. You need the token to configure provisioning with Azure AD.
+
+## Step 3. Add Cerby from the Azure AD application gallery
+
+Add Cerby from the Azure AD application gallery to start managing provisioning to Cerby. If you have previously setup Cerby for SSO, you can use the same application. However it's recommended you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user and group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
++
+## Step 5. Configure automatic user provisioning to Cerby
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Cerby based on user and group assignments in Azure AD.
+
+### To configure automatic user provisioning for Cerby in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **Cerby**.
+
+ ![The Cerby link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, input `https://api.cerby.com/v1/scim/v2` as your Cerby Tenant URL and the SCIM API authentication token that you have previously retrieved.
+
+1. Click **Test Connection** to ensure Azure AD can connect to Cerby. If the connection fails, ensure your Cerby account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Cerby**.
+
+1. Review the user attributes that are synchronized from Azure AD to Cerby in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the user accounts in Cerby for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Cerby API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|Required by Cerby|
+ |||||
+ |userName|String|&check;|&check;
+ |emails[type eq "work"].value|String|&check;|&check;
+ |active|Boolean||&check;
+ |name.givenName|String||&check;
+ |name.familyName|String||&check;
+ |externalId|String||
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for Cerby, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users and groups that you would like to provision to Cerby by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you're ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to complete than next cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
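Review bot: in the Admin Credentials step ("input `https://api.cerby.com/v1/scim/v2` as your Cerby Tenant URL and the SCIM API authentication token that you have previously retrieved"), name the field the token goes into (the field next to **Tenant URL** is **Secret Token**) so readers know where to paste it, and say plainly that the token is a credential that grants user-lifecycle rights in Cerby and should be stored accordingly. Minor: "The initial cycle takes longer to complete than next cycles" should read "than subsequent cycles".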
active-directory Chronus Saml Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/chronus-saml-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Chronus SAML'
+description: Learn how to configure single sign-on between Azure Active Directory and Chronus SAML.
++++++++ Last updated : 05/18/2022+++
+# Tutorial: Azure AD SSO integration with Chronus SAML
+
+In this tutorial, you'll learn how to integrate Chronus SAML with Azure Active Directory (Azure AD). When you integrate Chronus SAML with Azure AD, you can:
+
+* Control in Azure AD who has access to Chronus SAML.
+* Enable your users to be automatically signed-in to Chronus SAML with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Chronus SAML single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Chronus SAML supports **SP and IDP** initiated SSO.
+* Chronus SAML supports **Just In Time** user provisioning.
+
+## Add Chronus SAML from the gallery
+
+To configure the integration of Chronus SAML into Azure AD, you need to add Chronus SAML from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Chronus SAML** in the search box.
+1. Select **Chronus SAML** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Chronus SAML
+
+Configure and test Azure AD SSO with Chronus SAML using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Chronus SAML.
+
+To configure and test Azure AD SSO with Chronus SAML, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Chronus SAML SSO](#configure-chronus-saml-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Chronus SAML test user](#create-chronus-saml-test-user)** - to have a counterpart of B.Simon in Chronus SAML that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Chronus SAML** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** textbox, type a value using the following pattern:
+ `<CustomerName>.domain.extension`
+
+ b. In the **Reply URL** textbox, type a URL using the following pattern:
+ `https://<CustomerName>.domain.extension/session`
+
+1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<CustomerName>.domain.extension/session`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Chronus SAML Client support team](mailto:support@chronus.com) to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
+
+1. On the **Set up Chronus SAML** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate U R L's.](common/copy-configuration-urls.png "Attributes")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Chronus SAML.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Chronus SAML**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Chronus SAML SSO
+
+To configure single sign-on on Chronus SAML side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Chronus SAML support team](mailto:support@chronus.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Chronus SAML test user
+
+In this section, a user called B.Simon is created in Chronus SAML. Chronus SAML supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Chronus SAML, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Chronus SAML Sign on URL where you can initiate the login flow.
+
+* Go to Chronus SAML Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Chronus SAML for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Chronus SAML tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Chronus SAML for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+
+## Next steps
+
+Once you configure Chronus SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
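Review bot: the headings under `## Test SSO` jump from h2 straight to h4 (`#### SP initiated:` and `#### IDP initiated:`); use `###` so the outline is well-formed, and drop the trailing colons. In "Configure Chronus SAML SSO", "They set this setting to have the SAML SSO connection set properly on both sides" is awkward; suggest "The Chronus support team configures their side so that the SAML SSO connection works end to end." Because just-in-time provisioning is on by default, app assignment in Azure AD is what decides who gets a Chronus account; saying so in the "Create Chronus SAML test user" section would make the access-control point explicit. Also, the apostrophe in `organizationΓÇÖs` in the Next steps paragraph is mojibake as rendered; check the source is UTF-8 and uses a plain `'`.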
active-directory Clebex Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/clebex-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Clebex | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Clebex'
description: Learn how to configure single sign-on between Azure Active Directory and Clebex.
Previously updated : 08/27/2021 Last updated : 05/23/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Clebex
+# Tutorial: Azure AD SSO integration with Clebex
In this tutorial, you'll learn how to integrate Clebex with Azure Active Directory (Azure AD). When you integrate Clebex with Azure AD, you can:
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Clebex SSO
-1. Log in to your Clebex website as an administrator.
+1. To automate the configuration within Clebex, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+
+ ![My apps extension](common/install-myappssecure-extension.png)
+
+2. After adding extension to the browser, click on **Set up Clebex** will direct you to the Clebex application. From there, provide the admin credentials to sign into Clebex. The browser extension will automatically configure the application for you and automate steps 3-10.
+
+ ![Setup configuration](common/setup-sso.png)
+
+3. If you want to setup Clebex manually, in a different web browser window, sign in to your Clebex company site as an administrator.
1. Go to the COMPANY ADMIN -> **Connectors** -> **Single Sign On (SSO)** and click **select**.
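Review bot: in step 2, "click on **Set up Clebex** will direct you to the Clebex application" is ungrammatical; suggest "After you add the extension, selecting **Set up Clebex** takes you to the Clebex application." The list uses explicit `2.` and `3.` and then falls back to `1.` at "Go to the COMPANY ADMIN", which breaks automatic numbering; pick one scheme. "automate steps 3-10" is a hard-coded reference that goes stale when the list changes; "automate the remaining manual steps" is safer. "setup Clebex manually" should be "set up".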
active-directory Fortigate Ssl Vpn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fortigate-ssl-vpn-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiGate SSL VPN | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with FortiGate SSL VPN'
description: Learn the steps you need to perform to integrate FortiGate SSL VPN with Azure Active Directory (Azure AD).
Previously updated : 06/30/2021 Last updated : 05/13/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiGate SSL VPN
+# Tutorial: Azure AD SSO integration with FortiGate SSL VPN
In this tutorial, you'll learn how to integrate FortiGate SSL VPN with Azure Active Directory (Azure AD). When you integrate FortiGate SSL VPN with Azure AD, you can:
In this tutorial, you'll learn how to integrate FortiGate SSL VPN with Azure Act
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* A FortiGate SSL VPN subscription with single sign-on (SSO) enabled.
+* A FortiGate SSL VPN with single sign-on (SSO) enabled.
## Tutorial description
To configure the integration of FortiGate SSL VPN into Azure AD, you need to add
## Configure and test Azure AD SSO for FortiGate SSL VPN
-You'll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding user in FortiGate SSL VPN.
+You'll configure and test Azure AD SSO with FortiGate SSL VPN by using a test user named B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the corresponding SAML SSO user group in FortiGate SSL VPN.
To configure and test Azure AD SSO with FortiGate SSL VPN, you'll complete these high-level steps:
To configure and test Azure AD SSO with FortiGate SSL VPN, you'll complete these
1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on. 1. **[Grant access to the test user](#grant-access-to-the-test-user)** to enable Azure AD single sign-on for that user. 1. **[Configure FortiGate SSL VPN SSO](#configure-fortigate-ssl-vpn-sso)** on the application side.
- 1. **Create a FortiGate SSL VPN test user** as a counterpart to the Azure AD representation of the user.
+ 1. **Create a FortiGate SAML SSO user group** as a counterpart to the Azure AD representation of the user.
1. **[Test SSO](#test-sso)** to verify that the configuration works. ### Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal:
1. In the Azure portal, on the **FortiGate SSL VPN** application integration page, in the **Manage** section, select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, select the pencil button for **Basic SAML Configuration** to edit the settings:
+1. On the **Set up Single Sign-On with SAML** page, select the **Edit** button for **Basic SAML Configuration** to edit the settings:
- ![Screenshot that shows the pencil button for editing the basic SAML configuration.](common/edit-urls.png)
+ ![Screenshot of showing Basic SAML configuration page.](./media/fortigate-ssl-vpn-tutorial/saml-configuration.png)
1. On the **Set up Single Sign-On with SAML** page, enter the following values:
- a. In the **Sign on URL** box, enter a URL in the pattern
- `https://<FQDN>/remote/saml/login`.
+ a. In the **Identifier** box, enter a URL in the pattern
+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/metadata`.
- b. In the **Identifier** box, enter a URL in the pattern
- `https://<FQDN>/remote/saml/metadata`.
+ b. In the **Reply URL** box, enter a URL in the pattern
+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/login`.
- c. In the **Reply URL** box, enter a URL in the pattern
- `https://<FQDN>/remote/saml/login`.
+ c. In the **Sign on URL** box, enter a URL in the pattern
+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/login`.
d. In the **Logout URL** box, enter a URL in the pattern
- `https://<FQDN>/remote/saml/logout`.
+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port><FQDN>/remote/saml/logout`.
> [!NOTE]
- > These values are just patterns. You need to use the actual **Sign on URL**, **Identifier**, **Reply URL**, and **Logout URL**. Contact [Fortinet support](https://support.fortinet.com) for guidance. You can also refer to the example patterns shown in the Fortinet documentation and the **Basic SAML Configuration** section in the Azure portal.
+ > These values are just patterns. You need to use the actual **Sign on URL**, **Identifier**, **Reply URL**, and **Logout URL** that is configured on the FortiGate.
1. The FortiGate SSL VPN application expects SAML assertions in a specific format, which requires you to add custom attribute mappings to the configuration. The following screenshot shows the list of default attributes.
- ![Screenshot that shows the default attributes.](common/default-attributes.png)
+ ![Screenshot of showing Attributes and Claims section.](./media/fortigate-ssl-vpn-tutorial/claims.png)
-1. The two additional claims required by FortiGate SSL VPN are shown in the following table. The names of these claims must match the names used in the **Perform FortiGate command-line configuration** section of this tutorial.
+
+1. The claims required by FortiGate SSL VPN are shown in the following table. The names of these claims must match the names used in the **Perform FortiGate command-line configuration** section of this tutorial. Names are case-sensitive.
| Name | Source attribute| | | |
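Review bot: the Logout URL pattern `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port><FQDN>/remote/saml/logout` still carries a stray `<FQDN>` placeholder left over from the old pattern; it should be `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/logout` to match the other three. In the note, "the actual **Sign on URL**, **Identifier**, **Reply URL**, and **Logout URL** that is configured on the FortiGate" should read "that are configured", and since the later section says the Sign on URL is not used in the FortiGate configuration, only the other three are actually "configured on the FortiGate"; say so to avoid sending readers looking for a setting that does not exist.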
Follow these steps to enable Azure AD SSO in the Azure portal:
g. Select **All groups**.
- h. Select the **Customize the name of the group claim** check box.
+ h. Under **Advanced options**, select the **Customize the name of the group claim** check box.
i. For **Name**, enter **group**.
After the certificate is uploaded, take note of its name under **System** > **Ce
#### Complete FortiGate command-line configuration
-The following steps require that you configure the Azure Logout URL. This URL contains a question mark character (?). You need to take specific steps to successfully submit this character. You can't complete these steps from the FortiGate CLI Console. Instead, establish an SSH session to the FortiGate appliance by using a tool like PuTTY. If your FortiGate appliance is an Azure virtual machine, you can complete the following steps from the serial console for Azure virtual machines.
+Although you can configure SSO from the GUI since FortiOS 7.0, the CLI configurations apply to all versions and are therefore shown here.
To complete these steps, you'll need the values you recorded earlier: -- Entity ID-- Reply URL-- Logout URL-- Azure Login URL-- Azure AD Identifier-- Azure Logout URL-- Base64 SAML certificate name (REMOTE_Cert_*N*)
+| FortiGate SAML CLI setting | Equivalent Azure configuration |
+ | | |
+ | SP entity ID (`entity-id`) | Identifier (Entity ID) |
+| SP Single Sign-On URL (`single-sign-on-url`) | Reply URL (Assertion Consumer Service URL) |
+| SP Single Logout URL (`single-logout-url`) | Logout URL |
+| IdP Entity ID (`idp-entity-id`) | Azure Login URL |
+| IdP Single Sign-On URL (`idp-single-sign-on-url`) | Azure AD Identifier |
+| IdP Single Logout URL (`idp-single-logout-url`) | Azure Logout URL |
+| IdP certificate (`idp-cert`) | Base64 SAML certificate name (REMOTE_Cert_N) |
+| Username attribute (`user-name`) | username |
+| Group name attribute (`group-name`) | group |
+
+> [!NOTE]
+ > The Sign on URL under Basic SAML Configuration is not used in the FortiGate configurations. It is used to trigger SP-initiated single sign on to redirect the user to the SSL VPN portal page.
1. Establish an SSH session to your FortiGate appliance, and sign in with a FortiGate Administrator account.
-1. Run these commands:
+1. Run these commands and substitute the `<values>` with the information that you collected previously:
```console config user saml
- edit azure
- set cert <FortiGate VPN Server Certificate Name>
- set entity-id <Entity ID>
- set single-sign-on-url <Reply URL>
- set single-logout-url <Logout URL>
- set idp-single-sign-on-url <Azure Login URL>
- set idp-entity-id <Azure AD Identifier>
- set idp-single-logout-url <Azure Logout URL>
- set idp-cert <Base64 SAML Certificate Name>
- set user-name username
- set group-name group
+ edit azure
+ set cert <FortiGate VPN Server Certificate Name>
+ set entity-id < Identifier (Entity ID)Entity ID>
+ set single-sign-on-url < Reply URL Reply URL>
+ set single-logout-url <Logout URL>
+ set idp-entity-id <Azure AD Identifier>
+ set idp-single-logout-url <Azure Logout URL>
+ set idp-cert <Base64 SAML Certificate Name>
+ set user-name username
+ set group-name group
+ next
end ```
- > [!NOTE]
- > The Azure Logout URL contains a `?` character. You must enter a special key sequence to correctly provide this URL to the FortiGate serial console. The URL is usually `https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0`.
- >
- > To enter the Azure Logout URL in the serial console, enter `set idp-single-logout-url https://login.microsoftonline.com/common/wsfederation`.
- >
- > Then select CTRL+V and paste the rest of the URL to complete the line: `set idp-single-logout-url https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0`.
- #### Configure FortiGate for group matching In this section, you'll configure FortiGate to recognize the Object ID of the security group that includes the test user. This configuration will allow FortiGate to make access decisions based on the group membership.
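Review bot: the IdP rows of the new mapping table are swapped and the CLI block lost a command. `idp-entity-id` should map to **Azure AD Identifier** and `idp-single-sign-on-url` to **Azure Login URL**, as the removed lines `set idp-single-sign-on-url <Azure Login URL>` and `set idp-entity-id <Azure AD Identifier>` had it, but the table lists them the other way round. The new `config user saml` block also drops `set idp-single-sign-on-url <Azure Login URL>` entirely, so the FortiGate would have no IdP sign-on endpoint; restore it next to `set idp-entity-id`. The placeholders `< Identifier (Entity ID)Entity ID>` and `< Reply URL Reply URL>` are garbled duplicates and should be `<Identifier (Entity ID)>` and `<Reply URL>`. Finally, deleting the note about the `?` in the Azure Logout URL removes a real gotcha: as that note explained, `?` in `https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0` is intercepted by the FortiGate serial console and needs the CTRL+V sequence; keep a one-line version of it, or state that the URL must be entered over SSH.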
To complete these steps, you'll need the Object ID of the FortiGateAccess securi
1. Establish an SSH session to your FortiGate appliance, and sign in with a FortiGate Administrator account. 1. Run these commands:
- ```
+ ```console
config user group
- edit FortiGateAccess
- set member azure
- config match
- edit 1
- set server-name azure
- set group-name <Object Id>
- next
- end
- next
+ edit FortiGateAccess
+ set member azure
+ config match
+ edit 1
+ set server-name azure
+ set group-name <Object Id>
+ next
+ end
+ next
end
- ```
-
+ ```
+
#### Create a FortiGate VPN Portals and Firewall Policy In this section, you'll configure a FortiGate VPN Portals and Firewall Policy that grants access to the FortiGateAccess security group you created earlier in this tutorial.
-Work with the [FortiGate support team](mailto:tac_amer@fortinet.com) to add the VPN Portals and Firewall Policy to the FortiGate VPN platform. You need to complete this step before you use single sign-on.
+Refer to [Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP for instructions](https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-web-mode-with-azure-ad-acting-as-saml-idp).
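Review bot: the link text `[Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP for instructions](...)` wraps "for instructions" inside the link; move it outside the brackets ("Refer to [Configuring ...](...) for instructions."). The URL pins the 7.0.0 administration guide while the earlier hunk says the CLI steps apply to all versions; either link the version-neutral guide or note the version the link covers.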
## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to FortiGate VPN Sign-on URL where you can initiate the login flow.
+* In Step 5) of the Azure SSO configuration, **Test single sign-on with your App*, click the **Test** button in the Azure portal. This will redirect to FortiGate VPN Sign-on URL where you can initiate the login flow.
* Go to FortiGate VPN Sign-on URL directly and initiate the login flow from there.
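Review bot: `**Test single sign-on with your App*,` has mismatched emphasis markers (`**` opened, `*` closed) and will render with literal asterisks; use `**Test single sign-on with your App**`. "In Step 5) of the Azure SSO configuration" is an informal reference; suggest "In step 5 of the SAML configuration page, **Test single sign-on with your App**, select **Test**."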
active-directory Fresh Relevance Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fresh-relevance-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Fresh Relevance | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Fresh Relevance'
description: Learn how to configure single sign-on between Azure Active Directory and Fresh Relevance.
Previously updated : 07/26/2021 Last updated : 05/23/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Fresh Relevance
+# Tutorial: Azure AD SSO integration with Fresh Relevance
In this tutorial, you'll learn how to integrate Fresh Relevance with Azure Active Directory (Azure AD). When you integrate Fresh Relevance with Azure AD, you can:
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Fresh Relevance SSO
-1. Log in to your Fresh Relevance company site as an administrator.
+1. To automate the configuration within Fresh Relevance, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+
+ ![My apps extension](common/install-myappssecure-extension.png)
+
+2. After adding extension to the browser, click on **Set up Fresh Relevance** will direct you to the Fresh Relevance application. From there, provide the admin credentials to sign into Fresh Relevance. The browser extension will automatically configure the application for you and automate steps 3-10.
+
+ ![Setup configuration](common/setup-sso.png)
+
+3. If you want to setup Fresh Relevance manually, in a different web browser window, sign in to your Fresh Relevance company site as an administrator.
1. Go to **Settings** > **All Settings** > **Security and Privacy** and click **SAML/Azure AD Single Sign-On**.
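Review bot: in step 2, "click on **Set up Fresh Relevance** will direct you to the Fresh Relevance application" is ungrammatical; suggest "After you add the extension, selecting **Set up Fresh Relevance** takes you to the Fresh Relevance application." The list mixes explicit `2.`/`3.` with `1.` for the following items, which breaks automatic numbering, and "automate steps 3-10" is a hard-coded reference that will drift; "the remaining manual steps" avoids that. "setup Fresh Relevance manually" should be "set up".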
active-directory Idrive360 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/idrive360-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with IDrive360 | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with IDrive360'
description: Learn how to configure single sign-on between Azure Active Directory and IDrive360.
Previously updated : 06/18/2021 Last updated : 05/23/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with IDrive360
+# Tutorial: Azure AD SSO integration with IDrive360
In this tutorial, you'll learn how to integrate IDrive360 with Azure Active Directory (Azure AD). When you integrate IDrive360 with Azure AD, you can:
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
### Create IDrive360 test user
-1. In a different web browser window, sign in to your IDrive360 company site as an administrator.
+1. To automate the configuration within IDrive360, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+
+ ![My apps extension](common/install-myappssecure-extension.png)
+
+2. After adding extension to the browser, click on **Set up IDrive360** will direct you to the IDrive360 application. From there, provide the admin credentials to sign into IDrive360. The browser extension will automatically configure the application for you and automate steps 3-10.
+
+ ![Setup configuration](common/setup-sso.png)
+
+3. If you want to setup IDrive360 manually, in a different web browser window, sign in to your IDrive360 company site as an administrator.
2. Navigate to the **Users** tab and click **Add User**.
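Review bot: these extension-install steps are inserted under `### Create IDrive360 test user`, but they describe automating the SSO configuration, which in the Clebex and Fresh Relevance changes in this same commit sits under the "Configure ... SSO" section; under the test-user heading they are out of place, and "automate steps 3-10" no longer refers to a matching list. The numbering also runs 1, 2, 3 and then back to `2. Navigate to the **Users** tab`. Grammar: "click on **Set up IDrive360** will direct you to" should be "selecting **Set up IDrive360** takes you to", and "setup IDrive360 manually" should be "set up".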
active-directory Isight Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/isight-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with i-Sight'
+description: Learn how to configure single sign-on between Azure Active Directory and i-Sight.
++++++++ Last updated : 05/18/2022++++
+# Tutorial: Azure AD SSO integration with i-Sight
+
+In this tutorial, you'll learn how to integrate i-Sight with Azure Active Directory (Azure AD). When you integrate i-Sight with Azure AD, you can:
+
+* Control in Azure AD who has access to i-Sight.
+* Enable your users to be automatically signed-in to i-Sight with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* i-Sight single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* i-Sight supports **IDP** initiated SSO.
+
+## Add i-Sight from the gallery
+
+To configure the integration of i-Sight into Azure AD, you need to add i-Sight from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **i-Sight** in the search box.
+1. Select **i-Sight** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for i-Sight
+
+Configure and test Azure AD SSO with i-Sight using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in i-Sight.
+
+To configure and test Azure AD SSO with i-Sight, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure i-Sight SSO](#configure-i-sight-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create i-Sight test user](#create-i-sight-test-user)** - to have a counterpart of B.Simon in i-Sight that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **i-Sight** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** text box, type a URL using one of the following patterns:
+
+ | **Identifier** |
+ |--|
+ | `https://<CustomerName>.i-sight.com` |
+ | `https://<CustomerName>.i-sightuat.com` |
+
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
+
+ | **Reply URL** |
+ |--|
+ | `https://<CustomerName>.i-sight.com/auth/wsfed` |
+ | `https://<CustomerName>.i-sightuat.com/auth/wsfed` |
+
+ > [!Note]
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [i-Sight Client support team](mailto:it@i-sight.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
+
+1. On the **Set up i-Sight** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Attributes")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to i-Sight.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **i-Sight**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure i-Sight SSO
+
+To configure single sign-on on **i-Sight** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [i-Sight support team](mailto:it@i-sight.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create i-Sight test user
+
+In this section, you create a user called Britta Simon in i-Sight. Work with [i-Sight support team](mailto:it@i-sight.com) to add the users in the i-Sight platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the i-Sight for which you set up the SSO.
+
+* You can use Microsoft My Apps. When you click the i-Sight tile in the My Apps, you should be automatically signed in to the i-Sight for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure i-Sight you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
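Review bot: the Reply URL patterns in step b (`https://<CustomerName>.i-sight.com/auth/wsfed` and the i-sightuat variant) end in a WS-Fed endpoint path, while step 2 of this procedure selects **SAML** as the sign-on method; confirm with the vendor that this path is the SAML assertion consumer endpoint, or name the protocol the endpoint actually expects. Smaller points in the same hunk: "On the **Set-up single sign-on with SAML** page" uses "Set-up" where every other step says "Set up"; the "Create i-Sight test user" section calls the user "Britta Simon" while the rest of the file uses "B.Simon"; and the apostrophe in "organizationΓÇÖs" in the Next steps paragraph is mis-encoded and should be a plain "organization's".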
active-directory Mongodb Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mongodb-cloud-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with MongoDB Cloud | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with MongoDB Cloud'
description: Learn how to configure single sign-on between Azure Active Directory and MongoDB Cloud.
Previously updated : 04/14/2021 Last updated : 05/13/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with MongoDB Cloud
+# Tutorial: Azure AD SSO integration with MongoDB Cloud
In this tutorial, you'll learn how to integrate MongoDB Cloud with Azure Active Directory (Azure AD). When you integrate MongoDB Cloud with Azure AD, you can:
-* Control in Azure AD who has access to MongoDB Cloud, MongoDB Atlas, the MongoDB community, MongoDB University, and MongoDB Support.
+* Control in Azure AD who has access to MongoDB Atlas, the MongoDB community, MongoDB University, and MongoDB Support.
* Enable your users to be automatically signed in to MongoDB Cloud with their Azure AD accounts.
+* Assign MongoDB Atlas roles to users based on their Azure AD group memberships.
* Manage your accounts in one central location: the Azure portal. ## Prerequisites
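Review bot: the rewritten bullet "Control in Azure AD who has access to MongoDB Atlas, the MongoDB community, ..." drops "MongoDB Cloud" from the list, while the heading, the intro sentence and the next bullet still say "MongoDB Cloud". The rest of this change renames some sections to "MongoDB Atlas" and leaves others as "MongoDB Cloud", so either pick one product name for the whole tutorial or state once in the intro that the two names refer to the same application.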
Configure and test Azure AD SSO with MongoDB Cloud, by using a test user called
To configure and test Azure AD SSO with MongoDB Cloud, perform the following steps: 1. [Configure Azure AD SSO](#configure-azure-ad-sso) to enable your users to use this feature.
- 1. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on with B.Simon.
- 1. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable B.Simon to use Azure AD single sign-on.
-1. [Configure MongoDB Cloud SSO](#configure-mongodb-cloud-sso) to configure the single sign-on settings on the application side.
+ 1. [Create an Azure AD test user and test group](#create-an-azure-ad-test-user-and-test-group) to test Azure AD single sign-on with B.Simon.
+ 1. [Assign the Azure AD test user or test group](#assign-the-azure-ad-test-user-or-test-group) to enable B.Simon to use Azure AD single sign-on.
+1. [Configure MongoDB Atlas SSO](#configure-mongodb-atlas-sso) to configure the single sign-on settings on the application side.
1. [Create a MongoDB Cloud test user](#create-a-mongodb-cloud-test-user) to have a counterpart of B.Simon in MongoDB Cloud, linked to the Azure AD representation of the user. 1. [Test SSO](#test-sso) to verify whether the configuration works.
To configure and test Azure AD SSO with MongoDB Cloud, perform the following ste
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **MongoDB Cloud** application integration page, find the **Manage** section. Select **single sign-on**.
+1. In the Azure portal, on the **MongoDB Cloud** application integration page, find the **Manage** section. Select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up Single Sign-On with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
Follow these steps to enable Azure AD SSO in the Azure portal.
| firstName | user.givenname | | lastName | user.surname |
+1. If you would like to authorize users using MongoDB Atlas [role mappings](https://docs.atlas.mongodb.com/security/manage-role-mapping/), add the below group claim to send user's group information within SAML assertion.
+
+ | Name | Source attribute|
+ | | |
+ | memberOf | Group ID |
+
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML**. Select **Download** to download the certificate and save it on your computer. ![Screenshot of SAML Signing Certificate section, with Download link highlighted](common/metadataxml.png)
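Review bot: the delimiter row of the new group-claim table is `| | |` with no dashes, so markdown will not render it as a table; use `| --- | --- |` (the attribute table just above uses a dashed delimiter). The step also says "add the below group claim" without saying where in the portal the claim is added or which groups should be emitted; with no restriction the `memberOf` claim carries every group the user belongs to, which is more than the Atlas role mapping needs, so name the portal section and recommend emitting only the groups relevant to the application.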
Follow these steps to enable Azure AD SSO in the Azure portal.
![Screenshot of Set up Mongo DB Cloud section, with URLs highlighted](common/copy-configuration-urls.png)
-### Create an Azure AD test user
+### Create an Azure AD test user and test group
In this section, you create a test user in the Azure portal called B.Simon.
In this section, you create a test user in the Azure portal called B.Simon.
1. Select the **Show password** check box, and then write the password down. 1. Select **Create**.
-### Assign the Azure AD test user
+If you are using MongoDB Atlas role mappings feature in order to assign roles to users based on their Azure AD groups, create a test group and B.Simon as a member:
+1. From the left pane in Azure portal, select **Azure Active Directory** > **Groups**.
+1. Select **New group** at the top of the screen.
+1. In the **Group** properties, follow these steps:
+ 1. Select 'Security' in **Group type** dropdown.
+ 1. In the **Group name** field, enter 'Group 1'.
+ 1. Select **Create**.
+
+### Assign the Azure AD test user or test group
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MongoDB Cloud.
+In this section, you'll enable B.Simon or Group 1 to use Azure single sign-on by granting access to MongoDB Cloud.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **MongoDB Cloud**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list or if you are using MongoDB Atla role mappings, select **Group 1** from the Groups list; then click the **Select** button at the bottom of the screen.
1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure MongoDB Cloud SSO
+## Configure MongoDB Atlas SSO
+
+To configure single sign-on on the MongoDB Atlas side, you need the appropriate URLs copied from the Azure portal. You also need to configure the Federation Application for your MongoDB Atlas Organization. Follow the instructions in the [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/security/federated-auth-azure-ad/). If you have a problem, contact the [MongoDB support team](https://support.mongodb.com/).
+
+### Configure MongoDB Atlas Role Mapping
-To configure single sign-on on the MongoDB Cloud side, you need the appropriate URLs copied from the Azure portal. You also need to configure the Federation Application for your MongoDB Cloud Organization. Follow the instructions in the [MongoDB Cloud documentation](https://docs.atlas.mongodb.com/security/federated-auth-azure-ad/). If you have a problem, contact the [MongoDB Cloud support team](https://support.mongodb.com/).
+To authorize users in MongoDB Atlas based on their Azure AD group membership, you can map the Azure AD group's Object-IDs to MongoDB Atlas Organization/Project roles with the help of MongoDB Atlas role mappings. Follow the instructions in the [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/security/manage-role-mapping/#add-role-mappings-in-your-organization-and-its-projects). If you have a problem, contact the [MongoDB support team](https://support.mongodb.com/).
### Create a MongoDB Cloud test user
-MongoDB Cloud supports just-in-time user provisioning, which is enabled by default. There is no additional action for you to take. If a user doesn't already exist in MongoDB Cloud, a new one is created after authentication.
+MongoDB Atlas supports just-in-time user provisioning, which is enabled by default. There is no additional action for you to take. If a user doesn't already exist in MongoDB Atlas, a new one is created after authentication.
## Test SSO
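Review bot: "MongoDB Atla role mappings" in the **Users and groups** step is missing the "s" in "Atlas". The same hunk removes the "Select a role" step ("If you are expecting a role to be assigned to the users...") without a replacement; if app roles are now expected to come from Atlas role mappings, say so in the step, otherwise readers who are not using role mappings lose the "Default Access" instruction. Style points: "Select 'Security' in **Group type** dropdown" and "enter 'Group 1'" use single quotes where the rest of the file bolds UI values and uses backticks for typed values; "create a test group and B.Simon as a member" should read "create a test group and add B.Simon as a member"; and "Object-IDs" is normally written "object IDs".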
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to MongoDB Cloud Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to MongoDB Atlas Sign-on URL where you can initiate the login flow.
-* Go to MongoDB Cloud Sign-on URL directly and initiate the login flow from there.
+* Go to MongoDB Atlas Sign on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the MongoDB Cloud for which you set up the SSO.
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the MongoDB Atlas for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the MongoDB Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MongoDB Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+You can also use Microsoft My Apps to test the application in any mode. When you click the MongoDB Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MongoDB Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
## Next steps
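Review bot: the two SP-initiated bullets now disagree on the hyphen ("MongoDB Atlas Sign-on URL" in the first, "MongoDB Atlas Sign on URL" in the second); the removed lines had the reverse inconsistency, so this change swaps it rather than fixing it. The closing My Apps paragraph still says "MongoDB Cloud" twice while the bullets directly above were renamed to "MongoDB Atlas".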
active-directory Sharingcloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sharingcloud-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with SharingCloud | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with SharingCloud |'
description: Learn how to configure single sign-on between Azure Active Directory and Instant Suite.
Previously updated : 03/10/2021 Last updated : 05/19/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with SharingCloud
+# Tutorial: Azure AD SSO integration with SharingCloud
In this tutorial, you'll learn how to integrate SharingCloud with Azure Active Directory (Azure AD). When you integrate SharingCloud with Azure AD, you can:
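Review bot: the new title `'Tutorial: Azure AD SSO integration with SharingCloud |'` keeps a stray trailing "|" left over from the removed "| Microsoft Docs" suffix; drop it so the rendered title does not end in a dangling pipe. While the title is being touched, the unchanged description line still says "between Azure Active Directory and Instant Suite" rather than SharingCloud.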
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* SharingCloud supports **SP and IDP** initiated SSO
-* SharingCloud supports **Just In Time** user provisioning
+* SharingCloud supports **SP and IDP** initiated SSO.
+* SharingCloud supports **Just In Time** user provisioning.
## Adding SharingCloud from the gallery
Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, perform the following steps:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
- Upload the metadata file with XML file provided by SharingCloud. Contact the [SharingCloud Client support team](mailto:support@sharingcloud.com) to get the file.
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://auth.sharingcloud.net/auth/realms/<COMPANY_NAME>`
- ![Screenshot of the Basic SAML Configuration user interface with the **Upload metadata file** link highlighted.](common/upload-metadata.png)
-
- Select the metadata file provided and click on **Upload**.
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://auth.sharingcloud.net/auth/realms/<COMPANY_NAME>/broker/saml/endpoint`
- ![Screenshot of the metadata file provided user interface, with the select file icon and **Upload** button highlighted.](common/browse-upload-metadata.png)
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.factset.com/services/saml2/`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the [SharingCloud support team](mailto:support@sharingcloud.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. SharingCloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
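Review bot: the Sign-on URL pattern `https://<SUBDOMAIN>.factset.com/services/saml2/` is for a different application (FactSet), not SharingCloud; the Identifier and Reply URL in the same procedure are on `auth.sharingcloud.net`, so this line looks copied from another tutorial and would send SP-initiated sign-in to the wrong host. Also, the step heading was changed from "On the **Basic SAML Configuration** section" to "On the **Set up single sign-on with SAML** page", but the **Identifier** and **Reply URL** boxes live in the Basic SAML Configuration dialog opened by the pencil icon in the previous step, and the new note itself still says "refer to the patterns shown in the **Basic SAML Configuration** section", so the removed wording was the accurate one.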
active-directory Skillsbase Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/skillsbase-tutorial.md
Previously updated : 07/22/2021 Last updated : 05/13/2022 # Tutorial: Azure Active Directory integration with Skills Base
In this tutorial, you'll learn how to integrate Skills Base with Azure Active Di
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Skills Base single sign-on (SSO) enabled subscription.
+* A Skills Base license that supports single sign-on (SSO).
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Skills Base supports **SP** initiated SSO. * Skills Base supports **Just In Time** user provisioning.
-> [!NOTE]
-> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+>[!NOTE]
+> Skills Base does not support **IdP** initiated SSO.
## Add Skills Base from the gallery
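Review bot: `>[!NOTE]` lost the space after `>` that the removed line had (`> [!NOTE]`); keep `> [!NOTE]` so it matches the other notes in this file. The note replaces the statement that the Identifier is a fixed string with "Skills Base does not support **IdP** initiated SSO"; since the scenario bullets just above already say "Skills Base supports **SP** initiated SSO", consider folding the IdP statement into that bullet rather than adding a separate note.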
To configure and test Azure AD SSO with Skills Base, perform the following steps
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Skills Base SSO](#configure-skills-base-sso)** - to configure the single sign-on settings on application side.
+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+2. **[Configure Skills Base SSO](#configure-skills-base-sso)** - to configure the single sign-on settings on application side.
1. **[Create Skills Base test user](#create-skills-base-test-user)** - to have a counterpart of B.Simon in Skills Base that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-
+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
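Review bot: the step numbering in this overview list is now mixed: the top-level items are 1., 2., 3., the nested "Assign the Azure AD test user" item became 2. under a parent numbered 1., and the nested "Create Skills Base test user" item stays 1. under a parent numbered 2. Either keep the all-`1.` style the other tutorials in this set use (markdown renumbers automatically) or number every item explicitly, but not a mix.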
-1. In the Azure portal, on the **Skills Base** application integration page, find the **Manage** section and select **single sign-on**.
-1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+1. In the Azure portal, on the **Skills Base** Enterprise Application Overview page, under **Getting Started** section select **Get started** under **2. Set up single sign on**.
+
+2. On the **Select a single sign-on method** page, select **SAML**.
+
+3. On the **Set up Single Sign-On with SAML** page, click the **Upload metadata file** button at the top of the page.
+
+4. Click the **Select a file** icon and select the metadata file that you downloaded from Skills Base.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+5. Click **Add**
-4. On the **Basic SAML Configuration** section, perform the following step:
+ ![Screenshot of showing Upload SP metadata.](common/browse-upload-metadata.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
+6. On the **Basic SAML Configuration** page, in the **Sign on URL** text box, enter your Skills Base shortcut link, which should be in the format:
`https://app.skills-base.com/o/<customer-unique-key>` > [!NOTE]
- > You can get the Sign-On URL from Skills Base application. Please login as an Administrator and to go to Admin-> Settings-> Instance details -> Shortcut link. Copy the Sign-On URL and paste it in above textbox.
+ > You can get the Sign on URL from the Skills Base application. Please log in as an Administrator and to go to \[Administration > Settings > Instance details > Shortcut link\]. Copy the shortcut link and paste it into the **Sign on URL** textbox in Azure AD.
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
+5. Click **Save**
- ![The Certificate download link](common/metadataxml.png)
+6. Close the **Basic SAML Configuration** dialog.
-6. On the **Set up Skills Base** section, copy the appropriate URL(s) as per your requirement.
+5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, next to **Federation Metadata XML**, click **Download** to download the Federation Metadata XML and save it on your computer.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Screenshot of showing The Certificate download link.](common/metadataxml.png)
-### Create an Azure AD test user
+## Configure Skills Base SSO
-In this section, you'll create a test user in the Azure portal called B.Simon.
+1. Log in to Skills Base as an Administrator.
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
+1. From the left side of menu, select **Administration -> Authentication**.
-### Assign the Azure AD test user
+ ![Screenshot of showing The Authentication menu.](./media/skillsbase-tutorial/admin.png)
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skills Base.
+1. On the **Authentication** page in the **Identity Providers** section, select **Add identity provider**.
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Skills Base**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+ ![Screenshot shows the "Add identity provider" button.](./media/skillsbase-tutorial/configuration.png)
-## Configure Skills Base SSO
+1. Click **Add** to use the default settings.
-1. In a different web browser window, login to Skills Base as a Security Administrator.
+ ![Screenshot shows the Authentication page where you can enter the values described.](./media/skillsbase-tutorial/save-configuration.png)
-2. From the left side of menu, under **ADMIN** click **Authentication**.
+1. In the **Application Details** panel, next to **SAML SP Metadata**, select **Download XML File** and save the resulting file on your computer.
- ![The admin](./media/skillsbase-tutorial/admin.png)
+ ![Screenshot shows the Application Details panel where you can download the SP Metadata file.](./media/skillsbase-tutorial/download-sp-metadata.png)
-3. On the **Authentication** Page, select Single Sign-On as **SAML 2**.
+1. In the **Identity Providers** section, select the **edit** button (denoted by a pencil icon) for the Identity Provider record you added.
- ![Screenshot shows the Authentication page with SAML 2 selected for Sing Sign-on.](./media/skillsbase-tutorial/configuration.png)
+ ![Screenshot of showing Edit Identity Providers button.](./media/skillsbase-tutorial/edit-identity-provider.png)
-4. On the **Authentication** Page, Perform the following steps:
+1. In the **Edit identity provider** panel, for **SAML IdP Metadata** select **Upload an XML file**
- ![Screenshot shows the Authentication page where you can enter the values described.](./media/skillsbase-tutorial/save-configuration.png)
+1. Click **Browse** to choose a file. Select the Federation Metadata XML file that you downloaded from Azure AD and click **Save**.
+
+ ![Screenshot of showing Upload certificate type.](./media/skillsbase-tutorial/browse-and-save.png)
+
+1. In the **Authentication** panel, for **Single Sign-On** select the Identity Provider you added.
+
+ ![Screenshot for Authentication panel for S S O.](./media/skillsbase-tutorial/select-identity-provider.png)
- a. Click on **Update IdP metadata** button next to **Status** option and paste the contents of Metadata XML that you downloaded from the Azure portal in the specified textbox.
+1. Make sure the option to bypass the Skills Base login screen is **deselected** for now. You can enable this option later, once the integration is proved to be working.
+
+1. If you would like to enable **Just In Time** user provisioning, enable the **Automatic user account provisioning** option.
+
+1. click **Save changes**.
+
+ ![Screenshot for Just in Time provisioning.](./media/skillsbase-tutorial/identity-provider-enabled.png)
+
+> [!Note]
+> The Identity Provider you added in the **Identity Providers** panel should now have a green **Enabled** badge in the **Status** column.
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+2. Select **New user** at the top of the screen.
+3. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 2. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 3. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 4. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skills Base.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+2. In the applications list, select **Skills Base**.
+3. In the app's overview page, find the **Manage** section and select **Users and groups**.
+4. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+5. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+6. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+7. In the **Add Assignment** dialog, click the **Assign** button.
- > [!Note]
- > You can also validate idp metadata through the **Metadata validator** tool as highlighted in screenshot above.
- b. Click **Save**.
### Create Skills Base test user
-In this section, a user called Britta Simon is created in Skills Base. Skills Base supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Skills Base, a new one is created after authentication.
+Skills Base supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Skills Base, a new one is created after authentication.
> [!Note]
-> If you need to create a user manually, follow the instructions [here](http://wiki.skills-base.net/index.php?title=Adding_people_and_enabling_them_to_log_in).
+> If you need to create a user manually, follow the instructions [here](https://support.skills-base.com/kb/articles/11000024831-adding-people-and-enabling-them-to-log-in).
## Test SSO
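Review bot: the step numbers in the Configure Azure AD SSO procedure are out of order: after step 6 ("On the **Basic SAML Configuration** page, in the **Sign on URL** text box...") the following steps are "5. Click **Save**", "6. Close the **Basic SAML Configuration** dialog" and "5. On the **Set up Single Sign-On with SAML** page ... click **Download**", so 5 and 6 each appear twice; number them 7, 8 and 9, or switch to the all-`1.` style the Configure Skills Base SSO list below uses. Other fixes in the same hunk: "Please log in as an Administrator and to go to" should read "and go to"; "Click **Add**", "Click **Save**" and "click **Save changes**" are missing their terminal periods and the last its capital letter; and the `\[Administration > Settings > ...\]` escapes can be replaced by the bold-and-arrow form used elsewhere in the file ("**Administration -> Authentication**"). The instruction to leave the "bypass the Skills Base login screen" option deselected until the integration is proven is a good operational step; the "Automatic user account provisioning" step deserves the same framing, since, as the "Create Skills Base test user" section states, it creates an account for every user who authenticates, so the app-assignment step above is what bounds who can obtain one.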
active-directory Userzoom Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/userzoom-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with UserZoom'
+description: Learn how to configure single sign-on between Azure Active Directory and UserZoom.
++++++++ Last updated : 05/05/2022++++
+# Tutorial: Azure AD SSO integration with UserZoom
+
+In this tutorial, you'll learn how to integrate UserZoom with Azure Active Directory (Azure AD). When you integrate UserZoom with Azure AD, you can:
+
+* Control in Azure AD who has access to UserZoom.
+* Enable your users to be automatically signed-in to UserZoom with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* UserZoom single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* UserZoom supports **SP** and **IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add UserZoom from the gallery
+
+To configure the integration of UserZoom into Azure AD, you need to add UserZoom from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **UserZoom** in the search box.
+1. Select **UserZoom** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for UserZoom
+
+Configure and test Azure AD SSO with UserZoom using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UserZoom.
+
+To configure and test Azure AD SSO with UserZoom, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure UserZoom SSO](#configure-userzoom-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create UserZoom test user](#create-userzoom-test-user)** - to have a counterpart of B.Simon in UserZoom that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **UserZoom** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **SP** initiated mode then perform the following steps :
+
+ a. In the **Identifier** text box, type the value:
+ `urn:auth0:auth-userzoom:microsoft`
+
+ b. In the **Reply URL** text box, type the URL:
+ `https://auth.userzoom.com/login/callback?connection=microsoft`
+
+ c. In the **Sign-on URL** text box, type the URL:
+ `https://www.manager.userzoom.com/microsoft`
+
+1. UserZoom application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![Screenshot shows the Authomize application image.](common/default-attributes.png "Image")
+
+1. In addition to above, UserZoom application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirement.
+
+ | Name | Source Attribute |
+ |-| |
+ | email | user.mail |
+ | given_name | user.givenname |
+ | family_name | user.surname |
+
+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
+
+1. On the **Set up UserZoom** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate URLs.](common/copy-configuration-urls.png "Attributes")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UserZoom.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **UserZoom**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure UserZoom SSO
+
+To configure single sign-on on **UserZoom** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [UserZoom support team](mailto:support@userzoom.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create UserZoom test user
+
+In this section, you create a user called Britta Simon in UserZoom. Work with [UserZoom support team](mailto:support@userzoom.com) to add the users in the UserZoom platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to UserZoom Sign on URL where you can initiate the login flow.
+
+* Go to UserZoom Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the UserZoom for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the UserZoom tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the UserZoom for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure UserZoom you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
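Review bot: the attribute table in the "Configure Azure AD SSO" step has a malformed separator row, `|-| |`, so it will not render as a table; use `|--|--|` under `| Name | Source Attribute |`. In the same hunk, the alt text for the default-attributes screenshot reads "Authomize application image" but this tutorial is for UserZoom, and step 4 ("the user does not have to perform any step as the app is already pre-integrated") contradicts step 5, which asks the reader to enter the Identifier, Reply URL and Sign-on URL; either drop step 4 or state that it covers IDP-initiated mode and step 5 SP-initiated mode. The "Create UserZoom test user" section also names the user "Britta Simon" while the rest of the tutorial uses B.Simon, and the "Test SSO" section uses `####` headings directly under a `##` heading, skipping the `###` level the other tutorials use.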
active-directory Workgrid Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/workgrid-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Workgrid | Microsoft Docs'
+ Title: 'Tutorial: Azure Active Directory integration with Workgrid'
description: Learn how to configure single sign-on between Azure Active Directory and Workgrid.
Previously updated : 09/02/2021 Last updated : 05/13/2022 # Tutorial: Azure Active Directory integration with Workgrid
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot of Edit Basic SAML Configuration.](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<COMPANYCODE>.workgrid.com/console`
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<COMPANYCODE>.workgrid.com/console`
- b. In the **Identifier (Entity ID)** text box, type a value using the following pattern:
- `urn:amazon:cognito:sp:us-east-1_<poolid>`
+ b. In the **Identifier (Entity ID)** text box, type a value using the following pattern:
+ `urn:amazon:cognito:sp:us-east-1_<poolid>`
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Workgrid Client support team](mailto:support@workgrid.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Your Sign On URL is the same URL you use to sign in to the Workgrid console. You can find the Entity ID in the Security Section of your Workgrid console.
5. Workgrid application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.
- ![image](common/edit-attribute.png)
+ ![Screenshot of user attributes.](common/edit-attribute.png)
6. On the **Set-up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![Screenshot of The Certificate download link.](common/metadataxml.png)
7. On the **Set-up Workgrid** section, copy the appropriate URL(s) as per your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Screenshot of Copy configuration U R Ls.](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Workgrid SSO
-To configure single sign-on on **Workgrid** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Workgrid support team](mailto:support@workgrid.com). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **Workgrid** side, you need to add the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to your Workgrid console in the **Security section**.
+
+ ![Screenshot of the Workgrid U I with the Security section called out.](media/workgrid-tutorial/security-section.png)
+
+ > [!NOTE]
+ > You will need to use the full schema URI for the Email, Name and Family Name claims when mapping the attributes in Workgrid:
+ >
+ > ![Screenshot of the Workgrid U I with the Security section attribute fields.](media/workgrid-tutorial/attribute-mappings.png)
+ ### Create Workgrid test user
Workgrid also supports automatic user provisioning, you can find more details [h
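Review bot: the note in "Configure Workgrid SSO" says to use the full schema URI for the Email, Name and Family Name claims but shows the URIs only in a screenshot; list them in text so readers can copy them and screen readers can reach them (the Azure AD default claims use the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/` namespace, so say which three URIs the Security section expects). The added heading line `+ ### Create Workgrid test user` has a leading space that may break rendering, and with the old sentence about support setting the connection "on both sides" removed, the paragraph should say what the reader should check after saving the metadata in the Security section, for example that the signing certificate from the Federation Metadata XML was accepted, before moving on to Test SSO.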
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Workgrid Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Workgrid Sign-on URL where you can initiate the login flow.
* Go to Workgrid Sign-on URL directly and initiate the login flow from there.
active-directory Zscaler One Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscaler-one-provisioning-tutorial.md
You can use the **Synchronization Details** section to monitor progress and foll
For information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md).
+## Change Logs
+* 05/16/2022 - **Schema Discovery** feature enabled on this app.
+ ## Additional resources * [Manage user account provisioning for enterprise apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
active-directory Credential Design https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/credential-design.md
Title: How to customize your Azure Active Directory Verifiable Credentials (prev
description: This article shows you how to create your own custom verifiable credential --++ Last updated 04/01/2021
active-directory Decentralized Identifier Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/decentralized-identifier-overview.md
Title: Introduction to Azure Active Directory Verifiable Credentials (preview)
description: An overview Azure Verifiable Credentials. -+ editor:-+ Last updated 04/01/2021
active-directory Get Started Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/get-started-request-api.md
description: Learn how to issue and verify by using the Request Service REST API documentationCenter: '' --++ Last updated 05/03/2022
active-directory How To Create A Free Developer Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-create-a-free-developer-account.md
Title: How to create a free Azure Active Directory developer tenant
description: This article shows you how to create a developer account --++ Last updated 04/01/2021
active-directory How To Dnsbind https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-dnsbind.md
Title: Link your Domain to your Decentralized Identifier (DID) (preview) - Azure
description: Learn how to DNS Bind? documentationCenter: '' --++ Last updated 02/22/2022
active-directory How To Issuer Revoke https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-issuer-revoke.md
Title: How to Revoke a Verifiable Credential as an Issuer - Azure Active Directo
description: Learn how to revoke a Verifiable Credential that you've issued documentationCenter: '' --++ Last updated 04/01/2021
active-directory How To Opt Out https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-opt-out.md
Title: Opt out of the Azure Active Directory Verifiable Credentials (preview)
description: Learn how to Opt Out of the Verifiable Credentials Preview documentationCenter: '' --++ Last updated 02/08/2022
active-directory Introduction To Verifiable Credentials Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/introduction-to-verifiable-credentials-architecture.md
description: Learn foundational information to plan and design your solution
documentationCenter: '' -+ Last updated 07/20/2021
active-directory Issuance Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/issuance-request-api.md
description: Learn how to issue a verifiable credential that you've issued. documentationCenter: '' --++ Last updated 10/08/2021
active-directory Issuer Openid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/issuer-openid.md
Title: Issuer service communication examples (preview) - Azure Active Directory Verifiable Credentials description: Details of communication between identity provider and issuer service --++
active-directory Plan Issuance Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-issuance-solution.md
description: Learn to plan your end-to-end issuance solution.
documentationCenter: '' -+ Last updated 07/20/2021
active-directory Plan Verification Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-verification-solution.md
description: Learn foundational information to plan and design your verification
documentationCenter: '' -+ Last updated 07/20/2021
active-directory Presentation Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/presentation-request-api.md
description: Learn how to start a presentation request in Verifiable Credentials documentationCenter: '' --++ Last updated 10/08/2021
active-directory Verifiable Credentials Configure Issuer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer.md
Title: Tutorial - Issue Azure AD Verifiable Credentials from an application (preview) description: In this tutorial, you learn how to issue verifiable credentials by using a sample app.-+ -+ Last updated 05/03/2022
active-directory Verifiable Credentials Configure Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md
Title: Tutorial - Configure your tenant for Azure AD Verifiable Credentials (preview) description: In this tutorial, you learn how to configure your tenant to support the Verifiable Credentials service. -+ -+ Last updated 05/06/2022
active-directory Verifiable Credentials Configure Verifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-verifier.md
Title: Tutorial - Configure Azure AD Verifiable Credentials verifier (preview) description: In this tutorial, you learn how to configure your tenant to verify credentials.-+ -+ Last updated 10/08/2021
active-directory Verifiable Credentials Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-faq.md
Title: Frequently asked questions - Azure Verifiable Credentials (preview) description: Find answers to common questions about Verifiable Credentials --++ Last updated 04/28/2022
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/whats-new.md
Title: What's new for Azure Active Directory Verifiable Credentials (preview)
description: Recent updates for Azure Active Directory Verifiable Credentials -+ Last updated 05/10/2022
aks Cluster Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-extensions.md
Title: Cluster extensions for Azure Kubernetes Service (AKS) (preview)
+ Title: Cluster extensions for Azure Kubernetes Service (AKS)
description: Learn how to deploy and manage the lifecycle of extensions on Azure Kubernetes Service (AKS) Previously updated : 10/13/2021+ Last updated : 05/13/2022
-# Deploy and manage cluster extensions for Azure Kubernetes Service (AKS) (preview)
+# Deploy and manage cluster extensions for Azure Kubernetes Service (AKS)
Cluster extensions provides an Azure Resource Manager driven experience for installation and lifecycle management of services like Azure Machine Learning (ML) on an AKS cluster. This feature enables:
In this article, you will learn about:
A conceptual overview of this feature is available in [Cluster extensions - Azure Arc-enabled Kubernetes][arc-k8s-extensions] article. - ## Prerequisites * An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
A conceptual overview of this feature is available in [Cluster extensions - Azur
> clusterconfig.azure.com/managedby: k8s-extension > ```
-### Register provider for cluster extensions
-
-#### [Azure CLI](#tab/azure-cli)
-
-1. Enter the following commands:
-
- ```azurecli-interactive
- az provider register --namespace Microsoft.KubernetesConfiguration
- az provider register --namespace Microsoft.ContainerService
- ```
-
-2. Monitor the registration process. Registration may take up to 10 minutes.
-
- ```azurecli-interactive
- az provider show -n Microsoft.KubernetesConfiguration -o table
- az provider show -n Microsoft.ContainerService -o table
- ```
-
- Once registered, you should see the `RegistrationState` state for these namespaces change to `Registered`.
-
-#### [PowerShell](#tab/azure-powershell)
-
-1. Enter the following commands:
-
- ```azurepowershell
- Register-AzResourceProvider -ProviderNamespace Microsoft.KubernetesConfiguration
- Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerService
- ```
-
-1. Monitor the registration process. Registration may take up to 10 minutes.
-
- ```azurepowershell
- Get-AzResourceProvider -ProviderNamespace Microsoft.KubernetesConfiguration
- Get-AzResourceProvider -ProviderNamespace Microsoft.ContainerService
- ```
-
- Once registered, you should see the `RegistrationState` state for these namespaces change to `Registered`.
---
-### Register the `AKS-ExtensionManager` preview features
-
-To create an AKS cluster that can use cluster extensions, you must enable the `AKS-ExtensionManager` feature flag on your subscription.
-
-Register the `AKS-ExtensionManager` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
-
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "AKS-ExtensionManager"
-```
-
-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-ExtensionManager')].{Name:name,State:properties.state}"
-```
-
-When ready, refresh the registration of the *Microsoft.KubernetesConfiguration* and *Microsoft.ContainerService* resource providers by using the [az provider register][az-provider-register] command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.KubernetesConfiguration
-az provider register --namespace Microsoft.ContainerService
-```
- ### Setup the Azure CLI extension for cluster extensions > [!NOTE]
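Review bot: removing the "Register provider for cluster extensions" and "Register the `AKS-ExtensionManager` preview features" sections also drops the only instruction to register `Microsoft.KubernetesConfiguration` and `Microsoft.ContainerService` in the subscription; if the GA extension manager still needs the Microsoft.KubernetesConfiguration resource provider, keep a one-line `az provider register --namespace Microsoft.KubernetesConfiguration` under Prerequisites, otherwise readers on a fresh subscription will hit a provider-not-registered error on first `az k8s-extension create`. The link definitions `[az-feature-register]`, `[az-feature-list]` and `[az-provider-register]` kept later in the file appear to have no remaining references in the visible diff and should be removed if nothing else uses them.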
az k8s-extension delete --name azureml --cluster-name <clusterName> --resource-g
[az-feature-register]: /cli/azure/feature#az-feature-register [az-feature-list]: /cli/azure/feature#az-feature-list [az-provider-register]: /cli/azure/provider#az-provider-register
-[azure-ml-overview]: ../machine-learning/how-to-attach-arc-kubernetes.md
+[azure-ml-overview]: ../machine-learning/how-to-attach-kubernetes-anywhere.md
[dapr-overview]: ./dapr.md [gitops-overview]: ../azure-arc/kubernetes/conceptual-gitops-flux2.md [k8s-extension-reference]: /cli/azure/k8s-extension [use-azure-ad-pod-identity]: ./use-azure-ad-pod-identity.md <!-- EXTERNAL -->
-[arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc&regions=all
+[arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc&regions=all
aks Custom Certificate Authority https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/custom-certificate-authority.md
+
+ Title: Custom certificate authority (CA) in Azure Kubernetes Service (AKS) (preview)
+description: Learn how to use a custom certificate authority (CA) in an Azure Kubernetes Service (AKS) cluster.
++++ Last updated : 4/12/2022++
+# Custom certificate authority (CA) in Azure Kubernetes Service (AKS) (preview)
+
+Custom certificate authorities (CAs) allow you to establish trust between your Azure Kubernetes Service (AKS) cluster and your workloads, such as private registries, proxies, and firewalls. A Kubernetes secret is used to store the certificate authority's information, then it's passed to all nodes in the cluster.
+
+This feature is applied per nodepool, so new and existing nodepools must be configured to enable this feature.
++
+## Prerequisites
+
+* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
+* [Azure CLI installed][azure-cli-install].
+* A base64 encoded certificate string.
+
+### Limitations
+
+This feature isn't currently supported for Windows nodepools.
+
+### Install the `aks-preview` extension
+
+You also need the *aks-preview* Azure CLI extensions version 0.5.72 or later. Install the *aks-preview* extension by using the [az extension add][az-extension-add] command, or install any available updates by using the [az extension update][az-extension-update] command.
+
+```azurecli
+# Install the aks-preview extension
+az extension add --name aks-preview
+
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+```
+
+### Register the `CustomCATrustPreview` preview feature
+
+Register the `CustomCATrustPreview` feature flag by using the [az feature register][az-feature-register] command:
+
+```azurecli
+az feature register --namespace "Microsoft.ContainerService" --name "CustomCATrustPreview"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli
+az feature list --query "[?contains(name, 'Microsoft.ContainerService/CustomCATrustPreview')].{Name:name,State:properties.state}" -o table
+```
+
+Refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli
+az provider register --namespace Microsoft.ContainerService
+```
+
+## Configure a new AKS cluster to use a custom CA
+
+To configure a new AKS cluster to use a custom CA, run the [az aks create][az-aks-create] command with the `--enable-custom-ca-trust` parameter.
+
+```azurecli
+az aks create \
+ --resource-group myResourceGroup \
+ --name myAKSCluster \
+ --node-count 2 \
+ --enable-custom-ca-trust
+```
+
+## Configure a new nodepool to use a custom CA
+
+To configure a new nodepool to use a custom CA, run the [az aks nodepool add][az-aks-nodepool-add] command with the `--enable-custom-ca-trust` parameter.
+
+```azurecli
+az aks nodepool add \
+ --cluster-name myAKSCluster \
+ --resource-group myResourceGroup \
+ --name myNodepool \
+ --enable-custom-ca-trust
+```
+
+## Configure an existing nodepool to use a custom CA
+
+To configure an existing nodepool to use a custom CA, run the [az aks nodepool update][az-aks-nodepool-update] command with the `--enable-custom-trust-ca` parameter.
+
+```azurecli
+az aks nodepool update \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --name myNodepool \
+ --enable-custom-ca-trust
+```
+
+## Create a Kubernetes secret with your CA information
+
+Create a [Kubernetes secret][kubernetes-secrets] YAML manifest with your base64 encoded certificate string in the `data` field. Data from this secret is used to update CAs on all nodes.
+
+You must ensure that:
+* The secret is named `custom-ca-trust-secret`.
+* The secret is created in the `kube-system` namespace.
+
+```yaml
+apiVerison: v1
+kind: Secret
+metadata:
+ name: custom-ca-trust-secret
+ namespace: kube-system
+type: Opaque
+data:
+ ca1.crt: |
+ {base64EncodedCertStringHere}
+ ca2.crt: |
+ {anotherBase64EncodedCertStringHere}
+```
+
+To update or remove a CA, edit and apply the YAML manifest. The cluster will poll for changes and update the nodes accordingly. This process may take a couple of minutes before changes are applied.
+
+## Next steps
+
+For more information on AKS security best practices, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades].
+
+<!-- LINKS EXTERNAL -->
+[kubernetes-secrets]:https://kubernetes.io/docs/concepts/configuration/secret/
+
+<!-- LINKS INTERNAL -->
+[aks-best-practices-security-upgrades]: operator-best-practices-cluster-security.md
+[azure-cli-install]: /cli/azure/install-azure-cli
+[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-aks-update]: /cli/azure/aks#az-aks-update
+[az-aks-nodepool-add]: /cli/azure/aks#az-aks-nodepool-add
+[az-aks-nodepool-update]: /cli/azure/aks#az-aks-update
+[az-extension-add]: /cli/azure/extension#az-extension-add
+[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-feature-list]: /cli/azure/feature#az-feature-list
+[az-feature-register]: /cli/azure/feature#az-feature-register
+[az-provider-register]: /cli/azure/provider#az-provider-register
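Review bot: the secret manifest has `apiVerison: v1` (typo), so `kubectl apply` will reject it; it must be `apiVersion: v1`. The "Configure an existing nodepool to use a custom CA" paragraph names the parameter `--enable-custom-trust-ca` while the command below it (and the other two sections) use `--enable-custom-ca-trust`; align the prose with the command. In the link definitions, `[az-aks-nodepool-update]` points at `/cli/azure/aks#az-aks-update` rather than the nodepool update anchor, and `[az-aks-update]` is defined but never used. Two points for the reader: `data` values must be the base64 encoding of the PEM certificate, and the `|` block scalar is unnecessary for a single-line value and invites line-wrapped input, so a plain scalar after `ca1.crt:` is clearer; and because any principal that can write `custom-ca-trust-secret` in `kube-system` can add a CA that every node in the pool will trust, the article should tell operators to restrict write access to that secret with RBAC and to audit changes to it.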
aks Custom Node Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/custom-node-configuration.md
Title: Customize the node configuration for Azure Kubernetes Service (AKS) node pools description: Learn how to customize the configuration on Azure Kubernetes Service (AKS) cluster nodes and node pools. + Last updated 12/03/2020
Add a new node pool specifying the Kubelet parameters using the JSON file you cr
az aks nodepool add --name mynodepool1 --cluster-name myAKSCluster --resource-group myResourceGroup --kubelet-config ./kubeletconfig.json ``` - ## Other configuration The settings below can be used to modify other Operating System settings.
The settings below can be used to modify other Operating System settings.
Pass the ```--message-of-the-day``` flag with the location of the file to replace the Message of the Day on Linux nodes at cluster creation or node pool creation. - #### Cluster creation+ ```azurecli az aks create --cluster-name myAKSCluster --resource-group myResourceGroup --message-of-the-day ./newMOTD.txt ``` #### Nodepool creation+ ```azurecli az aks nodepool add --name mynodepool1 --cluster-name myAKSCluster --resource-group myResourceGroup --message-of-the-day ./newMOTD.txt ```
+## Confirm settings have been applied
+After you have applied custom node configuration, you can confirm the settings have been applied to the nodes by [connecting to the host][node-access] and verifying `sysctl` or configuration changes have been made on the filesystem.
## Next steps
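Review bot: the new "Confirm settings have been applied" section tells the reader to verify `sysctl` or configuration changes after connecting to the node but gives no command to run; suggest `sysctl <setting-name>` for each sysctl value that was set and, for the kubelet settings passed through `--kubelet-config`, inspecting the kubelet configuration on the node, so the reader has a concrete check rather than a general instruction.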
az aks nodepool add --name mynodepool1 --cluster-name myAKSCluster --resource-gr
[aks-scale-apps]: tutorial-kubernetes-scale.md [aks-support-policies]: support-policies.md [aks-upgrade]: upgrade-cluster.md
+[node-access]: node-access.md
[aks-view-master-logs]: ../azure-monitor/containers/container-insights-log-query.md#enable-resource-logs [autoscaler-profile-properties]: #using-the-autoscaler-profile [azure-cli-install]: /cli/azure/install-azure-cli
aks Dapr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-overview.md
Title: Dapr extension for Azure Kubernetes Service (AKS) overview (preview)
+ Title: Dapr extension for Azure Kubernetes Service (AKS) overview
description: Learn more about using Dapr on your Azure Kubernetes Service (AKS) cluster to develop applications. Previously updated : 10/15/2021- Last updated : 05/03/2022+ # Dapr
The managed Dapr cluster extension is the easiest method to provision Dapr on an
When installing Dapr OSS via helm or the Dapr CLI, runtime versions and configuration options are the responsibility of developers and cluster maintainers.
-Lastly, the Dapr extension is an extension of AKS, therefore you can expect the same support policy as other AKS features that are currently in preview.
+Lastly, the Dapr extension is an extension of AKS, therefore you can expect the same support policy as other AKS features.
### How can I switch to using the Dapr extension if IΓÇÖve already installed Dapr via a method, such as Helm?
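Review bot: the unchanged FAQ heading at the end of this hunk renders as `IΓÇÖve`, which means the source file contains a curly apostrophe that is being mis-decoded; while this file is being edited, replace it with a plain ASCII apostrophe (`I've`) so the heading and its generated anchor render consistently. The reworded support-policy sentence is fine, but because the title line drops "(preview)", check that the H1 and any other "(preview)" mentions in the body were updated in the same commit.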
After learning about Dapr and some of the challenges it solves, try [Deploying a
<!-- Links External --> [dapr-docs]: https://docs.dapr.io/ [dapr-blocks]: https://docs.dapr.io/concepts/building-blocks-concept/
-[dapr-secrets-block]: https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview/
+[dapr-secrets-block]: https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview/
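Review bot: the `-`/`+` pair for `[dapr-secrets-block]` is identical in the rendered diff, so this is a whitespace or line-ending-only change; either drop it from the commit or, if it removes a stray trailing character that broke the link, say so in the commit message so the change is not mistaken for noise.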
aks Dapr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr.md
Title: Dapr extension for Azure Kubernetes Service (AKS) (preview)
-description: Install and configure Dapr on your Azure Kubernetes Service (AKS) cluster using the Dapr cluster extension.
+ Title: Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes
+description: Install and configure Dapr on your Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes clusters using the Dapr cluster extension.
Previously updated : 10/15/2021- Last updated : 05/16/2022+
-# Dapr extension for Azure Kubernetes Service (AKS) (preview)
+# Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes
[Dapr](https://dapr.io/) is a portable, event-driven runtime that makes it easy for any developer to build resilient, stateless and stateful applications that run on the cloud and edge and embraces the diversity of languages and developer frameworks. Leveraging the benefits of a sidecar architecture, Dapr helps you tackle the challenges that come with building microservices and keeps your code platform agnostic. In particular, it helps with solving problems around services calling other services reliably and securely, building event-driven apps with pub-sub, and building applications that are portable across multiple cloud services and hosts (e.g., Kubernetes vs. a VM).
-By using the AKS Dapr extension to provision Dapr on your AKS cluster, you eliminate the overhead of downloading Dapr tooling and manually installing and managing the runtime on your AKS cluster. Additionally, the extension offers support for all [native Dapr configuration capabilities][dapr-configuration-options] through simple command-line arguments.
+By using the Dapr extension to provision Dapr on your AKS or Arc-enabled Kubernetes cluster, you eliminate the overhead of downloading Dapr tooling and manually installing and managing the runtime on your AKS cluster. Additionally, the extension offers support for all [native Dapr configuration capabilities][dapr-configuration-options] through simple command-line arguments.
> [!NOTE] > If you plan on installing Dapr in a Kubernetes production environment, please see the [Dapr guidelines for production usage][kubernetes-production] documentation page. ## How it works
-The AKS Dapr extension uses the Azure CLI to provision the Dapr control plane on your AKS cluster. This will create:
+The Dapr extension uses the Azure CLI to provision the Dapr control plane on your AKS or Arc-enabled Kubernetes cluster. This will create:
- **dapr-operator**: Manages component updates and Kubernetes services endpoints for Dapr (state stores, pub/subs, etc.) - **dapr-sidecar-injector**: Injects Dapr into annotated deployment pods and adds the environment variables `DAPR_HTTP_PORT` and `DAPR_GRPC_PORT` to enable user-defined applications to easily communicate with Dapr without hard-coding Dapr port values. - **dapr-placement**: Used for actors only. Creates mapping tables that map actor instances to pods - **dapr-sentry**: Manages mTLS between services and acts as a certificate authority. For more information read the [security overview][dapr-security].
-Once Dapr is installed on your AKS cluster, you can begin to develop using the Dapr building block APIs by [adding a few annotations][dapr-deployment-annotations] to your deployments. For a more in-depth overview of the building block APIs and how to best use them, please see the [Dapr building blocks overview][building-blocks-concepts].
+Once Dapr is installed on your cluster, you can begin to develop using the Dapr building block APIs by [adding a few annotations][dapr-deployment-annotations] to your deployments. For a more in-depth overview of the building block APIs and how to best use them, please see the [Dapr building blocks overview][building-blocks-concepts].
> [!WARNING]
-> If you install Dapr through the AKS extension, our recommendation is to continue using the extension for future management of Dapr instead of the Dapr CLI. Combining the two tools can cause conflicts and result in undesired behavior.
+> If you install Dapr through the AKS or Arc-enabled Kubernetes extension, our recommendation is to continue using the extension for future management of Dapr instead of the Dapr CLI. Combining the two tools can cause conflicts and result in undesired behavior.
-## Supported Kubernetes versions
+## Currently supported
-The Dapr extension uses support window similar to AKS, but instead of N-2, Dapr supports N-1. For more, see the [Kubernetes version support policy][k8s-version-support-policy].
-
-## Prerequisites
--- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- Install the latest version of the [Azure CLI](/cli/azure/install-azure-cli-windows) and the *aks-preview* extension.-- If you don't have one already, you need to create an [AKS cluster][deploy-cluster].
+### Dapr versions
+The Dapr extension support varies depending on how you manage the runtime.
-### Register the `AKS-ExtensionManager` and `AKS-Dapr` preview features
+**Self-managed**
+For self-managed runtime, the Dapr extension supports:
+- [The latest version of Dapr and 1 previous version (N-1)][dapr-supported-version]
+- Upgrading minor version incrementally (for example, 1.5 -> 1.6 -> 1.7)
+Self-managed runtime requires manual upgrade to remain in the support window. To upgrade Dapr via the extension, follow the [Update extension instance instructions][update-extension].
-To create an AKS cluster that can use the Dapr extension, you must enable the `AKS-ExtensionManager` and `AKS-Dapr` feature flags on your subscription.
+**Auto-upgrade**
+Enabling auto-upgrade keeps your Dapr extension updated to the latest minor version. You may experience breaking changes between updates.
-Register the `AKS-ExtensionManager` and `AKS-Dapr` feature flags by using the [az feature register][az-feature-register] command, as shown in the following example:
+### Components
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "AKS-ExtensionManager"
-az feature register --namespace "Microsoft.ContainerService" --name "AKS-Dapr"
-```
+Azure + open source components are supported. Alpha and beta components are supported via best effort.
-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+### Clouds/regions
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-ExtensionManager')].{Name:name,State:properties.state}"
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-Dapr')].{Name:name,State:properties.state}"
-```
+Global Azure cloud is supported with Arc support on the regions listed by [Azure Products by Region][supported-cloud-regions].
-When ready, refresh the registration of the *Microsoft.KubernetesConfiguration* and *Microsoft.ContainerService* resource providers by using the [az provider register][az-provider-register] command:
+## Prerequisites
-```azurecli-interactive
-az provider register --namespace Microsoft.KubernetesConfiguration
-az provider register --namespace Microsoft.ContainerService
-```
+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- Install the latest version of the [Azure CLI](/cli/azure/install-azure-cli-windows).
+- If you don't have one already, you need to create an [AKS cluster][deploy-cluster] or connect an [Arc-enabled Kubernetes cluster][arc-k8s-cluster].
### Set up the Azure CLI extension for cluster extensions
-You will also need the `k8s-extension` Azure CLI extension. Install this by running the following commands:
+You will need the `k8s-extension` Azure CLI extension. Install this by running the following commands:
```azurecli-interactive az extension add --name k8s-extension
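Review bot: the rewritten intro sentence opens with "your AKS or Arc-enabled Kubernetes cluster" but still ends with "managing the runtime on your AKS cluster", so the Arc case is dropped mid-sentence; suggest ending with "on your cluster", as the later paragraph ("Once Dapr is installed on your cluster") already does. Removing the "Supported Kubernetes versions" section also removes the only statement of which Kubernetes versions the extension supports: the new "Currently supported" section covers Dapr versions, components and regions but not Kubernetes versions, and the `[k8s-version-support-policy]` reference in the link block is now orphaned. The auto-upgrade paragraph's caveat that minor-version updates may include breaking changes is useful; keep it.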
If the `k8s-extension` extension is already installed, you can update it to the
az extension update --name k8s-extension ```
-## Create the extension and install Dapr on your AKS cluster
+## Create the extension and install Dapr on your AKS or Arc-enabled Kubernetes cluster
-> [!NOTE]
-> It is important that you use the flag `--cluster-type managedClusters` when installing the Dapr extension on your AKS cluster. Using `--cluster-type connectedClusters` is currently not supported.
+When installing the Dapr extension, use the flag value that corresponds to your cluster type:
+
+- **AKS cluster**: `--cluster-type managedClusters`.
+- **Arc-enabled Kubernetes cluster**: `--cluster-type connectedClusters`.
-Once your subscription is registered to use Kubernetes extensions, you can create the Dapr extension, which installs Dapr on your AKS cluster. For example:
+Create the Dapr extension, which installs Dapr on your AKS or Arc-enabled Kubernetes cluster. For example, for an AKS cluster:
```azure-cli-interactive az k8s-extension create --cluster-type managedClusters \
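Review bot: the new bullet list tells the reader to use `--cluster-type connectedClusters` for Arc-enabled clusters, but the only example that follows is the `managedClusters` one ("For example, for an AKS cluster:"); add the `connectedClusters` variant or state explicitly that only the `--cluster-type` value differs. The fence on the example's context line is tagged `azure-cli-interactive` while the block just above uses `azurecli-interactive`; worth normalizing while this section is being edited.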
The below JSON is returned, and the error message is captured in the `message` p
], ```
+### Troubleshooting Dapr
+
+Troubleshoot Dapr errors via the [common Dapr issues and solutions guide][dapr-troubleshooting].
+ ## Delete the extension If you need to delete the extension and remove Dapr from your AKS cluster, you can use the following command:
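Review bot: the "Delete the extension" text still reads "remove Dapr from your AKS cluster" and the command in the context line targets `myAKSCluster` only; since the page now covers Arc-enabled clusters, mirror the create section and note that `--cluster-type connectedClusters` applies here too. The added "Troubleshooting Dapr" subsection is a bare link; one sentence on what to check first (for example the extension's returned JSON, whose `message` property captures the error as the preceding section says) would make it actionable.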
az k8s-extension delete --resource-group myResourceGroup --cluster-name myAKSClu
[az-provider-register]: /cli/azure/provider#az-provider-register [sample-application]: ./quickstart-dapr.md [k8s-version-support-policy]: ./supported-kubernetes-versions.md?tabs=azure-cli#kubernetes-version-support-policy
+[arc-k8s-cluster]: /azure-arc/kubernetes/quickstart-connect-cluster.md
+[update-extension]: ./cluster-extensions.md#update-extension-instance
<!-- LINKS EXTERNAL --> [kubernetes-production]: https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production
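Review bot: `[arc-k8s-cluster]: /azure-arc/kubernetes/quickstart-connect-cluster.md` mixes a site-absolute path with a `.md` extension; the other cross-service links in this repo are relative (`../azure-monitor/...`, `../machine-learning/...`) and the absolute ones (`/cli/azure/...`) carry no extension, so this one is likely to 404 on the published site. Suggest `../azure-arc/kubernetes/quickstart-connect-cluster.md`.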
az k8s-extension delete --resource-group myResourceGroup --cluster-name myAKSClu
[sample-application]: https://github.com/dapr/quickstarts/tree/master/hello-kubernetes#step-2create-and-configure-a-state-store [dapr-security]: https://docs.dapr.io/concepts/security-concept/ [dapr-deployment-annotations]: https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-overview/#adding-dapr-to-a-kubernetes-deployment
+[dapr-oss-support]: https://docs.dapr.io/operations/support/support-release-policy/
+[dapr-supported-version]: https://docs.dapr.io/operations/support/support-release-policy/#supported-versions
+[dapr-troubleshooting]: https://docs.dapr.io/operations/troubleshooting/common_issues/
+[supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc
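Review bot: `[dapr-oss-support]` is defined here but not referenced anywhere in the changed text (`[dapr-supported-version]`, which points into the same upstream page, is the one used in the "Dapr versions" section); remove it or use it where the self-managed support window is described.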
aks Devops Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/devops-pipeline.md
After the pipeline run is finished, explore what happened and then go see your a
1. Select **View environment**.
-1. Select the instance if your app for the namespace you deployed to. If you stuck to the defaults we mentioned above, then it will be the **myapp** app in the **default** namespace.
+1. Select the instance of your app for the namespace you deployed to. If you stuck to the defaults we mentioned above, then it will be the **myapp** app in the **default** namespace.
1. Select the **Services** tab.
aks Draft https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/draft.md
+
+ Title: Draft extension for Azure Kubernetes Service (AKS) (preview)
+description: Install and use Draft on your Azure Kubernetes Service (AKS) cluster using the Draft extension.
++++ Last updated : 5/02/2022+++
+# Draft for Azure Kubernetes Service (AKS) (preview)
+
+[Draft](https://github.com/Azure/draft) is an open-source project that streamlines Kubernetes development by taking a non-containerized application and generating the Dockerfiles, Kubernetes manifests, Helm charts, Kustomize configurations, and other artifacts associated with a containerized application. Draft can also create a GitHub Action workflow file to quickly build and deploy applications onto any Kubernetes cluster.
+
+## How it works
+
+Draft has the following commands to help ease your development on Kubernetes:
+
+- **draft create**: Creates the Dockerfile and the proper manifest files.
+- **draft setup-gh**: Sets up your GitHub OIDC.
+- **draft generate-workflow**: Generates the GitHub Action workflow file for deployment onto your cluster.
+- **draft up**: Sets up your GitHub OIDC and generates a GitHub Action workflow file, combining the previous two commands.
+
+## Prerequisites
+
+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- Install the latest version of the [Azure CLI](/cli/azure/install-azure-cli-windows) and the *aks-preview* extension.
+- If you don't have one already, you need to create an [AKS cluster][deploy-cluster].
+
+### Install the `aks-preview` Azure CLI extension
++
+```azurecli-interactive
+# Install the aks-preview extension
+az extension add --name aks-preview
+
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+```
+
+## Create artifacts using `draft create`
+
+To create a Dockerfile, Helm chart, Kubernetes manifest, or Kustomize files needed to deploy your application onto an AKS cluster, use the `draft create` command:
+
+```azure-cli-interactive
+az aks draft create
+```
+
+You can also run the command on a specific directory using the `--destination` flag:
+
+```azure-cli-interactive
+az aks draft create --destination /Workspaces/ContosoAir
+```
+
+## Set up GitHub OIDC using `draft setup-gh`
+
+To use Draft, you have to register your application with GitHub using `draft setup-gh`. This step only needs to be done once per repository.
+
+```azure-cli-interactive
+az aks draft setup-gh
+```
+
+## Generate a GitHub Action workflow file for deployment using `draft generate-workflow`
+
+After you create your artifacts and set up GitHub OIDC, you can generate a GitHub Action workflow file, creating an action that deploys your application onto your AKS cluster. Once your workflow file is generated, you must commit it into your repository in order to initiate the GitHub Action.
+
+```azure-cli-interactive
+az aks draft generate-workflow
+```
+
+You can also run the command on a specific directory using the `--destination` flag:
+
+```azure-cli-interactive
+az aks draft generate-workflow --destination /Workspaces/ContosoAir
+```
+
+## Set up GitHub OpenID Connect (OIDC) and generate a GitHub Action workflow file using `draft up`
+
+`draft up` is a single command to accomplish GitHub OIDC setup and generate a GitHub Action workflow file for deployment. It effectively combines the `draft setup-gh` and `draft generate-workflow` commands, meaning it's most commonly used when getting started in a new repository for the first time, and only needs to be run once. Subsequent updates to the GitHub Action workflow file can be made using `draft generate-workflow`.
+
+```azure-cli-interactive
+az aks draft up
+```
+
+You can also run the command on a specific directory using the `--destination` flag:
+
+```azure-cli-interactive
+az aks draft up --destination /Workspaces/ContosoAir
+```
+
+<!-- LINKS INTERNAL -->
+[deploy-cluster]: ./tutorial-kubernetes-deploy-cluster.md
+[az-feature-register]: /cli/azure/feature#az-feature-register
+[az-feature-list]: /cli/azure/feature#az-feature-list
+[az-provider-register]: /cli/azure/provider#az-provider-register
+[sample-application]: ./quickstart-dapr.md
+[k8s-version-support-policy]: ./supported-kubernetes-versions.md?tabs=azure-cli#kubernetes-version-support-policy
+[web-app-routing]: web-app-routing.md
+[az-extension-add]: /cli/azure/extension#az-extension-add
+[az-extension-update]: /cli/azure/extension#az-extension-update
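Review bot: every code fence in this new file except the first is tagged `azure-cli-interactive`, while the first block and the rest of the repo use `azurecli-interactive`; normalize the seven remaining blocks. The link block at the bottom is copied from the Dapr page: `[sample-application]: ./quickstart-dapr.md`, `[k8s-version-support-policy]`, `[az-feature-register]`, `[az-feature-list]`, `[az-provider-register]`, `[web-app-routing]`, `[az-extension-add]` and `[az-extension-update]` are never referenced here (only `[deploy-cluster]` is), so drop them. The "Set up GitHub OIDC" section says `draft setup-gh` registers the application with GitHub but not what it creates in Azure or GitHub, nor which permissions the user needs to run it; because this step establishes the trust that lets workflow runs deploy into the cluster, state what is created and where the reader can inspect or revoke it. Minor: `Last updated : 5/02/2022` lacks the leading zero used on the other pages.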
aks Gpu Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/gpu-cluster.md
Title: Use GPUs on Azure Kubernetes Service (AKS)
description: Learn how to use GPUs for high performance compute or graphics-intensive workloads on Azure Kubernetes Service (AKS) + Last updated 08/06/2021- #Customer intent: As a cluster administrator or developer, I want to create an AKS cluster that can use high-performance GPU-based VMs for compute-intensive workloads.
For information on using Azure Kubernetes Service with Azure Machine Learning, s
[aks-spark]: spark-job.md [gpu-skus]: ../virtual-machines/sizes-gpu.md [install-azure-cli]: /cli/azure/install-azure-cli
-[azureml-aks]: ../machine-learning/how-to-deploy-azure-kubernetes-service.md
+[azureml-aks]: ../machine-learning/v1/how-to-deploy-azure-kubernetes-service.md
[azureml-gpu]: ../machine-learning/how-to-deploy-inferencing-gpus.md [azureml-triton]: ../machine-learning/how-to-deploy-with-triton.md [aks-container-insights]: monitor-aks.md#container-insights
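Review bot: only `[azureml-aks]` is moved under `../machine-learning/v1/`; the neighbouring `[azureml-gpu]` and `[azureml-triton]` references in the context line still point to the un-versioned `../machine-learning/` paths. If the ML deployment docs were relocated into a `v1/` folder, confirm these two still resolve rather than updating just one of the three.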
aks Howto Deploy Java Liberty App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-liberty-app.md
export PASSWORD=${PASSWORD}
export DB_SERVER_NAME=<Server name>.database.windows.net export DB_PORT_NUMBER=1433 export DB_NAME=<Database name>
-export DB_USER=<Server admin login>@<Database name>
+export DB_USER=<Server admin login>@<Server name>
export DB_PASSWORD=<Server admin password>
-export NAMESPACE=${OPERATOR_NAMESPACE}
+export NAMESPACE=default
mvn clean install ```
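Review bot: `DB_USER=<Server admin login>@<Server name>` is the right fix (the `@<Database name>` form is not a valid Azure SQL login), but `NAMESPACE=default` silently replaces `${OPERATOR_NAMESPACE}` with a hard-coded value, and the surrounding text should say why the application now deploys to `default` instead of the operator's namespace. Also `export PASSWORD=${PASSWORD}` in the context line is a no-op, and since these exports place the database admin password in the shell environment, a one-line reminder not to persist them in shell history or scripts would fit here.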
aks Http Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-proxy.md
description: Use the HTTP proxy configuration feature for Azure Kubernetes Servi
Previously updated : 09/09/2021 Last updated : 05/23/2022
-# HTTP proxy support in Azure Kubernetes Service (preview)
+# HTTP proxy support in Azure Kubernetes Service
Azure Kubernetes Service (AKS) clusters, whether deployed into a managed or custom virtual network, have certain outbound dependencies necessary to function properly. Previously, in environments requiring internet access to be routed through HTTP proxies, this was a problem. Nodes had no way of bootstrapping the configuration, environment variables, and certificates necessary to access internet services.
This feature adds HTTP proxy support to AKS clusters, exposing a straightforward
Some more complex solutions may require creating a chain of trust to establish secure communications across the network. The feature also enables installation of a trusted certificate authority onto the nodes as part of bootstrapping a cluster. - ## Limitations and other details The following scenarios are **not** supported:
By default, *httpProxy*, *httpsProxy*, and *trustedCa* have no value.
## Prerequisites * An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
-* [Azure CLI installed](/cli/azure/install-azure-cli).
-
-### Install the `aks-preview` Azure CLI
-
-You also need the *aks-preview* Azure CLI extension version 0.5.25 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.
-
-```azurecli-interactive
-# Install the aks-preview extension
-az extension add --name aks-preview
-# Update the extension to make sure you have the latest version installed
-az extension update --name aks-preview
-```
-
-### Register the `HTTPProxyConfigPreview` preview feature
-
-To use the feature, you must also enable the `HTTPProxyConfigPreview` feature flag on your subscription.
-
-Register the `HTTPProxyConfigPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
-
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "HTTPProxyConfigPreview"
-```
-
-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/HTTPProxyConfigPreview')].{Name:name,State:properties.state}"
-```
-
-When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
+* Latest version of [Azure CLI installed](/cli/azure/install-azure-cli).
## Configuring an HTTP proxy using Azure CLI
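Review bot: with the preview section removed, "Latest version of Azure CLI" is the only version statement left; the deleted text pinned aks-preview 0.5.25 or later, so state the minimum GA Azure CLI version that supports the HTTP proxy configuration instead of "latest", which drifts. Also check that no "preview" wording remains in the body after dropping it from the H1, and that the Limitations section (unchanged in this diff) still reflects GA behaviour.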
aks Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/integrations.md
Title: Add-ons, extensions, and other integrations with Azure Kubernetes Service
description: Learn about the add-ons, extensions, and open-source integrations you can use with Azure Kubernetes Service. + Last updated 02/22/2022
The below table shows a few examples of open-source and third-party integrations
| [Grafana][grafana] | An open-source dashboard for observability. | [Deploy Grafana on Kubernetes][grafana-install] | | [Couchbase][couchdb] | A distributed NoSQL cloud database. | [Install Couchbase and the Operator on AKS][couchdb-install] | | [OpenFaaS][open-faas]| An open-source framework for building serverless functions by using containers. | [Use OpenFaaS with AKS][open-faas-aks] |
-| [Apache Spark][apache-spark] | An open source, fast engine for large-scale data processing. | [Run an Apache Spark job with AKS][spark-job] |
+| [Apache Spark][apache-spark] | An open source, fast engine for large-scale data processing. | Running Apache Spark jobs requires a minimum node size of *Standard_D3_v2*. See [running Spark on Kubernetes][spark-kubernetes] for more details on running Spark jobs on Kubernetes. |
| [Istio][istio] | An open-source service mesh. | [Istio Installation Guides][istio-install] | | [Linkerd][linkerd] | An open-source service mesh. | [Linkerd Getting Started][linkerd-install] | | [Consul][consul] | An open source, identity-based networking solution. | [Getting Started with Consul Service Mesh for Kubernetes][consul-install] |
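Review bot: the replacement Apache Spark row puts a full sentence with a node-size requirement (`Standard_D3_v2`) in the third column, whereas every other row uses a short "how to" link; keep the column format and move the sizing note into the description column or the linked page. The AKS-specific `spark-job.md` how-to is also replaced by the upstream Spark-on-Kubernetes docs, so the row no longer points to anything AKS-specific; fine if intentional, but the commit message should say the AKS page was retired.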
The below table shows a few examples of open-source and third-party integrations
[open-faas]: https://www.openfaas.com/ [open-faas-aks]: openfaas.md [apache-spark]: https://spark.apache.org/
-[spark-job]: spark-job.md
-[azure-ml-overview]: ../machine-learning/how-to-attach-arc-kubernetes.md
+[azure-ml-overview]: ../machine-learning/how-to-attach-kubernetes-anywhere.md
+[spark-kubernetes]: https://spark.apache.org/docs/latest/running-on-kubernetes.html
[dapr-overview]: ./dapr.md [gitops-overview]: ../azure-arc/kubernetes/conceptual-gitops-flux2.md
aks Keda https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda.md
+
+ Title: KEDA add-on on Azure Kubernetes Service (AKS) (Preview)
+description: Use the KEDA add-on to deploy a managed KEDA instance on Azure Kubernetes Service (AKS).
++++ Last updated : 05/24/2021+++
+# Simplified application autoscaling with Kubernetes Event-driven Autoscaling (KEDA) add-on (Preview)
+
+Kubernetes Event-driven Autoscaling (KEDA) is a single-purpose and lightweight component that strives to make application autoscaling simple and is a CNCF Incubation project.
+
+The KEDA add-on makes it even easier by deploying a managed KEDA installation, providing you with [a rich catalog of 40+ KEDA scalers](https://keda.sh/docs/latest/scalers/) that you can scale your applications with on your Azure Kubernetes Services (AKS) cluster.
++
+## KEDA add-on overview
+
+[KEDA][keda] provides two main components:
+
+- **KEDA operator** allows end-users to scale workloads in/out from 0 to N instances with support for Kubernetes Deployments, Jobs, StatefulSets or any custom resource that defines `/scale` subresource.
+- **Metrics server** exposes external metrics to HPA in Kubernetes for autoscaling purposes such as messages in a Kafka topic, or number of events in an Azure event hub. Due to upstream limitations, this must be the only installed metric adapter.
+
+## Prerequisites
+
+> [!NOTE]
+> KEDA is currently only available in the `westcentralus` region.
+
+- An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
+- [Azure CLI installed](/cli/azure/install-azure-cli).
+
+### Register the `AKS-KedaPreview` feature flag
+
+To use the KEDA, you must enable the `AKS-KedaPreview` feature flag on your subscription.
+
+```azurecli
+az feature register --name AKS-KedaPreview --namespace Microsoft.ContainerService
+```
+
+You can check on the registration status by using the `az feature list` command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-KedaPreview')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the `az provider register` command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+## Deploy the KEDA add-on with Azure Resource Manager (ARM) templates
+
+The KEDA add-on can be enabled by deploying an AKS cluster with an Azure Resource Manager template and specifying the `workloadAutoScalerProfile` field:
+
+```json
+ "workloadAutoScalerProfile": {
+ "keda": {
+ "enabled": true
+ }
+ }
+```
+
+## Connect to your AKS cluster
+
+To connect to the Kubernetes cluster from your local computer, you use [kubectl][kubectl], the Kubernetes command-line client.
+
+If you use the Azure Cloud Shell, `kubectl` is already installed. You can also install it locally using the [az aks install-cli][az aks install-cli] command:
+
+```azurecli
+az aks install-cli
+```
+
+To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials][az aks get-credentials] command. The following example gets credentials for the AKS cluster named *MyAKSCluster* in the *MyResourceGroup*:
+
+```azurecli
+az aks get-credentials --resource-group MyResourceGroup --name MyAKSCluster
+```
+
+## Example deployment
+
+The following snippet is a sample deployment that creates a cluster with KEDA enabled with a single node pool comprised of three `DS2_v5` nodes.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "apiVersion": "2022-05-02-preview",
+ "dependsOn": [],
+ "type": "Microsoft.ContainerService/managedClusters",
+ "location": "westcentralus",
+ "name": "myAKSCluster",
+ "properties": {
+ "kubernetesVersion": "1.23.5",
+ "enableRBAC": true,
+ "dnsPrefix": "myAKSCluster",
+ "agentPoolProfiles": [
+ {
+ "name": "agentpool",
+ "osDiskSizeGB": 200,
+ "count": 3,
+ "enableAutoScaling": false,
+ "vmSize": "Standard_D2S_v5",
+ "osType": "Linux",
+ "storageProfile": "ManagedDisks",
+ "type": "VirtualMachineScaleSets",
+ "mode": "System",
+ "maxPods": 110,
+ "availabilityZones": [],
+ "nodeTaints": [],
+ "enableNodePublicIP": false
+ }
+ ],
+ "networkProfile": {
+ "loadBalancerSku": "standard",
+ "networkPlugin": "kubenet"
+ },
+ "workloadAutoScalerProfile": {
+ "keda": {
+ "enabled": true
+ }
+ }
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ }
+ ]
+}
+```
+
+## Use KEDA
+
+KEDA scaling will only work once a custom resource definition has been defined (CRD). To learn more about KEDA CRDs, follow the official [KEDA documentation][keda-scalers] to define your scaler.
+
+## Clean Up
+
+To remove the resource group, and all related resources, use the [az group delete][az-group-delete] command:
+
+```azurecli
+az group delete --name MyResourceGroup
+```
+
+<!-- LINKS - internal -->
+[az-aks-create]: /cli/azure/aks#az-aks-create
+[az aks install-cli]: /cli/azure/aks#az-aks-install-cli
+[az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az aks update]: /cli/azure/aks#az-aks-update
+[az-group-delete]: /cli/azure/group#az-group-delete
+
+<!-- LINKS - external -->
+[kubectl]: https://kubernetes.io/docs/user-guide/kubectl
+[keda]: https://keda.sh/
+[keda-scalers]: https://keda.sh/docs/scalers/
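Review bot: the "Example deployment" text says three `DS2_v5` nodes but the template's `vmSize` is `Standard_D2S_v5`; make them agree. In "Use KEDA", "once a custom resource definition has been defined (CRD)" names the wrong object: the add-on installs the CRDs, and what the user must create is a KEDA custom resource such as a `ScaledObject` targeting the workload, so reword it before readers try to install CRDs themselves. `Last updated : 05/24/2021` predates the `2022-05-02-preview` API version used in the template, so the year looks wrong. The "Clean Up" step deletes the whole `MyResourceGroup`, which removes every resource in it, not just the cluster; say so. `[az-aks-create]` and `[az aks update]` are defined but unused.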
aks Kubernetes Action https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-action.md
description: Learn how to use GitHub Actions to deploy your container to Kubern
Previously updated : 01/05/2022 Last updated : 05/16/2022
For a workflow targeting AKS, the file has three sections:
|Section |Tasks | |||
-|**Authentication** | Login to a private container registry (ACR) |
+|**Authentication** | Generate deployment credentials. |
|**Build** | Build & push the container image | |**Deploy** | 1. Set the target AKS cluster | | |2. Create a generic/docker-registry secret in Kubernetes cluster |
For a workflow targeting AKS, the file has three sections:
## Create a service principal
+# [Service principal](#tab/userlevel)
+ You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) by using the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). You can run this command using [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button. ```azurecli-interactive
In the above command, replace the placeholders with your subscription ID, and re
``` Copy this JSON object, which you can use to authenticate from GitHub.
+# [Open ID Connect](#tab/openid)
+
+Open ID Connect is an authentication method that uses short-lived tokens. Setting up [Open ID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.
+
+1. If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.
+
+ ```azurecli-interactive
+ az ad app create --display-name myApp
+ ```
+
+ This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.
+
+ You'll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.
+
+1. Create a service principal. Replace the `$appID` with the appId from your JSON output.
+
+ This command generates JSON output with a different `objectId` and will be used in the next step. The new `objectId` is the `assignee-object-id`.
+
+ Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.
+
+ ```azurecli-interactive
+ az ad sp create --id $appId
+ ```
+
+1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).
+
+ ```azurecli-interactive
+ az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/--assignee-principal-type ServicePrincipal
+ ```
+
+1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.
+
+ * Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.
+ * Set a value for `CREDENTIAL-NAME` to reference later.
+ * Set the `subject`. The value of this is defined by GitHub depending on your workflow:
+ * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`
+ * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.
+ * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.
+
+ ```azurecli
+ az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'
+ ```
+
+To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).
++++ ## Configure the GitHub secrets
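Review bot: The `az role assignment create` command in the role-assignment step is both malformed and mis-scoped: `--scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/--assignee-principal-type ServicePrincipal` has no space before `--assignee-principal-type`, so the flag is parsed as part of the scope string, and the scope itself points at App Service (`Microsoft.Web/sites`) with no site name even though this article's workflow deploys to AKS. Grant the role on the cluster the workflow actually targets, for example `--scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.ContainerService/managedClusters/$clusterName --assignee-principal-type ServicePrincipal`, with `$clusterName` introduced as a placeholder in the step text (or scope to the resource group if the reader needs to create the cluster too). Also, the `az rest` body hard-codes `"subject":"repo:organization/repository:ref:refs/heads/main"` and `"description":"Testing"` while the bullets just above tell the reader to choose the subject for their workflow; use placeholders in the same style as `<APPLICATION-OBJECT-ID>` and `<CREDENTIAL-NAME>`. Minor: "To learn how to create a Create an active directory application" has a duplicated phrase.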
+# [Service principal](#tab/userlevel)
+ Follow the steps to configure the secrets: 1. In [GitHub](https://github.com/), browse to your repository, select **Settings > Secrets > New repository secret**.
Follow the steps to configure the secrets:
:::image type="content" source="media/kubernetes-action/kubernetes-secrets.png" alt-text="Screenshot shows existing secrets for a repository.":::
+# [OpenID Connect](#tab/openid)
+
+You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
+
+1. Open your GitHub repository and go to **Settings**.
+
+1. Select **Settings > Secrets > New secret**.
+
+1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
+
+ |GitHub Secret | Active Directory Application |
+ |||
+ |AZURE_CLIENT_ID | Application (client) ID |
+ |AZURE_TENANT_ID | Directory (tenant) ID |
+ |AZURE_SUBSCRIPTION_ID | Subscription ID |
+
+1. Similarly, define the following additional secrets for the container registry credentials and set them in Docker login action.
+
+ - REGISTRY_USERNAME
+ - REGISTRY_PASSWORD
++ ## Build a container image and deploy to Azure Kubernetes Service cluster
Before you can deploy to AKS, you'll need to set target Kubernetes namespace and
Complete your deployment with the `azure/k8s-deploy@v1` action. Replace the environment variables with values for your application.
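Review bot: The OpenID Connect tab still asks for `REGISTRY_USERNAME` and `REGISTRY_PASSWORD` as stored secrets, so registry access stays a long-lived credential even though the Azure login itself moved to short-lived tokens. Once `azure/login` has run with OIDC, the job can authenticate to the registry with `az acr login --name ${{ env.REGISTRY_NAME }}` (the service principal needs a push role on the registry, such as AcrPush), which would let this tab drop those two secrets entirely. Also, step 2 says **Settings > Secrets > New secret** while the Service principal tab says **Settings > Secrets > New repository secret**; the two tabs should use the same UI label.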
+# [Service principal](#tab/userlevel)
+ ```yaml on: [push]
jobs:
namespace: ${{ env.NAMESPACE }} ```
+# [Open ID Connect](#tab/openid)
+
+The Azure Kubernetes Service set context action ([azure/aks-set-context](https://github.com/Azure/aks-set-context)) can be used to set cluster context before other actions like [k8s-deploy](https://github.com/Azure/k8s-deploy). For Open ID Connect, you'll use the Azure Login action before set context.
+
+```yaml
+
+on: [push]
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+ REGISTRY_NAME: {registry-name}
+ CLUSTER_NAME: {cluster-name}
+ CLUSTER_RESOURCE_GROUP: {resource-group-name}
+ NAMESPACE: {namespace-name}
+ SECRET: {secret-name}
+ APP_NAME: {app-name}
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@main
+
+ # Connect to Azure Container Registry (ACR)
+ - uses: azure/docker-login@v1
+ with:
+ login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+
+ # Container build and push to a Azure Container Registry (ACR)
+ - run: |
+ docker build . -t ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}
+ docker push ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}
+ working-directory: ./<path-to-Dockerfile-directory>
+
+ - uses: azure/login@v1
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Set the target Azure Kubernetes Service (AKS) cluster.
+ - uses: azure/aks-set-context@v2.0
+ with:
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ resource-group: ${{ env.CLUSTER_RESOURCE_GROUP }}
+
+ # Create namespace if doesn't exist
+ - run: |
+ kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o json | kubectl apply -f -
+
+ # Create image pull secret for ACR
+ - uses: azure/k8s-create-secret@v1
+ with:
+ container-registry-url: ${{ env.REGISTRY_NAME }}.azurecr.io
+ container-registry-username: ${{ secrets.REGISTRY_USERNAME }}
+ container-registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+ secret-name: ${{ env.SECRET }}
+ namespace: ${{ env.NAMESPACE }}
+ arguments: --force true
+
+ # Deploy app to AKS
+ - uses: azure/k8s-deploy@v1
+ with:
+ manifests: |
+ ${{ github.workspace }}/manifests/deployment.yaml
+ ${{ github.workspace }}/manifests/service.yaml
+ images: |
+ ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.SECRET }}
+ namespace: ${{ env.NAMESPACE }}
+```
+++ ## Clean up resources When your Kubernetes cluster, container registry, and repository are no longer needed, clean up the resources you deployed by deleting the resource group and your GitHub repository.
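Review bot: The OpenID Connect workflow is missing the `permissions` block that OIDC requires: GitHub only issues the ID token that `azure/login@v1` exchanges when the job (or workflow) declares `id-token: write`, so as written the login step fails. Add at job level, for example:
`permissions:`
`  id-token: write`
`  contents: read`
(`contents: read` is needed because declaring `permissions` resets the default token scopes and `actions/checkout` still needs to read the repository). Also, `actions/checkout@main` pins to a moving branch while every other action in this workflow is pinned to a version tag; use a release tag such as `v3`.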
aks Quick Windows Container Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-cli.md
Title: Create a Windows Server container on an AKS cluster by using Azure CLI
description: Learn how to quickly create a Kubernetes cluster, deploy an application in a Windows Server container in Azure Kubernetes Service (AKS) using the Azure CLI. + Last updated 04/29/2022-- #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy a Windows Server container so that I can see how to run applications running on a Windows Server container using the managed Kubernetes service in Azure.
This article assumes a basic understanding of Kubernetes concepts. For more info
- This article requires version 2.0.64 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed. -- The identity you are using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)](../concepts-identity.md).
+- The identity you're using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)](../concepts-identity.md).
- If you have multiple Azure subscriptions, select the appropriate subscription ID in which the resources should be billed using the [Az account](/cli/azure/account) command.
The following additional limitations apply to Windows Server node pools:
## Create a resource group
-An Azure resource group is a logical group in which Azure resources are deployed and managed. When you create a resource group, you are asked to specify a location. This location is where resource group metadata is stored, it is also where your resources run in Azure if you don't specify another region during resource creation. Create a resource group using the [az group create][az-group-create] command.
+An Azure resource group is a logical group in which Azure resources are deployed and managed. When you create a resource group, you're asked to specify a location. This location is where resource group metadata is stored, it is also where your resources run in Azure if you don't specify another region during resource creation. Create a resource group using the [az group create][az-group-create] command.
The following example creates a resource group named *myResourceGroup* in the *eastus* location. > [!NOTE] > This article uses Bash syntax for the commands in this tutorial.
-> If you are using Azure Cloud Shell, ensure that the dropdown in the upper-left of the Cloud Shell window is set to **Bash**.
+> If you're using Azure Cloud Shell, ensure that the dropdown in the upper-left of the Cloud Shell window is set to **Bash**.
```azurecli-interactive az group create --name myResourceGroup --location eastus
az aks create \
After a few minutes, the command completes and returns JSON-formatted information about the cluster. Occasionally the cluster can take longer than a few minutes to provision. Allow up to 10 minutes in these cases.
-## Add a Windows Server node pool
+## Add a Windows Server 2019 node pool
By default, an AKS cluster is created with a node pool that can run Linux containers. Use `az aks nodepool add` command to add an additional node pool that can run Windows Server containers alongside the Linux node pool.
az aks nodepool add \
The above command creates a new node pool named *npwin* and adds it to the *myAKSCluster*. The above command also uses the default subnet in the default vnet created when running `az aks create`.
+## Add a Windows Server 2022 node pool (preview)
+
+When creating a Windows node pool, the default operating system will be Windows Server 2019. To use Windows Server 2022 nodes, you will need to specify an OS SKU type of `Windows2022`.
++
+### Install the `aks-preview` Azure CLI
+
+You also need the *aks-preview* Azure CLI extension version `0.5.68` or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command, or install any available updates by using the [az extension update][az-extension-update] command.
+
+```azurecli-interactive
+# Install the aks-preview extension
+az extension add --name aks-preview
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+```
+
+### Register the `AKSWindows2022Preview` preview feature
+
+To use the feature, you must also enable the `AKSWindows2022Preview` feature flag on your subscription.
+
+Register the `AKSWindows2022Preview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "AKSWindows2022Preview"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKSWindows2022Preview')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+Use `az aks nodepool add` command to add a Windows Server 2022 node pool:
+
+```azurecli
+az aks nodepool add \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --os-type Windows \
+ --os-sku Windows2022 \
+ --name npwin \
+ --node-count 1
+```
+ ## Optional: Using `containerd` with Windows Server node pools Beginning in Kubernetes version 1.20 and greater, you can specify `containerd` as the container runtime for Windows Server 2019 node pools. From Kubernetes 1.23, containerd will be the default container runtime for Windows.
Beginning in Kubernetes version 1.20 and greater, you can specify `containerd` a
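Review bot: The Windows Server 2022 `az aks nodepool add` example reuses `--name npwin`, the same pool name the Windows Server 2019 section above creates, so a reader following the article top to bottom gets a name-conflict error on the second call; use a distinct name (Windows node pool names are limited to six characters, so something like `npwin2`). Also, this fence is tagged `azurecli` while every other command block in the new section is `azurecli-interactive`.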
### Add a Windows Server node pool with `containerd`
-Use the `az aks nodepool add` command to add an additional node pool that can run Windows Server containers with the `containerd` runtime.
+Use the `az aks nodepool add` command to add a node pool that can run Windows Server containers with the `containerd` runtime.
> [!NOTE] > If you do not specify the *WindowsContainerRuntime=containerd* custom header, the node pool will use Docker as the container runtime.
aks Node Auto Repair https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-auto-repair.md
If AKS identifies an unhealthy node that remains unhealthy for 10 minutes, AKS t
1. Reboot the node. 1. If the reboot is unsuccessful, reimage the node.
-1. If the reimage is unsuccessful, redploy the node.
+1. If the reimage is unsuccessful, redeploy the node.
Alternative remediations are investigated by AKS engineers if auto-repair is unsuccessful.
aks Quickstart Dapr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/quickstart-dapr.md
Title: Deploy an application with the Dapr cluster extension (preview) for Azure Kubernetes Service (AKS)
-description: Use the Dapr cluster extension (Preview) for Azure Kubernetes Service (AKS) to deploy an application
+ Title: Deploy an application with the Dapr cluster extension for Azure Kubernetes Service (AKS)
+description: Use the Dapr cluster extension for Azure Kubernetes Service (AKS) to deploy an application
Previously updated : 11/01/2021- Last updated : 05/03/2022+
-# Quickstart: Deploy an application using the Dapr cluster extension (preview) for Azure Kubernetes Service (AKS)
+# Quickstart: Deploy an application using the Dapr cluster extension for Azure Kubernetes Service (AKS)
In this quickstart, you will get familiar with using the [Dapr cluster extension][dapr-overview] in an AKS cluster. You will be deploying a hello world example, consisting of a Python application that generates messages and a Node application that consumes and persists them. - ## Prerequisites * An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
cd quickstarts/hello-kubernetes
## Create and configure a state store
-Dapr can use a number of different state stores (Redis, CosmosDB, DynamoDB, Cassandra, etc.) to persist and retrieve state. For this example, we will use Redis.
+Dapr can use a number of different state stores (Redis, Cosmos DB, DynamoDB, Cassandra, etc.) to persist and retrieve state. For this example, we will use Redis.
### Create a Redis store
aks Release Tracker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/release-tracker.md
+
+ Title: AKS release tracker
+description: Learn how to determine which Azure regions have the weekly AKS release deployments rolled out in real time.
++ Last updated : 05/24/2022++++
+# AKS release tracker
+
+AKS releases weekly rounds of fixes and feature and component updates that affect all clusters and customers. However, these releases can take up to two weeks to roll out to all regions from the initial time of shipping due to Azure Safe Deployment Practices (SDP). It is important for customers to know when a particular AKS release is hitting their region, and the AKS release tracker provides these details in real time by versions and regions.
+
+## Why release tracker?
+
+With AKS release tracker, customers can follow specific component updates present in an AKS version release, such as fixes shipped to a core add-on. In addition to providing real-time updates of region release status, the tracker also links to the specific version of the AKS [release notes][aks-release] to help customers identify which instance of the release is relevant to them. As the data is updated in real time, customers can track the entire SDP process with a single tool.
+
+## How to use the release tracker
+
+The top half of the tracker shows the latest and 3 previously available release versions for each region, and links to the corresponding release notes entry. This view is helpful when you want to track the available versions by region.
++
+The bottom half of the tracker shows the SDP process. The table has two views: one shows the latest version and status update for each grouping of regions and the other shows the status and region availability of each currently supported version.
++
+<!-- LINKS - external -->
+[aks-release]: https://github.com/Azure/AKS/releases
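Review bot: Style: "AKS releases weekly rounds of fixes and feature and component updates" reads awkwardly; consider "weekly rounds of fixes, feature updates and component updates". In the "How to use the release tracker" section, "the latest and 3 previously available release versions" should spell out "three" to match the rest of the article.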
aks Spark Job https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/spark-job.md
- Title: Run an Apache Spark job with Azure Kubernetes Service (AKS)
-description: Use Azure Kubernetes Service (AKS) to create and run an Apache Spark job for large-scale data processing.
- Previously updated : 10/18/2019---
-# Running Apache Spark jobs on AKS
-
-[Apache Spark][apache-spark] is a fast engine for large-scale data processing. As of the [Spark 2.3.0 release][spark-kubernetes-earliest-version], Apache Spark supports native integration with Kubernetes clusters. Azure Kubernetes Service (AKS) is a managed Kubernetes environment running in Azure. This document details preparing and running Apache Spark jobs on an Azure Kubernetes Service (AKS) cluster.
-
-## Prerequisites
-
-In order to complete the steps within this article, you need the following.
-
-* Basic understanding of Kubernetes and [Apache Spark][spark-quickstart].
-* [Docker Hub][docker-hub] account, or an [Azure Container Registry][acr-create].
-* Azure CLI [installed][azure-cli] on your development system.
-* [JDK 8][java-install] installed on your system.
-* [Apache Maven][maven-install] installed on your system.
-* SBT ([Scala Build Tool][sbt-install]) installed on your system.
-* Git command-line tools installed on your system.
-
-## Create an AKS cluster
-
-Spark is used for large-scale data processing and requires that Kubernetes nodes are sized to meet the Spark resources requirements. We recommend a minimum size of `Standard_D3_v2` for your Azure Kubernetes Service (AKS) nodes.
-
-If you need an AKS cluster that meets this minimum recommendation, run the following commands.
-
-Create a resource group for the cluster.
-
-```azurecli
-az group create --name mySparkCluster --location eastus
-```
-
-Create a Service Principal for the cluster. After it is created, you will need the Service Principal appId and password for the next command.
-
-```azurecli
-az ad sp create-for-rbac --name SparkSP --role Contributor --scopes /subscriptions/mySubscriptionID
-```
-
-Create the AKS cluster with nodes that are of size `Standard_D3_v2`, and values of appId and password passed as service-principal and client-secret parameters.
-
-```azurecli
-az aks create --resource-group mySparkCluster --name mySparkCluster --node-vm-size Standard_D3_v2 --generate-ssh-keys --service-principal <APPID> --client-secret <PASSWORD>
-```
-
-Connect to the AKS cluster.
-
-```azurecli
-az aks get-credentials --resource-group mySparkCluster --name mySparkCluster
-```
-
-If you are using Azure Container Registry (ACR) to store container images, configure authentication between AKS and ACR. See the [ACR authentication documentation][acr-aks] for these steps.
-
-## Build the Spark source
-
-Before running Spark jobs on an AKS cluster, you need to build the Spark source code and package it into a container image. The Spark source includes scripts that can be used to complete this process.
-
-Clone the Spark project repository to your development system.
-
-```bash
-git clone -b branch-2.4 https://github.com/apache/spark
-```
-
-Change into the directory of the cloned repository and save the path of the Spark source to a variable.
-
-```bash
-cd spark
-sparkdir=$(pwd)
-```
-
-If you have multiple JDK versions installed, set `JAVA_HOME` to use version 8 for the current session.
-
-```bash
-export JAVA_HOME=`/usr/libexec/java_home -d 64 -v "1.8*"`
-```
-
-Run the following command to build the Spark source code with Kubernetes support.
-
-```bash
-./build/mvn -Pkubernetes -DskipTests clean package
-```
-
-The following commands create the Spark container image and push it to a container image registry. Replace `registry.example.com` with the name of your container registry and `v1` with the tag you prefer to use. If using Docker Hub, this value is the registry name. If using Azure Container Registry (ACR), this value is the ACR login server name.
-
-```bash
-REGISTRY_NAME=registry.example.com
-REGISTRY_TAG=v1
-```
-
-```bash
-./bin/docker-image-tool.sh -r $REGISTRY_NAME -t $REGISTRY_TAG build
-```
-
-Push the container image to your container image registry.
-
-```bash
-./bin/docker-image-tool.sh -r $REGISTRY_NAME -t $REGISTRY_TAG push
-```
-
-## Prepare a Spark job
-
-Next, prepare a Spark job. A jar file is used to hold the Spark job and is needed when running the `spark-submit` command. The jar can be made accessible through a public URL or pre-packaged within a container image. In this example, a sample jar is created to calculate the value of Pi. This jar is then uploaded to Azure storage. If you have an existing jar, feel free to substitute
-
-Create a directory where you would like to create the project for a Spark job.
-
-```bash
-mkdir myprojects
-cd myprojects
-```
-
-Create a new Scala project from a template.
-
-```bash
-sbt new sbt/scala-seed.g8
-```
-
-When prompted, enter `SparkPi` for the project name.
-
-```bash
-name [Scala Seed Project]: SparkPi
-```
-
-Navigate to the newly created project directory.
-
-```bash
-cd sparkpi
-```
-
-Run the following commands to add an SBT plugin, which allows packaging the project as a jar file.
-
-```bash
-touch project/assembly.sbt
-echo 'addSbtPlugin("com.eed3si9n" % "sbt-assembly" % "0.14.10")' >> project/assembly.sbt
-```
-
-Run these commands to copy the sample code into the newly created project and add all necessary dependencies.
-
-```bash
-EXAMPLESDIR="src/main/scala/org/apache/spark/examples"
-mkdir -p $EXAMPLESDIR
-cp $sparkdir/examples/$EXAMPLESDIR/SparkPi.scala $EXAMPLESDIR/SparkPi.scala
-
-cat <<EOT >> build.sbt
-// https://mvnrepository.com/artifact/org.apache.spark/spark-sql
-libraryDependencies += "org.apache.spark" %% "spark-sql" % "2.3.0" % "provided"
-EOT
-
-sed -ie 's/scalaVersion.*/scalaVersion := "2.11.11"/' build.sbt
-sed -ie 's/name.*/name := "SparkPi",/' build.sbt
-```
-
-To package the project into a jar, run the following command.
-
-```bash
-sbt assembly
-```
-
-After successful packaging, you should see output similar to the following.
-
-```bash
-[info] Packaging /Users/me/myprojects/sparkpi/target/scala-2.11/SparkPi-assembly-0.1.0-SNAPSHOT.jar ...
-[info] Done packaging.
-[success] Total time: 10 s, completed Mar 6, 2018 11:07:54 AM
-```
-
-## Copy job to storage
-
-Create an Azure storage account and container to hold the jar file.
-
-```azurecli
-RESOURCE_GROUP=sparkdemo
-STORAGE_ACCT=sparkdemo$RANDOM
-az group create --name $RESOURCE_GROUP --location eastus
-az storage account create --resource-group $RESOURCE_GROUP --name $STORAGE_ACCT --sku Standard_LRS
-export AZURE_STORAGE_CONNECTION_STRING=`az storage account show-connection-string --resource-group $RESOURCE_GROUP --name $STORAGE_ACCT -o tsv`
-```
-
-Upload the jar file to the Azure storage account with the following commands.
-
-```azurecli
-CONTAINER_NAME=jars
-BLOB_NAME=SparkPi-assembly-0.1.0-SNAPSHOT.jar
-FILE_TO_UPLOAD=target/scala-2.11/SparkPi-assembly-0.1.0-SNAPSHOT.jar
-
-echo "Creating the container..."
-az storage container create --name $CONTAINER_NAME
-az storage container set-permission --name $CONTAINER_NAME --public-access blob
-
-echo "Uploading the file..."
-az storage blob upload --container-name $CONTAINER_NAME --file $FILE_TO_UPLOAD --name $BLOB_NAME
-
-jarUrl=$(az storage blob url --container-name $CONTAINER_NAME --name $BLOB_NAME | tr -d '"')
-```
-
-Variable `jarUrl` now contains the publicly accessible path to the jar file.
-
-## Submit a Spark job
-
-Start kube-proxy in a separate command-line with the following code.
-
-```bash
-kubectl proxy
-```
-
-Navigate back to the root of Spark repository.
-
-```bash
-cd $sparkdir
-```
-
-Create a service account that has sufficient permissions for running a job.
-
-```bash
-kubectl create serviceaccount spark
-kubectl create clusterrolebinding spark-role --clusterrole=edit --serviceaccount=default:spark --namespace=default
-```
-
-Submit the job using `spark-submit`.
-
-```bash
-./bin/spark-submit \
- --master k8s://http://127.0.0.1:8001 \
- --deploy-mode cluster \
- --name spark-pi \
- --class org.apache.spark.examples.SparkPi \
- --conf spark.executor.instances=3 \
- --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark \
- --conf spark.kubernetes.container.image=$REGISTRY_NAME/spark:$REGISTRY_TAG \
- $jarUrl
-```
-
-This operation starts the Spark job, which streams job status to your shell session. While the job is running, you can see Spark driver pod and executor pods using the kubectl get pods command. Open a second terminal session to run these commands.
-
-```console
-kubectl get pods
-```
-
-```output
-NAME READY STATUS RESTARTS AGE
-spark-pi-2232778d0f663768ab27edc35cb73040-driver 1/1 Running 0 16s
-spark-pi-2232778d0f663768ab27edc35cb73040-exec-1 0/1 Init:0/1 0 4s
-spark-pi-2232778d0f663768ab27edc35cb73040-exec-2 0/1 Init:0/1 0 4s
-spark-pi-2232778d0f663768ab27edc35cb73040-exec-3 0/1 Init:0/1 0 4s
-```
-
-While the job is running, you can also access the Spark UI. In the second terminal session, use the `kubectl port-forward` command provide access to Spark UI.
-
-```bash
-kubectl port-forward spark-pi-2232778d0f663768ab27edc35cb73040-driver 4040:4040
-```
-
-To access Spark UI, open the address `127.0.0.1:4040` in a browser.
-
-![Spark UI](media/aks-spark-job/spark-ui.png)
-
-## Get job results and logs
-
-After the job has finished, the driver pod will be in a "Completed" state. Get the name of the pod with the following command.
-
-```bash
-kubectl get pods --show-all
-```
-
-Output:
-
-```output
-NAME READY STATUS RESTARTS AGE
-spark-pi-2232778d0f663768ab27edc35cb73040-driver 0/1 Completed 0 1m
-```
-
-Use the `kubectl logs` command to get logs from the spark driver pod. Replace the pod name with your driver pod's name.
-
-```bash
-kubectl logs spark-pi-2232778d0f663768ab27edc35cb73040-driver
-```
-
-Within these logs, you can see the result of the Spark job, which is the value of Pi.
-
-```output
-Pi is roughly 3.152155760778804
-```
-
-## Package jar with container image
-
-In the above example, the Spark jar file was uploaded to Azure storage. Another option is to package the jar file into custom-built Docker images.
-
-To do so, find the `dockerfile` for the Spark image located at `$sparkdir/resource-managers/kubernetes/docker/src/main/dockerfiles/spark/` directory. Add an `ADD` statement for the Spark job `jar` somewhere between `WORKDIR` and `ENTRYPOINT` declarations.
-
-Update the jar path to the location of the `SparkPi-assembly-0.1.0-SNAPSHOT.jar` file on your development system. You can also use your own custom jar file.
-
-```bash
-WORKDIR /opt/spark/work-dir
-
-ADD /path/to/SparkPi-assembly-0.1.0-SNAPSHOT.jar SparkPi-assembly-0.1.0-SNAPSHOT.jar
-
-ENTRYPOINT [ "/opt/entrypoint.sh" ]
-```
-
-Build and push the image with the included Spark scripts.
-
-```bash
-./bin/docker-image-tool.sh -r <your container repository name> -t <tag> build
-./bin/docker-image-tool.sh -r <your container repository name> -t <tag> push
-```
-
-When running the job, instead of indicating a remote jar URL, the `local://` scheme can be used with the path to the jar file in the Docker image.
-
-```bash
-./bin/spark-submit \
- --master k8s://https://<k8s-apiserver-host>:<k8s-apiserver-port> \
- --deploy-mode cluster \
- --name spark-pi \
- --class org.apache.spark.examples.SparkPi \
- --conf spark.executor.instances=3 \
- --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark \
- --conf spark.kubernetes.container.image=<spark-image> \
- local:///opt/spark/work-dir/<your-jar-name>.jar
-```
-
-> [!WARNING]
-> From Spark [documentation][spark-docs]: "The Kubernetes scheduler is currently experimental. In future versions, there may be behavioral changes around configuration, container images and entrypoints".
-
-## Next steps
-
-Check out Spark documentation for more details.
-
-> [!div class="nextstepaction"]
-> [Spark documentation][spark-docs]
-
-<!-- LINKS - external -->
-[apache-spark]: https://spark.apache.org/
-[docker-hub]: https://docs.docker.com/docker-hub/
-[java-install]: /azure/developer/java/fundamentals/java-support-on-azure
-[maven-install]: https://maven.apache.org/install.html
-[sbt-install]: https://www.scala-sbt.org/1.x/docs/Setup.html
-[spark-docs]: https://spark.apache.org/docs/latest/running-on-kubernetes.html
-[spark-kubernetes-earliest-version]: https://spark.apache.org/releases/spark-release-2-3-0.html
-[spark-quickstart]: https://spark.apache.org/docs/latest/quick-start.html
--
-<!-- LINKS - internal -->
-[acr-aks]: cluster-container-registry-integration.md
-[acr-create]: ../container-registry/container-registry-get-started-azure-cli.md
-[aks-quickstart]: ./index.yml
-[azure-cli]: /cli/azure/
-[storage-account]: ../storage/blobs/storage-quickstart-blobs-cli.md
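Review bot: This removes spark-job.md in its entirety with no replacement content or pointer in the diff; existing inbound links and bookmarks to `articles/aks/spark-job.md` will 404 unless a redirect entry is added alongside the deletion (for example to the [spark-docs] page, https://spark.apache.org/docs/latest/running-on-kubernetes.html, which the removed article already cited). Retiring the article also retires its `az storage container set-permission --name $CONTAINER_NAME --public-access blob` step, which exposed the job jar on a public container; if this content is revived elsewhere, that step should use a time-limited SAS URL instead of public access.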
aks Supported Kubernetes Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/supported-kubernetes-versions.md
Last updated 08/09/2021 -+ # Supported Kubernetes versions in Azure Kubernetes Service (AKS)
Each number in the version indicates general compatibility with the previous ver
Aim to run the latest patch release of the minor version you're running. For example, your production cluster is on **`1.17.7`**. **`1.17.8`** is the latest available patch version available for the *1.17* series. You should upgrade to **`1.17.8`** as soon as possible to ensure your cluster is fully patched and supported.
-## Kubernetes version alias (Preview)
-
+## Alias minor version
> [!NOTE]
-> Kubernetes version alias requires Azure CLI version 2.31.0 or above with the aks-preview extension installed. Please use `az upgrade` to install the latest version of the CLI.
-
-You will need the *aks-preview* Azure CLI extension version 0.5.49 or greater. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.
+> Alias minor version requires Azure CLI version 2.31.0 or above. Use `az upgrade` to install the latest version of the CLI.
-```azurecli-interactive
-# Install the aks-preview extension
-az extension add --name aks-preview
-
-# Update the extension to make sure you have the latest version installed
-az extension update --name aks-preview
-```
+Azure Kubernetes Service allows for you to create a cluster without specifying the exact patch version. When creating a cluster without designating a patch, the cluster will run the minor version's latest GA patch. For example, if you create a cluster with **`1.21`**, your cluster will be running **`1.21.7`**, which is the latest GA patch version of *1.21*.
-Azure Kubernetes Service allows for you to create a cluster without specifiying the exact patch version. When creating a cluster without specifying a patch, the cluster will run the minor version's latest patch. For example, if you create a cluster with **`1.21`**, your cluster will be running **`1.21.7`**, which is the latest patch version of *1.21*.
+When upgrading by alias minor version, only a higher minor version is supported. For example, upgrading from `1.14.x` to `1.14` will not trigger an upgrade to the latest GA `1.14` patch, but upgrading to `1.15` will trigger an upgrade to the latest GA `1.15` patch.
To see what patch you are on, run the `az aks show --resource-group myResourceGroup --name myAKSCluster` command. The property `currentKubernetesVersion` shows the whole Kubernetes version.
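Review bot: the phrase "allows for you to create a cluster" in the rewritten alias paragraph is ungrammatical; since the line is being touched anyway, suggest "Azure Kubernetes Service allows you to create a cluster without specifying the exact patch version." The 1.14/1.15 example in the following line reads correctly.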
aks Tutorial Kubernetes Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-upgrade-cluster.md
description: In this Azure Kubernetes Service (AKS) tutorial, you learn how to u
Last updated 05/24/2021---+ #Customer intent: As a developer or IT pro, I want to learn how to upgrade an Azure Kubernetes Service (AKS) cluster so that I can use the latest version of Kubernetes and features.
To minimize disruption to running applications, AKS nodes are carefully cordoned
1. When the new node is ready and joined to the cluster, the Kubernetes scheduler begins to run pods on it. 1. The old node is deleted, and the next node in the cluster begins the cordon and drain process. + ### [Azure CLI](#tab/azure-cli) Use the [az aks upgrade][] command to upgrade the AKS cluster.
aks Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-cluster.md
Title: Upgrade an Azure Kubernetes Service (AKS) cluster
description: Learn how to upgrade an Azure Kubernetes Service (AKS) cluster to get the latest features and security updates. + Last updated 12/17/2020- # Upgrade an Azure Kubernetes Service (AKS) cluster
With a list of available versions for your AKS cluster, use the [az aks upgrade]
- This process repeats until all nodes in the cluster have been upgraded. - At the end of the process, the last buffer node will be deleted, maintaining the existing agent node count and zone balance. + ```azurecli-interactive az aks upgrade \ --resource-group myResourceGroup \
aks Use Multiple Node Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-multiple-node-pools.md
Title: Use multiple node pools in Azure Kubernetes Service (AKS)
description: Learn how to create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS) + Last updated 05/16/2022- # Create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS)
The following example output shows that *mynodepool* has been successfully creat
> [!TIP] > If no *VmSize* is specified when you add a node pool, the default size is *Standard_D2s_v3* for Windows node pools and *Standard_DS2_v2* for Linux node pools. If no *OrchestratorVersion* is specified, it defaults to the same version as the control plane.
+### Add an ARM64 node pool (preview)
+
+The ARM64 processor provides low power compute for your Kubernetes workloads. To create an ARM64 node pool, you will need to choose an [ARM capable instance SKU][arm-sku-vm].
++
+#### Install the `aks-preview` Azure CLI
+
+You also need the *aks-preview* Azure CLI extension version 0.5.23 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.
+
+```azurecli-interactive
+# Install the aks-preview extension
+az extension add --name aks-preview
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+```
+
+#### Register the `AKSARM64Preview` preview feature
+
+To use the feature, you must also enable the `AKSARM64Preview` feature flag on your subscription.
+
+Register the `AKSARM64Preview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "AKSARM64Preview"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKSARM64Preview')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+Use `az aks nodepool add` command to add an ARM64 node pool.
+
+```azurecli
+az aks nodepool add \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --name armpool \
+ --node-count 3 \
+ --node-vm-size Standard_Dpds_v5
+```
+ ### Add a node pool with a unique subnet A workload may require splitting a cluster's nodes into separate pools for logical isolation. This isolation can be supported with separate subnets dedicated to each node pool in the cluster. This can address requirements such as having non-contiguous virtual network address space to split across node pools.
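Review bot: the link reference used in the new ARM64 paragraph, `[ARM capable instance SKU][arm-sku-vm]`, does not match the definition added in the external links block at the end of this file, which is `[arm-vm-sku]: https://azure.microsoft.com/updates/...`; one of the two must be renamed or the link renders as literal bracketed text. Also, the heading "#### Install the `aks-preview` Azure CLI" is missing the word "extension" (compare the body text, which says "Azure CLI extension"), and "You also need" reads oddly as the first prerequisite in the section.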
A workload may require splitting a cluster's nodes into separate pools for logic
#### Limitations
-* All subnets assigned to nodepools must belong to the same virtual network.
+* All subnets assigned to node pools must belong to the same virtual network.
* System pods must have access to all nodes/pods in the cluster to provide critical functionality such as DNS resolution and tunneling kubectl logs/exec/port-forward proxy. * If you expand your VNET after creating the cluster you must update your cluster (perform any managed cluster operation but node pool operations don't count) before adding a subnet outside the original cidr. AKS will error out on the agent pool add now though we originally allowed it. If you don't know how to reconcile your cluster file a support ticket. * In clusters with Kubernetes version < 1.23.3, kube-proxy will SNAT traffic from new subnets, which can cause Azure Network Policy to drop the packets.
-* Windows nodes will SNAT traffic to the new subnets until the nodepool is reimaged.
+* Windows nodes will SNAT traffic to the new subnets until the node pool is reimaged.
* Internal load balancers default to one of the node pool subnets (usually the first subnet of the node pool at cluster creation). To override this behavior, you can [specify the load balancer's subnet explicitly using an annotation][internal-lb-different-subnet]. To create a node pool with a dedicated subnet, pass the subnet resource ID as an additional parameter when creating a node pool.
AKS offers a separate feature to automatically scale node pools with a feature c
If you no longer need a pool, you can delete it and remove the underlying VM nodes. To delete a node pool, use the [az aks node pool delete][az-aks-nodepool-delete] command and specify the node pool name. The following example deletes the *mynodepool* created in the previous steps: > [!CAUTION]
-> When you delete a node pool, AKS doesn't perform cordon and drain, and there are no recovery options for data loss that may occur when you delete a node pool. If pods can't be scheduled on other node pools, those applications become unavailable. Make sure you don't delete a node pool when in-use applications don't have data backups or the ability to run on other node pools in your cluster. To minimize the disruption of rescheduling pods currently running on the node pool you are going to delete, perform a cordon and drain on all nodes in the node pool before deleting. For more details, see [cordon and drain node pools][cordon-and-drain].
+> When you delete a node pool, AKS doesn't perform cordon and drain, and there are no recovery options for data loss that may occur when you delete a node pool. If pods can't be scheduled on other node pools, those applications become unavailable. Make sure you don't delete a node pool when in-use applications don't have data backups or the ability to run on other node pools in your cluster. To minimize the disruption of rescheduling pods currently running on the node pool you are going to delete, perform a cordon and drain on all nodes in the node pool before deleting. For more information, see [cordon and drain node pools][cordon-and-drain].
```azurecli-interactive az aks nodepool delete -g myResourceGroup --cluster-name myAKSCluster --name mynodepool --no-wait
Only pods that have this toleration applied can be scheduled on nodes in *taintn
### Setting nodepool labels
-For more details on using labels with node pools, see [Use labels in an Azure Kubernetes Service (AKS) cluster][use-labels].
+For more information on using labels with node pools, see [Use labels in an Azure Kubernetes Service (AKS) cluster][use-labels].
### Setting nodepool Azure tags
-For more details on using Azure tags with node pools, see [Use Azure tags in Azure Kubernetes Service (AKS)][use-tags].
+For more information on using Azure tags with node pools, see [Use Azure tags in Azure Kubernetes Service (AKS)][use-tags].
## Add a FIPS-enabled node pool
-The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. AKS allows you to create Linux-based node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance. For more details on FIPS 140-2, see [Federal Information Processing Standard (FIPS) 140-2][fips].
+The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. AKS allows you to create Linux-based node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance. For more information on FIPS 140-2, see [Federal Information Processing Standard (FIPS) 140-2][fips].
### Prerequisites
To create and use Windows Server container node pools, see [Create a Windows Ser
Use [proximity placement groups][reduce-latency-ppg] to reduce latency for your AKS applications. <!-- EXTERNAL LINKS -->
+[arm-vm-sku]: https://azure.microsoft.com/updates/public-preview-arm64based-azure-vms-can-deliver-up-to-50-better-priceperformance/
[kubernetes-drain]: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/ [kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get [kubectl-taint]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#taint
aks Windows Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/windows-faq.md
AKS uses Windows Server 2019 as the host OS version and only supports process is
## Is Kubernetes different on Windows and Linux?
-Windows Server node pool support includes some limitations that are part of the upstream Windows Server in Kubernetes project. These limitations are not specific to AKS. For more information on the upstream support for Windows Server in Kubernetes, see the [Supported functionality and limitations][upstream-limitations] section of the [Intro to Windows support in Kubernetes][intro-windows] document, from the Kubernetes project.
+Windows Server node pool support includes some limitations that are part of the upstream Windows Server in Kubernetes project. These limitations are not specific to AKS. For more information on the upstream support from the Kubernetes project, see the [Supported functionality and limitations][upstream-limitations] section of the [Intro to Windows support in Kubernetes][intro-windows] document.
Historically, Kubernetes is Linux-focused. Many examples used in the upstream [Kubernetes.io][kubernetes] website are intended for use on Linux nodes. When you create deployments that use Windows Server containers, the following considerations at the OS level apply:
Historically, Kubernetes is Linux-focused. Many examples used in the upstream [K
## What kind of disks are supported for Windows?
-Azure Disks and Azure Files are the supported volume types. These are accessed as NTFS volumes in the Windows Server container.
+Azure Disks and Azure Files are the supported volume types, and are accessed as NTFS volumes in the Windows Server container.
## Can I run Windows only clusters in AKS?
The master nodes (the control plane) in an AKS cluster are hosted by the AKS ser
## How do I patch my Windows nodes?
-To get the latest patches for Windows nodes, you can either [upgrade the node pool][nodepool-upgrade] or [upgrade the node image][upgrade-node-image]. Windows Updates are not enabled on nodes in AKS. AKS releases new node pool images as soon as patches are available, and it's the user's responsibility to upgrade node pools to stay current on patches and hotfixes. This is also true for the Kubernetes version being used. [AKS release notes][aks-release-notes] indicate when new versions are available. For more information on upgrading the entire Windows Server node pool, see [Upgrade a node pool in AKS][nodepool-upgrade]. If you're only interested in updating the node image, see [AKS node image upgrades][upgrade-node-image].
+To get the latest patches for Windows nodes, you can either [upgrade the node pool][nodepool-upgrade] or [upgrade the node image][upgrade-node-image]. Windows Updates are not enabled on nodes in AKS. AKS releases new node pool images as soon as patches are available, and it's the user's responsibility to upgrade node pools to stay current on patches and hotfixes. This patch process is also true for the Kubernetes version being used. [AKS release notes][aks-release-notes] indicate when new versions are available. For more information on upgrading the Windows Server node pool, see [Upgrade a node pool in AKS][nodepool-upgrade]. If you're only interested in updating the node image, see [AKS node image upgrades][upgrade-node-image].
> [!NOTE] > The updated Windows Server image will only be used if a cluster upgrade (control plane upgrade) has been performed prior to upgrading the node pool.
->
## What network plug-ins are supported?
-AKS clusters with Windows node pools must use the Azure Container Networking Interface (Azure CNI) (advanced) networking model. Kubenet (basic) networking is not supported. For more information on the differences in network models, see [Network concepts for applications in AKS][azure-network-models]. The Azure CNI network model requires additional planning and consideration for IP address management. For more information on how to plan and implement Azure CNI, see [Configure Azure CNI networking in AKS][configure-azure-cni].
+AKS clusters with Windows node pools must use the Azure Container Networking Interface (Azure CNI) (advanced) networking model. Kubenet (basic) networking is not supported. For more information on the differences in network models, see [Network concepts for applications in AKS][azure-network-models]. The Azure CNI network model requires extra planning and consideration for IP address management. For more information on how to plan and implement Azure CNI, see [Configure Azure CNI networking in AKS][configure-azure-cni].
Windows nodes on AKS clusters also have [Direct Server Return (DSR)][dsr] enabled by default when Calico is enabled.
The AKS cluster can have a maximum of 100 node pools. You can have a maximum of
## What can I name my Windows node pools?
-Keep names to a maximum of six characters. This is the current limitation of AKS.
+A Windows node pool can have a six-character name.
## Are all features supported with Windows nodes?
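Review bot: the rewritten answer "A Windows node pool can have a six-character name." drops the "maximum" from the original ("Keep names to a maximum of six characters") and now reads as if the name must be exactly six characters; suggest "A Windows node pool name can be at most six characters long."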
A cluster with Windows nodes can have approximately 500 services before it encou
Yes. Azure Hybrid Benefit for Windows Server reduces operating costs by letting you bring your on-premises Windows Server license to AKS Windows nodes.
-Azure Hybrid Benefit can be used on your entire AKS cluster or on individual nodes. For individual nodes, you need to browse to the [node resource group][resource-groups] and apply the Azure Hybrid Benefit to the nodes directly. For more information on applying Azure Hybrid Benefit to individual nodes, see [Azure Hybrid Benefit for Windows Server][hybrid-vms].
+Azure Hybrid Benefit can be used on your entire AKS cluster or on individual nodes. For individual nodes, you need to browse to the [node resource group][resource-groups] and apply the Azure Hybrid Benefit to the nodes directly. For more information on applying Azure Hybrid Benefit to individual nodes, see [Azure Hybrid Benefit for Windows Server][hybrid-vms].
-To use Azure Hybrid Benefit on a new AKS cluster, use the `--enable-ahub` argument.
+To use Azure Hybrid Benefit on a new AKS cluster, run the `az aks create` command and use the `--enable-ahub` argument.
```azurecli az aks create \
az aks create \
--enable-ahub ```
-To use Azure Hybrid Benefit on an existing AKS cluster, update the cluster by using the `--enable-ahub` argument.
+To use Azure Hybrid Benefit on an existing AKS cluster, run the `az aks update` command and use the update the cluster by using the `--enable-ahub` argument.
```azurecli az aks update \
az aks update \
--enable-ahub ```
-To check if Azure Hybrid Benefit is set on the cluster, use the following command:
+To check if Azure Hybrid Benefit is set on the Windows nodes in the cluster, run the `az vmss show` command with the `--name` and `--resource-group` arguments to query the virtual machine scale set. To identify the resource group the scale set for the Windows node pool is created in, you can run the `az vmss list -o table` command.
```azurecli
-az vmss show --name myAKSCluster --resource-group MC_CLUSTERNAME
+az vmss show --name myScaleSet --resource-group MC_<resourceGroup>_<clusterName>_<region>
```
-If the cluster has Azure Hybrid Benefit enabled, the output of `az vmss show` will be similar to the following:
+If the Windows nodes in the scale set have Azure Hybrid Benefit enabled, the output of `az vmss show` will be similar to the following:
```console
-"platformFaultDomainCount": 1,
- "provisioningState": "Succeeded",
- "proximityPlacementGroup": null,
- "resourceGroup": "MC_CLUSTERNAME"
+""hardwareProfile": null,
+ "licenseType": "Windows_Server",
+ "networkProfile": {
+ "healthProbe": null,
+ "networkApiVersion": null,
``` ## How do I change the time zone of a running container?
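Review bot: the sentence for existing clusters is garbled: "run the `az aks update` command and use the update the cluster by using the `--enable-ahub` argument"; suggest "run the `az aks update` command with the `--enable-ahub` argument." In the new sample output, the first line `""hardwareProfile": null,` has a doubled opening quote and should be `"hardwareProfile": null,`; since the point of the snippet is the `"licenseType": "Windows_Server"` line, it is worth making the surrounding JSON valid so readers can compare it to their own output.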
To see the current time zone of the running container or an available list of ti
Although maintaining session affinity from client connections to pods with Windows containers will be supported in the Windows Server 2022 OS version, you achieve session affinity by client IP currently by limiting your desired pod to run a single instance per node and configuring your Kubernetes service to direct traffic to the pod on the local node.
-Use the following configuration:
+Use the following configuration:
1. Use an AKS cluster running a minimum version of 1.20. 1. Constrain your pod to allow only one instance per Windows node. You can achieve this by using anti-affinity in your deployment configuration.
Use the following configuration:
## What if I need a feature that's not supported?
-If you encounter feature gaps, the open-source, upstream [aks-engine][aks-engine] project provides an easy and fully customizable way of running Kubernetes in Azure, including Windows support. For more information, see [AKS roadmap][aks-roadmap].
+If you encounter feature gaps, the open-source [aks-engine][aks-engine] project provides an easy and fully customizable way of running Kubernetes in Azure, including Windows support. For more information, see [AKS roadmap][aks-roadmap].
## Next steps
api-management Api Management Access Restriction Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-access-restriction-policies.md
For more information and examples of this policy, see [Advanced request throttli
<rate-limit-by-key calls="number" renewal-period="seconds" increment-condition="condition"
+ increment-count="number"
counter-key="key value" retry-after-header-name="header name" retry-after-variable-name="policy expression variable name" remaining-calls-header-name="header name" remaining-calls-variable-name="policy expression variable name"
In the following example, the rate limit of 10 calls per 60 seconds is keyed by
| calls | The maximum total number of calls allowed during the time interval specified in the `renewal-period`. Policy expression is allowed. | Yes | N/A | | counter-key | The key to use for the rate limit policy. | Yes | N/A | | increment-condition | The boolean expression specifying if the request should be counted towards the rate (`true`). | No | N/A |
+| increment-count | The number by which the counter is increased per request. | No | 1 |
| renewal-period | The length in seconds of the sliding window during which the number of allowed requests should not exceed the value specified in `calls`. Policy expression is allowed. Maximum allowed value: 300 seconds. | Yes | N/A | | retry-after-header-name | The name of a response header whose value is the recommended retry interval in seconds after the specified call rate is exceeded. | No | N/A | | retry-after-variable-name | The name of a policy expression variable that stores the recommended retry interval in seconds after the specified call rate is exceeded. | No | N/A |
This policy can be used in the following policy [sections](./api-management-howt
- **Policy sections:** inbound - **Policy scopes:** all scopes
api-management Api Management Advanced Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-advanced-policies.md
Title: Azure API Management advanced policies | Microsoft Docs description: Reference for the advanced policies available for use in Azure API Management. Provides policy usage, settings and examples. - Previously updated : 03/07/2022+ Last updated : 04/28/2022
This article provides a reference for advanced API Management policies, such as
- [Control flow](api-management-advanced-policies.md#choose) - Conditionally applies policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md). - [Forward request](#ForwardRequest) - Forwards the request to the backend service.
+- [Include fragment](#IncludeFragment) - Inserts a policy fragment in the policy definition.
- [Limit concurrency](#LimitConcurrency) - Prevents enclosed policies from executing by more than the specified number of requests at a time. - [Log to event hub](#log-to-eventhub) - Sends messages in the specified format to an event hub defined by a Logger entity. - [Emit metrics](#emit-metrics) - Sends custom metrics to Application Insights at execution.
This policy can be used in the following policy [sections](./api-management-howt
- **Policy sections:** backend - **Policy scopes:** all scopes
+## <a name="IncludeFragment"></a> Include fragment
+
+The `include-fragment` policy inserts the contents of a previously created [policy fragment](policy-fragments.md) in the policy definition. A policy fragment is a centrally managed, reusable XML policy snippet that can be included in policy definitions in your API Management instance.
+
+The policy inserts the policy fragment as-is at the location you select in the policy definition.
+
+### Policy statement
+
+```xml
+<include-fragment fragment-id="fragment" />
+```
+
+### Example
+
+In the following example, the policy fragment named *myFragment* is added in the inbound section of a policy definition.
+
+```xml
+<inbound>
+ <include-fragment fragment-id="myFragment" />
+ <base />
+</inbound>
+[...]
+```
+
+## Elements
+
+| Element | Description | Required |
+| -- | - | -- |
+| include-fragment | Root element. | Yes |
+
+### Attributes
+
+| Attribute | Description | Required | Default |
+| | -- | -- | - |
+| fragment-id | A string. Expression allowed. Specifies the identifier (name) of a policy fragment created in the API Management instance. | Yes | N/A |
+
+### Usage
+
+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).
+
+- **Policy sections:** inbound, outbound, backend, on-error
+
+- **Policy scopes:** all scopes
+ ## <a name="LimitConcurrency"></a> Limit concurrency The `limit-concurrency` policy prevents enclosed policies from executing by more than the specified number of requests at any time. When that number is exceeded, new requests will fail immediately with the `429` Too Many Requests status code.
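Review bot: "## Elements" is a level-2 heading while the sibling subsections of Include fragment ("### Policy statement", "### Example", "### Attributes", "### Usage") are level 3, so "Elements" and everything after it would render as a new top-level section rather than as part of Include fragment; change it to "### Elements". The `[...]` line inside the xml fence of the example is fine as an elision but should stay consistent with how the other policy examples in this article indicate omitted content.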
The `limit-concurrency` policy prevents enclosed policies from executing by more
</limit-concurrency> ```
-### Examples
-
-#### Example
+### Example
The following example demonstrates how to limit number of requests forwarded to a backend based on the value of a context variable.
api-management Api Management Howto Configure Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-notifications.md
To view and configure a notification template in the portal:
## Configure email settings
-You can modify general e-mail settings for notifications that are sent from your API Management instance. You can change the administrator email address, the name of the organization sending notification, and the originating email address.
+You can modify general email settings for notifications that are sent from your API Management instance. You can change the administrator email address, the name of the organization sending notifications, and the originating email address.
To modify email settings:
api-management Api Management Howto Create Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-groups.md
Once the association is added between the developer and the group, you can view
* Once a developer is added to a group, they can view and subscribe to the products associated with that group. For more information, see [How create and publish a product in Azure API Management][How create and publish a product in Azure API Management], * In addition to creating and managing groups in the Azure portal, you can create and manage your groups using the API Management REST API [Group](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-group-entity) entity.
+* Learn how to manage the administrator [email settings](api-management-howto-configure-notifications.md#configure-email-settings) that asre used in notifications to developers from your API Management instance.
+ [Create a group]: #create-group [Associate a group with a product]: #associate-group-product
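Review bot: typo in the added bullet, "that asre used in notifications" should be "that are used in notifications".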
api-management Api Management Howto Oauth2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-oauth2.md
Configuring OAuth 2.0 user authorization in the test console of the developer po
## Prerequisites
-This article shows you how to configure your API Management service instance to use OAuth 2.0 authorization in the developer portal's test console, but doesn't show you how to configure an OAuth 2.0 provider.
+This article shows you how to configure your API Management service instance to use OAuth 2.0 authorization in the developer portal's test console, but it doesn't show you how to configure an OAuth 2.0 provider.
If you haven't yet created an API Management service instance, see [Create an API Management service instance][Create an API Management service instance].
When configuring OAuth 2.0 user authorization in the test console of the develop
Depending on your scenarios, you may configure more or less restrictive token scopes for other client applications that you create to access backend APIs. * **Take extra care if you enable the Client Credentials flow**. The test console in the developer portal, when working with the Client Credentials flow, doesn't ask for credentials. An access token could be inadvertently exposed to developers or anonymous users of the developer console.
+## Keeping track of key information
+
+Throughout this tutorial you'll be asked to record key information to reference later on:
+
+- **Backend Application (client) ID**: The GUID of the application that represents the backend API
+- **Backend Application Scopes**: One or more scopes you may create to access the API. The scope format is `api://<Backend Application (client) ID>/<Scope Name>` (for example, api://1764e900-1827-4a0b-9182-b2c1841864c2/Read)
+- **Client Application (client) ID**: The GUID of the application that represents the developer portal
+- **Client Application Secret Value**: The GUID that serves as the secret for interaction with the client application in Azure Active Directory
+ ## Register applications with the OAuth server You'll need to register two applications with your OAuth 2.0 provider: one represents the backend API to be protected, and a second represents the client application that calls the API - in this case, the test console of the developer portal.
Optionally:
`https://login.microsoftonline.com/<tenant_id>/oauth2/token` (v1)
- * If you use **v1** endpoints, add a body parameter:
- * Name: **resource**.
+ * If you use **v1** endpoints, add a body parameter:
+ * Name: **resource**.
* Value: the back-end app **Application (client) ID**.
- * If you use **v2** endpoints:
- * Enter the back-end app scope you created in the **Default scope** field.
- * Set the value for the [`accessTokenAcceptedVersion`](../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute) property to `2` in the [application manifest](../active-directory/develop/reference-app-manifest.md) for both the backend-app and the client-app registrations.
+ * If you use **v2** endpoints:
+ * Enter the back-end app scope you created in the **Default scope** field.
+ * Set the value for the [`accessTokenAcceptedVersion`](../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute) property to `2` in the [application manifest](../active-directory/develop/reference-app-manifest.md) for both the backend-app and the client-app registrations.
* Accept the default settings for **Client authentication methods** and **Access token sending method**.
Optionally:
1. [Republish](api-management-howto-developer-portal-customize.md#publish) the developer portal.
+ > [!NOTE]
+ > When making OAuth 2.0-related changes, it is important that you remember to (re-)publish the developer portal after every modification as relevant changes (for example, scope change) otherwise cannot propagate into the portal and subsequently be used in trying out the APIs.
+ After saving the OAuth 2.0 server configuration, configure APIs to use this configuration, as shown in the next section. ## Configure an API to use OAuth 2.0 user authorization
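Review bot: the added NOTE is hard to parse ("remember to (re-)publish the developer portal after every modification as relevant changes (for example, scope change) otherwise cannot propagate into the portal and subsequently be used in trying out the APIs"); suggest "After any OAuth 2.0-related change (for example, a scope change), republish the developer portal. Changes don't reach the portal's test console until it is republished."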
For more information about using OAuth 2.0 and API Management, see [Protect a we
[Configure an OAuth 2.0 authorization server in API Management]: #step1 [Configure an API to use OAuth 2.0 user authorization]: #step2 [Test the OAuth 2.0 user authorization in the Developer Portal]: #step3
-[Next steps]: #next-steps
+[Next steps]: #next-steps
api-management Api Management Howto Use Managed Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-managed-service-identity.md
You can grant two types of identities to an API Management instance:
- A *system-assigned identity* is tied to your service and is deleted if your service is deleted. The service can have only one system-assigned identity. - A *user-assigned identity* is a standalone Azure resource that can be assigned to your service. The service can have multiple user-assigned identities.
+> [!NOTE]
+> Managed identities are specific to the Azure AD tenant where your Azure subscription is hosted. They don't get updated if a subscription is moved to a different directory. If a subscription is moved, you'll need to recreate and configure the identities.
+ ## Create a system-assigned managed identity ### Azure portal
api-management Api Management Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-policies.md
More information about policies:
- [Send message to Pub/Sub topic](api-management-dapr-policies.md#pubsub) - uses Dapr runtime to publish a message to a Publish/Subscribe topic. - [Trigger output binding](api-management-dapr-policies.md#bind) - uses Dapr runtime to invoke an external system via output binding.
-## [GraphQL validation policy](graphql-validation-policies.md)
-- [Validate GraphQL request](graphql-validation-policies.md#validate-graphql-request) - Validates and authorizes a request to a GraphQL API.
+## [GraphQL API policies](graphql-policies.md)
+- [Validate GraphQL request](graphql-policies.md#validate-graphql-request) - Validates and authorizes a request to a GraphQL API.
+- [Set GraphQL resolver](graphql-policies.md#set-graphql-resolver) - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.
## [Transformation policies](api-management-transformation-policies.md) - [Convert JSON to XML](api-management-transformation-policies.md#ConvertJSONtoXML) - Converts request or response body from JSON to XML.
api-management Api Management Terminology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-terminology.md
editor: ''
Previously updated : 10/11/2017 Last updated : 05/09/2022 # Azure API Management terminology
-This article gives definitions for the terms that are specific to API Management (APIM).
+This article gives definitions for the terms that are specific to Azure API Management.
## Term definitions
-* **Backend API** - An HTTP service that implements your API and its operations. For more information, see [Backends](backends.md).
-* **Frontend API**/**APIM API** - An APIM API does not host APIs, it creates façades for your APIs. You customize the façade according to your needs without touching the backend API. For more information, see [Import and publish an API](import-and-publish.md).
-* **APIM product** - a product contains one or more APIs as well as a usage quota and the terms of use. You can include a number of APIs and offer them to developers through the Developer portal. For more information, see [Create and publish a product](api-management-howto-add-products.md).
-* **APIM API operation** - Each APIM API represents a set of operations available to developers. Each APIM API contains a reference to the backend service that implements the API, and its operations map to the operations implemented by the backend service. For more information, see [Mock API responses](mock-api-responses.md).
-* **Version** - Sometimes you want to publish new or different API features to some users, while others want to stick with the API that currently works for them. For more information, see [Publish multiple versions of your API](api-management-get-started-publish-versions.md).
-* **Revision** - When your API is ready to go and starts to be used by developers, you usually need to take care in making changes to that API and at the same time not to disrupt callers of your API. It's also useful to let developers know about the changes you made. For more information, see [Use revisions](api-management-get-started-revise-api.md).
-* **Developer portal** - Your customers (developers) should use the Developer portal to access your APIs. The Developer portal can be customized. For more information, see [Customize the Developer portal](api-management-customize-styles.md).
+- **Backend API** - A service, most commonly HTTP-based, that implements an API and its operations. Sometimes backend APIs are referred to simply as backends. For more information, see [Backends](backends.md).
+- **Frontend API** - API Management serves as mediation layer over the backend APIs. Frontend API is an API that is exposed to API consumers from API Management. You can customize the shape and behavior of a frontend API in API Management without making changes to the backend API(s) that it represents. Sometimes frontend APIs are referred to simply as APIs. For more information, see [Import and publish an API](import-and-publish.md).
+- **Product** - A product is a bundle of frontend APIs that can be made available to a specified group of API consumers for self-service onboarding under a single access credential and a set of usage limits. An API can be part of multiple products. For more information, see [Create and publish a product](api-management-howto-add-products.md).
+- **API operation** - A frontend API in API Management can define multiple operations. An operation is a combination of an HTTP verb and a URL template uniquely resolvable within the frontend API. Often operations map one-to-one to backend API endpoints. For more information, see [Mock API responses](mock-api-responses.md).
+- **Version** - A version is a distinct variant of existing frontend API that differs in shape or behavior from the original. Versions give customers a choice of sticking with the original API or upgrading to a new version at the time of their choosing. Versions are a mechanism for releasing breaking changes without impacting API consumers. For more information, see [Publish multiple versions of your API](api-management-get-started-publish-versions.md).
+- **Revision** - A revision is a copy of an existing API that can be changed without impacting API consumers and swapped with the version currently in use by consumers usually after validation and testing. Revisions provide a mechanism for safely implementing nonbreaking changes. For more information, see [Use revisions](api-management-get-started-revise-api.md).
+- **Policy** - A policy is a reusable and composable component, implementing some commonly used API-related functionality. API Management offers over 50 built-in policies that take care of critical but undifferentiated horizontal concerns - for example, request transformation, routing, security, protection, caching. The policies can be applied at various scopes, which determine the affected APIs or operations and dynamically configured using policy expressions. For more information, see [Policies in Azure API Management](api-management-howto-policies.md).
+- **Developer portal** - The developer portal is a component of API Management. It provides a customizable experience for API discovery and self-service onboarding to API consumers. For more information, see [Customize the Developer portal](api-management-customize-styles.md).
## Next steps > [!div class="nextstepaction"]
+>
> [Create an instance](get-started-create-service-instance.md)-
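Review bot: Several of the new definitions have small grammar slips worth fixing before merge. In the **Frontend API** entry, "serves as mediation layer" should be "serves as a mediation layer" and "Frontend API is an API that is exposed" should be "A frontend API is an API that is exposed". In the **Version** entry, "a distinct variant of existing frontend API" should be "a distinct variant of an existing frontend API". In the **Policy** entry, "which determine the affected APIs or operations and dynamically configured using policy expressions" is missing a verb; suggest "which determine the affected APIs or operations, and can be configured dynamically using policy expressions". The **Revision** entry would read better with a comma: "swapped with the version currently in use by consumers, usually after validation and testing".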
api-management Api Management Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-versions.md
When the query string versioning scheme is used, the version identifier needs to
The format of an API request URL when using query string-based versioning is: `https://{yourDomain}/{apiName}/{operationId}?{queryStringParameterName}={versionIdentifier}`.
-For example, `https://apis.contoso.com/products?api-version=v1` and `https://apis.contoso.com/products/api-version=v2` could refer to the same `products` API but to versions `v1` and `v2` respectively.
+For example, `https://apis.contoso.com/products?api-version=v1` and `https://apis.contoso.com/products?api-version=v2` could refer to the same `products` API but to versions `v1` and `v2` respectively.
## Original versions
api-management Compute Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/compute-infrastructure.md
The following table summarizes the compute platforms currently used for instance
<sup>1</sup> Newly created instances in these tiers, created using the Azure portal or specifying API version 2021-01-01-preview or later. Includes some existing instances in Developer and Premium tiers configured with virtual networks or availability zones.
+> [!NOTE]
+> Currently, the `stv2` platform isn't available in the US Government cloud or in the following Azure regions: China East, China East 2, China North, China North 2.
+ ## How do I know which platform hosts my API Management instance? Starting with API version `2021-04-01-preview`, the API Management instance exposes a read-only `platformVersion` property that shows this platform information.
If you have an existing Developer or Premium tier instance that's connected to a
### Prerequisites
-* A new or existing virtual network and subnet in the same region and subscription as your API Management instance.
+* A new or existing virtual network and subnet in the same region and subscription as your API Management instance. The subnet must be different from the one currently used for the instance hosted on the `stv1` platform, and a network security group must be attached.
* A new or existing Standard SKU [public IPv4 address](../virtual-network/ip-services/public-ip-addresses.md#sku) resource in the same region and subscription as your API Management instance.
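Review bot: The new prerequisite sentence "a network security group must be attached" doesn't say which inbound or outbound rules the NSG needs for the `stv2` platform, so readers can't tell whether an empty or default NSG is enough. Suggest linking to the networking requirements for the new platform, or at least saying "a network security group with the rules required for API Management must be attached".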
api-management Graphql Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-api.md
Title: Import a GraphQL API using the Azure portal | Microsoft Docs
+ Title: Import a GraphQL API to Azure API Management using the portal | Microsoft Docs
-description: Learn how API Management supports GraphQL, add a GraphQL API, and GraphQL limitations.
+description: Learn how to add an existing GraphQL service as an API in Azure API Management. Manage the API and enable queries to pass through to the GraphQL endpoint.
Previously updated : 10/21/2021- Last updated : 05/19/2022+
-# Import a GraphQL API (preview)
+# Import a GraphQL API
-GraphQL is an open-source, industry-standard query language for APIs. Unlike endpoint-based (or REST-style) APIs designed around actions over resources, GraphQL APIs support a broader set of use cases and focus on data types, schemas, and queries.
-
-API Management tackles the security, authentication, and authorization challenges that come with publishing GraphQL APIs. Using API Management to expose your GraphQL APIs, you can:
-* Add a GraphQL service as APIs via Azure portal.
-* Secure GraphQL APIs by applying both existing access control policies and a [new policy](graphql-validation-policies.md) to secure and protect against GraphQL-specific attacks.
-* Explore the schema and run test queries against the GraphQL APIs in the Azure and developer portals.
- In this article, you'll: > [!div class="checklist"]
In this article, you'll:
> * Test your GraphQL API. > * Learn the limitations of your GraphQL API in API Management.
+If you want to import a GraphQL schema and set up field resolvers using REST or SOAP API endpoints, see [Import a GraphQL schema and set up field resolvers](graphql-schema-resolve-api.md).
+ ## Prerequisites - An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md). - A GraphQL API. + ## Add a GraphQL API 1. Navigate to your API Management instance. 1. From the side navigation menu, under the **APIs** section, select **APIs**. 1. Under **Define a new API**, select the **GraphQL** icon.
- :::image type="content" source="media/graphql-api/import-graphql-api.png" alt-text="Selecting GraphQL icon from list of APIs":::
+ :::image type="content" source="media/graphql-api/import-graphql-api.png" alt-text="Screenshot of selecting GraphQL icon from list of APIs.":::
1. In the dialog box, select **Full** and complete the required form fields.
- :::image type="content" source="media/graphql-api/create-from-graphql-schema.png" alt-text="Demonstrate fields for creating GraphQL":::
+ :::image type="content" source="media/graphql-api/create-from-graphql-schema.png" alt-text="Screenshot of fields for creating a GraphQL API.":::
| Field | Description | |-|-|
- | Display name | The name by which your GraphQL API will be displayed. |
- | Name | Raw name of the GraphQL API. Automatically populates as you type the display name. |
- | GraphQL API endpoint | The base URL with your GraphQL API endpoint name. <br /> For example: *`https://example.com/your-GraphQL-name`*. You can also use the common ["Star Wars" GraphQL endpoint](https://swapi-graphql.netlify.app/.netlify/functions/index) as a demo. |
- | Upload schema file | Select to browse and upload your schema file. |
- | Description | Add a description of your API. |
- | URL scheme | Select HTTP, HTTPS, or Both. Default selection: *Both*. |
- | API URL suffix| Add a URL suffix to identify this specific API in this API Management instance. It has to be unique in this API Management instance. |
- | Base URL | Uneditable field displaying your API base URL |
- | Tags | Associate your GraphQL API with new or existing tags. |
- | Products | Associate your GraphQL API with a product to publish it. |
- | Gateways | Associate your GraphQL API with existing gateways. Default gateway selection: *Managed*. |
- | Version this API? | Select to version control your GraphQL API. |
-
-1. Click **Create**.
-
-## Test your GraphQL API
-
-1. Navigate to your API Management instance.
-1. From the side navigation menu, under the **APIs** section, select **APIs**.
-1. Under **All APIs**, select your GraphQL API.
-1. Select the **Test** tab to access the Test console.
-1. Under **Headers**:
- 1. Select the header from the **Name** drop-down menu.
- 1. Enter the value to the **Value** field.
- 1. Add more headers by selecting **+ Add header**.
- 1. Delete headers using the **trashcan icon**.
-1. If you've added a product to your GraphQL API, apply product scope under **Apply product scope**.
-1. Under **Query editor**, either:
- 1. Select at least one field or subfield from the list in the side menu. The fields and subfields you select appear in the query editor.
- 1. Start typing in the query editor to compose a query.
-
- :::image type="content" source="media/graphql-api/test-graphql-query.png" alt-text="Demonstrating adding fields to the query editor":::
-
-1. Under **Query variables**, add variables to reuse the same query or mutation and pass different values.
-1. Click **Send**.
-1. View the **Response**.
-
- :::image type="content" source="media/graphql-api/graphql-query-response.png" alt-text="View the test query response":::
-
-1. Repeat preceding steps to test different payloads.
-1. When testing is complete, exit test console.
-
-## Limitations
-
-* Only GraphQL pass through is supported.
-* A single GraphQL API in API Management corresponds to only a single GraphQL backend endpoint.
+ | **Display name** | The name by which your GraphQL API will be displayed. |
+ | **Name** | Raw name of the GraphQL API. Automatically populates as you type the display name. |
+ | **GraphQL API endpoint** | The base URL with your GraphQL API endpoint name. <br /> For example: *`https://example.com/your-GraphQL-name`*. You can also use a common ["Star Wars" GraphQL endpoint](https://swapi-graphql.azure-api.net/graphql) as a demo. |
+ | **Upload schema** | Optionally select to browse and upload your schema file to replace the schema retrieved from the GraphQL endpoint (if available). |
+ | **Description** | Add a description of your API. |
+ | **URL scheme** | Select **HTTP**, **HTTPS**, or **Both**. Default selection: *Both*. |
+ | **API URL suffix**| Add a URL suffix to identify this specific API in this API Management instance. It has to be unique in this API Management instance. |
+ | **Base URL** | Uneditable field displaying your API base URL |
+ | **Tags** | Associate your GraphQL API with new or existing tags. |
+ | **Products** | Associate your GraphQL API with a product to publish it. |
+ | **Gateways** | Associate your GraphQL API with existing gateways. Default gateway selection: *Managed*. |
+ | **Version this API?** | Select to apply a versioning scheme to your GraphQL API. |
+
+1. Select **Create**.
+1. After the API is created, browse the schema on the **Design** tab, in the **Frontend** section.
+ :::image type="content" source="media/graphql-api/explore-schema.png" alt-text="Screenshot of exploring the GraphQL schema in the portal.":::
+ [!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]
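Review bot: The "Test your GraphQL API" and "Limitations" sections are removed, but the unchanged checklist at the top of the article still promises "Test your GraphQL API" and "Learn the limitations of your GraphQL API in API Management"; either the new `api-management-define-api-topics.md` include must cover both, or the checklist should be updated to match. The removed introduction also dropped the sentence about securing GraphQL APIs with access control policies and the GraphQL validation policy; since that is the main security reason to front a GraphQL endpoint with API Management, consider keeping a one-line pointer to `graphql-policies.md` in the intro rather than relying on the include.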
api-management Graphql Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-policies.md
+
+ Title: Azure API Management policies for GraphQL APIs | Microsoft Docs
+description: Reference for Azure API Management policies to validate and resolve GraphQL API queries. Provides policy usage, settings, and examples.
++++ Last updated : 05/17/2022++++
+# API Management policies for GraphQL APIs
+
+This article provides a reference for API Management policies to validate and resolve queries to GraphQL APIs.
++
+## GraphQL API policies
+
+- [Validate GraphQL request](#validate-graphql-request) - Validates and authorizes a request to a GraphQL API.
+- [Set GraphQL resolver](#set-graphql-resolver) - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.
+
+## Validate GraphQL request
+
+The `validate-graphql-request` policy validates the GraphQL request and authorizes access to specific query paths. An invalid query is a "request error". Authorization is only done for valid requests.
+++
+**Permissions**
+Because GraphQL queries use a flattened schema:
+* Permissions may be applied at any leaf node of an output type:
+ * Mutation, query, or subscription
+ * Individual field in a type declaration.
+* Permissions may not be applied to:
+ * Input types
+ * Fragments
+ * Unions
+ * Interfaces
+ * The schema element
+
+**Authorize element**
+Configure the `authorize` element to set an appropriate authorization rule for one or more paths.
+* Each rule can optionally provide a different action.
+* Use policy expressions to specify conditional actions.
+
+**Introspection system**
+The policy for path=`/__*` is the [introspection](https://graphql.org/learn/introspection/) system. You can use it to reject introspection requests (`__schema`, `__type`, etc.).
+
+### Policy statement
+
+```xml
+<validate-graphql-request error-variable-name="variable name" max-size="size in bytes" max-depth="query depth">
+ <authorize>
+ <rule path="query path, for example: '/listUsers' or '/__*'" action="string or policy expression that evaluates to 'allow|remove|reject|ignore'" />
+ </authorize>
+</validate-graphql-request>
+```
+
+### Example: Query validation
+
+This example applies the following validation and authorization rules to a GraphQL query:
+* Requests larger than 100 kb or with query depth greater than 4 are rejected.
+* Requests to the introspection system are rejected.
+* The `/Missions/name` field is removed from requests containing more than two headers.
+
+```xml
+<validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">
+ <authorize>
+ <rule path="/__*" action="reject" />
+ <rule path="/Missions/name" action="@(context.Request.Headers.Count > 2 ? "remove" : "allow")" />
+ </authorize>
+</validate-graphql-request>
+```
+
+### Example: Mutation validation
+
+This example applies the following validation and authorization rules to a GraphQL mutation:
+* Requests larger than 100 kb or with query depth greater than 4 are rejected.
+* Requests to mutate the `deleteUser` field are denied except when the request is from IP address `198.51.100.1`.
+
+```xml
+<validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">
+ <authorize>
+ <rule path="/Mutation/deleteUser" action="@(context.Request.IpAddress <> "198.51.100.1" ? "deny" : "allow")" />
+ </authorize>
+</validate-graphql-request>
+```
+
+### Elements
+
+| Name | Description | Required |
+| | | -- |
+| `validate-graphql-request` | Root element. | Yes |
+| `authorize` | Add this element to provide field-level authorization with both request- and field-level errors. | No |
+| `rule` | Add one or more of these elements to authorize specific query paths. Each rule can optionally specify a different [action](#request-actions). | No |
+
+### Attributes
+
+| Name | Description | Required | Default |
+| -- | - | -- | - |
+| `error-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A |
+| `max-size` | Maximum size of the request payload in bytes. Maximum allowed value: 102,400 bytes (100 KB). (Contact [support](https://azure.microsoft.com/support/options/) if you need to increase this limit.) | Yes | N/A |
+| `max-depth` | An integer. Maximum query depth. | No | 6 |
+| `path` | Path to execute authorization validation on. It must follow the pattern: `/type/field`. | Yes | N/A |
+| `action` | [Action](#request-actions) to perform if the rule applies. May be specified conditionally using a policy expression. | No | allow |
+
+### Request actions
+
+Available actions are described in the following table.
+
+|Action |Description |
+|||
+|`reject` | A request error happens, and the request is not sent to the back end. Additional rules if configured are not applied. |
+|`remove` | A field error happens, and the field is removed from the request. |
+|`allow` | The field is passed to the back end. |
+|`ignore` | The rule is not valid for this case and the next rule is applied. |
+
+### Error handling
+
+Failure to validate against the GraphQL schema, or a failure for the request's size or depth, is a request error and results in the request being failed with an errors block (but no data block).
+
+Similar to the [`Context.LastError`](api-management-error-handling-policies.md#lasterror) property, all GraphQL validation errors are automatically propagated in the `GraphQLErrors` variable. If the errors need to be propagated separately, you can specify an error variable name. Errors are pushed onto the `error` variable and the `GraphQLErrors` variable.
+
+### Usage
+
+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).
+
+- **Policy sections:** inbound
+
+- **Policy scopes:** all scopes
+
+## Set GraphQL resolver
+
+The `set-graphql-resolver` policy retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema. The schema must be imported to API Management. Currently the data must be resolved using an HTTP-based data source (REST or SOAP API).
++
+* This policy is invoked only when a matching GraphQL query is executed.
+* The policy resolves data for a single field. To resolve data for multiple fields, configure multiple occurrences of this policy in a policy definition.
+* The context for the HTTP request and HTTP response (if specified) differs from the context for the original gateway API request:
+ * The HTTP request context contains arguments that are passed in the GraphQL query as its body.
+ * The HTTP response context is the response from the independent HTTP call made by the resolver, not the context for the complete response for the gateway request.
+++
+### Policy statement
+
+```xml
+<set-graphql-resolver parent-type="type" field="field">
+ <http-data-source>
+ <http-request>
+ <set-method>HTTP method</set-method>
+ <set-url>URL</set-url>
+ [...]
+ </http-request>
+ <http-response>
+ [...]
+ </http-response>
+ </http-data-source>
+</set-graphql-resolver>
+```
+
+### Examples
+
+### Resolver for GraphQL query
+
+The following example resolves a query by making an HTTP `GET` call to a backend data source.
+
+#### Example schema
+
+```
+type Query {
+ users: [User]
+}
+
+type User {
+ id: String!
+ name: String!
+}
+```
+
+#### Example policy
+
+```xml
+<set-graphql-resolver parent-type="Query" field="users">
+ <http-data-source>
+ <http-request>
+ <set-method>GET</set-method>
+ <set-url>https://data.contoso.com/get/users</set-url>
+ </http-request>
+ </http-data-source>
+</set-graphql-resolver>
+```
+
+### Resolver for a GraqhQL query that returns a list, using a liquid template
+
+The following example uses a liquid template, supported for use in the [set-body](api-management-transformation-policies.md#SetBody) policy, to return a list in the HTTP response to a query.
+
+#### Example schema
+
+```
+type Query {
+ users: [User]
+}
+
+type User {
+ id: String!
+ name: String!
+}
+```
+
+#### Example policy
+
+```xml
+<set-graphql-resolver parent-type="Query" field="users">
+ <http-data-source>
+ <http-request>
+ <set-method>GET</set-method>
+ <set-url>https://data.contoso.com/users</set-url>
+ </http-request>
+ <http-response>
+ <set-body template="liquid">
+ [
+ {% JSONArrayFor elem in body %}
+ {
+ "name": "{{elem.title}}"
+ }
+ {% endJSONArrayFor %}
+ ]
+ </set-body>
+ </http-response>
+ </http-data-source>
+</set-graphql-resolver>
+```
+
+### Resolver for GraphQL mutation
+
+The following example resolves a mutation that inserts data by making a `POST` request to an HTTP data source. The policy expression in the `set-body` policy of the HTTP request modifies a `name` argument that is passed in the GraphQL query as its body.
+
+#### Example schema
+
+```
+type Query {
+ users: [User]
+}
+
+type Mutation {
+ makeUser(name: String!): User
+}
+
+type User {
+ id: String!
+ name: String!
+}
+```
+
+#### Example policy
+
+```xml
+<set-graphql-resolver parent-type="Mutation" field="makeUser">
+ <http-data-source>
+ <http-request>
+ <set-method>POST</set-method>
+ <set-url> https://data.contoso.com/user/create </set-url>
+ <set-header name="Content-Type" exists-action="override">
+ <value>application/json</value>
+ </set-header>
+ <set-body>@{
+ var body = context.Request.Body.As<JObject>(true);
+ JObject jsonObject = new JObject();
+ jsonObject.Add("name", body["name"])
+ return jsonObject.ToString();
+ }</set-body>
+ </http-request>
+ </http-data-source>
+</set-graphql-resolver>
+```
+
+### Elements
+
+| Name | Description | Required |
+| | | -- |
+| `set-graphql-resolver` | Root element. | Yes |
+| `http-data-source` | Configures the HTTP request and optionally the HTTP response that are used to resolve data for the given `parent-type` and `field`. | Yes |
+| `http-request` | Specifies a URL and child policies to configure the resolver's HTTP request. Each of the following policies can be specified at most once in the element. <br/><br/>Required policy: [set-method](api-management-advanced-policies.md#SetRequestMethod)<br/><br/>Optional policies: [set-header](api-management-transformation-policies.md#SetHTTPheader), [set-body](api-management-transformation-policies.md#SetBody), [authentication-certificate](api-management-authentication-policies.md#ClientCertificate) | Yes |
+| `set-url` | The URL of the resolver's HTTP request. | Yes |
+| `http-response` | Optionally specifies child policies to configure the resolver's HTTP response. If not specified, the response is returned as a raw string. Each of the following policies can be specified at most once. <br/><br/>Optional policies: [set-body](api-management-transformation-policies.md#SetBody), [json-to-xml](api-management-transformation-policies.md#ConvertJSONtoXML), [xml-to-json](api-management-transformation-policies.md#ConvertXMLtoJSON), [find-and-replace](api-management-transformation-policies.md#Findandreplacestringinbody) | No |
+
+### Attributes
+
+| Name | Description | Required | Default |
+| -- | - | -- | - |
+| `parent-type`| An object type in the GraphQL schema. | Yes | N/A |
+| `field`| A field of the specified `parent-type` in the GraphQL schema. | Yes | N/A |
+
+> [!NOTE]
+> Currently, the values of `parent-type` and `field` aren't validated by this policy. If they aren't valid, the policy is ignored, and the GraphQL query is forwarded to a GraphQL endpoint (if one is configured).
+
+### Usage
+
+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).
+
+- **Policy sections:** backend
+
+- **Policy scopes:** all scopes
+
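Review bot: The mutation validation example uses an action (`deny`) and an operator (`<>`) that the rest of this page doesn't define. The `action` attribute is documented as `allow|remove|reject|ignore` and the Request actions table lists only those four, so `"deny"` should be `"reject"`; and policy expressions are C#, where inequality is `!=`, not `<>`. Suggested rule: `<rule path="/Mutation/deleteUser" action="@(context.Request.IpAddress != "198.51.100.1" ? "reject" : "allow")" />`. In the mutation resolver example, `jsonObject.Add("name", body["name"])` is missing its trailing semicolon, so the `set-body` expression won't compile, and `<set-url> https://data.contoso.com/user/create </set-url>` has leading and trailing spaces inside the URL that should be removed. In the liquid template example, the template emits `{{elem.title}}` while the example schema's `User` type has only `id` and `name`; use `{{elem.name}}` (and consider emitting `id` too, since it is declared non-null) so the sample matches the schema. Minor: the heading "Resolver for a GraqhQL query that returns a list" has a typo (GraphQL); "100 kb" in the example descriptions should be "100 KB" to match the `max-size` attribute text; and in the Error handling paragraph, "Errors are pushed onto the `error` variable" is ambiguous, since the variable is whatever `error-variable-name` names.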
api-management Graphql Schema Resolve Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-schema-resolve-api.md
+
+ Title: Import GraphQL schema and set up field resolvers | Microsoft Docs
+
+description: Import a GraphQL schema to API Management and configure a policy to resolve a GraphQL query using an HTTP-based data source.
++++ Last updated : 05/17/2022+++
+# Import a GraphQL schema and set up field resolvers
+
+++
+In this article, you'll:
+> [!div class="checklist"]
+> * Import a GraphQL schema to your API Management instance
+> * Set up a resolver for a GraphQL query using an existing HTTP endpoints
+> * Test your GraphQL API
+
+If you want to expose an existing GraphQL endpoint as an API, see [Import a GraphQL API](graphql-api.md).
+
+## Prerequisites
+
+- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).
+- A valid GraphQL schema file with the `.graphql` extension.
+- A backend GraphQL endpoint is optional for this scenario.
+++
+## Add a GraphQL schema
+
+1. From the side navigation menu, under the **APIs** section, select **APIs**.
+1. Under **Define a new API**, select the **Synthetic GraphQL** icon.
+
+ :::image type="content" source="media/graphql-schema-resolve-api/import-graphql-api.png" alt-text="Screenshot of selecting Synthetic GraphQL icon from list of APIs.":::
+
+1. In the dialog box, select **Full** and complete the required form fields.
+
+ :::image type="content" source="media/graphql-schema-resolve-api/create-from-graphql-schema.png" alt-text="Screenshot of fields for creating a GraphQL API.":::
+
+ | Field | Description |
+ |-|-|
+ | **Display name** | The name by which your GraphQL API will be displayed. |
+ | **Name** | Raw name of the GraphQL API. Automatically populates as you type the display name. |
+ | **Fallback GraphQL endpoint** | For this scenario, optionally enter a URL with a GraphQL API endpoint name. API Management passes GraphQL queries to this endpoint when a custom resolver isn't set for a field. |
+ | **Upload schema file** | Select to browse and upload a valid GraphQL schema file with the `.graphql` extension. |
+ | Description | Add a description of your API. |
+ | URL scheme | Select **HTTP**, **HTTPS**, or **Both**. Default selection: *Both*. |
+ | **API URL suffix**| Add a URL suffix to identify this specific API in this API Management instance. It has to be unique in this API Management instance. |
+ | **Base URL** | Uneditable field displaying your API base URL |
+ | **Tags** | Associate your GraphQL API with new or existing tags. |
+ | **Products** | Associate your GraphQL API with a product to publish it. |
+ | **Gateways** | Associate your GraphQL API with existing gateways. Default gateway selection: *Managed*. |
+ | **Version this API?** | Select to apply a versioning scheme to your GraphQL API. |
+
+1. Select **Create**.
+
+1. After the API is created, browse the schema on the **Design** tab, in the **Frontend** section.
+
+## Configure resolver
+
+Configure the [set-graphql-resolver](graphql-policies.md#set-graphql-resolver) policy to map a field in the schema to an existing HTTP endpoint.
+
+Suppose you imported the following basic GraphQL schema and wanted to set up a resolver for the *users* query.
+
+```
+type Query {
+ users: [User]
+}
+
+type User {
+ id: String!
+ name: String!
+}
+```
+
+1. From the side navigation menu, under the **APIs** section, select **APIs** > your GraphQL API.
+1. On the **Design** tab of your GraphQL API, select **All operations**.
+1. In the **Backend** processing section, select **+ Add policy**.
+1. Configure the `set-graphql-resolver` policy to resolve the *users* query using an HTTP data source.
+
+ For example, the following `set-graphql-resolver` policy retrieves the *users* field by using a `GET` call on an existing HTTP data source.
+
+ ```xml
+ <set-graphql-resolver parent-type="Query" field="users">
+ <http-data-source>
+ <http-request>
+ <set-method>GET</set-method>
+ <set-url>https://myapi.contoso.com/users</set-url>
+ </http-request>
+ </http-data-source>
+ </set-graphql-resolver>
+ ```
+1. To resolve data for other fields in the schema, repeat the preceding step.
+1. Select **Save**.
+++
+## Next steps
+> [!div class="nextstepaction"]
+> [Transform and protect a published API](transform-api.md)
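Review bot: the **URL scheme** row (`Select **HTTP**, **HTTPS**, or **Both**. Default selection: *Both*`) documents a default that lets clients send GraphQL queries, and whatever bearer tokens accompany them, over cleartext HTTP; recommend **HTTPS** and say why, rather than presenting *Both* neutrally. Three smaller points in the same hunk: the `set-graphql-resolver` example issues an unauthenticated `GET` to `https://myapi.contoso.com/users`, so the text should state how the backend call is meant to be authenticated (or that the sample backend is intentionally open); the **Fallback GraphQL endpoint** description ("a URL with a GraphQL API endpoint name") is unclear and should just say "the URL of a GraphQL endpoint"; and the schema code block carries no language tag (the fence should be tagged `graphql`).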
api-management Graphql Validation Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-validation-policies.md
- Title: Azure API Management validation policy for GraphQL requests | Microsoft Docs
-description: Reference for an Azure API Management policy to validate and authorize GraphQL requests. Provides policy usage, settings, and examples.
---- Previously updated : 03/07/2022----
-# API Management policy to validate and authorize GraphQL requests (preview)
-
-This article provides a reference for an API Management policy to validate and authorize requests to a [GraphQL API](graphql-api.md) imported to API Management.
--
-## Validation policy
-
-| Policy | Description |
-| | -- |
-| [Validate GraphQL request](#validate-graphql-request) | Validates and authorizes a request to a GraphQL API. |
--
-## Validate GraphQL request
-
-The `validate-graphql-request` policy validates the GraphQL request and authorizes access to specific query paths. An invalid query is a "request error". Authorization is only done for valid requests.
---
-**Permissions**
-Because GraphQL queries use a flattened schema:
-* Permissions may be applied at any leaf node of an output type:
- * Mutation, query, or subscription
- * Individual field in a type declaration.
-* Permissions may not be applied to:
- * Input types
- * Fragments
- * Unions
- * Interfaces
- * The schema element
-
-**Authorize element**
-Configure the `authorize` element to set an appropriate authorization rule for one or more paths.
-* Each rule can optionally provide a different action.
-* Use policy expressions to specify conditional actions.
-
-**Introspection system**
-The policy for path=`/__*` is the [introspection](https://graphql.org/learn/introspection/) system. You can use it to reject introspection requests (`__schema`, `__type`, etc.).
-
-### Policy statement
-
-```xml
-<validate-graphql-request error-variable-name="variable name" max-size="size in bytes" max-depth="query depth">
- <authorize>
- <rule path="query path, for example: '/listUsers' or '/__*'" action="string or policy expression that evaluates to 'allow|remove|reject|ignore'" />
- </authorize>
-</validate-graphql-request>
-```
-
-### Example: Query validation
-
-This example applies the following validation and authorization rules to a GraphQL query:
-* Requests larger than 100 kb or with query depth greater than 4 are rejected.
-* Requests to the introspection system are rejected.
-* The `/Missions/name` field is removed from requests containing more than two headers.
-
-```xml
-<validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">
- <authorize>
- <rule path="/__*" action="reject" />
- <rule path="/Missions/name" action="@(context.Request.Headers.Count > 2 ? "remove" : "allow")" />
- </authorize>
-</validate-graphql-request>
-```
-
-### Example: Mutation validation
-
-This example applies the following validation and authorization rules to a GraphQL mutation:
-* Requests larger than 100 kb or with query depth greater than 4 are rejected.
-* Requests to mutate the `deleteUser` field are denied except when the request is from IP address `198.51.100.1`.
-
-```xml
-<validate-graphql-request error-variable-name="name" max-size="102400" max-depth="4">
- <authorize>
- <rule path="/Mutation/deleteUser" action="@(context.Request.IpAddress <> "198.51.100.1" ? "deny" : "allow")" />
- </authorize>
-</validate-graphql-request>
-```
-
-### Elements
-
-| Name | Description | Required |
-| | | -- |
-| `validate-graphql-request` | Root element. | Yes |
-| `authorize` | Add this element to provide field-level authorization with both request- and field-level errors. | No |
-| `rule` | Add one or more of these elements to authorize specific query paths. Each rule can optionally specify a different [action](#request-actions). | No |
-
-### Attributes
-
-| Name | Description | Required | Default |
-| -- | - | -- | - |
-| `error-variable-name` | Name of the variable in `context.Variables` to log validation errors to. | No | N/A |
-| `max-size` | Maximum size of the request payload in bytes. Maximum allowed value: 102,400 bytes (100 KB). (Contact [support](https://azure.microsoft.com/support/options/) if you need to increase this limit.) | Yes | N/A |
-| `max-depth` | An integer. Maximum query depth. | No | 6 |
-| `path` | Path to execute authorization validation on. It must follow the pattern: `/type/field`. | Yes | N/A |
-| `action` | [Action](#request-actions) to perform if the rule applies. May be specified conditionally using a policy expression. | No | allow |
-
-### Request actions
-
-Available actions are described in the following table.
-
-|Action |Description |
-|||
-|`reject` | A request error happens, and the request is not sent to the back end. Additional rules if configured are not applied. |
-|`remove` | A field error happens, and the field is removed from the request. |
-|`allow` | The field is passed to the back end. |
-|`ignore` | The rule is not valid for this case and the next rule is applied. |
-
-### Usage
-
-This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).
--- **Policy sections:** inbound--- **Policy scopes:** all scopes-
-## Error handling
-
-Failure to validate against the GraphQL schema, or a failure for the request's size or depth, is a request error and results in the request being failed with an errors block (but no data block).
-
-Similar to the [`Context.LastError`](api-management-error-handling-policies.md#lasterror) property, all GraphQL validation errors are automatically propagated in the `GraphQLErrors` variable. If the errors need to be propagated separately, you can specify an error variable name. Errors are pushed onto the `error` variable and the `GraphQLErrors` variable.
-
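Review bot: this removes the whole `validate-graphql-request` reference with no replacement or redirect visible in the change set; confirm the content lands elsewhere, and if it is being carried over, fix two defects in the examples as they move. The mutation rule `action="@(context.Request.IpAddress <> "198.51.100.1" ? "deny" : "allow")"` uses `deny`, which is not among the documented actions (`allow|remove|reject|ignore`), uses `<>` where C# needs `!=`, and leaves `<`, `>` and the inner double quotes unescaped inside an XML attribute; the query example has the same inner-quote problem. The page should also say how `context.Request.IpAddress` is determined when requests arrive through a proxy or front door, since an allow-by-source-IP rule for `deleteUser` is only as strong as that value.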
api-management Policy Fragments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-fragments.md
+
+ Title: Reuse policy configurations in Azure API Management | Microsoft Docs
+description: Learn how to create and manage reusable policy fragments in Azure API Management. Policy fragments are XML elements containing policy configurations that can be included in any policy definition.
+
+documentationcenter: ''
++++ Last updated : 04/28/2022++++
+# Reuse policy configurations in your API Management policy definitions
+
+This article shows you how to create and use *policy fragments* in your API Management policy definitions. Policy fragments are centrally managed, reusable XML snippets containing one or more API Management [policy](api-management-howto-policies.md) configurations.
+
+Policy fragments help you configure policies consistently and maintain policy definitions without needing to repeat or retype XML code.
+
+A policy fragment:
+
+* Must be valid XML containing one or more policy configurations
+* May include [policy expressions](api-management-policy-expressions.md), if a referenced policy supports them
+* Is inserted as-is in a policy definition by using the [include-fragment](api-management-advanced-policies.md#IncludeFragment) policy
+
+Limitations:
+
+* A policy fragment can't include a policy section identifier (`<inbound>`, `<outbound>`, etc.) or the `<base/>` element.
+* Currently, a policy fragment can't nest another policy fragment.
+
+## Prerequisites
+
+If you don't already have an API Management instance and a backend API, see:
+
+- [Create an Azure API Management instance](get-started-create-service-instance.md)
+- [Import and publish an API](import-and-publish.md)
+
+While not required, you may want to [configure](set-edit-policies.md) one or more policy definitions. You can copy policy elements from these definitions when creating policy fragments.
++
+## Create a policy fragment
+
+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments** > **+ Create**.
+1. In the **Create a new policy fragment** window, enter a **Name** and an optional **Description** of the policy fragment. The name must be unique within your API Management instance.
+
+ Example name: *ForwardContext*
+1. In the **XML policy fragment** editor, type or paste one or more policy XML elements between the `<fragment>` and `</fragment>` tags.
+
+ :::image type="content" source="media/policy-fragments/create-fragment.png" alt-text="Screenshot showing the create a new policy fragment form.":::
+
+ For example, the following fragment contains a [`set-header`](api-management-transformation-policies.md#SetHTTPheader) policy configuration to forward context information to a backend service. This fragment would be included in an inbound policy section. The policy expressions in this example access the built-in [`context` variable](api-management-policy-expressions.md#ContextVariables).
+
+ ```xml
+ <fragment>
+ <set-header name="x-request-context-data" exists-action="override">
+ <value>@(context.User.Id)</value>
+ <value>@(context.Deployment.Region)</value>
+ </set-header>
+ </fragment>
+ ```
+
+1. Select **Create**. The fragment is added to the list of policy fragments.
+
+## Include a fragment in a policy definition
+
+Configure the [`include-fragment`](api-management-advanced-policies.md#IncludeFragment) policy to insert a policy fragment in a policy definition. For more information about policy definitions, see [Set or edit policies](set-edit-policies.md).
+
+* You may include a fragment at any scope and in any policy section, as long as the underlying policy or policies in the fragment support that usage.
+* You may include multiple policy fragments in a policy definition.
+
+For example, insert the policy fragment named *ForwardContext* in the inbound policy section:
+
+```xml
+<policies>
+ <inbound>
+ <include-fragment fragment-id="ForwardContext" />
+ <base />
+ </inbound>
+[...]
+```
+
+> [!TIP]
+> To see the content of an included fragment displayed in the policy definition, select **Recalculate effective policy** in the policy editor.
+
+## Manage policy fragments
+
+After creating a policy fragment, you can view and update policy properties, or delete the policy at any time.
+
+**To view properties of a fragment:**
+
+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments**. Select the name of your fragment.
+1. On the **Overview** page, review the **Policy document references** to see the policy definitions that include the fragment.
+1. On the **Properties** page, review the name and description of the policy fragment. The name can't be changed.
+
+**To edit a policy fragment:**
+
+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments**. Select the name of your fragment.
+1. Select **Policy editor**.
+1. Update the statements in the fragment and then select **Apply**.
+
+> [!NOTE]
+> Update affects all policy definitions where the fragment is included.
+
+**To delete a policy fragment:**
+
+1. In the left navigation of your API Management instance, under **APIs**, select **Policy fragments**. Select the name of your fragment.
+1. Review **Policy document references** for policy definitions that include the fragment. Before a fragment can be deleted, you must remove the fragment references from all policy definitions.
+1. After all references are removed, select **Delete**.
+
+For more information about working with policies, see:
+++ [Tutorial: Transform and protect APIs](transform-api.md)++ [Set or edit policies](set-edit-policies.md)++ [Policy reference](./api-management-policies.md) for a full list of policy statements++ [Policy samples](./policies/index.md)
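Review bot: the `ForwardContext` example should explain why `exists-action="override"` is the right choice: with `override`, a caller-supplied `x-request-context-data` header is replaced before it reaches the backend, whereas `skip` or `append` would let a client inject or prepend its own value into a header the backend treats as trusted context. The page also contradicts itself on deletion: **Manage policy fragments** says you can "delete the policy at any time", but the delete procedure requires every **Policy document reference** to be removed first (and "delete the policy" should read "delete the fragment"). Finally, the note "Update affects all policy definitions where the fragment is included" deserves a stronger warning, since editing a fragment silently changes the effective policy of every API that includes it.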
api-management Set Edit Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-edit-policies.md
Operation scope is configured for a selected API operation.
1. Select **Save** to propagate changes to the API Management gateway immediately.
+## Reuse policy configurations
+
+You can create reusable [policy fragments](policy-fragments.md) in your API Management instance. Policy fragments are XML elements containing your configurations of one or more policies. Policy fragments help you configure policies consistently and maintain policy definitions without needing to repeat or retype XML code.
+
+Use the [`include-fragment`](api-management-advanced-policies.md#IncludeFragment) policy to insert a policy fragment in a policy definition.
+ ## Use `base` element to set policy evaluation order If you configure policy definitions at more than one scope, multiple policies could apply to an API request or response. Depending on the order that the policies from the different scopes are applied, the transformation of the request or response could differ.
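Review bot: the new **Reuse policy configurations** section sits directly above **Use `base` element to set policy evaluation order**, so it is the natural place to repeat the restriction stated on the policy-fragments page that a fragment cannot contain `<base/>` or a section element such as `<inbound>`; without that sentence a reader may expect `include-fragment` to bring in evaluation order as well as statements.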
api-management Zone Redundancy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/zone-redundancy.md
Previously updated : 02/02/2022 Last updated : 05/11/2022
Configuring API Management for zone redundancy is currently supported in the fol
* South Africa North (*) * South Central US * Southeast Asia
+* Switzerland North
* UK South * West Europe * West US 2 * West US 3 > [!IMPORTANT]
-> The regions with * against them have restrictive access in an Azure Subscription to enable Availability Zone support. Please work with your Microsoft sales or customer representative
+> The regions with * against them have restrictive access in an Azure subscription to enable availability zone support. Please work with your Microsoft sales or customer representative.
## Prerequisites
app-service Configure Common https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-common.md
Here, you can configure some common settings for the app. Some settings require
- **Platform settings**: Lets you configure settings for the hosting platform, including: - **FTP state**: Allow only FTPS or disable FTP altogether.
- - **Bitness**: 32-bit or 64-bit. (Defaults to 32-bit for App Service created in the portal.)
+ - **Bitness**: 32-bit or 64-bit. For Windows apps only.
- **WebSocket protocol**: For [ASP.NET SignalR] or [socket.io](https://socket.io/), for example. - **Always On**: Keeps the app loaded even when there's no traffic. When **Always On** is not turned on (default), the app is unloaded after 20 minutes without any incoming requests. The unloaded app can cause high latency for new requests because of its warm-up time. When **Always On** is turned on, the front-end load balancer sends a GET request to the application root every five minutes. The continuous ping prevents the app from being unloaded.
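Review bot: the **Bitness** rewrite drops the default (`Defaults to 32-bit for App Service created in the portal`) without replacing it; if that default still applies to Windows apps, keep it, and if it changed, state the new default, since a 32-bit worker caps the process address space. While here, the **FTP state** line should say which option is the default and recommend **FTPS only** or disabled, because plain FTP sends deployment credentials in cleartext.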
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-java.md
To confirm that the datasource was added to the JBoss server, SSH into your weba
## Choosing a Java runtime version
-App Service allows users to choose the major version of the JVM, such as Java 8 or Java 11, and the patch version, such as 1.8.0_232 or 11.0.5. You can also choose to have the patch version automatically updated as new minor versions become available. In most cases, production sites should use pinned patch JVM versions. This will prevent unnanticipated outages during a patch version auto-update. All Java web apps use 64-bit JVMs, this is not configurable.
+App Service allows users to choose the major version of the JVM, such as Java 8 or Java 11, and the patch version, such as 1.8.0_232 or 11.0.5. You can also choose to have the patch version automatically updated as new minor versions become available. In most cases, production sites should use pinned patch JVM versions. This will prevent unanticipated outages during a patch version auto-update. All Java web apps use 64-bit JVMs, this is not configurable.
If you are using Tomcat, you can choose to pin the patch version of Tomcat. On Windows, you can pin the patch versions of the JVM and Tomcat independently. On Linux, you can pin the patch version of Tomcat; the patch version of the JVM will also be pinned but is not separately configurable.
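Review bot: the typo fix is right, but the sentence still mixes terms (the patch version is said to auto-update "as new minor versions become available") and ends in a comma splice ("All Java web apps use 64-bit JVMs, this is not configurable"). More importantly, the advice to pin patch versions should carry its trade-off: a pinned JVM does not receive the security fixes an auto-update would deliver, so the page should tell readers to track new patch releases and re-pin on a schedule.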
app-service How To Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/how-to-migrate.md
az network vnet subnet update -g $ASE_RG -n <subnet-name> --vnet-name <vnet-name
## 6. Migrate to App Service Environment v3
-Only start this step once you've completed all pre-migration actions listed previously and understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. There will be about one hour of downtime. Scaling and modifications to your existing App Service Environment will be blocked during this step.
+Only start this step once you've completed all pre-migration actions listed previously and understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. This step takes up to three hours and during that time there will be about one hour of application downtime. Scaling and modifications to your existing App Service Environment will be blocked during this step.
```azurecli az rest --method post --uri "${ASE_ID}/migrate?api-version=2021-02-01&phase=fullmigration"
App Service Environment v3 requires the subnet it's in to have a single delegati
## 5. Migrate to App Service Environment v3
-Once you've completed all of the above steps, you can start migration. Make sure you understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. There will be about one hour of downtime. Scaling and modifications to your existing App Service Environment will be blocked during this step.
+Once you've completed all of the above steps, you can start migration. Make sure you understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. This step takes up to three hours and during that time there will be about one hour of application downtime. Scaling and modifications to your existing App Service Environment will be blocked during this step.
When migration is complete, you'll have an App Service Environment v3 and all of your apps will be running in your new environment. You can confirm the environment's version by checking the **Configuration** page for your App Service Environment.
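Review bot: both migration steps now give a window ("up to three hours") and a downtime figure ("about one hour"), which helps, but neither says whether the `az rest ... phase=fullmigration` call can be cancelled or rolled back once issued; since the existing environment is shut down and replaced during this step, the page should state plainly that the operation is one-way (or how to abort it) before telling readers to start it.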
app-service Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/migrate.md
Title: Migrate to App Service Environment v3 by using the migration feature
description: Overview of the migration feature for migration to App Service Environment v3 Previously updated : 4/29/2022 Last updated : 5/23/2022
App Service Environment v3 requires the subnet it's in to have a single delegati
After updating all dependent resources with your new IPs and properly delegating your subnet, you should continue with migration as soon as possible.
-During migration, the following events will occur:
+During migration, which requires up to a three hour service window, the following events will occur:
- The existing App Service Environment is shut down and replaced by the new App Service Environment v3. - All App Service plans in the App Service Environment are converted from Isolated to Isolated v2.-- All of the apps that are on your App Service Environment are temporarily down. You should expect about one hour of downtime.
+- All of the apps that are on your App Service Environment are temporarily down. You should expect about one hour of downtime during this period.
- If you can't support downtime, see [migration-alternatives](migration-alternatives.md#guidance-for-manual-migration). - The public addresses that are used by the App Service Environment will change to the IPs identified during the previous step.
There's no cost to migrate your App Service Environment. You'll stop being charg
- **What if migrating my App Service Environment is not currently supported?** You won't be able migrate using the migration feature at this time. If you have an unsupported environment and want to migrate immediately, see the [manual migration options](migration-alternatives.md). This doc will be updated as additional regions and supported scenarios become available. - **Will I experience downtime during the migration?**
- Yes, you should expect about one hour of downtime during the migration step so plan accordingly. If downtime isn't an option for you, see the [manual migration options](migration-alternatives.md).
+ Yes, you should expect about one hour of downtime during the three hour service window during the migration step so plan accordingly. If downtime isn't an option for you, see the [manual migration options](migration-alternatives.md).
- **Will I need to do anything to my apps after the migration to get them running on the new App Service Environment?** No, all of your apps running on the old environment will be automatically migrated to the new environment and run like before. No user input is needed. - **What if my App Service Environment has a custom domain suffix?**
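Review bot: "a three hour service window" and "the three hour service window" should be hyphenated as "three-hour", and the reworded bullet now repeats itself ("temporarily down ... about one hour of downtime during this period"). Substantively, the bullet saying the environment's public addresses change should remind readers that firewall allow-lists, NSG rules and DNS records pointing at the old IPs must be updated in the same window; the preceding paragraph already tells them to update dependents before migrating, and an allow-list left on the old IPs blocks traffic to the new environment.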
app-service Nat Gateway Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/networking/nat-gateway-integration.md
az network vnet subnet update --resource-group [myResourceGroup] --vnet-name [my
The same NAT gateway can be used across multiple subnets in the same Virtual Network allowing a NAT gateway to be used across multiple apps and App Service plans.
-NAT gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,000 ports (SNAT ports) allowing up to 1M available ports. Learn more in the [Scaling section](../../virtual-network/nat-gateway/nat-gateway-resource.md#scale-nat-gateway) of NAT gateway.
+NAT gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,512 ports (SNAT ports) allowing up to 1M available ports. Learn more in the [Scaling section](../../virtual-network/nat-gateway/nat-gateway-resource.md#scale-nat-gateway) of NAT gateway.
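Review bot: with 64,512 SNAT ports per address and 16 addresses the total is 1,032,192, so "up to 1M available ports" now understates the figure; say "just over 1 million" or give the exact number.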
## Next steps
app-service Overview Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-managed-identity.md
The **IDENTITY_ENDPOINT** is a local URL from which your app can request tokens.
> | Parameter name | In | Description | > |-|--|--| > | resource | Query | The Azure AD resource URI of the resource for which a token should be obtained. This could be one of the [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI. |
-> | api-version | Query | The version of the token API to be used. Use "2019-08-01" or later. |
+> | api-version | Query | The version of the token API to be used. Use `2019-08-01`. |
> | X-IDENTITY-HEADER | Header | The value of the IDENTITY_HEADER environment variable. This header is used to help mitigate server-side request forgery (SSRF) attacks. | > | client_id | Query | (Optional) The client ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `mi_res_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used. | > | principal_id | Query | (Optional) The principal ID of the user-assigned identity to be used. `object_id` is an alias that may be used instead. Cannot be used on a request that includes client_id, mi_res_id, or object_id. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used. |
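Review bot: changing "Use "2019-08-01" or later" to "Use `2019-08-01`" narrows the contract; if later API versions are rejected by the endpoint, say so, and if they are merely undocumented, the original wording was more accurate. The adjacent `X-IDENTITY-HEADER` row says the header mitigates SSRF but not what happens when it is missing or wrong; the page should state that such requests are refused, since that refusal is the whole control against a forged request to `IDENTITY_ENDPOINT`.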
app-service Tutorial Python Postgresql App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-python-postgresql-app.md
ms.devlang: python Last updated 03/09/2022-+ # Deploy a Python (Django or Flask) web app with PostgreSQL in Azure
To configure environment variables for the web app from VS Code, you must have t
Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp).
-> [!NOTE]
-> If you want to try an alternative approach to connect your app to the Postgres database in Azure, see the [Service Connector version](../service-connector/tutorial-django-webapp-postgres-cli.md) of this tutorial. Service Connector is a new Azure service that is currently in public preview. [Section 4.2](../service-connector/tutorial-django-webapp-postgres-cli.md#42-configure-environment-variables-to-connect-the-database) of that tutorial introduces a simplified process for creating the connection.
- ## 6 - Deploy your application code to Azure Azure App service supports multiple methods to deploy your application code to Azure including support for GitHub Actions and all major CI/CD tools. This article focuses on how to deploy your code from your local workstation to Azure.
application-gateway Disabled Listeners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/disabled-listeners.md
Title: Identifying and fixing a disabled listener
+ Title: Understanding disabled listeners
description: The article explains the details of a disabled listener and ways to resolve the problem.
-# Identifying and fixing a disabled listener on your gateway
+# Understanding disabled listeners
The SSL/TLS certificates for Azure Application GatewayΓÇÖs listeners can be referenced from a customerΓÇÖs Key Vault resource. Your application gateway must always have access to such linked key vault resource and its certificate object to ensure smooth operations of the TLS termination feature and the overall health of the gateway resource.
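Review bot: the context line renders the apostrophes in "Application GatewayΓÇÖs" and "customerΓÇÖs" as the mojibake sequence `ΓÇÖ`, so the source file appears to have been saved in a non-UTF-8 code page; re-save as UTF-8 (or use plain ASCII apostrophes) so the retitled page does not ship with garbled text.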
application-gateway Tutorial Ssl Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/tutorial-ssl-cli.md
az network public-ip create \
--resource-group myResourceGroupAG \ --name myAGPublicIPAddress \ --allocation-method Static \
- --sku Standard
+ --sku Standard \
+ --location eastus
``` ## Create the application gateway
az group delete --name myResourceGroupAG --location eastus
## Next steps
-[Create an application gateway that hosts multiple web sites](./tutorial-multiple-sites-cli.md)
+[Create an application gateway that hosts multiple web sites](./tutorial-multiple-sites-cli.md)
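Review bot: `--location eastus` is hard-coded into `az network public-ip create` while the rest of the tutorial addresses resources through the resource group; use one location variable (or the group's location) so the public IP cannot land in a different region from the gateway. Separately, the cleanup context line reads `az group delete --name myResourceGroupAG --location eastus`, and as far as I know `az group delete` takes no `--location` argument; verify that command. The **Next steps** hunk shows no visible difference between the removed and added lines, so it is presumably a trailing-whitespace or newline fix.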
applied-ai-services Managed Identities Secured Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/managed-identities-secured-access.md
+
+ Title: "Configure secure access with managed identities and private endpoints"
+
+description: Learn how to configure secure communications between Form Recognizer and other Azure Services.
+++++ Last updated : 05/23/2022+++
+# Configure secure access with managed identities and private endpoints
+
+This how-to guide will walk you through the process of enabling secure connections for your Form Recognizer resource. You can secure the following connections:
+
+* Communication between a client application within a Virtual Network (VNET) and your Form Recognizer Resource.
+
+* Communication between Form Recognizer Studio or the sample labeling tool (FOTT) and your Form Recognizer resource.
+
+* Communication between your Form Recognizer resource and a storage account (needed when training a custom model).
+
+You'll be setting up your environment to secure the resources:
+
+ :::image type="content" source="media/managed-identities/secure-config.png" alt-text="Screenshot of secure configuration with managed identity and private endpoints.":::
+
+## Prerequisites
+
+To get started, you'll need:
+
+* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/)ΓÇöif you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).
+
+* A [**Form Recognizer**](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) or [**Cognitive Services**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource in the Azure portal. For detailed steps, _see_ [Create a Cognitive Services resource using the Azure portal](../../cognitive-services/cognitive-services-apis-create-account.md?tabs=multiservice%2cwindows).
+
+* An [**Azure blob storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Form Recognizer resource. You'll create containers to store and organize your blob data within your storage account.
+
+* An [**Azure virtual network**](https://portal.azure.com/#create/Microsoft.VirtualNetwork-ARM) in the same region as your Form Recognizer resource. You'll create a virtual network to deploy your application resources to train models and analyze documents.
+
+* An [**Azure data science VM**](https://portal.azure.com/#create/Microsoft.VirtualNetwork-ARM) optionally deploy a data science VM in the virtual network to test the secure connections being established.
+
+## Configure resources
+
+Configure each of the resources to ensure that the resources can communicate with each other:
+
+* Configure the Form Recognizer Studio to use the newly created Form Recognizer resource by accessing the settings page and selecting the resource.
+
+* Validate that the configuration works by selecting the Read API and analyzing a sample document. If the resource was configured correctly, the request will successfully complete.
+
+* Add a training dataset to a container in the Storage account you created.
+
+* Select the custom model tile to create a custom project. Ensure that you select the same Form Recognizer resource and the storage account you created in the previous step.
+
+* Select the container with the training dataset you uploaded in the previous step. Ensure that if the training dataset is within a folder, the folder path is set appropriately.
+
+* If you have the required permissions, the Studio will set the CORS setting required to access the storage account. If you don't have the permissions, you'll need to ensure that the CORS settings are configured on the Storage account before you can proceed.
+
+* Validate that the Studio is configured to access your training data, if you can see your documents in the labeling experience, all the required connections have been established.
+
+You now have a working implementation of all the components needed to build a Form Recognizer solution with the default security model:
+
+ :::image type="content" source="media/managed-identities/default-config.png" alt-text="Screenshot of default security configuration.":::
+
+Next, you'll complete the following steps:
+
+* Setup managed identity on the Form Recognizer resource.
+
+* Secure the storage account to restrict traffic from only specific virtual networks and IP addresses.
+
+* Configure the Form Recognizer managed identity to communicate with the storage account.
+
+* Disable public access to the Form Recognizer resource and create a private endpoint to make it accessible from the virtual network.
+
+* Add a private endpoint for the storage account in a selected virtual network.
+
+* Validate that you can train models and analyze documents from within the virtual network.
+
+## Setup managed identity for Form Recognizer
+
+Navigate to the Form Recognizer resource in the Azure portal and select the **Identity** tab. Toggle the **System assigned** managed identity to **On** and save the changes:
+
+ :::image type="content" source="media/managed-identities/v2-fr-mi.png" alt-text="Screenshot of configure managed identity.":::
+
+## Secure the Storage account to limit traffic
+
+Start configuring secure communications by navigating to the **Networking** tab on your **Storage account** in the Azure portal.
+
+1. Under **Firewalls and virtual networks**, choose **Enabled from selected virtual networks and IP addresses** from the **Public network access** list.
+
+1. Ensure that **Allow Azure services on the trusted services list to access this storage account** is selected from the **Exceptions** list.
+
+1. **Save** your changes.
+
+ :::image type="content" source="media/managed-identities/v2-stg-firewall.png" alt-text="Screenshot of configure storage firewall.":::
+
+> [!NOTE]
+>
+> Your storage account won't be accessible from the public internet.
+>
+> Refreshing the custom model labeling page in the Studio will result in an error message.
+
+## Enable access to storage from Form Recognizer
+
+To ensure that the Form Recognizer resource can access the training dataset, you'll need to add a role assignment for the managed identity that was created earlier.
+
+1. Staying on the storage account window in the Azure portal, navigate to the **Access Control (IAM)** tab in the left navigation bar.
+
+1. Select the **Add role assignment** button.
+
+ :::image type="content" source="media/managed-identities/v2-stg-role-assign-role.png" alt-text="Screenshot of add role assignment window.":::
+
+1. On the **Role** tab, search for and select the**Storage Blob Reader** permission and select **Next**.
+
+ :::image type="content" source="media/managed-identities/v2-stg-role-assignment.png" alt-text="Screenshot of choose a role tab.":::
+
+1. On the **Members** tab, select the **Managed identity** option and choose **+ Select members**
+
+1. On the **Select managed identities** dialog window, select the following options:
+
+ * **Subscription**. Select your subscription.
+
+ * **Managed Identity**. Select Form **Recognizer**.
+
+ * **Select**. Choose the Form Recognizer resource you enabled with a managed identity.
+
+ :::image type="content" source="media/managed-identities/v2-stg-role-assign-resource.png" alt-text="Screenshot of managed identities dialog window.":::
+
+1. **Close** the dialog window.
+
+1. Finally, select **Review + assign** to save your changes.
+
+Great! You've configured your Form Recognizer resource to use a managed identity to connect to a storage account.
+
+> [!TIP]
+>
+> When you try the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio), you'll see the READ API and other prebuilt models don't require storage access to process documents. However, training a custom model requires additional configuration because the Studio can't directly communicate with a storage account.
+ > You can enable storage access by selecting **Add your client IP address** from the **Networking** tab of the storage account to configure your machine to access the storage account via IP allowlisting.
+
+## Configure private endpoints for access from VNETs
+
+When you connect to resources from a virtual network, adding private endpoints will ensure both the storage account and the Form Recognizer resource are accessible from the virtual network.
+
+Next, you'll configure the virtual network to ensure only resources within the virtual network or traffic router through the network will have access to the Form Recognizer resource and the storage account.
+
+### Enable your virtual network and private endpoints
+
+1. In the Azure portal, navigate to your Form Recognizer resource.
+
+1. Select the **Networking** tab from the left navigation bar.
+
+1. Enable the **Selected Networking and Private Endpoints** option from the **Firewalls and virtual networks** tab and select save.
+
+> [!NOTE]
+>
+>If you try accessing any of the Form Recognizer Studio features, you'll see an access denied message. To enable access from the Studio on your machine, select the **client IP address checkbox** and **Save** to restore access.
+
+ :::image type="content" source="media/managed-identities/v2-fr-network.png" alt-text="Screenshot showing how to disable public access to Form Recognizer.":::
+
+### Configure your private endpoint
+
+1. Navigate to the **Private endpoint connections** tab and select the **+ Private endpoint**. You'll be
+navigated to the **Create a private endpoint** dialog page.
+
+1. On the **Create private endpoint** dialog page, select the following options:
+
+ * **Subscription**. Select your billing subscription.
+
+ * **Resource group**. Select the appropriate resource group.
+
+ * **Name**. Enter a name for your private endpoint.
+
+ * **Region**. Select the same region as your virtual network.
+
+ * Select **Next: Resource**.
+
+ :::image type="content" source="media/managed-identities/v2-fr-private-end-basics.png" alt-text="Screenshot showing how to set-up a private endpoint":::
+
+### Configure your virtual network
+
+1. On the **Resource** tab, accept the default values and select **Next: Virtual Network**.
+
+1. On the **Virtual Network** tab, ensure that the virtual network you created is selected in the virtual network.
+
+1. If you have multiple subnets, select the subnet where you want the private endpoint to connect. Accept the default value to **Dynamically allocate IP address**.
+
+1. Select **Next: DNS**
+
+1. Accept the default value **Yes** to **integrate with private DNS zone**.
+
+ :::image type="content" source="media/managed-identities/v2-fr-private-end-vnet.png" alt-text="Screenshot showing how to configure private endpoint":::
+
+1. Accept the remaining defaults and select **Next: Tags**.
+
+1. Select **Next: Review + create** .
+
+Well done! Your Form Recognizer resource now is only accessible from the virtual network and any IP addresses in the IP allowlist.
+
+### Configure private endpoints for storage
+
+Navigate to your **storage account** on the Azure portal.
+
+1. Select the **Networking** tab from the left navigation menu.
+
+1. Select the **Private endpoint connections** tab.
+
+1. Choose add **+ Private endpoint**.
+
+1. Provide a name and choose the same region as the virtual network.
+
+1. Select **Next: Resource**.
+
+ :::image type="content" source="media/managed-identities/v2-stg-private-end-basics.png" alt-text="Screenshot showing how to create a private endpoint":::
+
+1. On the resource tab, select **blob** from the **Target sub-resource** list.
+
+1. select **Next: Virtual Network**.
+
+ :::image type="content" source="media/managed-identities/v2-stg-private-end-resource.png" alt-text="Screenshot showing how to configure a private endpoint for a blob.":::
+
+1. Select the **Virtual network** and **Subnet**. Make sure **Enable network policies for all private endpoints in this subnet** is selected and the **Dynamically allocate IP address** is enabled.
+
+1. Select **Next: DNS**.
+
+1. Make sure that **Yes** is enabled for **Integrate with private DNS zone**.
+
+1. Select **Next: Tags**.
+
+1. Select **Next: Review + create**.
+
+Great work! You now have all the connections between the Form Recognizer resource and storage configured to use managed identities.
+
+> [!NOTE]
+> The resources are only accessible from the virtual network.
+>
+> Studio access and analyze requests to your Form Recognizer resource will fail unless the request originates from the virtual network or is routed via the virtual network.
+
+## Validate your deployment
+
+To validate your deployment, you can deploy a virtual machine (VM) to the virtual network and connect to the resources.
+
+1. Configure a [Data Science VM](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019?tab=Overview) in the virtual network.
+
+1. Remotely connect into the VM from your desktop to launch a browser session to access Form Recognizer Studio.
+
+1. Analyze requests and the training operations should now work successfully.
+
+That's it! You can now configure secure access for your Form Recognizer resource with managed identities and private endpoints.
+
+## Common error messages
+
+* **Failed to access Blob container**:
+
+ :::image type="content" source="media/managed-identities/cors-error.png" alt-text="Screenshot of error message when CORS config is required":::
+
+ **Resolution**: [Configure CORS](quickstarts/try-v3-form-recognizer-studio.md#prerequisites-for-new-users).
+
+* **AuthorizationFailure**:
+
+ :::image type="content" source="media/managed-identities/auth-failure.png" alt-text="Screenshot of authorization failure error.":::
+
+ **Resolution**: Ensure that there's a network line-of-sight between the computer accessing the form recognizer studio and the storage account. For example, you may need to add the client IP address in the storage account's networking tab.
+
+* **ContentSourceNotAccessible**:
+
+ :::image type="content" source="media/managed-identities/content-source-error.png" alt-text="Screenshot of content source not accessible error.":::
+
+ **Resolution**: Make sure you've given your Form Recognizer managed identity the role of **Storage Blob Data Reader** and enabled **Trusted services** access or **Resource instance** rules on the networking tab.
+
+* **AccessDenied**:
+
+ :::image type="content" source="media/managed-identities/access-denied.png" alt-text="Screenshot of a access denied error.":::
+
+ **Resolution**: Check to make sure there's connectivity between the computer accessing the form recognizer studio and the form recognizer service. For example, you may need to add the client IP address to the Form Recognizer service's networking tab.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Access Azure Storage from a web app using managed identities](../../app-service/scenario-secure-app-access-storage.md?bc=%2fazure%2fapplied-ai-services%2fform-recognizer%2fbreadcrumb%2ftoc.js
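Review bot: The role name in the role-assignment step does not match the one in the troubleshooting section, and the mismatch sits on the security-critical step: "On the **Role** tab, search for and select the**Storage Blob Reader** permission" (also missing a space after "the") versus "the role of **Storage Blob Data Reader**" under **ContentSourceNotAccessible**. The built-in Azure role that grants blob read access to a managed identity is **Storage Blob Data Reader**; please use that name in the procedure so readers do not search for a role that does not exist. Two smaller points in the same region: the **Azure data science VM** prerequisite links to the same `Microsoft.VirtualNetwork-ARM` create blade as the virtual network bullet, while the **Validate your deployment** section links to the Data Science VM marketplace listing, so the prerequisite link looks like a copy-paste error; and "traffic router through the network" should read "traffic routed through the network". The **ContentSourceNotAccessible** resolution also mentions **Resource instance** rules, which the procedure never configures (it only enables the trusted-services exception), so either add that as an alternative in the **Secure the Storage account** steps or drop it from the resolution.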